*All pictures are taken from Dr StrangeLove movie and other Internets
Sergey Sidorov
• Group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity Of Essence
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Roman Polushin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Sidorov
Sergey Scherbel
Timur Yunusov
Valentin Shilnenkov
Vladimir Kochetkov
Vyacheslav Egoshin
Yuri Goltsev
Yuriy Dyachenko
Please note, that this talk is by SCADA StrangeLove team. We don’t speak for our employers. All the opinions and information here are of our responsibility (actually no one ever saw this talk before). So, mistakes and bad jokes are all OUR responsibilities.
[Chart: train speeds of 320, 300, 210 and 160 km/h]
L0 Series
Max speed: 603 km/h
Transrapid
Max speed: 550 km/h
Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS
• Train Security (by Jakob Lyng Petersen)
  • Trains must not collide
  • Trains must not derail
  • Trains must not hit a person working on the tracks
  • Sadly, animals can’t handle the interview
• Operating rules
  • Italy, Regolamento Segnali
  • UK, GE/RT8000 Rule Book
  • North America, GCOR and others
  • Russia, Rules of technical exploitation
Santiago de Compostela derailment
• The accident occurred at the site of the transition from the ETCS L1 system to the ASFA system (continuous train control system without speed control)
• In this mode, observance of the speed is carried out by the machinist
Wenzhou train collision
• A lightning strike led to failure of the train protection system (first train stopped)
• A blown I/O fuse led to a wrong-side failure
• Human factor: long-term coordination of further actions
https://en.wikipedia.org/wiki/File:Clear_track_circuit.svg
https://en.wikipedia.org/wiki/File:Occupied_track_circuit.svg
Static speed profile
Speed control curve
Fictitious stopping point
Preset speed
Permission for
movement limit
BKW – change of section identification
LZB system:
 Lineside computer
 Train computer
March 2016
86.000 km
• European Railway Traffic Management System
  • European Train Control System (ETCS)
  • GSM-R
• ETCS (L1, L2, L3)
  • Locomotives
  • Ground devices (Radio Block Center, Lineside Electronic Units, Balises, Base-Station Subsystem, Base Transceiver Station)
• GSM-R
ETCS level 1
ETCS level 2
ETCS level 3
The train's signalling, control and train protection systems include a Transmission Voie-Machine (TVM) signalling system, Controle de Vitesse par Balises (KVB) train protection system, Transmission Beacon Locomotive (TBL) train protection system, Runback Protection System (RPS), European Train Control System (ETCS), Automatic train protection (ATP) system, Reactor Protection System (RPS) and train control system.
http://www.railway-technology.com/projects/eurostar-e320-high-speed-train/
KVB - a train protection system used in France
MEMOR - Belgian railway signaling
TVM - in-cab signaling originally deployed in France
TBL - train protection system used in Belgium
RPS - Runback Protection
ATP - Great Britain implementations of a train protection system
ETCS - European Train Control System
Reactor Protection System (RPS)
Train!
• TCN (Train Communication Network)
  • WTB + MVB
  • ETB in future - Ethernet Train Backbone (IEC 61375-2-5)
• WTB (Wire Train Bus)
  • Each coach, loco
• MVB (Multifunction Vehicle Bus)
  • Links WTBs
  • MVB ~= FlexRay
  • CANopen
  • etc.
http://uic.org/cdrom/2006/wcrr2006/pdf/292.pdf
“Abusing the Train Communication Network or What could have derailed the Northeast Regional #188?” by Moshe Zioni
• no authentication
• traffic is not encrypted
http://cordis.europa.eu/pub/telematics/docs/tap_transport/rosin_d1.3.pdf
The same?
