WEBVTT
00:00:00.000 --> 00:00:19.640
36C3 Preroll music
00:00:19.640 --> 00:00:23.070
Herald: One of the obvious critical
infrastructures we have nowadays is power
00:00:23.070 --> 00:00:29.539
generation. If there is no power, we're
pretty much screwed. Our next speakers
00:00:29.539 --> 00:00:34.690
will take a very close look at common
industrial control systems used in power
00:00:34.690 --> 00:00:42.690
turbines and their shortcomings. So please
give a warm round of applause to repdet,
00:00:42.690 --> 00:00:44.830
moradek and cOrs.
00:00:44.830 --> 00:00:52.240
Applause
00:00:52.240 --> 00:00:58.610
repdet: Good morning, Congress. Thank you
for waking up in the morning. We will talk
00:00:58.610 --> 00:01:05.000
about the security of power plants today,
specifically about automation systems,
00:01:05.000 --> 00:01:11.139
that are used in the power plants up. You
might think that this is another talk
00:01:11.139 --> 00:01:18.149
about how insecure the whole industrial
things around us are and more or less it
00:01:18.149 --> 00:01:24.759
is. So for four years, we are we and our
colleagues speak about problems in
00:01:24.759 --> 00:01:30.819
industrial security. We are happy to say
that things are getting better, but it's
00:01:30.819 --> 00:01:34.389
just that the temper is a little bit
different and feels a little bit
00:01:34.389 --> 00:01:38.990
uncomfortable though. Anyway, we will
speak about to like how a power plants are
00:01:38.990 --> 00:01:43.150
built. What is the automation inside? What
are the vulnerabilities? And like the high
00:01:43.150 --> 00:01:48.730
level overview of what you can do with
this. But up at first a little bit of
00:01:48.730 --> 00:01:56.529
introduction. We are security consultants.
We work with a lot of industrial things
00:01:56.529 --> 00:02:02.939
like PLC, RTUs, SCADAs, DCSs, LCS
whatever it is, we were doing this for too
00:02:02.939 --> 00:02:10.300
long. We should have fought, for so long
that we have a huge map of contacts with a
00:02:10.300 --> 00:02:15.890
lot of system integrators and vendors. And
from the time we are not just doing the
00:02:15.890 --> 00:02:21.440
consultancy work for some asset owner, for
example, for a power plant. We also talk
00:02:21.440 --> 00:02:27.330
to other entities and we try to fix
things altogether. We work at Kaspersky
00:02:27.330 --> 00:02:32.320
and actually the whole research was done
not just by me, Rado and Alexander, who
00:02:32.320 --> 00:02:44.060
are here, but also with the help of
Eugenia and two Sergeys. Yep. So things
00:02:44.060 --> 00:02:49.170
that are very important to note is that
everything that we will discuss right now
00:02:49.170 --> 00:02:57.920
is reported to our respective vendor.
Basically long time ago you can see like
00:02:57.920 --> 00:03:03.270
vendors here, but more or less we will
speak only about one vendor today. It's
00:03:03.270 --> 00:03:09.690
it's it is Siemens. But we would like you
to understand that a similar security
00:03:09.690 --> 00:03:15.250
issues can be found in all other
industrial solutions from other vendors.
00:03:15.250 --> 00:03:19.951
You would find some of the findings, not,
for example, that seller does not require
00:03:19.951 --> 00:03:26.280
like weeks off work to find them out. And
this would be through specifically for all
00:03:26.280 --> 00:03:33.090
other vendors which are not mentioned in
the talk. Jokes aside, we will share
00:03:33.090 --> 00:03:41.850
security issues of real power plants out
there and it might look like we are we are
00:03:41.850 --> 00:03:48.900
kind of irresponsible guys. But in fact,
this is the other way around. I mean that
00:03:48.900 --> 00:03:54.280
to do some kind of research on with these
systems that are working in the power
00:03:54.280 --> 00:03:59.580
plants, you need to get access to them.
You need time to do this research. You
00:03:59.580 --> 00:04:05.709
need to have some knowledge to do this
research and all these resources, they are
00:04:05.709 --> 00:04:10.430
limited for guys like us, for penetration
testers, for auditors, for power plant
00:04:10.430 --> 00:04:16.209
operators and engineers, but for the bad
guys like the potential attacker or so
00:04:16.209 --> 00:04:22.280
adversaries. This is actually their job.
They they have a lot of investments to do
00:04:22.280 --> 00:04:27.699
some research. So we assume that bad guys
already know this. And we just we would
00:04:27.699 --> 00:04:32.569
like to share some information with the
good guys so they would be able to act
00:04:32.569 --> 00:04:42.240
upon this. So let's go to the talk itself.
Power plants, power plants is the most
00:04:42.240 --> 00:04:48.520
common way how humans get their power,
their electricity, their every everywhere
00:04:48.520 --> 00:04:54.259
around us. And there I believe the closest
one to Leipzig is called the Lippendorf
00:04:54.259 --> 00:04:59.099
power station. And during this research
when we were preparing an introduction, we
00:04:59.099 --> 00:05:02.300
were surprised how many information about
power plants you can get from the
00:05:02.300 --> 00:05:07.430
Internet. It's not just, for example, a
picture of this of the same power station
00:05:07.430 --> 00:05:14.800
on the Google Maps. It is actually a very
it's a very good scheme of what you can
00:05:14.800 --> 00:05:20.020
see on the marketing materials from
vendors, because when they sell some
00:05:20.020 --> 00:05:24.199
system that ultimate power plant
operations, they sometimes start with
00:05:24.199 --> 00:05:29.759
building construction. And on their on
their websites, you can find the schematic
00:05:29.759 --> 00:05:34.400
pictures of actually which building does
what and where you will find some
00:05:34.400 --> 00:05:39.900
equipment, which versions of equipment are
used in these systems. But if you like, if
00:05:39.900 --> 00:05:45.189
you don't have this experience, you can
just Google things and you will find out
00:05:45.189 --> 00:05:50.029
which systems are used for automation in
power plants, for example, for Lippendorf
00:05:50.029 --> 00:05:57.129
it's some system that is called Siemens
SPP T2000 and P3000, which is actually
00:05:57.129 --> 00:06:02.819
have another Siemens system inside called
Siemens SPPA-T/P3000. So it's a little bit
00:06:02.819 --> 00:06:09.539
confusing and it is. And we are still
confused. This is exactly the system that
00:06:09.539 --> 00:06:18.479
would be that we will focus today. Siemens
SPPT 3000. And again, it could be any
00:06:18.479 --> 00:06:23.619
other automation system, but it just
happened the way that we've seen this
00:06:23.619 --> 00:06:31.889
system more and more often than others. Up
there is a way how you can actually see
00:06:31.889 --> 00:06:37.529
older generation sites throughout the
world. Thanks to their carbon monitoring
00:06:37.529 --> 00:06:42.600
communities, this is not just power
plants. This is also like nuclear sites,
00:06:42.600 --> 00:06:49.409
wind generation, solar, solar plants, etc.
