What I Learned about ICS Security from Cyber-Physical Hacking
Marina Krotofil
DHS ICSJWG, Savannah, USA
28.10.2015
Thanksgiving
Jennifer Sunshine of IOActive for so kindly sponsoring my presence here
Jason Larsen of INL/IOActive for collaboration
Who I am
(Ex)Academic
❑ Self-taught cyber-physical researcher
❑ Bits & pieces of knowledge from all over the world
❑ Collaborations around the world
Thank you everybody
My approach
Industrial Control Systems aka SCADA
Physical application
Cyber-physical systems are IT systems “embedded” in an application in the physical world
Cyber-physical systems
IT-centric security
ICSA-13-274-01: Siemens SCALANCE X-200 Authentication Bypass Vulnerability
ICSA-13-274-01: Schneider Electric Telvent SAGE RTU DNP3 Improper Input Validation Vulnerability
ICSA-15-099-01A: Siemens SIMATIC HMI Devices Vulnerabilities (Update A)
ICSA-12-320-01: ABB AC500 PLC Webserver CoDeSys Vulnerability
ICSA-15-048-03: Yokogawa HART Device DTM Vulnerability
ICSA-15-111-01: Emerson AMS Device Manager SQL Injection Vulnerability
ICS-ALERT-14-323-01: Advantech EKI-6340 Command Injection
ICSA-11-307-01: Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities
ICS-CERT recommendation
IMPACT
Successful exploitation of this vulnerability may allow attackers to perform
administrative operations over the network without authentication.
Impact to individual organizations depends on many factors that are unique
to each organization. ICS-CERT recommends that organizations evaluate the
impact of this vulnerability based on their operational environment,
architecture, and product implementation.
ICSA-13-274-01: Siemens SCALANCE X-200 Authentication Bypass
My first “testbed”
Frozen PLC, lost connection, project does not compile, etc., etc. …
Depression. Fatigue. Apathy.
NEVER TOUCH a WORKING CONTROL SYSTEM
Damn Vulnerable Chemical Process
Tennessee Eastman
process
Vinyl Acetate
process
Time constant of 60 min
[Figure: process response with a 60 min time constant]
Process-centric security
ICS vulnerabilities
[Figure: cyber-physical system with ICS vulnerabilities marked 1, 2 and 3]
Physical layer: process dynamics; sensor and actuator; sensor signal and actuator signal
Control layer: control algorithm; process variable and manipulated variable
Cyber layer: controller, HMI, DB, engineering station, server
[Figure: reference architecture]
Level 0: Process, field instrumentation
Level 1: Regulatory control (PLC, PLC, PLC)
Level 2: Supervisory control (HMI, engineering station)
Level 3: Process management (historian, DCS servers, application servers)
DMZ: publishing server
Corporate network
Lesson #1: ICS stakeholders
Process owners
Asset owners
Shared opinion about each other
Exploiting control features
Surprises from DoS
[Figure: sensors, PLC, actuators and physical process; sample sensor readings (43 45 47 45 43 43 44 43 43 / 90 89 88 91 91 90 89 90 91 / 13 15 17 15 13 13 14 13 13 / 10 17 10 12 10 10 10 10 10) with attack time and attack duration marked; the PLC keeps the values 43, 90, 13, 10 for the attack duration; plot of a process variable over 0-7000]
Stale data
[Figure: reactor pressure (kPa gauge) over 0-30 hours, without attack vs. under attack, attack time marked]
Stale data attack
[Figure: reactor pressure (kPa gauge) over 0-70 hours, without attack vs. under attack]
Vulnerability of the process
Impact of 8h long attack on reactor pressure at random time
[Figures: three runs of reactor pressure (kPa gauge) over time, without attack vs. under attack]
Ordinary glitch
Economic inefficiency
Safety shutdown
Near miss
[1]
Avocado problem
[Figure: sensor signal (kPa gauge) over 0-70 hours with set point]
When to attack?
[Figures: reactor pressure (kPa gauge) over time, without attack vs. under attack, for attacks launched to decrease the process value and to increase the process value]
[1] M. Krotofil, A. Cardenas, J. Larsen, D. Gollmann. Vulnerabilities of cyber-physical systems to stale data—Determining the optimal time to launch attacks (IJCIP, 2014)
Industrial switch
Communication setup (Modbus, DNP, IEC850)
Ethernet my old friend (Hack meeeeee!!!)
How do we do it?
Vulnerability of control equipment
Stale data is a feature!
(and we shamelessly take advantage of it)
❑ Missing process updates are OK; report-by-exception
  o Freeze all points for a particular TCP/IP session with a UDP packet by advancing the sequence number
  o Session is kept alive by sending a UDP packet every 30 seconds to any interface
(This vendor is not vulnerable)
[2] M. Krotofil, J. Larsen. What You Always Wanted and Now Can: Hacking Chemical Processes. Hack in the Box, Amsterdam (2015)
Vulnerability of communication equipment [3]
❑ Eireann Leverett showed bugs in industrial switches
  o Monitor process data
  o Pass only ACK messages to show link as healthy
  o Drop packets with process data
(Illustrative sample of equipment)
[3] E. Leverett. Switches Get Stitches. 31C3 (2014)
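The two slides above describe data-path failures that leave the controller working on stale values: a session whose points are frozen while keepalives keep it looking healthy, and a switch that drops process data while passing only ACKs. The Python below is an added example, not code from the talk or from the DVCP testbeds, showing how a defender can spot that condition from the PLC's own input scans. A real measurement carries noise, so a value that repeats exactly for many scan cycles is suspect on its own, and several tags going stale in the same cycle implicate the shared data path rather than one instrument. The tag names, scan values, the run length and the tag-count threshold are constructed for the illustration.

```python
from collections import defaultdict

# Constructed scan log (not testbed data): nine consecutive PLC input scans of
# five tags. FT-101, PT-201 and TT-301 stop changing at cycle 3, as they would
# if the data path feeding the PLC were frozen; LT-401 keeps moving and only
# repeats a value briefly; SP-201 is a setpoint and is legitimately constant.
SERIES = {
    "FT-101": [43, 45, 47, 45, 45, 45, 45, 45, 45],
    "PT-201": [2803, 2805, 2801, 2804, 2804, 2804, 2804, 2804, 2804],
    "TT-301": [120.4, 120.6, 120.5, 120.3, 120.3, 120.3, 120.3, 120.3, 120.3],
    "LT-401": [10, 17, 10, 12, 10, 10, 10, 11, 10],
    "SP-201": [2800] * 9,
}
SCAN_LOG = [(cycle, tag, value)
            for tag, values in SERIES.items() for cycle, value in enumerate(values)]


def frozen_runs(scan_log, min_run, expected_constant=()):
    """Map each tag to the list of (first_cycle, last_cycle) spans during which
    its value was reported unchanged for at least min_run consecutive cycles.
    A real measurement carries noise, so an exactly repeated value over many
    cycles points to stale data rather than to a quiet process. Tags listed in
    expected_constant (setpoints, mode words) are skipped."""
    by_tag = defaultdict(list)
    for cycle, tag, value in sorted(scan_log, key=lambda r: (r[0], r[1])):
        if tag not in expected_constant:
            by_tag[tag].append((cycle, value))
    runs = {}
    for tag, samples in by_tag.items():
        start = 0
        for i in range(1, len(samples) + 1):
            # a run ends at the first differing sample or at the end of the log
            if i == len(samples) or samples[i][1] != samples[start][1]:
                if i - start >= min_run:
                    runs.setdefault(tag, []).append((samples[start][0], samples[i - 1][0]))
                start = i
    return runs


def simultaneous_freezes(runs, min_tags):
    """Group frozen spans by the cycle in which they began. Several tags going
    stale in the same cycle implicates the shared data path (a frozen session
    or a switch dropping process data) rather than a single instrument."""
    onsets = defaultdict(list)
    for tag, spans in runs.items():
        for first, _ in spans:
            onsets[first].append(tag)
    return {cycle: sorted(tags) for cycle, tags in onsets.items() if len(tags) >= min_tags}


if __name__ == "__main__":
    stale = frozen_runs(SCAN_LOG, min_run=4, expected_constant={"SP-201"})
    for tag, spans in sorted(stale.items()):
        print(f"{tag}: value unchanged over cycles {spans}")
    print("common onset:", simultaneous_freezes(stale, min_tags=2))
```

The run length is the tuning knob: set it from the longest exact repeat seen during known-good operation of each tag, and keep setpoints and other legitimately static points out of the check so they do not drown the alarm in false positives.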
DoS on controller output
[Figure: sensors, PLC, actuators and physical process; sensor readings 43 45 47 45 43 43 44 43 43 / 90 89 88 91 91 90 89 90 91 / 13 15 17 15 13 13 14 13 13 / 60 59 62 60 70 75 80 95 99 with attack time marked; the actuator keeps the saturated output for the attack duration; reactor pressure (kPa gauge) over 0-70 hours with attack duration marked]
Quiz!!
Control via DoS
[Figure: reactor pressure (kPa gauge) and purge (%) over 0-70 hours, “DoS here” marked]
Chain attacks on:
• Several sensors
• Sensors and actuators
Lesson #2: Press isn’t always lying
http://motherboard.vice.com/read/hackers-identify-weak-link-in-thousands-of-industrial-control-systems
But….
Process control security
Security requirements
IT domain vs. ICS domain: civil war
Level   Priority
0       I, A, C
1       A, C, I
2       C & A & I
3       I, A, C
4       A & C, I
5       A, C & I
Support/Maintenance role     Level
Electrical engineers         0, 1, 2, 5
Mechanical engineers         0, 5
Control system engineers     0, 1, 2, 3, 5
Instrumentation engineers    0, 1, 2, 5
Telemetry engineers          3, DMZ, 4, 5
Communication engineers      3, DMZ, 4, 5
IT engineers                 DMZ, 4, 5
Third party contractors      0, 1, 2, 3, DMZ, 4, 5
B. Green, D. Prince, U. Roedig, J. Busby, D. Hutchison. Socio-technical security analysis of Industrial Control Systems (ICS). (ICS-CSR, 2014)
[Figure: PLC, frequency converter, centrifuge; engineering station, HMI, DB; data flow]
Example: attack on process data flow
Data integrity: packet injection; replay; manipulation; hijack …
DoS: DoS; DDoS; flooding; starvation; …
Operator
Net. Admin
“I am not controlling the process!!”
Linkage to cyber assets
Invariants of process control
Controllability
Observability
Two major concepts of modern control system theory (R. Kalman in 1960)
Operability
Process control security requirements
IT domain / Process control
Observability, Controllability, Operability
IT security: CIA. OT security: CO2
Evidence ☺
Process data flow (PLC)
[Figure: D feed (kg/h), reactor pressure (kPa gauge) and A and C feed (kscmh) over 0-72 hours]
(C)IA of data in storage and transit
Courtesy: B. Green, Lancaster University, UK
Attack vectors
Data trustworthiness or veracity
Secure delivery of insecure data
NEVER TRUST YOUR INPUTS
Lesson #3: IT and OT have common problems
InTech, ISA magazine, April 2014
HIMA presentation, October 2014
Instruments calibration
❑ Worst accident in the recent USA history (2005)
❑ 15 killed, 180 injured
❑ Wrong calibration of the splitter tower level indicator
  o It showed that the tower level was declining when it was actually overfilling with flammable liquid hydrocarbons
❑ The further chain of events eventually led to an explosion
BP Texas City refinery accident
http://www.csb.gov/bp-america-refinery-explosion/
Sensor signals spoofing on field device
[Figure: two traces of A and C feed (kscmh) over 0-72 hours, genuine vs. spoofed]
Find X differences
M. Krotofil, J. Larsen, D. Gollmann. The Process Matters: Ensuring Data Veracity in Cyber-Physical Systems (ASIACCS, 2015)
Correlated sensor signals
[Figure: recycle flow (kscmh), reactor feed rate (kscmh) and component A to reactor (mole%) over 0-70 hours]
Correlation entropy
[Figure: sensors {5;6;23} over 0-72 hours]
Signals correlation: LOW / HIGH
Correlation entropy: LOW
Detection
Spoofed signals appear genuine at first glance, but they are not correlated with the rest of the signals in the cluster of related sensors.
[Figure: time-window cluster entropy (bits) over 0-70 hours, alongside sensors {5;6;23}]
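As an added example (not code from the talk or from the ASIACCS paper), the Python below builds the detection the slides describe: a time-window correlation entropy over a cluster of related sensors, which stays low while the sensors move together and rises once one of them is spoofed with a plausible but process-independent value. The entropy formulation used here, the Shannon entropy of the normalised eigenvalues of the window's correlation matrix, is this example's assumption about how to quantify cluster correlation; the three sensor series, the spoofing point, the window size and the 0.5-bit threshold are all constructed.

```python
import math
import random

# Constructed sample cluster (not testbed data): three sensors that all follow one
# shared process variable, with sensor index 2 spoofed from SPOOF_START onwards.
SAMPLES, WINDOW, SPOOF_START = 400, 50, 200


def make_cluster(seed=7):
    """Return three sensor series driven by one shared process variable; from
    SPOOF_START on, sensor 2 is replaced by a flat, plausible-looking value."""
    rng = random.Random(seed)
    driver = [math.sin(2 * math.pi * t / 50) for t in range(SAMPLES)]
    feed_rate = [45 + 5 * d + rng.gauss(0, 0.1) for d in driver]
    recycle = [30 + 3 * d + rng.gauss(0, 0.1) for d in driver]
    a_c_feed = [9 + 0.5 * d + rng.gauss(0, 0.01) for d in driver]
    for t in range(SPOOF_START, SAMPLES):
        a_c_feed[t] = 9.2 + rng.gauss(0, 0.01)  # spoofed: no longer tracks the process
    return [feed_rate, recycle, a_c_feed]


def pearson(x, y):
    """Pearson correlation coefficient; 0.0 if either series is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)


def correlation_matrix(signals):
    n = len(signals)
    return [[1.0 if i == j else pearson(signals[i], signals[j]) for j in range(n)]
            for i in range(n)]


def symmetric_eigenvalues(matrix, sweeps=50):
    """Eigenvalues of a small symmetric matrix by cyclic Jacobi rotations."""
    a = [row[:] for row in matrix]
    n = len(a)
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-18:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1))
                c = 1 / math.sqrt(t * t + 1)
                s = t * c
                for k in range(n):  # A <- A J (rotate columns p and q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- J^T A (rotate rows p and q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]


def correlation_entropy(signals):
    """Shannon entropy (bits) of the normalised eigenvalues of the correlation
    matrix (assumed formulation). The eigenvalues of an n x n correlation matrix
    sum to n, so lambda_i / n is a probability vector: one dominant eigenvalue
    (all sensors move together) gives about 0 bits, n equal eigenvalues
    (independent sensors) give log2(n) bits."""
    n = len(signals)
    h = 0.0
    for lam in symmetric_eigenvalues(correlation_matrix(signals)):
        p = max(lam, 0.0) / n
        if p > 1e-12:
            h -= p * math.log2(p)
    return h


def windowed_entropy(signals, window=WINDOW):
    """[(window_start, entropy_bits), ...] over non-overlapping windows."""
    return [(start, correlation_entropy([s[start:start + window] for s in signals]))
            for start in range(0, len(signals[0]) - window + 1, window)]


def flag_windows(signals, window=WINDOW, threshold=0.5):
    """Start index of every window whose cluster entropy exceeds the threshold
    (bits). The threshold is an assumed tuning value; in practice it is set
    from the entropy observed during known-good operation."""
    return [start for start, h in windowed_entropy(signals, window) if h > threshold]


if __name__ == "__main__":
    cluster = make_cluster()
    for start, h in windowed_entropy(cluster):
        print(f"window {start:3d}-{start + WINDOW - 1:3d}: {h:.3f} bits")
    print("flagged windows:", flag_windows(cluster))
```

With three sensors the clean windows sit near 0 bits and the spoofed windows near 0.92 bits (one sensor independent of the other two leaves eigenvalues of about 2, 1 and 0). The same code works for larger clusters; the ceiling is then log2(n) bits, and the threshold has to be calibrated against the cluster's own baseline rather than taken from this example.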
Data flow, data processing, information
Data processing as attack vector
Data processing and loss of equipment
http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on-how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/
❑ Two identically built nuclear power plants
  o One had flow-induced vibration issues, the other did not
❑ Excessive vibrations exhibited themselves as high-frequency noise in the sensor signals
  o In one plant the noise was filtered out at the source, resulting in loss of view into the vibration indications
❑ The “filtered” plant operated at full power, operating equipment in unsafe conditions
  o This led to loss of equipment
❑ Make data unusable; deceive about process state
❑ Smooth out attack traces (spikes, etc.)
❑ Mislead forensics people
o Also: Time sync attack
Data processing as attack vector
State estimation and sensor placement
https://sites.google.com/a/mix.wvu.edu/pse-deb/research/state-estimation-and-sensor-placement
❑ Sensor placement is determined by process feasibility, safety and economic objectives
  o Very active research area
❑ Attack indications (process impairment) might be unobservable to control system
  o Or unclear to operator
Spread process information over multiple sensors/systems
Use home court advantage
❑ For most reactors optimal operating (economic) efficiency is achieved at upper shutdown pressure limit
  o Attacker can achieve disruptive goal fast
❑ Maintaining safety margin of at least 100 kPa (out of 3000 kPa) is equivalent to a 5% increase in costs (TE process)
Lesson #4: OT security and economy also conflict
❑ Security adds additional constraint on cost optimization function
  o Time to detect and react
  o Additional controls and/or safety protections
Cyber-physical system
Controller
Operator
Socio-technical system
T2 Laboratories accident
❑ Thermal runaway reaction (December 19, 2007)
❑ 4 killed, 28 injured
❑ Failed cooling system, no redundancy
❑ 10 min between the failure and explosion
http://www.csb.gov/t2-laboratories-inc-reactive-chemical-explosion/
Human in the loop
❑ Process & control designs are a function of physics, economy and human factor
http://www.controlglobal.com/articles/2015/a-lasting-plan-for-managing-alarms
Abnormal situation management
❑ Alarm floods
❑ Abnormal communication patterns
❑ Abnormal data flows
Network monitoring strategy?
http://www.asmconsortium.net
Attacker is not almighty
Desired physical consequences vs. instructions to the process
Your wish != My command
Vinyl Acetate Monomer plant
Catalyst for directing and accelerating the reaction
C1C3: Catalyst poisoning attack
Reactants
Product
Catalyst
❑ Lifetime 1-2 years
❑ Low per-pass conversion
  o 15-35% for CH₃COOH and 8-10% for C2H4
❑ Selectivity ≈ 94.8% (C2H4)
Subjected to constant improvement
On purpose low
M. Krotofil. Damn Vulnerable Chemical Process. 31C3 (2014)
Catalyst killer
❑ Hot spots above 200 °C -> permanent deactivation
  o Lower activity at T > 180 °C
Reactor with cooling tubes
It was not possible to raise the temperature in the reactor and maintain it for long enough to cause damage to the catalyst
Alarm propagation
Safety
shutdown
Alarm
Alarm
Security zoning
Include physical environment
Once connected together, physical components become related
to each other by the physics of the process
❑ Physical environment is a communication media!
❑ Components can influence each other even if their control
loops do not communicate electronically
❑ System remains SECURE if updated often
  o E.g. installing patches, updating firmware
❑ System remains SAFE if untouched
  o Any change in software or operational practices requires safety revision
Harmonization of safety & security lifecycles
Use case: Methyl chloride release at DuPont (1 killed)
  o After a maintenance software update (without review) the alarm notifying on a hose change due date “disappeared”
  o A hose used to transfer phosgene from a cylinder to a process catastrophically failed and sprayed a worker in the face
M. Krotofil, J. Larsen. Are you Threatening my Hazards? IWSEC (2014)
Process-aware pentesting
Hacking Chemical Plant for Competition & Extortion
Control
Access
DiscoveryCleanup
Damage
M. Krotofil. Hacking Chemical Plants for Competition and Extortion. Black Hat USA (2015)
J. Larsen. Breakage. Black Hat Federal (2007)
Current: Access centric
• 0days
• Clueless users
• AntiVirus and patch management
• Database links
• Backup systems
• (Vulnerable) Internet facing devices
• Supply chain
Needed: process centric
What and how the process is producing
How it is built and wired
How it is controlled
Target plant and third parties (illegal)
Operating and safety constraints
How much can the attacker figure out about the facility and its operations?
From outside
Most companies aren’t shy about telling everyone about customer contracts
From inside
Piping and instrumentation diagram
Ladder logic / Programmable Logic Controller
Pump in the plant
HAVEX: the server is queried for
tag name, type, access, and id
(ICS-CERT)
Sensor                Safety time, h
                      min      max
A-feed                22.22
E-feed                4.29     2.83
Recycle flow          4.39     9.17
Reactor pressure      8.56
Reactor level         2.37     2.73
Reactor temperature   1.34     0.65
❑ The attacker is likely to design her attack based on information she can easily obtain or what is easy to understand
  o Protect what is most likely to be attacked
Criticality vs. likelihood
Lesson #5: Still likelihood
M. Krotofil, A. Cardenas, J. Larsen, D. Gollmann. Vulnerabilities of cyber-physical systems to stale data—Determining the optimal time to launch attacks (IJCIP, 2014)
Afterword
Industrial Internet of Things (IIoT)
IIoT means you license a pump, and it phones home
regularly to make sure you made your monthly
payments.
Twitter @mtoecker
Your trust in an infrastructure is directly proportional to
how invisible it is to you as an end user.
Twitter @blackswanburst
Miniaturization.
J. Larsen
TE: http://github.com/satejnik/DVCP-TE
VAM: http://github.com/satejnik/DVCP-VAM
Damn Vulnerable Chemical Process
Thank you
marina.krotofil@tuhh.de
@marmusha

More Related Content

Similar to Dhs icsjwg 2015_v3

Datasheet Metrel MI 3202. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Metrel MI 3202. Hubungi PT. Siwali Swantika 021-45850618Datasheet Metrel MI 3202. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Metrel MI 3202. Hubungi PT. Siwali Swantika 021-45850618PT. Siwali Swantika
 
Original IGBT RJP30E4 360V 35A TO-263 New Renesas Panasonic
Original IGBT RJP30E4 360V 35A TO-263 New Renesas PanasonicOriginal IGBT RJP30E4 360V 35A TO-263 New Renesas Panasonic
Original IGBT RJP30E4 360V 35A TO-263 New Renesas Panasonicauthelectroniccom
 
Original IGBT RJP60V0 600V 22A TO-3P New
Original IGBT RJP60V0 600V 22A TO-3P NewOriginal IGBT RJP60V0 600V 22A TO-3P New
Original IGBT RJP60V0 600V 22A TO-3P Newauthelectroniccom
 
Data Teknis Gossen Metrawatt Insulation Tester METRISO PRIME PLUS
Data Teknis Gossen Metrawatt Insulation Tester METRISO PRIME PLUSData Teknis Gossen Metrawatt Insulation Tester METRISO PRIME PLUS
Data Teknis Gossen Metrawatt Insulation Tester METRISO PRIME PLUSPT. Siwali Swantika
 
Alia multi function_calibrator_aca60
Alia multi function_calibrator_aca60Alia multi function_calibrator_aca60
Alia multi function_calibrator_aca60aliagroup
 
Circular Voice Coil Actuator
Circular Voice Coil ActuatorCircular Voice Coil Actuator
Circular Voice Coil Actuatorjuliangoal
 
Datasheet Fluke 115. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Fluke 115. Hubungi PT. Siwali Swantika 021-45850618Datasheet Fluke 115. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Fluke 115. Hubungi PT. Siwali Swantika 021-45850618PT. Siwali Swantika
 
Original IGBT RJP6065DPM 6065 New Renesas
Original IGBT RJP6065DPM 6065 New RenesasOriginal IGBT RJP6065DPM 6065 New Renesas
Original IGBT RJP6065DPM 6065 New Renesasauthelectroniccom
 
Seaward PrimeTest 250 Handheld PAT Tester - Electrical Safety Portable Appliance
Seaward PrimeTest 250 Handheld PAT Tester - Electrical Safety Portable ApplianceSeaward PrimeTest 250 Handheld PAT Tester - Electrical Safety Portable Appliance
Seaward PrimeTest 250 Handheld PAT Tester - Electrical Safety Portable ApplianceThorne & Derrick International
 
Original N-Channel IGBT RJH1CF7RDPQ RJH1CF7RDPQ-80 TO-247 New Renesas
Original N-Channel IGBT RJH1CF7RDPQ RJH1CF7RDPQ-80 TO-247 New RenesasOriginal N-Channel IGBT RJH1CF7RDPQ RJH1CF7RDPQ-80 TO-247 New Renesas
Original N-Channel IGBT RJH1CF7RDPQ RJH1CF7RDPQ-80 TO-247 New Renesasauthelectroniccom
 
Electronic Ballast Tester
Electronic Ballast TesterElectronic Ballast Tester
Electronic Ballast TesterLisun Group
 
Semiconductor equipment tool may 18th 2020
Semiconductor equipment tool may 18th 2020Semiconductor equipment tool may 18th 2020
Semiconductor equipment tool may 18th 2020Emily Tan
 
Datasheet Fluke 113. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Fluke 113. Hubungi PT. Siwali Swantika 021-45850618Datasheet Fluke 113. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Fluke 113. Hubungi PT. Siwali Swantika 021-45850618PT. Siwali Swantika
 
[Case Study] 42.2 kW K-Electric Net Metering Services
[Case Study] 42.2 kW K-Electric Net Metering Services[Case Study] 42.2 kW K-Electric Net Metering Services
[Case Study] 42.2 kW K-Electric Net Metering ServicesZorays Solar Pakistan
 
New CliQ VA Series of DIN Rail Power Supply with Integrated LCD Display for O...
New CliQ VA Series of DIN Rail Power Supply with Integrated LCD Display for O...New CliQ VA Series of DIN Rail Power Supply with Integrated LCD Display for O...
New CliQ VA Series of DIN Rail Power Supply with Integrated LCD Display for O...Delta Electronics Power Supply
 
HYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection WebinarHYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection WebinarEtienne Leduc
 

Similar to Dhs icsjwg 2015_v3 (20)

Datasheet Metrel MI 3202. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Metrel MI 3202. Hubungi PT. Siwali Swantika 021-45850618Datasheet Metrel MI 3202. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Metrel MI 3202. Hubungi PT. Siwali Swantika 021-45850618
 
Original IGBT RJP30E4 360V 35A TO-263 New Renesas Panasonic
Original IGBT RJP30E4 360V 35A TO-263 New Renesas PanasonicOriginal IGBT RJP30E4 360V 35A TO-263 New Renesas Panasonic
Original IGBT RJP30E4 360V 35A TO-263 New Renesas Panasonic
 
Original IGBT RJP60V0 600V 22A TO-3P New
Original IGBT RJP60V0 600V 22A TO-3P NewOriginal IGBT RJP60V0 600V 22A TO-3P New
Original IGBT RJP60V0 600V 22A TO-3P New
 
Aca60 v1.1.8en
Aca60 v1.1.8enAca60 v1.1.8en
Aca60 v1.1.8en
 
Data Teknis Gossen Metrawatt Insulation Tester METRISO PRIME PLUS
Data Teknis Gossen Metrawatt Insulation Tester METRISO PRIME PLUSData Teknis Gossen Metrawatt Insulation Tester METRISO PRIME PLUS
Data Teknis Gossen Metrawatt Insulation Tester METRISO PRIME PLUS
 
Alia multi function_calibrator_aca60
Alia multi function_calibrator_aca60Alia multi function_calibrator_aca60
Alia multi function_calibrator_aca60
 
Circular Voice Coil Actuator
Circular Voice Coil ActuatorCircular Voice Coil Actuator
Circular Voice Coil Actuator
 
Datasheet Fluke 115. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Fluke 115. Hubungi PT. Siwali Swantika 021-45850618Datasheet Fluke 115. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Fluke 115. Hubungi PT. Siwali Swantika 021-45850618
 
Original IGBT RJP6065DPM 6065 New Renesas
Original IGBT RJP6065DPM 6065 New RenesasOriginal IGBT RJP6065DPM 6065 New Renesas
Original IGBT RJP6065DPM 6065 New Renesas
 
Never Trust Your Inputs
Never Trust Your InputsNever Trust Your Inputs
Never Trust Your Inputs
 
Seaward PrimeTest 250 Handheld PAT Tester - Electrical Safety Portable Appliance
Seaward PrimeTest 250 Handheld PAT Tester - Electrical Safety Portable ApplianceSeaward PrimeTest 250 Handheld PAT Tester - Electrical Safety Portable Appliance
Seaward PrimeTest 250 Handheld PAT Tester - Electrical Safety Portable Appliance
 
Original N-Channel IGBT RJH1CF7RDPQ RJH1CF7RDPQ-80 TO-247 New Renesas
Original N-Channel IGBT RJH1CF7RDPQ RJH1CF7RDPQ-80 TO-247 New RenesasOriginal N-Channel IGBT RJH1CF7RDPQ RJH1CF7RDPQ-80 TO-247 New Renesas
Original N-Channel IGBT RJH1CF7RDPQ RJH1CF7RDPQ-80 TO-247 New Renesas
 
Electronic Ballast Tester
Electronic Ballast TesterElectronic Ballast Tester
Electronic Ballast Tester
 
Semiconductor equipment tool may 18th 2020
Semiconductor equipment tool may 18th 2020Semiconductor equipment tool may 18th 2020
Semiconductor equipment tool may 18th 2020
 
Jinko Smart Module with Tigo
Jinko Smart Module with Tigo Jinko Smart Module with Tigo
Jinko Smart Module with Tigo
 
Datasheet Fluke 113. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Fluke 113. Hubungi PT. Siwali Swantika 021-45850618Datasheet Fluke 113. Hubungi PT. Siwali Swantika 021-45850618
Datasheet Fluke 113. Hubungi PT. Siwali Swantika 021-45850618
 
CWBS - Safety Contactors
CWBS - Safety ContactorsCWBS - Safety Contactors
CWBS - Safety Contactors
 
[Case Study] 42.2 kW K-Electric Net Metering Services
[Case Study] 42.2 kW K-Electric Net Metering Services[Case Study] 42.2 kW K-Electric Net Metering Services
[Case Study] 42.2 kW K-Electric Net Metering Services
 
New CliQ VA Series of DIN Rail Power Supply with Integrated LCD Display for O...
New CliQ VA Series of DIN Rail Power Supply with Integrated LCD Display for O...New CliQ VA Series of DIN Rail Power Supply with Integrated LCD Display for O...
New CliQ VA Series of DIN Rail Power Supply with Integrated LCD Display for O...
 
HYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection WebinarHYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection Webinar
 

More from Marina Krotofil

S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsMarina Krotofil
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevMarina Krotofil
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...Marina Krotofil
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...Marina Krotofil
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...Marina Krotofil
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017Marina Krotofil
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017Marina Krotofil
 
New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016Marina Krotofil
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMarina Krotofil
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALMarina Krotofil
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenMarina Krotofil
 

More from Marina Krotofil (15)

S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsics
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsev
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017
 
New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016
 
S4x16_Europe_Krotofil
S4x16_Europe_KrotofilS4x16_Europe_Krotofil
S4x16_Europe_Krotofil
 
presentation_sas2016_V3
presentation_sas2016_V3presentation_sas2016_V3
presentation_sas2016_V3
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control Systems
 
MKAD_black_V2
MKAD_black_V2MKAD_black_V2
MKAD_black_V2
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINAL
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_Larsen
 

Recently uploaded

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Dhs icsjwg 2015_v3

  • 12. Process-centric security
    [Figure: process diagram; the process has a time constant of 60 min]
  • 13. ICS vulnerabilities
    [Figure: layered view of a cyber-physical system. Physical layer: process dynamics, sensor, actuator, process variable, manipulated variable. Control layer: control algorithm, controller, sensor signal, actuator signal. Cyber layer: HMI, DB, engineering station, server. Vulnerability classes marked 1, 2 and 3 are picked up on the following slides.]
  • 14. Lesson #1: ICS stakeholders
    [Figure: reference architecture. Level 0: process and field instrumentation; Level 1: regulatory control; Level 2: supervisory control; Level 3: process management; DMZ; corporate network. Components shown: PLCs, HMI, engineering station, DCS servers, historian, application servers, publishing server.]
    Process owners and asset owners: shared opinion about each other
  • 16. Surprises from DoS
    [Figure: sensor readings flowing through the PLC to the actuators and the physical process. During the attack the PLC keeps working with the last values it received (stale data) while the process keeps moving. Plot: reactor pressure (kPa gauge) over hours, without attack vs. under attack, with attack time and attack duration marked.]
  • 18. Vulnerability of the process (1)
    Impact of an 8 h long attack on reactor pressure, launched at a random time
    [Figure: four reactor pressure plots (kPa gauge vs. hours, without attack vs. under attack), one per outcome: ordinary glitch, economic inefficiency, safety shutdown, near miss]
  • 20. When to attack?
    [Figure: sensor signal (kPa gauge) oscillating around the set point, with labels marking where on the signal to launch the attack to decrease or to increase the process value; next to it the four reactor pressure plots from slide 18.]
    M. Krotofil, A. Cardenas, J. Larsen, D. Gollmann. Vulnerabilities of cyber-physical systems to stale data: Determining the optimal time to launch attacks (IJCIP, 2014)
  • 21. How do we do it?
    Industrial switch; communication setup (Modbus, DNP3, IEC 61850)
    Ethernet, my old friend (Hack meeeeee!!!)
  • 22. Vulnerability of control equipment (2)
    Stale data is a feature! (and we shamelessly take advantage of it)
    ❑ Missing process updates are OK; report-by-exception
      o Freeze all points for a particular TCP/IP session with a UDP packet by advancing the sequence number
      o The session is kept alive by sending a UDP packet every 30 seconds to any interface
    (This vendor is not vulnerable)
    M. Krotofil, J. Larsen. What You Always Wanted and Now Can: Hacking Chemical Processes. Hack in the Box, Amsterdam (2015)
  • 23. Vulnerability of communication equipment (3)
    ❑ Eireann Leverett showed bugs in industrial switches
      o Monitor process data
      o Pass only ACK messages to show the link as healthy
      o Drop packets with process data
    (Illustrative sample of equipment)
    E. Leverett. Switches Get Stitches. 31C3 (2014)
  • 24. DoS on controller output. Quiz!!
    [Figure: the sensor/PLC/actuator diagram from slide 16, now with the DoS on the controller output: the sensor streams keep arriving while the computed output is marked "saturated output". Plot: reactor pressure (kPa gauge) over hours with the attack duration marked.]
  • 25. Control via DoS
    [Figure: reactor pressure (kPa gauge) and purge (%) over hours, with the point of the DoS marked]
    Chain attacks on:
    • Several sensors
    • Sensors and actuators
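Added example, not code from the talk or the DVCP repositories: a toy first-order process with the 60 min time constant of slide 12, a PI controller, an unmeasured slow load disturbance and a hypothetical 3000 kPa interlock. It reproduces the mechanism behind slides 16, 20 and 24 rather than the Tennessee Eastman model: once the PLC works on a stale measurement it keeps integrating a fixed error and walks the actuator in one direction, and how far the process gets in 8 h depends on where in the process cycle the DoS starts. The set point, gains, actuator limits, disturbance and shutdown limit are all assumptions; mode "actuator" freezes the actuator command instead of the measurement.

```python
"""Stale data on a PI loop: added toy model, not the TE simulator."""
import math

TAU = 60.0                  # process time constant, minutes (slide 12)
DT = 1.0                    # PLC scan / simulation step, minutes
SET_POINT = 2800.0          # operating point (think reactor pressure, kPa gauge)
SHUTDOWN = 3000.0           # hypothetical safety interlock limit
U_MIN, U_MAX = 0.0, 4000.0  # actuator range (assumed)
KP, KI = 2.0, 0.1           # PI gains (assumed)
DIST_AMPL, DIST_PERIOD = 50.0, 480.0   # slow load disturbance (constructed)


def disturbance(t):
    """Unmeasured periodic load acting on the process."""
    return DIST_AMPL * math.sin(2 * math.pi * t / DIST_PERIOD)


def simulate(total=1920, attack_start=None, attack_len=480, mode="sensor"):
    """Closed loop; during the attack the PLC keeps using the last value it
    received: a stale measurement ("sensor"), or the actuator keeps the last
    command that got through ("actuator"). Returns the true process variable."""
    y = SET_POINT            # true process state
    integ = 0.0              # integral of the control error
    u_applied = SET_POINT    # what the actuator is really doing
    frozen_m = frozen_u = None
    traj = []
    for t in range(total):
        attacked = attack_start is not None and attack_start <= t < attack_start + attack_len
        m = y                                 # fresh measurement
        if attacked and mode == "sensor":
            if frozen_m is None:
                frozen_m = m                  # last update before the DoS
            m = frozen_m                      # PLC sees a stale value
        e = SET_POINT - m
        integ += e * DT
        u_cmd = SET_POINT + KP * e + KI * integ
        if not U_MIN <= u_cmd <= U_MAX:       # clamp with simple anti-windup
            integ -= e * DT
            u_cmd = min(max(u_cmd, U_MIN), U_MAX)
        if attacked and mode == "actuator":
            if frozen_u is None:
                frozen_u = u_applied          # last command that got through
            u_applied = frozen_u
        else:
            u_applied = u_cmd
        # first-order process response, explicit Euler step
        y += DT / TAU * (u_applied + disturbance(t) - y)
        traj.append(y)
    return traj


def peak_above_setpoint(traj, start, length):
    """Largest excursion above the set point inside the attack window."""
    return max(traj[start:start + length]) - SET_POINT


def time_to_shutdown(traj, start, length):
    """Minutes from attack start until the interlock limit is reached, or None."""
    for k in range(start, start + length):
        if traj[k] >= SHUTDOWN:
            return k - start
    return None


def best_attack_time(candidates=range(480, 960, 10), attack_len=480, mode="sensor"):
    """Launch the same DoS at different moments of one disturbance period and
    compare the damage: the 'when to attack' question of slide 20."""
    outcomes = {}
    for t0 in candidates:
        traj = simulate(attack_start=t0, attack_len=attack_len, mode=mode)
        outcomes[t0] = peak_above_setpoint(traj, t0, attack_len)
    best = max(outcomes, key=outcomes.get)
    worst = min(outcomes, key=outcomes.get)
    return {"best_time": best, "best_peak": outcomes[best],
            "worst_time": worst, "worst_peak": outcomes[worst]}


if __name__ == "__main__":
    quiet = max(abs(v - SET_POINT) for v in simulate())
    print(f"no attack: max deviation {quiet:.1f}")
    for mode in ("sensor", "actuator"):
        r = best_attack_time(mode=mode)
        traj = simulate(attack_start=r["best_time"], mode=mode)
        ttl = time_to_shutdown(traj, r["best_time"], 480)
        print(f"{mode:8s} stale: start t={r['best_time']} -> peak +{r['best_peak']:.0f}, "
              f"shutdown after {ttl} min; start t={r['worst_time']} -> peak +{r['worst_peak']:.0f}")
```

With a frozen measurement the loop is effectively open, so even a badly timed attack lets the disturbance through unopposed; a well timed one (measurement frozen below the set point) adds a steady ramp from the integral term and reaches the interlock well inside the 8 h window, while freezing the actuator command only bounds the excursion to the disturbance swing.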
  • 26. Lesson #2: Press isn’t always lying http://motherboard.vice.com/read/hackers-identify-weak-link-in-thousands-of-industrial-control-systems
  • 30. Civil war
    Level | Priority
    0     | I, A, C
    1     | A, C, I
    2     | C & A & I
    3     | I, A, C
    4     | A & C, I
    5     | A, C & I

    Support/maintenance role  | Levels
    Electrical engineers      | 0, 1, 2, 5
    Mechanical engineers      | 0, 5
    Control system engineers  | 0, 1, 2, 3, 5
    Instrumentation engineers | 0, 1, 2, 5
    Telemetry engineers       | 3, DMZ, 4, 5
    Communication engineers   | 3, DMZ, 4, 5
    IT engineers              | DMZ, 4, 5
    Third-party contractors   | 0, 1, 2, 3, DMZ, 4, 5
    B. Green, D. Prince, U. Roedig, J. Busby, D. Hutchison. Socio-technical security analysis of Industrial Control Systems (ICS). (ICS-CSR, 2014)
  • 31. Example: attack on process data flow
    [Figure: data flow PLC -> frequency converter -> centrifuge, with engineering station, HMI and DB; operator: "I am not controlling the process!!"; network admin]
    Data integrity: packet injection; replay; manipulation; hijack ...
    DoS: DoS; DDoS; flooding; starvation; ...
    Linkage to cyber assets
  • 32. Invariants of process control
    Controllability and observability: the two major concepts of modern control theory (R. Kalman, 1960)
    Operability
  • 33. Process control security requirements
    IT domain vs. process control: observability, controllability, operability
  • 35. Process data flow (PLC)
    [Figure: plots of D feed (kg/h), reactor pressure (kPa gauge) and A and C feed (kscmh) over 72 hours. Courtesy: B. Green, Lancaster University, UK]
    (C)IA of data in storage and transit
  • 36. Attack vectors
    [Figure: the same D feed, reactor pressure and A and C feed plots. Courtesy: B. Green, Lancaster University, UK]
    Data trustworthiness or veracity
    Secure delivery of insecure data
  • 37. Lesson #3: IT and OT have common problems
    NEVER TRUST YOUR INPUTS
  • 38. Instrument calibration
    InTech, ISA magazine, April 2014; HIMA presentation, October 2014
  • 39. BP Texas City refinery accident
    ❑ Worst accident in recent US history (2005)
    ❑ 15 killed, 180 injured
    ❑ Wrongly calibrated splitter tower level indicator
      o It showed that the tower level was declining when the tower was actually overfilling with flammable liquid hydrocarbons
    ❑ The further chain of events eventually led to an explosion
    http://www.csb.gov/bp-america-refinery-explosion/
  • 40. Sensor signal spoofing on the field device
    [Figure: two pairs of A and C feed plots (kscmh over 72 hours), genuine vs. spoofed: "find X differences"]
    M. Krotofil, J. Larsen, D. Gollmann. The Process Matters: Ensuring Data Veracity in Cyber-Physical Systems (ASIACCS, 2015)
  • 41. Correlated sensor signals
    [Figure: recycle flow (kscmh), reactor feed rate (kscmh) and component A to reactor (mole %) over 70 hours, moving together]
  • 42. Correlation entropy
    [Figure: sensors {5; 6; 23} over 72 hours. Mapping shown on the slide: high signal correlation gives low correlation entropy; low correlation gives high entropy.]
  • 43. Detection
    Spoofed signals appear genuine at first glance, but they are not correlated with the rest of the signals in the cluster of related sensors
    [Figure: sensors {5; 6; 23} over 72 hours, and the time-window cluster entropy (bits) over the same period]
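Added example, not code from the talk or the cited paper: a constructed cluster of three physically related signals, a replay attack on one of them in the spirit of slide 40, and a window-by-window cluster entropy as on slides 42 and 43. The metric used here, the Shannon entropy of the normalised eigenvalues of the window correlation matrix, is an assumed choice (the paper's own definition is not on the page); the baseline window count, threshold rule and sensor noise are assumptions too. A frozen sensor (zero variance) is treated as uncorrelated with everything, which is the stale-data case from the earlier slides.

```python
"""Spoofed-sensor detection by cluster correlation entropy (added example)."""
import math
import random
from statistics import mean, pstdev

PERIOD = 120             # samples per swing of the underlying process
WINDOW = 240             # analysis window: two full swings
rng = random.Random(7)   # deterministic sensor noise (constructed)


def make_cluster(n=720, noise=0.05):
    """Three signals tied together by the process, like slide 41's trio."""
    s1 = [math.sin(2 * math.pi * i / PERIOD) + rng.gauss(0, noise) for i in range(n)]
    s2 = [0.8 * v + rng.gauss(0, noise) for v in s1]
    s3 = [-0.5 * v + rng.gauss(0, noise) for v in s1]
    return [s1, s2, s3]


def replay_attack(signals, victim=2, start=480, shift=PERIOD // 4):
    """Replace the victim with its own earlier samples, shifted a quarter swing:
    every value is plausible on its own, but the signal stops following the cluster."""
    spoofed = [s[:] for s in signals]
    genuine = signals[victim]
    for i in range(start, len(genuine)):
        spoofed[victim][i] = genuine[i - shift]
    return spoofed


def pearson(x, y):
    sx, sy = pstdev(x), pstdev(y)
    if sx == 0 or sy == 0:        # frozen (stale) sensor: no co-movement at all
        return 0.0
    mx, my = mean(x), mean(y)
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / (len(x) * sx * sy)


def sym_eigenvalues(a, tol=1e-12, max_sweeps=50):
    """Eigenvalues of a small symmetric matrix by cyclic Jacobi rotations."""
    a = [row[:] for row in a]
    n = len(a)
    for _ in range(max_sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):                       # A <- A G
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                       # A <- G^T A
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]


def correlation_entropy(signals):
    """Cluster entropy in bits: 0 for perfectly correlated signals,
    log2(n) for n mutually uncorrelated ones."""
    n = len(signals)
    corr = [[1.0 if i == j else pearson(signals[i], signals[j]) for j in range(n)]
            for i in range(n)]
    h = 0.0
    for lam in sym_eigenvalues(corr):
        p = max(lam, 0.0) / n        # eigenvalues of a correlation matrix sum to n
        if p > 0:
            h -= p * math.log2(p)
    return h


def suspect_sensor(signals):
    """Index of the sensor with the weakest mean |correlation| to the others."""
    n = len(signals)
    score = [mean(abs(pearson(signals[i], signals[j])) for j in range(n) if j != i)
             for i in range(n)]
    return min(range(n), key=score.__getitem__)


def scan(signals, window=WINDOW, step=60):
    """(window start, cluster entropy) for each sliding window."""
    return [(start, correlation_entropy([s[start:start + window] for s in signals]))
            for start in range(0, len(signals[0]) - window + 1, step)]


def detect(signals, baseline_windows=3, k=3.0):
    """Flag windows above mean + k*sigma of attack-free baseline windows
    (with a floor so a flat baseline does not give a zero threshold)."""
    scores = scan(signals)
    base = [h for _, h in scores[:baseline_windows]]
    threshold = mean(base) + k * max(pstdev(base), 0.05)
    return threshold, [start for start, h in scores if h > threshold]


if __name__ == "__main__":
    spoofed = replay_attack(make_cluster())
    thr, flagged = detect(spoofed)
    print(f"threshold {thr:.2f} bits; flagged windows starting at {flagged}")
    print("suspect sensor in last window:", suspect_sensor([s[-WINDOW:] for s in spoofed]))
```

The replayed signal passes a range or rate-of-change check without trouble; what gives it away is that the dominant eigenvalue of the cluster's correlation matrix splits, so the entropy jumps from a few hundredths of a bit to close to one bit, and the per-sensor score points at the sensor that stopped co-moving.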
  • 46. Data processing and loss of equipment
    ❑ Two identically built nuclear power plants
      o One had flow-induced vibration issues, the other did not
    ❑ Excessive vibrations showed up as high-frequency noise in the sensor signals
      o In one plant the noise was filtered out at the source, resulting in loss of view of the vibration indications
    ❑ The "filtered" plant operated at full power, running equipment in unsafe conditions
      o This led to loss of equipment
    http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on-how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/
  • 47. Data processing as attack vector
    ❑ Make data unusable; deceive about the process state
    ❑ Smooth out attack traces (spikes, etc.)
    ❑ Mislead forensics people
      o Also: time sync attack
  • 48. State estimation and sensor placement
    ❑ Sensor placement is determined by process feasibility, safety and economic objectives
      o Very active research area
    ❑ Attack indications (process impairment) might be unobservable to the control system
      o Or unclear to the operator
    Spread process information over multiple sensors/systems. Use the home court advantage.
    https://sites.google.com/a/mix.wvu.edu/pse-deb/research/state-estimation-and-sensor-placement
  • 49. Lesson #4: OT security and economy also conflict
    ❑ For most reactors optimal (economic) operating efficiency is achieved at the upper shutdown pressure limit
      o Attacker can achieve the disruptive goal fast
    ❑ Maintaining a safety margin of at least 100 kPa (out of 3000 kPa) is equivalent to a 5% increase in costs (TE process)
    ❑ Security adds an additional constraint on the cost optimization function
      o Time to detect and react
      o Additional controls and/or safety protections
  • 51. T2 Laboratories accident
    ❑ Thermal runaway reaction (December 19, 2007)
    ❑ 4 killed, 28 injured
    ❑ Failed cooling system, no redundancy
    ❑ 10 min between the failure and the explosion
    http://www.csb.gov/t2-laboratories-inc-reactive-chemical-explosion/
  • 52. Human in the loop
    ❑ Process & control designs are a function of physics, economy and the human factor
    http://www.controlglobal.com/articles/2015/a-lasting-plan-for-managing-alarms
  • 53. Abnormal situation management
    ❑ Alarm floods
    ❑ Abnormal communication patterns
    ❑ Abnormal data flows
    Network monitoring strategy?
    http://www.asmconsortium.net
  • 54. The attacker is not almighty
  • 56. Vinyl Acetate Monomer plant
    Catalyst for directing and accelerating the reaction
  • 57. C1C3: Catalyst poisoning attack
    [Figure: reactants -> catalyst -> product]
    ❑ Lifetime 1-2 years
    ❑ Low per-pass conversion (deliberately low)
      o 15-35% for CH₃COOH and 8-10% for C2H4
    ❑ Selectivity ≈ 94.8% (C2H4)
    Subject to constant improvement
    M. Krotofil. Damn Vulnerable Chemical Process. 31C3 (2014)
  • 58. Catalyst killer
    ❑ Hot spots above 200 °C -> permanent deactivation
      o Lower activity at T > 180 °C
    [Figure: reactor with cooling tubes]
    It was not possible to raise the temperature in the reactor and hold it long enough to damage the catalyst
  • 61. Include the physical environment
    Once connected together, physical components become related to each other by the physics of the process
    ❑ The physical environment is a communication medium!
    ❑ Components can influence each other even if their control loops do not communicate electronically
  • 62. Harmonization of safety & security lifecycles
    ❑ A system remains SECURE if updated often
      o E.g. installing patches, updating firmware
    ❑ A system remains SAFE if untouched
      o Any change in software or operational practices requires a safety review
    Use case: methyl chloride release at DuPont (1 killed)
      o After a maintenance software update (without review), the alarm notifying of a hose change due date "disappeared"
      o A hose used to transfer phosgene from a cylinder to a process catastrophically failed and sprayed a worker in the face
    M. Krotofil, J. Larsen. Are you Threatening my Hazards? IWSEC (2014)
  • 64. Hacking Chemical Plant for Competition & Extortion
    Attack stages: access, discovery, control, damage, cleanup
    M. Krotofil. Hacking Chemical Plants for Competition and Extortion. Black Hat USA (2015)
    J. Larsen. Breakage. Black Hat Federal (2007)
  • 65. Current: access centric
    • 0days
    • Clueless users
    • Antivirus and patch management
    • Database links
    • Backup systems
    • (Vulnerable) Internet-facing devices
    • Supply chain
  • 66. Needed: process centric
    How much can the attacker figure out about the facility and its operations?
    • What and how the process is producing
    • How it is built and wired
    • How it is controlled
    • Operating and safety constraints
    • Target plant and third parties (illegal)
  • 67. From outside
    Most companies aren't shy about telling everyone about customer contracts
  • 68. From inside
    [Figure: piping and instrumentation diagram; ladder logic; programmable logic controller; pump in the plant]
  • 69. From inside
    [Figure: the same P&ID, ladder logic, PLC and pump as slide 68]
    HAVEX: the server is queried for tag name, type, access, and id (ICS-CERT)
  • 70. Lesson #5: Still likelihood
    Safety time per sensor, in hours, for the min and the max direction:
    Sensor              | min   | max
    A-feed              | 22.22 |
    E-feed              |  4.29 |  2.83
    Recycle flow        |  4.39 |  9.17
    Reactor pressure    |  8.56 |
    Reactor level       |  2.37 |  2.73
    Reactor temperature |  1.34 |  0.65
    ❑ The attacker is likely to design her attack based on information she can easily obtain or that is easy to understand
      o Protect what is most likely to be attacked
    Criticality vs. likelihood
    M. Krotofil, A. Cardenas, J. Larsen, D. Gollmann. Vulnerabilities of cyber-physical systems to stale data: Determining the optimal time to launch attacks (IJCIP, 2014)
  • 72. Industrial Internet of Things (IIoT)
    "IIoT means you license a pump, and it phones home regularly to make sure you made your monthly payments." Twitter @mtoecker
    "Your trust in an infrastructure is directly proportional to how invisible it is to you as an end user." Twitter @blackswanburst
    Miniaturization. J. Larsen
  • 73. Damn Vulnerable Chemical Process
    TE: http://github.com/satejnik/DVCP-TE
    VAM: http://github.com/satejnik/DVCP-VAM
    Thank you
    marina.krotofil@tuhh.de  @marmusha