SlideShare a Scribd company logo

presentation_sas2016_V3

Marina Krotofil
Marina Krotofil

This document discusses attacks on industrial control systems through manipulation of analog-to-digital converters (ADCs). By generating signals at specific frequencies and phases, an attacker can cause an ADC to incorrectly sample input signals. This can allow manipulating values read by controllers. The document demonstrates this by racing an ADC clock and exploring its limitations. It argues that securing individual devices is not enough and advocates hardware and software mitigations like filtering, higher sampling rates, and secure coding practices.

1 of 53
Download to read offline
NEVER TRUST YOUR INPUTS: DATA PROCESSING AS ATTACK VECTOR ON ICS Alexander Bolshev & Marina Krotofil
; CAT /DEV/USER 2Security Analyst Summit 2016 Alexander @dark_k3y Bolshev, Ph.D. Security Researcher @ IOActive Assistant Professor @ SPbETU “LETI” Marina @marmusha Krotofil Security Researcher @HoneywellSec
Workstation Workstation Firewall ModemOperator Console Firewall SQL Server PLC RTU Maintenance File Server Webserver Corporate LAN SCADA network Webservices Active Directory Sensor Ventil Active Directory Engineering Workstation Process LAN INDUSTRIAL CONTROL SYSTEM 3Security Analyst Summit 2016 Physical application
INDUSTRIAL CONTROL SYSTEM 4Security Analyst Summit 2016 Workstation Workstation Firewall ModemOperator Console Firewall SQL Server PLC RTU Maintenance File Server Webserver Corporate LAN SCADA network Webservices Active Directory Sensor Ventil Active Directory Engineering Workstation Process LAN Catastrophic consequence
EQUIPMENT DAMAGE AT NUCLEAR PLANT 5 http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on- how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/  Two identically built nuclear plants. One had flow induced vibration issue. And another did not.  The vibrations indication showed itself as hf noise  Field engineer has filtered the signal to get rid of annoying noise  Loss of view into vibration issue
INDUSTRIAL CONTROL SYSTEM 6 Dataflow Control decision
IMAGINE A FIELD ARCHITECTURE… 7Security Analyst Summit 2016 Analog control loop Control PLC Actuator Safety PLC/Logger/DAQ/SIS HMI 0V (actuator is OFF) MV – Manipulated Variable What if MV value on actuator will be different from MV value on logger? 1.5V (actuator is ON)
BUT IT’S ANALOG CONTROL LINE! 8Security Analyst Summit 2016 It’s impossible to have two different MVs on the same line at the same time! Are you sure?
DEMO VIDEO
10Security Analyst Summit 2016
INTRO TO ANALOG-TO-DIGITAL CONVERTERS (ADC)
WHAT IS ADC? 12  Converts a continuous analog signal (voltage or amperage) to a digital number that represents signal's amplitude t x(t)
ADC IN A NUTSHELL 13Security Analyst Summit 2016 Quantizing & Encoding … • Frequency • Phase • Amplitude Sampling & Holding (S/H) circuit Resolution MSB ADC Clock uI(t) VREF uI’(t) fs Dn-1 D1 D0 Conversion time
EXPLOITABLE ADC LIMITATIONS 14Security Analyst Summit 2016  Sampling frequency should follow Nyquist rule ( > 2B)  Input amplitude range fs
“RACING” WITH ADC CLOCK
LET’S SETUP EXPERIMENT 16Security Analyst Summit 2016 Experimental setup:  Arduino Leonardo (Atmega32U4 with build-in ADC, 125kHz int clock)  Si5351 generator Algorithm: 1. Generate square signal with specific frequency and phase, 2. Read 120 ADC values in row and average them, 3. Output to serial port (PC), 4. Increase phase and frequency, 5. GOTO 1.
RESULT 17Security Analyst Summit 2016 What is this?!
STRANGE AVERAGE VALUES 18Security Analyst Summit 2016  On Arduino Leonardo ADC divider is set to the max value 128 At 16 Mhz master clock freq, the ADC clock freq = 125kHz  At ~125kHz there is a high probability, that generated signal will be always sampled by S&H in its max or min amplitude value  Average signal value even after 120 conversions will be 3.3V or 0V
RACING WITH ADC CLOCK 19Security Analyst Summit 2016
LET’S REPEAT OUR EXPERIMENT 20Security Analyst Summit 2016 Frequency = around 8.9kHz)
TIMING DIAGRAM EXPLAINS EVERYTHING 21Security Analyst Summit 2016 conversion time Signal
FROM ATMEGA32U4 DATASHEET 22Security Analyst Summit 2016 Chapter 24 on ADC , page 302 125kHz / 14 ~ 8928Hz (112μs) We’ve just breached through sampling rate precision of the ADC!
PROBLEMS WITH USING ADC IN SOFTWARE ADC access timing
FROM DEMO: TWO DEVICES & TWO DIFF OUTPUTS 24Security Analyst Summit 2016 Wait, but why? Timing diagrams can explain ;-)
EVERYTHING IS MUCH EASIER IN ICS WORLD 25Security Analyst Summit 2016  In many real-world ICS applications ADC doesn’t sample input signal with highest possible frequency  Typical sampling rate is 1-100 times per second
HURDLES OF THE ATTACKER 26Security Analyst Summit 2016  How to figure out the required phase and frequency to craft malicious signal?  Send some peak signals and monitor output of the ADC (directly/indirectly)  E.g. by hacking into switch you can monitor/control both data flow to control PLC AND signals from SIS/Safety LC/logger/DAQ/etc
