WEBVTT 00:00:00.000 --> 00:00:19.640 36C3 Preroll music 00:00:19.640 --> 00:00:23.070 Herald: One of the obvious critical infrastructures we have nowadays is power 00:00:23.070 --> 00:00:29.539 generation. If there is no power, we're pretty much screwed. Our next speakers 00:00:29.539 --> 00:00:34.690 will take a very close look at common industrial control systems used in power 00:00:34.690 --> 00:00:42.690 turbines and their shortcomings. So please give a warm round of applause to repdet, 00:00:42.690 --> 00:00:44.830 moradek and cOrs. 00:00:44.830 --> 00:00:52.240 Applause 00:00:52.240 --> 00:00:58.610 repdet: Good morning, Congress. Thank you for waking up in the morning. We will talk 00:00:58.610 --> 00:01:05.000 about the security of power plants today, specifically about automation systems 00:01:05.000 --> 00:01:11.139 that are used in the power plants. You might think that this is another talk 00:01:11.139 --> 00:01:18.149 about how insecure the whole industrial things around us are, and more or less it 00:01:18.149 --> 00:01:24.759 is. So for four years, we and our colleagues have been speaking about problems in 00:01:24.759 --> 00:01:30.819 industrial security. We are happy to say that things are getting better, but it's 00:01:30.819 --> 00:01:34.389 just that the tempo is a little bit different and feels a little bit 00:01:34.389 --> 00:01:38.990 uncomfortable though. Anyway, we will speak about how power plants are 00:01:38.990 --> 00:01:43.150 built, what is the automation inside, what are the vulnerabilities, and a high 00:01:43.150 --> 00:01:48.730 level overview of what you can do with this. But at first a little bit of 00:01:48.730 --> 00:01:56.529 introduction. We are security consultants. We work with a lot of industrial things 00:01:56.529 --> 00:02:02.939 like PLCs, RTUs, SCADAs, DCSs, ICS, whatever it is. We have been doing this for too 00:02:02.939 --> 00:02:10.300 long.
We have been doing this for so long that we have a huge map of contacts with a 00:02:10.300 --> 00:02:15.890 lot of system integrators and vendors. And for some time now we are not just doing the 00:02:15.890 --> 00:02:21.440 consultancy work for some asset owner, for example, for a power plant. We also talk 00:02:21.440 --> 00:02:27.330 to other entities and we try to fix things all together. We work at Kaspersky, 00:02:27.330 --> 00:02:32.320 and actually the whole research was done not just by me, Rado and Alexander, who 00:02:32.320 --> 00:02:44.060 are here, but also with the help of Eugenia and two Sergeys. Yep. So a thing 00:02:44.060 --> 00:02:49.170 that is very important to note is that everything that we will discuss right now 00:02:49.170 --> 00:02:57.920 has been reported to the respective vendor, basically a long time ago. You can see the 00:02:57.920 --> 00:03:03.270 vendors here, but more or less we will speak only about one vendor today. 00:03:03.270 --> 00:03:09.690 It is Siemens. But we would like you to understand that similar security 00:03:09.690 --> 00:03:15.250 issues can be found in all other industrial solutions from other vendors. 00:03:15.250 --> 00:03:19.951 You would find that some of the findings, for example, do not require 00:03:19.951 --> 00:03:26.280 weeks of work to find them out. And this would be true specifically for all 00:03:26.280 --> 00:03:33.090 other vendors which are not mentioned in the talk. Jokes aside, we will share 00:03:33.090 --> 00:03:41.850 security issues of real power plants out there, and it might look like we are 00:03:41.850 --> 00:03:48.900 kind of irresponsible guys. But in fact, it is the other way around. I mean that 00:03:48.900 --> 00:03:54.280 to do some kind of research with these systems that are working in the power 00:03:54.280 --> 00:03:59.580 plants, you need to get access to them. You need time to do this research.
You 00:03:59.580 --> 00:04:05.709 need to have some knowledge to do this research, and all these resources are 00:04:05.709 --> 00:04:10.430 limited for guys like us, for penetration testers, for auditors, for power plant 00:04:10.430 --> 00:04:16.209 operators and engineers. But for the bad guys, like the potential attackers or 00:04:16.209 --> 00:04:22.280 adversaries, this is actually their job. They have a lot of investment to do 00:04:22.280 --> 00:04:27.699 some research. So we assume that the bad guys already know this. And we would 00:04:27.699 --> 00:04:32.569 just like to share some information with the good guys so they would be able to act 00:04:32.569 --> 00:04:42.240 upon this. So let's go to the talk itself. Power plants. Power plants are the most 00:04:42.240 --> 00:04:48.520 common way how humans get their power, their electricity; they are everywhere 00:04:48.520 --> 00:04:54.259 around us. And I believe the closest one to Leipzig is called the Lippendorf 00:04:54.259 --> 00:04:59.099 power station. And during this research, when we were preparing an introduction, we 00:04:59.099 --> 00:05:02.300 were surprised how much information about power plants you can get from the 00:05:02.300 --> 00:05:07.430 Internet. It's not just, for example, a picture of the same power station 00:05:07.430 --> 00:05:14.800 on Google Maps. It is actually a very good scheme of what you can 00:05:14.800 --> 00:05:20.020 see on the marketing materials from vendors, because when they sell some 00:05:20.020 --> 00:05:24.199 system that automates power plant operations, they sometimes start with 00:05:24.199 --> 00:05:29.759 building construction. And on their websites, you can find the schematic 00:05:29.759 --> 00:05:34.400 pictures of actually which building does what and where you will find some 00:05:34.400 --> 00:05:39.900 equipment, which versions of equipment are used in these systems.
But if 00:05:39.900 --> 00:05:45.189 you don't have this experience, you can just Google things and you will find out 00:05:45.189 --> 00:05:50.029 which systems are used for automation in power plants. For example, for Lippendorf 00:05:50.029 --> 00:05:57.129 it's some system that is called Siemens SPPA-T2000 and P3000, which actually 00:05:57.129 --> 00:06:02.819 has another Siemens system inside called Siemens SPPA-T/P3000. So it's a little bit 00:06:02.819 --> 00:06:09.539 confusing, and it is. And we are still confused. This is exactly the system that 00:06:09.539 --> 00:06:18.479 we will focus on today: Siemens SPPA-T3000. And again, it could be any 00:06:18.479 --> 00:06:23.619 other automation system, but it just happened the way that we've seen this 00:06:23.619 --> 00:06:31.889 system more often than others. There is a way how you can actually see 00:06:31.889 --> 00:06:37.529 all the generation sites throughout the world, thanks to the carbon monitoring 00:06:37.529 --> 00:06:42.600 communities. This is not just power plants. This is also nuclear sites, 00:06:42.600 --> 00:06:49.409 wind generation, solar plants, etc. They are all here, marked by 00:06:49.409 --> 00:06:56.479 different fuel types of generation. For example, there are coal and gas power 00:06:56.479 --> 00:07:03.379 plants marked there. So the topic is really huge. And what we will 00:07:03.379 --> 00:07:08.580 focus on today in our talk is mostly the power plants which work on coal and 00:07:08.580 --> 00:07:14.360 gas, which is important to mention. The heart of each power plant is actually a 00:07:14.360 --> 00:07:18.170 turbine. We don't have a picture of a turbine on the slides, but more or less I 00:07:18.170 --> 00:07:24.010 think everybody saw it on the airplane.
