{"guid":"3a5c291c-f380-51a1-9123-73e8b0e8faf8","title":"Honey, let's hack the kitchen: ","subtitle":"Attacks on critical and not-so-critical cyber physical systems","slug":"mch2022-108-honey-let-s-hack-the-kitchen-attacks-on-critical-and-not-so-critical-cyber-physical-systems","link":"https://program.mch2022.org/mch2022/talk/C9FANR/","description":"Attacks on cyber physical systems are perceived as necessarily complex and requiring significant time and resources. However, in the last couple years we have also observed the inverse: simple attacks where actors with varying levels of skill and few resources gain access to software and interfaces that control physical processes. These compromises appear to be driven by ideological, egotistical, or financial objectives, taking advantage of an ample supply of internet-connected cyber physical systems. This is sometimes concerning, for example when it is affects panels for controlling processes in a water facilities or manufacturing processes. Sometimes, though, it is absurd, such as when the critical systems actors claim to compromise are in fact toys or domestic appliances. In this talk, we will share a series of stories of success and failure involving low sophistication compromises on cyber physical systems. We will describe the different types of cases we have observed, what the actors did, and how you can reproduce them for good. At last, we will discuss to what extent these crimes of opportunity represent a risk to cyber physical systems and what we can do about it.\r\n\r\nIn november 2021, I presented a version of this talk at a local non-profit event in Bergamo, Italy. For this event - NoHat - I focused on sharing the stories of low sophistication compromises we observed involving software used to control physical processes. However, for MCH I did some modifications in the title and the presentation itself to share not only the cases, but also how to reproduce them for good.\r\n\r\nThe purpose of this talk is to share with the audience how actors without necessarily a lot of skills or resources are using very simple tools to hack cyber physical systems. I will do some experiments to show very quick results the audience can get reproducing these techniques so that they learn how to find these internet-connected cyber physical assets and notify the owners.\r\n\r\nThe outline of the initial presentation was:\r\n\r\n•\tIntroduction\r\no\tStory: Hacked kitchen was supposed to be a gas system\r\n•\tDefine low sophistication cyber physical compromises\r\n•\t(De)evolution of cyber physical threats\r\no\tFrom state-sponsored to financial, and now opportunistic\r\n•\tDescribe low sophistication compromises of cyber physical systems\r\no\tDistribution and claims of exposed systems\r\no\tSeeming actor motivations\r\no\tCommon actor techniques\r\no\tTypes of evidence (or lack of)\r\n•\tLow Sophistication Threat Actors Access HMIs and Manipulate Control Processes\r\no\tOldsmar, Florida modified HMI on water facility\r\no\tIsrael’s advisory on compromises to water facility systems\r\no\tSolar energy and dam surveillance system\r\no\tHotel BAS\r\n•\tAmateur Actors Show Limited OT Expertise\r\no\t“Train control system” was in fact a human resources tool\r\no\tSecond “train control system” controls toy trains\r\no\tWebsite leaks claiming access to SCADA systems\r\n•\tHacktivist and Researcher Tutorials\r\no\tTwo hacktivist groups share tutorials for finding and compromising cyber physical systems\r\no\tResearchers have done too – including a couple examples, such as a recent script to identify tank gauges\r\n•\tDoes this activity pose an actual risk to cyber physical systems?\r\no\tEach incident provides threat actors with opportunities to learn more about OT, such as the underlying technology, physical processes, and operations.\r\no\tEven low-sophistication intrusions into OT environments carry the risk of disruption to physical processes, mainly in the case of industries or organizations with less mature security practices.\r\no\tThe publicity of these incidents normalizes cyber operations against OT and may encourage other threat actors to increasingly target or impact these systems.