Defcon through the eyes of the attacker 2018 slides - Marina Krotofil
Through the Eyes of the Attacker: Designing Embedded Systems Exploits for Industrial Control Systems
In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting a petrochemical plant in Saudi Arabia. TRITON was designed to compromise the Schneider Electric Triconex line of Safety Instrumented Systems (SIS), potentially in order to cause physical damage. TRITON is the most complex publicly known ICS attack framework to date and the first publicly known one to target safety controllers. While the functionality of the malware is understood, little is known about the complexity of developing such an implant. The goal of this talk is to provide the audience with a “through the eyes of the attacker” experience in designing advanced embedded systems exploits & implants for Industrial Control Systems (ICS). Attendees will learn about the background of the TRITON incident, the process of reverse-engineering and exploiting ICS devices and developing implants and OT payloads as part of a cyber-physical attack and will be provided with details on real-world ICS vulnerabilities and implant strategies.
In the first part of the talk we will provide an introduction to ICS attacks in general and the TRITON incident in particular. We will outline the danger of TRITON being repurposed by copycats and estimate the complexity and development cost of such offensive ICS capabilities.
In the second and third parts of the talk we will discuss the process of exploiting ICS devices to achieve code execution and developing ICS implants and OT payloads. We will discuss real-world ICS vulnerabilities and present several implant scenarios such as arbitrary code execution backdoors (as used in TRITON), pin configuration attacks, protocol handler hooking to spoof monitored signal values, suppressing interrupts & alarm functionality, preventing implant removal and control logic restoration and achieving cross-boot persistence. We will discuss several possible OT payload scenarios and how these could be implemented on ICS devices such as the Triconex safety controllers.
In the final part of the talk we'll wrap up our assessment of the complexity & cost of developing offensive ICS capabilities such as the TRITON attack and offer recommendations to defenders and ICS vendors.
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
Blackhat USA 2016 - What's the DFIRence for ICS? - Chris Sistrunk
Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause.
This talk will show examples of what and how to collect forensics data from two popular RTUs that are used in Electric Substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC.
This talk will not cover Windows or *nix-based devices such as Human Machine Interfaces (HMIs) or gateways.
Your SCADA system has a DNP3 vulnerability, now what? I briefly summarize the DNP3 vulnerabilities (and other ICS protocols too). Then I focus on the different mitigations that an ICS owner can apply to these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed.
Master Serial Killer - DEF CON 22 - ICS Village - Chris Sistrunk
Updated slides on Master Serial Killer, covering Adam Crain and Chris Sistrunk's research on ICS protocol vulnerabilities (Project Robus), the Aegis Fuzzer, and mitigations for these vulnerabilities.
Practical DNP3 and Modern SCADA Systems - Living Online
This manual covers the essentials of SCADA communication systems, focusing on DNP3 and the other new developments in this area. The manual commences with a brief review of the fundamentals of SCADA system hardware, software and the communications systems (such as RS-232, RS-485, Ethernet and TCP/IP) that connect the SCADA operator stations together.
A solid review is then done on the DNP3 protocol where its features, message structure, practical benefits and applications are discussed. The manual is intended to be product independent but examples will be taken from existing products to ensure that all aspects of the DNP3 protocol are covered. The manual provides you with the tools to design your next SCADA system more effectively using DNP3 and draw on the latest technologies.
View Full Manual Here - www.idc-online.com/content/practical-dnp3-and-modern-scada-systems-20?id=33
This talk is about how to get into ICS security, whether you’re a control system engineer or an IT security analyst. It will cover the basic paths you can take to get involved, including some helpful resources and standards to help get you started. The ICS Security industry needs more people to help protect Critical Infrastructure!
Practical Distributed Control Systems (DCS) for Engineers and Technicians - Living Online
This workshop will cover the practical applications of the modern Distributed Control System (DCS). All control systems are distributed to a certain extent today, the concepts of DCS, Programmable Logic Controller (PLC) and SCADA are merging, and the use of PLCs and SCADA systems is growing rapidly; even so, integrity and engineering time can still be said to be advantages of a DCS.
Abnormal Situation Management and Intelligent Alarm Management is a very important DCS issue that provides significant advantages over PLC and SCADA systems.
Few DCSs do justice to the process in terms of controlling for superior performance – most of them merely do the basics and leave the rest to the operators. Operators tend to operate within their comfort zone; they don’t drive the process “like Vettel drives his Renault”. If more than one adverse condition developed at the same time and the system is too basic to act protectively, the operator would probably not be able to react adequately and risk a major deviation.
Not only is the process control functionality normally underdeveloped but on-line process and control system performance evaluation is rarely seen and alarm management is often badly done. Operators consequently have little feedback on their own performance and exceptional adverse conditions are often not handled as well as they should be. This workshop gives suggestions on dealing with these issues.
The losses in process performance due to the inadequately developed control functionality and the operator’s utilisation of the system are invisible in the conventional plant and process performance evaluation and reporting system; that is why it is so hard to make the case for eliminating these losses. Accounting for the invisible losses due to inferior control is not a simple matter, technically and managerially; so it is rarely attempted. A few suggestions are given in dealing with this.
Why are DCSs generally so underutilised? Often because the vendor minimises the applications software development costs to be sure of winning the job, or because the vendor does not know enough about the process. In a green-field situation, enough could not be known at commissioning time, but no allowance was made to add the missing functionality during the ramp-up phase. Often the client does not have the technical skills in-house to realise the desired functionality is missing or to adequately specify the desired functionality.
This workshop examines all these issues and gives suggestions in dealing with them and whilst not being by any means exhaustive provides an excellent starting point for you in working with a DCS.
MORE INFORMATION: http://www.idc-online.com/content/practical-distributed-control-systems-dcs-engineers-technicians-2
S4x16 Europe - Krotofil - Granular Data Flows (ICS)
1. Achieving ICS Resilience and Security through Granular Data Flow Management
Marina Krotofil, Honeywell Industrial Cyber Security. S4x16 Europe, June 10, 2016
17. Cyber-Physical hacking
[Diagram, recovered from the slide] Two attacker objectives:
1. Manipulate the process
– Direct: direct manipulation of actuators
– Indirect: deceiving controller/operator about process state
2. Prevent response
– Operators: blind, mislead
– Control system (including safety): blind about process state; modify operational/safety limits
[Chart] "Sensor signal": kPa gauge (approx. 2780 to 2820) over time in hours (0 to 70).
18. Data stream modification scenario
❑ The most widely assumed scenario is that the attacker will tamper with the data stream somewhere in the communication infrastructure
– Packet replay/injection/modification and the like
– I did the same since I didn't know better. I accidentally discovered the "Stale Data" attack
– Don't directly attack PID-controlled actuators; you're almost guaranteed to fail to maintain control over them
❑ Requires real-time analysis and understanding of process data
– Hard → requirement for light-weight data processing algorithms able to work with all kinds of strange data streams and artefacts
– Strange formatting of data
– Not always strategic enough
19. Data processing as attack vector
❑ Analyzing data processing points
– Often "human friendly"
– Tell you exactly how to make data out of spec
– Allow for "educated guess" and granular manipulation
❑ Good for
– Making data unusable; deceiving about process state
– Removing attack traces (e.g. spikes, etc.)
– Misleading forensics investigators
– Etc., etc.
20. Data processing as attack vector: Desynchronization of data
(Same bullets as slide 19; this slide adds the "Desynchronization of data" heading.)
24. Threat scenario
[Diagram, recovered from the slide] An analog control loop feeds the same signal to several consumers: the Control PLC (driving the Actuator), a Safety PLC/Logger/DAQ and the HMI. One consumer reads 0 V (actuator is OFF) while another reads 1.5 V (actuator is ON).
❑ It is expected that the ADCs on all devices which consume the same analog signal will convert it into the same digital number
– But what if not??
Source: http://www.slideshare.net/dark_k3y/never-trust-your-inputs-or-how-to-fool-and-adc
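The ADC scenario on slide 24 and the "Stale Data" remark on slide 18 suggest the same defensive check: when several devices digitize one analog line, a witness that disagrees with the others beyond ADC rounding, or one whose reading freezes, deserves an alarm. The Python below is an added example, not code from the slides or from Honeywell; the device names, ADC resolutions and the readings are constructed.

```python
# Added example: cross-checking one analog signal digitized by several devices.
from collections import defaultdict
from statistics import median

VREF = 10.0                                             # assumed 0-10 V input range
BITS = {"control_plc": 12, "safety_plc": 16, "logger": 12}  # assumed ADC resolutions
# Constructed readings: (t_seconds, device, raw ADC code). ~1.5 V means actuator ON.
# From t=3 the control PLC reports 0 V (OFF) while the other two still see ON;
# from t=2 the safety PLC's code freezes although process noise is expected.
READINGS = [
    (0.0, "control_plc", 614), (0.0, "safety_plc", 9830), (0.0, "logger", 614),
    (1.0, "control_plc", 615), (1.0, "safety_plc", 9846), (1.0, "logger", 615),
    (2.0, "control_plc", 614), (2.0, "safety_plc", 9838), (2.0, "logger", 614),
    (3.0, "control_plc", 0),   (3.0, "safety_plc", 9838), (3.0, "logger", 614),
    (4.0, "control_plc", 0),   (4.0, "safety_plc", 9838), (4.0, "logger", 615),
]

def adc_to_volts(code, bits, vref):
    """Analog value an ideal linear ADC code represents."""
    return code * vref / ((1 << bits) - 1)

def quantization_tolerance(bits_per_device, vref):
    """Largest gap two faithful converters may show: one LSB of the coarsest
    ADC plus one LSB of the finest, so ordinary rounding never raises an alarm."""
    lsbs = sorted(vref / ((1 << b) - 1) for b in bits_per_device.values())
    return lsbs[-1] + lsbs[0]

def find_disagreements(readings, bits_per_device, vref):
    """Return (t, device, volts, consensus) for each reading that deviates from
    the per-timestamp median by more than the quantization tolerance.
    The median tolerates a single misbehaving device out of three or more."""
    tol = quantization_tolerance(bits_per_device, vref)
    by_t = defaultdict(dict)
    for t, dev, code in readings:
        by_t[t][dev] = adc_to_volts(code, bits_per_device[dev], vref)
    flagged = []
    for t in sorted(by_t):
        volts = by_t[t]
        if len(volts) < 3:
            continue                      # no majority with fewer than three witnesses
        consensus = median(volts.values())
        for dev, v in sorted(volts.items()):
            if abs(v - consensus) > tol:
                flagged.append((t, dev, v, consensus))
    return flagged

def find_stale(readings, run_length):
    """Return (device, start_t) for every run of identical codes of at least
    run_length samples: a frozen value on a noisy line is a stale-data sign."""
    per_dev = defaultdict(list)
    for t, dev, code in sorted(readings):
        per_dev[dev].append((t, code))
    stale = []
    for dev in sorted(per_dev):
        seq = per_dev[dev]
        run_start, run = 0, 1
        for i in range(1, len(seq)):
            if seq[i][1] == seq[i - 1][1]:
                run += 1
                if run == run_length:     # report each run once, at its start
                    stale.append((dev, seq[run_start][0]))
            else:
                run_start, run = i, 1
    return stale

if __name__ == "__main__":
    for t, dev, v, c in find_disagreements(READINGS, BITS, VREF):
        print(f"t={t}: {dev} reports {v:.3f} V, consensus {c:.3f} V")
    for dev, t in find_stale(READINGS, run_length=3):
        print(f"{dev}: value frozen since t={t}")
```

The tolerance is deliberately tied to ADC resolution rather than a fixed voltage, so the same check scales to whichever converters the devices actually use.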
34. Systemic thinking
❑ In complex systems such as ICS, cause and effect are often distant in time and space
❑ In OT-oriented security a communication link is characterized not only by protocol/IP address/port.
– From the process perspective, the most important communication link property is TIME: time constant, time to impact