SecTor 2025 | Tracing Adversary Steps Through Cyber-Physical Attack Lifecycle

Black Hat, Apr 20, 2026

Why It Matters

Understanding the true complexity of cyber‑physical attacks helps critical‑infrastructure operators prioritize engineering‑focused defenses over superficial threat alerts, reducing the risk of costly physical disruptions.

Key Takeaways

  • Physical system design can nullify cyber intrusions, preventing impact.
  • Attackers often spoof sensor data rather than directly manipulate actuators.
  • Control‑loop logic, not just HMI access, is a critical attack surface.
  • Recent OT attacks reuse old malware; complexity hasn’t increased since 2017.
  • State‑sponsored cyber‑physical operations are increasingly placed under military command.

Summary

The SecTor 2025 presentation examined why breaching a cyber‑physical system does not automatically translate into physical damage. Using recent water‑utility incidents and a live HMI demonstration, the speaker showed that system safeguards—such as valve‑size limits and automatic shut‑offs—can absorb malicious commands, rendering many attacks ineffective.

Key insights highlighted the layered nature of operational technology. Attackers typically spoof sensor readings to trick control algorithms, rather than directly toggling actuators, because control loops enforce state‑based safety checks. The speaker traced the full attack lifecycle, from network infiltration to manipulation of control‑system logic, emphasizing that successful exploitation hinges on understanding engineering constraints, time constants, and physical interdependencies.

Illustrative examples included a chemical‑plant scenario where a tiny purge valve created a physical vulnerability, and a comparison of recent ransomware‑style OT intrusions that merely repackaged the same Triton code used since 2017. The presenter also cited leaked Russian operational documents, noting that cyber‑physical campaigns are now coordinated under military command, a trend mirrored by China and other state actors.

The analysis underscores that the perceived surge in headline‑grabbing OT attacks is largely hype; true high‑impact exploits remain rare and technically demanding. Organizations must shift focus from generic vulnerability scanning to deep assessments of control‑logic integrity, sensor authentication, and safety‑system interlocks, especially as cloud‑based OT services broaden the attack surface.

Original Description

Cyber operations are increasingly being militarized, with cyber commands being moved under national Ministries/Departments of Defense or simply military forces. In this new setting, cyber-physical security is destined to become a potent weapon. But is the mostly civilian defense ready to deal with such a capable adversary?
Ten years ago, at BH USA 2015, I presented a cyber-physical attack lifecycle, the first and to date the only attack lifecycle which specifically describes the steps the attacker needs to take to architect and practically implement an attack that leads to a desired physical impact. After the initial release and highly positive feedback, I further refined the attack lifecycle and extensively verified it on several complex cyber-physical systems such as traffic lights and moving bridge systems. The truth is that, to date, mostly state-associated types of users benefited from the framework, while the civilian sector is still struggling to find pragmatic approaches to cyber-physical risk assessments and adversary emulation exercises. Vendors similarly lack a structured approach to assess their solutions for both exploitability and post-exploitability.
This talk will present the finalized version of the cyber-physical attack lifecycle, with two attack stages, and illustrate its utility with the example of designing a targeted attack on a Real-Time Locating System (RTLS), a class of localization solutions used for, e.g., medical patients' location tracking, safety geofencing, contact tracing, and more. Starting from a vulnerability in a communication protocol and ending with fooling the solution operators, the talk will demonstrate numerous nontrivial hurdles the attacker needs to overcome to reach the desired outcome. Spoiler: math and geometry are involved.
The talk will conclude with a close examination of how rapid advancements in AI technologies are expected to streamline the process of designing high-precision cyber-physical attacks by automating previously manual or highly laborious tasks and partially replacing the need for SME inputs. Last but not least, the talk touches upon the relevant threat landscape in Canada to date.
By: Marina Krotofil | Cyber Security Engineer, Critical Infrastructures, mk|security
Presentation Materials Available at:
