MCH2022 Curated content
Honey, let's hack the kitchen: attacks on critical and not-so-critical cyber physical systems
Attacks on cyber physical systems are perceived as necessarily complex and requiring significant time and resources. However, in the last couple years we have also observed the inverse: simple attacks where actors with varying levels of skill and few resources gain access to software and interfaces that control physical processes. These compromises appear to be driven by ideological, egotistical, or financial objectives, taking advantage of an ample supply of internet-connected cyber physical systems. This is sometimes concerning, for example when it is affects panels for controlling processes in a water facilities or manufacturing processes. Sometimes, though, it is absurd, such as when the critical systems actors claim to compromise are in fact toys or domestic appliances. In this talk, we will share a series of stories of success and failure involving low sophistication compromises on cyber physical systems. We will describe the different types of cases we have observed, what the actors did, and how you can reproduce them for good. At last, we will discuss to what extent these crimes of opportunity represent a risk to cyber physical systems and what we can do about it.
In november 2021, I presented a version of this talk at a local non-profit event in Bergamo, Italy. For this event - NoHat - I focused on sharing the stories of low sophistication compromises we observed involving software used to control physical processes. However, for MCH I did some modifications in the title and the presentation itself to share not only the cases, but also how to reproduce them for good.
The purpose of this talk is to share with the audience how actors without necessarily a lot of skills or resources are using very simple tools to hack cyber physical systems. I will do some experiments to show very quick results the audience can get reproducing these techniques so that they learn how to find these internet-connected cyber physical assets and notify the owners.
The outline of the initial presentation was:
• Introduction
o Story: Hacked kitchen was supposed to be a gas system
• Define low sophistication cyber physical compromises
• (De)evolution of cyber physical threats
o From state-sponsored to financial, and now opportunistic
• Describe low sophistication compromises of cyber physical systems
o Distribution and claims of exposed systems
o Seeming actor motivations
o Common actor techniques
o Types of evidence (or lack of)
• Low Sophistication Threat Actors Access HMIs and Manipulate Control Processes
o Oldsmar, Florida modified HMI on water facility
o Israel’s advisory on compromises to water facility systems
o Solar energy and dam surveillance system
o Hotel BAS
• Amateur Actors Show Limited OT Expertise
o “Train control system” was in fact a human resources tool
o Second “train control system” controls toy trains
o Website leaks claiming access to SCADA systems
• Hacktivist and Researcher Tutorials
o Two hacktivist groups share tutorials for finding and compromising cyber physical systems
o Researchers have done too – including a couple examples, such as a recent script to identify tank gauges
• Does this activity pose an actual risk to cyber physical systems?
o Each incident provides threat actors with opportunities to learn more about OT, such as the underlying technology, physical processes, and operations.
o Even low-sophistication intrusions into OT environments carry the risk of disruption to physical processes, mainly in the case of industries or organizations with less mature security practices.
o The publicity of these incidents normalizes cyber operations against OT and may encourage other threat actors to increasingly target or impact these systems.
• On the bright side…
o There are safety methods in place that stop immediate computer instructions from modifying actual physical processes
 Engineering and human processes
 Missing security on the software side
Additional Materials:
Please find in this link our recent blog on this topic: https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophistication-operational-technology-compromises.html
Additional information
| Type | Talk |
|---|---|
| Language | English |
More sessions
| 7/22/22 |
⚠️ Warning! This talk may contain hackers. There may be hackers in the room. There may be hackers surrounding the room. There may be hackers recording this. There may be hackers listening in. There may be hackers that exfiltrate data. There may be hackers wearing shirts. There may be hackers carrying spying devices. OH NO! There are hackers EVERYWHERE! What can we do now, except having a party?
|
| 7/22/22 |
What do big tech, synthesizers, the crucifixion and Matthäus Passion have in common? Find the answer in the tech performance The Silicon Passion. We’ve all embraced big tech —but is it a warm hug or a strangulation? Bear witness to a debate of biblical proportions between tech nerds, technology and its users. In The Silicon Passion SETUP, in collaboration with de Transmissie (David Schwarz en Derk Stenvers) and Rodrigo Ferreira, is looking for a way out of the pit that technology has ...
|
| 7/22/22 |
Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. if you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki: https://wiki.mch2022.org/Static:Lightning_Talks
|
| 7/22/22 |
In this workshop, we will learn how to assemble tiny parts on circuit boards by building an electronic touch-activated purring kitten. Anyone can do it. Yes, even you who never touched anything electronic before. Takes 120mins, 20€/kit, avoid caffeine immediately before. Max 10 participants per session, sign up on PAPER at the Hardware Hacking Area.
|
| 7/22/22 |
This is a submission for a keynote talk at MCH2022. The Internet is both a familiar, comfortable place as well as a bottomless rabbit hole you can lose yourself in. The Internet has always been like this from its inception, the difference now is the scale and consequences are almost immeasurable - and it tests the limits of human imagination. When you look into the mirror of the Internet what you see reflected back depends on what you are looking for. It has become largely a reflection of ...
|
| 7/22/22 |
Have you ever forgotten a passphrase or lost a hardware token? Lost access to enough Bitcoin to buy a pizza or two? Encryption is fundamental to securing our liberties, but key and password management remain difficult even for professionals, let alone the general public. This talk presents Passcrow, an Open Source project attempting to address one of crypto's largest usability issues: password and key recovery in a decentralized environment.
|
| 7/22/22 |
Thanks to DNSSEC and DANE, it is possible to automatically verify user@domain.name identities by checking with domain.name servers. The real problem however, is integration with existing protocols, instead of inventing something completely new and perhaps web-only. The purpose of our work on Realm Crossover mechanisms has been to design generic solutions that extend many different application protocols, without changing their protocol specs.
|
