Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Never Trust Your Inputs

979 views

Published on

SAS2016 presentation about how to use special signals to fool ADC (analog-digital converters) in ICS (industrial control systems).

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Never Trust Your Inputs

  1. 1. NEVER  TRUST  YOUR  INPUTS:  DATA  PROCESSING   AS  ATTACK  VECTOR  ON  ICS   Alexander Bolshev & Marina Krotofil
  2. 2. ;  CAT  /DEV/USER   2Security Analyst Summit 2016 Alexander  @dark_k3y  Bolshev,  Ph.D.   Security  Researcher  @  IOAcLve   Assistant  Professor  @  SPbETU  “LETI”   Marina  @marmusha  Krotofil   Security  Researcher  @HoneywellSec  
  3. 3. WorkstaLon   WorkstaLon   Firewall   Modem  Operator  Console   Firewall   SQL  Server   PLC   RTU   Maintenance   File  Server   Webserver   Corporate  LAN   SCADA  network   Webservices   AcLve  Directory   Sensor   VenLl   AcLve  Directory   Engineering   WorkstaLon   Process  LAN   INDUSTRIAL  CONTROL  SYSTEM   3Security Analyst Summit 2016 Physical application
  4. 4. INDUSTRIAL  CONTROL  SYSTEM   4Security Analyst Summit 2016 WorkstaLon   WorkstaLon   Firewall   Modem  Operator  Console   Firewall   SQL  Server   PLC   RTU   Maintenance   File  Server   Webserver   Corporate  LAN   SCADA  network   Webservices   AcLve  Directory   Sensor   VenLl   AcLve  Directory   Engineering   WorkstaLon   Process  LAN   Catastrophic consequence
  5. 5. EQUIPMENT  DAMAGE  AT  NUCLEAR  PLANT   5 h"p://www.controlglobal.com/blogs/unfe"ered/marina-­‐krotofils-­‐presenta;on-­‐on-­‐ how-­‐to-­‐hack-­‐a-­‐chemical-­‐plant-­‐and-­‐its-­‐implica;on-­‐to-­‐actual-­‐issues-­‐at-­‐a-­‐nuclear-­‐plant/   q  Two  iden;cally  built  nuclear  plants.    One  had  flow  induced  vibra;on   issue.  And  another  did  not.   q  The  vibraLons  indicaLon  showed  itself  as  hf  noise   -  Field  engineer  has  filtered  the  signal  to  get  rid  of  annoying  noise   -  Loss  of  view  into  vibra;on  issue  
  6. 6. INDUSTRIAL  CONTROL  SYSTEM   6 Data  flow   Control  decision   0 20 40 60 64 65 66 67 68 69 Time [hours] C Stripper Temperature
  7. 7. IMAGINE  A  FIELD  ARCHITECTURE…   7Security Analyst Summit 2016 Analog control loop Control PLC Actuator Safety PLC/Logger/DAQ/SIS HMI 0V (actuator is OFF) MV – Manipulated Variable What  if  MV  value  on  actuator  will  be  different   from  MV  value  on  logger?   1.5V (actuator is ON)
  8. 8. BUT  IT’S  ANALOG  CONTROL  LINE!   8Security Analyst Summit 2016 It’s  impossible  to  have  two  different  MVs  on  the  same  line  at  the   same  ;me!   Are  you  sure?  
  9. 9. DEMO  VIDEO  
  10. 10. 10Security Analyst Summit 2016
  11. 11. INTRO  TO  ANALOG-­‐TO-­‐DIGITAL   CONVERTERS  (ADC)    
  12. 12. WHAT  IS  ADC?   12 q  Converts  a  con;nuous  analog  signal  (voltage  or  amperage)  to   a  digital  number  that  represents    signal's  amplitude   t x(t)
  13. 13. ADC  IN  A  NUTSHELL   13Security Analyst Summit 2016 QuanLzing   &   Encoding     … •  Frequency   •  Phase   •  Amplitude   Sampling & Holding (S/H) circuit Resolution MSB ADC   Clock uI(t) VREF uI’(t) fs Dn-1 D1 D0 Conversion time f clock
  14. 14. EXPLOITABLE  ADC  LIMITATIONS   14Security Analyst Summit 2016 q  Sampling  frequency  should  follow  Nyquist  rule  (          >  2B)   q  Input  amplitude  range   fs https://svi.nl/AliasingArtifacts
  15. 15. “RACING”  WITH  ADC  CLOCK  
  16. 16. LET’S    SETUP  EXPERIMENT   16Security Analyst Summit 2016 Experimental  setup:   -  Arduino  Leonardo   (Atmega32U4  with  build-­‐in   ADC,  125kHz  int  clock)   -  Si5351  generator   Algorithm:   1.  Generate  square  signal  with   specific  frequency  and  phase,   2.  Read  120  ADC  values  in  row   and  average  them,   3.  Output  to  serial  port  (PC),   4.  Increase  phase  and  frequency,   5.  GOTO  1.  
  17. 17. RESULT   17Security Analyst Summit 2016 What is this?!
  18. 18. STRANGE  AVERAGE  VALUES   18Security Analyst Summit 2016 q  On  Arduino  Leonardo  ADC  divider  is  set  to  the  max    value  128     At  16  Mhz  master  clock  freq,  the  ADC  clock  freq  =  125kHz   q  At  ~125kHz  there  is  a  high  probability,  that  generated  signal  will   be  always  sampled  by  S&H  in  its  max  or  min  amplitude  value     -  Average  signal  value  even  aher  120  conversions  will  be  3.3V  or  0V      
  19. 19. RACING  WITH  ADC  CLOCK   19Security Analyst Summit 2016
  20. 20. LET’S  REPEAT  OUR  EXPERIMENT     20Security Analyst Summit 2016 Frequency  =  around  8.9kHz)  
  21. 21. TIMING  DIAGRAM  EXPLAINS  EVERYTHING   21Security Analyst Summit 2016 conversion time Signal
  22. 22. FROM  ATMEGA32U4  DATASHEET   22Security Analyst Summit 2016 Chapter  24  on  ADC  ,  page  302   125kHz  /  14  ~  8928Hz  (112μs)   We’ve  just  breached  through  sampling  rate   precision  of  the  ADC!  
  23. 23. PROBLEMS  WITH  USING  ADC  IN   SOFTWARE   ADC  access  Lming  
  24. 24. FROM  DEMO:  TWO  DEVICES  &  TWO  DIFF  OUTPUTS   24Security Analyst Summit 2016 Wait,  but  why?  Timing  diagrams  can  explain  ;-­‐)  
  25. 25. EVERYTHING  IS  MUCH  EASIER  IN  ICS  WORLD   25Security Analyst Summit 2016 q  In  many  real-­‐world  ICS  applica;ons  ADC  doesn’t  sample  input   signal  with  highest  possible  frequency   -   Typical  sampling  rate  is  1-­‐100  ;mes  per  second  
  26. 26. HURDLES  OF  THE  ATTACKER   26Security Analyst Summit 2016 q  How  to  figure  out  the  required  phase  and  frequency     to  crah  malicious  signal?     q  Send  some  peak  signals  and  monitor  output  of  the   ADC  (directly/indirectly)   q  E.g.  by  hacking  into  switch  you  can  monitor/control   both  data  flow  to  control  PLC  AND  signals  from  SIS/ Safety  LC/logger/DAQ/etc  
  27. 27. 27Security Analyst Summit 2016 Analog  control  loop   Control  PLC   Actuator   Safety  PLC/Logger/DAQ/SIS   MV  –  Manipulated  Variable   Compromised   industrial  switch   HMI FIGURING  OUT  SIGNAL  PARAMETERS    
  28. 28. ADC  conversion  Lme   PROBLEMS  WITH  USING  ADC  IN   SOFTWARE  
  29. 29. ADC  IN  CRITICAL  APPLICATIONS   29Security Analyst Summit 2016 Be  careful  when  using  ADC  in  criLcal  applicaLons     q  Industrial  PLCs  also  have  analog  inputs  and   built-­‐in  ADCs   q  Let’s  test  at  one  of  the  most  popular  PLCs   S7  1200  
  30. 30. EXPERIMENT   30 Let’s  check  the  real  conversion  Lme  of  S7  1200  ADC   Arduino   Waveform  generator   S7  1200   Analog  signal   S7  Protocol   S7  input  amplitude  Frequency   I2C   Reads  value   from  PLC  every   N  Lme  
  31. 31. 31 Frequency is fixed N=8.3ms   N=9ms   N=7ms   N=4.5ms   N=2.5ms  
  32. 32. 32Security Analyst Summit 2016
  33. 33. WHAT’S  WRONG?   33Security Analyst Summit 2016 Nothing,  really.  You  just  need  to  read  datasheet   more  thoroughly   Text in small letters
  34. 34. INVALID  RANGE  OF  SIGNAL  
  35. 35. BREAKING  SOFTWARE  DEFINED  RANGES  (I)   35Security Analyst Summit 2016 q  Consider  a  5-­‐10V  signal  which  is   consumed  by    ADC  with  ranges  0-­‐15  V   q   What  will  happen  if  you  send  signal   lower  than  5V  or  higher  10V? Time 5   10 V From the real life code: uint8_t  val  =  readADC(0);  //  reading  8-­‐bit  ADC  value  with  ranges  0V  -­‐15  V   val  =  val  –  85;  //  Normaliza;on  -­‐>  85  ==  5  Volts  (255/3)     Any  signal  of  less  them  5  V  (val  <  85)will  cause  integer  overflow  in  val  
  36. 36. BREAKING  HARDWARE  DEFINED  RANGES   36Security Analyst Summit 2016 What  if  the  avacker  sends  signal  outside  of  the  ADS  hardware  defined   range?   q  ADC  will  output  max  value    (all  bit  set  to  1)   q  ADC  might  be  damaged  (did  not  test  out  of  cost  factors  J)   q  Values  on  other    inputs  could  be  distorted    
  37. 37. ATTACK  VECTORS  IN  ICS  SYSTEMS  
