SCADA TROJANSATTACKING THE GRIDRUBEN SANTAMARTA
¿What are we going to talk about?    SCADA / EMS    TROJANS    ATTACKS VECTORS    REVERSE ENGINEERING    ELECTRICAL ENERGY...
THEORY
1. SCADA Supervisory Control And Data Acquisition (Supervisión, Control y Adquisición de Datos). ●   FIELD DEVICES ●   PLC...
2.Electrical Energy System I Biggest industrial system ever ●   TRANSFORMER INVENTION – WIN!     +V -I → Transmission over...
2.Electrical Energy System II Generation Primary Source → Station → Three-Phase AC Generator       → Step up Transformer →...
2.Electrical Energy System III Transmission    Power Lines        Substations
2.Electrical Energy System IV Transmission – Substations I    RUNNING METASPLOIT AGAINST A SUBST. :)
2.Electrical Energy System IV Transmission – Substations II A Substation is a place where we can found ● Interconnection b...
2.Electrical Energy System VTransmission – Substation Automation I  Remote Connection Level ( Routers,Firewalls, Modems......
2.Electrical Energy System V  Transmission – Substation Automation II                       EMS/CC                        ...
2.Electrical Energy System VTransmission – Substation Automation III ● HMI ● One-line diagrams
2.Electrical Energy System VTransmission – Substation Automation IV●   Protocols    ● DNP3    ● Modbus    ● IEC 60870-5-10...
2.Electrical Energy System VDistribution   www.mrsite.com
3. EMS / SCADA  ENERGY MANAGEMENT SYSTEMS I  Computer based tools for...  ● Monitoring     ● Generation  ● Coordinating   ...
2. EMS / SCADA I       ENERGY MANAGEMENT SYSTEMS II                                CC                                     ...
3. EMS / SCADA      ENERGY MANAGEMENT SYSTEMS III                      LOAD MANAGEMENTDataAcquisition           ENERGY MAN...
3. EMS / SCADA  ENERGY MANAGEMENT SYSTEMS III    THE SYSTEM MUST SURVIVE IN ANY CASE      SECURITY CONTROL           DETER...
3. EMS / SCADA  ENERGY MANAGEMENT SYSTEMS IV       SECURITY CONTROL FUNCTIONS          TOPOLOGY PROCESSOR            STATE...
PRACTICE
4.SCADA TROJANS I  YOURE NOT A TARGET   SPONSORED BY STATES,   LARGE CORPORATIONS AND/OR 4CHAN  TWO-STAGE TROJANS  AUTONOM...
4.SCADA TROJANS II YOU NEED TO P0WN THE RIGHT PEOPLE OBTAIN NEEDED INFO REPLICATE THE TARGET DEPLOYMENT YOU CAN USE MONEY,...
4.SCADA TROJANS III ATTACK VECTORS        HARDWARE                    PEOPLE         SOFTWARE
4.SCADA TROJANS IV    CONTEXT    TWO LITTLE COUNTRIES IN CONFLICT    RUBENHISTAN           REGGAETONIA          Tiramisú  ...
4.SCADA TROJANS V OPERATION SNOW-HAMS RUBENHISTANs Secret Service maintains a list of companies that operate Reguetonias f...
4.SCADA TROJANS VI   P0WNING THE SUBSTATION I           PURE FICTIONIts known the company who operates the SubStationimple...
4.SCADA TROJANS VI  P0WNING THE SUBSTATION IIc:windowssystem32bwocxrun.ocx [WebAccess Client]Implements IObjectSafety: Tru...
4.SCADA TROJANS VI P0WNING THE SUBSTATION IIIAfter enticing one of the operators into visiting a speciallycrafted web, our...
TBOX LITE 200 - Ethernet2 counters (I) 6 Analog (I) 4/20mA8 digital (I/O) 2 Temperature (I) 4 relays 230 V ac 3A(O)EMBEDDE...
4.SCADA TROJANS VI P0WNING THE SUBSTATION IV TVIEW                 Basic                           COMPILER               ...
4.SCADA TROJANS VI P0WNING THE SUBSTATION V                                          IP        HEY, IM HERE TO POWN YOU   ...
4.SCADA TROJANS VI P0WNING THE SUBSTATION VI TWF FILES ● Compressed ● Contains code compiled by the original programmer ● ...