They are various, but they are similar, 00:07:24.010 --> 00:07:31.189 specifically in terms of size and mostly how they work. On different vendors' web 00:07:31.189 --> 00:07:36.979 sites you can actually find a lot of information where those turbines are used. 00:07:36.979 --> 00:07:44.449 And this is, for example, the map of the turbines from Siemens. Not all turbines 00:07:44.449 --> 00:07:48.150 specifically are used in power plants. They have a lot of different applications 00:07:48.150 --> 00:07:53.089 like chemical plants, oil and gas, a lot of other things. But if you correlate this 00:07:53.089 --> 00:07:57.439 information from the previous slides, you would be able to identify which systems 00:07:57.439 --> 00:08:01.069 are used by which power plant. And if you Google more information, you can 00:08:01.069 --> 00:08:05.409 actually tell the versions and the generations of the systems that are used 00:08:05.409 --> 00:08:10.110 on these power plants. This is important because of the vulnerabilities that we 00:08:10.110 --> 00:08:17.199 will discuss later on in the slides. So before we speak about what is the 00:08:17.199 --> 00:08:21.909 automation on power plants, we should understand a little bit how they work. So 00:08:21.909 --> 00:08:27.659 we will go from right to left, and it's very easy. A little notice: for 00:08:27.659 --> 00:08:31.259 the whole talk, we will simplify a lot of things for two reasons. One of them, to 00:08:31.259 --> 00:08:36.520 make it more suitable for the audience. And another thing: we don't really 00:08:36.520 --> 00:08:43.080 understand everything ourselves. So the first thing you should get is a fuel. Fuel 00:08:43.080 --> 00:08:49.110 could be, for example, coal or gas. And you will just put this inside the 00:08:49.110 --> 00:08:54.830 combustion chamber, where you set it on fire, actually.
And it 00:08:54.830 --> 00:08:59.260 will generate a lot of pressure which will go to the turbine. And because of the 00:08:59.260 --> 00:09:05.100 pressure, the turbine will begin to rotate. The turbine has a shaft which 00:09:05.100 --> 00:09:10.100 will drive the electricity generator, which obviously will generate 00:09:10.100 --> 00:09:16.050 electricity and put it on the power grid. So it is important from now on to 00:09:16.050 --> 00:09:21.350 understand that when we generate some electricity on the power plant, we put 00:09:21.350 --> 00:09:27.750 this power not just, for example, for this Congress center or for some city. 00:09:27.750 --> 00:09:33.810 We put it in a big thing called the power grid, where other entities will sell this 00:09:33.810 --> 00:09:40.380 electricity to different customers. There is also a very interesting point: 00:09:40.380 --> 00:09:46.500 when we do generate this pressure and the combustion chamber is on fire, we 00:09:46.500 --> 00:09:51.070 have a lot of excessive heat. And we have two options. One of them is to safely 00:09:51.070 --> 00:09:55.100 put it in the air. We have condensing towers. This is option number one. And 00:09:55.100 --> 00:10:00.650 another option is we can do some form of recuperation. For example, we would take 00:10:00.650 --> 00:10:06.730 this heat, we will warm water, the water will produce steam, and we will put this 00:10:06.730 --> 00:10:11.960 steam in the steam turbine and produce additional electricity. This is kind of 00:10:11.960 --> 00:10:20.450 an optimization of some form. So what is the automation in this process? 00:10:20.450 --> 00:10:24.190 The automation systems that are used on the power plants are usually called 00:10:24.190 --> 00:10:31.090 distributed control systems, or DCSs. And everything that I just 00:10:31.090 --> 00:10:36.790 described is actually automated inside those systems.
The vendor of the solution 00:10:36.790 --> 00:10:41.650 wants to simplify all things for the operator, because we don't want 00:10:41.650 --> 00:10:46.250 hundreds of people working on the power plant. We just want maybe dozens of 00:10:46.250 --> 00:10:50.830 people working there, and they want to simplify the whole process. 00:10:50.830 --> 00:10:55.780 They don't care about where they get this ???, gas or coal, how much they 00:10:55.780 --> 00:11:01.220 need. They just should be able to stop the generation process and start it. And they 00:11:01.220 --> 00:11:04.930 control one main thing, which is how much power we should produce to the 00:11:04.930 --> 00:11:13.420 power grid, so like how many megawatts of electricity we should produce. 00:11:13.420 --> 00:11:19.930 This describes the actual complexity hidden inside these 00:11:19.930 --> 00:11:24.070 solutions, because there are a lot of small things happening inside, and we will 00:11:24.070 --> 00:11:29.080 discuss it a little bit later. As I said, these DCSs are not exclusively used 00:11:29.080 --> 00:11:33.560 on the power plants. There are a lot of other sites that would use the same 00:11:33.560 --> 00:11:40.180 solutions, the same software and hardware. The DCS is not just software that 00:11:40.180 --> 00:11:44.980 you can install. It's a set of hardware and software, various input/output 00:11:44.980 --> 00:11:49.550 modules, sensors, etc. As I said, sometimes they start from building 00:11:49.550 --> 00:11:55.260 construction, like there is a field, please build a super power station. So 00:11:55.260 --> 00:12:01.190 these are more complex projects most of the time. There are a lot of vendors 00:12:01.190 --> 00:12:06.250 that are doing it. As I said, we are focusing in this talk on the Siemens 00:12:06.250 --> 00:12:15.720 one.
Just a short description of how simplified things are for operators 00:12:15.720 --> 00:12:21.330 of this DCS software. So, for example, if we would like to answer the question how 00:12:21.330 --> 00:12:28.020 we would regulate the output in megawatts of our power plant, we would need to 00:12:28.020 --> 00:12:33.030 control basically three things. Again, we are oversimplifying here. 00:12:33.030 --> 00:12:37.900 This is an example for the gas turbine. So 00:12:37.900 --> 00:12:43.060 we would need to regulate how much gas we put inside the combustion chamber, 00:12:43.060 --> 00:12:49.490 we would control the flame temperature, and we will control the thing that gets 00:12:49.490 --> 00:12:54.870 air inside the turbine. That's basically three things that are controlled by simple 00:12:54.870 --> 00:13:00.380 PLCs in the whole system. And you would be able, for example, to change 100 00:13:00.380 --> 00:13:08.830 megawatts to 150 megawatts based on these settings. So the system itself that we are 00:13:08.830 --> 00:13:15.480 going to discuss is called Siemens SPPA-T3000. And actually, again, like 00:13:15.480 --> 00:13:21.750 all other DCS systems from other vendors, this is a typical industrial 00:13:21.750 --> 00:13:28.630 system. It has all these things called PLCs, RTUs, HMIs, servers, 00:13:28.630 --> 00:13:34.070 OPC traffic, et cetera, et cetera. The only thing that is different 00:13:34.070 --> 00:13:41.100 specifically for Siemens SPPA-T3000 is that they have two main things called 00:13:41.100 --> 00:13:46.320 application server and automation server. The software running on these 00:13:46.320 --> 00:13:53.380 servers is not what you will find on other installations. Despite the fact that, 00:13:53.380 --> 00:13:59.900 if you read the manuals for the systems from Siemens,
00:13:59.900 --> 00:14:07.010 there would be a lot of different networks and highways, and a lot of things like 00:14:07.010 --> 00:14:11.410 Siemens would state that there is no connection between the application network 00:14:11.410 --> 00:14:18.300 and external networks. In practice and in reality, you will find things like a spick 00:14:18.300 --> 00:14:23.170 sensor network, monitoring both vibration, foreign objects and some noises 00:14:23.170 --> 00:14:28.970 inside the turbine. You will find the demilitarized zone, because all in all, 00:14:28.970 --> 00:14:33.900 power plant operators won't have onsite maintenance guys, 00:14:33.900 --> 00:14:37.860 engineers. They would try to do remote support. They would need to install 00:14:37.860 --> 00:14:42.630 updates for the operating system, update the signatures of their antiviruses, 00:14:42.630 --> 00:14:46.420 they would need to push some OPC traffic, so information about the 00:14:46.420 --> 00:14:50.620 generation process, outside, either to the corporate network or to some regulator, 00:14:50.620 --> 00:14:54.360 because the whole energy market is regulated and there are different entities 00:14:54.360 --> 00:14:58.570 who would monitor electricity generation, or they basically will tell you 00:14:58.570 --> 00:15:02.680 how much electricity you should generate, because this electricity is 00:15:02.680 --> 00:15:09.110 sold on the energy market. Basically, the whole talk is structured like this. We 00:15:09.110 --> 00:15:13.790 will speak first about the application server, then the automation server and then some 00:15:13.790 --> 00:15:20.650 summary. It all started with the process called Coordinated Vulnerability 00:15:20.650 --> 00:15:28.000 Disclosure. We notified Siemens about some issues almost a year ago, and 00:15:28.000 --> 00:15:34.950 at the beginning of December, Siemens published an advisory.