27Security Analyst Summit 2016 Analog control loop Control PLC Actuator Safety PLC/Logger/DAQ/SIS MV – Manipulated Variable Compromised industrial switch HMI FIGURING OUT SIGNAL PARAMETERS
ADC conversion time PROBLEMS WITH USING ADC IN SOFTWARE
ADC IN CRITICAL APPLICATIONS 29Security Analyst Summit 2016 Be careful when using ADC in critical applications  Industrial PLCs also have analog inputs and built-in ADCs  Let’s test at one of the most popular PLCs S7 1200
EXPERIMENT 30 Let’s check the real conversion time of S7 1200 ADC Arduino Waveform generator S7 1200 Analog signal S7 Protocol S7 input amplitudeFrequency I2C Reads value from PLC every N time
31 Frequency is fixed N=8.3ms N=9ms N=7ms N=4.5ms N=2.5ms
32Security Analyst Summit 2016
WHAT’S WRONG? 33Security Analyst Summit 2016 Nothing, really. You just need to read datasheet more thoroughly Text in small letters
INVALID RANGE OF SIGNAL
BREAKING SOFTWARE DEFINED RANGES (I) 35Security Analyst Summit 2016  Consider a 5-10V signal which is consumed by ADC with ranges 0-15 V  What will happen if you send signal lower than 5V or higher 10V? Time 5 10 V From the real life code: uint8_t val = readADC(0); // reading 8-bit ADC value with ranges 0V -15 V val = val – 85; // Normalization -> 85 == 5 Volts (255/3) Any signal of less them 5 V (val < 85)will cause integer overflow in val
BREAKING HARDWARE DEFINED RANGES 36Security Analyst Summit 2016 What if the attacker sends signal outside of the ADS hardware defined range?  ADC will output max value (all bit set to 1)  ADC might be damaged (did not test out of cost factors )  Values on other inputs could be distorted
ATTACK VECTORS IN ICS SYSTEMS
DIRECT ACCESS ATTACK TOOLKIT 38 Line coupling circuit (usually OpAmp/Transformer) Total setup cost 50$ (1kHz) -- 400$ (50MHz)
ATTACKING FROM ICS DEVICE 39  Compromising one of the field components (PLC, sensor, actuator, DAQ, logger, etc.)  Most MCUs inside transmitters/actuators are capable of generating arbitrary signals up to 500-1000Hz  Some devices allow to generate signals of 44kHz and above
ATTACK FROM TRANSMITTER 40Security Analyst Summit 2016 HART transmitter reference design ;-) DAC with s/r up to 100kHz (smooth sine wave at ~ 5kHz) http://www.tm-eetimes.com/en/accurate-industrial-temperature-measurements-with-loop-powered- transmitter.html?cmp_id=7&news_id=222918850
MITIGATIONS We’re at SAS after all 
HARDWARE MITIGATIONS 42Security Analyst Summit 2016
PUT ANALOG LPF (LOW-PASS FILTER) ON ADC INPUT 43Security Analyst Summit 2016  Low-pass filter rejects signals with a frequency higher than its cutoff frequency  Buffer ADC input with LPF  Good design dictates ADC fs >= LPF fc
LPF FILTERS IN REFERENCE DESIGNS 44Security Analyst Summit 2016 “We included LPF in our design" ADC with fs > 470Hz LPF with fc near 15 kHz
45Security Analyst Summit 2016 SOLUTION
FLIP SIDE OF USING LPF 46Security Analyst Summit 2016 ”Securing” may lead to more vulnerabilities  When adding LPF into an individual device, make sure that all related devices have the same cut-off frequencies  E.g. if PLC input is buffered with LPF 𝒇 𝒄 = 𝟏𝒌𝑯𝒛 and actuator equipped with LPF with 𝒇 𝒄 = 𝟓𝒌𝑯𝒛, the attack not only possible, but the probability of success increases!
NOTE: DIGITAL LPF WON’T WORK! 47Security Analyst Summit 2016 Do not use digital LPF after the ADC! ADC will be already compromised by an ill-intended signal and no digital filter will fix the matters
USE ADC WITH HIGHER BANDWIDTH/LOWER CONVERSION TIME 48Security Analyst Summit 2016  Using ADC with higher sampling frequency can mitigate “oversampling” attack as the attacker will have to generate signal of much higher frequency  Generating >1MHz signal and injecting it into analog line is much harder than injecting < 1MHz signal  H/f signals subjected to greater attenuation and more affected by noise
SCALE SIGNAL AMPLITUDE BEFORE ADC 49Security Analyst Summit 2016  To avoid abuse of ADC ranges, normalize signal amplitude before feeding the signal to ADC - Simplest option: voltage divider + OpAmp, - Signal conditioning circuits or even dynamic range compression Select what is suitable for your OT process
SOFTWARE MITIGATIONS 50Security Analyst Summit 2016
APPLY SECURE CODING TECHNIQUES 51Security Analyst Summit 2016  Scrutinize your ADCs/PLC datasheets to figure out effective ranges, conversion time, frequency and other critical parameters  Even if it is sufficient to control the process with one value per second, sample the signal with higher frequency and average converted values  When receiving value from ADC, treat it as an absolute value (all bits received from ADC are significant)
DO NOT SLEEP! (WHILE WORKING ) 52Security Analyst Summit 2016 Avoid writing/using the following code (if you don’t completely understand your process and aren’t completely sure about what you are doing) Val = readADC(); Output(Val); Sleep(Timeout);
IT AND OT HAVE COMMON PROBLEMS 53Security Analyst Summit 2016 NEVER TRUST YOUR INPUTS

