Defcon through_the_eyes_of_the_attacker_2018_slides, by Marina Krotofil
Through the Eyes of the Attacker: Designing Embedded Systems Exploits for Industrial Control Systems
In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting a petrochemical plant in Saudi Arabia. TRITON was designed to compromise the Schneider Electric Triconex line of Safety Instrumented Systems (SIS), potentially in order to cause physical damage. TRITON is the most complex publicly known ICS attack framework to date and the first publicly known one to target safety controllers. While the functionality of the malware is understood, little is known about the complexity of developing such an implant. The goal of this talk is to provide the audience with a “through the eyes of the attacker” experience in designing advanced embedded systems exploits & implants for Industrial Control Systems (ICS). Attendees will learn about the background of the TRITON incident, the process of reverse-engineering and exploiting ICS devices and developing implants and OT payloads as part of a cyber-physical attack and will be provided with details on real-world ICS vulnerabilities and implant strategies.
In the first part of the talk we will provide an introduction to ICS attacks in general and the TRITON incident in particular. We will outline the danger of TRITON being repurposed by copycats and estimate the complexity and development cost of such offensive ICS capabilities.
In the second and third parts of the talk we will discuss the process of exploiting ICS devices to achieve code execution and developing ICS implants and OT payloads. We will discuss real-world ICS vulnerabilities and present several implant scenarios such as arbitrary code execution backdoors (as used in TRITON), pin configuration attacks, protocol handler hooking to spoof monitored signal values, suppressing interrupts & alarm functionality, preventing implant removal and control logic restoration and achieving cross-boot persistence. We will discuss several possible OT payload scenarios and how these could be implemented on ICS devices such as the Triconex safety controllers.
In the final part of the talk we'll wrap up our assessment of the complexity & cost of developing offensive ICS capabilities such as the TRITON attack and offer recommendations to defenders and ICS vendors.
Scada Industrial Control Systems Penetration Testing, by Yehia Mamdouh
Scada Industrial Control Systems Penetration Testing
Starts from types of SCADA networks, then penetration testing, and finally what security practices should be followed.
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter..., by Jaap van Ekris
The focus of many information security methods is on office automation: protecting vulnerable data. When working in embedded software environments, the focus changes significantly to availability, and the counter-measures against threats also change dramatically. A major issue is that security will become an "IT problem" that industrial automation continues to ignore. In this presentation the problem will be presented, as well as directions for embedding security measures into the organisation.
2011-05-02 - VU Amsterdam - Testing safety critical systems, by Jaap van Ekris
Presentation about the steps required for verifying and validating safety critical systems, as well as the test approach used. Contains examples of real-life IEC 61508 SIL 4 systems.
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
Practical DNP3 and Modern SCADA Systems, by Living Online
This manual covers the essentials of SCADA communication systems, focusing on DNP3 and the other new developments in this area. The manual commences with a brief review of the fundamentals of SCADA systems hardware, software and the communications systems (such as RS-232 and RS-485, Ethernet and TCP/IP) that connect the SCADA operator stations together.
A solid review is then done on the DNP3 protocol where its features, message structure, practical benefits and applications are discussed. The manual is intended to be product independent but examples will be taken from existing products to ensure that all aspects of the DNP3 protocol are covered. The manual provides you with the tools to design your next SCADA system more effectively using DNP3 and draw on the latest technologies.
View Full Manual Here - www.idc-online.com/content/practical-dnp3-and-modern-scada-systems-20?id=33
During the last few years, SCADA quickly gained the major news headlines with different frightening articles: from STUXNET to breaches like the electrical power supply grid in Ukraine (December 2015). Since SCADA systems are actively used across various industries (oil & gas, pharma, power plants, critical infrastructures) to perform critical operations on a daily basis, SCADA security has also become a hot topic in the industry.
This talk will provide a comprehensive overview of the most common SCADA components, known malware and incidents as well as security issues affecting this technology, including existing vulnerabilities in different modules. As part of the presentation, we will disassemble and reverse engineer a PLC and its protocol. This model will be used to demonstrate some aspects of discovered security vulnerabilities.
This talk is about how to get into ICS security, whether you’re a control system engineer or an IT security analyst. It will cover the basic paths you can take to get involved, including some helpful resources and standards to help get you started. The ICS Security industry needs more people to help protect Critical Infrastructure!
Safety Verification and Software aspects of Automotive SoC, by Pankaj Singh
IP-SoC Conference 2017 Grenoble
The automotive industry has evolved over the last 100 years. Electronic systems were introduced into the automotive industry in 1960. Since then the complexity has grown many fold, and today's automobiles have as many as 150 programmable computing elements or Electronic Control Units (ECUs) with several wiring connections. The software content has also increased significantly, with today's car having more than 100 million lines of software code.
This increased hardware and software complexity increases the risk of failure that could impact negatively on vehicle safety. This has led to concerns regarding the validation of failure modes and the detection mechanisms. Car makers and suppliers need to prove that, despite increasing complexity, their electronic systems will deliver the required functionality safely and reliably.
This presentation describes the challenges and methodology related to safety verification and software development aspects of automotive microcontroller SoCs.
Introduction to AIoT & TinyML - with Arduino, by Andri Yadi
On March 21, 2020, we participated in the worldwide Arduino Day 2020 and organized the online event for Bandung, Indonesia. This is the deck I delivered for my talk and demo.
This paper presentation (ppt) is entirely on industrial automation for a seminar, along with a project (PLC based water bottle filling system) which works on the principle of industrial automation.
1. Achieving ICS Resilience and Security through Granular Data Flow Management
Marina Krotofil, Honeywell Industrial Cyber Security
S4x16 Europe, June 10, 2016
17. Cyber-Physical hacking (p. 16)
Diagram, reconstructed from the slide text: two attacker goals, each reached either directly or indirectly.
– Manipulate the process: (1) Direct: direct manipulation of actuators; (2) Indirect: deceiving the controller/operator about the process state
– Prevent response (by operators or by the control system, including safety): Blind: blind about the process state; Mislead: modify operational/safety limits
18. Data stream modification scenario (p. 17)
The most widely assumed scenario is that the attacker will tamper with the data stream somewhere in the communication infrastructure
– Packet replay/injection/modification and alike
– I did the same since I didn't know better. I accidentally discovered the "Stale Data" attack
– Don't directly attack PID-controlled actuators; you're almost guaranteed to fail to maintain control over them
Requires real-time analysis and understanding of process data
– Hard requirement for light-weight data processing algorithms able to work with all kinds of strange data streams and artefacts
– Strange formatting of data
– Not always strategic enough
19. Data processing as attack vector (p. 18)
Analyzing data processing points
– Often “human friendly”
– Tell you exactly how to make data out of spec
– Allow for “educated guess” and granular manipulation
Good for
– Making data unusable; deceiving about process state
– Removing attack traces (e.g. spikes, etc.)
– Misleading forensics investigators
– Etc., etc.
20. Data processing as attack vector (p. 19; build of the previous slide with the same bullets, plus a diagram)
Desynchronization of data
24. Threat scenario (p. 23)
Figure: one analog control loop feeding several consumers (Control PLC, Actuator, Safety PLC/Logger/DAQ, HMI), shown at two signal levels: 0V (actuator is OFF) and 1.5V (actuator is ON).
It is expected that the ADCs on all devices which consume the same analog signal will convert it into the same digital number
– But what if not??
http://www.slideshare.net/dark_k3y/never-trust-your-inputs-or-how-to-fool-and-adc
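The slide's "same signal, different digital number" point, as an added example that is not from the deck: three constructed consumers with different resolution, reference voltage and input offset digitise the same voltage, and a sweep reports the input band in which they disagree about whether the actuator is ON. Device parameters are assumptions for illustration, not a real product's values.

```python
"""Added example (not from the deck): several devices digitise the same analog
signal and are assumed to agree on the actuator state. Device numbers are
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Adc:
    name: str
    bits: int           # converter resolution
    v_ref: float        # full-scale reference voltage of this device's input
    offset_v: float     # ground shift / calibration offset at this device (constructed)
    threshold_v: float  # level at or above which the consumer treats the actuator as ON

    def convert(self, v_in: float) -> int:
        """Quantise the input voltage to an ADC code, clamped to the device range."""
        v = min(max(v_in + self.offset_v, 0.0), self.v_ref)
        return round(v / self.v_ref * ((1 << self.bits) - 1))

    def reconstruct(self, code: int) -> float:
        """Voltage this device believes it saw, given the code it produced."""
        return code / ((1 << self.bits) - 1) * self.v_ref

    def actuator_on(self, v_in: float) -> bool:
        return self.reconstruct(self.convert(v_in)) >= self.threshold_v


# Constructed consumers of one analog loop (illustrative, not a real product).
CONSUMERS = [
    Adc("control PLC", bits=12, v_ref=5.0, offset_v=0.0, threshold_v=1.0),
    Adc("safety PLC/logger", bits=10, v_ref=3.3, offset_v=-0.3, threshold_v=1.0),
    Adc("HMI DAQ", bits=16, v_ref=10.0, offset_v=0.0, threshold_v=1.0),
]


def states_at(v_in: float, adcs=CONSUMERS) -> dict:
    """What each consumer concludes about the actuator for one input voltage."""
    return {a.name: a.actuator_on(v_in) for a in adcs}


def consumers_disagree(v_in: float, adcs=CONSUMERS) -> bool:
    return len(set(states_at(v_in, adcs).values())) > 1


def disagreement_band(adcs=CONSUMERS, v_max: float = 2.0, step: float = 0.01):
    """Sweep the input range and return the (lowest, highest) voltage at which
    the consumers do not all agree, or None if they always agree. This is the
    window a defender should know about: inside it, 'the same' signal is ON for
    one device and OFF for another."""
    lo = hi = None
    for i in range(int(round(v_max / step)) + 1):
        v = i * step
        if consumers_disagree(v, adcs):
            lo = v if lo is None else lo
            hi = v
    return None if lo is None else (lo, hi)


if __name__ == "__main__":
    for v in (0.0, 1.15, 1.5):
        print(f"{v:.2f} V -> {states_at(v)}")
    print("consumers disagree for inputs in", disagreement_band())
```

At 0 V and 1.5 V (the slide's two levels) all three agree; the band in between is where a cross-device consistency check, or hysteresis around the threshold, is needed.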
34. Systemic thinking (p. 33)
In complex systems such as ICS, cause and effect are often distant in time and space
In OT-oriented security, a communication link is characterized not only by protocol/IP address/port
– From the process perspective, the most important communication link property is TIME: time constant, time to impact
Incomplete understanding of risks yields narrowly formulated security objectives and scant security controls.
Control systems used to be pneumatic and electronic prior to the introduction of Computer Integrated Manufacturing in the 1970s.
With the introduction of computer aided manufacturing, the control systems started to act on data and not on compressed air and electrons as before.
With that, data became the most essential ingredient of automation.
The goal was to find the architecture that would integrate all levels and functional units starting from the strategic planning down to the shop floor. The architecture was driven by the goal to address properties of the data at the individual layers.
On the lowest level data has short-term significance and is used merely to control details and steps of the process. Data exchange happens in milliseconds or seconds. The local data from subsystems at the lowest levels is aggregated together and combined with the data from the other subsystems for presentation to the process operator for trending, alarm management and scheduling.
Whereas the lower levels mostly operate on raw data, the upper layers operate on the information extracted from the data.
Information at the highest level is concerned with long-term planning and enterprise management. The degree of aggregation and the abstraction level are usually very high.
We are effectively building a data chain.
The direction of the process data flow is bottom-up, while management and control data flows from top to bottom, with each layer adding latency. "Real-time" strategic process monitoring and management is about long-term changes and correcting long-term drifts. Supervisory control is about medium-term strategic monitoring and tactical control (process supervisors and process managers). The focus of operators, and controllers, is short-term transactional data for regulatory control of a process and for time-critical operational problems.
Data is combined with more data to derive useful information and is fed into equations.
Sensor signal conditioners are used to minimize these non-idealities.
Proper configuration of data processing is critical. Loss of data integrity directly results in loss of view, and with that loss of control over the physical operational process.
In many cases the controller and operator can only observe the physical process through sensor readings, and must have faith in the process data describing true underlying physics.
In essence, data processing is conducted to provide usable/actionable information, based on the requirements defined by each stage in a data pathway. Any error in data processing along a pathway harbours the potential to degrade and even lose visibility of the process state.
Understanding data sources and pathways is essential to the comprehension of undesirable impact on process operations, caused by errors or intentional manipulation of data streams.
The requirements for data processing are determined not only by the needs of hardware and software but also by the people who will later be using the data, because they may need to extract different types of information from it.
Consider a situation when a technician recalibrates or replaces a sensor which may, e.g., have a different sampling frequency. He will likely know to liaise with a PLC configuration engineer in order to account for the applied changes within the PLC logic, therefore maintaining stable physical process operations. This fulfils the initial requirement of sensors: providing accurate input to operational decision making.
However, when reconfiguration requirements arise in relation to neighbouring devices, HMIs and data historians for example, and these are left unchanged, regulatory, alarm monitoring, safety and performance analytics data will become compromised, because awareness of sensor data consumption beyond the PLC is outside the scope of an instrumentation engineer's role.
A few hours or days later a data analyst from the upper layer will obtain very strange data and will call the shop floor demanding that the problem be fixed and the quality of the data restored. From initial suspicions around spurious data, historian support engineers would drill down into complex mathematical calculations to find a root cause. Where calculations are derived from up to 30+ operational tags (signal inputs), this process could prove time consuming. Furthermore, where data is processed at multiple points in the system and where visibility of data ends inside some device, interaction with Level 1 control engineers would be required to better understand any changes further downstream.
It is for this reason that the identification of complex system-to-system relationships (device-to-device interactions) and system-to-user relationships (end-user and maintenance personnel interactions with systems) and requirements within the manufacturing zone demonstrates the challenge of ensuring data reliability, a challenge caused by the continuing deployment and development of new and/or existing OT technology in parallel to the growing number of data users across all levels of ICS.
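The recalibration story above, replayed in code as an added example that is not the talk's own material: every consumer of one sensor tag holds its own copy of the tag configuration, the replacement sensor's new range and sample period are pushed to the PLC only, and a drift check against an assumed "instrument register" (the authoritative record of what is installed) reports which consumers, at which Purdue level and owned by which role, still scale the raw counts with stale settings. All consumer names, roles and numbers are constructed.

```python
"""Added example (not from the deck): one sensor signal consumed at several
levels, each consumer with its own copy of the tag configuration. Names,
roles, ranges and raw counts are constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TagConfig:
    raw_min: int        # raw counts at the bottom of the sensor range (assumed 4 mA)
    raw_max: int        # raw counts at the top of the range (assumed 20 mA)
    eng_min: float      # engineering value at raw_min (bar)
    eng_max: float      # engineering value at raw_max (bar)
    period_s: float     # sample period the consumer assumes between raw samples


@dataclass(frozen=True)
class Consumer:
    name: str
    level: int          # Purdue level at which the consumer sits
    owner: str          # role that maintains this consumer's configuration
    cfg: TagConfig


def to_eng(cfg: TagConfig, raw: int) -> float:
    """Linear scaling of raw counts into engineering units."""
    span = (cfg.eng_max - cfg.eng_min) / (cfg.raw_max - cfg.raw_min)
    return cfg.eng_min + (raw - cfg.raw_min) * span


def rate_of_change(cfg: TagConfig, raw_prev: int, raw_now: int) -> float:
    """Derived value (bar/s) in which a stale range and a stale period compound."""
    return (to_eng(cfg, raw_now) - to_eng(cfg, raw_prev)) / cfg.period_s


OLD = TagConfig(raw_min=0, raw_max=10000, eng_min=0.0, eng_max=10.0, period_s=6.0)
NEW = TagConfig(raw_min=0, raw_max=10000, eng_min=0.0, eng_max=16.0, period_s=1.0)

# Before the sensor swap every consumer holds the same copy of the configuration.
CONSUMERS = [
    Consumer("PLC logic", 1, "control engineer", OLD),
    Consumer("HMI alarms", 2, "operations", OLD),
    Consumer("historian", 3, "historian support", OLD),
    Consumer("analytics", 4, "data analyst", OLD),
]


def apply_change(consumers, new_cfg: TagConfig, updated: set) -> list:
    """Push the new configuration only to the consumers someone remembered to update."""
    return [replace(c, cfg=new_cfg) if c.name in updated else c for c in consumers]


def readings(consumers, raw: int) -> dict:
    """Engineering value each consumer derives from the same raw sample."""
    return {c.name: round(to_eng(c.cfg, raw), 2) for c in consumers}


def alarm_states(consumers, raw: int, hi_limit: float) -> dict:
    """Which consumers would raise a high alarm for the same raw sample."""
    return {c.name: to_eng(c.cfg, raw) > hi_limit for c in consumers}


def config_drift(register: TagConfig, consumers) -> list:
    """Compare each consumer's copy with the instrument register and return
    (consumer, level, owner, differing fields) so the right role at each
    level can be involved in the reconfiguration."""
    out = []
    for c in consumers:
        diff = sorted(f for f in register.__dataclass_fields__
                      if getattr(c.cfg, f) != getattr(register, f))
        if diff:
            out.append((c.name, c.level, c.owner, diff))
    return out


if __name__ == "__main__":
    after = apply_change(CONSUMERS, NEW, updated={"PLC logic"})
    print(readings(after, 7300))                  # PLC 11.68 bar, the rest 7.3 bar
    print(alarm_states(after, 7300, hi_limit=9.0))
    print(config_drift(NEW, after))
```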
Direct manipulation of actuators is very hard. Whenever you are dealing with something that is not of a binary state like on and off, the malicious actions compete with the control algorithm, because each process has to transition to a new state in a specific way and time frame. The attacker is much better off deceiving the controller, e.g. that something is hot, to make it cool down the system. In that way the process will reach a new state smoothly and without unpredictable deviations.
If not designed and configured in the right way, such control loops are vulnerable to a large number of attack scenarios.
At this point you probably wonder how exactly we can validate inputs in process control. I will say a few words about that later, and other than that, ask me after the talk.
This view aggregates information from extensive network architecture reviews of the utility, configuration reviews, and interviews with system operators and support/maintenance personnel.
Each component (PLC, RTU, Historian, etc.) or sub-component (memory location, interface, function, etc.) is represented by a square or circular node. A circular node stands for user interaction/visibility via a user interface. A square node with dashed edges depicts a function being applied to a data stream (data processing point).
Each node is color coded to represent the system level in which it resides, according to the Purdue model. However, as can be seen with some nodes (e.g. the node "analogue input card"), two colors are applied. This application of multiple colors has been introduced where a device, interface, element of configuration, etc. is accessed or under the control/management of system users from more than one level.
For example, the analogue input card represents a physical interface on the PLC. Level 0 shows instrumentation engineers responsible for the sensors feeding this card, and Level 1 control engineers responsible for the operational logic being executed on the PLC, both requiring access to the analogue input card.
A temporary memory address in the PLC logic (MD104) splits into two discrete datablocks: (1) one for on-site control logic and workstation interaction, (2) the other for offsite monitoring and alarm management, with several systems and users involved in directly supporting/utilising the data at a local level (Levels 1, 2, and 3).
The increased level of granularity allows for comprehension of critical functions, and memory addressing, applied to the computational processing of one signal. Once mapped, a larger attack surface is revealed allowing for further refinement of the risk assessment process and security control implementation.
For performing security and risk assessment it is important to involve the right people. Exploration of more complex system-to-user relationship, first requires an understanding of role groups across each level of the ICS.
Each of the data processing points or functions as well as data addressing are
A significant number of roles were identified during the case study. These roles performed a multitude of functions across the organisation, from operational process management, to budgeting, mechanical engineering, and performance evaluation.
Firstly, a baseline separation of core role functions: roles have been separated into two categories, Operators and Support/Maintenance. The Operators group could include physical access to operational sites and control rooms; however, system access excludes the ability to modify device/system configurations. The Support/Maintenance group could also include physical access to operational sites, control rooms and data centres; however, this role category includes the ability to modify device/system configurations. The table presents the permissions allowing users to perform tasks at different levels of the ICS. As you can see, some roles enjoy quite a powerful set of permissions, essentially being almost a ROOT user of the ICS. These are certainly critical roles, and the credentials of those people need to be carefully protected.
Also, pay attention that malware can travel in the laptops of those users, effectively bypassing firewalls.
Based on Table I, one can begin to analyse the multicolored nodes to understand the challenges induced through previously unconsidered system-to-user relationships.
This is a very critical data addressing point, as overwriting the value at this location effectively blinds not only the controller but also the operator and the smart analytics.
At this point I want to point out the difference between data integrity and reliability. Integrity is a binary state: it is either true or false, and this property is more related to the IT world. In the OT world it is possible to ensure a high level of data reliability. For example, in this case, since there is an additional local monitor, overwriting the memory location does not automatically result in loss of view, or at least not in a complete loss of view. It might be the case that you can estimate the process state from some related process parameters; you can get them from the local monitor or perhaps grab them from the safety sensor.
Attacks and abuses of information technology systems do not generally rely on timing aspects. Of course, when exploiting race conditions or time-of-check to time-of-use vulnerabilities, or launching cross-site scripting attacks that rely on gaining access to session cookies before they expire, attackers must ensure that their attacks occur within tight time windows. However, in the case of cyber-physical systems, timing has a much more important role, because the state of a physical system changes continuously as the system evolves in time.
In ICS risk assessment, communication links are typically described in terms of protocol, IP address and port. If I look at it as an OT engineer, the first thing I care about is the time constant, meaning the speed of the control loop's reaction to a control command. All short-time-constant control loops and the communication links which carry their control commands ARE MORE CRITICAL than others, because if compromised the time to impact is short, in certain cases leaving no time to react.
Going further, we will explore the scoping of parameters that focus on time constants of system-to-system interactions and the associated data processing point criticality (time to negative impact), essentially aiding the formulation of device configuration requirements. This increased scope in "understanding the system" will provide yet more granularity, giving risk assessment and security control implementation highly detailed visibility of device requirements/objectives.
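To turn the time-constant argument into a ranking, an added example that is not from the talk: each loop is modelled as a first-order lag under a controller with integral action, and the time for the true process value to cross its safety limit under an assessed measurement bias becomes the link's time to impact. The loops, time constants and bias values are constructed assessment inputs, not measurements from any real plant.

```python
"""Added example (not from the deck): rank communication links by time to
impact, using the process time constant the talk singles out. A first-order
lag is assumed for each loop; the per-loop bias is a constructed worst-case
assessment input."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Loop:
    link: str           # communication link carrying this loop's measurement
    tau_s: float        # process time constant (s)
    setpoint: float
    limit: float        # safety limit, same units as the setpoint
    bias: float         # assessed worst-case measurement bias (measured - true)


def biased_steady_state(setpoint: float, bias: float) -> float:
    """A controller with integral action drives the *measured* value to the
    setpoint, so a measurement biased by +bias settles the true value at
    setpoint - bias."""
    return setpoint - bias


def time_to_cross(x0: float, x_ss: float, limit: float, tau: float) -> Optional[float]:
    """Time at which the trajectory x(t) = x_ss + (x0 - x_ss) * exp(-t / tau)
    crosses `limit`; None if it never reaches it."""
    if x0 == x_ss:
        return None
    ratio = (limit - x_ss) / (x0 - x_ss)
    if ratio <= 0 or ratio > 1:     # limit beyond the settling value, or behind x0
        return None
    return -tau * math.log(ratio)


def time_to_impact(loop: Loop) -> Optional[float]:
    """Seconds from the start of the integrity failure until the safety limit."""
    x_ss = biased_steady_state(loop.setpoint, loop.bias)
    return time_to_cross(loop.setpoint, x_ss, loop.limit, loop.tau_s)


def rank_links(loops) -> list:
    """Most critical link first (shortest time to impact); loops that never
    reach their limit under the assessed bias come last."""
    scored = [(loop.link, time_to_impact(loop)) for loop in loops]
    return sorted(scored, key=lambda s: (s[1] is None, s[1] or 0.0))


# Constructed loops for illustration.
LOOPS = [
    Loop("PLC-01 <-> TT-101 (reactor temperature)", tau_s=600.0, setpoint=80.0, limit=100.0, bias=-30.0),
    Loop("PLC-02 <-> PT-205 (header pressure)", tau_s=20.0, setpoint=5.0, limit=8.0, bias=-5.0),
    Loop("PLC-03 <-> LT-310 (tank level)", tau_s=1800.0, setpoint=50.0, limit=90.0, bias=-10.0),
]

if __name__ == "__main__":
    for link, t in rank_links(LOOPS):
        print(f"{link}: {'never reaches limit' if t is None else f'{t:.0f} s to impact'}")
```

The pressure link ranks first even though its bias is the smallest in absolute terms, which is the talk's point: criticality follows the time constant, not the protocol or address.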
Viewpoints confined to a local level provide insufficient granular visibility and clear comprehension of the given system, missing attack surfaces and the identification of not only IT vs. OT but also OT vs. OT challenges. The resulting effect is the formulation of incomplete risk assessments. This has the potential to lead towards the implementation of ineffective, even damaging, security controls.
Understanding the relationships between roles and devices, and where possible, roles and device specifics/configuration parameters, is required to develop risk mitigation strategies. T