Demonstration of a destructive cyber attack vector on “air-gapped” systems

Sept. 21, 2016

All too often, people claim their systems are air-gapped, and therefore have no cyber vulnerability. But Alternating Current (AC) power cords cross the ostensible “air gap”, and power supplies for laptops, servers, ICSs, etc. have rarely been addressed for cyber security vulnerabilities. This demonstration will remotely cyber attack and permanently disable a fully air-gapped system – in this case, a server, a router, and a PLC connected only to each other.

All too often, people claim their systems are air-gapped, and therefore have no cyber vulnerability. But Alternating Current (AC) power cords cross the ostensible “air gap”, and power supplies for laptops, servers, ICSs, etc. have rarely been addressed for cyber security vulnerabilities.

Alex McEachern from Power Standards Laboratory will provide a hands-on demonstration of two types of attack-to-failure of a real, air-gapped ICS at the October ICS Cyber Security Conference (www.icscybersecurityconference.com). McEachern’s demonstration will remotely cyber attack and permanently disable a fully air-gapped system – in this case, a server, a router, and a PLC connected only to each other. Well, that's not quite true: all three would be connected to a power outlet, which will be McEachern’s vector of attack. 

Electrical systems, including ICSs, that claim to be fully air-gapped often aren't, says McEachern. In particular, the ICS takes electrical power from a local network, or Uninterruptible Power Supply (UPS). Power supply engineers who work on power disturbances, like McEachern, can demonstrate certain types of events -- as simple as turning the power off and on in a particular pattern -- that can permanently disable typical off-the-shelf power supplies.  In this case, McEachern will use the Internet to initiate the attack, but that isn’t necessary. McEachern will explain the technical basis of both attacks-to-failure. He will initiate, from his PC, both types of attacks on the air-gapped table-top ICS. He will also briefly discuss how to detect and prevent these types of attacks.

Power supply issues can have real impacts. The attackers in the 2015 Ukrainian hack discovered a network connected to a UPS and reconfigured the UPS so that when the attacker caused a power outage, it was followed by an event that would also impact the power in the energy company’s buildings or data centers/closets. The 2010 San Bruno, CA natural gas pipeline rupture was initiated as a result of the replacement of the SCADA UPS that directly led to the overpressure that burst the weak pipe. Given these actual cases, it should be evident that compromising power supplies can have very significant physical impacts.

This demonstration of a destructive attack on an air-gapped system and the protective relay hacking demonstration (see 9/15/16 blog) have several points in common. Both demonstrations involve physics issues that have been known by industry experts for years. Both demonstrations use cyber means (remote access) to exploit these physics issues. Neither attack vector can be detected by network monitoring as these are not traditional malware attacks. Both demonstrations can use the substation protective relays to initiate the cyber attacks.

Joe Weiss