and etc. They are all here, marked by
00:06:49.409 --> 00:06:56.479
different fuel types of generation. For
example, there is a coal and gas power
00:06:56.479 --> 00:07:03.379
plants. Mark, marked there. So the topic
is really huge. And like what we will
00:07:03.379 --> 00:07:08.580
focus today in our talk is mostly the
power plants which are work on coal and
00:07:08.580 --> 00:07:14.360
gas, which is important to mention. The
heart of each power plant is actually a
00:07:14.360 --> 00:07:18.170
turbine. We don't have a picture of a
turbine on the slides, but more or less, I
00:07:18.170 --> 00:07:24.010
think everybody saw it on the airplane.
There are various that there are similar
00:07:24.010 --> 00:07:31.189
specifically in terms of size and mostly
how they work up on different vendor's Web
00:07:31.189 --> 00:07:36.979
sites. You can actually find a lot of
information where those turbines are used.
00:07:36.979 --> 00:07:44.449
And this is, for example, the map of the
turbines from Siemens. Not all turbines
00:07:44.449 --> 00:07:48.150
specifically are used in power plants. So
there have a lot of different applications
00:07:48.150 --> 00:07:53.089
like chemical plants, oil and gas. A lot
of other things. But if you correlate this
00:07:53.089 --> 00:07:57.439
information from previous slides, you
would be able to identify which systems
00:07:57.439 --> 00:08:01.069
are used by which power plant. And if you
will, Google more information, you can
00:08:01.069 --> 00:08:05.409
actually tell their versions and the
generations of the systems that are used
00:08:05.409 --> 00:08:10.110
on these power plants. This is important
because of the vulnerabilities that we
00:08:10.110 --> 00:08:17.199
will discuss later on on the slide. So
before we will speak about so what is the
00:08:17.199 --> 00:08:21.909
automation on power plants, we should
understand a little bit how they work. So
00:08:21.909 --> 00:08:27.659
we will go from right to left and it's
very easy. A little a little noticed. For
00:08:27.659 --> 00:08:31.259
all the talk, we will simplify a lot of
things for two reasons. One of them to
00:08:31.259 --> 00:08:36.520
make it more suitable for the audience.
And another thing. We don't really
00:08:36.520 --> 00:08:43.080
understand everything by ourselves. So the
first thing you should get is a fuel. Fuel
00:08:43.080 --> 00:08:49.110
could be, for example, a coil or coal or a
gas. And you will just put this inside the
00:08:49.110 --> 00:08:54.830
combustion chamber where you would put it
to set it up on fire, actually. And it
00:08:54.830 --> 00:08:59.260
will generate a lot of pressure which will
go to the turbine. And because of the
00:08:59.260 --> 00:09:05.100
pressure, the turbine will begin to
rotate. The turbine, have a shaft which
00:09:05.100 --> 00:09:10.100
will drive the electricity generator,
which is obviously will generate
00:09:10.100 --> 00:09:16.050
electricity and put it on the power grid.
So it is important from now I want to
00:09:16.050 --> 00:09:21.350
understand that when we generate some some
electricity on the power plant, we put
00:09:21.350 --> 00:09:27.750
this this power not just for, for example,
for this Congress center or for some city.
00:09:27.750 --> 00:09:33.810
We put it in a big thing called the power
grid, where other entities will sell this
00:09:33.810 --> 00:09:40.380
electricity to different customers.
There is also very interesting point about
00:09:40.380 --> 00:09:46.500
like, when we do generate this pressure
and the combustion chamber is on fire, we
00:09:46.500 --> 00:09:51.070
have a lot of excessive heat. And we have
two options like one of them is to safely
00:09:51.070 --> 00:09:55.100
put it in the air. We have condensing
towers. This is option number one. And
00:09:55.100 --> 00:10:00.650
another option is we can do some form of
recuperation. For example, we would take
00:10:00.650 --> 00:10:06.730
this heat. We will warm water. The water
will produce steam. And we will put this
00:10:06.730 --> 00:10:11.960
steam in the steam turbine and produce
additional electricity. This is kind of
00:10:11.960 --> 00:10:20.450
the optimization of some of some form. So
what is the automation in this process?
00:10:20.450 --> 00:10:24.190
The automation systems that are used on
the power plants are usually called
00:10:24.190 --> 00:10:31.090
distributed control systems or DCSs. And
everything that I just said that it just
00:10:31.090 --> 00:10:36.790
described actually is automated inside
those systems. The vendor of the solution
00:10:36.790 --> 00:10:41.650
want to simplify all things for the
operator, because we don't want like
00:10:41.650 --> 00:10:46.250
hundreds of people working on the power
plant. We just want like maybe dozens of
00:10:46.250 --> 00:10:50.830
people working there and they want to
simplify the whole the whole process of
00:10:50.830 --> 00:10:55.780 line:1
length. They don't care about where they
get this ???, gas or coal how much they
00:10:55.780 --> 00:11:01.220
need it. They just should be able to stop
the generation process started. And they
00:11:01.220 --> 00:11:04.930
control one main thing, which is called
how much power we should produce to the
00:11:04.930 --> 00:11:13.420
power grid. So like how many megawatts of
electricity we should produce. This is
00:11:13.420 --> 00:11:19.930
this. This describes the actually the
complexity, complexity hidden inside these
00:11:19.930 --> 00:11:24.070
solutions because there are a lot of small
things happening inside and we will
00:11:24.070 --> 00:11:29.080
discuss it a little bit later. As I said,
these DCSs, they're not exclusively used
00:11:29.080 --> 00:11:33.560
on the power plants. There are a lot of
other sites that would use the same
00:11:33.560 --> 00:11:40.180
solutions, the same software and hardware.
