{"id":5035,"date":"2015-08-19T08:39:29","date_gmt":"2015-08-19T12:39:29","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5035"},"modified":"2019-11-15T15:24:26","modified_gmt":"2019-11-15T11:24:26","slug":"hacking-chemical-plant","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/hacking-chemical-plant\/5035\/","title":{"rendered":"Hacking a chemical plant"},"content":{"rendered":"<p>Cyber-physical security researchers\u00a0<a href=\"https:\/\/twitter.com\/marmusha\" target=\"_blank\" rel=\"noopener nofollow\">Marina Krotofil<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.linkedin.com\/pub\/jason-larsen\/65\/984\/950\" target=\"_blank\" rel=\"noopener nofollow\">Jason Larsen<\/a>\u00a0presented their research on hacking chemical plants at Black Hat and DEF CON \u2013 this was a very fascinating talk.<\/p>\n<p>It\u2019s not that hacking a chemical plant topic itself is unbelievable. Especially when people can hack, say,\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/stuxnet-victims-zero\" target=\"_blank\" rel=\"noopener nofollow\">the uranium enrichment facility<\/a>,\u00a0<a href=\"https:\/\/threatpost.com\/researchers-manipulate-rifles-precision-targeting-system\/114028\" target=\"_blank\" rel=\"noopener nofollow\">sniper rifle<\/a>, or\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/blackhat-jeep-cherokee-hack-explained\" target=\"_blank\" rel=\"noopener nofollow\">thousands of Jeeps at once<\/a>, there\u2019s no doubt that some other people can hack chemical plant. There\u2019s nothing unhackable in this world, so why should chemical plants should be the exception?<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/BlackHat?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#BlackHat<\/a> 2015: The full story of how that Jeep was hacked <a href=\"https:\/\/t.co\/y0d6k8UE4n\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/y0d6k8UE4n<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/bhUSA?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#bhUSA<\/a> <a href=\"http:\/\/t.co\/SWulPz4Et7\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/SWulPz4Et7<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/629651596876644352?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 7, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>What is really interesting: in her talk, Krotofil went into depth of what hackers\u00a0<em>could<\/em>\u00a0and\u00a0<em>should<\/em>\u00a0do after taking control over plant\u2019s computer network. First lesson of this research:\u00a0<b>the aftermath of hack doesn\u2019t have to be obvious<\/b>.<\/p>\n<p>There are multiple ways to exploit a hacked and owned chemical plant. Only one of them is really evident: hackers in question put the plant out of operation. In this case, the aftermath would be hard to miss.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5037\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/08\/05103709\/hacking-chemical-plant-1.jpg\" alt=\"hacking-chemical-plant-1\" width=\"1280\" height=\"960\"><\/p>\n<p>The more refined way of hacking would be to carefully adjust chemical processes in order to make the plant less profitable and the owner company less competitive. For example, hackers can tune chemical process to reduce product quality and\/or product rate. And when you speak about chemistry, the parameter that matters the most is purity.<\/p>\n<p>For example, paracetomol with purity of 98% costs just about 1 EUR per kilogram (approximately $1.11 USD). At the same time, paracetomol with purity of 100% costs more than 8000 EUR per kilogram. And this reduction is very clear aim for a hacker who wants to earn money from plant\u2019s owner competitors.<\/p>\n<p><iframe loading=\"lazy\" title=\"Damn Vulnerable Chemical Process\" src=\"https:\/\/www.slideshare.net\/slideshow\/embed_code\/key\/dkSZ2fSSfzzA9h\" width=\"427\" height=\"356\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\" style=\"border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;\" allowfullscreen> <\/iframe> <\/p>\n<div style=\"margin-bottom:5px\"> <strong> <a href=\"https:\/\/www.slideshare.net\/phdays\/damn-vulnerable-chemical-process\" title=\"Damn Vulnerable Chemical Process\" target=\"_blank\" rel=\"noopener nofollow\">Damn Vulnerable Chemical Process<\/a> <\/strong> from <strong><a href=\"https:\/\/www.slideshare.net\/phdays\" target=\"_blank\" rel=\"noopener nofollow\">Positive Hack Days<\/a><\/strong> <\/div>\n<p>\u00a0<\/p>\n<p>But it\u2019s not that easy to exploit the hack of cyber-physical system, and this is the second lesson we can learn from this research. The plant is very complex thing, and many of its physical and chemical processes depend on each other. If you change something here, something else can happen there. In order to achieve certain goals, you have to understand all these interrelations.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5038\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/08\/05103707\/hacking-chemical-plant-2.jpg\" alt=\"hacking-chemical-plant-2\" width=\"1280\" height=\"960\"><\/p>\n<p>First of all, you need a chemist, a good one to be precise. Secondly, you need your own chemical plant to carry out experiments. By the way, this was the case for Stuxnet developers \u2014 they used a few real uranium enrichment centrifuges during development of this famous worm.