This document discusses attacks on industrial control systems through manipulation of analog-to-digital converters (ADCs). By generating signals at specific frequencies and phases, an attacker can cause an ADC to incorrectly sample input signals. This can allow manipulating values read by controllers. The document demonstrates this by racing an ADC clock and exploring its limitations. It argues that securing individual devices is not enough and advocates hardware and software mitigations like filtering, higher sampling rates, and secure coding practices.
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
Scada Industrial Control Systems Penetration Testing
Start from Types of Scada Networks, then Penetration testing, finally what Security should be follow
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
Through the Eyes of the Attacker: Designing Embedded Systems Exploits for Industrial Control Systems
In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting a petrochemical plant in Saudi Arabia. TRITON was designed to compromise the Schneider Electric Triconex line of Safety Instrumented Systems (SIS), potentially in order to cause physical damage. TRITON is the most complex publicly known ICS attack framework to date and the first publicly known one to target safety controllers. While the functionality of the malware is understood, little is known about the complexity of developing such an implant. The goal of this talk is to provide the audience with a “through the eyes of the attacker” experience in designing advanced embedded systems exploits & implants for Industrial Control Systems (ICS). Attendees will learn about the background of the TRITON incident, the process of reverse-engineering and exploiting ICS devices and developing implants and OT payloads as part of a cyber-physical attack and will be provided with details on real-world ICS vulnerabilities and implant strategies.
In the first part of the talk we will provide an introduction to ICS attacks in general and the TRITON incident in particular. We will outline the danger of TRITON being repurposed by copycats and estimate the complexity and development cost of such offensive ICS capabilities.
In the second and third parts of the talk we will discuss the process of exploiting ICS devices to achieve code execution and developing ICS implants and OT payloads. We will discuss real-world ICS vulnerabilities and present several implant scenarios such as arbitrary code execution backdoors (as used in TRITON), pin configuration attacks, protocol handler hooking to spoof monitored signal values, suppressing interrupts & alarm functionality, preventing implant removal and control logic restoration and achieving cross-boot persistence. We will discuss several possible OT payload scenarios and how these could be implemented on ICS devices such as the Triconex safety controllers.
In the final part of the talk we'll wrap up our assessment of the complexity & cost of developing offensive ICS capabilities such as the TRITON attack and offer recommendations to defenders and ICS vendors.
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Jaap van Ekris
The focus of many information security methods are on office automation: protecting vulnerable data. When working in embedded software environments, the focus changes significantly to availability, and also the counter-measures against threats change dramatically. A major issue is that security will become an “IT problem” that industrial automation continues to ignore. In this presentation, the problem will be presented, as well as directions to embed security measures into the organisation.
2011-05-02 - VU Amsterdam - Testing safety critical systemsJaap van Ekris
Presentation about the steps required for Verifying and Vlaidating safety critical systems, as well as the test approach used. Contains examples of real-life IEC 61508 SIL 4 systems.
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
During the last few years, SCADA quickly gained the major news headlights with different frightening articles: from STUXNET to breaches like the electrical power supply grid in Ukraine (December 2015). Since SCADA systems are actively used across various industries (oil & gas, pharma, power plants, critical infrastructures) to perform critical operations on daily basis, SCADA security has also become a hot topic in the industry.
This talk will provide a comprehensive overview of the most common SCADA components, known malware and incidents as well as security issues affecting this technology, including existing vulnerabilities in different modules. As part of the presentation, we will disassemble and reverse engineer a PLC and its protocol. This model will be used to demonstrate some aspects of discovered security vulnerabilities.
Practical DNP3 and Modern SCADA SystemsLiving Online
This manual covers the essentials of SCADA communication systems focusing on DNP3 and the other new developments in this area. The manual commences with a brief review of the fundamentals of SCADA systems hardware, software and the communications systems (such as RS-232 and RS-485 Ethernet and TCP/IP) that connect the SCADA operator stations together.
A solid review is then done on the DNP3 protocol where its features, message structure, practical benefits and applications are discussed. The manual is intended to be product independent but examples will be taken from existing products to ensure that all aspects of the DNP3 protocol are covered. The manual provides you with the tools to design your next SCADA system more effectively using DNP3 and draw on the latest technologies.
View Full Manual Here - www.idc-online.com/content/practical-dnp3-and-modern-scada-systems-20?id=33
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
Мы поговорим об общей проблеме валидации входных данных и качестве их обработки. Интерпретация входящих данных оказывает прямое влияние на решения, принимаемые в физической инфраструктуре: если какая-либо часть данных обрабатывается недостаточно аккуратно, это может повлиять на эффективность и безопасность процесса.