The DCS is not just like a software that
00:11:40.180 --> 00:11:44.980
you can install. It's a set of hardware
and software, various inputs, output,
00:11:44.980 --> 00:11:49.550
models, sensors, etc., etc.. As I said,
sometimes they start from building
00:11:49.550 --> 00:11:55.260
construction of like there is a field.
Please build a super power station. So
00:11:55.260 --> 00:12:01.190
it's a more complex projects. Most, most
of the time. There are a lot of vendors
00:12:01.190 --> 00:12:06.250
that are doing it. As I said, we are
focusing on this stock, on the Siemens
00:12:06.250 --> 00:12:15.720
one. Just a short little short description
of how simplified things are for operators
00:12:15.720 --> 00:12:21.330
of this DCS software. So, for example, if
we would like to answer the question how
00:12:21.330 --> 00:12:28.020
we would regulate the output in megawatts
of our power plant, we would need to
00:12:28.020 --> 00:12:33.030
control basically three things. Again, we
are oversimplifying here. First of all,
00:12:33.030 --> 00:12:37.900
you would control how many. This is an
example for there for the gas turbine. So
00:12:37.900 --> 00:12:43.060
we would need to regulate how many? Guess,
we would put inside the combustion chamber
00:12:43.060 --> 00:12:49.490
where would control the flame temperature.
And we will control the thing that gets
00:12:49.490 --> 00:12:54.870
air inside the turbine that basically
three things that are controlled by simple
00:12:54.870 --> 00:13:00.380
PLCs in the whole system. And you
would be able, for example, to change 100
00:13:00.380 --> 00:13:08.830
megawatts to 150 megawatts based on these
settings. So the system itself that we are
00:13:08.830 --> 00:13:15.480
going to discuss is called Siemens
SPPT3000. And actually, again, as allow
00:13:15.480 --> 00:13:21.750
all other DCS systems or from other
vendors. This is a typical industrial
00:13:21.750 --> 00:13:28.630
systems system. It has all these things
called PLCs, RTUs, HMIs, servers,
00:13:28.630 --> 00:13:34.070
OPC traffic, et cetera, et cetera. The
only thing that has a difference
00:13:34.070 --> 00:13:41.100
specifically for Siemens as SPPT3000 is
that they have two main things called
00:13:41.100 --> 00:13:46.320
application server and automation server.
That's this software running on the
00:13:46.320 --> 00:13:53.380
servers is not what you will find on other
installations. Despite the fact that there
00:13:53.380 --> 00:13:59.900
are a lot of like if you will read the
manuals for for the systems from Siemens.
00:13:59.900 --> 00:14:07.010
There would be a lot of different networks
and highways and a lot of things like
00:14:07.010 --> 00:14:11.410
Siemens would state that there is no
connection between the application network
00:14:11.410 --> 00:14:18.300
and external networks. In practice and in
reality, you will find things like spick
00:14:18.300 --> 00:14:23.170
sensor network, like monitoring both
vibration, foreign objects and some noises
00:14:23.170 --> 00:14:28.970
inside the turbine. You will find the
demilitarized zone because all in all,
00:14:28.970 --> 00:14:33.900
like all power plant operators, they won't
have like onsite maintenance guys,
00:14:33.900 --> 00:14:37.860
engineers. They would try to do a remote
support. They would need to install
00:14:37.860 --> 00:14:42.630
updates for operating system, although for
their signatures of their anti viruses,
00:14:42.630 --> 00:14:46.420
they would need to push some OPC
traffic. So like information about the
00:14:46.420 --> 00:14:50.620
generation process outside either to
corporate network or to some regulator,
00:14:50.620 --> 00:14:54.360
because the whole energy market is
regulated and there are different entities
00:14:54.360 --> 00:14:58.570
who would monitor common electricity
generation or they basically will tell you
00:14:58.570 --> 00:15:02.680
how many electricity you should generate.
Because this is common electricity was
00:15:02.680 --> 00:15:09.110
sold on the energy market. Basically,
the whole talk is structured like this. We
00:15:09.110 --> 00:15:13.790
will speak first about application server,
then automation server and then some
00:15:13.790 --> 00:15:20.650
summary. It all started with the process
called Coordinated Vulnerability
00:15:20.650 --> 00:15:28.000
Disclosure. We notified Siemens about some
issues almost a year ago and like a month
00:15:28.000 --> 00:15:34.950
at the beginning of December, Siemens
published an advisory. It was it was not
00:15:34.950 --> 00:15:39.890
an advisory just from from the issues,
just from us. A lot of other teams also
00:15:39.890 --> 00:15:45.540
contributed to it. And this December, this
year, December, doesn't mean that Siemens
00:15:45.540 --> 00:15:51.230
just released the patches. When they say
that this system, SPPT3000, is exclusively
00:15:51.230 --> 00:15:56.060
supported. So the system integrator for
the system is Siemens itself. So
00:15:56.060 --> 00:15:59.930
throughout the year after we notified them
about some security issues, they started
00:15:59.930 --> 00:16:05.770
to roll out patches and install updates on
critical infrastructure they support and
00:16:05.770 --> 00:16:13.260
hopefully they did it with all the
sensitive issues. There is a lot of things
00:16:13.260 --> 00:16:18.580
to discuss here we will skip, because we
are a little bit in a hurry. Things like
00:16:18.580 --> 00:16:24.100
not all vulnerabilities are the same. And
we use, for example, CVSS here to talk
00:16:24.100 --> 00:16:28.300
about like how critical the vulnerability
is, but it's actually not very applicable
00:16:28.300 --> 00:16:33.750
to the industrial sites. You should
understand what you can do with each
00:16:33.750 --> 00:16:39.190
vulnerability, how you can impact the
process, and we will skip this part. There
00:16:39.190 --> 00:16:45.350
is actually kind of a threat model in the
white paper that we will release later on,
00:16:45.350 --> 00:16:53.440
like during January. We will hope. So,
application server, application server is
00:16:53.440 --> 00:17:02.550
this main is is a main resource that you
would find in the SPPT3000 network. Like
00:17:02.550 --> 00:17:07.870
if if someone will remotely connect to the
system, it would end up in application
00:17:07.870 --> 00:17:12.020
server. If someone wants to start the
generation process or to change some
00:17:12.020 --> 00:17:17.800
values, it would be the application
server. If there are other servers that
00:17:17.800 --> 00:17:21.270
would, for example, try to communicate the
application server, they will actually
00:17:21.270 --> 00:17:25.530
start their work by downloading their
