Remote Physical Damage 101 - Bread and Butter Attacks

by Jason Larsen
Sept. 19, 2017 1 comment Black Hat belen_caty Pen Testing & Audits

It is possible to physically damage equipment through purely cyber means. Most of the time the attacker takes advantage of something specific to the CyberPhysical System (CPS) thats being targeted. As an example mixing in a cleaning agent during a production cycle can cause an unwanted chemical reaction. Attacking software has been described as "unexpected computation". Attacking a process is all about "unexpected physics." Finding and exploiting process-specific flaws generally takes subject matter expertise in the victim process. However, there are some generic attacks that can be applied in a wide range of scenarios. I call these bread and butter attacks. They take advantage of common configurations of valves, pumps, pipe, etc. to achieve damage to the process. These scenarios can be used as a basis for a first look in a process audit. During a full audit, a subject matter expert will still need to be consulted.

Mitchell Rowton moderator 3 months ago

This reminds me of stuxnet, the malware that damaged Irans nuclear program.