Since the NSA’s infamous Stuxnet malware started exploding Iranian centrifuges, hacker attacks that disrupt big, physical systems have moved out of the realm of Die Hard sequels and into reality. As those attacks evolve, the cybersecurity community has started to move beyond the question of whether hacks can impact physical infrastructure, to the more chilling question of exactly what those attacks might accomplish. Judging by one proof-of-concept demonstration, those attacks could come in more insidious and unexpected forms than defenders expect.
In a talk at the Black Hat security conference Thursday, Honeywell security researcher Marina Krotofil showed one example of an attack on industrial systems meant to drive home just how surreptitious the hacking of so-called cyberphysical systems—physical systems that can be manipulated by digital means—might be. With a laptop connected to a $50,000, 610-pound industrial pump, she showed how a hacker could leverage a hidden, highly destructive weapon on that massive machine: bubbles.
Midway through her talk, Krotofil pointed to a Flowserve pump system, roughly the size of a big rig truck’s engine, in front of the crowd. To that point, it had loudly cycled water through a series of transparent pipes. Then she cued a “hacker” in a black hoodie on stage, who typed a command that sent a thick flow of bubbles through those pipes. A sensor on the pump registered that it was subtly vibrating, reducing its efficiency and, Krotofil said, slowly damaging it. In a matter of hours, she said, the bubbles would start to wear pits in the pump’s metal surfaces, and in days would wear down the “impellers” that push water through it, until it’s rendered useless.
“Bubbles can be evil,” she said. “These bubbles are my attack payload. And I deliver them through the physics of the process.”
Importantly, Krotofil’s hacker had delivered the evil bubbles without having any access to the pump component of her rig. Instead, he had only adjusted a valve further upstream to decrease the pressure in a certain chamber, which caused bubbles to form. When those bubbles strike the pump, they implode and, in a process called “cavitation,” turn back into a liquid, transferring their energy to the pump. “They collapse at very high velocity and high frequency, which creates massive shockwaves,” Krotofil explained.
That means a hacker would be able to quietly and steadily cause damage to the pump, despite obtaining only indirect access to it. But Krotofil’s attack doesn’t merely warn about the specific danger of hacker-induced bubbles. Instead, it’s meant as a harbinger, illustrating that in the coming world of cyberphysical hacking, attackers can use physics to cause chain reactions, inducing mayhem even in parts of a system that they haven’t directly breached.
“She can use a less critical piece to control that critical piece of the system,” says Jason Larsen, a researcher with security consultancy IOActive who worked with Krotofil on some parts of her research. “If you look at just the data flows, you’re going to miss a bunch of attack vectors. There are also these physical flows that go between parts of the system.”
That could not only allow a hacker to reach further into a sensitive system, but also make it far harder to detect their presence or the damage they’ve caused, Larsen says. Cavitation, for instance, is a hazard of industrial systems that often occurs by accident, so stealthy hackers could use it as a weapon without necessarily attracting attention.
In her talk, Krotofil argued that defending against that kind of insidious attack requires more careful, broader measurements of industrial systems to identify potential hacker attacks as they unfold. She described that kind of anomaly detection as another necessary layer of defense for those with cyberphysical systems, beyond traditional data security protections like firewalls and IT-focused intrusion detection systems. “We know that we have to have defense in depth,” Krotofil said. “This is how we build security.”
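To make that kind of process-level anomaly detection concrete, here is an added example (not code from Krotofil’s talk or from Honeywell) that cross-checks three measurements from different parts of a pump loop: the upstream valve position, the pump’s suction pressure and the pump’s vibration. The telemetry, thresholds and the pump’s required suction head are constructed assumptions, and the head calculation ignores velocity head for simplicity.

```python
from dataclasses import dataclass
from statistics import median

# Assumed constants (not from the article): water at about 20 C.
VAPOR_KPA = 2.34        # vapour pressure of water, kPa absolute
KPA_PER_M = 9.79        # pressure of one metre of water column, kPa
NPSH_REQUIRED_M = 3.0   # hypothetical pump datasheet value, metres
VIB_FACTOR = 2.0        # alert when vibration exceeds 2x the baseline
LOOKBACK = 3            # samples to search for an upstream valve move

@dataclass
class Sample:
    t: int              # sample index
    valve_pct: float    # upstream valve position, percent open
    suction_kpa: float  # absolute pressure at the pump inlet
    vib_mm_s: float     # pump casing vibration velocity

def npsh_available(suction_kpa):
    """Suction head above the vapour pressure, in metres (velocity head ignored)."""
    return (suction_kpa - VAPOR_KPA) / KPA_PER_M

def detect(samples, baseline_n=3):
    """Flag samples where low suction head and high vibration coincide."""
    base_vib = median(s.vib_mm_s for s in samples[:baseline_n])
    alerts = []
    for i, s in enumerate(samples[baseline_n:], start=baseline_n):
        head = npsh_available(s.suction_kpa)
        if head >= NPSH_REQUIRED_M or s.vib_mm_s <= VIB_FACTOR * base_vib:
            continue
        # Follow the physical flow upstream: did a valve move just before?
        window = [w.valve_pct for w in samples[max(0, i - LOOKBACK):i + 1]]
        moved = max(window) - min(window) >= 10
        cause = "upstream valve moved" if moved else "no valve change seen"
        alerts.append((s.t, round(head, 2), cause))
    return alerts

# Constructed telemetry: steady operation, then the upstream valve closes.
TELEMETRY = [
    Sample(0, 80, 101.0, 1.1), Sample(1, 80, 100.5, 1.0),
    Sample(2, 80, 101.2, 1.2), Sample(3, 45, 60.0, 1.4),
    Sample(4, 30, 28.0, 3.9),  Sample(5, 30, 25.0, 4.6),
]

if __name__ == "__main__":
    for alert in detect(TELEMETRY):
        print(alert)
```

An alert that names the upstream valve gives an operator a reason to ask who commanded that valve, rather than writing the vibration off as accidental cavitation.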
Hacker attacks that meddle with physical infrastructure remain exceedingly rare. But in 2015, for instance, hackers attacked a German steel mill, preventing a furnace from being shut down and causing “massive” damage to the facility according to a government report. And late last year, hackers used a sophisticated piece of malware known as “Crash Override” or “Industroyer” to automate an attack on Ukraine’s state-run power company Ukrenergo, triggering a blackout in Kiev.
Those sorts of attacks show that physical infrastructure hacking is indeed evolving, says Larsen. “What we see in research, we see attackers do five or six years later,” Larsen says. Krotofil’s work, he says, “is about laying the groundwork for when these attacks do start showing up.” Given the potentially disastrous damage one of those physical attacks can cause, better to start imagining the future of evil bubble sabotage than wait for it to arrive.