It was not 00:15:34.950 --> 00:15:39.890 an advisory just from the issues from us. A lot of other teams also 00:15:39.890 --> 00:15:45.540 contributed to it. And this December doesn't mean that Siemens 00:15:45.540 --> 00:15:51.230 just released the patches. They say that this system, SPPA-T3000, is exclusively 00:15:51.230 --> 00:15:56.060 supported, so the system integrator for the system is Siemens itself. So 00:15:56.060 --> 00:15:59.930 throughout the year after we notified them about some security issues, they started 00:15:59.930 --> 00:16:05.770 to roll out patches and install updates on the critical infrastructure they support, and 00:16:05.770 --> 00:16:13.260 hopefully they did it with all the sensitive issues. There are a lot of things 00:16:13.260 --> 00:16:18.580 to discuss here that we will skip, because we are a little bit in a hurry. Things like: 00:16:18.580 --> 00:16:24.100 not all vulnerabilities are the same. And we use, for example, CVSS here to talk 00:16:24.100 --> 00:16:28.300 about how critical the vulnerability is, but it's actually not very applicable 00:16:28.300 --> 00:16:33.750 to the industrial sites. You should understand what you can do with each 00:16:33.750 --> 00:16:39.190 vulnerability, how you can impact the process, and we will skip this part. There 00:16:39.190 --> 00:16:45.350 is actually kind of a threat model in the white paper that we will release later on, 00:16:45.350 --> 00:16:53.440 during January, we hope. So, application server. The application server is 00:16:53.440 --> 00:17:02.550 the main resource that you would find in the SPPA-T3000 network. 00:17:02.550 --> 00:17:07.870 If someone remotely connects to the system, it would end up in the application 00:17:07.870 --> 00:17:12.020 server. If someone wants to start the generation process or to change some 00:17:12.020 --> 00:17:17.800 values, it would be the application server.
If there are other servers that 00:17:17.800 --> 00:17:21.270 would, for example, try to communicate with the application server, they will actually 00:17:21.270 --> 00:17:25.530 start their work by downloading their software from the application server and then 00:17:25.530 --> 00:17:31.850 executing it. So the first thing you might notice here is that there are a lot of 00:17:31.850 --> 00:17:37.960 network ports available on this machine. And actually, this is the first 00:17:37.960 --> 00:17:45.190 point. There is a huge attack surface for the adversary to choose whether or 00:17:45.190 --> 00:17:49.460 not he would like to compromise some Siemens software or its Windows software 00:17:49.460 --> 00:17:55.030 or some other third party. Huge attack surface, starting from the fact that 00:17:55.030 --> 00:18:01.240 all the installations of these SPPA systems are kind of different. So 00:18:01.240 --> 00:18:05.850 depending on the version and the generation, you can find different Windows 00:18:05.850 --> 00:18:17.970 versions from 2003 to 2016. Hopefully they are all updated right now, but because 00:18:17.970 --> 00:18:24.220 the update process for such installations is a hard thing to 00:18:24.220 --> 00:18:29.059 do, I mean you should wait for maintenance, and it should be maybe once in a 00:18:29.059 --> 00:18:33.470 half year or once a year, you will always find some window where you can use 00:18:33.470 --> 00:18:38.480 some remotely exploitable vulnerabilities like EternalBlue or BlueKeep 00:18:38.480 --> 00:18:45.240 mentioned on the slide. There is tons of different additional software, like old 00:18:45.240 --> 00:18:48.570 Cygwin???
that will allow you to do privilege escalation, badly configured 00:18:48.570 --> 00:18:55.300 Tomcats. And we have here these funny pie charts that show how the configuration of 00:18:55.300 --> 00:19:00.330 different software is aligned with the best practices from CIS benchmarks. Those 00:19:00.330 --> 00:19:06.621 are basically security configuration hardening guides. The most 00:19:06.621 --> 00:19:12.760 important thing in the application server is a lot of Java software, and in a minute 00:19:12.760 --> 00:19:19.230 moradek will tell you about this. Surprise, surprise, one of the most 00:19:19.230 --> 00:19:27.510 notable problems in this Siemens SPPA-T3000 is actually passwords. There are 00:19:27.510 --> 00:19:32.420 three important ranges. The first of them is: for all the 00:19:32.420 --> 00:19:39.681 installations before 2014 and maybe 2015, all passwords for all the 00:19:39.681 --> 00:19:44.360 power stations were the same. And you can easily Google them. We've also published 00:19:44.360 --> 00:19:50.280 the full word list in the white paper. After these years Siemens started 00:19:50.280 --> 00:19:57.800 to generate unique passwords for all power plants. But until this year, it was 00:19:57.800 --> 00:20:01.540 kind of hard to change this password. So you need to be aware of how to do this. 00:20:01.540 --> 00:20:04.310 You need to know the process. You maybe need to contact your system 00:20:04.310 --> 00:20:08.260 integrator to do this. Starting from this December, it would be much easier 00:20:08.260 --> 00:20:13.910 specifically to change passwords. So in the past, even if you knew you had 00:20:13.910 --> 00:20:19.910 these issues, you were not able to simply change all these things.
00:20:19.910 --> 00:20:23.679 Along with the passwords, you can find the full diagrams and 00:20:23.679 --> 00:20:30.190 the integrator documentation that can show you how the system is built, how it's 00:20:30.190 --> 00:20:34.340 operating, specific accounts, etc. Of course, this was not published by Siemens; 00:20:34.340 --> 00:20:38.600 those are some power plant operators who thought that it would be a good idea to share 00:20:38.600 --> 00:20:44.810 this information. So as I said, the most important thing in the application server is 00:20:44.810 --> 00:20:48.870 a bunch of Java applications, and please welcome moradek, who will share the details 00:20:48.870 --> 00:20:57.070 about this. Applause 00:20:57.070 --> 00:21:01.310 moradek: Hi, everyone. Let's look at how the server software works on the application 00:21:01.310 --> 00:21:06.980 server. The operator can communicate with the system through a Thin client and a Fat client. 00:21:06.980 --> 00:21:15.810 A Thin client acts as a Java applet inside the Internet Explorer browser and 00:21:15.810 --> 00:21:23.130 communicates with the server through HTTPS, so it can be outside of the application highway 00:21:23.130 --> 00:21:28.800 and its communications can be constrained by a firewall. In the opposite case of the Fat 00:21:28.800 --> 00:21:34.910 client, software should be installed on the operator machine and the client directly 00:21:34.910 --> 00:21:40.800 communicates with the RMI registry to find services, and after that directly 00:21:40.800 --> 00:21:49.760 communicates with these RMI services. So the Fat client should belong to the application highway. 00:21:49.760 --> 00:21:57.910 The illustration of the whole architecture was kindly provided by SPPA through a URL. Not 00:21:57.910 --> 00:22:04.410 to be missed, it is divided into two spaces. In the red zone are the items that process 00:22:04.410 --> 00:22:10.960 requests from the Thin client and redirect them to RMI services.
And in the green zone there 00:22:10.960 --> 00:22:17.570 are RMI services which act as network services on their own TCP ports. SPPA 00:22:17.570 --> 00:22:23.690 consists of containers; each container can encapsulate inside one or more 00:22:23.690 --> 00:22:32.010 RMI services. All types of containers are represented on the illustration, and all of 00:22:32.010 --> 00:22:40.340 them have self-explanatory names. Before we go deep inside the internals of 00:22:40.340 --> 00:22:45.410 SPPA, let me introduce some tools which were used in this research. First of all, all 00:22:45.410 --> 00:22:51.500 jar files inside SPPA are obfuscated with a commercial product. But this 00:22:51.500 --> 00:22:59.350 security measure can be easily bypassed by a publicly available deobfuscator. 00:22:59.350 --> 00:23:05.580 Elsewhere, sometimes it is useful to see how legit software communicates with the system. 00:23:05.580 --> 00:23:13.720 It helps to understand the architecture of the system and the workflow of clients. In case of 00:23:13.720 --> 00:23:21.570 SPPA, an RMI dissector was written; it represents raw TCP streams in human 00:23:21.570 --> 00:23:30.010 readable format. Inside, it uses the method readObject from the JDK. It is known that this 00:23:30.010 --> 00:23:35.160 method is unsafe to insecure deserialization, so be careful not 00:23:35.160 --> 00:23:42.910 to be exploited through a remote pcap. The first pillar of SPPA is the Apache web server. 00:23:42.910 --> 00:23:51.740 According to its config, the software config folder can be accessed by an unauthorized 00:23:51.740 --> 00:23:59.040 user. In fact, this folder contains some sensitive information of the system. For 00:23:59.040 --> 00:24:07.170 example, the files pc system configuration, datasmells and the files inside etc contain 00:24:07.170 --> 00:24:14.660 startup options and configuration of all containers, either application highway or 00:24:14.660 --> 00:24:20.559 automation highway.
Also the configuration of Oracle and applications in Tomcat can be 00:24:20.559 --> 00:24:26.409 accessed using this vulnerability. And about Tomcat. There are three web 00:24:26.409 --> 00:24:33.790 applications registered: remote diagnostic viewer, manager and orion. According to the 00:24:33.790 --> 00:24:38.970 configuration of Tomcat and the Apache web server, I've observed that the orion 00:24:38.970 --> 00:24:48.660 service can be accessed through HTTPS. And in the file web.xml there is a list 00:24:48.660 --> 00:24:56.710 of all servlets of the orion application, and the list is really huge. So some of these 00:24:56.710 --> 00:25:04.710 servlets have attractive names for an attacker, for example BrowseServlet. In fact it allows 00:25:04.710 --> 00:25:12.700 traversing the user directory and listing directories of the operating system. But in 00:25:12.700 --> 00:25:19.910 case of exploitation, another servlet is more attractive. FileUploadServlet 00:25:19.910 --> 00:25:28.980 allows file upload with system parameters, and the user has 00:25:28.980 --> 00:25:34.680 full control of the name of the file. So this vulnerability can be easily 00:25:34.680 --> 00:25:39.420 transformed to a remote code execution. You can override some startup scripts 00:25:39.420 --> 00:25:46.390 of SPPA or simply inject a shell in the application and get remote code 00:25:46.390 --> 00:25:54.770 execution with system rights. Also there are some servlets which contain 00:25:54.770 --> 00:26:03.809 service factory names. In fact, they redirect HTTP requests to RMI services. 00:26:03.809 --> 00:26:12.210 Inside, they parse the incoming HTTP requests and search for the desired RMI service 00:26:12.210 --> 00:26:19.980 according to the parameter service url, and further invoke the public method of 00:26:19.980 --> 00:26:26.190 the security service.
And the name of the method is defined in a serialized object in 00:26:26.190 --> 00:26:34.439 the data section of the HTTP request. Also the parameters of these 00:26:34.439 --> 00:26:43.490 calls are defined in this object. So now we have a situation where the Thin client and 00:26:43.490 --> 00:26:52.500 the Fat client can access RMI services, but in case of the Fat client, it can also 00:26:52.500 --> 00:26:59.340 directly communicate with the RMI registry. So if the application server missed some 00:26:59.340 --> 00:27:04.430 important Java security updates, it contains an insecure deserialization 00:27:04.430 --> 00:27:13.059 vulnerability. And using the public tool ysoserial, we can simply exploit it and get 00:27:13.059 --> 00:27:18.730 code execution with system rights again. The next task will be to list all 00:27:18.730 --> 00:27:25.670 available RMI services on this SPPA system. At the first step, we simply use the class 00:27:25.670 --> 00:27:35.201 LocateRegistry in the Java SDK and get a big list of services. All but one are JMX 00:27:35.201 --> 00:27:43.370 RMI services; I assume that they perform some general interface for 00:27:43.370 --> 00:27:52.630 control and management of containers of SPPA. For the further investigation we only chose 00:27:52.630 --> 00:28:01.160 LookupService. In fact, this service looks like some collection of other 00:28:01.160 --> 00:28:10.480 RMI services. Using its public method list, we get the names of all available services, 00:28:10.480 --> 00:28:17.620 and using the name and the public method lookup, we get the reference of the RMI 00:28:17.620 --> 00:28:27.000 service. All RMI services in this step implement the interface ServiceFactory. So 00:28:27.000 --> 00:28:36.100 based on this, we can assume that this is again a collection of other 00:28:36.100 --> 00:28:41.100 RMI services. But in fact it doesn't have a public method to get the name of the 00:28:41.100 --> 00:28:52.700 service. So we need to decompile.
So we need to decompile the class and find some 00:28:52.700 --> 00:29:00.470 factory methods which create RMI services, for example createAdminScript, and 00:29:00.470 --> 00:29:08.330 inside we can find the name of the created service. As it can be guessed, 00:29:08.330 --> 00:29:14.230 it's admin service. So using the public method getService with this name, we get 00:29:14.230 --> 00:29:22.880 the reference to the next level RMI service, and in the final step we get 00:29:22.880 --> 00:29:31.350 the reference to the RMI services which perform the real job of SPPA. But this RMI 00:29:31.350 --> 00:29:39.070 service also contains a lot of public methods for an unauthorized user. So to sum 00:29:39.070 --> 00:29:46.380 up, we start from the registry, and at each level we find a lot of RMI services. And 00:29:46.380 --> 00:29:54.290 as the last item also contains a lot of public methods, the attack surface of 00:29:54.290 --> 00:30:01.799 the SPPA system is really huge. Now that we have listed all available RMI services, the 00:30:01.799 --> 00:30:10.140 next question is how the authentication of client requests is performed on the system. 00:30:10.140 --> 00:30:15.750 To answer this question, let's look at how a client request to the security service is 00:30:15.750 --> 00:30:22.190 processed by the system. First of all, the client gets the reference to the security 00:30:22.190 --> 00:30:31.150 service using some client ID. Further, PCServiceFactory tries to get a valid 00:30:31.150 --> 00:30:38.350 session using this clientID in the SessionManager. If the SessionManager 00:30:38.350 --> 00:30:45.240 fails in its task, an exception will be thrown and the client will fail. But if 00:30:45.240 --> 00:30:54.470 it succeeds, a valid sessionID will be returned to PCServiceFactory. And further, in its turn, 00:30:54.470 --> 00:31:00.830 an instance of SecurityService will be created in the factory method, while the 00:31:00.830 --> 00:31:12.220 session ID will be stored in loginID inside SecurityService.
And finally client will 00:31:12.220 --> 00:31:18.620 get the reference to Security Service. Further he can call some public method of 00:31:18.620 --> 00:31:28.600 it. But this method can perform privilege checks of user using loginId in 00:31:28.600 --> 00:31:35.940 SecurityManager. So to sum up, we have two security measures in this system. But as 00:31:35.940 --> 00:31:41.660 is the question how user client can perform login operation if he doesn't 00:31:41.660 --> 00:31:47.830 have any valid clientID. In this case, at start up of the system, 00:31:47.830 --> 00:31:53.959 SessionManager will be added an anonymous session with clientID that equals zero. 00:31:53.959 --> 00:32:00.150 And client will use this clientID and perform login operation. But attacker can 00:32:00.150 --> 00:32:07.100 also use this feature and simply bypass this lock. So to sum up, there is only 00:32:07.100 --> 00:32:14.770 one security measure on the system and it's fully delegated to the methods of 00:32:14.770 --> 00:32:22.450 RMI services. But amount of RMI services is huge, amount of public methods 00:32:22.450 --> 00:32:29.249 is really huge. And so it becomes really difficult to manage security of the 00:32:29.249 --> 00:32:40.120 system. According to this information. So we know, we know all inputs of system. We 00:32:40.120 --> 00:32:45.070 know all possible security measures of the system. So it's time to find 00:32:45.070 --> 00:32:53.180 vulnerabilities in the list of RMI services. This one, which looks so 00:32:53.180 --> 00:32:58.350 attractive, is admin service, it can be accessed with an anonymous session inside. 00:32:58.350 --> 00:33:04.150 It has public method runScript, this method doesn't perform any privilege 00:33:04.150 --> 00:33:13.250 checks, so we can call it, resulting Ternium credentials and so on.
At first 00:33:13.250 --> 00:33:19.980 step, this method creates instance of class loader using bytes from arguments 00:33:19.980 --> 00:33:27.429 and in fact this step will allow to load arbitrary Java class. This class should 00:33:27.429 --> 00:33:33.750 implement interface AdminScript and define method execute, and this method 00:33:33.750 --> 00:33:43.030 execute will be called by runScript of RMI service. For this case we create Java 00:33:43.030 --> 00:33:51.210 class which simply runs OS command from arguments of runScript. And we get code 00:33:51.210 --> 00:33:58.520 execution on the system with system rights. Of course, there's a more powerful post 00:33:58.520 --> 00:34:05.790 exploitation of this vulnerability than simply run OS command. You can. This 00:34:05.790 --> 00:34:13.579 vulnerability allows inject arbitrary Java class inside running SPPA application, 00:34:13.579 --> 00:34:25.480 so you can use some Java reflection to, to patch some variables of system and, and 00:34:25.480 --> 00:34:36.029 have influence on technological properties of SPPA. Also, privilege check inside 00:34:36.029 --> 00:34:43.870 methods of RMI service can be bypassed with second vulnerability in session service. This 00:34:43.870 --> 00:34:49.650 service has public method getLoggedSessions(). In fact, this method 00:34:49.650 --> 00:34:58.770 returns all session data of logged-in users on the system. This information includes user 00:34:58.770 --> 00:35:10.040 names, IP and client ID. So if this contains the clientId of user that has 00:35:10.040 --> 00:35:16.569 some admin privileges, attacker can use this clientId to get a reference to 00:35:16.569 --> 00:35:22.620 security service and this reference will be with some more privileged session.
00:35:22.620 --> 00:35:36.290 Further, further, attacker can call public method of security service, getAllUsers, 00:35:36.290 --> 00:35:43.290 and get all private information about all users of the system, and password hashes 00:35:43.290 --> 00:35:53.820 are included in this private information. So to sum up, we have two, and both of these 00:35:53.820 --> 00:36:06.590 vulnerabilities can be accessed through https and firewall rules can be bypassed. 00:36:06.590 --> 00:36:14.200 In general, all communication with RMI services are encrypted. So usernames and 00:36:14.200 --> 00:36:24.880 password hashes are transferred in plain text. This is, this because, this is more critical for 00:36:24.880 --> 00:36:37.800 for Fat client case. Moreover, all password hashes doesn't perform any, doesn't have 00:36:37.800 --> 00:36:44.400 any session protection mechanism. So if attacker can perform a man-in-the-middle 00:36:44.400 --> 00:36:51.670 attack against some user of SPPA and captures the traffic between this user 00:36:51.670 --> 00:36:59.109 and application server, he can get valid username and password hash of the system 00:36:59.109 --> 00:37:05.940 and simply reuse these credentials and perform login operation on the system. 00:37:05.940 --> 00:37:13.820 Moreover, he also can change the password of this user. I talk a lot about 00:37:13.820 --> 00:37:18.750 user names and password hashes, so it's time to understand how these items are 00:37:18.750 --> 00:37:27.080 organized on the system. Alex. Alex: Hello everyone. I will continue our 00:37:27.080 --> 00:37:33.170 discussion about application server. On the previous slide you can see how remote 00:37:33.170 --> 00:37:42.910 authentication works. Now. Sorry, I repeat. On the previous slide you could see 00:37:42.910 --> 00:37:49.620 how remote authentication works. And now I'm going to tell you about how it is 00:37:49.620 --> 00:37:57.590 organized locally.