Recommended

S4x16_Europe_Krotofil
S4x16_Europe_KrotofilS4x16_Europe_Krotofil
S4x16_Europe_KrotofilMarina Krotofil
 
MKAD_black_V2
MKAD_black_V2MKAD_black_V2
MKAD_black_V2Marina Krotofil
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenMarina Krotofil
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALMarina Krotofil
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
Marina Krotofil
 
S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsics
Marina Krotofil
 
Never Trust Your Inputs
Never Trust Your InputsNever Trust Your Inputs
Never Trust Your Inputs
Alexander Bolshev
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control Systems
Marina Krotofil
 

Recommended

S4x16_Europe_Krotofil
S4x16_Europe_KrotofilS4x16_Europe_Krotofil
S4x16_Europe_KrotofilMarina Krotofil
 
MKAD_black_V2
MKAD_black_V2MKAD_black_V2
MKAD_black_V2Marina Krotofil
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenMarina Krotofil
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALMarina Krotofil
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
Marina Krotofil
 
S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsics
Marina Krotofil
 
Never Trust Your Inputs
Never Trust Your InputsNever Trust Your Inputs
Never Trust Your Inputs
Alexander Bolshev
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control Systems
Marina Krotofil
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
Yehia Mamdouh
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration Testing
Ahmed Sherif
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Jaap van Ekris
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems
Jaap van Ekris
 
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Positive Hack Days
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
Wavestone
 
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...Mike Boudreaux
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheetqqlan
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA Security
Narinrit Prem-apiwathanokul
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
scada systems
scada systemsscada systems
scada systems
Shovana Khan Yusufzai
 
Sil presentation
Sil presentationSil presentation
Sil presentation
Valeriano Barrilà
 
Scada, a PLC's story
Scada, a PLC's storyScada, a PLC's story
Scada, a PLC's story
Paolo Stagno
 
Wireless SCADA Data Communications
Wireless SCADA Data CommunicationsWireless SCADA Data Communications
Wireless SCADA Data Communications
Daniel Ehrenreich
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolShah Sheikh
 
Practical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA SystemsPractical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA Systems
Living Online
 
VigilantPlant | excellence in Safety & Availability
VigilantPlant | excellence in Safety & AvailabilityVigilantPlant | excellence in Safety & Availability
VigilantPlant | excellence in Safety & Availability
Yokogawa
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
 
Never Trust Your Inputs or how to fool an ADC
Never Trust Your Inputs or how to fool an ADCNever Trust Your Inputs or how to fool an ADC
Never Trust Your Inputs or how to fool an ADC
Alexander Bolshev
 

More Related Content

What's hot

Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
Yehia Mamdouh
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration Testing
Ahmed Sherif
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Jaap van Ekris
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems
Jaap van Ekris
 
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Positive Hack Days
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
Wavestone
 
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...Mike Boudreaux
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheetqqlan
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA Security
Narinrit Prem-apiwathanokul
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
scada systems
scada systemsscada systems
scada systems
Shovana Khan Yusufzai
 
Sil presentation
Sil presentationSil presentation
Sil presentation
Valeriano Barrilà
 
Scada, a PLC's story
Scada, a PLC's storyScada, a PLC's story
Scada, a PLC's story
Paolo Stagno
 
Wireless SCADA Data Communications
Wireless SCADA Data CommunicationsWireless SCADA Data Communications
Wireless SCADA Data Communications
Daniel Ehrenreich
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolShah Sheikh
 
Practical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA SystemsPractical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA Systems
Living Online
 
VigilantPlant | excellence in Safety & Availability
VigilantPlant | excellence in Safety & AvailabilityVigilantPlant | excellence in Safety & Availability
VigilantPlant | excellence in Safety & Availability
Yokogawa
 

What's hot (20)

SCADA Security
SCADA SecuritySCADA Security
SCADA Security
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration Testing
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems
 
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
 
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
Part 5 of 6 - Implementation Phase - Safety Lifecycle Seminar - Emerson Excha...
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA Security
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
scada systems
scada systemsscada systems
scada systems
 
Sil presentation
Sil presentationSil presentation
Sil presentation
 
Scada, a PLC's story
Scada, a PLC's storyScada, a PLC's story
Scada, a PLC's story
 
Wireless SCADA Data Communications
Wireless SCADA Data CommunicationsWireless SCADA Data Communications
Wireless SCADA Data Communications
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
 
Practical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA SystemsPractical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA Systems
 
VigilantPlant | excellence in Safety & Availability
VigilantPlant | excellence in Safety & AvailabilityVigilantPlant | excellence in Safety & Availability
VigilantPlant | excellence in Safety & Availability
 

Similar to presentation_sas2016_V3

[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
 
Never Trust Your Inputs or how to fool an ADC
Never Trust Your Inputs or how to fool an ADCNever Trust Your Inputs or how to fool an ADC
Never Trust Your Inputs or how to fool an ADC
Alexander Bolshev
 
Scada for remote industrial plant
Scada for remote industrial plant Scada for remote industrial plant
Scada for remote industrial plant
Edgefxkits & Solutions
 
Aircraft master warning system with ftc prompting
Aircraft master warning system with ftc promptingAircraft master warning system with ftc prompting
Aircraft master warning system with ftc prompting
Sudhanshu Janwadkar
 
Heart rate monitor system
Heart rate monitor systemHeart rate monitor system
Heart rate monitor system
Skyinthe Raw
 
Electrical, Control & Instrumentation
Electrical, Control & InstrumentationElectrical, Control & Instrumentation
Electrical, Control & InstrumentationAssystem
 
Automation-PLC
Automation-PLCAutomation-PLC
Automation-PLC
Pallavi7776
 
Process Control Systems - VE2013
Process Control Systems - VE2013Process Control Systems - VE2013
Process Control Systems - VE2013
Analog Devices, Inc.
 