\r\n•\tOn the bright side…\r\no\tThere are safety methods in place that stop immediate computer instructions from modifying actual physical processes\r\n\tEngineering and human processes\r\n\tMissing security on the software side\r\n\r\nAdditional Materials:\r\nPlease find in this link our recent blog on this topic: https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophistication-operational-technology-compromises.html","original_language":"eng","persons":["Daniel Kapellmann Zafra"],"view_count":212,"promoted":false,"date":"2022-07-23T14:00:00.000+02:00","release_date":"2022-07-24T00:00:00.000+02:00","updated_at":"2025-12-29T13:19:05.661+01:00","tags":["mch2022","108","2022","MCH2022 Curated content"],"length":2322,"duration":2322,"thumb_url":"https://static.media.ccc.de/media/events/MCH2022/108-3a5c291c-f380-51a1-9123-73e8b0e8faf8.jpg","poster_url":"https://static.media.ccc.de/media/events/MCH2022/108-3a5c291c-f380-51a1-9123-73e8b0e8faf8_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/MCH2022/108-3a5c291c-f380-51a1-9123-73e8b0e8faf8.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/MCH2022/108-3a5c291c-f380-51a1-9123-73e8b0e8faf8.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/mch2022-108-honey-let-s-hack-the-kitchen-attacks-on-critical-and-not-so-critical-cyber-physical-systems","url":"https://api.media.ccc.de/public/events/3a5c291c-f380-51a1-9123-73e8b0e8faf8","conference_title":"May Contain Hackers 2022","conference_url":"https://api.media.ccc.de/public/conferences/MCH2022","related":[],"recordings":[{"size":265,"length":2322,"mime_type":"video/webm","language":"eng","filename":"mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2022-07-24T14:38:59.110+02:00","recording_url":"https://cdn.media.ccc.de/events/MCH2022/webm-hd/mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/60153","event_url":"https://api.media.ccc.de/public/events/3a5c291c-f380-51a1-9123-73e8b0e8faf8","conference_url":"https://api.media.ccc.de/public/conferences/MCH2022"},{"size":101,"length":2322,"mime_type":"video/webm","language":"eng","filename":"mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2022-07-24T14:21:06.916+02:00","recording_url":"https://cdn.media.ccc.de/events/MCH2022/webm-sd/mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/60151","event_url":"https://api.media.ccc.de/public/events/3a5c291c-f380-51a1-9123-73e8b0e8faf8","conference_url":"https://api.media.ccc.de/public/conferences/MCH2022"},{"size":35,"length":2322,"mime_type":"audio/mpeg","language":"eng","filename":"mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2022-07-24T14:05:59.706+02:00","recording_url":"https://cdn.media.ccc.de/events/MCH2022/mp3/mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/60149","event_url":"https://api.media.ccc.de/public/events/3a5c291c-f380-51a1-9123-73e8b0e8faf8","conference_url":"https://api.media.ccc.de/public/conferences/MCH2022"},{"size":93,"length":2322,"mime_type":"video/mp4","language":"eng","filename":"mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2022-07-24T14:02:38.282+02:00","recording_url":"https://cdn.media.ccc.de/events/MCH2022/h264-sd/mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_sd.mp4","url":"https://api.media.ccc.de/public/recordings/60147","event_url":"https://api.media.ccc.de/public/events/3a5c291c-f380-51a1-9123-73e8b0e8faf8","conference_url":"https://api.media.ccc.de/public/conferences/MCH2022"},{"size":26,"length":2322,"mime_type":"audio/opus","language":"eng","filename":"mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2022-07-24T14:00:04.164+02:00","recording_url":"https://cdn.media.ccc.de/events/MCH2022/opus/mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_opus.opus","url":"https://api.media.ccc.de/public/recordings/60146","event_url":"https://api.media.ccc.de/public/events/3a5c291c-f380-51a1-9123-73e8b0e8faf8","conference_url":"https://api.media.ccc.de/public/conferences/MCH2022"},{"size":288,"length":2322,"mime_type":"video/mp4","language":"eng","filename":"mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2022-07-24T11:25:04.346+02:00","recording_url":"https://cdn.media.ccc.de/events/MCH2022/h264-hd/mch2022-108-eng-Honey_lets_hack_the_kitchen_attacks_on_critical_and_not-so-critical_cyber_physical_systems_hd.mp4","url":"https://api.media.ccc.de/public/recordings/60115","event_url":"https://api.media.ccc.de/public/events/3a5c291c-f380-51a1-9123-73e8b0e8faf8","conference_url":"https://api.media.ccc.de/public/conferences/MCH2022"}]}