After the system, after system gets started, it begins to read two 00:37:57.590 --> 00:38:04.900 files: user1.xml and pdata1.xml to get user list and their passwords respectively. 00:38:04.900 --> 00:38:11.660 The user1 file is the simple xml while the pdata1 has a slightly more difficult 00:38:11.660 --> 00:38:17.921 structure. It is gzip archive encoded in base64, so a Java serialization object in 00:38:17.921 --> 00:38:23.540 gzip archive contained in a specific xml. The fields of this xml are presented on the 00:38:23.540 --> 00:38:29.990 slide. They are used to calculate hash value and check password during the 00:38:29.990 --> 00:38:36.660 authentication. On the bottom of the slide you can see password check algorithm 00:38:36.660 --> 00:38:44.790 in a pseudo code. Its cryptographic scheme is the type of salted hashing scheme 00:38:44.790 --> 00:38:52.190 like on Unix and Linux machines. It has a number of iterations, salts, and only one 00:38:52.190 --> 00:38:56.910 thing is edited, was, was edited, that is hardcoded salt, which is the same for 00:38:56.910 --> 00:39:03.900 all users. The tool for password, a tool to extract password hashes and set 00:39:03.900 --> 00:39:11.730 parameters from the pdata1 file has been developed. On this slide you can see its 00:39:11.730 --> 00:39:18.420 output as a tool. The tool can be used during the password auditing, then to 00:39:18.420 --> 00:39:22.730 check the password, to check weak or dictionary passwords and their actual hash 00:39:22.730 --> 00:39:31.960 collision parameters. The tool is available at the link below. And draws the line, 00:39:31.960 --> 00:39:40.660 draws a line on the application server analysis: first, as we have seen, attack 00:39:40.660 --> 00:39:47.490 surface is really huge and includes a lot of different components. Secondly, it's 00:39:47.490 --> 00:39:57.310 about remote connections. What's that about?
Whether SPPA has remote connection 00:39:57.310 --> 00:39:59.620 or because no remote connection. I couldn't, I couldn't do end this or someone 00:39:59.620 --> 00:40:13.089 else, who told you? You should check it anyway. And the last thing is an attacker 00:40:13.089 --> 00:40:19.490 has opportunity to impact power generation process. For example, it can start, stop 00:40:19.490 --> 00:40:26.070 generation, change some output value, or get some additional information about 00:40:26.070 --> 00:40:32.230 generation process, and all these actions can be done from application server. It's 00:40:32.230 --> 00:40:40.720 all about application server. And let's start discussion about automation. The 00:40:40.720 --> 00:40:45.619 main goal of automation server is to execute real-time automation 00:40:45.619 --> 00:40:54.209 functions and tasks, depending on a, depending on the power plant project 00:40:54.209 --> 00:41:01.260 architecture and its features. The roles of automation server can be different. We have 00:41:01.260 --> 00:41:07.020 to distinguish three roles. The first one is automation role. There may be a slight 00:41:07.020 --> 00:41:14.190 confusion because the term is used both for server and for its role, but analyzing 00:41:14.190 --> 00:41:18.839 uplink automation server configuration and publicly available information we have 00:41:18.839 --> 00:41:25.490 found that whatever the role is, almost the same hardware and software are used 00:41:25.490 --> 00:41:34.090 and we have decided to use this kind of classification. That seems less confusing 00:41:34.090 --> 00:41:40.740 to us. At the same time, it's slightly different from the Windows 00:41:40.740 --> 00:41:49.210 classification anyway.
I mean, in automation role, automation role means 00:41:49.210 --> 00:41:53.040 that the server is responsible for interaction with input-output modules to 00:41:53.040 --> 00:41:58.390 control and monitor power plant equipment such as turbine, electric 00:41:58.390 --> 00:42:04.550 generator or some, some other. The second role is communication. In this role, this 00:42:04.550 --> 00:42:10.360 role is used for connection to third party software and systems, in other words 00:42:10.360 --> 00:42:18.760 it's just a protocol converter supporting such protocols as Modbus, IEC 101, 104 00:42:18.760 --> 00:42:25.339 and some other. And the last role is a migration role. This role is used to 00:42:25.339 --> 00:42:32.890 connect previous version of SPPA-T2000 and legacy systems such as SPPA- 80 00:42:32.890 --> 00:42:42.570 2002, or tel per MI.. Automation role, automation server in automation role can 00:42:42.570 --> 00:42:52.150 be run on the Simatic PLC and on an industrial, on industrial PC. Other roles 00:42:52.150 --> 00:42:55.730 can be run only on industrial PCs. Now let's talk a little more about each role 00:42:55.730 --> 00:43:03.560 and let's start with automation role based on PLC. PLCs directly control field 00:43:03.560 --> 00:43:09.760 devices like valves and turbine, and access to them is game 00:43:09.760 --> 00:43:16.750 over for any security discussion. They usually represent low, the lowest level in 00:43:16.750 --> 00:43:21.750 different reference models, such as Purdue model, for example. Any credential, any 00:43:21.750 --> 00:43:27.630 configuration changes and updates for PLC require to stop, to stop technological 00:43:27.630 --> 00:43:33.710 process. So these devices always have security misconfiguration, firmware 00:43:33.710 --> 00:43:40.260 without security updates and insecure industrial protocols. In case of SPPA they 00:43:40.260 --> 00:43:48.060 are assembler ??? (Server???) protocols LCT data. ???
There is a lot of information about its 00:43:48.060 --> 00:43:54.349 own protocols in the internet, but not so much about PLC data protocol. So we had to 00:43:54.349 --> 00:44:01.859 deal with it and analyze it ourselves. It's not a special protocol for SPPA. When 00:44:01.859 --> 00:44:06.810 you program your Simatic PLC and need to exchange some, some data between them 00:44:06.810 --> 00:44:14.880 in real time, you use this protocol. It's a quite simple protocol and maybe its 00:44:14.880 --> 00:44:21.140 description is available somewhere in the internet. But we couldn't find it. So just 00:44:21.140 --> 00:44:28.830 in case I show you the structure. There is no security mechanism in this 00:44:28.830 --> 00:44:35.790 protocol, so, so, so the only obstacle while doing man-in-the-middle attack to spoof 00:44:35.790 --> 00:44:40.680 data is the sequence number, which we can get from a packet that just follows the 00:44:40.680 --> 00:44:48.160 implementation. For practical analysis we have developed the dissector, which is 00:44:48.160 --> 00:44:55.220 available at the link below. During the security assessment of PLC configurations, 00:44:55.220 --> 00:45:02.380 one of the main things which we check is unauthorized access to, to reading and 00:45:02.380 --> 00:45:09.550 writing PLC memory. Availability of unauthorized access is determined by 00:45:09.550 --> 00:45:17.480 position of the mode selector of the PLC and some other configuration parameters. 00:45:17.480 --> 00:45:22.870 During the previous research conducted by one of our colleagues, Daniel Parnischev????, 00:45:22.870 --> 00:45:30.580 a privilege matrix has been obtained. It shows insecure states and configurations 00:45:30.580 --> 00:45:37.440 of PLC. The tool for gathering information from the PLC over the network and its 00:45:37.440 --> 00:45:42.350 analysis has been developed by Danil and is also available in our repository.
Now 00:45:42.350 --> 00:45:48.250 let's talk about application server based on industrial PC. It's just a Linux box. 00:45:48.250 --> 00:45:52.270 During the start it tries to download some additional files from the application 00:45:52.270 --> 00:45:59.520 server. These files include jar files, the bash scripts, some configuration 00:45:59.520 --> 00:46:07.260 protocol files and some other. You know, to execute jar files PTC Perc virtual 00:46:07.260 --> 00:46:15.250 machine is used. It is a runtime Java machine widely spread in industrial IJ and 00:46:15.250 --> 00:46:22.700 military area. PTC Perc contains a completion mechanism. So that is, all jar 00:46:22.700 --> 00:46:28.190 files contain a bytecode transformation. That's why regular decompilers fail 00:46:28.190 --> 00:46:36.490 on them. To solve this problem, we have written a php script to perform reverse 00:46:36.490 --> 00:46:44.110 transformation. After that, regular decompilers have been successful. Running 00:46:44.110 --> 00:46:49.000 jars open RMI services on the automation server and the sound ??? of their 00:46:49.000 --> 00:46:55.849 extension. For example, in case of migration server, PC services, which are 00:46:55.849 --> 00:47:00.260 extension of classic Java RMI services, are used and on the slide you can see the 00:47:00.260 --> 00:47:07.280 list of, of these services. Just the key issues of automation server based on 00:47:07.280 --> 00:47:13.250 industrial PC are presented on this slide. Firstly, as you can see, there 00:47:13.250 --> 00:47:19.790 is a possibility to spoof downloaded files from application server: files are downloaded 00:47:19.790 --> 00:47:24.980 over https and there are no security, security mechanisms during the process. 00:47:24.980 --> 00:47:32.000 Secondly, it's about the default credentials. You can get access over SSH, 00:47:32.000 --> 00:47:40.740 SSH to server with user SAM admin and password. See him next.