software from application server and then
00:17:25.530 --> 00:17:31.850
executing it. So the first thing you might
notice here is there are a lot of a lot of
00:17:31.850 --> 00:17:37.960
network ports available on this on this
machine. And actually, this is the first
00:17:37.960 --> 00:17:45.190
point. There is a, a huge attack surface
for that bursary??? to choose whether or
00:17:45.190 --> 00:17:49.460
not he would like to compromise some
Siemens software or its Windows software
00:17:49.460 --> 00:17:55.030
or its some another third party. Huge
attack surface starting from the fact that
00:17:55.030 --> 00:18:01.240
there are, all of the installation of this
SPP systems are kind of different. So
00:18:01.240 --> 00:18:05.850
depending on the version and other
generation, you can find different Windows
00:18:05.850 --> 00:18:17.970
versions from 2003 to 2016. Hopefully they
are all updated right now, but because the
00:18:17.970 --> 00:18:24.220
that the update process for such as for
such installations is is a hard thing to
00:18:24.220 --> 00:18:29.059
do. I mean you should wait for maintenance
and it should be like maybe once in a
00:18:29.059 --> 00:18:33.470
healthy year or once a year. You will
always find some window where you can use
00:18:33.470 --> 00:18:38.480
some remotely exploitable vulnerabilities
like EternalBlue or BlueKeep, as
00:18:38.480 --> 00:18:45.240
mentioned on the slide. There is tons of
different additional software like all
00:18:45.240 --> 00:18:48.570
signwin??? that will allow you to do
privilege escalation, badly configured
00:18:48.570 --> 00:18:55.300
Tomcats and we have here this funny pie
charts that show how configuration of
00:18:55.300 --> 00:19:00.330
different software is aligned with the
best practices from CIS benchmarks. Those
00:19:00.330 --> 00:19:06.621
are those are basically security
configuration hardening guides. The most
00:19:06.621 --> 00:19:12.760
important thing in the application server
is a lot of Java software and in a minute
00:19:12.760 --> 00:19:19.230
repdet will tell you about this. Surprise,
surprise there, the one of the most
00:19:19.230 --> 00:19:27.510
notable problems in this Siemens SPPT3000
is actually passwords. There, there are
00:19:27.510 --> 00:19:32.420
three important ranges. The first the
first of them is like what's all the
00:19:32.420 --> 00:19:39.681
installations before 2014 and maybe 2015.
All passwords for the for for all the
00:19:39.681 --> 00:19:44.360
power stations were the same. And you can
easily Google them. We've also published
00:19:44.360 --> 00:19:50.280
like the full word list in the white
paper. After this year's Siemens started
00:19:50.280 --> 00:19:57.800
to generate the unique passwords for all
power plants. But until this year, it was
00:19:57.800 --> 00:20:01.540
kind of hard to change this password. So
you need to be aware of how to do this.
00:20:01.540 --> 00:20:04.310
You need to know the process. You maybe
need to contact to contact your system
00:20:04.310 --> 00:20:08.260
integrator to do this. Starting up from
this December, it would be much easier
00:20:08.260 --> 00:20:13.910
specifically to change passwords. So it's
in the past. Even if you know, you have
00:20:13.910 --> 00:20:19.910
you have these issues, you were not able
to simply change or all these things.
00:20:19.910 --> 00:20:23.679
Along with the passwords, passwords, you
can find the like the full diagrams and
00:20:23.679 --> 00:20:30.190
the integrator documentation that can show
you how the system is built, how it's
00:20:30.190 --> 00:20:34.340
operating, specific accounts, etc, etc. Of
course, this was not published by Siemens,
00:20:34.340 --> 00:20:38.600
though some power plant operators who
thought that would be a good idea to share
00:20:38.600 --> 00:20:44.810
this information. So as I said, the most
important thing the application server is
00:20:44.810 --> 00:20:48.870
a bunch of Java applications and please
welcome moradek will share the details
00:20:48.870 --> 00:20:57.070
about this.
Applause
00:20:57.070 --> 00:21:01.310
moradek: Hi, everyone. Let's look at how
this perverse software works on application
00:21:01.310 --> 00:21:06.980
server. The operator can communicate with
system through a Thin client and Fat client
00:21:06.980 --> 00:21:15.810
and. A Thin client act as Java applet
inside Internet Explorer browser and
00:21:15.810 --> 00:21:23.130
communicate with server through HTTPS, so
it can be outside of application of fork
00:21:23.130 --> 00:21:28.800
and its communications can be constrained
by a firewall. In opposite in case of Fat
00:21:28.800 --> 00:21:34.910
client, software should be installed on
operator machine and client directly
00:21:34.910 --> 00:21:40.800
communicates with RMI registry to find
services. And after that directly
00:21:40.800 --> 00:21:49.760
communicates with these RMI services. So Fat
client should belong to application fork.
00:21:49.760 --> 00:21:57.910
Illustration of where architecture was
kindly provided by SPPA throws a URL. Not
00:21:57.910 --> 00:22:04.410
to be missed, let divided into spaces in
red zone. The items that brought this
00:22:04.410 --> 00:22:10.960
request from Thin client and redirect them
to RMI services. And in green zones there
00:22:10.960 --> 00:22:17.570
are RMI services which act as network
services on their name on TCP ports. SPP
00:22:17.570 --> 00:22:23.690
consists of containers, each container can
encapsulate inside one or more or
00:22:23.690 --> 00:22:32.010
RMI services. All type of containers are
represented on illustration and all of
00:22:32.010 --> 00:22:40.340
them have self explanatory names. Before
we going deep inside in tunnels office
00:22:40.340 --> 00:22:45.410
PPA, let me introduce some tools which
used in this research. First of all, old
00:22:45.410 --> 00:22:51.500
jar files inside this PPA are obfuscated
with commercial product. But these
00:22:51.500 --> 00:22:59.350
security measures can be easily bypassed
by publicly available tool the Obfuscator.
00:22:59.350 --> 00:23:05.580
Elsewhere sometimes it is useful to see how
legit software communicates with system.
00:23:05.580 --> 00:23:13.720
It helps to understand architecture of
system and workflow of clients. In case of
00:23:13.720 --> 00:23:21.570
PPA it my district was written, it
represents raw TCP streams in human
00:23:21.570 --> 00:23:30.010
readable format inside it. Use method read
object from jsdk. It is known that this
00:23:30.010 --> 00:23:35.160
method is unsafe due to insecure
deserialization, so be careful not
00:23:35.160 --> 00:23:42.910
to be exploited through remote pickup. The
first pillar of SPP it's apache webserver.
