Rocking the Pocket Book: Hacking Chemical Plants for Competition and Extortion

Marina Krotofil, Jason Larsen
DefCon 23, Las Vegas, USA
07.08.2015

Who we are

(Ex)Academic
o Got hooked on cyber-physical hacking

Hacker
o Dragged into academic world against own will

Motivation

Industrial Control Systems

Industrial Control Systems aka SCADA
Physical application
Courtesy: Compass Security Germany GmbH

Industrial Control Systems
Industry means big business
Big business == $$$$$$$

Missing piece of knowledge
010011011011101
How do we do it??
Some horrible physical consequences

Typical understanding of SCADA hacking
Source: simentari.com

What can be done to the process

Equipment damage
o Equipment overstress
o Violation of safety limits

Production damage
o Product quality and product rate
o Operating costs
o Maintenance efforts

Compliance violation
o Safety (occupational, environment)
o Pollution (environment)
o Contractual agreements

Attack considerations

Equipment damage
o Comes first to anybody's mind (+)
o Irreversible (±)
o Unclear collateral damage (-)
o May transform into compliance violation, e.g. if it kills a human (-)

Compliance violation
o Compliance regulations are public knowledge (+)
o Unclear collateral damage (-)
o Must be reported to the authorities (±)
o Will be investigated by the responsible agencies (-)