Honey, let's hack the kitchen: attacks on critical and not-so-critical cyber physical systems

Daniel Kapellmann Zafra

Playlists: 'MCH2022' videos starting here / audio

Attacks on cyber physical systems are perceived as necessarily complex and requiring significant time and resources. However, in the last couple years we have also observed the inverse: simple attacks where actors with varying levels of skill and few resources gain access to software and interfaces that control physical processes. These compromises appear to be driven by ideological, egotistical, or financial objectives, taking advantage of an ample supply of internet-connected cyber physical systems. This is sometimes concerning, for example when it is affects panels for controlling processes in a water facilities or manufacturing processes. Sometimes, though, it is absurd, such as when the critical systems actors claim to compromise are in fact toys or domestic appliances. In this talk, we will share a series of stories of success and failure involving low sophistication compromises on cyber physical systems. We will describe the different types of cases we have observed, what the actors did, and how you can reproduce them for good. At last, we will discuss to what extent these crimes of opportunity represent a risk to cyber physical systems and what we can do about it.

In november 2021, I presented a version of this talk at a local non-profit event in Bergamo, Italy. For this event - NoHat - I focused on sharing the stories of low sophistication compromises we observed involving software used to control physical processes. However, for MCH I did some modifications in the title and the presentation itself to share not only the cases, but also how to reproduce them for good.

The purpose of this talk is to share with the audience how actors without necessarily a lot of skills or resources are using very simple tools to hack cyber physical systems. I will do some experiments to show very quick results the audience can get reproducing these techniques so that they learn how to find these internet-connected cyber physical assets and notify the owners.

The outline of the initial presentation was:

• Introduction
o Story: Hacked kitchen was supposed to be a gas system
• Define low sophistication cyber physical compromises
• (De)evolution of cyber physical threats
o From state-sponsored to financial, and now opportunistic
• Describe low sophistication compromises of cyber physical systems
o Distribution and claims of exposed systems
o Seeming actor motivations
o Common actor techniques
o Types of evidence (or lack of)
• Low Sophistication Threat Actors Access HMIs and Manipulate Control Processes
o Oldsmar, Florida modified HMI on water facility
o Israel’s advisory on compromises to water facility systems
o Solar energy and dam surveillance system
o Hotel BAS
• Amateur Actors Show Limited OT Expertise
o “Train control system” was in fact a human resources tool
o Second “train control system” controls toy trains
o Website leaks claiming access to SCADA systems
• Hacktivist and Researcher Tutorials
o Two hacktivist groups share tutorials for finding and compromising cyber physical systems
o Researchers have done too – including a couple examples, such as a recent script to identify tank gauges
• Does this activity pose an actual risk to cyber physical systems?
o Each incident provides threat actors with opportunities to learn more about OT, such as the underlying technology, physical processes, and operations.
o Even low-sophistication intrusions into OT environments carry the risk of disruption to physical processes, mainly in the case of industries or organizations with less mature security practices.
o The publicity of these incidents normalizes cyber operations against OT and may encourage other threat actors to increasingly target or impact these systems.
• On the bright side…
o There are safety methods in place that stop immediate computer instructions from modifying actual physical processes
 Engineering and human processes
 Missing security on the software side

Additional Materials:
Please find in this link our recent blog on this topic: https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophistication-operational-technology-compromises.html