00:23:42.910 --> 00:23:51.740
According it config folder or software
config can be accessed by unauthorized
00:23:51.740 --> 00:23:59.040
user. In fact, this folder contains some
sensitive information of system. For
00:23:59.040 --> 00:24:07.170
example, files PC system configuration,
datasmells and files inside. If C contain
00:24:07.170 --> 00:24:14.660
startup options and configuration of all
containers either application work or
00:24:14.660 --> 00:24:20.559
automation work. Else configuration of
Oracle and publication in Tomcat DLC can be
00:24:20.559 --> 00:24:26.409
accessed using this vulnerability. And about
Tomcat. There are three web
00:24:26.409 --> 00:24:33.790
applications registered, remote diagnostic
viewer, manager and orion. According to
00:24:33.790 --> 00:24:38.970
configuration of Tomcat, it's apache
webserver. I've observed as a ordering
00:24:38.970 --> 00:24:48.660
service can be accessed through HTTPS and
uh, in the file web dot xml there are list
00:24:48.660 --> 00:24:56.710
of all servlets of orion application and the
list is really huge. So some of these
00:24:56.710 --> 00:25:04.710
servlets have attractive name forTiger, for
example, browse servlet. In fact it allows
00:25:04.710 --> 00:25:12.700
a third of the user directory, and listing
directories of operation system. But in
00:25:12.700 --> 00:25:19.910
case of exploitation another servlet is
more attractive. File upload servlet it
00:25:19.910 --> 00:25:28.980
allows you allows on the file upload with
system parameters based you in touch with
00:25:28.980 --> 00:25:34.680
me in full control the name of the file.
So this vulnerability can be easily
00:25:34.680 --> 00:25:39.420
transformed to a remote code execution.
You can override some startups scripts
00:25:39.420 --> 00:25:46.390
office PPA or simply inject a shell in the
application and get the remote code
00:25:46.390 --> 00:25:54.770
execution with system rights. Also there
are some set alerts which contains good
00:25:54.770 --> 00:26:03.809
service factory names. In fact, they
redirect http request to RMI services.
00:26:03.809 --> 00:26:12.210
Inside they passed around to foreign http
requests and search desirable RMI services.
00:26:12.210 --> 00:26:19.980
According to parameter service url and
further invoke go to the public method of
00:26:19.980 --> 00:26:26.190
security service. And the name of the
method defined in centralized object in
00:26:26.190 --> 00:26:34.439
the data section of which to progress.
Else parameters, the parameters of these
00:26:34.439 --> 00:26:43.490
goals are also defined in this object. So
now we have situation one Thin client and
00:26:43.490 --> 00:26:52.500
Fat client can access my services, but in
case of Fat client, it, it can also
00:26:52.500 --> 00:26:59.340
directly communicate with RMI registry. So
if application server missed some
00:26:59.340 --> 00:27:04.430
important java security updates, it
contains insecure deserialization
00:27:04.430 --> 00:27:13.059
vulnerability. And using public to use
serial we can simply exploit it and get a
00:27:13.059 --> 00:27:18.730
code execution with system rights again.
The next task will be to list all
00:27:18.730 --> 00:27:25.670 line:1
available RMI services on this SPPA system.
At first step, we simply use class look at
00:27:25.670 --> 00:27:35.201
triggers and Java SDK and get a big list
of services. All but one jmakes it to
00:27:35.201 --> 00:27:43.370
myservices, I assume that they perform
some general interface for com, for
00:27:43.370 --> 00:27:52.630
control and manage containers of SPPA. For
the further investigation we only choose
00:27:52.630 --> 00:28:01.160
LookUp Service. In fact, this service
looks like some a collection of another
00:28:01.160 --> 00:28:10.480
RMI services using its public method list
we get the name of all available services
00:28:10.480 --> 00:28:17.620
and using the name and public method
lookup we get the reference of RMI
00:28:17.620 --> 00:28:27.000
service. All RMI services in this tip
implement interface satisfactory. So
00:28:27.000 --> 00:28:36.100
buttons as this. We can assume that and
that this is a game collection of another
00:28:36.100 --> 00:28:41.100
RMI services. But in fact it doesn't have
public method to get the name of the
00:28:41.100 --> 00:28:52.700
service. So we need to decompile. So we
need to decompile the class and find some
00:28:52.700 --> 00:29:00.470
factory methods which create RMI service,
for example, create adminscript and
00:29:00.470 --> 00:29:08.330
inside we can find as the name of the
created service. As it can be guessed,
00:29:08.330 --> 00:29:14.230
it's admin service. So using public
method, get service in this name, we find
00:29:14.230 --> 00:29:22.880
that I gets the reference to the next
level RMI service and in final step we get
00:29:22.880 --> 00:29:31.350
the reference to RMI services which
perform real job SPPA. But it this RMI
00:29:31.350 --> 00:29:39.070
service also contains a lot of public
methods for unauthorized user. So to sum
00:29:39.070 --> 00:29:46.380
up which refers registry and at each
level we find a lot of RMI services. And
00:29:46.380 --> 00:29:54.290
as the last item also contains a lot of
public methods. So the attack surface of
00:29:54.290 --> 00:30:01.799
Supply C system is really huge. Now when
we list all available RMI services, the
00:30:01.799 --> 00:30:10.140
next question is how does authentication
of client request performs on the system?
00:30:10.140 --> 00:30:15.750
To answer this question, let's look how
client requests to security service
00:30:15.750 --> 00:30:22.190
processed by the system. First of all,
the client gets the reference to the security
00:30:22.190 --> 00:30:31.150
service using some client ID. Further,
PCServiceFactory tries to get a valid
00:30:31.150 --> 00:30:38.350
session using this clientID in
SessionManager. If SessionManager
00:30:38.350 --> 00:30:45.240
fails in this task, an exception will be
thrown and the client will fail. But if
00:30:45.240 --> 00:30:54.470
it succeeds, a valid sessionID will be returned
to PCSfactory. And further, in its turn, an
00:30:54.470 --> 00:31:00.830
instance of SecurityService will be
created in the factory method, while the
00:31:00.830 --> 00:31:12.220
session Id will be stored in loginID inside
SecurityService. And finally the client will
00:31:12.220 --> 00:31:18.620
get the reference to Security Service.