It's 00:47:40.740 --> 00:47:46.130 vulnerabilities in archives in our around IPC services. This will allow to 00:47:46.130 --> 00:47:50.840 perform sensitive data exposure and remote code execution. And finally, the 00:47:50.840 --> 00:47:54.520 last group of vulnerabilities found in the software used to fill a migration 00:47:54.520 --> 00:48:01.770 role for communication with SB 82000, also known as the DSP system, has a number of 00:48:01.770 --> 00:48:06.480 issues on the migration server with old TXP. You are not. You are in magic 00:48:06.480 --> 00:48:14.190 position. If you wrote about your own obviously vulnerabilities as they are in 00:48:14.190 --> 00:48:21.210 runtime as you need and service as this service contains request runtime contain a 00:48:21.210 --> 00:48:29.480 method where the first argument defines the action to be executed. Using the 00:48:29.480 --> 00:48:34.620 action read file it is possible to get content of any file from the system. Using 00:48:34.620 --> 00:48:39.460 the write config file it's possible to write information to the server. To the 00:48:39.460 --> 00:48:46.700 server. And for example, it can be a jar file, which executes shell command from 00:48:46.700 --> 00:48:52.800 the command line, and using some SPPA specific functions, you can execute these 00:48:52.800 --> 00:49:00.580 jar files later. This is all about automation server. To sum up, automated, 00:49:00.580 --> 00:49:07.540 automation server can be based on PLC or industrial PC. In case of PLC, it is a 00:49:07.540 --> 00:49:16.420 simple PLC, a usual PLC with no security issues. In case of industrial PC.. it's 00:49:16.420 --> 00:49:21.990 just a Linux box, which tries to download some additional files from the application 00:49:21.990 --> 00:49:28.639 server and some of them execute with the virtual machine.
So far, we haven't 00:49:28.639 --> 00:49:33.390 mentioned any network equipment used in distributed control system. During the 00:49:33.390 --> 00:49:41.340 research we saw a wide variety of network devices and network infrastructure, 00:49:41.340 --> 00:49:46.820 including switches, firewalls and more rare devices such as data diode, for 00:49:46.820 --> 00:49:55.790 example. We tried to summarize all this information and got a common SPPA 00:49:55.790 --> 00:50:02.160 network topology scheme. Look up, shown in purple are usual places for network devices. 00:50:02.160 --> 00:50:08.510 The same devices can be found in other vendors' distributed control systems. 00:50:08.510 --> 00:50:13.110 Network devices in industrial network usually have a lot of security issues. The 00:50:13.110 --> 00:50:18.579 reason for this is that most of them don't require any configuration before start and 00:50:18.579 --> 00:50:29.199 can be run out of the box. And that's why the things like get NLP??? and then be 00:50:29.199 --> 00:50:35.220 coming in to stream with credentials for different services, firmware with 00:50:35.220 --> 00:50:43.910 publicly, publicly available exploits and just a lack of security configurations. 00:50:43.910 --> 00:50:53.321 All these things are usual for, usual for network devices and they are usually usual, 00:50:53.321 --> 00:51:01.380 usual security issues for our industrial network. I think that's all I know, now 00:51:01.380 --> 00:51:07.170 Gleb will sum up our discussion. repdet: Yep. Yep. So the topic of power 00:51:07.170 --> 00:51:13.660 plants is huge. The system is huge and we try to cover this and that's a lot of 00:51:13.660 --> 00:51:17.690 small things in the talk. And in fact everything can be summed up on this slide.
00:51:17.690 --> 00:51:22.550 These, those are just the vulnerabilities, as you can see, in the problems in Java, in 00:51:22.550 --> 00:51:28.220 web applications, in different simple mechanisms that you can exploit actually 00:51:28.220 --> 00:51:33.340 directly, even not going into the PLC or field level, field level. You can impact the 00:51:33.340 --> 00:51:39.460 process itself. What we don't cover in this talk is actually what select 00:51:39.460 --> 00:51:44.200 havoc???? or disaster could be caused by attacking such systems, because it's actually 00:51:44.200 --> 00:51:48.930 not that bad. I mean they're talking about things like blackouts of the series or 00:51:48.930 --> 00:51:54.470 things like this. This is not what you can do with this kind of system, because the, 00:51:54.470 --> 00:51:59.000 like the distribution of the power, power in the grid is not there, according to the 00:51:59.000 --> 00:52:02.100 threat model it is not the problem of the power generation. There should be like 00:52:02.100 --> 00:52:05.950 another regulator who should watch for like enough capacity in the network to 00:52:05.950 --> 00:52:10.860 fill this, to fill the electricity for the customers. So what we're really speaking 00:52:10.860 --> 00:52:17.350 here is like the, is how we can impact there, for example, the turbine, the 00:52:17.350 --> 00:52:23.090 turbine itself, for example, but we had no access to the real turbine. They're 00:52:23.090 --> 00:52:27.580 big, expensive, and we haven't found anyone willing to provide us one. So we 00:52:27.580 --> 00:52:34.060 will destroy it. But the point is, we have an educated guess like PLCs, they control 00:52:34.060 --> 00:52:38.780 a lot of parameters of this turbine.
And the turbine is like a big mechanical 00:52:38.780 --> 00:52:44.599 monster that is actually self degrading by working, and putting it into different, like, 00:52:44.599 --> 00:52:49.880 uncomfortable operating modes will degrade it even faster or it will break it in the end. 00:52:49.880 --> 00:52:54.330 It's not easy. You can have a spare PLC or some other device. You won't have a spare 00:52:54.330 --> 00:53:03.021 turbine. So that the impact is there. But it's not like a very huge. So what we 00:53:03.021 --> 00:53:09.440 tried to do with this research mostly is to understand how we can help the power 00:53:09.440 --> 00:53:14.910 plant, the operators out there. And we have to fight in all the issues and, 00:53:14.910 --> 00:53:19.750 analysing these infrastructures and the customer sites, we understood that all of 00:53:19.750 --> 00:53:23.950 the installations actually did the same. And we can write a very simple do it 00:53:23.950 --> 00:53:30.249 yourself assessment. And hopefully even like engineers on the power plants can 00:53:30.249 --> 00:53:35.050 test themselves. It is very easy. A set of steps on two or three pages. You connect 00:53:35.050 --> 00:53:39.020 to application network, you connect to the automation network, you run the tests, you 00:53:39.020 --> 00:53:43.050 get the results. And afterwards you talk with Siemens. Well, you can fix something 00:53:43.050 --> 00:53:47.971 by yourselves. And basically you don't have to hire like expensive consultants to 00:53:47.971 --> 00:53:52.950 do the job. You should be, you should be able to do it by yourself. We hope that 00:53:52.950 --> 00:54:00.620 you will be able to do it. Of course.