  38. 38. DIRECT  ACCESS  ATTACK  TOOLKIT   38 Line  coupling  circuit   (usually  OpAmp/Transformer) Total  setup  cost   50$  (1kHz)  -­‐-­‐  400$  (50MHz)  
  39. 39. ATTACKING  FROM  ICS  DEVICE   39 q Compromising  one  of  the  field  components  (PLC,  sensor,  actuator,   DAQ,  logger,  etc.)   -  Most  MCUs  inside  transmi"ers/actuators  are  capable  of  genera;ng   arbitrary  signals  up  to  500-­‐1000Hz   -  Some  devices  allow  to  generate  signals  of  44kHz  and  above  
  40. 40. ATTACK  FROM  TRANSMITTER   40Security Analyst Summit 2016 HART  transmiver  reference  design  ;-­‐)   DAC with s/r up to 100kHz (smooth sine wave at ~ 5kHz) http://www.tm-eetimes.com/en/accurate-industrial-temperature-measurements-with-loop-powered-transmitter.html? cmp_id=7&news_id=222918850
  41. 41. MITIGATIONS     We’re  at  SAS  axer  all  J    
  42. 42. HARDWARE  MITIGATIONS   42Security Analyst Summit 2016
  43. 43. PUT  ANALOG  LPF  (LOW-­‐PASS  FILTER)  ON  ADC  INPUT     43Security Analyst Summit 2016 q Low-­‐pass  filter  rejects  signals  with  a   frequency  higher  than  its  cutoff   frequency   q Buffer  ADC  input  with  LPF   q Good  design  dictates  ADC  fs  >=  LPF  fc  
  44. 44. LPF  FILTERS  IN  REFERENCE  DESIGNS   44Security Analyst Summit 2016  “We  included  LPF  in  our  design"   ADC  with  fs  >  470Hz   LPF  with  fc  near  15  kHz  
  45. 45. 45Security Analyst Summit 2016 SOLUTION  
  46. 46. FLIP  SIDE  OF  USING  LPF   46Security Analyst Summit 2016 ”Securing”  may  lead  to  more  vulnerabiliLes   q When  adding  LPF  into  an  individual  device,  make  sure  that  all   related  devices  have  the  same  cut-­‐off  frequencies   q E.g.  if  PLC  input  is  buffered  with  LPF  ​ 𝒇↓𝒄  =𝟏 𝒌𝑯𝒛  and  actuator  equipped  with  LPF  with  ​ 𝒇↓𝒄 =𝟓 𝒌𝑯𝒛,  the  a"ack  not  only  possible,  but   the  probability  of  success  increases!  
  47. 47. NOTE:  DIGITAL  LPF  WON’T  WORK!   47Security Analyst Summit 2016 Do not use digital LPF after the ADC! ADC will be already compromised by an ill-intended signal and no digital filter will fix the matters
  48. 48. USE  ADC  WITH  HIGHER  BANDWIDTH/LOWER   CONVERSION  TIME     48Security Analyst Summit 2016 q  Using  ADC  with  higher  sampling  frequency  can  mi;gate   “oversampling”  a"ack  as  the  a"acker  will  have  to  generate   signal  of  much  higher  frequency   q  Genera;ng  >1MHz  signal  and  injec;ng  it  into  analog  line  is  much   harder  than  injec;ng  <  1MHz  signal   -   H/f  signals  subjected  to  greater  a"enua;on  and  more  affected  by   noise  
  49. 49. SCALE  SIGNAL  AMPLITUDE  BEFORE  ADC     49Security Analyst Summit 2016 q  To  avoid  abuse  of  ADC  ranges,  normalize  signal  amplitude  before   feeding  the  signal  to  ADC   -  Simplest  op;on:  voltage  divider  +  OpAmp,     -  Signal  condi;oning  circuits  or    even  dynamic   range  compression          Select  what  is  suitable  for  your  OT  process  
  50. 50. SOFTWARE  MITIGATIONS   50Security Analyst Summit 2016
  51. 51. APPLY  SECURE  CODING  TECHNIQUES     51Security Analyst Summit 2016 q  Scru;nize  your  ADCs/PLC  datasheets  to  figure  out  effecLve   ranges,  conversion  ;me,  frequency  and  other  cri;cal  parameters   q Even  if  it  is  sufficient  to  control  the  process  with  one  value   per  second,  sample  the  signal  with  higher  frequency  and   average  converted  values   q When  receiving  value  from  ADC,  treat  it  as  an  absolute  value   (all  bits  received  from  ADC  are  significant)  
  52. 52. DO  NOT  SLEEP!  (WHILE  WORKING  J)   52Security Analyst Summit 2016 Avoid  wriLng/using    the  following  code  (if  you  don’t  completely   understand  your  process  and  aren’t  completely  sure  about  what  you   are  doing)   Val  =  readADC();   Output(Val);   Sleep(Timeout);  
  53. 53. IT  AND  OT  HAVE  COMMON  PROBLEMS   53Security Analyst Summit 2016 NEVER  TRUST  YOUR  INPUTS  

×