Honeywell Industrial Cyber Security
Marina Krotofil, S4x16 Europe
June 10, 2016
Achieving ICS Resilience and Security
through Granular Data Flow Management
© 2016 by Honeywell International Inc. All rights reserved.

Cyber-Physical security
[Figure: Industrial Control System and its physical application]
After the attacker gets access to a control system/network, the attack still needs to be performed
– This is where open literature falls short
– Best attack strategies (?)
Security standards & guidelines require “knowing your system” prior to performing risk assessment and subsequent implementation of security controls
– No guidance on HOW to understand the system in a way that best shows where all the risks lie
– Who should participate in risk assessment

Information as an asset
❑ Computer-integrated manufacturing (CIM) concept in the 1970s
❑ The most essential constituent of modern automation is data, and processing this data into information is a substantial task in automation
❑ The key to handling information was the establishment of a transparent data flow inside an automation system with a strict subdivision of the data processing into a hierarchical model → automation pyramid

Automation pyramid
[Figure: automation pyramid, levels annotated “Loop in milliseconds” and “Loop in seconds”. Image: http://krakenautomation.com/images/KrakenPyramid.jpg]

Automation pyramid
[Figure: the same pyramid, levels annotated “Operates on raw data” and “Operates on information”]

Data processing
❑ Raw sensor data can rarely be used directly. The electrical output of a sensing element is usually small in value and has non-idealities such as offset, sensitivity errors, nonlinearities, noise, etc.
❑ The sensor signal is manipulated (processed) in a specific way to meet the requirements of the data-consuming circuits/devices/applications and to produce meaningful information
− Data conditioning, conversion, aggregation, transformation, analysis…
[Figure: trend of D feed (kg/h, roughly 3600–3750) over 72 hours]

Impact of data processing
http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on-how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/
❑ Two identically built nuclear plants. One had a flow-induced vibration issue, and the other did not.
❑ The vibration indication showed itself as resonance (high-frequency) “noise”
− A field engineer changed the signal filtering parameter in the signal recorder to get rid of the noise
− Loss of view into the vibration issue
Equipment damage at nuclear plant

Process data reliability
[Figure: Data → (Big Data) → Information]

Use Case 1: Data Reliability in Electric Substation (courtesy Chris Sistrunk of Mandiant)

Simplified electric substation
[Figure: one-line diagram with an analog control loop: 115kV bus, power transformer, 34.5kV bus, Breaker A, Line 200, Feeder 11 and Feeder 12; current transformer (CT) 1200:5 and potential transformer (PT) 1000:1 on the line]
Properly select the PT and CT ratios to allow some % of overload on the circuit, so the measurements will not top out at 100% when the actual values are higher.

Analog measurements of the line
[Figure: the same one-line diagram; the CT and PT feed a 3-element transducer (3Ø, wye) whose +/- DC output goes to relays, panel meter, SCADA RTU and HMI; example reading 90 MW, 114 kV, 468 Amps]

Purdue model view
Level 5 – Enterprise Network
Level 4 – IT Apps, Outage Mgmt, Billing
DMZ – Mirror Historian, Applications
Level 3 – SCADA Historian
Level 2 – Front End, SCADA Master
Level 1 – Transducer, Meter, RTU
Level 0 – CT, PT
[Figure: data flow XDUCER → RTU → FEP → SCADA → HIS → HIS (mirror) → OMS up through the levels]
ySCADA = m*xLINE + b
x – initial value
m, b – scaling factor and offset applied each time the data moves from one device to another

Getting math right
Level 0
o MW Engineering Limit = (PT ratio) * (CT ratio) * (Transducer Multiplier) * (Line Connection Type) = (1200/5)(1000)(1500)(1)/1000000 = 300MW
o Transducer Output Range = 0 to +/-1mA → 0 – +/-300MW/mA scale
If transducer output = 0.25mA, then 0.25*300 = 90 MW
Transducers may be 0 – 1mA or 4 – 20mA (which require an offset b)
Level 1
o RTU Analog input card (16-bit Analog to Digital Converter): 15 bits plus +/- sign bit
-32768 to +32767 counts = -1mA to 1mA = 300MW/mA
+90 MW = .25*32767 = +8192 counts
o RTU Database = same size → 90MW is stored as +8192 bits (+25% of db)
o SCADA Protocol has 12-bit bipolar analogs (-2048 to 2047 counts)
o SCADA protocol value MW = .25*2047 = 512 counts
RTU must be configured correctly, especially unipolar/bipolar and any analog offset values, as well as logic and any other calculations

Getting math right
Level 2
o +512 bipolar counts from RTU to Front End Processor on a 12-bit protocol (0 – 4095)
1 count = 300MW/2047 = 0.073242 MW per count unipolar (remember Megawatt is a bipolar value)
o The FEP has to shift the bipolar value to a unipolar value to store it in the database!
FEP database value = 512 incoming counts + offset of 2048 = 2560 counts
o FEP database = 16 bits = 0 – 32767 counts
2560 counts / 65535 counts = 0.039063 = 3.906309%
o SCADA database = 32 bits = 0 – 4294967295 counts
3.906309% * 4294967295 = 167774307 counts
Level 3
o SCADA Historian database, etc.
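As an added example (not from the talk), the Level 0 → Level 2 scaling chain above modelled as a sequence of y = m*x + b hops, each of which may round to counts, with the hops composed into the single ySCADA = m*xLINE + b of the Purdue slide and a loop check that injects known values at Level 0 and compares what SCADA reconstructs. It derives the full scale from the slide's own CT/PT/transducer ratios (240 · 1000 · 1500 / 10^6 = 360 MW, which is what makes the slide's 0.25 mA ↔ 90 MW pair consistent); the `Hop` class, `loop_check` and the hop names are this example's own, and the FEP-without-offset misconfiguration is a constructed case.

```python
"""One MW measurement on its way from the substation line to the SCADA
database, modelled as the chain of y = m*x + b hops from the slides.
Exact fractions are used so that quantization is the only source of error."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Iterable, List, Tuple

# Level 0/1 parameters quoted on the slides
CT_RATIO = Fraction(1200, 5)   # current transformer 1200:5
PT_RATIO = Fraction(1000)      # potential transformer 1000:1
XDUCER_MULT = Fraction(1500)   # transducer multiplier
LINE_CONN = Fraction(1)        # line connection type (3-phase wye)


def mw_full_scale() -> Fraction:
    """MW that corresponds to the transducer's full-scale (1 mA) output."""
    return CT_RATIO * PT_RATIO * XDUCER_MULT * LINE_CONN / 1_000_000


@dataclass(frozen=True)
class Hop:
    """One device-to-device transfer y = m*x + b; quantize=True rounds to counts."""
    name: str
    m: Fraction
    b: Fraction = Fraction(0)
    quantize: bool = False

    def forward(self, x: Fraction) -> Fraction:
        y = self.m * x + self.b
        return Fraction(round(y)) if self.quantize else y

    def inverse(self, y: Fraction) -> Fraction:
        return (y - self.b) / self.m


def substation_chain(fep_offset: int = 2048) -> List[Hop]:
    """Hops from the line to the 32-bit SCADA database, as laid out on the slides.
    fep_offset is the bipolar-to-unipolar shift the FEP applies: 2048 is correct,
    0 models an FEP that was never told the value is bipolar (constructed case)."""
    fs = mw_full_scale()
    return [
        Hop("line MW -> transducer mA (0 to +/-1 mA)", 1 / fs),
        Hop("transducer mA -> RTU 16-bit bipolar counts", Fraction(32767), quantize=True),
        Hop("RTU -> 12-bit bipolar protocol counts", Fraction(2047, 32767), quantize=True),
        Hop("FEP bipolar -> unipolar database counts", Fraction(1), Fraction(fep_offset), quantize=True),
        Hop("FEP 0..65535 -> SCADA 32-bit counts", Fraction(4294967295, 65535), quantize=True),
    ]


def encode(chain: List[Hop], mw) -> Fraction:
    """Push an engineering value through every hop, the way the devices do."""
    x = Fraction(mw)
    for hop in chain:
        x = hop.forward(x)
    return x


def decode(chain: List[Hop], counts) -> Fraction:
    """Undo the hops in reverse order to recover engineering units at the SCADA end."""
    x = Fraction(counts)
    for hop in reversed(chain):
        x = hop.inverse(x)
    return x


def composed(chain: List[Hop]) -> Tuple[Fraction, Fraction]:
    """Collapse the whole path into one ySCADA = m*xLINE + b (quantization aside)."""
    m, b = Fraction(1), Fraction(0)
    for hop in chain:
        m, b = hop.m * m, hop.m * b + hop.b
    return m, b


def loop_check(field_chain: List[Hop], scada_chain: List[Hop],
               reference_mw: Iterable[int], tol_mw: float) -> Tuple[bool, float]:
    """Loop test: inject known values at Level 0 through the chain as the field
    devices are actually configured, decode with what SCADA assumes, and report
    whether the worst disagreement (in MW) stays within tolerance."""
    worst = Fraction(0)
    for mw in reference_mw:
        seen = decode(scada_chain, encode(field_chain, mw))
        worst = max(worst, abs(seen - Fraction(mw)))
    return worst <= tol_mw, float(worst)


if __name__ == "__main__":
    good = substation_chain()
    print(f"full scale: {float(mw_full_scale())} MW at 1 mA")
    x = Fraction(90)
    for hop in good:
        x = hop.forward(x)
        print(f"{hop.name:46s} -> {float(x):.4f}")
    print(f"SCADA reads back: {float(decode(good, x)):.4f} MW")
    m, b = composed(good)
    print(f"composed: ySCADA = {float(m):.3f} * xLINE + {int(b)}")
    bad = substation_chain(fep_offset=0)
    print("loop check, correct config:    ", loop_check(good, good, [0, 90, 360], 0.1))
    print("loop check, FEP without offset:", loop_check(bad, good, [0, 90, 360], 0.1))
```

With the correct configuration the 90 MW injection comes back as roughly 90.04 MW (12-bit quantization); with the FEP offset missing, the same injection is reconstructed as about -270 MW, which is the kind of hop-level mistake the loop check is meant to catch before anyone starts pointing fingers.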

Conclusion
❑ You need to understand the data path and know the people involved in data path configuration
❑ The described math is in reality a giant multi-page Excel spreadsheet
❑ While linear algebra is “simple”, the addition of multiple places to scale analog values can be difficult to calculate
– The more calculations, the more opportunity to make a mistake and point fingers at others

Cyber-Physical hacking
[Figure: attack goals]
1. Manipulate the process
 – Direct: direct manipulation of actuators
 – Indirect: deceiving the controller/operator about the process state
2. Prevent response (by operators or by the control system, including safety)
 – Blind: blind about the process state
 – Mislead: modify operational/safety limits
[Figure: sensor signal trend (kPa gauge, roughly 2780–2820) over 70 hours]

Data stream modification scenario
❑ The most widely assumed scenario is that the attacker will tamper with the data stream somewhere in the communication infrastructure
– Packet replay/injection/modification and alike
– I did the same since I didn’t know better. I accidentally discovered the “Stale Data” attack
– Don't directly attack PID-controlled actuators, you’re almost guaranteed to fail to maintain control over them
❑ Requires real-time analysis and understanding of process data
– Hard → requirement for light-weight data processing algorithms able to work with all kinds of strange data streams and artefacts
– Strange formatting of data
– Not always strategic enough

Data processing as attack vector
❑ Analyzing data processing points
– Often “human friendly”
– Tell you exactly how to make data out of spec
– Allow for “educated guess” and granular manipulation
❑ Good for
– Making data unusable; deceiving about process state
– Removing attack traces (e.g. spikes, etc.)
– Misleading forensics investigators
– Etc., etc.

Data processing as attack vector
[Figure: desynchronization of data]

Hacking task: blind the controller/operator
❑ “Record-and-play-back”
o Storage requirement
❑ Derive process model
o Time and brain consuming
o CPU cycles requirement
❑ Crafting forged sensor signals as proposed by Jason Larsen
o I extensively tested this approach. It works like magic. But… needs to be parameterized to match signal properties; did not perform well for a few specific types of signals
❑ Take advantage of signal processing points
[Figure: stripper temperature (°C, 64–69) over 60 hours: “No more oscillations!”]

Use Case 2: Exploiting Analog-to-Digital Converters (joint work with Alexander Bolshev, Black Hat Asia 2016)

Threat scenario
[Figure: analog control loop: a Control PLC drives an actuator with 0V (actuator is OFF) or 1.5V (actuator is ON); the same analog signal is also consumed by a Safety PLC/Logger/DAQ and an HMI]
❑ It is expected that the ADCs on all devices which consume the same analog signal will convert it into the same digital number
– But what if not??
http://www.slideshare.net/dark_k3y/never-trust-your-inputs-or-how-to-fool-and-adc

Experimental setup
[Figure: “HMI Panel”, “Control PLC” (arduino), “Actuator” (motor), “Safety PLC” (S7 1200), wired as an analog control loop]

Demo: Two devices, two different MVs
[Demo video]

Never trust your inputs!
In ICS, input validation refers to data conten(x)t rather than to its formatting
IT and OT have common problems

Typical data flow diagram
[Figure, from https://files.sans.org/summit/icsamsterdam14/PDFs/Ralph%20Langner%20.pdf]

Increase resolution!

Data flow of a single sensor
[Figure: the data flow of one sensor, split into a “Control” path and a “Logging, monitoring, alarm management” path. Courtesy: B. Green, Lancaster University, UK]
❑ Case study at a European utility

Attack vectors
[Figure: the same data flow annotated with attack vectors]
Revealed additional attack surface

System users
Operator Roles                    ICS Level        Support/Maintenance Roles         ICS Level
Process Control Operators         2,3,4,5          Electrical Engineers              0,1,2,5
Local Process Managers            3,4,5            Mechanical Engineers              0,5
Regional Process Managers         2,3,4,5          Control System Engineers          0,1,2,3,5
Regulatory Monitors/Testers       2,3,4,5          Instrumentation Engineers         0,1,2,5
Performance Analysts              4,5              Telemetry Engineers               0,1,2,3,DMZ,4,5
3rd Party Contractors             0,1,2,3,DMZ,4,5  Communications Engineers          3,DMZ,4,5
Alarm Management Centre Operator  4,5              Information Technology Engineers  DMZ,4,5
Health and Safety Officers        0,1,2,3,DMZ,4,5  3rd Party Contractors             0,1,2,3,DMZ,4,5
Home Workers                      3,4,5            Home Workers                      3,4,5

Process data consumption
[Figure]

Systemic thinking
❑ In complex systems such as ICS, cause and effect are often distant in time and space
❑ In OT-oriented security, a communication link is characterized not only by protocol/IP address/port
– From the process perspective, the most important communication link property is TIME: time constant, time to impact

Conclusions
❑ To create effective anti-hacker solutions we need to take a more granular view on ICS, especially at Levels 1-3
– Simply obtaining an inventory of devices and network architectures is insufficient
❑ ICS security is not a purely technical problem but a socio-technical problem
– System-to-system and system-to-user interactions
❑ ICS security cannot be achieved purely by traditional IT security means
– The data can already be “insecure” when submitted to the communication infrastructure
– Engineering design of ICS and operational process properties MATTER!!

Acknowledgements
❑ Chris Sistrunk, Mandiant
❑ Alexander Bolshev, IOActive
❑ Benjamin Green, Lancaster University

Thank You!
Marina Krotofil
www.becybersecure.com
marina.krotofil@honeywell.com

 
DESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABS
DESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABSDESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABS
DESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABS
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
 
6th International Conference on Machine Learning & Applications (CMLA 2024)
6th International Conference on Machine Learning & Applications (CMLA 2024)6th International Conference on Machine Learning & Applications (CMLA 2024)
6th International Conference on Machine Learning & Applications (CMLA 2024)
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
 
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
 
Steel & Timber Design according to British Standard
Steel & Timber Design according to British StandardSteel & Timber Design according to British Standard
Steel & Timber Design according to British Standard
 
Recycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part IIIRecycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part III
 
PPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testingPPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testing
 
Investor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptxInvestor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptx
 
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTSHeap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
Heap Sort (SS).ppt FOR ENGINEERING GRADUATES, BCA, MCA, MTECH, BSC STUDENTS
 
Building Electrical System Design & Installation
Building Electrical System Design & InstallationBuilding Electrical System Design & Installation
Building Electrical System Design & Installation
 
Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
 
Technical Drawings introduction to drawing of prisms
Technical Drawings introduction to drawing of prismsTechnical Drawings introduction to drawing of prisms
Technical Drawings introduction to drawing of prisms
 

S4x16 europe krotofil_granular_dataflowsics

1. Honeywell Industrial Cyber Security
Marina Krotofil, S4x16 Europe, June 10, 2016
Achieving ICS Resilience and Security through Granular Data Flow Management

2. Industrial Control System
© 2016 by Honeywell International Inc. All rights reserved.
(Figure: physical application)

3. Cyber-Physical security
After the attacker gets access to a control system/network, the attack still needs to be performed
  – This is where open literature falls short
  – Best attack strategies (?)
Security standards & guidelines require “knowing your system” prior to performing risk assessment and subsequent implementation of security controls
  – No guidance on HOW to understand the system in a way that best shows where all the risks lie
  – Who should participate in risk assessment

4. Information as an asset
❑ Computer-integrated manufacturing (CIM) concept in the 1970s
❑ The most essential constituent of modern automation is data, and processing this data into information is a substantial task in automation
❑ The key to handling information was the establishment of a transparent data flow inside an automation system with a strict subdivision of the data processing into a hierarchical model → automation pyramid

5. Automation pyramid
(Figure: http://krakenautomation.com/images/KrakenPyramid.jpg; annotations: “Loop in milliseconds”, “Loop in seconds”)

6. Automation pyramid
(Figure: http://krakenautomation.com/images/KrakenPyramid.jpg; annotations: “Operates on raw data”, “Operates on information”)

7. Data processing
❑ Raw sensory data rarely can be used directly. The electrical output of a sensing element is usually small in value and has non-idealities such as offset, sensitivity errors, nonlinearities, noise, etc.
❑ The sensor signal is manipulated (processed) in a specific way to meet the requirements of data consuming circuits/devices/applications to produce meaningful information
  − Data conditioning, conversion, aggregation, transformation, analysis…
(Plot: D feed, kg/h vs. Hours)
8. Impact of data processing
http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on-how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/
❑ Two identically built nuclear plants. One had a flow induced vibration issue, and the other did not.
❑ The vibration indication showed itself as a resonance (high-frequency) “noise”
  − A field engineer changed the signal filtering parameter in the signal recorder to get rid of the noise
  − Loss of view into the vibration issue
(Caption: Equipment damage at nuclear plant)
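The two slides above describe signal conditioning and the case where re-tuning a recorder's filter removed the only indication of a vibration problem. The following Python is an added example, not part of the deck or of the plant's recorder software: it uses a constructed signal (a slow process trend plus a small high-frequency oscillation standing in for the vibration) and a first-order low-pass filter, and measures how much of the high-frequency content survives a given filter parameter. The point for a defender is that a filter change can be audited numerically before it is deployed, rather than discovered later as a loss of view. The sample rate, frequencies, amplitudes and the `alpha` parameterisation are this example's assumptions.

```python
"""Added example: quantify how much of a high-frequency vibration signature a
signal recorder's low-pass filter setting removes. All signal parameters are
constructed test values, not data from the plant on the slide."""
import math

FS_HZ = 1000.0                   # constructed recorder sample rate
TREND_HZ, TREND_AMP = 0.5, 1.0   # slow process trend that should be kept
VIB_HZ, VIB_AMP = 80.0, 0.2      # vibration component, the "noise" on the slide


def constructed_signal(n=2000):
    """Trend plus vibration, sampled at FS_HZ (constructed test input)."""
    return [TREND_AMP * math.sin(2 * math.pi * TREND_HZ * i / FS_HZ)
            + VIB_AMP * math.sin(2 * math.pi * VIB_HZ * i / FS_HZ)
            for i in range(n)]


def low_pass(x, alpha):
    """First-order (exponential) low-pass: y[i] = alpha*x[i] + (1-alpha)*y[i-1].
    A smaller alpha means heavier filtering, i.e. a lower cutoff frequency."""
    y = [x[0]]
    for v in x[1:]:
        y.append(alpha * v + (1 - alpha) * y[-1])
    return y


def hf_index(x, skip=500):
    """RMS of the first difference: a cheap measure of high-frequency content.
    The first `skip` samples are ignored so the filter transient does not count."""
    d = [x[i] - x[i - 1] for i in range(skip + 1, len(x))]
    return math.sqrt(sum(v * v for v in d) / len(d))


def retained_fraction(alpha):
    """Fraction of the raw signal's high-frequency content that survives the filter."""
    raw = constructed_signal()
    return hf_index(low_pass(raw, alpha)) / hf_index(raw)


def audit_filter_change(old_alpha, new_alpha, min_retained=0.5):
    """Flag a recorder filter change that would hide most of the vibration signature.
    The 0.5 threshold is an assumed policy value for this example."""
    before, after = retained_fraction(old_alpha), retained_fraction(new_alpha)
    return {"before": before, "after": after, "loss_of_view": after < min_retained}


if __name__ == "__main__":
    print(audit_filter_change(0.8, 0.02))   # light filter -> heavy filter
```

With `alpha = 0.8` the 80 Hz component passes almost unchanged; with `alpha = 0.02` roughly 95 % of it is gone while the 0.5 Hz trend is still intact, which is exactly the "clean" trace that hides the resonance. The same `retained_fraction` check can be run against the frequency band of whatever signature the plant actually cares about.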
9. Process data reliability
(Figure: Data → (Big Data) → Information)

10. Use Case 1: Data Reliability in Electric Substation (courtesy Chris Sistrunk of Mandiant)

11. Simplified electric substation (Analog control loop)
(Diagram labels: 115kV Bus, 34.5kV Bus, Power Transformer, Breaker A, Line 200, Feeder 11, Feeder 12; 1200:5 Current Transformer (CT); 1000:1 Potential Transformer (PT))
Properly select the PT and CT ratio to allow some % of overload on the circuit, so the measurements will not top out at 100% when the actual values are higher.

12. Analog measurements of the line
(Diagram labels: 115kV Bus, 34.5kV Bus, Power Transformer, Breaker A, Line 200, Feeder 11, Feeder 12; CT and PT feed a 3-Element Transducer, 3Ø, Wye, with a + DC − output; 90 MW, 114 kV, 468 Amps; to Relays, Panel Meter, & SCADA RTU, HMI)

13. Purdue model view
Level 5 – Enterprise Network
Level 4 – IT Apps, Outage Mgmt, Billing
DMZ – Mirror Historian, Applications
Level 3 – SCADA Historian
Level 2 – Front End, SCADA Master
Level 1 – Transducer, Meter, RTU
Level 0 – CT, PT
Data flow: XDUCER → RTU → FEP → SCADA → HIS → HIS → OMS
y_SCADA = m * x_LINE + b
  x – initial value
  m, b – scaling factor and offset for each time the data moves from one device to another

14. Getting math right
Level 0
  o MW Engineering Limit = (PT ratio) * (CT ratio) * (Transducer Multiplier) * (Line Connection Type) = (1200/5)(1000)(1500)(1)/1000000 = 300MW
  o Transducer Output Range = 0 to +/-1mA → 0 – +/-300MW/mA scale. If transducer output = 0.25mA, then 0.25*300 = 90 MW
  The RTU must be configured correctly, especially unipolar/bipolar and any analog offset values, as well as logic and any other calculations. Transducers may be 0 – 1mA or 4 – 20mA (which require an offset b)
Level 1
  o RTU Analog input card (16-bit Analog to Digital Converter): 15 bits plus +/- sign bit; -32768 to +32767 counts = -1mA to 1mA = 300MW/mA; +90 MW = .25*32767 = +8192 counts
  o RTU Database = same size → 90MW is stored as +8192 bits (+25% of db)
  o SCADA Protocol has 12-bit bipolar analogs (-2048 to 2047 counts)
  o SCADA protocol value MW = .25*2047 = 512 counts
15. Getting math right
Level 2
  o +512 bipolar counts from RTU to Front End Processor on a 12-bit protocol (0 – 4095); 1 count = 300MW/2047 = 0.073242 MW per count unipolar (remember Megawatt is a bipolar value)
  o The FEP has to shift the bipolar value to a unipolar value to store it in the database! FEP database value = 512 incoming counts + offset of 2048 = 2560 counts
  o FEP database = 16 bits = 0 – 32767 counts; 2560 counts / 65535 counts = 0.039063 = 3.906309%
  o SCADA database = 32 bits = 0 – 4294967295 counts; 3.906309% * 4294967295 = 167774307 counts
Level 3
  o SCADA Historian database, etc.
16. Conclusion
❑ You need to understand the data path and know the people involved in data path configuration
❑ The described math is in reality a giant multipage Excel spreadsheet
❑ While linear algebra is “simple”, the addition of multiple places to scale analog values can be difficult to calculate
  – The more calculations, the more opportunity to make a mistake and point fingers at others

17. Cyber-Physical hacking
(Figure: 1 Manipulate the process – Direct / Indirect; 2 Prevent response – Operators / Control system (including safety) – Blind / Mislead. Plot: Sensor signal, kPa gauge vs. Hours)
Direct manipulation of actuators; deceiving controller/operator about process state; blind about process state; modify operational/safety limits

18. Data stream modification scenario
❑ The most widely assumed scenario is that the attacker will tamper with the data stream somewhere in the communication infrastructure
  – Packet replay/injection/modification/alike
  – I did the same since I didn’t know better. I accidentally discovered the “Stale Data” attack
  – Don't directly attack PID-controlled actuators, you’re almost guaranteed to fail to maintain control over them
❑ Requires real time analysis and understanding of process data
  – Hard → requirement for light-weight data processing algorithms able to work with all kinds of strange data streams and artefacts
  – Strange formatting of data
  – Not always strategic enough

19. Data processing as attack vector
❑ Analyzing data processing points
  – Often “human friendly”
  – Tell you exactly how to make data out of spec
  – Allow for “educated guess” and granular manipulation
❑ Good for
  – Making data unusable; deceiving about process state
  – Removing attack traces (e.g. spikes, etc.)
  – Misleading forensics investigators
  – Etc., etc.

20. Data processing as attack vector (continued)
Desynchronization of data

21. Hacking task: blind the controller/operator
❑ “Record-and-play-back”
  o Storage requirement
❑ Derive process model
  o Time and brain consuming
  o CPU cycles requirement
❑ Crafting forged sensor signals as proposed by Jason Larsen
  o I extensively tested this approach. It works like magic. But… it needs to be parameterized to match signal properties; it did not perform well for a few specific types of signals
❑ Take advantage of signal processing points

22. Hacking task: blind the controller/operator (continued)
(Plot: Stripper Temperature, °C vs. Time [hours]; caption: No more oscillations!)

23. Use Case 2: Exploiting Analog-to-Digital Converters (joint work with Alexander Bolshev), Black Hat Asia 2016

24. Threat scenario
(Diagram: Control PLC → Actuator; Safety PLC/Logger/DAQ; HMI; 0V (actuator is OFF), 1.5V (actuator is ON))
❑ It is expected that the ADCs on all devices which consume the same analog signal will convert it into the same digital number
  – But what if not??
http://www.slideshare.net/dark_k3y/never-trust-your-inputs-or-how-to-fool-and-adc

25. Experimental setup
(Photo labels: “HMI Panel”, “Control PLC” (arduino), “Actuator” (motor), “Safety PLC” (S7 1200))

26. Demo: Two devices, two different MVs
DEMO VIDEO

27. Never trust your inputs!
In ICS, input validation refers to data conten(x)t rather than to its formatting
IT and OT have common problems

28. Typical data flow diagram
https://files.sans.org/summit/icsamsterdam14/PDFs/Ralph%20Langner%20.pdf

29. Increase resolution!

30. Data flow of a single sensor
(Diagram: logging, monitoring, alarm management; control. Courtesy: B. Green, Lancaster University, UK)
❑ Case study at a European utility

31. Attack vectors
Revealed additional attack surface

32. System users
Operator Roles – ICS Level
  Process control Operators – 2,3,4,5
  Local Process Managers – 3,4,5
  Regional Process Managers – 2,3,4,5
  Regulatory Monitors/Testers – 2,3,4,5
  Performance Analysts – 4,5
  3rd Party Contractors – 0,1,2,3,DMZ,4,5
  Alarm Management Centre Operator – 4,5
  Health and Safety Officers – 0,1,2,3,DMZ,4,5
  Home Workers – 3,4,5
Support/Maintenance Roles – ICS Level
  Electrical Engineers – 0,1,2,5
  Mechanical Engineers – 0,5
  Control System Engineers – 0,1,2,3,5
  Instrumentation Engineers – 0,1,2,5
  Telemetry Engineers – 0,1,2,3,DMZ,4,5
  Communications Engineers – 3,DMZ,4,5
  Information Technology Engineers – DMZ,4,5
  3rd Party Contractors – 0,1,2,3,DMZ,4,5
  Home Workers – 3,4,5

33. Process data consumption

34. Systemic thinking
❑ In complex systems such as ICS, cause and effect are often distant in time and space
❑ In OT-oriented security, a communication link is characterized not only by protocol/IP address/port
  – From the process perspective, the most important communication link property is TIME: time constant, time to impact

35. Conclusions
❑ To create effective anti-hacker solutions we need to take a more granular view on ICS, especially at Levels 1-3
  – Simply obtaining an inventory of devices and network architectures is insufficient
❑ ICS security is not a purely technical problem but a socio-technical problem
  – System-to-system and system-to-user interactions
❑ ICS security cannot be achieved purely by traditional IT security means
  – The data can already be “insecure” when submitted to the communication infrastructure
  – Engineering design of ICS and operational process properties MATTER!!

36. Acknowledgements
❑ Chris Sistrunk, Mandiant
❑ Alexander Bolshev, IOActive
❑ Benjamin Green, Lancaster University

37. Thank You!
www.becybersecure.com
marina.krotofil@honeywell.com
Marina Krotofil