Further, he can call some public method of
00:31:18.620 --> 00:31:28.600
it. But this method can perform
privilege checks of the user using loginId in
00:31:28.600 --> 00:31:35.940
SecurityManager. So to sum up, we have two
security measures in this system. But there
00:31:35.940 --> 00:31:41.660
is the question how a user client can
perform a login operation if he doesn't
00:31:41.660 --> 00:31:47.830
have any valid clientID. In this case,
at start up of the system,
00:31:47.830 --> 00:31:53.959
SessionManager will add an anonymous
session with clientID that equals zero.
00:31:53.959 --> 00:32:00.150
And the client will use this clientID and
perform the login operation. But an attacker can
00:32:00.150 --> 00:32:07.100
also use this feature and simply bypass
this. So to sum up, there is only
00:32:07.100 --> 00:32:14.770
one security measure on the system,
and it's fully delegated to the methods
00:32:14.770 --> 00:32:22.450
of RMI services. But the amount of RMI
services is huge, the amount of public methods
00:32:22.450 --> 00:32:29.249
is really huge. And so it becomes really
difficult to manage the security service of the
00:32:29.249 --> 00:32:40.120
system. According to this information,
we know all inputs of the system. We
00:32:40.120 --> 00:32:45.070
know all possible security measures of the
system. So it's time to find
00:32:45.070 --> 00:32:53.180
vulnerabilities in the list of RMI
services. This one, which looks so
00:32:53.180 --> 00:32:58.350
attractive, is the admin service; it can be
accessed with an anonymous session. Inside,
00:32:58.350 --> 00:33:04.150
it has the public method runScript; this
method doesn't perform any privilege
00:33:04.150 --> 00:33:13.250
checks, so we can call its resulting
Ternium credentials and so on. At first
00:33:13.250 --> 00:33:19.980
step, this method creates an instance of
a class loader using bytes from the arguments
00:33:19.980 --> 00:33:27.429
and in fact this step allows loading an
arbitrary Java class. This class should
00:33:27.429 --> 00:33:33.750
implement the interface AdminScript and
define the method execute, and this method
00:33:33.750 --> 00:33:43.030
execute will be called by runScript of
the RMI service. For this case we create a Java
00:33:43.030 --> 00:33:51.210
class that simply runs an OS command from
the arguments of runScript. And we get code
00:33:51.210 --> 00:33:58.520
execution on the system, right?
Of course, there's a more powerful post
00:33:58.520 --> 00:34:05.790
exploitation of this vulnerability than
simply running an OS command. This
00:34:05.790 --> 00:34:13.579
vulnerability allows injecting an arbitrary Java
class inside the running SPPA application,
00:34:13.579 --> 00:34:25.480
so you can use some Java reflection to
patch some variables of the system and
00:34:25.480 --> 00:34:36.029
have influence on technological properties
of SPPA. Also, the privilege check inside
00:34:36.029 --> 00:34:43.870
methods of the RMI service can be bypassed
with a vulnerability in the session service. This
00:34:43.870 --> 00:34:49.650
service has public method
getloggingsessions(). In fact, this method
00:34:49.650 --> 00:34:58.770
returns all session data of logged-in users on
the system. This information includes user
00:34:58.770 --> 00:35:10.040
names, IP and clientId. So if among
these is the clientId of a user that has
00:35:10.040 --> 00:35:16.569
some admin privileges, an attacker can use
this clientId to get a reference to the
00:35:16.569 --> 00:35:22.620
security service, and this reference will
be with a more privileged session.
00:35:22.620 --> 00:35:36.290
Further, the attacker can call the public
method of the security service, get all users,
00:35:36.290 --> 00:35:43.290
and get all private information about all
users of the system, password hashes
00:35:43.290 --> 00:35:53.820
included in this private information. So
to sum up, both of these
00:35:53.820 --> 00:36:06.590
vulnerabilities can be accessed through
https and firewall rules can be bypassed.
00:36:06.590 --> 00:36:14.200
In general, all communication with RMI
services is encrypted. So usernames and
00:36:14.200 --> 00:36:24.880
password hashes are transferred in plain text.
This is more critical for
00:36:24.880 --> 00:36:37.800
the fat client case. Moreover, all password
hashes don't have
00:36:37.800 --> 00:36:44.400
any session protection mechanism. So if an
attacker can perform a man-in-the-middle
00:36:44.400 --> 00:36:51.670
attack against some user of SPPA
and capture the traffic between this user
00:36:51.670 --> 00:36:59.109
and the application server, he can get a valid
username and password hash of the system
00:36:59.109 --> 00:37:05.940
and simply reuse these credentials and
perform a login operation on the system.
00:37:05.940 --> 00:37:13.820
Moreover, he can also change the
password of this user. I talked a lot about
00:37:13.820 --> 00:37:18.750
user names and password hashes, so it's
time to understand how these items
00:37:18.750 --> 00:37:27.080
are organized on the system. Alex.
Alex: Hello everyone. I will continue our
00:37:27.080 --> 00:37:33.170
discussion about the application server. On
the previous slide you can see how remote
00:37:33.170 --> 00:37:42.910
authentication works. Now. Sorry, I
repeat. On the previous slide you could see
00:37:42.910 --> 00:37:49.620
how remote authentication works. And
now I'm going to tell you about how it is
00:37:49.620 --> 00:37:57.590
organized locally. After the
system gets started, it begins to read two
00:37:57.590 --> 00:38:04.900
files: user1.xml and pdata1.xml to get the
user list and their passwords respectively.
00:38:04.900 --> 00:38:11.660
The user1 file is a simple xml, while the
data1 has a slightly more difficult
00:38:11.660 --> 00:38:17.921
structure. It is a gzip archive encoded in
base64, and the Java serialization object in the
00:38:17.921 --> 00:38:23.540
gzip archive is contained in a specific xml.