4.SCADA TROJANS VI P0WNING THE SUBSTATION VII HEY, TCOMM.DLL USES MODBUS AGAINST YOU       THATS RIGHT. ITS HOW YOU CAN   ...
4.SCADA TROJANS VI    P0WNING THE SUBSTATION VIII  Break on vbscript!COleScript::Compile to modify  TWFs basic code before...
4.SCADA TROJANS VI P0WNING THE SUBSTATION IX    YOU REALIZE EVERYONE CAN SEND YOU        RAW MODBUS REQUESTS?            D...
4.SCADA TROJANS VI   P0WNING THE SUBSTATION X We are already controlling Bay Level and Station Level However, still needed...
4.SCADA TROJANS VI P0WNING THE SUBSTATION XI webvrpcs.exe   port 4592                LANDED!
4.SCADA TROJANS VIIRecalling            Station/Operator p0wned via bwocxrun.ocx            0day            Bay Level p0wn...
ALL AT ONCE
4.SCADA TROJANS VIII     nd THE 2 STAGE I We deploy an autonomous agent to attack the State Estimator. Its goal is generat...
4.SCADA TROJANS VIII      nd    THE 2 STAGE II                        States       Static Data      Dynamic dataMeasuremen...
4.SCADA TROJANS VIII     nd THE 2 STAGE III Why an State Estimator?  Flows → real + reactive  Injections → real + reactive...
4.SCADA TROJANS VIII      nd    THE 2 STAGE IVWe can describe previous measurements as a function of the system states.hi ...
4.SCADA TROJANS VIII     nd THE 2 STAGE V Given the state vector   The following h (x)   are used                         ...
4.SCADA TROJANS VIII     nd THE 2 STAGE VI  ^ = h(x) and ^ = z – z  z     ^      r       ^            ...                 ...
4.SCADA TROJANS VIII     nd    THE 2 STAGE VIIWLS BASED S.E ALGORITHM (Weighted Least Squares )1.Initialize the state vect...
4.SCADA TROJANS VIII     nd THE 2 STAGE VIII  Our trojan must be triggered during the WLS  algorithm. So we have to revers...
// Step 6 - WLS Algorithm - Obtain max value from ∆xkfor ( dword_61C068[0] = 1; v9 > 0; --v9 )   {     dbl_61BFC8 = fabs(*...
TRY IT YOURSELF. PET   http://www.ece.neu.edu/~abur/pet.htm                       l
5.SCADA TROJANS IX MISSION COMPLETED After the successful attack, Reggaetonia suffered random blackouts for months till it...
6.CONCLUSIONS  Trojans designed for SCADA environments,  should do their job stealthly,quietly... letting  operators think...
HACK THE PLANET TAKE YOUR MW!  RUBEN SANTAMARTA  @reversemode
Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]
Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]
Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]
Upcoming SlideShare
Loading in...5
×

Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]

4,622

Published on

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,622
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
159
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]

  1. 1. SCADA TROJANSATTACKING THE GRIDRUBEN SANTAMARTA
  2. 2. ¿What are we going to talk about? SCADA / EMS TROJANS ATTACKS VECTORS REVERSE ENGINEERING ELECTRICAL ENERGY SYSTEM
  3. 3. THEORY
  4. 4. 1. SCADA Supervisory Control And Data Acquisition (Supervisión, Control y Adquisición de Datos). ● FIELD DEVICES ● PLC/RTU/IED ● PROTOCOLS ● HMI / SCADA SERVER
  5. 5. 2.Electrical Energy System I Biggest industrial system ever ● TRANSFORMER INVENTION – WIN! +V -I → Transmission over long distances wikipedia
  6. 6. 2.Electrical Energy System II Generation Primary Source → Station → Three-Phase AC Generator → Step up Transformer → Transmission lines G ●Nuclear ●Hydroelectric ●Photovoltaic/Wind ●Biomass ●...