Mine workers protection slides
Mine workers protection slidesMine workers protection slides
Mine workers protection slides
Arya Ls
 
FE_Technologies_PLC.ppt
FE_Technologies_PLC.pptFE_Technologies_PLC.ppt
FE_Technologies_PLC.ppt
luisvillanueva16463
 
CHM_Technologies_PLC.ppt
CHM_Technologies_PLC.pptCHM_Technologies_PLC.ppt
CHM_Technologies_PLC.ppt
VinothInst
 
FE_Technologies_PLC.ppt
FE_Technologies_PLC.pptFE_Technologies_PLC.ppt
FE_Technologies_PLC.ppt
Dilupa Herath
 
intelligent braking system report
intelligent braking system reportintelligent braking system report
intelligent braking system report
Sumit Kumar
 
Process Control (Design Conference 2013)
Process Control (Design Conference 2013)Process Control (Design Conference 2013)
Process Control (Design Conference 2013)
Analog Devices, Inc.
 
A PROJECT ON scada.pptx
A PROJECT ON scada.pptxA PROJECT ON scada.pptx
A PROJECT ON scada.pptx
AshhadRaza1
 
Research Inventy: International Journal of Engineering and Science
Research Inventy: International Journal of Engineering and ScienceResearch Inventy: International Journal of Engineering and Science
Research Inventy: International Journal of Engineering and Scienceresearchinventy
 
Research Inventy : International Journal of Engineering and Science is publis...
Research Inventy : International Journal of Engineering and Science is publis...Research Inventy : International Journal of Engineering and Science is publis...
Research Inventy : International Journal of Engineering and Science is publis...researchinventy
 
TYPHOON HIL - Product Catalog-.pdf
TYPHOON HIL - Product Catalog-.pdfTYPHOON HIL - Product Catalog-.pdf
TYPHOON HIL - Product Catalog-.pdf
ShababZehraRizvi
 

Similar to presentation_sas2016_V3 (20)

[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Never Trust Your Inputs or how to fool an ADC
Never Trust Your Inputs or how to fool an ADCNever Trust Your Inputs or how to fool an ADC
Never Trust Your Inputs or how to fool an ADC
 
Scada for remote industrial plant
Scada for remote industrial plant Scada for remote industrial plant
Scada for remote industrial plant
 
Aircraft master warning system with ftc prompting
Aircraft master warning system with ftc promptingAircraft master warning system with ftc prompting
Aircraft master warning system with ftc prompting
 
ELECTRONIC AND - Copy (1)
ELECTRONIC AND - Copy (1)ELECTRONIC AND - Copy (1)
ELECTRONIC AND - Copy (1)
 
final report
final reportfinal report
final report
 
Heart rate monitor system
Heart rate monitor systemHeart rate monitor system
Heart rate monitor system
 
Electrical, Control & Instrumentation
Electrical, Control & InstrumentationElectrical, Control & Instrumentation
Electrical, Control & Instrumentation
 
Automation-PLC
Automation-PLCAutomation-PLC
Automation-PLC
 
Process Control Systems - VE2013
Process Control Systems - VE2013Process Control Systems - VE2013
Process Control Systems - VE2013
 
Mine workers protection slides
Mine workers protection slidesMine workers protection slides
Mine workers protection slides
 
FE_Technologies_PLC.ppt
FE_Technologies_PLC.pptFE_Technologies_PLC.ppt
FE_Technologies_PLC.ppt
 
CHM_Technologies_PLC.ppt
CHM_Technologies_PLC.pptCHM_Technologies_PLC.ppt
CHM_Technologies_PLC.ppt
 