The fields of this xml are presented on the
00:38:23.540 --> 00:38:29.990
slide. They are used to calculate the hash
value and check the password during
00:38:29.990 --> 00:38:36.660
authentication. On the bottom of the
slide you can see the password check algorithm
00:38:36.660 --> 00:38:44.790
in pseudocode. Its cryptographic scheme is
the type called crypt hashing scheme,
00:38:44.790 --> 00:38:52.190
like on Unix and Linux machines. It has a
number of iterations, salts, and only one
00:38:52.190 --> 00:38:56.910
thing was edited, that is,
the salt is hardcoded, which is the same for
00:38:56.910 --> 00:39:03.900
all users. A tool
to extract password hashes and set
00:39:03.900 --> 00:39:11.730
parameters from the data1 file has been
developed. On this slide you can see its
00:39:11.730 --> 00:39:18.420
output. The tool can be used
during password auditing to
00:39:18.420 --> 00:39:22.730
check for weak or
dictionary passwords and their actual hash
00:39:22.730 --> 00:39:31.960
collision parameters. The tool is available
at the link below. To draw a line
00:39:31.960 --> 00:39:40.660
under the application server
analysis: first, as we have seen, the attack
00:39:40.660 --> 00:39:47.490
surface is really huge and includes a lot
of different components. Secondly, it's
00:39:47.490 --> 00:39:57.310
about remote connections. What's that
about? Whether SPPA has a remote connection
00:39:57.310 --> 00:39:59.620
or no remote connection. I
couldn't do this, or someone
00:39:59.620 --> 00:40:13.089
else who told you? You should check it
anyway. And the last thing is an attacker
00:40:13.089 --> 00:40:19.490
has the opportunity to impact the power generation
process. For example, he can start or stop
00:40:19.490 --> 00:40:26.070
generation, change some output value, or
get some additional information about the
00:40:26.070 --> 00:40:32.230
generation process, and all these actions
can be done from the application server. That's
00:40:32.230 --> 00:40:40.720
all about the application server. And let's
start the discussion about automation. The
00:40:40.720 --> 00:40:45.619
main goal of the automation server is to
execute real-time automation
00:40:45.619 --> 00:40:54.209
functions and tasks. Depending on the
power plant project
00:40:54.209 --> 00:41:01.260
architecture and its features, the role
of the automation server can be different. We have
00:41:01.260 --> 00:41:07.020
to distinguish three roles. The first one
is the automation role. There may be a slight
00:41:07.020 --> 00:41:14.190
confusion because the term is used both for
the server and for its role, but analyzing
00:41:14.190 --> 00:41:18.839
uplink automation server configuration and
publicly available information we have
00:41:18.839 --> 00:41:25.490
found that whatever the role is, almost
the same hardware and software are used
00:41:25.490 --> 00:41:34.090
and we have decided to use this kind of
classification. That seems less confusing
00:41:34.090 --> 00:41:40.740
to us. At the same time, it's slightly
different from the Windows
00:41:40.740 --> 00:41:49.210
classification anyway. I mean,
the automation role means
00:41:49.210 --> 00:41:53.040
that the server is responsible for
interaction with input-output modules to
00:41:53.040 --> 00:41:58.390
control and monitor power plant
equipment such as turbine electric
00:41:58.390 --> 00:42:04.550
generator or some other. The second
role is communication. This
00:42:04.550 --> 00:42:10.360
role is used for connecting third
party software and systems; in other words,
00:42:10.360 --> 00:42:18.760
it's just a protocol converter supporting
such protocols as Modbus, IEC 101, 104
00:42:18.760 --> 00:42:25.339
and some others. And the last role is the
migration role. This role is used to
00:42:25.339 --> 00:42:32.890
connect previous versions, for SPPA-T2000,
and legacy systems such as SPPA- 80
00:42:32.890 --> 00:42:42.570
2002, or tel per MI.. The
automation server in the automation role can
00:42:42.570 --> 00:42:52.150
be run on the semantic SLMPC or on an
industrial PC. Other roles
00:42:52.150 --> 00:42:55.730
can be run only on industrial PCs. Now
let's talk a little more about each role
00:42:55.730 --> 00:43:03.560
and let's start with the automation role based
on PLC. PLCs directly control field
00:43:03.560 --> 00:43:09.760
devices like valves and turbines, and access
to them means game
00:43:09.760 --> 00:43:16.750
over for any security discussion. They
usually represent the lowest level in
00:43:16.750 --> 00:43:21.750
different reference models, such as the Purdue
model, for example. Any credential, any
00:43:21.750 --> 00:43:27.630
configuration change and update for a PLC
requires stopping the technological
00:43:27.630 --> 00:43:33.710
process. So these devices always have
security misconfiguration, firmware,
00:43:33.710 --> 00:43:40.260
visible security updates and secure
industrial protocols. In case of SPPA they
00:43:40.260 --> 00:43:48.060
are assembler ??? (Server???) protocols
LCT data. ??? Logic information about its
00:43:48.060 --> 00:43:54.349
own protocols on the internet, but not so
much about the PLC data protocol. So we had to
00:43:54.349 --> 00:44:01.859
deal with it and analyze it ourselves.
It's not a special protocol for SPPA. When
00:44:01.859 --> 00:44:06.810
you program your Symantec PLC and need to
exchange some data between them
00:44:06.810 --> 00:44:14.880
in real time, you use this protocol. It's
a quite simple protocol and maybe its
00:44:14.880 --> 00:44:21.140
description is available somewhere in the
internet. But we couldn't find it. So just
00:44:21.140 --> 00:44:28.830
in case we show you its structure. There
are no security mechanisms in this
00:44:28.830 --> 00:44:35.790
protocol, so the only obstacle while
doing a man-in-the-middle attack to spoof
00:44:35.790 --> 00:44:40.680
data is the sequence number, which we can
get from a packet, as just follows from the
00:44:40.680 --> 00:44:48.160
implementation. For practical analysis we
have developed a dissector, which is
00:44:48.160 --> 00:44:55.220
available at the link below. During the
security assessment of PLC configurations,
00:44:55.220 --> 00:45:02.380
one of the main things which we check is
unauthorized access to reading and
00:45:02.380 --> 00:45:09.550
writing PLC memory. Availability of
unauthorized access is determined by the
00:45:09.550 --> 00:45:17.480
position of the mode selector of the PLC
and some other configuration parameters.
00:45:17.480 --> 00:45:22.870
During previous research conducted by
one of our colleagues, Daniel Parnischev????,
00:45:22.870 --> 00:45:30.580
a privilege matrix has been obtained. It
shows insecure states and configurations
00:45:30.580 --> 00:45:37.440
of the PLC. The tool for gathering information
from the PLC over the network and its
00:45:37.440 --> 00:45:42.350
analysis has been developed by Danil and is
also available in our repository. Now
00:45:42.350 --> 00:45:48.250
let's talk about the application server based
on an industrial PC. It's just a Linux box.