  7. 7. 2.Electrical Energy System III Transmission Power Lines Substations
  8. 8. 2.Electrical Energy System IV Transmission – Substations I RUNNING METASPLOIT AGAINST A SUBST. :)
  9. 9. 2.Electrical Energy System IV Transmission – Substations II A Substation is a place where we can found ● Interconnection buses for lines ● Step down transformers ● Measurement, protection, interruption and dispatch equipment ● Disconnect Switches ● Load Break Switches ● Circuit Switchers ● Power Fuses ● Circuit Breakers Types of Substations → Transmission → Distribution → Collector → Switching
  10. 10. 2.Electrical Energy System VTransmission – Substation Automation I Remote Connection Level ( Routers,Firewalls, Modems...) HMI Level ( Substation automation software,Server...) Station Level ( LAN, Concentrator,Additional devices...) Bay Level ( IEDs, Protection Devices...) Process Level (Breakers,Switchers,Transformers...)
  11. 11. 2.Electrical Energy System V Transmission – Substation Automation II EMS/CC Remote HMI Station Bay ProcessSubstation Equipment (Breakers,Switchers,Transformers...)
  12. 12. 2.Electrical Energy System VTransmission – Substation Automation III ● HMI ● One-line diagrams
  13. 13. 2.Electrical Energy System VTransmission – Substation Automation IV● Protocols ● DNP3 ● Modbus ● IEC 60870-5-10(1,3,4) ● IEC 61850 ● ICCP ● OPC ● RS-232/485 ● UCA2 MMS ● Vendor specific ● Harris ● Westinhouse ● ABB ● ...
  14. 14. 2.Electrical Energy System VDistribution www.mrsite.com
  15. 15. 3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS I Computer based tools for... ● Monitoring ● Generation ● Coordinating ● Transmission ● Controlling ● Distribution KEY CONCEPT: DECISSION SUPPORT TO OPERATORS
  16. 16. 2. EMS / SCADA I ENERGY MANAGEMENT SYSTEMS II CC CONTROL CENTERFRONT-ENDSCADAFRONT-ENDs SubstationIEDs …RTUs PowerPlant
  17. 17. 3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS III LOAD MANAGEMENTDataAcquisition ENERGY MANAGEMENT SCADA FRONT END AUTO. GEN.CONTROL SECURITY CONTROLSupervisoryControl
  18. 18. 3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS III THE SYSTEM MUST SURVIVE IN ANY CASE SECURITY CONTROL DETERMINE THE STATE OF THE SYSTEM PROCESS CONTINGENCIES DETERMINE PROPER ACTIONS
  19. 19. 3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS IV SECURITY CONTROL FUNCTIONS TOPOLOGY PROCESSOR STATE ESTIMATOR POWER FLOW OPTIMAL POWER FLOW CONTINGENCY ANALYSIS SECURITY ENHACEMENT ... BUS LOAD FORECASTING
  20. 20. PRACTICE
  21. 21. 4.SCADA TROJANS I YOURE NOT A TARGET SPONSORED BY STATES, LARGE CORPORATIONS AND/OR 4CHAN TWO-STAGE TROJANS AUTONOMOUS AGENTS INTELLIGENCE INSIDE... AND OUTSIDE
  22. 22. 4.SCADA TROJANS II YOU NEED TO P0WN THE RIGHT PEOPLE OBTAIN NEEDED INFO REPLICATE THE TARGET DEPLOYMENT YOU CAN USE MONEY,TECHNOLOGY OR BOTH nd SOME DAY, SOMEWHERE THE 2 STAGE WILL BE TRIGGERED
  23. 23. 4.SCADA TROJANS III ATTACK VECTORS HARDWARE PEOPLE SOFTWARE
  24. 24. 4.SCADA TROJANS IV CONTEXT TWO LITTLE COUNTRIES IN CONFLICT RUBENHISTAN REGGAETONIA Tiramisú Gasolinia● REGGAETONIA PLANS TO HOLD THE BIGGEST REGGAETON FESTIVAL EVER.● RUBENHISTAN IS DETERMINED TO STOP IT.