FE_Technologies_PLC.ppt
FE_Technologies_PLC.pptFE_Technologies_PLC.ppt
FE_Technologies_PLC.ppt
 
intelligent braking system report
intelligent braking system reportintelligent braking system report
intelligent braking system report
 
Process Control (Design Conference 2013)
Process Control (Design Conference 2013)Process Control (Design Conference 2013)
Process Control (Design Conference 2013)
 
A PROJECT ON scada.pptx
A PROJECT ON scada.pptxA PROJECT ON scada.pptx
A PROJECT ON scada.pptx
 
Research Inventy: International Journal of Engineering and Science
Research Inventy: International Journal of Engineering and ScienceResearch Inventy: International Journal of Engineering and Science
Research Inventy: International Journal of Engineering and Science
 
Research Inventy : International Journal of Engineering and Science is publis...
Research Inventy : International Journal of Engineering and Science is publis...Research Inventy : International Journal of Engineering and Science is publis...
Research Inventy : International Journal of Engineering and Science is publis...
 
TYPHOON HIL - Product Catalog-.pdf
TYPHOON HIL - Product Catalog-.pdfTYPHOON HIL - Product Catalog-.pdf
TYPHOON HIL - Product Catalog-.pdf
 

More from Marina Krotofil

Dhs icsjwg 2015_v3
Dhs icsjwg 2015_v3Dhs icsjwg 2015_v3
Dhs icsjwg 2015_v3
Marina Krotofil
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsev
Marina Krotofil
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
Marina Krotofil
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
Marina Krotofil
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017
Marina Krotofil
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017
Marina Krotofil
 
New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016
Marina Krotofil
 

More from Marina Krotofil (7)

Dhs icsjwg 2015_v3
Dhs icsjwg 2015_v3Dhs icsjwg 2015_v3
Dhs icsjwg 2015_v3
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsev
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017
 