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5039\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/08\/05103704\/hacking-chemical-plant-3.jpg\" alt=\"hacking-chemical-plant-3\" width=\"1280\" height=\"960\"><\/p>\n<p>If you can\u2019t afford your own chemical plant, then you need to build a software model and carry experiments there. You will also need to discover, what equipment and software you\u2019re going to deal with. Surprisingly, a hacker\u2019s best weapon in this case is the Internet as a whole, and social networks in particular: it is difficult to imagine what employees do not post there. What they most certainly do post are real screenshots with useful information.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5040\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/08\/05103701\/hacking-chemical-plant-4.jpg\" alt=\"hacking-chemical-plant-4\" width=\"1280\" height=\"960\"><\/p>\n<p>Even after obtaining a real good chemist, all necessary information and software models, you can\u2019t be sure you really can control the chemical processes you want. The thing is, chemical plants aren\u2019t designed to be comfortably hackable; for example cyber-physical systems don\u2019t have versatile diagnostic tools in contrast with pure computer systems, which almost always do have them.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5041\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2015\/08\/05103659\/hacking-chemical-plant-5.jpg\" alt=\"hacking-chemical-plant-5\" width=\"1280\" height=\"960\"><\/p>\n<p>That\u2019s why your adjustments have to be guided by indirect data. For instance, you can\u2019t measure purity of product itself, just because at plants they don\u2019t need such embedded tool, they measure purity after production. Instead you need to estimate it from temperature or pressure. Therefore the complexity of hacking a chemical plant can barely be overestimated. However, if you have plenty of time and resources, everything is possible.<\/p>\n<p>Simply put, it\u2019s rather hard to hack complex cyber-physical systems, on the one hand. On the other hand, it is possible to do. And if the plant is hacked, the complexity plays against defenders as well \u2014 it\u2019s not easy for them to detect malicious activity.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>What we can learn from chemical plant #hack #BlackHat #DefCon<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FYze3&amp;text=What+we+can+learn+from+chemical+plant+%23hack+%23BlackHat+%23DefCon\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>As Kim Zetter wrote in \u2018<a href=\"http:\/\/www.amazon.com\/Countdown-Zero-Day-Stuxnet-Digital\/dp\/077043617X\" target=\"_blank\" rel=\"noopener nofollow\">Countdown to Zero Day<\/a>\u2018 book about Stuxnet, originally this worm was designed not to wreck uranium enrichment centrifuges, but to reduce the \u2018quality\u2019 of nuclear fuel. And if one very powerful person was patient enough and didn\u2019t insist on faster effect, the malware could stay unnoticed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cyber-physical security researchers\u00a0Marina Krotofil\u00a0and\u00a0Jason Larsen\u00a0presented their research on hacking chemical plants at Black Hat and DEF CON \u2013 this was a very fascinating talk. It\u2019s not that hacking a chemical<\/p>\n","protected":false},"author":421,"featured_media":5036,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[740,1044,1045,741,1034,78,82],"class_list":{"0":"post-5035","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-black-hat","9":"tag-blackhat15","10":"tag-chemical-plants","11":"tag-def-con","12":"tag-defcon23","13":"tag-hackers","14":"tag-hacking"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/hacking-chemical-plant\/5035\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/hacking-chemical-plant\/3491\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/hacking-chemical-plant\/5841\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/hacking-chemical-plant\/6127\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/hacking-chemical-plant\/5933\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/hacking-chemical-plant\/6623\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/hacking-chemical-plant\/6510\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/hacking-chemical-plant\/8948\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hacking-chemical-plant\/9603\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/hacking-chemical-plant\/4791\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/hacking-chemical-plant\/5620\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/hacking-chemical-plant\/5982\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/hacking-chemical-plant\/8615\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/hacking-chemical-plant\/8948\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/hacking-chemical-plant\/9603\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hacking-chemical-plant\/9603\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/black-hat\/","name":"black hat"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5035"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5035\/revisions"}],"predecessor-version":[{"id":14930,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5035\/revisions\/14930"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5036"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}