Through the Eyes of the Attacker: Designing Embedded Systems Exploits for Industrial Control Systems
Jos Wetzels, Marina Krotofil
DEF CON 26, August 11, 2018
Who Are We?
Jos Wetzels
• Independent Security Researcher @ Midnight Blue
• Embedded Systems (ICS, Automotive, IoT, …)
• (Previously) Security Researcher @ UTwente
• Critical Infrastructure / ICS
• @s4mvartaka
• http://www.midnightbluelabs.com
• http://samvartaka.github.io
Marina Krotofil
• ICS/SCADA security professional, focusing on offensive and defensive cyber-physical security
• Previously Principal Analyst at FireEye and Lead Cyber Security Researcher at Honeywell
• @marmusha
• marmusha@gmail.com
• https://www.linkedin.com/in/marina-krotofil
ROADMAP
• Introduction
• ICS Device Exploitation
• Developing ICS Device Implants & OT Payloads
• Conclusions
WARNING: FAST PACED TALK
INTRODUCTION
Industrial Control Systems (ICS)
Also known as SCADA
• Information Technology (IT): computer science
• Operational Technology (OT): engineering; physical process and control equipment
• Physical process: the attacker's end target
Cyber-Physical Attacks
[Image: CYBER → PHYSICAL, illustrated with an oil refinery explosion]
ICS Threat Landscape Has Changed
“Crazy amount of hacking on a daily basis” vs. “Nobody even knows about our existence”
It’s happening: publicly known cyber-physical attacks
• 2010: planned operation to hinder Iran’s nuclear program
• 2013: first publicly known OT recon activities (HAVEX)
• 2015: Ukr. power grid attack (BlackEnergy)
• 2016: Ukr. power grid attack (Industroyer)
• 2017: TRITON, which seems to be a trigger and a tipping point
Recon and weaponization of capabilities
TRITON Attack
Hazards and Layers of Protection
https://www.cyberark.com/threat-research-blog/anatomy-triton-malware-attack/
DCS / SIS Network
An attack on a safety system can cause the MOST DAMAGING outcome of a cyber-physical attack
Triconex (SIL3)
http://iom.invensys.com/EN/pdfLibrary/Datasheet_Triconex_TriconSIL3_06-11.pdf
Triconex is everywhere…[OSINT]
https://www.bluewater.com/fleet-operations/our-fpso-fleet/glas-dowr/
http://software.schneider-electric.com/about-us/success-stories/listing-content/bluewater/
TRITON Attack: Overview
Attacker obtained remote access to SIS work station
https://www.cyberark.com/threat-research-blog/anatomy-triton-malware-attack/
TRITON Payload: Overview
• Eng. Workstation: trilog.exe (script_test.py, library.zip, inject.bin, imain.bin)
• TriStation protocol → controller: imain.bin + inject.bin
Attacker attempted to inject a passive backdoor / remote access trojan into the industrial safety controller (“Your wish is my command”):
- Read arbitrary memory
- Write into memory
- Execute arbitrary code
• Attack scenario depends on attacker goal
• Sometimes this means explosions
• Sometimes it doesn’t
• No need to hit someone with a baseball bat if you want to slap their wrist
• Simple process shutdown / economic disruption might do fine
• Doubles as testing round for offensive ICS toolkit + TTPs …
Attacks on Industrial Systems
M. Krotofil, J. Larsen “Rocking the Pocket Book: Hacking Chemical Plants for Competition and Extortion”, Def Con, 2015
Simple ‘Do Not Press’ HMI Attack
Source: Innergy
http://innergy-global.com/en
More Complex Attacks
TRITON used an implant on Triconex SIS
Process shutdown could’ve been achieved much easier
What’s going on here?
More Complex Attacks
• Industrial processes are complicated and are built to be robust & recoverable
• More complex attacks with significant, lasting damage will be process specific & require good process comprehension
• Will require attacker to develop detailed ‘damage scenario’
• What causes a pipeline to explode?
• What causes the right pipeline to explode?
• What causes the right pipeline to explode at the right moment?
Industrial Attacks Are About Control Loops
[Plot: D Feed (kg/h, 3550–3750) and D feed (%, 62.6–63.6) over 0–70 hours]
Control loop:
• Sensors: measure process state
• Control system: computes control commands for actuators
• Actuators: adjusted to influence process behavior
Industrial Attack Approach (OT Payload)
1. Manipulate the process
• Direct: manipulation of actuators
• Indirect: deceive controller / operator about process state (e.g. spoof sensor)
2. Obtain feedback
• Direct or derived (e.g., via proxy sensors / calculations)
• Often hardest to achieve
3. Prevent response
• Operators: blind / mislead
• Control / safety system: blind about process state; modify operational / safety limits
Where does TRITON fit into all this?
Clandestine Control Loops
• Cyber-Physical Attack is collection of ‘clandestine control loops’
• Cycle of process observation & manipulation to achieve unsafe state
• Attack Timing is Crucial
• Processes aren’t vulnerable all the time
• Many damage scenarios take time to execute
• Attack Coordination is Crucial
• Observation of state A in component B needs to trigger payloads X, Y, Z
• Requires granular control across process
• Manage task quantity & timing
Timing & State Diagrams (TSD)
* Jason Larsen – Hacking Critical Infrastructure like You’re not a n00b – RSA, 2016
Mapping TSD to Devices
* Jason Larsen – Hacking Critical Infrastructure like You’re not a n00b – RSA, 2016
Mapping Devices to Implants
• In order to coordinate all this we will need implants
1. For executing OT payloads
2. For monitoring attack progress & activating OT payloads
• Carrying out attack at device level via implant has additional benefits
• Autonomy in control zone with own TSD logic
• Arbitrary control over device rather than what’s dictated by protocol
• More stealthy: limited network traffic, limited introspection
• Before we can implant a device we have to exploit it
Mapping Devices to Implants
• MPC860, 50 MHz
• 6 MB Flash
• 16 MB DRAM
• 32 KB SRAM
• ARM9, 14 MHz
• 512 KB Boot Flash
• 8 MB RW Flash
• 2 MB SRAM
Will need to fit implant in there
• Signals processing?
• Malicious logic?
• Comms?
Often jam-packed by normal functionality already
You better enjoy programming…
Comparing Attack Strategies
* Jason Larsen – Hacking Critical Infrastructure like You’re not a n00b – RSA, 2016
Ah, so that’s why everything isn’t blowing up all the time …
• This is complicated, expensive stuff
• Ton of engineering know-how, RE, vuln research, exploit & implant dev, testing, …
• High chance of messing up
• Offsets terrible IT / OT security
• Check out ‘Hacking Critical Infrastructure Like You’re Not a N00b’ @ RSAConf 2016 by Jason Larsen
• Let’s walk through the process required for developing a single exploit / implant / payload combo (e.g. TRITON)
ICS DEVICE EXPLOITATION
The Process
1. Obtaining the Necessary Materials
2. Device Teardown & PCB Analysis
3. RE of Engineering Software, Firmware & Protocols
4. Vulnerability Discovery
5. Exploit Development
Obtaining the Necessary Materials (1)
* Schneider Electric
Obtaining Documentation
Obtaining Engineering Software
• From vendor website (or by asking nicely)
• Through asset owners
• If you’re already in their IT / OT network might as well grab a souvenir
• Via sketchy sources on the internet
• Installation CDs sold on Ebay or Alibaba (e.g. 3 USD)
• Loose executables & archives drifting on the web
• Open directories, FTP servers, etc.
Obtaining the Device
• You’re not gonna find this stuff at a yard sale or in the cornershop
• Most ICS equipment is very expensive
• You might want to buy multiple copies for teardown & in case you brick it
• Buy it whole directly from vendor, through strawmen buyers or at a bankruptcy auction
• Try Ebay / Alibaba (sourcing loose parts & putting enough together for it to work)
Obtaining Device Firmware
• Various Options
• Download from Vendor Website
• Extract from Firmware Update Utility
• Extract from Device Flash
• Obtaining firmware can be complicated
• Worst-case scenario: encrypted firmware + chip readout protection requiring bypass & invasive or side-channel attacks
• Not so much for Triconex
• No readout protection on flash. Desolder -> adapter + universal programmer does the trick
• Or get it from firmware manager util
Device Teardown & PCB Analysis (2)
• We need info on
• Microcontroller / SoC used
• Device Functional Domain Divisions (where does what happen?)
• Interesting interfaces like UART / JTAG
• Sometimes we’re lucky
• FCC IDs, public teardowns, etc.
• Triconex: Planning & Installation Guide has block diagrams!
• Sometimes we’re not
• Teardown time
Don’t be afraid of teardowns
* Serge Bazanski, Michal Kowalczyk
ICS Devices are not Magic
* Stephen A. Ridley, Senrio Inc., 2016
Example: Modicon M238 & M340
Typical (simplified) PLC Architecture: MCU with I/O pins and a serial link (Source: www.eevblog.com)
Triconex TMR Architecture
https://www.nrc.gov/docs/ML0932/ML093290420.pdf
Triconex 3008 MP
Reverse-Engineering Protocols (3)
• One of first areas-of-interest in ICS devices
• Often legacy, proprietary protocols
• Ports of old serial protocols retrofitted onto Ethernet
• Control very sensitive functionality
• PLC start / stop, firmware update, control logic download, …
• Might present way into device itself
• RCE!
• We want to know packet structure & semantics
PCAP-Only Analysis
• Comparison to functionally similar documented protocols
• Testing for common encodings & fields
• TLV, length fields, sequential identifiers, checksums, …
• Differential analysis of functional batches of packets
• Entropic analysis of suspected cryptographic fields
• …
“Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns”
– Rob Savoye, FOSDEM 2009
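The PCAP-only checks listed above (constant fields, sequential identifiers, entropy of a suspected cryptographic field, differential analysis of two functional batches) carried out in code. This is an added example, not tooling from the talk: the two packet batches are constructed with an invented layout, so nothing here reflects the TriStation wire format, and every function name is mine.

```python
"""PCAP-only field analysis heuristics, added as an example (not part of the
original talk).  Applies the checks named on the slide, constant fields,
sequential identifiers, entropy of suspected cryptographic fields and
differential analysis of two functional batches, to CONSTRUCTED packets whose
layout is invented for illustration and does not reproduce TriStation or any
other real protocol."""
import math
from collections import Counter

# Constructed batch A: four captures of one message type ("read").
# Hidden layout the heuristics should recover: 2-byte magic, 1-byte function
# code, 2-byte little-endian sequence number, 4-byte token, 2-byte length,
# 4-byte payload.
BATCH_A = [bytes.fromhex(h) for h in (
    "4154 05 1000 8a3f01c2 0004 deadbeef",
    "4154 05 1100 5e7bd904 0004 deadbeef",
    "4154 05 1200 c3a61e57 0004 deadbeef",
    "4154 05 1300 2f90b8e6 0004 deadbeef",
)]
# Constructed batch B: same layout, a different function ("write").
BATCH_B = [bytes.fromhex(h) for h in (
    "4154 06 2000 17e4a9b0 0004 11223344",
    "4154 06 2100 9c02f63d 0004 11223344",
    "4154 06 2200 6bd7c458 0004 11223344",
    "4154 06 2300 e1398a72 0004 11223344",
)]


def _column(batch, offset):
    return [pkt[offset] for pkt in batch]


def constant_offsets(batch):
    """Byte offsets whose value never changes within the batch (magic,
    function code, fixed length, padding)."""
    width = min(len(p) for p in batch)
    return [i for i in range(width) if len(set(_column(batch, i))) == 1]


def counter_offsets(batch):
    """Offsets that increase by exactly one from packet to packet, i.e. the
    low byte of a sequence number or transaction id.  Assumes capture order."""
    width = min(len(p) for p in batch)
    hits = []
    for i in range(width):
        col = _column(batch, i)
        if all((b - a) % 256 == 1 for a, b in zip(col, col[1:])):
            hits.append(i)
    return hits


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte."""
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def field_entropy(batch, start, end):
    """Entropy of the bytes at [start, end) pooled across the batch, and the
    ratio to the maximum possible for that many bytes.  A ratio near 1 means
    the field looks random (nonce, MAC, ciphertext); near 0 means fixed."""
    pooled = b"".join(pkt[start:end] for pkt in batch)
    h = shannon_entropy(pooled)
    h_max = min(8.0, math.log2(len(pooled))) if len(pooled) > 1 else 0.0
    return h, (h / h_max if h_max else 0.0)


def differential_offsets(batch_a, batch_b):
    """Offsets constant inside each batch but different between the batches:
    candidates for the function code, plus any payload bytes specific to that
    function.  Telling the two apart is the analyst's job."""
    shared = set(constant_offsets(batch_a)) & set(constant_offsets(batch_b))
    return sorted(i for i in shared if batch_a[0][i] != batch_b[0][i])


def summarize(batch_a, batch_b):
    """Run every heuristic on batch A, using batch B for the differential;
    offsets 5..9 are the field suspected of being random."""
    return {
        "constant": constant_offsets(batch_a),
        "counter": counter_offsets(batch_a),
        "differential": differential_offsets(batch_a, batch_b),
        "token_entropy": field_entropy(batch_a, 5, 9),
    }


if __name__ == "__main__":
    for key, value in summarize(BATCH_A, BATCH_B).items():
        print(f"{key:>13}: {value}")
```

On the constructed data the differential check returns the function-code offset together with the four payload bytes, which is exactly the ambiguity the slide's "stare at the hex dumps" quote is about: the heuristics narrow the candidates, the analyst still has to decide which one is the opcode.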
Ideally we assist analysis with binary RE
• Want reconstruction to be complete & sound
• Want to write reliable exploits
• PCAP-Only can be incomplete, inaccurate or opaque
• Undocumented / rare behavior, inferred semantics, encryption / compression
• PCAP-Only can damage your sanity
tr1com40.dll
• TriStation (UDP/1502) Comms DLL. Has all the juicy stuff!
• Debug Symbols Present ☺
• Easy semantic mapping of function codes
Protocol RE for Attackers
• Don’t need full RE, only need to understand a few interesting packet types fully
• Attacker cares about crafting an exploit not a full protocol parser
Vulnerability Discovery (4)
• The next step is getting code exec on the device
• Ideally pre-auth vulnerability but
• Pre-auth is a relative concept here…
• ICS Vulns are often byproduct of RE
• Insecure by default, ancient legacy shit, …
• Shake a stick at it & vulns fall out
Example: Moxa NPort W2150A*
• Serial-to-Ethernet/WiFi Converter
• Web Interface
• Broken auth (hashing on client side)
• CMD injection in ping test form
* Thomas Roth, 2017
Example: Opto 22 OPTEMU-SNR-DR2*
• Energy Monitoring & Control Device
• FTP + OptoMMP (unauth)
• Use OptoMMP to disable IP filtering, enable FTP, fetch FTP credentials
• Use FTP to upload firmware & reflash over FTP
• No firmware signing
* David Barksdale, Jeremy Brown, 2016
Example: Modicon Quantum PLC*
• Large PLC for process applications
• FTP with hardcoded creds
• Read / Write configuration, firmware, passwords, …
• Telnet with hardcoded backdoor
• Actually a C interpreter …
• Unauthenticated Proprietary Modbus Extension
• Start / Stop PLC
• Overwrite programmable logic
• …
• Gazillion ways to get code exec
* K. Reid Wightman, Rubén Santamarta, 2011-2012
Example: Advantech EKI-1522*
• Serial-to-Ethernet Converter
• Web Interface
• Unlocking web interface on one PC disables auth for everyone …
• CMD injection in email alert setup
* Thomas Roth, 2017
You get the idea …
TRITON Vulnerability: Execute My Packet Please!
• Vulnerability is freebie of protocol RE: Safety program download functionality
• ‘Start Download Change’ (FC: 0x01)
• ‘Allocate Program’ (FC: 0x37)
• ‘End Download Change’ (FC: 0x0B)
• No authentication
• No control program secure signing
• Right …
Skip directly from RE to XDEV: neat!
Exploit Development (5)
• After finding a suitable vulnerability, we need to craft an exploit to gain code execution, e.g.
• Inserting payload directly into unauthenticated firmware upload
• Use buffer overflow to hijack control-flow to execute payload
• Etc.
TRITON: How to go from downloading safety program to executing arbitrary code on the microcontroller?
Safety & Control Applications
• Developed in IEC 61131-3 (ST, IL, LD, FBD) and CEMPLE
• Get compiled, downloaded & executed on main processor
• Another freebie: no breaking out of sandboxes, exploiting runtimes or hopping across chip perimeters!
TRITON Code Injection
• TRITON does not overwrite original programming but appends to it
• ‘Download Changes’ (0x01) instead of ‘Download All’ (0x00)
Safety logic continues to run without interruption
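From the defender's side, the download function codes above (Download All 0x00 / Start Download Change 0x01, Allocate Program 0x37, End Download Change 0x0B) are the TriStation events worth auditing. The following added example, which is not part of the talk, consumes decoded TriStation (UDP/1502) records, constructed here as (timestamp, source IP, function code) tuples on the assumption that a protocol decoder has already extracted the function code; it records every completed download for review and alerts on downloads from unapproved hosts or outside an approved change window. The policy values, addresses and function names are mine.

```python
"""Defensive monitoring of TriStation (UDP/1502) program downloads, added as
an example and not part of the talk.  Input is a stream of decoded message
records, CONSTRUCTED below as (timestamp, source IP, function code); the
decoded form is an assumption, not the protocol's wire layout.  Every
completed download sequence (Download All 0x00 or Start Download Change
0x01, then Allocate Program 0x37, then End Download Change 0x0B) is recorded
for audit, and an alert is raised when it comes from a host that is not an
approved engineering workstation or starts outside the change window."""
from datetime import datetime, timezone

FC_DOWNLOAD_ALL = 0x00
FC_START_DOWNLOAD_CHANGE = 0x01
FC_END_DOWNLOAD_CHANGE = 0x0B
FC_GET_MP_STATUS = 0x1D            # routine status polling, not a download step
FC_ALLOCATE_PROGRAM = 0x37
START_CODES = {FC_DOWNLOAD_ALL: "Download All",
               FC_START_DOWNLOAD_CHANGE: "Download Change"}

# Constructed site policy: one approved workstation and a morning change window.
APPROVED_WORKSTATIONS = {"10.10.1.5"}
CHANGE_WINDOW = (datetime(2018, 8, 11, 8, 0, tzinfo=timezone.utc),
                 datetime(2018, 8, 11, 12, 0, tzinfo=timezone.utc))


def _t(hour, minute, second=0):
    return datetime(2018, 8, 11, hour, minute, second, tzinfo=timezone.utc)


# Constructed records: an authorised change in the morning, routine polling,
# and a night-time download from a host that is not an engineering station.
RECORDS = [
    (_t(9, 12, 0), "10.10.1.5", FC_START_DOWNLOAD_CHANGE),
    (_t(9, 12, 4), "10.10.1.5", FC_ALLOCATE_PROGRAM),
    (_t(9, 12, 9), "10.10.1.5", FC_END_DOWNLOAD_CHANGE),
    (_t(10, 3, 0), "10.10.1.5", FC_GET_MP_STATUS),
    (_t(22, 15, 0), "10.10.7.23", FC_START_DOWNLOAD_CHANGE),
    (_t(22, 15, 2), "10.10.7.23", FC_ALLOCATE_PROGRAM),
    (_t(22, 15, 6), "10.10.7.23", FC_END_DOWNLOAD_CHANGE),
]


def analyze(records, approved=APPROVED_WORKSTATIONS, window=CHANGE_WINDOW):
    """Track one download state machine per source host.  Returns
    (completed, alerts): completed lists every finished sequence as
    (source, kind, start time); alerts adds the policy reasons."""
    in_progress = {}                # src -> {"kind", "started"}
    completed, alerts = [], []
    for ts, src, fc in sorted(records):
        if fc in START_CODES:
            in_progress[src] = {"kind": START_CODES[fc], "started": ts}
        elif fc == FC_END_DOWNLOAD_CHANGE and src in in_progress:
            seq = in_progress.pop(src)
            completed.append((src, seq["kind"], seq["started"]))
            reasons = []
            if src not in approved:
                reasons.append("source is not an approved engineering workstation")
            if not window[0] <= seq["started"] <= window[1]:
                reasons.append("download started outside the approved change window")
            if reasons:
                alerts.append({"src": src, "kind": seq["kind"],
                               "started": seq["started"], "reasons": reasons})
        # Allocate Program and status polling need no state change here.
    return completed, alerts


if __name__ == "__main__":
    done, alerts = analyze(RECORDS)
    for src, kind, started in done:
        print(f"AUDIT  {started:%H:%M:%S} {src:<12} {kind}")
    for a in alerts:
        print(f"ALERT  {a['started']:%H:%M:%S} {a['src']:<12} {a['kind']}: "
              + "; ".join(a["reasons"]))
```

The audit list is deliberately unconditional: on a safety controller, any program download, approved or not, is an event a reviewer should see, since the Download Change path is what lets a modification land without interrupting the running safety logic.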
Complication: Keyswitch
[Image: the physical keyswitch on the controller]
Complication: Heterogeneity
• Embedded Devices are far more heterogeneous than general purpose ones
• Architectures: ARM, MIPS, PPC, 8086, AVR, V850, 68K, …
• (RT)OSes: VxWorks, ThreadX, QNX, FreeRTOS, MQX, Nucleus, BSD & Linux flavors, custom executives, …
• Triconex: different architectures & ‘OS’ per version
• Triconex 9 (3006): NS32GX32 + TSX
• Triconex 10 (3008): MPC860 + ETSX
• Triconex 11 (3009): Power Architecture e500mc + ETSX
Scaling the attack requires writing / modifying payloads & implants for each version
ICS IMPLANT & OT PAYLOAD DEVELOPMENT
http://iom.invensys.com/EN/Pages/IOM_NewsDetail.aspx?NewsID=78
ICS Implant & OT Payload Development
Alright we can run arbitrary PPC shellcode, now what?
1. Exploitation is just one step among many; for complicated OT payloads we will need to develop an implant.
2. After that we will have to craft an OT payload to do (part of) the actual damage.
ICS Implant Strategies (1)
• Directly implant OT payload or implant backdoor
• Keeps OT payload secret until Zero Hour (‘killswitch’)
• Cross-Boot Persistence
• Requires modifying flash / enough space
• Memory-Residence
• Requires executable RAM
• Reboot = implant gone (safety controller uptime …)
• Complicates forensics
ICS Implant Scalability (1)
• Common Devices Throughout ICS (cross-facility)
• > 18000 Triconex systems in > 80 countries
• Common Software Throughout ICS (cross-vendor)
• Protocol / Connectivity Stacks
• Control Runtimes / RTOSes
• Construct arsenal of exploits & implants against common devices & software stacks
• One time upfront investment, no huge turnover …
TRITON makes more sense as tool in such an arsenal rather than expensive one-off
Reverse-Engineering ICS Firmware
A. Extract Firmware
B. Preprocess the firmware
C. Hunt for interesting functionality
Extracting Firmware (A)
• Determine firmware format & unpack
• Sometimes multiple chip firmwares / data blobs are glued together
• Decompress / Decrypt
• Key might be in firmware util, bootloader, side-channel attacks, etc.
Triconex firmware unencrypted
Preprocessing Firmware (B)
• Obtain the memory map
• ROM
• RAM
• External Memory
• Special Purpose Registers
• Get this from the datasheet
Learn to love datasheets
Source: https://www.nxp.com/docs/en/reference-manual/MPC860UM.pdf
Identifying Base Address (B)
• Need to load blob at right address, how to find it?
• Many roads lead to Rome…
• Chip-Fixed Address
• RE update utility
• Extract from IVT / bootloader
• Extract from self-relocating code, jump tables or string tables
Example: RTU Firmware (ARM) (B)
Source: https://www.keil.com/pack/doc/CMSIS/Core_A/html/group__CMSIS__CPSR.html#details
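One way to recover the base address of a raw ARM image using two of the roads above, the interrupt vector table and string-table cross-references. This is an added example, not the talk's own tooling: the firmware blob is constructed, `TRUE_BASE` exists only to build it, and the function names (`arm_vector_handlers`, `string_starts`, `vote_bases`, `find_base`) are mine.

```python
"""Base-address recovery for a raw firmware blob, added as an example (not
the talk's own tooling).  Two of the roads named on the slide are combined:
(1) parse an ARM exception vector table whose entries are `LDR PC, [PC, #imm]`
and read the absolute handler addresses from the literal pool; (2) let every
(32-bit word, string start) pair in the blob vote for the load address that
would make the word point at that string, a string-table cross-reference
heuristic.  The image is CONSTRUCTED; TRUE_BASE is only used to build it."""
import struct
from collections import Counter

TRUE_BASE = 0x0800_0000
STRINGS = [b"ETSX", b"MP_DIAG", b"NET_RX", b"WATCHDOG", b"TRISTATION", b"SCAN_TASK"]


def build_sample_blob():
    """Little-endian ARM image: 8 vectors, literal pool, NOP handler stubs, a
    string table at 0x100 and a pointer table at 0x200 referencing it."""
    img = bytearray(0x240)
    for i in range(8):
        struct.pack_into("<I", img, i * 4, 0xE59FF018)          # LDR PC, [PC, #0x18]
        struct.pack_into("<I", img, 0x20 + i * 4, TRUE_BASE + 0x40 + i * 0x10)
    for off in range(0x40, 0xC0, 4):
        struct.pack_into("<I", img, off, 0xE1A00000)            # MOV R0, R0 (NOP)
    off = 0x100
    for idx, s in enumerate(STRINGS):
        img[off:off + len(s)] = s                               # zero fill is the NUL terminator
        struct.pack_into("<I", img, 0x200 + idx * 4, TRUE_BASE + off)
        off += len(s) + 1
    return bytes(img)


def arm_vector_handlers(blob):
    """Absolute handler addresses if the first eight words are
    `LDR PC, [PC, #imm]` (0xE59FFxxx); None if the table has another form."""
    handlers = []
    for i in range(8):
        insn = struct.unpack_from("<I", blob, i * 4)[0]
        if insn & 0xFFFFF000 != 0xE59FF000:
            return None
        literal = i * 4 + 8 + (insn & 0xFFF)                    # PC reads as insn + 8
        handlers.append(struct.unpack_from("<I", blob, literal)[0])
    return handlers


def string_starts(blob, min_len=4):
    """Offsets where a printable, NUL-terminated string of at least min_len
    characters begins (at offset 0 or right after a NUL)."""
    starts, i, n = set(), 0, len(blob)
    while i < n:
        if 0x20 <= blob[i] < 0x7F and (i == 0 or blob[i - 1] == 0):
            j = i
            while j < n and 0x20 <= blob[j] < 0x7F:
                j += 1
            if j < n and blob[j] == 0 and j - i >= min_len:
                starts.add(i)
            i = j + 1
        else:
            i += 1
    return starts


def vote_bases(blob, align=0x1000):
    """Each (word, string start) pair implies base = word - start; only
    aligned, non-negative bases are counted."""
    votes = Counter()
    starts = string_starts(blob)
    for off in range(0, len(blob) - 3, 4):
        word = struct.unpack_from("<I", blob, off)[0]
        for s in starts:
            base = word - s
            if base >= 0 and base % align == 0:
                votes[base] += 1
    return votes


def find_base(blob, align=0x1000):
    """Best-voted base that is also consistent with the vector table (every
    handler must fall inside the image).  Returns (base, votes) or (None, 0)."""
    handlers = arm_vector_handlers(blob)
    for base, n in vote_bases(blob, align).most_common():
        if handlers is None or all(base <= h < base + len(blob) for h in handlers):
            return base, n
    return None, 0


if __name__ == "__main__":
    blob = build_sample_blob()
    base, n = find_base(blob)
    print("vector handlers:", [hex(h) for h in arm_vector_handlers(blob)])
    print(f"base 0x{base:08x} with {n} string cross-references")
```

On a real image, loosen `align` if the vendor's load address is not page-aligned, switch the struct format to `">I"` for big-endian parts, and expect the vector check to apply only to tables built from `LDR PC` literals (tables that are plain stacks of addresses need a different parser). The voting idea is the same one the slide's "jump tables or string tables" road relies on: pointers into the image only line up with their targets at the correct base.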
Reconstructing Code & Data Topology (B)
• Firmware images usually not neat executable formats (PE, ELF, Mach-O)
• Will have to heuristically identify functions, strings, jump tables, structs, etc.
Upside: you don’t need to fully RE firmware, only up until readiness for next step
Hunt for Interesting Functionality (C)
• Want to RE in sniper fashion
• Control runtime
• Protocol parsers
• Comms & Peripheral IO handlers
• Security / Safety / Sanity-Checking Functionality
Reverse-Engineering ICS Firmware
What does this look like for Triconex 3008?
Triconex 3008 V10.3 MP Firmware
• PowerPC: nice, Hex-Rays decompiler available
• Not substitute for reading disasm but eases navigation
• Uses ETSX 6236, tiny custom OS with 27 syscalls.
• Some sparse documentation exists (NRC)
Source: United States Nuclear Regulatory Commission, Document number NTX-SER-09-10, Page 96
Enhanced Tricon System Executive (ETSX)
Triconex Firmware RE Targets
• Memory Layout & Management
• For memory residence
• Consistency Checks & Diagnostics Functionality
• For implant stability
• Network Command Dispatchers Functionality
• For implant comms
• Privilege Mode Management
• For privilege escalation
• (possibly) Scan Task I/O Transfers + Safety Program Storage / Running
• For OT payload
THE TRITON IMPLANT
TRITON Multi-Stage Payload
* ICS-CERT Report on HATMAN
• Stage 1: Argument-Setter
• Stage 2: Implant Installer (inject.bin)
• Stage 3: Backdoor Implant (imain.bin)
• Stage 4: Missing OT Payload
Payload Stage 1: Argument-Setter
• Egghunt for Control Program (CP) fstat field, sanity tests writing, uses it for stage 2 FSM control
Source: ICS-CERT MAR-17-352-01 HatMan—Safety System Targeted Malware (Update A)
Payload Stage 2: Full FSM
* ICS-CERT Report on HATMAN
Payload Stage 2: PrivEsc Exploit
*0x19AC68 = 0x9002
• What’s happening here? What lives at 0x19AC68?
• ETSX syscall invocation (re)stores SRR1 here (saved MSR)
• Why overwrite MSR with 0x9002?
• Bit 17 of MSR will be 0
Source: https://www.nxp.com/docs/en/reference-manual/MPC860UM.pdf
Payload Stage 2: Implant Installer
* ICS-CERT Report on HATMAN
Requires Supervisor Privileges
Payload Stage 2: Relocate Backdoor
Ensures residence even with full program wipe
Payload Stage 2: Install TriStation Handler
• Entry 0x1D (Get MP Status)
• Allows for network comms
Payload Stage 2: Disable Diagnostics
Originally conditional branch
Payload Stage 3: Backdoor Implant
* ICS-CERT Report on HATMAN
Payload Stage 4: OT Payload?
• Once backdoor is injected, we have god mode
• Still need OT payload to carry out ‘meat’ of the attack
• Not recovered from incident, hard to determine attack (sub) goal
• Asset owner can make educated guess, we can only speculate …
• Which we will!
Possible TRITON OT Payloads (2)
[Highlighted branch of the attack approach: 3. Prevent response → Control / Safety System: modify operational / safety limits, blind about process state]
Engineering
A. I/O SPOOFING
Source: Wikimedia commons
OT PAYLOAD: I/O SPOOFING
[Diagram: Measurement Instrumentation → Input Signal → Controller → Output Signal; I/O TRANSLATION]
Source: Ghost in the PLC – Ali Abbasi, Majid Hashemi, BlackHat EU 2016
Triconex MP I/O
Example: Wago PFC 200 + 8CH DIO
• ARM Cortex A8 + Real-Time Linux
• CODESYS runtime (TCP/2455)
• Runs as root
• V2.4.7 has unauth arbitrary file read/write vuln*
• Use CPU debug registers to catch access to memory mapped IO
• Custom exception handler changes pin mode from output to input to prevent outgoing writes to ‘actuator’
* https://www.sec-consult.com/en/blog/advisories/wago-pfc-200-series-critical-codesys-vulnerabilities/
Source: Ghost in the PLC – Ali Abbasi, Majid Hashemi, BlackHat EU 2016
DEMO: I/O Spoofing Attack
B. ALARM SUPPRESSION
OT PAYLOAD: ALARM SUPPRESSION
[Diagram: Alarm, Alarm, Safety shutdown; Goal: catalyst deactivation]
Engineering
HIDING ALARMS
SUPPRESSING ALARMS
Example: Triconex Safety View
• PC-based HMI
• Management & bypass of priority 1 alarms
• Each HMI function is mapped to Triconex logic function blocks
Source: Invensys / Schneider Electric
Example: Triconex Alarm FBs
• Consider simple water tank level alarm
• OR of measurement DIs -> alarm DO
Example: Suppressing Alarms
• Safety Program resides in-memory as code
• OT payload can modify instructions to set alarm to fixed FALSE
• Stored program on flash remains untouched
• Attacker needs to know
1. Where program lives in memory
2. Which instructions of program to modify
Example: Finding Safety Program
• Programs stored as circular linked list
Example: Analyzing Safety Program
Example: Hot-Patching Safety Program
Example: Alarm Suppression
More Speculation Ahead: Why Did The Attack Fail?
Option A: b0rked payload?
• Failed PrivEsc / Backdoor allows for raw RWX
• You read / write / execute the wrong thing in the wrong place …
• Getting into a fight with the watchdog
• Very common embedded way to shoot yourself in the foot
• Missed diagnostics?
Source: https://betterembsw.blogspot.com
Option B: TMR?
https://patentimages.storage.googleapis.com/5a/1a/88/f75a93ace8c548/US8037356.pdf
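To make Option B concrete, and to tie it back to the alarm-suppression example earlier (alarm DO forced to a fixed FALSE), here is a generic 2-out-of-3 voter with per-module discrepancy tracking. This is an added example and not Triconex's voting or diagnostic logic, which the talk does not describe; the scan data is constructed and the class and function names are mine.

```python
"""Generic 2-out-of-3 (2oo3) majority voting with per-module discrepancy
tracking, added as an illustration (not Triconex's actual voting or
diagnostic logic) of why a change present on only one of three redundant
processors is both outvoted and visible.  The per-scan data is CONSTRUCTED:
each module computes an alarm DO as the OR of its level DIs, and from scan 2
on one module returns a fixed False instead."""
from collections import Counter


class Voter2oo3:
    def __init__(self, fault_threshold=3):
        # consecutive disagreements before a module is declared faulted
        self.fault_threshold = fault_threshold
        self.mismatch_streak = [0, 0, 0]
        self.faulted = set()

    def vote(self, outputs):
        """outputs: the three modules' proposed output for one scan.
        Returns (voted_output, disagreeing_modules); voted_output is None
        when no two modules agree."""
        value, count = Counter(outputs).most_common(1)[0]
        voted = value if count >= 2 else None
        disagreeing = [i for i, v in enumerate(outputs) if voted is None or v != voted]
        for i in range(3):
            if i in disagreeing:
                self.mismatch_streak[i] += 1
                if self.mismatch_streak[i] >= self.fault_threshold:
                    self.faulted.add(i)
            else:
                self.mismatch_streak[i] = 0
        return voted, disagreeing


def alarm_logic(level_dis):
    """Healthy module logic: alarm DO = OR of the level DIs."""
    return any(level_dis)


def run_scans(scans, tampered_module=2, tampered_from_scan=2):
    """Simulate three modules over constructed DI snapshots.  Returns
    (voted output per scan, final faulted set, first scan with a mismatch)."""
    voter = Voter2oo3()
    voted_outputs, first_disagreement = [], None
    for n, dis in enumerate(scans):
        outputs = [alarm_logic(dis)] * 3
        if n >= tampered_from_scan:
            outputs[tampered_module] = False        # fixed-FALSE alarm on one module only
        voted, disagreeing = voter.vote(outputs)
        voted_outputs.append(voted)
        if disagreeing and first_disagreement is None:
            first_disagreement = n
    return voted_outputs, voter.faulted, first_disagreement


# Constructed level DIs (high-level switches) per scan: the tank goes high at scan 2.
SCANS = [(False, False), (False, False), (True, False),
         (True, True), (True, True), (True, True)]

if __name__ == "__main__":
    print(run_scans(SCANS))
```

The point for the "why did it fail" question is the second return value: the alarm still trips because two healthy modules outvote the modified one, and the modified module accumulates a mismatch streak that any diagnostic comparing module outputs can act on. Whether Triconex behaves this way in detail is exactly the speculation the slide leaves open.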
CONCLUSIONS
TRITON Cost & Complexity Assessment
• Obtaining Necessary Materials
• Documentation: public, very detailed (NRC)
• Engineering Software: mostly free (sketchy websites) or cheap
• Triconex Setup: > $7500 (used), > $20000 (new) [xN for bricking]
• 1x Chassis + 1x PWS + 3x MP + 1x TCM + 1x IO
• Firmware: In update util / flash, unencrypted
• Protocol RE / Vulnerability Discovery
• Prior work on TSAA / TriStation relation (B. Lim et al., January 2017)
• Engineering software with debug symbols
• Unauthenticated protocol with sensitive functionality
TRITON Cost & Complexity Assessment
• Exploit Development
• No safety / control program signing
• Program compiled for & executed directly on main processor
• Keyswitch has to be in program mode
• Implant Development
• Required (simple) Privesc Exploit
• Required deep firmware RE
• No Triconex attestation / introspection (internal monitoring)!
• TMR / Diagnostic Self-Tests
• OT Payload Development
• Hardest part: deep firmware RE + understand position of particular SIS instance in process
TRITON Attacker Investment Risk
• Vulnerability Discovery & Exploit Development: low
• Easy RE, no real VD or XD
• Scales well beyond target to all Triconex
• Implant Development: medium
• RE investment but scales at least within Triconex V10 with address mods
• OT Payload Development: high
• Likely doesn’t scale beyond facility
• Requires comprehensive (and difficult) OT recon
• Complicated to test (do it live? $$$ lab setup?)
Open Questions
• If part of broader ICS arsenal, where’s the rest?
• In what light should TRITON dev cost be seen?
• Expensive for a one-off, cheap for a scalable one-time upfront?
• What does the attack failure tell us?
• Implant development = Software development = 99% Frustration
• Maybe stability sacrificed in R&D cost/benefit judgement?
• If or when for copycats?
• Either of TRITON or as blueprint against other SIS
Thank You Note
• Ali Abbasi, Uni Bochum, Germany
• Thorsten Holz, Uni Bochum, Germany
• Felix ‘FX’ Lindner, Recurity Labs
• Various security community folks who kindly contributed to our knowledge and experience
TOOLKIT
• Disassemblers / Decompilers: IDA, Radare2, Binary Ninja, Capstone Engine, Hopper, RetDec
• Debuggers: GDB, WinDBG, OllyDbg, Immunity Debugger
• Emulators: Unicorn Engine, Qemu
• Raw File Analysis Tools: Unix file, multidiff, any hex editor, file carvers
• Firmware Analysis Tools: binwalk, FACT, IDAPython Embedded Toolkit, FIRMADYNE, BinCAT, BinDiff, Diaphora
• NOTE: You’ll end up writing a ton of IDAPython scripts (‘one-off’ or not)
• NOTE: You’ll also spend ages finding tools / info on weird & ancient chips
Questions?
@s4mvartaka
j.wetzels@midnightbluelabs.com
www.midnightbluelabs.com
@marmusha
marmusha@gmail.com

ExpertsLiveNL - Post Breach Security with ATA or ATPExpertsLiveNL - Post Breach Security with ATA or ATP
ExpertsLiveNL - Post Breach Security with ATA or ATPTim De Keukelaere
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersDragos, Inc.
 
Automotive Cyber-Security Insights learned from IT and ICS/SCADA
Automotive Cyber-Security Insights learned from IT and ICS/SCADAAutomotive Cyber-Security Insights learned from IT and ICS/SCADA
Automotive Cyber-Security Insights learned from IT and ICS/SCADAGilad Bandel
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
Best Practices in IBM i Security
Best Practices in IBM i SecurityBest Practices in IBM i Security
Best Practices in IBM i SecurityPrecisely
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)TI Safe
 

Similar to Defcon through the_eyes_of_the_attacker_2018_slides (20)

TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Security Issues in Internet of Things
Security Issues in Internet of ThingsSecurity Issues in Internet of Things
Security Issues in Internet of Things
 
S4x20 Forescout Presentation
S4x20 Forescout Presentation S4x20 Forescout Presentation
S4x20 Forescout Presentation
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433
 
ExpertsLiveNL - Post Breach Security with ATA or ATP
ExpertsLiveNL - Post Breach Security with ATA or ATPExpertsLiveNL - Post Breach Security with ATA or ATP
ExpertsLiveNL - Post Breach Security with ATA or ATP
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS Defenders
 
Automotive Cyber-Security Insights learned from IT and ICS/SCADA
Automotive Cyber-Security Insights learned from IT and ICS/SCADAAutomotive Cyber-Security Insights learned from IT and ICS/SCADA
Automotive Cyber-Security Insights learned from IT and ICS/SCADA
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Best Practices in IBM i Security
Best Practices in IBM i SecurityBest Practices in IBM i Security
Best Practices in IBM i Security
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
 

More from Marina Krotofil

S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsMarina Krotofil
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevMarina Krotofil
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...Marina Krotofil
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...Marina Krotofil
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...Marina Krotofil
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017Marina Krotofil
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017Marina Krotofil
 
New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016Marina Krotofil
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMarina Krotofil
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALMarina Krotofil
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenMarina Krotofil
 

More from Marina Krotofil (15)

S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsics
 
Dhs icsjwg 2015_v3
Dhs icsjwg 2015_v3Dhs icsjwg 2015_v3
Dhs icsjwg 2015_v3
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsev
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017
 
New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016
 
S4x16_Europe_Krotofil
S4x16_Europe_KrotofilS4x16_Europe_Krotofil
S4x16_Europe_Krotofil
 
presentation_sas2016_V3
presentation_sas2016_V3presentation_sas2016_V3
presentation_sas2016_V3
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control Systems
 
MKAD_black_V2
MKAD_black_V2MKAD_black_V2
MKAD_black_V2
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINAL
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_Larsen
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Defcon through the_eyes_of_the_attacker_2018_slides

  • 9. ICS Threat Landscape Has Changed
    "Crazy amount of hacking on a daily basis" vs. "Nobody even knows about our existence"
  • 10. ICS Threat Landscape Has Changed: it's happening (publicly known cyber-physical attacks)
    2010: planned operation to hinder Iran's nuclear program
    2013: first publicly known OT recon activities (HAVEX); recon and weaponization of capabilities
    2015: Ukrainian power grid attack (BlackEnergy)
    2016: Ukrainian power grid attack (Industroyer)
    2017: attack on a Triconex safety controller (TRITON); seems to be a trigger and a tipping point
  • 12. Hazards and Layers of Protection
  • 13. DCS / SIS Network: an attack on a safety system can cause the MOST DAMAGING outcome of a cyber-physical attack
    Source: https://www.cyberark.com/threat-research-blog/anatomy-triton-malware-attack/
  • 16. TRITON Attack: Overview
    The attacker obtained remote access to the SIS engineering workstation
    Source: https://www.cyberark.com/threat-research-blog/anatomy-triton-malware-attack/
  • 17. TRITON Payload: Overview
    Engineering workstation: trilog.exe (script_test.py, library.zip, inject.bin, imain.bin)
    imain.bin + inject.bin are delivered to the controller over the TriStation protocol
    The attacker attempted to inject a passive backdoor / remote access trojan into the industrial safety controller, able to:
    • Read arbitrary memory
    • Write into memory
    • Execute arbitrary code
    "Your wish is my command"
  • 18. Attacks on Industrial Systems
    • The attack scenario depends on the attacker's goal
    • Sometimes this means explosions, sometimes it doesn't
    • No need to hit someone with a baseball bat if you want to slap their wrist
    • A simple process shutdown / economic disruption might do fine
    • Doubles as a testing round for the offensive ICS toolkit + TTPs ...
    M. Krotofil, J. Larsen, "Rocking the Pocket Book: Hacking Chemical Plants for Competition and Extortion", DEF CON, 2015
  • 19. Simple 'Do Not Press' HMI Attack
    Source: Innergy, http://innergy-global.com/en
  • 20. More Complex Attacks
    TRITON used an implant on a Triconex SIS, yet a process shutdown could have been achieved much more easily. What's going on here?
  • 21. More Complex Attacks
    • Industrial processes are complicated and are built to be robust & recoverable
    • More complex attacks with significant, lasting damage will be process specific & require good process comprehension
    • They require the attacker to develop a detailed 'damage scenario': What causes a pipeline to explode? What causes the right pipeline to explode? What causes the right pipeline to explode at the right moment?
  • 22. Industrial Attacks Are About Control Loops
    [Figure: two trends of the D feed over 0-70 hours, one in kg/h (3550-3750) and one in % (62.6-63.6)]
    Sensors: measure the process state
    Control system: computes control commands for the actuators
    Actuators: adjusted to influence process behavior
  • 23. Industrial Attack Approach (the OT payload)
    1. Manipulate the process
       Direct: manipulation of actuators
       Indirect: deceive the controller / operator about the process state (e.g. spoof a sensor)
    2. Obtain feedback: direct or derived (e.g. via proxy sensors / calculations). Often the hardest to achieve
    3. Prevent response
       Operators: blind or mislead them
       Control / safety system: modify operational / safety limits, blind it about the process state
  • 24. Industrial Attack Approach (same diagram): where does TRITON fit into all this?
  • 25. Clandestine Control Loops
    • A cyber-physical attack is a collection of 'clandestine control loops': a cycle of process observation & manipulation to achieve an unsafe state
    • Attack timing is crucial: processes aren't vulnerable all the time, and many damage scenarios take time to execute
    • Attack coordination is crucial: observation of state A in component B needs to trigger payloads X, Y, Z; this requires granular control across the process and managing task quantity & timing
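The attack approach of slides 23-25 in executable form, as an added example that is not part of the original slides and does not model TRITON or any real plant: a constructed tank-level loop with a proportional controller, plus an implant on the sensor path that subtracts a fixed offset from the reading (indirect manipulation). The controller then "corrects" the real level past the high-level trip while the spoofed value, which also feeds the HMI, settles on setpoint (the operator is misled). The tank, gains, limits, cycle time and offset are all made-up numbers chosen so the outcome is easy to follow.

```python
"""Added example, not from the slides or the TRITON case: a toy control loop
under a sensor-spoofing implant (indirect manipulation + misled operator).
Every number here is constructed for illustration."""
from dataclasses import dataclass

SETPOINT = 50.0    # % level the operator wants to hold
HIGH_TRIP = 90.0   # % level at which an independent safety system would trip
DT = 1.0           # one control cycle, in seconds
VALVE_MAX = 10.0   # % level per second the inflow valve can deliver
DRAIN = 2.0        # % level per second leaving through a fixed outlet


@dataclass
class Tank:
    """Physical process: the level rises with inflow and falls with the fixed drain."""
    level: float = SETPOINT

    def step(self, inflow: float) -> float:
        self.level += (inflow - DRAIN) * DT
        self.level = min(100.0, max(0.0, self.level))
        return self.level


@dataclass
class Controller:
    """Proportional controller with feed-forward for the drain, so the level it
    *sees* settles exactly on SETPOINT with no steady-state error."""
    kp: float = 0.1

    def command(self, measured: float) -> float:
        u = DRAIN + self.kp * (SETPOINT - measured)
        return min(VALVE_MAX, max(0.0, u))


def implant(true_level: float, active: bool, offset: float) -> float:
    """Sensor-path implant: report the tank as emptier than it is, so the
    controller keeps filling. Feedback is free here because the implant sits on
    the sensor; on a real target obtaining feedback is usually the hard part.
    A safety system with its own sensor would still see the true level, which
    is the 'prevent response' step the attacker must handle separately."""
    return true_level - offset if active else true_level


def run(cycles: int, attack_start: int, offset: float = 45.0):
    """Simulate the loop; returns a list of (cycle, true_level, reported_level, inflow)."""
    tank, ctrl = Tank(), Controller()
    inflow = DRAIN
    history = []
    for t in range(cycles):
        true_level = tank.step(inflow)
        reported = implant(true_level, t >= attack_start, offset)
        inflow = ctrl.command(reported)
        history.append((t, true_level, reported, inflow))
    return history


def first_trip_cycle(history):
    """Cycle at which an independent sensor would see the high-level trip, or None."""
    for t, true_level, _, _ in history:
        if true_level >= HIGH_TRIP:
            return t
    return None


def hmi_ever_alarms(history):
    """Would an HMI fed from the spoofed value ever show a high-level alarm?"""
    return any(reported >= HIGH_TRIP for _, _, reported, _ in history)


if __name__ == "__main__":
    h = run(cycles=200, attack_start=20)
    print("true level crosses the trip at cycle:", first_trip_cycle(h))
    print("HMI alarm ever shown:", hmi_ever_alarms(h))
    print("final true / reported level: %.1f / %.1f" % (h[-1][1], h[-1][2]))
```

With these numbers the reported level converges geometrically back to 50 % while the real level converges to 95 %, so the crossing of the 90 % trip happens roughly twenty cycles after the implant activates and the HMI never alarms. Swapping the implant for one that writes the valve command directly is the "direct manipulation" branch of slide 23; it is noisier, because the reported level then visibly leaves setpoint.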
  • 26. Timing & State Diagrams (TSD) * Jason Larsen – Hacking Critical Infrastructure like You’re not a n00b – RSA, 2016
  • 27. Mapping TSD to Devices * Jason Larsen – Hacking Critical Infrastructure like You’re not a n00b – RSA, 2016
  • 28. Mapping Devices to Implants • In order to coordinate all this we will need implants 1. For executing OT payloads 2. For monitoring attack progress & activating OT payloads • Carrying out attack at device level via implant has additional benefits • Autonomy in control zone with own TSD logic • Arbitrary control over device rather than what’s dictated by protocol • More stealthy: limited network traffic, limited introspection • Before we can implant a device we have to exploit it
  • 29. Mapping Devices to Implants • MPC860, 50 MHz • 6 MB Flash • 16 MB DRAM • 32 KB SRAM • ARM9, 14 MHz • 512 KB Boot Flash • 8 MB RW Flash • 2 MB SRAM Will need to fit implant in there • Signals processing? • Malicious logic? • Comms? Often jam-packed by normal functionality already You better enjoy programming…
  • 30. Comparing Attack Strategies * Jason Larsen – Hacking Critical Infrastructure like You’re not a n00b – RSA, 2016
  • 31. Ah, so that’s why everything isn’t blowing up all the time … • This is complicated, expensive stuff • Ton of engineering know-how, RE, vuln research, exploit & implant dev, testing, … • High chance of messing up • Offsets terrible IT / OT security • Check out ‘Hacking Critical Infrastructure Like You’re Not a N00b’ @ RSAConf 2016 by Jason Larsen • Let’s walk through the process required for developing a single exploit / implant / payload combo (eg. TRITON)
  • 33. The Process Obtaining the Necessary Materials Device Teardown & PCB Analysis RE of Engineering Software, Firmware & Protocols Vulnerability Discovery Exploit Development 2 1 3 4 5
  • 34. Obtaining the Necessary Materials * Schneider Electric 1
  • 37. Obtaining Engineering Software • From vendor website (or by asking nicely) • Through asset owners • If you’re already in their IT / OT network might as well grab a souvenir • Via sketchy sources on the internet • Installation CDs sold on Ebay or Alibaba • Loose executable & archives drifting on the web • Open directories, FTP servers, etc.
  • 38. Obtaining Engineering Software • From vendor website (or by asking nicely) • Through asset owners • If you’re already in their IT network might as well grab a souvenir • Via sketchy sources on the internet • Installation CDs sold on Ebay or Alibaba • Loose executable & archives drifting on the web • Open directories, FTP servers, etc. 3 USD
  • 39. Obtaining the Device • You’re not gonna find this stuff at a yard sale or in the cornershop • Most ICS equipment is very expensive • You might want to buy multiple copies for teardown & in case you brick it • Buy it whole directly from vendor, through strawmen buyers or at a bankruptcy auction • Try Ebay / Alibaba (sourcing loose parts & putting enough together for it to work)
  • 40/41. Obtaining Device Firmware • Various options: download from the vendor website, extract from the firmware update utility, or extract from the device flash • Obtaining firmware can be complicated; worst-case scenario: encrypted firmware + chip readout protection requiring a bypass via invasive or side-channel attacks • Not so much for Triconex: no readout protection on the flash, so desolder -> adapter + universal programmer does the trick, or simply take it from the firmware manager utility
  • 42. Device Teardown & PCB Analysis (step 2) • We need info on • Microcontroller / SoC used • Device functional domain divisions (where does what happen?) • Interesting interfaces like UART / JTAG • Sometimes we're lucky: FCC IDs, public teardowns, etc. Triconex: the Planning & Installation Guide has block diagrams! • Sometimes we're not: teardown time
  • 43. Don’t be afraid of teardowns * Serge Bazanski, Michal Kowalczyk
  • 44. ICS Devices are not Magic * Stephen A. Ridley, Senrio Inc., 2016
  • 46. Typical (simplified) PLC Architecture (block diagram: I/O pins, serial link, MCU; source: www.eevblog.com)
  • 49. Reverse-Engineering Protocols (step 3) • One of the first areas of interest in ICS devices • Often legacy, proprietary protocols: ports of old serial protocols retrofitted onto Ethernet • Control very sensitive functionality: PLC start / stop, firmware update, control logic download, … • Might present a way into the device itself: RCE! • We want to know packet structure & semantics
  • 50/51. PCAP-Only Analysis • Comparison to functionally similar documented protocols • Testing for common encodings & fields: TLV, length fields, sequential identifiers, checksums, … • Differential analysis of functional batches of packets • Entropic analysis of suspected cryptographic fields • … • "Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns" – Rob Savoye, FOSDEM 2009
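The PCAP-only techniques listed on this slide (differential analysis across a batch of packets, testing for length fields and checksums, entropy of suspected ciphertext) in working form, as an added example that is not part of the talk. The framing it runs against (2-byte magic, sequence byte, little-endian length, function code, payload, XOR checksum) is made up for the demo and is not TriStation; the function codes in the sample frames are only borrowed as labels.

```python
"""Field inference over a batch of captured frames (PCAP-only protocol RE).

Added example, not from the talk. The framing below is made up for the demo:
2-byte magic, 1-byte sequence number, 2-byte little-endian total length,
1-byte function code, payload, 1-byte XOR checksum. It is NOT TriStation.
"""
import math
from collections import Counter
from functools import reduce
from operator import xor


def _frame(seq: int, fc: int, payload: bytes) -> bytes:
    """Build one constructed frame in the made-up framing above."""
    body = (b"\xaa\x55" + bytes([seq])
            + (len(payload) + 7).to_bytes(2, "little")
            + bytes([fc]) + payload)
    return body + bytes([reduce(xor, body, 0)])


# Constructed "capture": four consecutive requests from the same client.
SAMPLE_PACKETS = [
    _frame(0x10, 0x01, b"\x00\x00"),
    _frame(0x11, 0x01, b"\x00\x01"),
    _frame(0x12, 0x37, b"\x12\x34\x56\x78"),
    _frame(0x13, 0x0B, b"\x00"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Close to 8.0 over a field suggests ciphertext or
    compression; low values suggest structured plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_offsets(packets):
    """Differential analysis over the common prefix: label every byte offset
    as constant (magic / version), counter (sequence id) or variable."""
    width = min(len(p) for p in packets)
    labels = {}
    for off in range(width):
        col = [p[off] for p in packets]
        if len(set(col)) == 1:
            labels[off] = "constant"
        elif all((col[i + 1] - col[i]) & 0xFF == 1 for i in range(len(col) - 1)):
            labels[off] = "counter"
        else:
            labels[off] = "variable"
    return labels


def find_length_fields(packets):
    """Offsets where a 16-bit word equals the frame length, or the number of
    bytes following the word, in every packet. Both byte orders are tried."""
    width = min(len(p) for p in packets) - 1
    hits = []
    for off in range(width):
        for endian in ("little", "big"):
            vals = [int.from_bytes(p[off:off + 2], endian) for p in packets]
            if all(v == len(p) for v, p in zip(vals, packets)):
                hits.append((off, endian, "total"))
            elif all(v == len(p) - off - 2 for v, p in zip(vals, packets)):
                hits.append((off, endian, "remaining"))
    return hits


def find_trailing_checksum(packets):
    """Names of simple 8-bit checksums that reproduce the last byte of every
    packet from the bytes before it."""
    candidates = {
        "xor8": lambda body: reduce(xor, body, 0),
        "sum8": lambda body: sum(body) & 0xFF,
        "negsum8": lambda body: (-sum(body)) & 0xFF,
    }
    return [name for name, fn in candidates.items()
            if all(fn(p[:-1]) == p[-1] for p in packets)]


if __name__ == "__main__":
    for off, label in classify_offsets(SAMPLE_PACKETS).items():
        print(f"offset {off:2d}: {label}")
    print("length fields:", find_length_fields(SAMPLE_PACKETS))
    print("checksums:", find_trailing_checksum(SAMPLE_PACKETS))
    print("payload entropy:",
          round(shannon_entropy(b"".join(p[6:-1] for p in SAMPLE_PACKETS)), 2))
```

Note the caveat the slide hints at: offset 4 comes out as "constant" only because every sample frame is shorter than 256 bytes; it is really the high byte of the length field, which is why the 16-bit test at offset 3 is needed before trusting the per-byte labels. A real capture needs the same checks run per message type rather than over the whole batch, and the checksum table extended with CRC-16 variants.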
  • 52. Ideally we assist the analysis with binary RE • We want the reconstruction to be complete & sound, because we want to write reliable exploits • PCAP-only analysis can be incomplete, inaccurate or opaque: undocumented / rare behaviour, inferred semantics, encryption / compression • PCAP-only analysis can also damage your sanity
  • 53. tr1com40.dll • TriStation (UDP/1502) comms DLL. Has all the juicy stuff! • Debug symbols present ☺ • Easy semantic mapping of function codes
  • 54. Protocol RE for Attackers • Don’t need full RE, only need to understand a few interesting packet types fully • Attacker cares about crafting an exploit not a full protocol parser
  • 55. Vulnerability Discovery (step 4) • The next step is getting code execution on the device • Ideally a pre-auth vulnerability, but pre-auth is a relative concept here… • ICS vulns are often a byproduct of RE: insecure by default, ancient legacy shit, … • Shake a stick at it & vulns fall out
  • 56. Example: Moxa NPort W2150A* • Serial-to-Ethernet/WiFi Converter • Web Interface • Broken auth (hashing on client side) • CMD injection in ping test form * Thomas Roth, 2017
  • 57. Example: Opto 22 OPTEMU-SNR-DR2* • Energy monitoring & control device • FTP + OptoMMP (unauthenticated) • Use OptoMMP to disable IP filtering, enable FTP and fetch the FTP credentials • Use FTP to upload new firmware & reflash the device • No firmware signing * David Barksdale, Jeremy Brown, 2016
  • 58. Example: Modicon Quantum PLC* • Large PLC for process applications • FTP with hardcoded creds • Read / Write configuration, firmware, passwords, … • Telnet with hardcoded backdoor • Actually a C interpreter … • Unauthenticated Proprietary Modbus Extension • Start / Stop PLC • Overwrite programmable logic • … • Gazillion ways to get code exec * K. Reid Wightman, Rubén Santamarta, 2011-2012
  • 59. Example: Advantech EKI-1522* • Serial-to-Ethernet Converter • Web Interface • Unlocking web interface on one PC disables auth for everyone … • CMD injection in email alert setup * Thomas Roth, 2017
  • 60. You get the idea …
  • 61. TRITON Vulnerability: Execute My Packet Please! • The vulnerability is a freebie of the protocol RE: the safety program download functionality itself • 'Start Download Change' (FC: 0x01) • 'Allocate Program' (FC: 0x37) • 'End Download Change' (FC: 0x0B) • No authentication • No secure signing of control programs • Right … skip directly from RE to exploit development: neat!
  • 62. Exploit Development (step 5) • After finding a suitable vulnerability, we need to craft an exploit to gain code execution, e.g. • Inserting the payload directly into an unauthenticated firmware upload • Using a buffer overflow to hijack control flow and execute the payload • Etc. TRITON: how to go from downloading a safety program to executing arbitrary code on the microcontroller?
  • 63. Safety & Control Applications • Developed in IEC 61131-3 languages (ST, IL, LD, FBD) and CEMPLE • Get compiled, downloaded & executed directly on the main processor • Another freebie: no breaking out of sandboxes, exploiting runtimes or hopping across chip perimeters!
  • 64. TRITON Code Injection • TRITON does not overwrite the original programming but appends to it: 'Download Changes' (0x01) instead of 'Download All' (0x00), so the safety logic continues to run without interruption
  • 66. Complication: Heterogeneity • Embedded Devices are far more heterogeneous than general purpose ones • Architectures: ARM, MIPS, PPC, 8086, AVR, V850, 68K, … • (RT)OSes: VxWorks, ThreadX, QNX, FreeRTOS, MQX, Nucleus, BSD & Linux flavors, custom executives, … • Triconex: different architectures & ‘OS’ per version • Triconex 9 (3006): NS32GX32 + TSX • Triconex 10 (3008): MPC860 + ETSX • Triconex 11 (3009): Power Architecture e500mc + ETSX Scaling the attack requires writing / modifying payloads & implants for each version
  • 67. ICS IMPLANT & OT PAYLOAD DEVELOPMENT http://iom.invensys.com/EN/Pages/IOM_NewsDetail.aspx?NewsID=78
  • 68. ICS Implant & OT Payload Development • Alright, we can run arbitrary PPC shellcode, now what? • Exploitation is just one step among many: for complicated OT payloads we will first (1) need to develop an implant, and after that (2) craft an OT payload to do (part of) the actual damage.
  • 69. ICS Implant Strategies (1) • Either implant the OT payload directly or implant a backdoor, which keeps the OT payload secret until Zero Hour ('killswitch') • Cross-boot persistence: requires modifying flash & enough space • Memory residence: requires executable RAM; reboot = implant gone (but safety controller uptimes are long …); complicates forensics
  • 70. ICS Implant Scalability (1) • Common devices throughout ICS (cross-facility): > 18000 Triconex systems in > 80 countries • Common software throughout ICS (cross-vendor): protocol / connectivity stacks, control runtimes / RTOSes • Construct an arsenal of exploits & implants against common devices & software stacks: a one-time upfront investment, no huge turnover … TRITON makes more sense as a tool in such an arsenal than as an expensive one-off
  • 71. Reverse-Engineering ICS Firmware • A. Extract the firmware • B. Preprocess the firmware • C. Hunt for interesting functionality
  • 72. Extracting Firmware (step A) • Determine the firmware format & unpack; sometimes multiple chip firmwares / data blobs are glued together • Decompress / decrypt; the key might be in the firmware utility or the bootloader, or be obtainable via side-channel attacks, etc. • Triconex firmware is unencrypted
  • 73. Preprocessing Firmware (step B) • Obtain the memory map: ROM, RAM, external memory, special purpose registers • Get this from the datasheet; learn to love datasheets Source: https://www.nxp.com/docs/en/reference-manual/MPC860UM.pdf
  • 74. Identifying the Base Address (step B) • Need to load the blob at the right address, but how do we find it? • Many roads lead to Rome… • Chip-fixed address • RE the update utility • Extract it from the IVT / bootloader • Extract it from self-relocating code, jump tables or string tables
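The last option on this slide (recovering the base from string tables) done as a script, as an added example that is not from the talk. It relies on a raw image containing absolute pointers to its own strings: for the right base, many 32-bit words equal base + (file offset of some string), so every (word, string) pair votes for base = word - offset and the most-voted page-aligned base wins. The image it runs on (SAMPLE_IMAGE, loaded at the hypothetical ASSUMED_BASE) is constructed for the demo and is not a Triconex image; the string names are only borrowed as labels.

```python
"""Firmware load-address recovery by pointer-to-string voting.

Added example, not from the talk. SAMPLE_IMAGE and ASSUMED_BASE are
constructed for the demo and are not a real Triconex image.
"""
import re
import struct
from collections import Counter, defaultdict


def find_strings(blob: bytes, min_len: int = 4):
    """File offsets of printable, NUL-terminated ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}\x00" % min_len
    return [m.start() for m in re.finditer(pattern, blob)]


def candidate_words(blob: bytes, endian: str = ">"):
    """All 4-byte-aligned 32-bit words; '>' for big-endian cores such as the
    MPC860, '<' for little-endian ARM."""
    return [struct.unpack_from(endian + "I", blob, off)[0]
            for off in range(0, len(blob) - 3, 4)]


def vote_bases(blob: bytes, endian: str = ">", align: int = 0x1000):
    """Count, per candidate base, how many words point at a string.
    Requiring base % align == 0 means a word can only pair with strings whose
    offset has the same residue mod align, so bucketing strings by residue
    keeps this close to linear in the number of words."""
    by_residue = defaultdict(list)
    for s in find_strings(blob):
        by_residue[s % align].append(s)
    votes = Counter()
    for w in candidate_words(blob, endian):
        for s in by_residue.get(w % align, ()):
            base = w - s
            if base >= 0:
                votes[base] += 1
    return votes


def guess_base(blob: bytes, endian: str = ">", align: int = 0x1000):
    """Best (base, votes) pair, or None when nothing points at a string."""
    votes = vote_bases(blob, endian, align)
    return votes.most_common(1)[0] if votes else None


def _build_sample_image(base: int) -> bytes:
    """Constructed firmware-like blob: a string table at 0x100 and a table of
    absolute big-endian pointers to those strings at 0x40."""
    img = bytearray(0x200)
    names = [b"TriStation", b"Download All", b"Download Change",
             b"Allocate Program", b"End Download"]
    cur, offsets = 0x100, []
    for n in names:
        img[cur:cur + len(n) + 1] = n + b"\x00"
        offsets.append(cur)
        cur += (len(n) + 1 + 3) & ~3      # keep entries 4-byte aligned
    for i, off in enumerate(offsets):
        struct.pack_into(">I", img, 0x40 + 4 * i, base + off)
    return bytes(img)


ASSUMED_BASE = 0x00F00000   # hypothetical load address chosen for the demo
SAMPLE_IMAGE = _build_sample_image(ASSUMED_BASE)

if __name__ == "__main__":
    base, score = guess_base(SAMPLE_IMAGE)
    print(f"best base 0x{base:08x} with {score} pointer/string matches")
```

On a real image run it for both byte orders and, if the pointer tables may be unaligned, with a 2-byte stride; a single clear winner that is also consistent with the chip's memory map (previous slide) is the signal to look for. It finds nothing on images that reference strings only PC-relatively (common on ARM), in which case the jump-table or bootloader routes on the slide are the fallback.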
  • 77. Example: RTU Firmware (ARM) (step B) Source: https://www.keil.com/pack/doc/CMSIS/Core_A/html/group__CMSIS__CPSR.html#details
  • 80. Reconstructing Code & Data Topology (step B) • Firmware images are usually not in neat executable formats (PE, ELF, Mach-O) • We will have to heuristically identify functions, strings, jump tables, structs, etc. • Upside: you don't need to fully RE the firmware, only up to readiness for the next step
  • 81. Hunt for Interesting Functionality (step C) • Want to RE in sniper fashion: • Control runtime • Protocol parsers • Comms & peripheral I/O handlers • Security / safety / sanity-checking functionality
  • 82. Reverse-Engineering ICS Firmware What does this look like for Triconex 3008?
  • 83. Triconex 3008 V10.3 MP Firmware • PowerPC: nice, a Hex-Rays decompiler is available • Not a substitute for reading the disassembly, but eases navigation • Uses ETSX 6236, a tiny custom OS with 27 syscalls • Some sparse documentation exists (NRC) Source: United States Nuclear Regulatory Commission, Document number NTX-SER-09-10, Page 96
  • 84. Enhanced Tricon System Executive (ETSX)
  • 85. Triconex Firmware RE Targets • Memory layout & management: for memory residence • Consistency checks & diagnostics functionality: for implant stability • Network command dispatcher functionality: for implant comms • Privilege mode management: for privilege escalation • (possibly) Scan task I/O transfers + safety program storage / execution: for the OT payload
  • 87. TRITON Multi-Stage Payload * ICS-CERT Report on HATMAN • Stage 1: Argument-Setter • Stage 2: Implant Installer (inject.bin) • Stage 3: Backdoor Implant (imain.bin) • Stage 4: Missing OT Payload
  • 88. Payload Stage 1: Argument-Setter • Egghunts for the Control Program (CP) fstat field, sanity-tests that it is writable, and uses it to drive the stage 2 FSM Source: ICS-CERT MAR-17-352-01 HatMan—Safety System Targeted Malware (Update A)
  • 89. Payload Stage 2: Full FSM * ICS-CERT Report on HATMAN
  • 90. Payload Stage 2: PrivEsc Exploit
  • 91. Payload Stage 2: PrivEsc Exploit *0x19AC68 = 0x9002
  • 92. Payload Stage 2: PrivEsc Exploit • What's happening here? What lives at 0x19AC68? • The ETSX syscall invocation (re)stores SRR1 here (the saved MSR) • Why overwrite it with 0x9002? • Bit 17 of the MSR (PR, the privilege bit) will be 0, i.e. the return from the syscall lands in supervisor mode Source: https://www.nxp.com/docs/en/reference-manual/MPC860UM.pdf
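Why 0x9002 matters, worked through as an added example that is not from the talk. The slide says the ETSX syscall path keeps the saved MSR (SRR1) at 0x19AC68 and stage 2 writes 0x9002 there; decoding that value with the PowerPC bit numbering the MPC860 manual uses (bit 0 is the most significant bit, so "bit 17" is mask 1 << (31 - 17) = 0x4000) shows PR cleared, which is the privilege escalation. The bit names and positions are from the MPC860 MSR definition; the "user-mode" value the demo compares against is a hypothetical starting value, not something recovered from TRITON.

```python
"""Decoding the MPC860 MSR value written by the TRITON stage-2 privesc.

Added example, not from the talk. Bit positions follow the PowerPC convention
used in the MPC860 reference manual: bit 0 is the most significant bit of the
32-bit register and bit 31 the least.
"""

# MSR bits relevant here (PowerPC numbering, bit 0 = MSB).
MSR_BITS = {
    "EE": 16,   # external interrupt enable
    "PR": 17,   # privilege level: 0 = supervisor, 1 = user
    "FP": 18,   # floating-point available
    "ME": 19,   # machine check enable
    "IP": 25,   # exception prefix
    "IR": 26,   # instruction address translation
    "DR": 27,   # data address translation
    "RI": 30,   # recoverable exception
}


def ppc_mask(bit: int, width: int = 32) -> int:
    """Mask for a big-endian-numbered bit in a register of the given width.
    This conversion is the usual trap: 'bit 17' is NOT 1 << 17."""
    if not 0 <= bit < width:
        raise ValueError("bit out of range")
    return 1 << (width - 1 - bit)


def decode_msr(value: int):
    """Names of the known MSR flags that are set in value."""
    return {name for name, bit in MSR_BITS.items() if value & ppc_mask(bit)}


def is_supervisor(msr: int) -> bool:
    """True when PR (bit 17) is clear, i.e. the core runs privileged."""
    return not msr & ppc_mask(MSR_BITS["PR"])


def saved_srr1_after_patch(original: int, patched: int = 0x9002) -> dict:
    """What 'rfi' would restore before and after the saved SRR1 is overwritten."""
    return {
        "before": (sorted(decode_msr(original)), is_supervisor(original)),
        "after": (sorted(decode_msr(patched)), is_supervisor(patched)),
    }


if __name__ == "__main__":
    # Hypothetical saved MSR of a user-mode caller: same flags, PR set.
    user_mode_msr = 0x9002 | ppc_mask(MSR_BITS["PR"])
    print(saved_srr1_after_patch(user_mode_msr))
```

The value keeps EE, ME and RI set and leaves translation (IR/DR) off, which is consistent with the patched return landing in the same execution environment as before, just with PR cleared; that is what the next slide's "Requires Supervisor Privileges" depends on.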
  • 93. Payload Stage 2: Implant Installer * ICS-CERT Report on HATMAN Requires Supervisor Privileges
  • 94. Payload Stage 2: Relocate Backdoor • Ensures residence even after a full program wipe
  • 95. Payload Stage 2: Install TriStation Handler • Installs a handler for entry 0x1D (Get MP Status) • Allows for network comms with the implant
  • 96. Payload Stage 2: Disable Diagnostics • Patches what was originally a conditional branch
  • 97. Payload Stage 3: Backdoor Implant * ICS-CERT Report on HATMAN
  • 98. Payload Stage 3: Backdoor Implant * ICS-CERT Report on HATMAN
  • 99. Payload Stage 4: OT Payload? (2) • Once the backdoor is injected, we have god mode • Still need an OT payload to carry out the 'meat' of the attack • Not recovered from the incident, so it is hard to determine the attack's (sub)goal • The asset owner can make an educated guess; we can only speculate … • Which we will!
  • 100. Possible TRITON OT Payloads (2) (diagram, engineering view of the control / safety system: modify operational / safety limits; blind operators about the process state; prevent response)
  • 102. OT PAYLOAD: I/O SPOOFING (diagram: measurement instrumentation -> input signal -> controller -> output signal)
  • 103. I/O TRANSLATION Source: Ghost in the PLC – Ali Abbasi, Majid Hashemi, BlackHat EU 2016
  • 105. Example: Wago PFC 200 + 8CH DIO • ARM Cortex-A8 + real-time Linux • CODESYS runtime (TCP/2455), running as root • V2.4.7 has an unauthenticated arbitrary file read/write vulnerability* • Use the CPU debug registers to catch accesses to memory-mapped I/O • A custom exception handler changes the pin mode from output to input to prevent outgoing writes to the 'actuator' * https://www.sec-consult.com/en/blog/advisories/wago-pfc-200-series-critical-codesys-vulnerabilities/ Source: Ghost in the PLC – Ali Abbasi, Majid Hashemi, BlackHat EU 2016
  • 108. OT PAYLOAD: ALARM SUPPRESSION (diagram, engineering view: alarm -> alarm -> safety shutdown; goal: catalyst deactivation)
  • 111. Example: Triconex Safety View • PC-based HMI • Management & bypass of priority 1 alarms • Each HMI function is mapped to Triconex logic function blocks Source: Invensys / Schneider Electric
  • 112. Example: Triconex Alarm FBs • Consider a simple water tank level alarm: an OR of the measurement DIs -> alarm DO
  • 113. Example: Suppressing Alarms • The safety program resides in memory as code • The OT payload can modify its instructions to force the alarm to a fixed FALSE • The stored program on flash remains untouched • The attacker needs to know 1. where the program lives in memory and 2. which instructions of the program to modify
  • 114. Example: Finding Safety Program • Programs stored as circular linked list
  • 118. More Speculation Ahead: Why Did The Attack Fail?
  • 119. Option A: b0rked payload? • Failed PrivEsc? • The backdoor allows for raw RWX: you read / write / execute the wrong thing in the wrong place … • Getting into a fight with the watchdog: a very common embedded way to shoot yourself in the foot • Missed diagnostics? Source: https://betterembsw.blogspot.com
  • 122. TRITON Cost & Complexity Assessment • Obtaining Necessary Materials • Documentation: public, very detailed (NRC) • Engineering Software: mostly free (sketchy websites) or cheap • Triconex Setup: > $7500 (used), > $20000 (new) [xN for bricking] • 1x Chassis + 1x PWS + 3x MP + 1x TCM + 1x IO • Firmware: In update util / flash, unencrypted • Protocol RE / Vulnerability Discovery • Prior work on TSAA / TriStation relation (B. Lim et al., January 2017) • Engineering software with debug symbols • Unauthenticated protocol with sensitive functionality
  • 123. TRITON Cost & Complexity Assessment • Exploit Development • No safety / control program signing • Program compiled for & executed directly on main processor • Keyswitch has to be in program mode • Implant Development • Required (simple) Privesc Exploit • Required deep firmware RE • No Triconex attestation / introspection (internal monitoring)! • TMR / Diagnostic Self-Tests • OT Payload Development • Hardest part: deep firmware RE + understand position of particular SIS instance in process
  • 124. TRITON Attacker Investment Risk • Vulnerability discovery & exploit development: low; easy RE, no real vulnerability discovery or exploit development needed; scales well beyond the target to all Triconex • Implant development: medium; RE investment, but scales at least within Triconex V10 with address modifications • OT payload development: high; likely doesn't scale beyond the facility; requires comprehensive (and difficult) OT recon; complicated to test (do it live? $$$ lab setup?)
  • 125. Open Questions • If part of a broader ICS arsenal, where's the rest? • In what light should the TRITON development cost be seen? Expensive for a one-off, cheap as a scalable one-time upfront investment? • What does the attack failure tell us? Implant development = software development = 99% frustration; maybe stability was sacrificed in an R&D cost/benefit judgement? • If (or when) will copycats appear? Either of TRITON itself, or of it as a blueprint against other SIS
  • 126. Thank You Note • Ali Abbasi, Uni Bochum, Germany • Thorsten Holz, Uni Bochum, Germany • Felix ‘FX’ Lindner, Recurity Labs • Various security community folks who kindly contributed to our knowledge and experience
  • 127. TOOLKIT • Disassemblers / Decompilers: IDA, Radare2, Binary Ninja, Capstone Engine, Hopper, RetDec • Debuggers: GDB, WinDBG, OllyDbg, Immunity Debugger • Emulators: Unicorn Engine, Qemu • Raw File Analysis Tools: Unix file, multidiff, any hex editor, file carvers • Firmware Analysis Tools: binwalk, FACT, IDAPython Embedded Toolkit, FIRMADYNE, BinCAT, BinDiff, Diaphora • NOTE: You’ll end up writing a ton of IDAPython scripts (‘one-off’ or not) • NOTE: You’ll also spend ages finding tools / info on weird & ancient chips