New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016
 

presentation_sas2016_V3

  • 1. NEVER TRUST YOUR INPUTS: DATA PROCESSING AS ATTACK VECTOR ON ICS Alexander Bolshev & Marina Krotofil
  • 2. ; CAT /DEV/USER 2Security Analyst Summit 2016 Alexander @dark_k3y Bolshev, Ph.D. Security Researcher @ IOActive Assistant Professor @ SPbETU “LETI” Marina @marmusha Krotofil Security Researcher @HoneywellSec
  • 3. Workstation Workstation Firewall ModemOperator Console Firewall SQL Server PLC RTU Maintenance File Server Webserver Corporate LAN SCADA network Webservices Active Directory Sensor Ventil Active Directory Engineering Workstation Process LAN INDUSTRIAL CONTROL SYSTEM 3Security Analyst Summit 2016 Physical application
  • 4. INDUSTRIAL CONTROL SYSTEM 4Security Analyst Summit 2016 Workstation Workstation Firewall ModemOperator Console Firewall SQL Server PLC RTU Maintenance File Server Webserver Corporate LAN SCADA network Webservices Active Directory Sensor Ventil Active Directory Engineering Workstation Process LAN Catastrophic consequence
  • 5. EQUIPMENT DAMAGE AT NUCLEAR PLANT 5 http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on- how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/  Two identically built nuclear plants. One had flow induced vibration issue. And another did not.  The vibrations indication showed itself as hf noise  Field engineer has filtered the signal to get rid of annoying noise  Loss of view into vibration issue
  • 7. IMAGINE A FIELD ARCHITECTURE… 7Security Analyst Summit 2016 Analog control loop Control PLC Actuator Safety PLC/Logger/DAQ/SIS HMI 0V (actuator is OFF) MV – Manipulated Variable What if MV value on actuator will be different from MV value on logger? 1.5V (actuator is ON)
  • 8. BUT IT’S ANALOG CONTROL LINE! 8Security Analyst Summit 2016 It’s impossible to have two different MVs on the same line at the same time! Are you sure?
  • 12. WHAT IS ADC? 12  Converts a continuous analog signal (voltage or amperage) to a digital number that represents signal's amplitude t x(t)
  • 13. ADC IN A NUTSHELL 13Security Analyst Summit 2016 Quantizing & Encoding … • Frequency • Phase • Amplitude Sampling & Holding (S/H) circuit Resolution MSB ADC Clock uI(t) VREF uI’(t) fs Dn-1 D1 D0 Conversion time
  • 14. EXPLOITABLE ADC LIMITATIONS 14Security Analyst Summit 2016  Sampling frequency should follow Nyquist rule ( > 2B)  Input amplitude range fs
  • 16. LET’S SETUP EXPERIMENT 16Security Analyst Summit 2016 Experimental setup:  Arduino Leonardo (Atmega32U4 with build-in ADC, 125kHz int clock)  Si5351 generator Algorithm: 1. Generate square signal with specific frequency and phase, 2. Read 120 ADC values in row and average them, 3. Output to serial port (PC), 4. Increase phase and frequency, 5. GOTO 1.
  • 17. RESULT 17Security Analyst Summit 2016 What is this?!
  • 18. STRANGE AVERAGE VALUES 18Security Analyst Summit 2016  On Arduino Leonardo ADC divider is set to the max value 128 At 16 Mhz master clock freq, the ADC clock freq = 125kHz  At ~125kHz there is a high probability, that generated signal will be always sampled by S&H in its max or min amplitude value  Average signal value even after 120 conversions will be 3.3V or 0V
  • 19. RACING WITH ADC CLOCK 19Security Analyst Summit 2016
  • 20. LET’S REPEAT OUR EXPERIMENT 20Security Analyst Summit 2016 Frequency = around 8.9kHz)
  • 21. TIMING DIAGRAM EXPLAINS EVERYTHING 21Security Analyst Summit 2016 conversion time Signal
  • 22. FROM ATMEGA32U4 DATASHEET 22Security Analyst Summit 2016 Chapter 24 on ADC , page 302 125kHz / 14 ~ 8928Hz (112μs) We’ve just breached through sampling rate precision of the ADC!
  • 23. PROBLEMS WITH USING ADC IN SOFTWARE ADC access timing
  • 24. FROM DEMO: TWO DEVICES & TWO DIFF OUTPUTS 24Security Analyst Summit 2016 Wait, but why? Timing diagrams can explain ;-)
  • 25. EVERYTHING IS MUCH EASIER IN ICS WORLD 25Security Analyst Summit 2016  In many real-world ICS applications ADC doesn’t sample input signal with highest possible frequency  Typical sampling rate is 1-100 times per second
  • 26. HURDLES OF THE ATTACKER 26Security Analyst Summit 2016  How to figure out the required phase and frequency to craft malicious signal?  Send some peak signals and monitor output of the ADC (directly/indirectly)  E.g. by hacking into switch you can monitor/control both data flow to control PLC AND signals from SIS/Safety LC/logger/DAQ/etc
  • 27. 27Security Analyst Summit 2016 Analog control loop Control PLC Actuator Safety PLC/Logger/DAQ/SIS MV – Manipulated Variable Compromised industrial switch HMI FIGURING OUT SIGNAL PARAMETERS
  • 28. ADC conversion time PROBLEMS WITH USING ADC IN SOFTWARE
  • 29. ADC IN CRITICAL APPLICATIONS 29Security Analyst Summit 2016 Be careful when using ADC in critical applications  Industrial PLCs also have analog inputs and built-in ADCs  Let’s test at one of the most popular PLCs S7 1200
  • 30. EXPERIMENT 30 Let’s check the real conversion time of S7 1200 ADC Arduino Waveform generator S7 1200 Analog signal S7 Protocol S7 input amplitudeFrequency I2C Reads value from PLC every N time
  • 33. WHAT’S WRONG? 33Security Analyst Summit 2016 Nothing, really. You just need to read datasheet more thoroughly Text in small letters
  • 35. BREAKING SOFTWARE DEFINED RANGES (I) 35Security Analyst Summit 2016  Consider a 5-10V signal which is consumed by ADC with ranges 0-15 V  What will happen if you send signal lower than 5V or higher 10V? Time 5 10 V From the real life code: uint8_t val = readADC(0); // reading 8-bit ADC value with ranges 0V -15 V val = val – 85; // Normalization -> 85 == 5 Volts (255/3) Any signal of less them 5 V (val < 85)will cause integer overflow in val
  • 36. BREAKING HARDWARE DEFINED RANGES 36Security Analyst Summit 2016 What if the attacker sends signal outside of the ADS hardware defined range?  ADC will output max value (all bit set to 1)  ADC might be damaged (did not test out of cost factors )  Values on other inputs could be distorted
  • 37. ATTACK VECTORS IN ICS SYSTEMS
  • 38. DIRECT ACCESS ATTACK TOOLKIT 38 Line coupling circuit (usually OpAmp/Transformer) Total setup cost 50$ (1kHz) -- 400$ (50MHz)
  • 39. ATTACKING FROM ICS DEVICE 39  Compromising one of the field components (PLC, sensor, actuator, DAQ, logger, etc.)  Most MCUs inside transmitters/actuators are capable of generating arbitrary signals up to 500-1000Hz  Some devices allow to generate signals of 44kHz and above
  • 40. ATTACK FROM TRANSMITTER 40Security Analyst Summit 2016 HART transmitter reference design ;-) DAC with s/r up to 100kHz (smooth sine wave at ~ 5kHz) http://www.tm-eetimes.com/en/accurate-industrial-temperature-measurements-with-loop-powered- transmitter.html?cmp_id=7&news_id=222918850
  • 41. MITIGATIONS We’re at SAS after all 
  • 43. PUT ANALOG LPF (LOW-PASS FILTER) ON ADC INPUT 43Security Analyst Summit 2016  Low-pass filter rejects signals with a frequency higher than its cutoff frequency  Buffer ADC input with LPF  Good design dictates ADC fs >= LPF fc
  • 44. LPF FILTERS IN REFERENCE DESIGNS 44Security Analyst Summit 2016 “We included LPF in our design" ADC with fs > 470Hz LPF with fc near 15 kHz
  • 45. 45Security Analyst Summit 2016 SOLUTION
  • 46. FLIP SIDE OF USING LPF 46Security Analyst Summit 2016 ”Securing” may lead to more vulnerabilities  When adding LPF into an individual device, make sure that all related devices have the same cut-off frequencies  E.g. if PLC input is buffered with LPF 𝒇 𝒄 = 𝟏𝒌𝑯𝒛 and actuator equipped with LPF with 𝒇 𝒄 = 𝟓𝒌𝑯𝒛, the attack not only possible, but the probability of success increases!
  • 47. NOTE: DIGITAL LPF WON’T WORK! 47Security Analyst Summit 2016 Do not use digital LPF after the ADC! ADC will be already compromised by an ill-intended signal and no digital filter will fix the matters
  • 48. USE ADC WITH HIGHER BANDWIDTH/LOWER CONVERSION TIME 48Security Analyst Summit 2016  Using ADC with higher sampling frequency can mitigate “oversampling” attack as the attacker will have to generate signal of much higher frequency  Generating >1MHz signal and injecting it into analog line is much harder than injecting < 1MHz signal  H/f signals subjected to greater attenuation and more affected by noise
  • 49. SCALE SIGNAL AMPLITUDE BEFORE ADC 49Security Analyst Summit 2016  To avoid abuse of ADC ranges, normalize signal amplitude before feeding the signal to ADC - Simplest option: voltage divider + OpAmp, - Signal conditioning circuits or even dynamic range compression Select what is suitable for your OT process
  • 51. APPLY SECURE CODING TECHNIQUES 51Security Analyst Summit 2016  Scrutinize your ADCs/PLC datasheets to figure out effective ranges, conversion time, frequency and other critical parameters  Even if it is sufficient to control the process with one value per second, sample the signal with higher frequency and average converted values  When receiving value from ADC, treat it as an absolute value (all bits received from ADC are significant)
  • 52. DO NOT SLEEP! (WHILE WORKING ) 52Security Analyst Summit 2016 Avoid writing/using the following code (if you don’t completely understand your process and aren’t completely sure about what you are doing) Val = readADC(); Output(Val); Sleep(Timeout);
  • 53. IT AND OT HAVE COMMON PROBLEMS 53Security Analyst Summit 2016 NEVER TRUST YOUR INPUTS