• no authentication
• traffic is not encrypted
• MVB + MVB + ... = WTB (Train)
• Elections by largest number of nodes
  • Set LocStr to 256
  • If equal, first Detect_Request wins
IEC61375
• Loco’s internals
  • Traction control
  • Braking system
  • Cab signaling
  • Train protection system
  • Passenger Information and Entertainment
• Software is not available in public
  • True for all railroad software
  • Btw, hardware available in public, but as a part of Public Transportation System
 SIBAS 32
 Eurostar e320 high-speed trains
 class 120.1 locomotive of German Rail
 S 252 of Spanish National Railways (RENFE)
 LE 5600 of Portuguese Railways (CP)
 EG 3100 in Sweden, Germany and Denmark
 Velaro
 class 182 2nd gene EuroSprinter
 SIBAS PN
 New DB ICE trains
 SIBAS 32 updates to SIBAS PN
 Proprietary SIBAS OS on VxWorks + WinAC RTX
 WTB (Wire Train Bus) to ETB (Ethernet Train Bus)
 And PROFINET
 Goodbye weird executable formats and IS. Hello
ELF/PE and x86/ppc
 S7 controllers to PC-based controllers with WinAC RTX
software
 “configured and programmed with STEP 7 in exactly the same
way as a normal S7 controller”
 SIBAS 32 updates to SIBAS PN
 Proprietary SIBAS OS to VxWorks + WinAC RTX
 WTB (Wire Train Bus) to ETB (Ethernet Train Bus)
 And PROFINET
 Goodbye weird executable formats and IS. Hello
ELF/PE and x86/ppc
 S7 controllers to PC-based controllers with WinAC RTX
software
 “configured and programmed with STEP 7 in exactly the same
way as a normal S7 controller”
 Hardcodes
 No, they are for the authentication
 Known protocols
 XML over HTTP, S7
 Secure network facing services
 Self-written web server
 Self-written xml parser
 Heavily based on WinCC code
 2012-2015: 41 vuln
 Runs on Windows x86
 Vulnerabilities?
 Probably
How to access PC-based controllers (WinAC RTX)?
 We don’t know
 We don’t want to know
 We will never know
 Yet to not know
 Yet to don’t know
 Not yet to know
 Driver Information Systems
 Track profile, loco speed and location
(non-military GPS, GLONASS)
 Interfaces
 Server infrastructure for processing
 External data feed
 CAN to acquire data in loco
 On the bus with whole train
 Mobile operator to push data to the server
 Data plan on Customer SIM card detected
 Why build additional channels for other
systems?
 Gateways
 Diagnostic
 Diagnostic of diagnostic
 Services
 Web, telnet, ftp, etc.
 Proprietary service to rule
them all
 Interfaces
 GSM-R
 And more when GSM-R is
too slow
 At least no Wi-Fi, right?
Google for Airlink (c)
http://www.hollysys.com.sg/media/com_download/3.%20HollySys-HighSpeed.pdf
32C3: Sergey Gordeychik, Gleb Gritsai, Aleksandr Timorin: “The Great Train Cyber Robbery”
RLC
circuit
Notation in a chart
RDA-RT - Remote Data Access Train Router
MSC - Mobile Switching Center
RBC - Radio Block Center
YW - Yardmaster’s workstation
IG - Integration gateway
TCC - Train Control Center
CTC - Centralized traffic control
CBI - Computer-based interlocking
28C3: Stefan Katzenbeisser: Can trains be hacked?
• Multiple trains make use of the same KMAC for a long time
• Using weak random number generators during the KSMAC derivation
In areas where the European Train Control System (ETCS) Level 2 or 3 is used, the train maintains a circuit switched digital modem connection to the train control centre at all times. … If the modem connection is lost, the train will automatically stop.
moving "really fast and passed three stations without stopping" …
"due to a fault on the train's antenna that ensures trains stop accurately at each station"...
"The train was hence not able to pick up the signal to stop at the next three stations" …
http://www.era.europa.eu/Document-Register/Documents/P38T9001%204.2%20FFFIS%20for%20GSM-R%20SIM-CARD.pdf
― Remote data recovery (Kc, TIMSI)
• Channel decryption (including A5/3)
• «Clone» the SIM and mobile station
― SIM “malware”
― Block SIM via PIN/PUK brute
― Extended OTA features (FOTA)
Karsten Nohl, https://srlabs.de/rooting-sim-cards/
Alexander Zaitsev, Sergey Gordeychik , Alexey Osipov, PacSec, Tokyo, Japan, 2014
Attack host
Control
Control
Attack the ATC
… not exactly
https://railway-news.com/global-cyber-attack-hits-deutsche-bahn/
https://www.hackread.com/russian-postal-service-hit-by-wannacry-ransomware/
Attacking
System
Train Control
System
Defending
System
Intellectual Technologies on Transport No 1
*All pictures are taken from google and other Internets
…We explore... and you call us criminals. We seek
after knowledge... and you call us criminals. We exist
without skin color, without nationality, without
religious bias... and you call us criminals. You build
atomic bombs, you wage wars, you murder, cheat,
and lie to us and try to make us believe it's for our
own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity…

UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 

Recently uploaded (20)

Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 

The Great Train Robbery: Fast and Furious

  • 2. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence: Alexander Timorin, Alexander Tlyapov, Alexander Zaitsev, Alexey Osipov, Andrey Medov, Artem Chaykin, Denis Baranov, Dmitry Efanov, Dmitry Nagibin, Dmitry Serebryannikov, Dmitry Sklyarov, Evgeny Ermakov, Gleb Gritsai, Ilya Karpov, Ivan Poliyanchuk, Kirill Nesterov, Roman Ilin, Roman Polushin, Sergey Bobrov, Sergey Drozdov, Sergey Gordeychik, Sergey Sidorov, Sergey Scherbel, Timur Yunusov, Valentin Shilnenkov, Vladimir Kochetkov, Vyacheslav Egoshin, Yuri Goltsev, Yuriy Dyachenko
  • 3. Please note, that this talk is by SCADA StrangeLove team. We don’t speak for our employers. All the opinions and information here are of our responsibility (actually no one ever saw this talk before). So, mistakes and bad jokes are all OUR responsibilities.
