This document discusses practical attacks on analog-to-digital converters (ADCs). It begins with an anecdote about compromising a programmable logic controller (PLC) and bypassing monitoring systems. It then covers different types of ADCs and their vulnerabilities. Examples are provided of proof-of-concept attacks injecting arbitrary waveform signals and altering the digital representation of analog signals. Various hardware is demonstrated for evaluating ADCs, including signal generators, function generators, and data acquisition systems. Mitigation techniques are proposed, such as implementing appropriate anti-aliasing filters and randomizing sampling frequencies.
QC Multi-rules are designed and used to minimise false rejections and maintain a high rate of error detection. There are six main rules used to determine if results from a run of patient samples should be accepted or rejected, based on the performance of control materials against the rule criteria. Different combinations can be applied depending on the number of controls in use, total allowable error and the instrument in use. The flow chart below is often used to determine if a run should be accepted or rejected.
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
Мы поговорим об общей проблеме валидации входных данных и качестве их обработки. Интерпретация входящих данных оказывает прямое влияние на решения, принимаемые в физической инфраструктуре: если какая-либо часть данных обрабатывается недостаточно аккуратно, это может повлиять на эффективность и безопасность процесса.
В этой беседе мы обсудим атаки на процесс обработки данных и природу концепции «never trust your inputs» в контексте информационно-физических систем (в общем смысле, то есть любых подобных систем). Для иллюстрации проблемы мы используем уязвимости аналого-цифровых преобразователей (АЦП), которые можно заставить выдавать поддельный цифровой сигнал с помощью изменения частоты и фазы входящего аналогового сигнала: ошибка масштабирования такого сигнала может вызывать целочисленное переполнение и дает возможность эксплуатировать уязвимости в логике PLC/встроенного ПО. Также мы покажем реальные примеры использования подобных уязвимостей и последствия этих нападений.
QC Multi-rules are designed and used to minimise false rejections and maintain a high rate of error detection. There are six main rules used to determine if results from a run of patient samples should be accepted or rejected, based on the performance of control materials against the rule criteria. Different combinations can be applied depending on the number of controls in use, total allowable error and the instrument in use. The flow chart below is often used to determine if a run should be accepted or rejected.
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
Мы поговорим об общей проблеме валидации входных данных и качестве их обработки. Интерпретация входящих данных оказывает прямое влияние на решения, принимаемые в физической инфраструктуре: если какая-либо часть данных обрабатывается недостаточно аккуратно, это может повлиять на эффективность и безопасность процесса.
В этой беседе мы обсудим атаки на процесс обработки данных и природу концепции «never trust your inputs» в контексте информационно-физических систем (в общем смысле, то есть любых подобных систем). Для иллюстрации проблемы мы используем уязвимости аналого-цифровых преобразователей (АЦП), которые можно заставить выдавать поддельный цифровой сигнал с помощью изменения частоты и фазы входящего аналогового сигнала: ошибка масштабирования такого сигнала может вызывать целочисленное переполнение и дает возможность эксплуатировать уязвимости в логике PLC/встроенного ПО. Также мы покажем реальные примеры использования подобных уязвимостей и последствия этих нападений.
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe FitzPatrick
Most dismiss power side channel attacks as difficult, expensive and unlikely, and are therefore out of scope for many security evaluations. Recent presentations have demonstrated how to get this cost down to a few hundred dollars using low-cost, high performance analog components alongside current high performance FPGAs.
By simplifying both the target hardware and the analysis, I aim to present a series of simple examples of timing and power analysis attacks on microcontroller hardware that require no advanced math and can be done in the comfort of your home for less than $20 in parts
Instrumentation: Test and Measurement Methods and Solutions - VE2013Analog Devices, Inc.
Tilt Measurement: Tilt measurement is fast becoming a fundamental analysis tool in many fields including automotive, industrial, and healthcare. Navigation, vehicle dynamic control, building sway indication, and motion detection systems all rely on this simple, cheap, and precise way of angle monitoring. MEMS accelerometers are better suited to inclination measurement than other methodologies. This session will address the challenges encountered when designing a dual-axis tilt sensor using a MEMS accelerometer including measurement resolution, signal conditioning, single- vs. dual-axis, angle computation, and calibration.
Impedance Measurement: The measurement of complex impedance is widely used across industrial, commercial, automotive, healthcare, and consumer markets, and can include applications such as proximity sensing, inductive transducers, metallurgy and corrosion detection, loudspeaker impedance, biomedical, virus detection, blood coagulation factor, and network impedance analysis. This session will cover the concepts, approaches, and challenges of performing complex impedance measurements and will present a system-level solution for impedance conversion.
Weigh Scale Measurement: Most common industrial weigh scale applications use a bridge-type load-cell sensor, with a voltage output that is directly proportional to the load weight placed on it. This session examines the basic parameters of a bridge-type load-cell sensor, such as the number of varying elements, impedance, excitation, sensitivity (mV/V), errors, and drift. It will also discuss the various components of the signal conditioning chain and present solutions with high dynamic range.
Boundary scan for support engineers and techniciansInterlatin
Boundary scan in one of the most important electronic tests in the actual automotive, medical and consumer electronic manufacturing. Keysight Technologies electronic test systems have the capability to do this test - systems such as i3070 and the x1149 which provides boundary scan in a box. This training focuses on this test used by support engineers and technicians.
Welcome to WIPAC Monthly the magazine brought to you by the LinkedIn Group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news to celebrate the 13 years since the group was created we have articles including
A case study of the used of Advanced Process Control at the Wastewater Treatment works at Lleida in Spain
A look back on an article on smart wastewater networks in order to see how the industry has measured up in the interim around the adoption of Digital Transformation in the Water Industry.
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdffxintegritypublishin
Advancements in technology unveil a myriad of electrical and electronic breakthroughs geared towards efficiently harnessing limited resources to meet human energy demands. The optimization of hybrid solar PV panels and pumped hydro energy supply systems plays a pivotal role in utilizing natural resources effectively. This initiative not only benefits humanity but also fosters environmental sustainability. The study investigated the design optimization of these hybrid systems, focusing on understanding solar radiation patterns, identifying geographical influences on solar radiation, formulating a mathematical model for system optimization, and determining the optimal configuration of PV panels and pumped hydro storage. Through a comparative analysis approach and eight weeks of data collection, the study addressed key research questions related to solar radiation patterns and optimal system design. The findings highlighted regions with heightened solar radiation levels, showcasing substantial potential for power generation and emphasizing the system's efficiency. Optimizing system design significantly boosted power generation, promoted renewable energy utilization, and enhanced energy storage capacity. The study underscored the benefits of optimizing hybrid solar PV panels and pumped hydro energy supply systems for sustainable energy usage. Optimizing the design of solar PV panels and pumped hydro energy supply systems as examined across diverse climatic conditions in a developing country, not only enhances power generation but also improves the integration of renewable energy sources and boosts energy storage capacities, particularly beneficial for less economically prosperous regions. Additionally, the study provides valuable insights for advancing energy research in economically viable areas. Recommendations included conducting site-specific assessments, utilizing advanced modeling tools, implementing regular maintenance protocols, and enhancing communication among system components.
More Related Content
Similar to Tools for Practical Attacks on Analog-to-Digital Conversion
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe FitzPatrick
Most dismiss power side channel attacks as difficult, expensive and unlikely, and are therefore out of scope for many security evaluations. Recent presentations have demonstrated how to get this cost down to a few hundred dollars using low-cost, high performance analog components alongside current high performance FPGAs.
By simplifying both the target hardware and the analysis, I aim to present a series of simple examples of timing and power analysis attacks on microcontroller hardware that require no advanced math and can be done in the comfort of your home for less than $20 in parts
Instrumentation: Test and Measurement Methods and Solutions - VE2013Analog Devices, Inc.
Tilt Measurement: Tilt measurement is fast becoming a fundamental analysis tool in many fields including automotive, industrial, and healthcare. Navigation, vehicle dynamic control, building sway indication, and motion detection systems all rely on this simple, cheap, and precise way of angle monitoring. MEMS accelerometers are better suited to inclination measurement than other methodologies. This session will address the challenges encountered when designing a dual-axis tilt sensor using a MEMS accelerometer including measurement resolution, signal conditioning, single- vs. dual-axis, angle computation, and calibration.
Impedance Measurement: The measurement of complex impedance is widely used across industrial, commercial, automotive, healthcare, and consumer markets, and can include applications such as proximity sensing, inductive transducers, metallurgy and corrosion detection, loudspeaker impedance, biomedical, virus detection, blood coagulation factor, and network impedance analysis. This session will cover the concepts, approaches, and challenges of performing complex impedance measurements and will present a system-level solution for impedance conversion.
Weigh Scale Measurement: Most common industrial weigh scale applications use a bridge-type load-cell sensor, with a voltage output that is directly proportional to the load weight placed on it. This session examines the basic parameters of a bridge-type load-cell sensor, such as the number of varying elements, impedance, excitation, sensitivity (mV/V), errors, and drift. It will also discuss the various components of the signal conditioning chain and present solutions with high dynamic range.
Boundary scan for support engineers and techniciansInterlatin
Boundary scan in one of the most important electronic tests in the actual automotive, medical and consumer electronic manufacturing. Keysight Technologies electronic test systems have the capability to do this test - systems such as i3070 and the x1149 which provides boundary scan in a box. This training focuses on this test used by support engineers and technicians.
Welcome to WIPAC Monthly the magazine brought to you by the LinkedIn Group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news to celebrate the 13 years since the group was created we have articles including
A case study of the used of Advanced Process Control at the Wastewater Treatment works at Lleida in Spain
A look back on an article on smart wastewater networks in order to see how the industry has measured up in the interim around the adoption of Digital Transformation in the Water Industry.
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdffxintegritypublishin
Advancements in technology unveil a myriad of electrical and electronic breakthroughs geared towards efficiently harnessing limited resources to meet human energy demands. The optimization of hybrid solar PV panels and pumped hydro energy supply systems plays a pivotal role in utilizing natural resources effectively. This initiative not only benefits humanity but also fosters environmental sustainability. The study investigated the design optimization of these hybrid systems, focusing on understanding solar radiation patterns, identifying geographical influences on solar radiation, formulating a mathematical model for system optimization, and determining the optimal configuration of PV panels and pumped hydro storage. Through a comparative analysis approach and eight weeks of data collection, the study addressed key research questions related to solar radiation patterns and optimal system design. The findings highlighted regions with heightened solar radiation levels, showcasing substantial potential for power generation and emphasizing the system's efficiency. Optimizing system design significantly boosted power generation, promoted renewable energy utilization, and enhanced energy storage capacity. The study underscored the benefits of optimizing hybrid solar PV panels and pumped hydro energy supply systems for sustainable energy usage. Optimizing the design of solar PV panels and pumped hydro energy supply systems as examined across diverse climatic conditions in a developing country, not only enhances power generation but also improves the integration of renewable energy sources and boosts energy storage capacities, particularly beneficial for less economically prosperous regions. Additionally, the study provides valuable insights for advancing energy research in economically viable areas. Recommendations included conducting site-specific assessments, utilizing advanced modeling tools, implementing regular maintenance protocols, and enhancing communication among system components.
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesChristina Lin
Traditionally, dealing with real-time data pipelines has involved significant overhead, even for straightforward tasks like data transformation or masking. However, in this talk, we’ll venture into the dynamic realm of WebAssembly (WASM) and discover how it can revolutionize the creation of stateless streaming pipelines within a Kafka (Redpanda) broker. These pipelines are adept at managing low-latency, high-data-volume scenarios.
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsVictor Morales
K8sGPT is a tool that analyzes and diagnoses Kubernetes clusters. This presentation was used to share the requirements and dependencies to deploy K8sGPT in a local environment.
Hierarchical Digital Twin of a Naval Power SystemKerry Sado
A hierarchical digital twin of a Naval DC power system has been developed and experimentally verified. Similar to other state-of-the-art digital twins, this technology creates a digital replica of the physical system executed in real-time or faster, which can modify hardware controls. However, its advantage stems from distributing computational efforts by utilizing a hierarchical structure composed of lower-level digital twin blocks and a higher-level system digital twin. Each digital twin block is associated with a physical subsystem of the hardware and communicates with a singular system digital twin, which creates a system-level response. By extracting information from each level of the hierarchy, power system controls of the hardware were reconfigured autonomously. This hierarchical digital twin development offers several advantages over other digital twins, particularly in the field of naval power systems. The hierarchical structure allows for greater computational efficiency and scalability while the ability to autonomously reconfigure hardware controls offers increased flexibility and responsiveness. The hierarchical decomposition and models utilized were well aligned with the physical twin, as indicated by the maximum deviations between the developed digital twin hierarchy and the hardware.
Saudi Arabia stands as a titan in the global energy landscape, renowned for its abundant oil and gas resources. It's the largest exporter of petroleum and holds some of the world's most significant reserves. Let's delve into the top 10 oil and gas projects shaping Saudi Arabia's energy future in 2024.
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...ssuser7dcef0
Power plants release a large amount of water vapor into the
atmosphere through the stack. The flue gas can be a potential
source for obtaining much needed cooling water for a power
plant. If a power plant could recover and reuse a portion of this
moisture, it could reduce its total cooling water intake
requirement. One of the most practical way to recover water
from flue gas is to use a condensing heat exchanger. The power
plant could also recover latent heat due to condensation as well
as sensible heat due to lowering the flue gas exit temperature.
Additionally, harmful acids released from the stack can be
reduced in a condensing heat exchanger by acid condensation. reduced in a condensing heat exchanger by acid condensation.
Condensation of vapors in flue gas is a complicated
phenomenon since heat and mass transfer of water vapor and
various acids simultaneously occur in the presence of noncondensable
gases such as nitrogen and oxygen. Design of a
condenser depends on the knowledge and understanding of the
heat and mass transfer processes. A computer program for
numerical simulations of water (H2O) and sulfuric acid (H2SO4)
condensation in a flue gas condensing heat exchanger was
developed using MATLAB. Governing equations based on
mass and energy balances for the system were derived to
predict variables such as flue gas exit temperature, cooling
water outlet temperature, mole fraction and condensation rates
of water and sulfuric acid vapors. The equations were solved
using an iterative solution technique with calculations of heat
and mass transfer coefficients and physical properties.
6th International Conference on Machine Learning & Applications (CMLA 2024)ClaraZara1
6th International Conference on Machine Learning & Applications (CMLA 2024) will provide an excellent international forum for sharing knowledge and results in theory, methodology and applications of on Machine Learning & Applications.
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...Amil Baba Dawood bangali
Contact with Dawood Bhai Just call on +92322-6382012 and we'll help you. We'll solve all your problems within 12 to 24 hours and with 101% guarantee and with astrology systematic. If you want to take any personal or professional advice then also you can call us on +92322-6382012 , ONLINE LOVE PROBLEM & Other all types of Daily Life Problem's.Then CALL or WHATSAPP us on +92322-6382012 and Get all these problems solutions here by Amil Baba DAWOOD BANGALI
#vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore#blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #blackmagicforlove #blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #Amilbabainuk #amilbabainspain #amilbabaindubai #Amilbabainnorway #amilbabainkrachi #amilbabainlahore #amilbabaingujranwalan #amilbabainislamabad
Forklift Classes Overview by Intella PartsIntella Parts
Discover the different forklift classes and their specific applications. Learn how to choose the right forklift for your needs to ensure safety, efficiency, and compliance in your operations.
For more technical information, visit our website https://intellaparts.com
Student information management system project report ii.pdfKamal Acharya
Our project explains about the student management. This project mainly explains the various actions related to student details. This project shows some ease in adding, editing and deleting the student details. It also provides a less time consuming process for viewing, adding, editing and deleting the marks of the students.
Student information management system project report ii.pdf
Tools for Practical Attacks on Analog-to-Digital Conversion
1. Tools for Practical Attacks on
Analog-to-Digital Conversion
Alexander ‘dark_k3y’ Bolshev
With a help from:
Marina Krotofil
Gabriel Gonzalez
Andrey Dolgikh
2. ; CAT /DEV/USER
Alexander ‘dark_k3y’ Bolshev
Ph.D., security consultant @ IOActive Madrid
HW Lab
Distributed systems researcher
“the more complex & strange is the system ->
the better”
3. Important Disclaimer
The whole presentation is mostly discussed on the first lections of
‘Control theory’ and ‘Digital Signal Processing’ university courses, so in
fact it won’t be about something new.
5. Dialog with (some) ICS engineer during
pentest
Me: You have …vulns……vulns……vulns… and as a result I could
compromise your PLC!
Engineer: You will achieve nothing with it, because my monitoring
system will stop you when the analog signal that is generated by this
PLC will be out of 10% range. After it, backup PLC will be launched in a
very short time
Me: Okay... (went away crying)
(some time passed)
Me: But I will be back!
7. Correct interpretation of data is important, because embedded and
industrial control systems uses analog inputs to create the picture of
controlled system’s state.
ICS field level
Actuators
Control
system
Sensors
Measure
process state
Computes control
commands for
actuators
Adjust themselves
to influence
process behavior
Physical Process
ADCDAC
8. Consider the following architecture
Analog control
loop
Control PLC
Actuator
Monitoring PLC/
Logger/DAQ/Safety PLC
HMI
Attacker
9. Consider the following architecture
Analog control
loop
Control PLC
Actuator
Monitoring PLC/
Logger/DAQ/Safety PLC
HMI
0V (actuator is OFF)
MV – Manipulated Variable
What if MV value on actuator will be
different from MV value on logger?