To summarize the whole situation around 00:54:00.620 --> 00:54:07.320 DCSs, it is, if you have seen other industrial solutions like SCADAs, like 00:54:07.320 --> 00:54:13.210 substations and if any actually, you would find a lot of similarities and they, the 00:54:13.210 --> 00:54:18.230 whole, like it will have the same pain points as all other solutions. There is a 00:54:18.230 --> 00:54:24.330 good document from there, IEC 62443, which describes how, like, power plant 00:54:24.330 --> 00:54:29.260 operator or asset owner should talk to the system integrator and the vendor, with the 00:54:29.260 --> 00:54:33.360 vendor, in terms of what security they should require and how they should control 00:54:33.360 --> 00:54:40.960 it. We urge any power plant operator to read these standards and to require 00:54:40.960 --> 00:54:46.130 security from their vendors and system integrators, because nowadays it depends 00:54:46.130 --> 00:54:49.390 from vendor to vendor. Maybe vendor is more interested in the security or the 00:54:49.390 --> 00:54:53.710 plant or some regulator and the like. Nobody knows how to act. This is the 00:54:53.710 --> 00:55:00.050 document where, which describes how you should talk with all other entities. Of 00:55:00.050 --> 00:55:07.680 course, read the slides, read the white paper in the January. Call Siemens, update the 00:55:07.680 --> 00:55:12.160 systems, change your passwords and configurations. This is actually very easy 00:55:12.160 --> 00:55:18.790 to at least, to shrink the attack surface. A lot of things inside SPPS ??? network is 00:55:18.790 --> 00:55:23.460 a modern Windows boxes and it's kind of easy to set up some form of monitoring, so 00:55:23.460 --> 00:55:27.849 you should talk to your security operations center.
They would be able to 00:55:27.849 --> 00:55:32.720 look for some logs, not most of the impact that we showed, like it was their 00:55:32.720 --> 00:55:36.770 input from the Java application and you won't be able to monitor all of these. 00:55:36.770 --> 00:55:41.770 We have like security events in Windows. But at least it's still some form of 00:55:41.770 --> 00:55:49.440 detection process inside your network. And again, finally, to summarize, it is not 00:55:49.440 --> 00:55:55.210 like a problem of one DCS from Siemens. There are exactly the same issues for 00:55:55.210 --> 00:56:01.910 other vendors not mentioned here. We will release a lot of things today, tomorrow 00:56:01.910 --> 00:56:07.210 and in January. Basically like the big white paper about everything that we have 00:56:07.210 --> 00:56:11.149 found out, we have recommendations, what to do, with the wordlists, with the do it 00:56:11.149 --> 00:56:16.319 yourself security assessments, with a lot of tools. One of the tools would help 00:56:16.319 --> 00:56:19.420 you to do the research, another tools would help you, for example, if you are 00:56:19.420 --> 00:56:24.080 using intrusion detection systems like IDSs, you would be able to 00:56:24.080 --> 00:56:29.700 parse the protocols and maybe write some signatures for them. We work closely with 00:56:29.700 --> 00:56:33.880 Siemens. We want to say thank you for the Siemens ProductCERT. They did a great 00:56:33.880 --> 00:56:37.970 job in communications between us and the product team that develops the products, 00:56:37.970 --> 00:56:42.020 that Siemens SPPA team for ??? in itself. The main outlines from the vendor 00:56:42.020 --> 00:56:47.150 response is, that if you are a power plant operator, you should hurry and install a 00:56:47.150 --> 00:56:55.339 new version 8.2 SP2. There are, Siemens is trying to like educate and raise 00:56:55.339 --> 00:56:59.700 awareness outside their customers.
That's first of all, they should change passwords, 00:56:59.700 --> 00:57:04.070 that there are critical vulnerabilities and they should do something with it. And 00:57:04.070 --> 00:57:10.970 there is, not all the problems are fixable by Siemens themselves. There is, an operator 00:57:10.970 --> 00:57:19.310 is liable for some of the activities to do the security by themselves. So that's 00:57:19.310 --> 00:57:24.110 actually it. Thank you. Thank you very much. Thank you, Congress. If you have any 00:57:24.110 --> 00:57:26.930 questions, please welcome. 00:57:26.930 --> 00:57:36.030 Applause 00:57:36.030 --> 00:57:40.790 Herald: Thank all of you for this excellent talk, we have a short three minutes for 00:57:40.790 --> 00:57:45.270 questions. If you have questions, please line up at the microphones in the hall. If 00:57:45.270 --> 00:57:49.380 you're using hearing aids, there is an induction loop at microphone number three. 00:57:49.380 --> 00:57:54.440 Do we have questions from the Internets? Yes. Question from our signal angel, 00:57:54.440 --> 00:57:59.109 please. Signal Angel: So we've got a question with 00:57:59.109 --> 00:58:03.270 the vulnerabilities found. Could you take over those cans from the worldwide web cam 00:58:03.270 --> 00:58:10.900 without the freedom and the minimum tax? Herald: Can you please repeat. 00:58:10.900 --> 00:58:13.509 repdet: A little bit louder, please? Signal Angel: Sorry. With your own 00:58:13.509 --> 00:58:19.430 vulnerability found, could you take control over those plants without worldwide 00:58:19.430 --> 00:58:26.560 them from public Internet, without further amending the ??? ? 00:58:26.560 --> 00:58:31.069 repdet: Actually, no. This is, and this is some poor, some form of the good news. 00:58:31.069 --> 00:58:35.010 Those systems are exclusively supported by one system integrator, by Siemens. They 00:58:35.010 --> 00:58:39.400 are more or less protected from the external access.
Of course, there would be 00:58:39.400 --> 00:58:43.830 external access, but it's not that easy to reach it. And of course, it's, we're not 00:58:43.830 --> 00:58:46.569 talking about Internet. We're talking about some corporate networks or things 00:58:46.569 --> 00:58:50.420 like this. Herald: Next question, microphone three, 00:58:50.420 --> 00:58:54.500 please. Mic. 3: Yes, hello. Uh, I also have a 00:58:54.500 --> 00:59:00.070 power plant on my planet and, uh, it's kind of bad for the atmosphere, I figured. 00:59:00.070 --> 00:59:05.670 So, uh, my question is, can you skip back to where the red button is to switch it 00:59:05.670 --> 00:59:14.460 off? And I'm asking for a friend. Laughter, Applause 00:59:14.460 --> 00:59:18.750 repdet: As we never thought about that, these materials can be used in this way. 00:59:18.750 --> 00:59:24.920 But yeah. Specifically, if you have an operator or engineer friends on the 00:59:24.920 --> 00:59:29.530 power plants, you can talk to them. Herald: Do we have any more questions from 00:59:29.530 --> 00:59:38.410 the Internets? No questions. Any questions from the hall? I guess not. Well, then, 00:59:38.410 --> 00:59:41.401 thank you very much for this talk and a warm round of applause. 00:59:41.401 --> 00:59:45.901 Applause 00:59:45.901 --> 00:59:48.771 36c3 Postroll music 00:59:48.771 --> 01:00:13.000 Subtitles created by c3subtitles.de in the year 2020. Join, and help us!