В этой беседе мы обсудим атаки на процесс обработки данных и природу концепции «never trust your inputs» в контексте информационно-физических систем (в общем смысле, то есть любых подобных систем). Для иллюстрации проблемы мы используем уязвимости аналого-цифровых преобразователей (АЦП), которые можно заставить выдавать поддельный цифровой сигнал с помощью изменения частоты и фазы входящего аналогового сигнала: ошибка масштабирования такого сигнала может вызывать целочисленное переполнение и дает возможность эксплуатировать уязвимости в логике PLC/встроенного ПО. Также мы покажем реальные примеры использования подобных уязвимостей и последствия этих нападений.
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
Scada Industrial Control Systems Penetration Testing
Start from Types of Scada Networks, then Penetration testing, finally what Security should be follow
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
Through the Eyes of the Attacker: Designing Embedded Systems Exploits for Industrial Control Systems
In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting a petrochemical plant in Saudi Arabia. TRITON was designed to compromise the Schneider Electric Triconex line of Safety Instrumented Systems (SIS), potentially in order to cause physical damage. TRITON is the most complex publicly known ICS attack framework to date and the first publicly known one to target safety controllers. While the functionality of the malware is understood, little is known about the complexity of developing such an implant. The goal of this talk is to provide the audience with a “through the eyes of the attacker” experience in designing advanced embedded systems exploits & implants for Industrial Control Systems (ICS). Attendees will learn about the background of the TRITON incident, the process of reverse-engineering and exploiting ICS devices and developing implants and OT payloads as part of a cyber-physical attack and will be provided with details on real-world ICS vulnerabilities and implant strategies.
In the first part of the talk we will provide an introduction to ICS attacks in general and the TRITON incident in particular. We will outline the danger of TRITON being repurposed by copycats and estimate the complexity and development cost of such offensive ICS capabilities.
In the second and third parts of the talk we will discuss the process of exploiting ICS devices to achieve code execution and developing ICS implants and OT payloads. We will discuss real-world ICS vulnerabilities and present several implant scenarios such as arbitrary code execution backdoors (as used in TRITON), pin configuration attacks, protocol handler hooking to spoof monitored signal values, suppressing interrupts & alarm functionality, preventing implant removal and control logic restoration and achieving cross-boot persistence. We will discuss several possible OT payload scenarios and how these could be implemented on ICS devices such as the Triconex safety controllers.
In the final part of the talk we'll wrap up our assessment of the complexity & cost of developing offensive ICS capabilities such as the TRITON attack and offer recommendations to defenders and ICS vendors.
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Jaap van Ekris
The focus of many information security methods are on office automation: protecting vulnerable data. When working in embedded software environments, the focus changes significantly to availability, and also the counter-measures against threats change dramatically. A major issue is that security will become an “IT problem” that industrial automation continues to ignore. In this presentation, the problem will be presented, as well as directions to embed security measures into the organisation.
2011-05-02 - VU Amsterdam - Testing safety critical systemsJaap van Ekris
Presentation about the steps required for Verifying and Vlaidating safety critical systems, as well as the test approach used. Contains examples of real-life IEC 61508 SIL 4 systems.
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
During the last few years, SCADA quickly gained the major news headlights with different frightening articles: from STUXNET to breaches like the electrical power supply grid in Ukraine (December 2015). Since SCADA systems are actively used across various industries (oil & gas, pharma, power plants, critical infrastructures) to perform critical operations on daily basis, SCADA security has also become a hot topic in the industry.
This talk will provide a comprehensive overview of the most common SCADA components, known malware and incidents as well as security issues affecting this technology, including existing vulnerabilities in different modules. As part of the presentation, we will disassemble and reverse engineer a PLC and its protocol. This model will be used to demonstrate some aspects of discovered security vulnerabilities.
Practical DNP3 and Modern SCADA SystemsLiving Online
This manual covers the essentials of SCADA communication systems focusing on DNP3 and the other new developments in this area. The manual commences with a brief review of the fundamentals of SCADA systems hardware, software and the communications systems (such as RS-232 and RS-485 Ethernet and TCP/IP) that connect the SCADA operator stations together.
A solid review is then done on the DNP3 protocol where its features, message structure, practical benefits and applications are discussed. The manual is intended to be product independent but examples will be taken from existing products to ensure that all aspects of the DNP3 protocol are covered. The manual provides you with the tools to design your next SCADA system more effectively using DNP3 and draw on the latest technologies.
View Full Manual Here - www.idc-online.com/content/practical-dnp3-and-modern-scada-systems-20?id=33
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
Мы поговорим об общей проблеме валидации входных данных и качестве их обработки. Интерпретация входящих данных оказывает прямое влияние на решения, принимаемые в физической инфраструктуре: если какая-либо часть данных обрабатывается недостаточно аккуратно, это может повлиять на эффективность и безопасность процесса.