  • 5. L0 Series, max speed: 603 km/h. Transrapid, max speed: 550 km/h.
  • 6. Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS
  • 7. Train Security (by Jakob Lyng Petersen)
      - Trains must not collide
      - Trains must not derail
      - Trains must not hit a person working on the tracks
      - Sadly, animals can’t handle the interview
      - Operating rules
      - Italy, Regolamento Segnali
      - UK, GE/RT8000 Rule Book
      - North America, GCOR and others
      - Russia, Rules of technical exploitation
  • 9. Santiago de Compostela derailment
      - The accident occurred at the point of transition from the ETCS L1 system to the ASFA system (continuous train control system without speed control)
      - In this mode, observance of the speed is the responsibility of the train driver
  • 10. Wenzhou train collision
      - Lightning strike led to failure of the train protection system (first train stopped)
      - Blown I/O fuse led to wrong-side failure
      - Human factor: long-term coordination of further actions
  • 13. Chart labels: static speed profile; speed control curve; fictitious stopping point; preset speed; permission for movement limit; BKW – change of section identification. LZB system: lineside computer; train computer.
  • 17. March 2016: 86.000 km
      - European Railway Traffic Management System
      - European Train Control System (ETCS)
      - GSM-R
  • 18.
      - ETCS (L1, L2, L3)
      - Locomotives
      - Ground devices (Radio Block Center, Lineside Electronic Units, Balises, Base-Station Subsystem, Base Transceiver Station)
      - GSM-R
  • 22. The train's signalling, control and train protection systems include a Transmission Voie-Machine (TVM) signalling system, Controle de Vitesse par Balises (KVB) train protection system, Transmission Beacon Locomotive (TBL) train protection system, Runback Protection System (RPS), European Train Control System (ETCS), Automatic train protection (ATP) system, Reactor Protection System (RPS) and train control system. http://www.railway-technology.com/projects/eurostar-e320-high-speed-train/
      - KVB - a train protection system used in France
      - MEMOR - Belgian railway signaling
      - TVM - in-cab signaling originally deployed in France
      - TBL - train protection system used in Belgium
      - RPS - Runback Protection
      - ATP - Great Britain implementations of a train protection system
      - ETCS - European Train Control System
  • 23. Same quote and glossary as slide 22, followed by the callout: Reactor Protection System (RPS) Train!
  • 24. TCN (Train Communication Network)
      - WTB + MVB
      - ETB in future - Ethernet Train Backbone (IEC 61375-2-5)
      - WTB (Wire Train Bus)
      - Each coach, loco
      - MVB (Multifunction Vehicle Bus)
      - Links WTBs
      - MVB ~= FlexRay
      - CANopen
      - etc.
  • 34. “Abusing the Train Communication Network or What could have derailed the Northeast Regional #188?” by Moshe Zioni
      - no authentication
      - traffic is not encrypted
  • 37.
      - MVB + MVB + ... = WTB (Train)
      - Elections by largest number of nodes
      - Set LocStr to 256
      - If equal, first Detect_Request wins
      IEC 61375
  • 38.
      - Loco’s internals
      - Traction control
      - Braking system
      - Cab signaling
      - Train protection system
      - Passenger Information and Entertainment
      - Software is not publicly available
      - True for all railroad software
      - Btw, hardware is publicly available, but as a part of the Public Transportation System
  • 39.