  25. 25. 4.SCADA TROJANS V OPERATION SNOW-HAMS RUBENHISTANs Secret Service maintains a list of companies that operate Reguetonias facilities. RUBENHISTANs Secret Service also consults public open source intelligence sources as a citys urban planning to determine substations coverage. RUBENHISTANs Secret Service launches a Targeted attack against the operators who control a key substation and even the Reguetonias EMS LETS SEE HOW TO PROCEED
  26. 26. 4.SCADA TROJANS VI P0WNING THE SUBSTATION I PURE FICTIONIts known the company who operates the SubStationimplements a HMI client/server software from Advantech. Advantech WebAccess
  27. 27. 4.SCADA TROJANS VI P0WNING THE SUBSTATION IIc:windowssystem32bwocxrun.ocx [WebAccess Client]Implements IObjectSafety: TrueIDisp Safe: Safe for untrusted: caller,dataIPersist Safe: Safe for untrusted: caller,dataIPStorage Safe: Safe for untrusted: caller,data
  28. 28. 4.SCADA TROJANS VI P0WNING THE SUBSTATION IIIAfter enticing one of the operators into visiting a speciallycrafted web, our bwocxrun.ocx exploit worked. We landed.Time to map the Substation network.At Bay level we find CSE-Semaphore RTUs/IEDs http://www.cse-semaphore.com/
  29. 29. TBOX LITE 200 - Ethernet2 counters (I) 6 Analog (I) 4/20mA8 digital (I/O) 2 Temperature (I) 4 relays 230 V ac 3A(O)EMBEDDED HTTP Server, FTP, SNMP, EMAIL ... DNP3, IEC 60870-5 MODBUS ... +40 Drivers http://www.cse-semaphore.com/pdf/brochure_T-BOX-Lite.pdf
  30. 30. 4.SCADA TROJANS VI P0WNING THE SUBSTATION IV TVIEW Basic COMPILER Ladder Logic SECURITY ●MODBUS: (Optional) ACCESS CODE- 4 Hexa Chars. ●HTTP AUTH (Optional) ●CUSTOM PASSWORD PROTECTION VIA SOURCE CODE
  31. 31. 4.SCADA TROJANS VI P0WNING THE SUBSTATION V IP HEY, IM HERE TO POWN YOU OK, BUT FIRST INSTALL THIS ACTIVEX OK, DONE. COOL. DOWNLOAD THESE .TWF FILES
  32. 32. 4.SCADA TROJANS VI P0WNING THE SUBSTATION VI TWF FILES ● Compressed ● Contains code compiled by the original programmer ● VBasic Script code → executed by vbscript.dll ● Propietary Format. Parsed by WebFormParser.dll ● Contains fixed “classes” ● CStationList ● CTagList ● CTag... Inside the TWF, each CTag entry contains its name, MODBUS address and length.
  33. 33. 4.SCADA TROJANS VI P0WNING THE SUBSTATION VII HEY, TCOMM.DLL USES MODBUS AGAINST YOU THATS RIGHT. ITS HOW YOU CAN INTERACT WITH ME MMM, BASIC CODE IS COMPILED AND EXECUTED AT CLIENT-SIDE, EVEN AUTH ROUTINES! WHAT IS CLIENT-SIDE?
  34. 34. 4.SCADA TROJANS VI P0WNING THE SUBSTATION VIII Break on vbscript!COleScript::Compile to modify TWFs basic code before being compiled. compiledREAL EXAMPLEIf txt_Password.Text <> Dlb_SMSPassword.Value Ortxt_password.text = "" Then msgbox "The Password is incorrect!!" & vbCrlf & "Apassord is ...." & vbCrlf & "Contact your local distributor toget the password.",Vbexclamation,"Password" Exit SubEnd IfCHANGE “<>” BY “=” ... WE ARE IN!
  35. 35. 4.SCADA TROJANS VI P0WNING THE SUBSTATION IX YOU REALIZE EVERYONE CAN SEND YOU RAW MODBUS REQUESTS? DONT BE EVIL! Tcomm.dll
  36. 36. 4.SCADA TROJANS VI P0WNING THE SUBSTATION X We are already controlling Bay Level and Station Level However, still needed a vector to the EMS SCADA Front-End + Network Service ( webvrpcs.exe ) MIDA.plw + MIDL.exe + Opcode 0x00 + others...void sub_401000( /* [in] */ handle_t arg_1, /* [in] */ long arg_2, /* [in] */ long arg_3, /* [in] */ long arg_4, /* [size_is][ref][in] */ unsigned char *arg_5, /* [in] */ long arg_6, /* [size_is][ref][out] */ unsigned char *arg_7, /* [ref][out] */ long *arg_8)
  37. 37. 4.SCADA TROJANS VI P0WNING THE SUBSTATION XI webvrpcs.exe port 4592 LANDED!