В этой беседе мы обсудим атаки на процесс обработки данных и природу концепции «never trust your inputs» в контексте информационно-физических систем (в общем смысле, то есть любых подобных систем). Для иллюстрации проблемы мы используем уязвимости аналого-цифровых преобразователей (АЦП), которые можно заставить выдавать поддельный цифровой сигнал с помощью изменения частоты и фазы входящего аналогового сигнала: ошибка масштабирования такого сигнала может вызывать целочисленное переполнение и дает возможность эксплуатировать уязвимости в логике PLC/встроенного ПО. Также мы покажем реальные примеры использования подобных уязвимостей и последствия этих нападений.
SCADA for remote industrial plant project is used to process the real time data acquisition under supervisory control for large scale remote industries.
The industrial control market involves the monitoring and control aspects of both complex and simple processes. Common trends within the industry, notably the drive for increased efficiencies, better robustness, higher channel densities, and faster monitoring and control speeds, subsequently drive new technology advancements for semiconductor manufacturers. This session aims to give a broad overview of the system requirements for both field instruments (sensors/actuators) and control room (analog input/output) modules, and demonstrates a typical I/O module configuration with HART® (highway addressable remote transducer) connectivity.
The industrial control market involves the monitoring and control aspects of both complex and simple processes. Common trends within the industry, notably the drive for increased efficiencies, better robustness, higher channel densities, and faster monitoring and control speeds, subsequently drive new technology advancements for semiconductor manufacturers. This session aims to give a broad overview into the system requirements for both field instruments (sensors/actuators) and control room (analog input/output) modules, and demonstrates a typical I/O module configuration with HART (highway addressable remote transducer) connectivity.
4. INDUSTRIAL CONTROL SYSTEM
4Security Analyst Summit 2016
Workstation
Workstation
Firewall
ModemOperator Console
Firewall
SQL Server
PLC
RTU
Maintenance
File Server
Webserver
Corporate LAN
SCADA network
Webservices
Active Directory
Sensor
Ventil
Active Directory
Engineering
Workstation
Process LAN
Catastrophic
consequence
5. EQUIPMENT DAMAGE AT NUCLEAR PLANT
5
http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on-
how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/
Two identically built nuclear plants. One had flow induced vibration
issue. And another did not.
The vibrations indication showed itself as hf noise
Field engineer has filtered the signal to get rid of annoying noise
Loss of view into vibration issue
7. IMAGINE A FIELD ARCHITECTURE…
7Security Analyst Summit 2016
Analog control loop
Control PLC
Actuator
Safety PLC/Logger/DAQ/SIS
HMI
0V (actuator is OFF)
MV – Manipulated Variable
What if MV value on actuator will be different
from MV value on logger?
1.5V (actuator is ON)
8. BUT IT’S ANALOG CONTROL LINE!
8Security Analyst Summit 2016
It’s impossible to have two different MVs on the same line at the
same time!
Are you sure?
16. LET’S SETUP EXPERIMENT
16Security Analyst Summit 2016
Experimental setup:
Arduino Leonardo
(Atmega32U4 with build-in
ADC, 125kHz int clock)
Si5351 generator
Algorithm:
1. Generate square signal with
specific frequency and phase,
2. Read 120 ADC values in row
and average them,
3. Output to serial port (PC),
4. Increase phase and frequency,
5. GOTO 1.
18. STRANGE AVERAGE VALUES
18Security Analyst Summit 2016
On Arduino Leonardo ADC divider is set to the max value 128
At 16 Mhz master clock freq, the ADC clock freq = 125kHz
At ~125kHz there is a high probability, that generated signal will
be always sampled by S&H in its max or min amplitude value
Average signal value even after 120 conversions will be 3.3V or 0V
24. FROM DEMO: TWO DEVICES & TWO DIFF OUTPUTS
24Security Analyst Summit 2016
Wait, but why? Timing diagrams can explain ;-)
25. EVERYTHING IS MUCH EASIER IN ICS WORLD
25Security Analyst Summit 2016
In many real-world ICS applications ADC doesn’t sample input
signal with highest possible frequency
Typical sampling rate is 1-100 times per second
26. HURDLES OF THE ATTACKER
26Security Analyst Summit 2016
How to figure out the required phase and frequency
to craft malicious signal?
Send some peak signals and monitor output of the
ADC (directly/indirectly)
E.g. by hacking into switch you can monitor/control
both data flow to control PLC AND signals from
SIS/Safety LC/logger/DAQ/etc
27. 27Security Analyst Summit 2016
Analog control loop
Control PLC
Actuator
Safety PLC/Logger/DAQ/SIS
MV – Manipulated Variable
Compromised
industrial switch HMI
FIGURING OUT SIGNAL PARAMETERS
29. ADC IN CRITICAL APPLICATIONS
29Security Analyst Summit 2016
Be careful when using ADC in critical applications
Industrial PLCs also have analog inputs and
built-in ADCs
Let’s test at one of the most popular PLCs
S7 1200
30. EXPERIMENT
30
Let’s check the real conversion time of S7 1200 ADC
Arduino
Waveform generator S7 1200
Analog signal
S7 Protocol
S7 input amplitudeFrequency
I2C
Reads value
from PLC every
N time
35. BREAKING SOFTWARE DEFINED RANGES (I)
35Security Analyst Summit 2016
Consider a 5-10V signal which is
consumed by ADC with ranges 0-15 V
What will happen if you send signal
lower than 5V or higher 10V?
Time
5
10
V
From the real life code:
uint8_t val = readADC(0); // reading 8-bit ADC value with ranges 0V -15 V
val = val – 85; // Normalization -> 85 == 5 Volts (255/3)
Any signal of less them 5 V (val < 85)will cause integer overflow in val
36. BREAKING HARDWARE DEFINED RANGES
36Security Analyst Summit 2016
What if the attacker sends signal outside of the ADS hardware defined
range?
ADC will output max value (all bit set to 1)
ADC might be damaged (did not test out of cost factors )
Values on other inputs could be distorted
38. DIRECT ACCESS ATTACK TOOLKIT
38
Line coupling circuit
(usually OpAmp/Transformer)
Total setup cost
50$ (1kHz) -- 400$ (50MHz)
39. ATTACKING FROM ICS DEVICE
39
Compromising one of the field components (PLC, sensor, actuator,
DAQ, logger, etc.)
Most MCUs inside transmitters/actuators are capable of generating
arbitrary signals up to 500-1000Hz
Some devices allow to generate signals of 44kHz and above
40. ATTACK FROM TRANSMITTER
40Security Analyst Summit 2016
HART transmitter reference design ;-)
DAC with s/r up to 100kHz
(smooth sine wave at ~ 5kHz)
http://www.tm-eetimes.com/en/accurate-industrial-temperature-measurements-with-loop-powered-
transmitter.html?cmp_id=7&news_id=222918850
43. PUT ANALOG LPF (LOW-PASS FILTER) ON ADC INPUT
43Security Analyst Summit 2016
Low-pass filter rejects signals with a
frequency higher than its cutoff
frequency
Buffer ADC input with LPF
Good design dictates ADC fs >= LPF fc
44. LPF FILTERS IN REFERENCE DESIGNS
44Security Analyst Summit 2016
“We included LPF in our design"
ADC with fs > 470Hz
LPF with fc near 15 kHz
46. FLIP SIDE OF USING LPF
46Security Analyst Summit 2016
”Securing” may lead to more vulnerabilities
When adding LPF into an individual device, make sure that all
related devices have the same cut-off frequencies
E.g. if PLC input is buffered with LPF 𝒇 𝒄 =
𝟏𝒌𝑯𝒛 and actuator equipped with LPF with
𝒇 𝒄 = 𝟓𝒌𝑯𝒛, the attack not only possible,
but the probability of success increases!
47. NOTE: DIGITAL LPF WON’T WORK!
47Security Analyst Summit 2016
Do not use digital LPF after the ADC!
ADC will be already compromised by an ill-intended signal and no
digital filter will fix the matters
48. USE ADC WITH HIGHER BANDWIDTH/LOWER
CONVERSION TIME
48Security Analyst Summit 2016
Using ADC with higher sampling frequency can mitigate
“oversampling” attack as the attacker will have to generate signal
of much higher frequency
Generating >1MHz signal and injecting it into analog line is much
harder than injecting < 1MHz signal
H/f signals subjected to greater attenuation and more affected by
noise
49. SCALE SIGNAL AMPLITUDE BEFORE ADC
49Security Analyst Summit 2016
To avoid abuse of ADC ranges, normalize signal amplitude before
feeding the signal to ADC
- Simplest option: voltage divider + OpAmp,
- Signal conditioning circuits or even dynamic
range compression
Select what is suitable for your OT process
51. APPLY SECURE CODING TECHNIQUES
51Security Analyst Summit 2016
Scrutinize your ADCs/PLC datasheets to figure out effective
ranges, conversion time, frequency and other critical parameters
Even if it is sufficient to control the process with one value
per second, sample the signal with higher frequency and
average converted values
When receiving value from ADC, treat it as an absolute value
(all bits received from ADC are significant)
52. DO NOT SLEEP! (WHILE WORKING )
52Security Analyst Summit 2016
Avoid writing/using the following code (if you don’t completely
understand your process and aren’t completely sure about what you
are doing)
Val = readADC();
Output(Val);
Sleep(Timeout);
53. IT AND OT HAVE COMMON PROBLEMS
53Security Analyst Summit 2016
NEVER TRUST YOUR INPUTS