Bryan Singer and Lily Glick start off the S4 Technical Sessions with a great presentation they named The Pragmatic Pwn of ICS. They focus on the engineering aspects of a cyber attack and the defense of a process using a distillation column (making 80 proof vodka) as an example.

They describe a Process Hazards Analysis (PHA) and introduce the concept of a Cyber Security Process Hazards Analysis (CS-PHA). “A PHA establishes criticality, but likelihood only from entropic failure”. A CS-PHA would include directed threats as well.

Some rarely heard but important points made in this presentation include:

  • Properly designed systems will have mechanical devices/processes that will prevent certain hazards (explosion in the column due to too much steam), even if a cyber attacker has complete control.
  • Manual process can be hacked if you know the system well. Trigger alarms that cause the operators or technicians to take the manual action you want taken.
  • Manual verification of true status before potentially dangerous control actions are taken can be an effective defense.
  • Operator rounds can be a detection security control.

There are a lot of gems in this session worth watching for those who generally focus on ICS hacking.