      - SIBAS 32
      - Eurostar e320 high-speed trains
      - class 120.1 locomotive of German Rail
      - S 252 of Spanish National Railways (RENFE)
      - LE 5600 of Portuguese Railways (CP)
      - EG 3100 in Sweden, Germany and Denmark
      - Velaro
      - class 182, 2nd generation EuroSprinter
      - SIBAS PN
      - New DB ICE trains
  • 40. SIBAS 32 updates to SIBAS PN
      - Proprietary SIBAS OS on VxWorks + WinAC RTX
      - WTB (Wire Train Bus) to ETB (Ethernet Train Bus)
      - And PROFINET
      - Goodbye weird executable formats and IS. Hello ELF/PE and x86/ppc
      - S7 controllers to PC-based controllers with WinAC RTX software
      - “configured and programmed with STEP 7 in exactly the same way as a normal S7 controller”
  • 41. Same as slide 40, except that the SIBAS OS item reads: Proprietary SIBAS OS to VxWorks + WinAC RTX
  • 42.
      - Hardcodes
      - No, they are for the authentication
      - Known protocols
      - XML over HTTP, S7
      - Secure network facing services
      - Self-written web server
      - Self-written XML parser
      - Heavily based on WinCC code
      - 2012-2015: 41 vulnerabilities
      - Runs on Windows x86
      - Vulnerabilities?
      - Probably
  • 43. How to access PC-based controllers (WinAC RTX)?
      - We don’t know
      - We don’t want to know
      - We will never know
      - Yet to not know
      - Yet to don’t know
      - Not yet to know
  • 44.
      - Driver Information Systems
      - Track profile, loco speed and location (non-military GPS, GLONASS)
      - Interfaces
      - Server infrastructure for processing
      - External data feed
      - CAN to acquire data in loco
      - On the bus with whole train
      - Mobile operator to push data to the server
      - Data plan on Customer SIM card detected
      - Why build additional channels for other systems?
  • 45.
      - Gateways
      - Diagnostic
      - Diagnostic of diagnostic
      - Services
      - Web, telnet, ftp, etc.
      - Proprietary service to rule them all
      - Interfaces
      - GSM-R
      - And more when GSM-R is too slow
      - At least no Wi-Fi, right?
  • 50. 32C3: Sergey Gordeychik, Gleb Gritsai, Aleksandr Timorin: “The Great Train Cyber Robbery”
  • 56. Notation in a chart
      - RDA-RT: Remote Data Access Train Router
      - MSC: Mobile Switching Center
      - RBC: Radio Block Center
      - YW: Yardmaster’s workstation
      - IG: Integration gateway
      - TCC: Train Control Center
      - CTC: Centralized traffic control
      - CBI: Computer-based interlocking
  • 63. 28C3: Stefan Katzenbeisser: Can trains be hacked?
      - Multiple trains make use of the same KMAC for a long time
      - Using weak random number generators during the KSMAC derivation
  • 64. In areas where the European Train Control System (ETCS) Level 2 or 3 is used, the train maintains a circuit switched digital modem connection to the train control centre at all times. … If the modem connection is lost, the train will automatically stop.
  • 65. moving "really fast and passed three stations without stopping" … "due to a fault on the train's antenna that ensures trains stop accurately at each station" … "The train was hence not able to pick up the signal to stop at the next three stations" …
  • 68.
      - Remote data recovery (Kc, TMSI)
          - Channel decryption (including A5/3)
          - «Clone» the SIM and mobile station
      - SIM “malware”
      - Block SIM via PIN/PUK brute force
      - Extended OTA features (FOTA)
      Karsten Nohl, https://srlabs.de/rooting-sim-cards/
      Alexander Zaitsev, Sergey Gordeychik, Alexey Osipov, PacSec, Tokyo, Japan, 2014
  • 87. *All pictures are taken from google and other Internets. Alexander Timorin, Alexander Tlyapov, Alexander Zaitsev, Alexey Osipov, Andrey Medov, Artem Chaykin, Denis Baranov, Dmitry Efanov, Dmitry Nagibin, Dmitry Serebryannikov, Dmitry Sklyarov, Evgeny Ermakov, Gleb Gritsai, Ilya Karpov, Ivan Poliyanchuk, Kirill Nesterov, Roman Ilin, Sergey Bobrov, Sergey Drozdov, Sergey Gordeychik, Sergey Scherbel, Sergey Sidorov, Timur Yunusov, Valentin Shilnenkov, Vladimir Kochetkov, Vyacheslav Egoshin, Yuri Goltsev, Yuriy Dyachenko
  • 90. …We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity…