36C3 Preroll music

Herald: One of the obvious critical infrastructures we have nowadays is power generation. If there is no power, we're pretty much screwed. Our next speakers will take a very close look at common industrial control systems used in power turbines and their shortcomings. So please give a warm round of applause to repdet, moradek and cOrs.

Applause

repdet: Good morning, Congress. Thank you for waking up in the morning. We will talk about the security of power plants today, specifically about the automation systems that are used in power plants. You might think that this is another talk about how insecure all the industrial things around us are, and more or less it is. For four years, we and our colleagues have been speaking about problems in industrial security. We are happy to say that things are getting better, but it's just that the tempo is a little bit different and feels a little bit uncomfortable, though. Anyway, we will speak about how power plants are built, what the automation inside is, what the vulnerabilities are, and a high-level overview of what you can do with this. But at first, a little bit of introduction. We are security consultants. We work with a lot of industrial things like PLCs, RTUs, SCADAs, DCSs, ICS, whatever it is; we have been doing this for too long.
We have been doing it for so long that we have a huge map of contacts with a lot of system integrators and vendors. And for some time now we are not just doing consultancy work for some asset owner, for example for a power plant; we also talk to other entities and we try to fix things altogether. We work at Kaspersky, and actually the whole research was done not just by me, Rado and Alexander, who are here, but also with the help of Eugenia and two Sergeys. Yep.

So a thing that is very important to note is that everything that we will discuss right now was reported to the respective vendor, basically a long time ago. You can see the vendors here, but more or less we will speak only about one vendor today. It is Siemens. But we would like you to understand that similar security issues can be found in all other industrial solutions from other vendors. You would find some of the findings, for example, that do not require weeks of work to find out. And this would be true specifically for all other vendors which are not mentioned in the talk. Jokes aside, we will share security issues of real power plants out there, and it might look like we are kind of irresponsible guys. But in fact, it is the other way around. I mean that to do some kind of research with these systems that are working in the power plants, you need to get access to them.
You need time to do this research. You need to have some knowledge to do this research, and all these resources are limited for guys like us, for penetration testers, for auditors, for power plant operators and engineers. But for the bad guys, like a potential attacker or adversaries, this is actually their job. They have a lot of investment to do some research. So we assume that the bad guys already know this, and we would just like to share some information with the good guys so they would be able to act upon this.

So let's go to the talk itself. Power plants are the most common way how humans get their power, their electricity; they are everywhere around us. And I believe the closest one to Leipzig is called the Lippendorf power station. During this research, when we were preparing the introduction, we were surprised how much information about power plants you can get from the Internet. It's not just, for example, a picture of the same power station on Google Maps. It is actually a very good scheme of what you can see in the marketing materials from vendors, because when they sell some system that automates power plant operations, they sometimes start with building construction.
And on their websites you can find the schematic pictures of actually which building does what and where you will find some equipment, which versions of equipment are used in these systems. But if you don't have this experience, you can just Google things and you will find out which systems are used for automation in power plants. For example, for Lippendorf it's a system called Siemens SPPA-T2000 and P3000, which actually has another Siemens system inside called Siemens SPPA-T/P3000. So it's a little bit confusing, and it is; we are still confused. This is exactly the system that we will focus on today: Siemens SPPA-T3000. And again, it could be any other automation system, but it just happened that we've seen this system more often than others.

There is a way how you can actually see older generation sites throughout the world, thanks to carbon monitoring communities. This is not just power plants; this is also nuclear sites, wind generation, solar plants, etc. They are all here, marked by the different fuel types of generation. For example, there are coal and gas power plants marked there. So the topic is really huge, and what we will focus on today in our talk is mostly the power plants which work on coal and gas, which is important to mention.
The heart of each power plant is actually a turbine. We don't have a picture of a turbine on the slides, but more or less, I think everybody saw one on an airplane. They are similar, specifically in terms of size and mostly in how they work. On different vendors' websites you can actually find a lot of information about where those turbines are used. This is, for example, the map of the turbines from Siemens. Not all turbines are used in power plants specifically; they have a lot of different applications like chemical plants, oil and gas, and a lot of other things. But if you correlate this with the information from the previous slides, you would be able to identify which systems are used by which power plant. And if you Google more information, you can actually tell the versions and the generations of the systems that are used on these power plants. This is important because of the vulnerabilities that we will discuss later on in the slides.

So before we speak about what the automation on power plants is, we should understand a little bit how they work. We will go from right to left, and it's very easy. A little notice: for the whole talk, we will simplify a lot of things for two reasons. One of them is to make it more suitable for the audience. And another thing: we don't really understand everything ourselves. So the first thing you should get is a fuel.
Fuel could be, for example, coal or gas. And you will just put this inside the combustion chamber, where you set it on fire, actually. And it will generate a lot of pressure which will go to the turbine. And because of the pressure, the turbine will begin to rotate. The turbine has a shaft which will drive the electricity generator, which obviously will generate electricity and put it on the power grid. So it is important from now on to understand that when we generate some electricity on the power plant, we put this power not just, for example, for this Congress center or for some city. We put it in a big thing called the power grid, where other entities will sell this electricity to different customers.

There is also a very interesting point: when we generate this pressure and the combustion chamber is on fire, we have a lot of excessive heat. And we have two options. One of them is to safely put it in the air; we have condensing towers. This is option number one. And another option is that we can do some form of recuperation. For example, we would take this heat, we will warm water, the water will produce steam, and we will put this steam into a steam turbine and produce additional electricity. This is kind of an optimization of some form. So what is the automation in this process?
The automation systems that are used on power plants are usually called distributed control systems, or DCSs. And everything that I just described is actually automated inside those systems. The vendor of the solution wants to simplify all things for the operator, because we don't want hundreds of people working on the power plant. We just want maybe dozens of people working there, and they want to simplify the whole process. They don't care about where they get this ???, gas or coal, or how much they need of it. They just should be able to stop the generation process and start it. And they control one main thing, which is how much power we should produce for the power grid, so how many megawatts of electricity we should produce. This describes the complexity hidden inside these solutions, because there are a lot of small things happening inside, and we will discuss it a little bit later. As I said, these DCSs are not exclusively used on power plants. There are a lot of other sites that would use the same solutions, the same software and hardware. The DCS is not just software that you can install. It's a set of hardware and software, various input/output modules, sensors, etc.
As I said, sometimes they start from building construction, like: there is a field, please build a super power station. So it's a more complex project most of the time. There are a lot of vendors that are doing it. As I said, we are focusing in this talk on the Siemens one.

Just a short description of how simplified things are for operators of this DCS software. So, for example, if we would like to answer the question how we would regulate the output in megawatts of our power plant, we would need to control basically three things. Again, we are oversimplifying here. This is an example for the gas turbine. First of all, we would need to regulate how much gas we put inside the combustion chamber, we would control the flame temperature, and we will control the thing that gets air inside the turbine. That's basically three things that are controlled by simple PLCs in the whole system. And you would be able, for example, to change 100 megawatts to 150 megawatts based on these settings.

So the system itself that we are going to discuss is called Siemens SPPA-T3000. And actually, again, like all other DCS systems from other vendors, this is a typical industrial system. It has all these things called PLCs, RTUs, HMIs, servers, OPC traffic, et cetera, et cetera.
The only thing that is different specifically for Siemens SPPA-T3000 is that they have two main things called the application server and the automation server. The software running on these servers is not what you will find on other installations. Despite the fact that, if you read the manuals for the systems from Siemens, there would be a lot of different networks and highways, and Siemens would state that there is no connection between the application network and external networks, in practice and in reality you will find things like a specific sensor network, monitoring vibration, foreign objects and noises inside the turbine. You will find a demilitarized zone, because all in all, all power plant operators won't have onsite maintenance guys, engineers. They would try to do remote support. They would need to install updates for the operating system, or for the signatures of their antiviruses. They would need to push some OPC traffic, so information about the generation process, outside, either to the corporate network or to some regulator, because the whole energy market is regulated, and there are different entities who would monitor the common electricity generation, or who basically will tell you how much electricity you should generate.
Because this common electricity is sold on the energy market. Basically, the whole talk is structured like this: we will speak first about the application server, then the automation server, and then some summary.

It all started with the process called Coordinated Vulnerability Disclosure. We notified Siemens about some issues almost a year ago, and about a month ago, at the beginning of December, Siemens published an advisory. It was not an advisory just for the issues from us; a lot of other teams also contributed to it. And this December doesn't mean that Siemens just released the patches. Since this system, SPPA-T3000, is exclusively supported, so the system integrator for the system is Siemens itself, throughout the year after we notified them about some security issues, they started to roll out patches and install updates on the critical infrastructure they support, and hopefully they did it for all the sensitive issues. There are a lot of things to discuss here that we will skip, because we are a little bit in a hurry. Things like: not all vulnerabilities are the same. We use, for example, CVSS here to talk about how critical a vulnerability is, but it's actually not very applicable to industrial sites. You should understand what you can do with each vulnerability, how you can impact the process, and we will skip this part.
There is actually kind of a threat model in the white paper that we will release later on, during January, we hope.

So, the application server. The application server is the main resource that you would find in the SPPA-T3000 network. If someone remotely connects to the system, it would end up in the application server. If someone wants to start the generation process or to change some values, it would be the application server. If there are other servers that would, for example, try to communicate with the application server, they will actually start their work by downloading their software from the application server and then executing it. So the first thing you might notice here is that there are a lot of network ports available on this machine. And actually, this is the first point: there is a huge attack surface for the adversary to choose whether or not he would like to compromise some Siemens software, or its Windows software, or some other third party. A huge attack surface, starting from the fact that all of the installations of this SPPA system are kind of different. So depending on the version and the generation, you can find different Windows versions from 2003 to 2016. Hopefully they are all updated right now, but the update process for such installations is a hard thing to do.
I mean, you should wait for maintenance, and it should be maybe once in a half year or once a year. You will always find some window where you can use some remotely exploitable vulnerabilities like EternalBlue or BlueKeep, mentioned on the slide. There are tons of different additional software like Cygwin that will allow you to do privilege escalation, badly configured Tomcats, and we have here these funny pie charts that show how the configuration of different software is aligned with the best practices from CIS benchmarks. Those are basically security configuration hardening guides. The most important thing in the application server is a lot of Java software, and in a minute repdet will tell you about this.

Surprise, surprise: one of the most notable problems in this Siemens SPPA-T3000 is actually passwords. There are three important ranges. The first of them is all the installations before 2014 and maybe 2015. All passwords for all the power stations were the same, and you can easily Google them. We've also published the full word list in the white paper. After these years, Siemens started to generate unique passwords for all power plants. But until this year, it was kind of hard to change these passwords. So you need to be aware of how to do this. You need to know the process.
You maybe need to contact your system integrator to do this. Starting from this December, it will be much easier, specifically, to change passwords. So it's in the past. Even if you knew you had these issues, you were not able to simply change all these things. Along with the passwords, you can find the full diagrams and the integrator documentation that can show you how the system is built, how it's operating, specific accounts, etc. Of course, this was not published by Siemens, but by some power plant operators who thought that it would be a good idea to share this information. So, as I said, the most important thing in the application server is a bunch of Java applications, and please welcome moradek, who will share the details about this.

Applause

moradek: Hi, everyone. Let's look at how this Java software works on the application server. The operator can communicate with the system through a Thin client and a Fat client. A Thin client acts as a Java applet inside the Internet Explorer browser and communicates with the server through HTTPS, so it can be outside of the application network and its communications can be constrained by a firewall. In the opposite case of the Fat client, software should be installed on the operator machine, and the client directly communicates with the RMI registry to find services.
And after that it directly communicates with these RMI services. So the Fat client should belong to the application network. The illustration of the whole architecture was kindly provided by SPPA through a URL. Not to be missed: it is divided into spaces. In the red zone there are the items that process requests from the Thin client and redirect them to RMI services. And in the green zones there are RMI services which act as network services on their own TCP ports. SPPA consists of containers; each container can encapsulate inside one or more RMI services. All types of containers are represented on the illustration, and all of them have self-explanatory names.

Before we go deep inside the internals of SPPA, let me introduce some tools which were used in this research. First of all, all JAR files inside SPPA are obfuscated with a commercial product. But this security measure can be easily bypassed by a publicly available deobfuscator. Also, sometimes it is useful to see how legitimate software communicates with the system. It helps to understand the architecture of the system and the workflow of clients. In the case of SPPA, an RMI dissector was written; it represents raw TCP streams in human-readable format. Inside, it uses the method readObject from the JDK. It is known that this method is unsafe (insecure deserialization), so be careful not to be exploited yourself through a remote pcap.

The first pillar of SPPA is the Apache web server.
According to its config, the folder of software configs can be accessed by an unauthorized user. In fact, this folder contains some sensitive information of the system. For example, files of the PCS system configuration, data models, and files inside etc contain startup options and configuration of all containers of either the application server or the automation server. Also, the configuration of Oracle and of the applications in Tomcat can be accessed using this vulnerability.

And about Tomcat: there are three web applications registered, remote diagnostic viewer, manager and Orion. According to the configuration of Tomcat and the Apache web server, I observed that the Orion service can be accessed through HTTPS, and in the file web.xml there is a list of all servlets of the Orion application, and the list is really huge. Some of these servlets have attractive names for an attacker, for example BrowseServlet. In fact, it allows an unauthorized user to list directories of the operating system. But in the case of exploitation another servlet is more attractive: FileUploadServlet. It allows file upload with system privileges, and you have full control over the name of the file. So this vulnerability can be easily transformed into remote code execution.
You can overwrite some startup scripts of SPPA or simply inject a shell into the application and get remote code execution with system rights. Also there are some servlets which contain ServiceFactory in their names. In fact, they redirect HTTP requests to RMI services. Inside, they parse the incoming HTTP request and search for the desired RMI service according to the parameter serviceURL, and further invoke a public method of the found service. The name of the method is defined in a serialized object in the data section of the HTTP request. The parameters of these calls are also defined in this object.

So now we have a situation where the Thin client and the Fat client can access RMI services, but in the case of the Fat client, it can also directly communicate with the RMI registry. So if the application server missed some important Java security updates, it contains an insecure deserialization vulnerability, and using the public tool ysoserial we can simply exploit it and get code execution with system rights again.

The next task will be to list all available RMI services on the SPPA system. At the first step, we simply use the class LocateRegistry from the Java SDK and get a big list of services. All but one are JMX RMI services; I assume that they provide some general interface for control and management of the containers of SPPA.
For the further investigation we only choose LookupService. In fact, this service looks like a collection of other RMI services: using its public method list we get the names of all available services, and using the name and the public method lookup we get a reference to an RMI service. All RMI services at this step implement the interface ServiceFactory. So, by analogy with this, we can assume that this is again a collection of other RMI services. But in fact it doesn't have a public method to get the names of the services. So we need to decompile the class and find some factory methods which create an RMI service, for example createAdminScript, and inside we can find the name of the created service. As can be guessed, it's AdminService. So using the public method getService with this name, we get the reference to the next-level RMI service, and at the final step we get the references to the RMI services which perform the real job of SPPA. But these RMI services also contain a lot of public methods available to an unauthorized user. So to sum up: we have the RMI registry, and at each level we find a lot of RMI services, and the last level also contains a lot of public methods. So the attack surface of the SPPA system is really huge. Now, when we have listed all available RMI services, the next question is how the authentication of client requests is performed in the system.
292 00:30:10,140 --> 00:30:15,750 To answer this question, let's look how client requests to security service 293 00:30:15,750 --> 00:30:22,190 are processed by the system. First of all, clients get the reference to security 294 00:30:22,190 --> 00:30:31,150 service using some client ID. Further PCServiceFactory tries to get valid 295 00:30:31,150 --> 00:30:38,350 session using this clientID in SessionManager. If SessionManager 296 00:30:38,350 --> 00:30:45,240 fails in this task, the exception will be thrown and client will fail. But if 297 00:30:45,240 --> 00:30:54,470 it succeeds, valid sessionID will be returned to PCSfactory. And further in its turn 298 00:30:54,470 --> 00:31:00,830 instance of SecurityService will be created in factory method, while the 299 00:31:00,830 --> 00:31:12,220 session Id will be stored in loginID inside SecurityService. And finally client will 300 00:31:12,220 --> 00:31:18,620 get the reference to Security Service. Further he can call some public method of 301 00:31:18,620 --> 00:31:28,600 it. But this method can perform privilege checks of user using loginId in 302 00:31:28,600 --> 00:31:35,940 SecurityManager. So to sum up, we have two security measures in this system. But 303 00:31:35,940 --> 00:31:41,660 the question is how user client can perform login operation if he doesn't 304 00:31:41,660 --> 00:31:47,830 have any valid clientID. In this case, at start up of the system, 305 00:31:47,830 --> 00:31:53,959 SessionManager will be added an anonymous session with clientID that equals zero. 306 00:31:53,959 --> 00:32:00,150 And client will use this clientID and perform login operation. But attacker can 307 00:32:00,150 --> 00:32:07,100 also use this feature and simply bypass those look. So to sum up, there is only 308 00:32:07,100 --> 00:32:14,770 one security measure on the system and it is fully delegated to the methods 309 00:32:14,770 --> 00:32:22,450 of RMI services.
But amount of RMI services is huge, amount of public methods 310 00:32:22,450 --> 00:32:29,249 is really huge. And so it becomes really difficult to manage security service of 311 00:32:29,249 --> 00:32:40,120 system. According to this information, we know all inputs of system. We 312 00:32:40,120 --> 00:32:45,070 know all possible security measures of systems. So it's time to find 313 00:32:45,070 --> 00:32:53,180 vulnerabilities in the list of RMI services. This one, which looks so 314 00:32:53,180 --> 00:32:58,350 attractive, is admin service, it can be accessed with an anonymous session inside. 315 00:32:58,350 --> 00:33:04,150 Its public method runScript doesn't perform any privilege 316 00:33:04,150 --> 00:33:13,250 checks, so we can call its resulting Ternium credentials and so on. At first 317 00:33:13,250 --> 00:33:19,980 step, this method creates instance of class loader using bytes from arguments 318 00:33:19,980 --> 00:33:27,429 and in fact this step will allow to load arbitrary java class. This class should 319 00:33:27,429 --> 00:33:33,750 implement interface AdminScript and define method execute, and this method 320 00:33:33,750 --> 00:33:43,030 execute will be called by runScript of RMI services. For this case we create Java 321 00:33:43,030 --> 00:33:51,210 class which simply runs os command from arguments of runScript. And we get code 322 00:33:51,210 --> 00:33:58,520 execution on the system with system rights. Of course, there's a more powerful post 323 00:33:58,520 --> 00:34:05,790 exploitation of this vulnerability than simply running os command. This 324 00:34:05,790 --> 00:34:13,579 vulnerability allows injecting arbitrary java class inside running SPPA application, 325 00:34:13,579 --> 00:34:25,480 so you can use some Java reflection to patch some variables of system and 326 00:34:25,480 --> 00:34:36,029 have influence on technological properties of SPPA.
Also, privilege check inside 327 00:34:36,029 --> 00:34:43,870 methods of RMI service can be bypassed with SEC vulnerability in session service. This 328 00:34:43,870 --> 00:34:49,650 service has public method getloggingsessions(). In fact, this method 329 00:34:49,650 --> 00:34:58,770 returns all session data of logged-in users on the system. This information includes user 330 00:34:58,770 --> 00:35:10,040 names, IP and client Id. So if it contains the clientId of a user that has 331 00:35:10,040 --> 00:35:16,569 some admin privileges, attacker can use this clientId to get a reference to 332 00:35:16,569 --> 00:35:22,620 security service and this reference will be with some more privileged session. 333 00:35:22,620 --> 00:35:36,290 Further, attacker can call public method of security service, get all users, 334 00:35:36,290 --> 00:35:43,290 and get all private information about all users of the system, password hashes 335 00:35:43,290 --> 00:35:53,820 included in this private information. So to sum up, both of these 336 00:35:53,820 --> 00:36:06:590 vulnerabilities can be accessed through https and firewall rules can be bypassed. 337 00:36:06,590 --> 00:36:14,200 In general, all communication with RMI services are encrypted. So usernames and 338 00:36:14,200 --> 00:36:24,880 password hashes are transferred in plain text. This is more critical for 339 00:36:24,880 --> 00:36:37,800 the Fat client case. Moreover, all password hashes don't have 340 00:36:37,800 --> 00:36:44,400 any session protection mechanism. So if attacker can perform man in the middle 341 00:36:44,400 --> 00:36:51,670 attack against some user of SPPA and captures the traffic between this user 342 00:36:51,670 --> 00:36:59,109 and application server, he can get valid username and password hash of the system 343 00:36:59,109 --> 00:37:05,940 and simply reuse these credentials and perform login operation on the system.
344 00:37:05,940 --> 00:37:13,820 Moreover, he also can change the password of this user. I talk a lot about 345 00:37:13,820 --> 00:37:18,750 user names and password hashes, so it's time to understand how these items are 346 00:37:18,750 --> 00:37:27,080 organized on the system. Alex.
Alex: Hello everyone. I will continue our 347 00:37:27,080 --> 00:37:33,170 discussion about application server. On the previous slide you can see how remote 348 00:37:33,170 --> 00:37:42,910 authentication works. Now. Sorry, I repeat. On the previous slide you could see 349 00:37:42,910 --> 00:37:49,620 how remote authentication works. And now I'm going to tell you about how it is 350 00:37:49,620 --> 00:37:57,590 organized locally. After the system gets started, it begins to read two 351 00:37:57,590 --> 00:38:04,900 files: user1.xml and pdata1.xml to get user list and their passwords respectively. 352 00:38:04,900 --> 00:38:11,660 The user1 file is the simple xml while the data1 has a slightly more difficult 353 00:38:11,660 --> 00:38:17,921 structure. It is gzip archive encoded in base64, so a java serialized object in 354 00:38:17,921 --> 00:38:23,540 gzip archive contained in a specific xml. The fields of this xml are presented on the 355 00:38:23,540 --> 00:38:29,990 slide. They are used to calculate hash value and check password during 356 00:38:29,990 --> 00:38:36,660 authentication. On the bottom of the slide you can see password check algorithm 357 00:38:36,660 --> 00:38:44,790 in a pseudo code. It's a cryptographic scheme of the type of so-called crypt hashing scheme 358 00:38:44,790 --> 00:38:52,190 like on Unix and Linux machines. It has a number of iterations, salts, and only one 359 00:38:52,190 --> 00:38:56,910 thing was edited, that is hardcoded salt, which is the same for 360 00:38:56,910 --> 00:39:03,900 all users.
The tool for password, as a tool to extract password hashes and set 361 00:39:03,900 --> 00:39:11,730 parameters from the data1-file, has been developed. On this slide you can see its 362 00:39:11,730 --> 00:39:18,420 output as a tool. The tool can be used during the password auditing to 363 00:39:18,420 --> 00:39:22,730 check weak or dictionary passwords and their actual hash 364 00:39:22,730 --> 00:39:31,960 collision parameters. The tool is available at the link below. And to draw a line 365 00:39:31,960 --> 00:39:40,660 on the application server analysis: first, as we have seen, attack 366 00:39:40,660 --> 00:39:47,490 surface is really huge and includes a lot of different components. Secondly, it's 367 00:39:47,490 --> 00:39:57,310 about remote connections. What's that about? Whether SPPA has remote connection 368 00:39:57,310 --> 00:39:59,620 or because no remote connection. I couldn't do end this or someone 369 00:39:59,620 --> 00:40:13,089 else, who told you? You should check it anyway. And the last thing is an attacker 370 00:40:13,089 --> 00:40:19,490 has opportunity to impact power generation process. For example, it can start, stop 371 00:40:19,490 --> 00:40:26,070 generation, change some output value, or get some additional information about 372 00:40:26,070 --> 00:40:32,230 generation process, and all these actions can be done from application server. It's 373 00:40:32,230 --> 00:40:40,720 all about application server. And let's start discussion about automation. The 374 00:40:40,720 --> 00:40:45,619 main goal of automation server is to execute real time automation 375 00:40:45,619 --> 00:40:54,209 functions and tasks. Depending on the power plant project 376 00:40:54,209 --> 00:41:01,260 architecture and its features, the role of automation server can be different. We have 377 00:41:01,260 --> 00:41:07,020 to distinguish three roles. The first one is automation role.
There may be a slight 378 00:41:07,020 --> 00:41:14,190 confusion because the term is used both for server and for its role, but analyzing 379 00:41:14,190 --> 00:41:18,839 uplink automation server configuration and publicly available information we have 380 00:41:18,839 --> 00:41:25,490 found that whatever the role is, almost the same hardware and software are used 381 00:41:25,490 --> 00:41:34,090 and we have decided to use this kind of classification. That seems less confusing 382 00:41:34,090 --> 00:41:40,740 to us. At the same time, it's slightly different from the Windows 383 00:41:40,740 --> 00:41:49,210 classification anyway. I mean, automation role means 384 00:41:49,210 --> 00:41:53,040 that the server is responsible for interaction with input-output modules to 385 00:41:53,040 --> 00:41:58,390 control and monitor power plant equipment such as turbine, electric 386 00:41:58,390 --> 00:42:04,550 generator or some other. The second role is communication. This 387 00:42:04,550 --> 00:42:10,360 role is used for connection of third party software and systems; in other words 388 00:42:10,360 --> 00:42:18,760 it's just a protocol converter supporting such protocols as modbus, IEC 101, 104 389 00:42:18,760 --> 00:42:25,339 and some other. And the last role is a migration role. This role is used to 390 00:42:25,339 --> 00:42:32,890 connect previous version of SPPA-T2000 and legacy systems such as SPPA- 80 391 00:42:32,890 --> 00:42:42,570 2002, or tel per MI.. Automation server in automation role can 392 00:42:42,570 --> 00:42:52,150 be run on the Simatic S7 PLC and on an industrial PC. Other roles 393 00:42:52,150 --> 00:42:55,730 can be run only on industrial PCs. Now let's talk a little more about each role 394 00:42:55,730 --> 00:43:03,560 and let's start with automation role based on PLC.
PLC directly controls field 395 00:43:03,560 --> 00:43:09,760 devices like valves and turbine, and access to them means game 396 00:43:09,760 --> 00:43:16,750 over for any security discussion. They usually represent the lowest level in 397 00:43:16,750 --> 00:43:21,750 different reference models, such as Purdue model, for example. Any credential, any 398 00:43:21,750 --> 00:43:27,630 configuration changes and updates for PLC require to stop technological 399 00:43:27,630 --> 00:43:33,710 process. So these devices always have security misconfiguration, firmware, 400 00:43:33,710 --> 00:43:40,260 visible security updates and secure industrial protocols. In case of SPPA they 401 00:43:40,260 --> 00:43:48,060 are assembler ??? (Server???) protocols LCT data. ??? Logic information about its 402 00:43:48,060 --> 00:43:54,349 own protocols in the internet, but not so much about PLC data protocol. So we had to 403 00:43:54,349 --> 00:44:01,859 deal with it and analyze it ourselves. It's not a special protocol for SPPA. When 404 00:44:01,859 --> 00:44:06,810 you program your Simatic PLC and need to exchange some data between them 405 00:44:06,810 --> 00:44:14,880 in real time, you use this protocol. It's a quite simple protocol and maybe its 406 00:44:14,880 --> 00:44:21,140 description is available somewhere in the internet. But we couldn't find it. So just 407 00:44:21,140 --> 00:44:28,830 the case show you need structure. There is no security mechanism in this 408 00:44:28,830 --> 00:44:35,790 protocol, so the only obstacle while doing man in the middle attack to spoof 409 00:44:35,790 --> 00:44:40,680 data is the sequence number, which we can get from a packet; that just follows the 410 00:44:40,680 --> 00:44:48,160 implementation. For practical analyses we have developed the dissector, which is 411 00:44:48,160 --> 00:44:55,220 available at the link below.
During the security assessment of PLC configurations, 412 00:44:55,220 --> 00:45:02,380 one of the main things which we check is unauthorized access to reading and 413 00:45:02,380 --> 00:45:09,550 writing PLC memory. Availability of unauthorized access is determined by 414 00:45:09,550 --> 00:45:17,480 position of the mode selector of the PLC and some other configuration parameters. 415 00:45:17,480 --> 00:45:22,870 During the previous research conducted by one of our colleagues, Daniel Parnischev????, 416 00:45:22,870 --> 00:45:30,580 a privilege matrix has been obtained. It shows unsecure states and configurations 417 00:45:30,580 --> 00:45:37,440 of PLC. The tool for gathering information from the PLC over the network and its 418 00:45:37,440 --> 00:45:42,350 analysis has been developed by Danil and is also available in our repository. Now 419 00:45:42,350 --> 00:45:48,250 let's talk about application server based on industrial PC. It's just a Linux box. 420 00:45:48,250 --> 00:45:52,270 During the start it tries to download some additional files from the application 421 00:45:52,270 --> 00:45:59,520 server. These files include jar files, the bar scrapes, some configuration 422 00:45:59,520 --> 00:46:07,260 protocols files and some other. To execute jar files PTC Perc virtual 423 00:46:07,260 --> 00:46:15,250 machine is used. It is a runtime java machine widely spread in industrial IJ and 424 00:46:15,250 --> 00:46:22,700 military area. PTC Perc contains a completion mechanism. So all jar 425 00:46:22,700 --> 00:46:28,190 files contain a bytecode transformation. That's why regular decompilers fail. 426 00:46:28,190 --> 00:46:36,490 To solve this problem, we have written a php script to perform reverse 427 00:46:36,490 --> 00:46:44,110 transformation. After that, regular decompilers have been successful. Running 428 00:46:44,110 --> 00:46:49,000 jars open RMI services on the automation server and the sound ???
of their 429 00:46:49,000 --> 00:46:55,849 extension. For example, in case of migration server on PC, services which are 430 00:46:55,849 --> 00:47:00,260 extension of classic Java RMI services are used, and on the slide you can see the 431 00:47:00,260 --> 00:47:07,280 list of these services. The key issues of automation server based on 432 00:47:07,280 --> 00:47:13,250 industrial PC are presented on this slide. Firstly, as you can see, there 433 00:47:13,250 --> 00:47:19,790 is a possibility to spoof downloaded files from application server: files are downloaded 434 00:47:19,790 --> 00:47:24,980 over https and there are no security mechanisms during the process. 435 00:47:24,980 --> 00:47:32,000 Secondly, it's about the default credentials. You can get access over 436 00:47:32,000 --> 00:47:40,740 SSH to server vs user SAM admin and password. See him next. It's 437 00:47:40,740 --> 00:47:46,130 vulnerabilities in archives in our around IPC services. This will not be allowed to 438 00:47:46,130 --> 00:47:50,840 perform sensitive data exposure and remote code execution. And finally, the 439 00:47:50,840 --> 00:47:54,520 last group of vulnerabilities found in the software used to fulfil a migration 440 00:47:54,520 --> 00:48:01,770 role for communication vs SPPA-T2000, also known as the DSP system, has a number of 441 00:48:01,770 --> 00:48:06,480 issues on the migration server vs old TXP. You are not. You are in magic 442 00:48:06,480 --> 00:48:14,190 position. If you wrote about your own obviously vulnerabilities as they are in 443 00:48:14,190 --> 00:48:21,210 runtime as you need and service as this service contains request runtime contain a 444 00:48:21,210 --> 00:48:29,480 method where the first argument defines the action to be executed. Using the 445 00:48:29,480 --> 00:48:34,620 action read file it is possible to get content of any file from the system.
Using 446 00:48:34,620 --> 00:48:39,460 the write config file action it's possible to write information to the 447 00:48:39,460 --> 00:48:46,700 server. And for example, it can be jar files which execute shell command from 448 00:48:46,700 --> 00:48:52,800 the command line, and using some SPPA specific functions you can execute these 449 00:48:52,800 --> 00:49:00,580 jar files later. This is all about automation server. To sum up, 450 00:49:00,580 --> 00:49:07,540 automation server can be based on PLC or industrial PC. In case of PLC it is a 451 00:49:07,540 --> 00:49:16,420 usual PLC with no security issues. In case of industrial PC it's 452 00:49:16,420 --> 00:49:21,990 just a Linux box, which tries to download some additional files from the application 453 00:49:21,990 --> 00:49:28,639 server and some of them execute with the virtual machine. So far, we haven't 454 00:49:28,639 --> 00:49:33,390 mentioned any network equipment used in distributed control system. During the 455 00:49:33,390 --> 00:49:41,340 research we saw a wide variety of network devices and network infrastructure, 456 00:49:41,340 --> 00:49:46,820 including switches, firewalls and more rare devices such as data diode, for 457 00:49:46,820 --> 00:49:55,790 example. We tried to summarize all this information and got a common SPPA 458 00:49:55,790 --> 00:50:02,160 network topology and scheme. Lookup shown in purple usual places for network devices. 459 00:50:02,160 --> 00:50:08,510 By the same device it can be found in other vendors' distributed control systems. 460 00:50:08,510 --> 00:50:13,110 Network devices in industrial network usually have a lot of security issues. The 461 00:50:13,110 --> 00:50:18,579 reason for this is that most of them don't require any configuration before start and 462 00:50:18,579 --> 00:50:29,199 can be run out of the box. And that's why the things like get NLP???
and then be 463 00:50:29,199 --> 00:50:35,220 coming in to stream with credentials for different services. Fill ware? with 464 00:50:35,220 --> 00:50:43,910 publicly available exploits and just a lack of security configurations. 465 00:50:43,910 --> 00:50:53,321 All these things are usual for network devices and they are 466 00:50:53,321 --> 00:51:01,380 usual security issues for our industrial network. I think that's all. Now 467 00:51:01,380 --> 00:51:07,170 Gleb will sum up our discussion.
repdet: Yep. Yep. So the topic of power 468 00:51:07,170 --> 00:51:13,660 plants is huge. The system is huge and we tried to cover this and that's a lot of 469 00:51:13,660 --> 00:51:17,690 small things in the talk. And in fact everything can be summed up on this slide. 470 00:51:17,690 --> 00:51:22,550 Those are just the vulnerabilities, as you can see, the problems in Java, in 471 00:51:22,550 --> 00:51:28,220 Web applications, in different simple mechanisms that you can exploit actually 472 00:51:28,220 --> 00:51:33,340 directly, even not going into the PLC or field level. You can impact the 473 00:51:33,340 --> 00:51:39,460 process itself. What we don't cover in this talk is actually what select 474 00:51:39,460 --> 00:51:44,200 havoc???? or disaster could be caused by attacking such systems, because it's actually 475 00:51:44,200 --> 00:51:48,930 not that bad. I mean they're talking about things like blackouts of the series or 476 00:51:48,930 --> 00:51:54,470 things like this. This is not what you can do with such a system, because 477 00:51:54,470 --> 00:51:59,000 the distribution of the power in the grid is not there; according to the 478 00:51:59,000 --> 00:52:02,100 threat model it is not the problem of the power generation.
There should be 479 00:52:02,100 --> 00:52:05,950 another regulator who should watch for enough capacity in the network to 480 00:52:05,950 --> 00:52:10,860 fill the electricity for the customers. So what we're really speaking about 481 00:52:10,860 --> 00:52:17,350 here is how we can impact there. For example, the 482 00:52:17,350 --> 00:52:23,090 turbine itself, for example, but we had no access to the real turbine. They're 483 00:52:23,090 --> 00:52:27,580 big, expensive, and we haven't found anyone willing to provide us one, so we 484 00:52:27,580 --> 00:52:34,060 will destroy it. But the point is, we have an educated guess: PLCs control 485 00:52:34,060 --> 00:52:38,780 a lot of parameters of this turbine. And the turbine is like a big mechanical 486 00:52:38,780 --> 00:52:44,599 monster that is actually self degrading by working, and putting it into different 487 00:52:44,599 --> 00:52:49,880 uncomfortable operating modes will degrade it even faster or it will break its end. 488 00:52:49,880 --> 00:52:54,330 It's not easy. You can have a spare PLC or some other device. You won't have a spare 489 00:52:54,330 --> 00:53:03,021 turbine. So the impact is there. But it's not like very huge. So what we 490 00:53:03,021 --> 00:53:09,440 tried to do with this research mostly is to understand how we can help the power 491 00:53:09,440 --> 00:53:14,910 plant, the operators out there. And we have to fight all the issues, and 492 00:53:14,910 --> 00:53:19,750 analysing these infrastructures and the customer sites, we understood that all of 493 00:53:19,750 --> 00:53:23,950 the installations actually did the same. And we can write a very simple do it 494 00:53:23,950 --> 00:53:30,249 yourself assessment. And hopefully even engineers on the power plants can 495 00:53:30,249 --> 00:53:35,050 test themselves. It is very easy. A set of steps on two or three pages.
You connect 496 00:53:35,050 --> 00:53:39,020 to application network, you connect to the automation network, you run the tests, you 497 00:53:39,020 --> 00:53:43,050 get the results. And afterwards you talk with Siemens. Well, you can fix something 498 00:53:43,050 --> 00:53:47,971 by yourselves. And basically you don't have to hire expensive consultants to 499 00:53:47,971 --> 00:53:52,950 do the job. You should be able to do it by yourself. We hope that 500 00:53:52,950 --> 00:54:00,620 you will be able to do it. Of course. To summarize the whole situation around 501 00:54:00,620 --> 00:54:07,320 DCSs, if you have seen other industrial solutions like SCADAs, like 502 00:54:07,320 --> 00:54:13,210 substations and if any actually, you would find a lot of similarities and the 503 00:54:13,210 --> 00:54:18,230 whole thing will have the same pain points as all other solutions. There is a 504 00:54:18,230 --> 00:54:24,330 good document out there, IEC 62443, which describes how power plant 505 00:54:24,330 --> 00:54:29,260 operator or asset owner should talk to the system integrator and the vendor, with the 506 00:54:29,260 --> 00:54:33,360 vendor in terms of what security they should require and how they should control 507 00:54:33,360 --> 00:54:40,960 it. We urge any power plant operator to read these standards and to require 508 00:54:40,960 --> 00:54:46,130 security from their vendors and system integrators, because nowadays it depends 509 00:54:46,130 --> 00:54:49,390 from vendor to vendor. Maybe vendor is more interested in the security, or the 510 00:54:49,390 --> 00:54:53,710 plant, or some regulator and the like. Nobody knows how to act. This is the 511 00:54:53,710 --> 00:55:00,050 document which describes how you should talk with all other entities. Of 512 00:55:00,050 --> 00:55:07,680 course, read the slides, read the white paper in January.
Call Siemens, update all 513 00:55:07,680 --> 00:55:12,160 systems, change your passwords and configurations. This is actually very easy 514 00:55:12,160 --> 00:55:18,790 to at least shrink the attack surface. A lot of things inside SPPS ??? network are 515 00:55:18,790 --> 00:55:23,460 modern windows boxes and it's kind of easy to set up some form of monitoring, so 516 00:55:23,460 --> 00:55:27,849 you should talk to your security operations center. They would be able to 517 00:55:27,849 --> 00:55:32,720 look for some logs, though most of the impact that we showed was through 518 00:55:32,720 --> 00:55:36,770 input from the java application and you won't be able to monitor all of these. 519 00:55:36,770 --> 00:55:41,770 We have security events in windows. But at least it's still some form of 520 00:55:41,770 --> 00:55:49,440 detection process inside your network. And again, finally, to summarize, it is not 521 00:55:49,440 --> 00:55:55,210 like a problem of one DCS from Siemens. There are exactly the same issues for 522 00:55:55,210 --> 00:56:01,910 other vendors not mentioned here. We will release a lot of things today, tomorrow 523 00:56:01,910 --> 00:56:07,210 and in January. Basically the big white paper about everything that we have 524 00:56:07,210 --> 00:56:11,149 found out, we have recommendations what to do, with the wordlists, with the do it 525 00:56:11,149 --> 00:56:16,319 yourself security assessments, with a lot of tools. One of the tools would help 526 00:56:16,319 --> 00:56:19,420 you to do the research, another tool would help you, for example, if you are 527 00:56:19,420 --> 00:56:24,080 using intrusion detection systems like IDSs: you would be able to 528 00:56:24,080 --> 00:56:29,700 parse the protocols and maybe write some signatures for them. We work closely with 529 00:56:29,700 --> 00:56:33,880 Siemens. We want to say thank you to the Siemens ProductCERT.
They did a great 530 00:56:33,880 --> 00:56:37,970 job in communications between us and the product team that develops the products, 531 00:56:37,970 --> 00:56:42,020 the Siemens SPPA team for ??? in itself. The main outlines from the vendor 532 00:56:42,020 --> 00:56:47,150 response is that if you are a power plant operator, you should hurry and install the 533 00:56:47,150 --> 00:56:55,339 new version 8.2 SP2. Siemens is trying to educate and raise 534 00:56:55,339 --> 00:56:59,700 awareness among their customers. First of all, they should change passwords, 535 00:56:59,700 --> 00:57:04,070 that there are critical vulnerabilities and they should do something with it. And 536 00:57:04,070 --> 00:57:10,970 not all the problems are fixable by Siemens themselves. The operator 537 00:57:10,970 --> 00:57:19,310 is liable for some of the activities to do the security by themselves. So that's 538 00:57:19,310 --> 00:57:24,110 actually it. Thank you. Thank you very much. Thank you, Congress. If you have any 539 00:57:24,110 --> 00:57:26,930 questions, please welcome. 540 00:57:26,930 --> 00:57:36,030 Applause
541 00:57:36,030 --> 00:57:40,790 Herald: Thank all of you for this excellent talk, we have a short three minutes for 542 00:57:40,790 --> 00:57:45,270 questions. If you have questions, please line up at the microphones in the hall. If 543 00:57:45,270 --> 00:57:49,380 you're using hearing aids, there is an induction loop at microphone number three. 544 00:57:49,380 --> 00:57:54,440 Do we have questions from the Internets? Yes. Question from our signal angel, 545 00:57:54,440 --> 00:57:59,109 please.
Signal-Engel: So we've got a question with 546 00:57:59,109 --> 00:58:03,270 the vulnerabilities found. Could you take over those cans from the worldwide web cam 547 00:58:03,270 --> 00:58:10,900 without the freedom and the minimum tax?
Herald: Can you please repeat. 548 00:58:10,900 --> 00:58:13,509
repdet: A little bit louder, please?
Signal-Engel: Sorry. With your own 549 00:58:13,509 --> 00:58:19,430 vulnerabilities found, could you take control over those plants without worldwide 550 00:58:19,430 --> 00:58:26,560 them from public Internet, without further amending the ??? ? 551 00:58:26,560 --> 00:58:31,069
repdet: Actually, no. This is some form of the good news. 552 00:58:31,069 --> 00:58:35,010 Those systems are exclusively supported by one system integrator, by Siemens. They 553 00:58:35,010 --> 00:58:39,400 are more or less protected from the external access. Of course, there would be 554 00:58:39,400 --> 00:58:43,830 external access, but it's not that easy to reach it. And of course, we're not 555 00:58:43,830 --> 00:58:46,569 talking about Internet. We're talking about some corporate networks or things 556 00:58:46,569 --> 00:58:50,420 like this.
Herald: Next question, microphone three, 557 00:58:50,420 --> 00:58:54,500 please.
Mic. 3: Yes, hello. Uh, I also have a 558 00:58:54,500 --> 00:59:00,070 power plant on my planet and, uh, it's kind of bad for the atmosphere, I figured. 559 00:59:00,070 --> 00:59:05,670 So, uh, my question is, can you skip back to where the red button is to switch it 560 00:59:05,670 --> 00:59:14,460 off? And I'm asking for a friend. Laughter, Applause 561 00:59:14,460 --> 00:59:18,750
repdet: As we never thought about that, these materials can be used in this way. 562 00:59:18,750 --> 00:59:24,920 But yeah. Specifically, if you have an operator of engineers, friends on the 563 00:59:24,920 --> 00:59:29,530 power plants, you can talk to them.
Herald: Do we have any more questions from 564 00:59:29,530 --> 00:59:38,410 the Internets? No questions. Any questions from the hall? I guess not. Well, then, 565 00:59:38,410 --> 00:59:41,401 thank you very much for this talk and a warm round of applause.
566 00:59:41,401 --> 00:59:45,901 Applause 567 00:59:45,901 --> 00:59:48,771 36c3 Postroll music 568 00:59:48,771 --> 01:00:13,000 Subtitles created by c3subtitles.de in the year 2020. Join, and help us!