1.5V (actuator is ON)
Attacker
10. Proof-of-Concept demo from the past
“HMI Panel”
“Control PLC”
(arduino)
“Actuator”
(motor)
“Monitoring
PLC”
(S7 1200)
See v1_motor_arduino_vs_plcadc.m4v video
11. How is it possible at all? MV
is represented by analog
signal!
Because we’re talking not about altering the analog signal,
but about altering its digital representation (conversion).
13. • A device that converts a continuous physical quantity (usually voltage)
to a digital number that represents the quantity's amplitude.[3]
• An ADC is defined by its bandwidth (the range of frequencies it can
measure) and its signal to noise ratio (how accurately it can measure a
signal relative to the noise it introduces).
• Bandwidth of an ADC is characterized primarily by its sampling rate,
and to a lesser extent by how it handles errors such as aliasing.
What is ADC?
ADC
Input
Signal
Reference
Digital
Representation
14. Types of ADCs
There are many types of ADCs, the most common are three:
• Successive-approximation ADC (SAR)
• Sigma-delta ADC
• Pipeline (usually based on flash)
15. Aliasing
• Sampling frequency should follow Nyquist rule ( fs > 2f )
• Otherwise the signal will appear of false (alias) frequency
16. Anti-aliasing filters: “input validation” in ADC
world
• Anti-aliasing filter (AAF) is a filter that is used before sampling device (e.g.
ADC) to attenuate the power of signal in high frequency ranges for
approximate or complete satisfying the sampling theorem (fs > 2f)
• As a representative of low-pass filters (LPF) family, AAF could be characterized
by cut-off frequency (fc) and stop-band frequency (fsb)
[4]
17. Attacks against ADCs
• Frequency and phase:
• Arbitrary Waveform signal, i.e. signal with waveform that
could be somehow misinterpreted by ADC. (see ep.1)
• High-Frequency function signal, i.e. generating sine wave
with kHz or MHz frequency that could somehow be
misinterpreted by ADC.
• OverSampling attack against SAR (see ep.1)
• Special-frequency attack against ΔΣ (see ep. 2)
• Amplitude (out-of-voltage-range signal) (see ep.1)
24. AWG signal against “lazy-call” ADC
Val = readADC();
Sleep(Timeout); /* or doSmth(Timeout) */
Output(Val);
25. But this is just Arduino, not real controller!
Ok, let’s try without Arduino…
26. Ok, let’s try something more real…
SIMATIC S7-1200, ANALOG OUTPUT SB 1232,
1 AO, +/- 10VDC (12 BIT RES.) OR 0 - 20 MA
(11 BIT RES)
Problem: no public information on real SPS for these module…
33. ΔΣ Modulation
• Delta-sigma (ΔΣ; or sigma-delta, ΣΔ) modulation is a method for encoding
analog signals into digital signals as found in an ADC. [7]
• In Δ-modulation the change in the signal (its delta) is encoded, rather than the
absolute value. The result is a stream of pulses. In ΔΣ-modulation, the
accuracy of the modulation is improved by passing the digital output through a
1-bit DAC and adding (sigma) the resulting analog signal to the input signal,
thereby reducing the error introduced by the Δ-modulation. [7]
34. Delta-sigma ADC
• ΔΣ ADCs are based on ΔΣ-modulation and consist of two parts: analog
and digital:
• analog part generates a very high-frequency bitstream;
• digital part creates the real number output by filtering it with digital
filter and decimating it to the output samples per second value.
ΔΣ
Modulator
Digital
Low-Pass
filter
Decimation
Filter
Analog input 1-bit stream N-bit stream Output data
0 1 1 0 0 3.3 3.4 3.4 3.4 2.7 2.2 …
Digital partAnalog part
37. Demo: The mystery of the
ΔΣ AD7706 ADC…
See v3_mystery_sdadc1.mp4 video
38.
39. Possible explanation from the datasheet?
• Expecting to have some noise
there than, but possibly not the
clear sin signal
• It explains just partly, and we
need some good hypothesis for
all these things.
In our case fCLKIN = 2.00MHz,
so fs = 31250
41. USB UART
Atmega328
AD7706 & Vref
Signal
generator
Demo: The second mystery
of the ΔΣ AD7706 ADC…
See v4_mystery_various_signals.mov video
42. Hypothesis and frustrations
• Digital filter corner frequency/noise?
• No, sinus too clear for it
• sinc3 filter implemented in MCU and has integer overflow?
• ”Artificial gain” (No PGA), but just multiplication on digital output?
• That’s wrong according to chip decap image.
43. • Dynamic compression?
• Overflow in logic circuit?
• Pole-zero cancelation in filter?
Still mystery
44. 31.25kHz looks too much for a successful
attack
DAC with s/r up to 100kHz
46. Ok, I got it, but what else I could use for
attack?
Line coupling circuit
(usually OpAmp/Transformer)
Signal/Function Generator
Two most common industrial analog line loops:
• Voltage (0-10V, 0-24(28)V, 0-48V
• Current (0-20mA)
Aka ADC research kit for Joseph FitzPatrick
47. Voltage
Signal/Function Generator:
-> Si5351 + any MCU via I2C
Coupling circuit:
Buffer RtR OpAmp + H-V OpAmp
Gain = 1 + (R2/R1)
TI OPA551/OPA552
Fairchild LM358N
Buffering requirement depends on signal source
48. Current (0-20mA) -> Cypress PSoC
http://www.planetanalog.com/author.asp?section_id=3066&doc_id=563262
CY8CKIT-049-42XX
~<10EUR
MAX15006
Any suitable
and cheap
transistor for
such current
51. Ok, let’s look at real device with behavior like ΔΣ ADC:
Allen-Bradley 1794AENT + 1794-IE4XOE2 Flex I/O
+
Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
52. Very weird results for real industrial PLC: 1 -> 24Hz
Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
58. Flex I/O vs. PowerFlex
Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
59. Do we have at least one “normal” ΔΣ ADC?!
Yes, e.g. MAX11205
• Sinc4 filter with no visible
mistakes + postfiltering(?)
• Looks very reliable
Postfiltering?
63. Mitigations
• As hardware developers/vendors:
• Implement correct AA-filters in accordance to REAL characteristics of your
ADC (read latest/hidden datasheets, test you ADC manually)
• Remember: digital filters won’t help
• As software developers (incl. firmware and PLC program
development):
• Introduce sampling frequency randomization in software that works with ADC
• Avoid “sleepy” code
• As engineer:
• Implement same AA-filters all over your analog network in accordance with
your OT process
68. 2Vendor: also remember: digital filter won’t
help
• The signal is already ”compromised” by ”ADC features”, so any digital
filtering after ADC won’t help you.
• If you want full control, install ΔΣ modulator and implement digital
part of ΔΣ-ADC manually in FPGA
Analog
signal
Digital
representation
1-bit
stream
69. Developer: introduce sampling frequency
randomization
• Certain randomness in sampling frequency will make attacker’s job
much harder
• Many of the discussed attacks will be much more challenging to execute
• Small variation of 𝒇 𝑠 won’t degrade signal understanding process. On
the contrary, it will produce a signal sample of better quality.
𝒇 𝑠 = 𝑓 + rand(△)
Time
V
0
http://www.sixsigma4service.com/evaluation-considerations-for-data-sampling.html
70. Developer: Avoid sleepy code
Avoid writing/using the following code (if you don’t
completely understand your process):
Val = readADC();
Output(Val);
Sleep(Timeout);
71. • When adding LPF into an individual device, make sure that all
related devices have the same cut-off frequencies
• E.g. if PLC input is buffered with LPF 𝒇 𝒄 = 𝟏𝒌𝑯𝒛 and actuator equipped with
LPF with 𝒇 𝒄 = 𝟓𝒌𝑯𝒛, the attack not only possible, but the probability of
success increases!
Engineer: Use SAME AA-filters across all
analog line
Control PLC
𝒇 𝒄 = 𝟏𝒌𝑯𝒛
𝒇 𝒄 = 𝟓𝒌𝑯𝒛
Monitoring PLC
72. Thanksgiving service
• Marina Krotofil for being a co-researcher in ep. 1 and many bright
ideas
• Andrey ‘@c4f3t13r3’ Dolgikh from Binghamton University, for
information on Allen Bradley PLC behavior vs. different frequencies.
• Guys from IOA hw lab (especially Gabriel, Ruben and Alfredo) for
help and support
• Fedor Savelyev for ideas and help with DSP (digital signal processing)
analysis
• Dmitry Nedospasov for many useful advices