  38. 38. 4.SCADA TROJANS VIIRecalling Station/Operator p0wned via bwocxrun.ocx 0day Bay Level p0wned via TBOX flawed logic 0day SCADA Front-End p0wned via webvrpcs.exe RPC 0day 3 0days! Almost Stuxnet! ;)
  39. 39. ALL AT ONCE
  40. 40. 4.SCADA TROJANS VIII nd THE 2 STAGE I We deploy an autonomous agent to attack the State Estimator. Its goal is generating unexpected contingencies, which may end up causing a blackout. Operators will deal with fake results. Only “in memory”. Everything else is correct. The entire EMS is no longer operating within a secure state.
  41. 41. 4.SCADA TROJANS VIII nd THE 2 STAGE II States Static Data Dynamic dataMeasurements Topology Prefiltering Processor State Observability Estimation analysis Nonobservable zones Error Error Detection Identification Estimated state Errors HMI
  42. 42. 4.SCADA TROJANS VIII nd THE 2 STAGE III Why an State Estimator? Flows → real + reactive Injections → real + reactive Voltage Current Virtual Measurements Pseudomeasurements
  43. 43. 4.SCADA TROJANS VIII nd THE 2 STAGE IVWe can describe previous measurements as a function of the system states.hi are nonlinear.
  44. 44. 4.SCADA TROJANS VIII nd THE 2 STAGE V Given the state vector The following h (x) are used i Injections Flows
  45. 45. 4.SCADA TROJANS VIII nd THE 2 STAGE VI ^ = h(x) and ^ = z – z z ^ r ^ ... WLS ALGORITHM
  46. 46. 4.SCADA TROJANS VIII nd THE 2 STAGE VIIWLS BASED S.E ALGORITHM (Weighted Least Squares )1.Initialize the state vector x =x0 with the flat voltage profile (Vi =1 pu, θi =0) and the1.iteration counter (k =0).2. Compute the measurement residuals r =z−h(xk ).3. Obtain H and G=HTWH.4. Solve the linear system: ∆xk =G-1 HTW r5. Update the state vector (xk+1 =xk +∆xk ) and the iteration counter (k =k +1).6. If any of the elements of x exceeds the specified convergence threshold then return tostep 2. Otherwise, stop.
  47. 47. 4.SCADA TROJANS VIII nd THE 2 STAGE VIII Our trojan must be triggered during the WLS algorithm. So we have to reverse engineering the target EMS Software to find out where it performs the operations we have been seeing. Due to the complexity of EMS products, we should use tools for “differential debugging”. A great/free tool is “myNav”, implemented as an IDA plugin developed by Joxean Koret. http://code.google.com/p/mynav/
  48. 48. // Step 6 - WLS Algorithm - Obtain max value from ∆xkfor ( dword_61C068[0] = 1; v9 > 0; --v9 ) { dbl_61BFC8 = fabs(*(double *)&dword_61C6A8[2 * dword_61C068[0]]); if ( dbl_61BFC8 > dbl_61BFD0 ) { dbl_61BFD0 = dbl_61BFC8; dword_61C030 = dword_61C068[0]; } ++dword_61C068[0]; } v3 = dbl_61BFD0; if ( dbl_61BFD0 < dbl_937300[0] ) //Max val from ∆xk < Tolerance { dword_61C02C = 1; v43 = 0; goto No_More_iters; } ++dword_94EDF4; --g_K; // iterations if ( g_K <= 0 ) goto No_More_iters; // It didnt converge
  49. 49. TRY IT YOURSELF. PET http://www.ece.neu.edu/~abur/pet.htm l
  50. 50. 5.SCADA TROJANS IX MISSION COMPLETED After the successful attack, Reggaetonia suffered random blackouts for months till its own people ,tired of the situation, assaulted the institutions. Every attempt to contract a considerable amount of MW for reggaeton festivals, ended up in an partial blackout. RUBENHISTAN WINS.
  51. 51. 6.CONCLUSIONS Trojans designed for SCADA environments, should do their job stealthly,quietly... letting operators think still can trust their HMI/equipment. Combined attacks against State Estimators give you 100% success guaranteed. In the near future, a massive adoption of PMU could set a point of inflection. False data injection, nowadays, is more an academic attack than a real world attack IMHO. We have presented a general attack against SE.
  52. 52. HACK THE PLANET TAKE YOUR MW! RUBEN SANTAMARTA @reversemode
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×