BlackHat 2015: Cyber controls enable physical attacks, says researcher

Cyber attackers can usually find specific physical attacks that engineers typically would not anticipate, says a security researcher

There is seldom a big red button for cyber attackers to push to create physical damage in the world, according to security researcher Jason Larson.

But after quite a bit of work, attackers can manipulate industrial control systems to exploit physics to cause real-world damage, he told the BlackHat USA 2015 security conference in Las Vegas.

Larson detailed several mechanisms of physical damage, starting with shifting the place where chemical reactions take place in a targeted system or industrial plant.

“Where and when something happens is almost completely under cyber control,” said Larson.

Simply shifting a chemical reaction from a pressure- and vacuum-resistant chamber to pipes connected to that chamber can cause those pipes to burst or crumple, for example.

Larson said the biggest challenge with place-shifting attacks is providing the necessary heat for the chemical reaction in the new location. “The challenge is finding an alternative heat source,” he said.

However, Larson went on to detail water hammer attacks that can be created by causing valves to shut faster than they should.

When liquid stops suddenly, he said, that energy has to go somewhere, typically creating a pressure surge commonly known as a water hammer, fluid hammer or hydraulic shock.

While a water hammer itself can cause physical damage to pipes, for example, it also creates heat, which Larson said could be used to provide the heat in a place-shifting attack.

Another way of exploiting physics, he said, applies to pipes that carry both liquids and gases: the gas is used to create ripples in the liquid that are big enough to reach the top of the pipe and create a seal, which then forces a liquid “slug” forward with the force of an engine piston.

Finally, Larson talked about attacks that can cause physical damage by taking motors out of phase, citing the Idaho National Laboratory Aurora Generator Test in 2007, which demonstrated how a cyber attack could destroy physical components of the electricity grid.

By studying industrial processes, he said, attackers can usually find specific attacks that engineers typically would not anticipate and therefore would not block by building in the necessary protections.

“A classic example is one in which the only attack engineers could think of in a cookie production factory was that controllers could be manipulated to add too much salt, while hackers were able to identify ways of manipulating controllers to block pipes carrying cookie ingredients to shut down production,” said Larson.

People who design and run industrial processes, he said, are usually very bad at predicting what hackers could do to shut down those processes or manipulate them to exploit physical laws to create unexpected physical events.