00:45:48.250 --> 00:45:52.270
During the start it tries to download some
additional files from the application
00:45:52.270 --> 00:45:59.520
server. These files include jar
files, bash scripts, some configuration
00:45:59.520 --> 00:46:07.260
protocols files and some others. You know,
to execute jar files the PTC Perc virtual
00:46:07.260 --> 00:46:15.250
machine is used. It is a runtime Java
machine widely spread in industrial IJ and
00:46:15.250 --> 00:46:22.700
military area. PTC Perc contains a
completion mechanism, so that all jar
00:46:22.700 --> 00:46:28.190
files contain a bytecode transformation.
That's why regular decompilers fail
00:46:28.190 --> 00:46:36.490
on them. To solve this problem, we have
written a PHP script to perform the reverse
00:46:36.490 --> 00:46:44.110
transformation. After that, regular
decompilers have been successful. Running
00:46:44.110 --> 00:46:49.000
jars open RMI services on the automation
server and the sound ??? of their
00:46:49.000 --> 00:46:55.849
extension. For example, in case of
migration server on PC services, which are
00:46:55.849 --> 00:47:00.260
extensions of classic Java RMI services, are
used, and on the slide you can see the
00:47:00.260 --> 00:47:07.280
list of these services. The key
issues of the automation server based on
00:47:07.280 --> 00:47:13.250
industrial PC are presented on this
slide. Firstly, as you can see, there
00:47:13.250 --> 00:47:19.790
is a possibility to spoof the files downloaded
from the application server: files are downloaded
00:47:19.790 --> 00:47:24.980
over https and there are no
security mechanisms during the process.
00:47:24.980 --> 00:47:32.000
Secondly, it's about the default
credentials. You can get access over
00:47:32.000 --> 00:47:40.740
SSH to the server with user SAM admin and
password. See him. Next, it's
00:47:40.740 --> 00:47:46.130
vulnerabilities in IPC services. These
vulnerabilities allow to
00:47:46.130 --> 00:47:50.840
perform sensitive data exposure and
remote code execution. And finally, the
00:47:50.840 --> 00:47:54.520
last group of vulnerabilities found in
the software used to fulfil the migration
00:47:54.520 --> 00:48:01.770
role for communication with SPPA-T2000, also
known as the TXP system, has a number of
00:48:01.770 --> 00:48:06.480
issues. On the migration server with old
TXP, you are in a magic
00:48:06.480 --> 00:48:14.190
position if you know about your own
obvious vulnerabilities. They are in the
00:48:14.190 --> 00:48:21.210
runtime service, as this
service contains a request runtime
00:48:21.210 --> 00:48:29.480
method where the first argument defines
the action to be executed. Using the
00:48:29.480 --> 00:48:34.620
action read file it is possible to get the
content of any file from the system. Using
00:48:34.620 --> 00:48:39.460
the write config file action it's possible to
write information to the server.
00:48:39.460 --> 00:48:46.700
And for example, it can be jar
files which execute shell commands from
00:48:46.700 --> 00:48:52.800
the command line, and using some SPPA
specific functions, you can execute these
00:48:52.800 --> 00:49:00.580
jar files later. This is all about the
automation server. To sum up, the
00:49:00.580 --> 00:49:07.540
automation server can be based on a PLC or
an industrial PC. In the case of a PLC, it's a
00:49:07.540 --> 00:49:16.420
simple PLC, a usual PLC with no security
issues. In the case of an industrial PC, it's
00:49:16.420 --> 00:49:21.990
just a Linux box, which tries to download
some additional files from the application
00:49:21.990 --> 00:49:28.639
server, and some of them are executed by the
virtual machine. So far, we haven't
00:49:28.639 --> 00:49:33.390
mentioned any network equipment used in the
distributed control system. During the
00:49:33.390 --> 00:49:41.340
research we saw a wide variety of network
devices and network infrastructure,
00:49:41.340 --> 00:49:46.820
including switches, firewalls and more
rare devices such as data diodes, for
00:49:46.820 --> 00:49:55.790
example. We tried to summarize all this
information and got a common SPPA
00:49:55.790 --> 00:50:02.160
network topology and scheme. Shown in
purple are the usual places for network devices.
00:50:02.160 --> 00:50:08.510
The same devices can be found in
other vendors' distributed control systems.
00:50:08.510 --> 00:50:13.110
Network devices in industrial networks
usually have a lot of security issues. The
00:50:13.110 --> 00:50:18.579
reason for this is that most of them don't
require any configuration before start and
00:50:18.579 --> 00:50:29.199
can be run out of the box. And that's why
the things like get NLP??? and then be
00:50:29.199 --> 00:50:35.220
coming in to stream with credentials for
different services. Firmware with
00:50:35.220 --> 00:50:43.910
publicly available exploits and
just a lack of security configurations.
00:50:43.910 --> 00:50:53.321
All these things are usual for
network devices and they are the usual
00:50:53.321 --> 00:51:01.380
security issues for the industrial
network. I think that's all. Now
00:51:01.380 --> 00:51:07.170
Gleb will sum up our discussion.
repdet: Yep. Yep. So the topic of power
00:51:07.170 --> 00:51:13.660
plants is huge. The system is huge and we
tried to cover this and there are a lot of
00:51:13.660 --> 00:51:17.690
small things in the talk. And in fact
everything can be summed up on this slide.
00:51:17.690 --> 00:51:22.550
Those are just the vulnerabilities,
as you can see, the problems in Java, in
00:51:22.550 --> 00:51:28.220
Web applications, in different simple
mechanisms that you can exploit actually
00:51:28.220 --> 00:51:33.340
directly, even without going into the PLC or field
level. You can impact the
00:51:33.340 --> 00:51:39.460
process itself. What we don't cover in
this talk is actually what
00:51:39.460 --> 00:51:44.200
havoc???? or disaster could be caused by
attacking such systems, because it's actually
00:51:44.200 --> 00:51:48.930
not that bad. I mean, they're talking about
things like blackouts of cities or
00:51:48.930 --> 00:51:54.470
things like this. This is not what you can
do with such a system, because the
00:51:54.470 --> 00:51:59.000
distribution of the power
in the grid, according to the
00:51:59.000 --> 00:52:02.100
threat model, is not the problem of the
power generation. There shouldn't be like
00:52:02.100 --> 00:52:05.950
another regulator who should watch for
like enough capacity in the network to
00:52:05.950 --> 00:52:10.860
to fill the electricity for the
customers. So what we're really speaking about
00:52:10.860 --> 00:52:17.350
here is how we can impact
there. For example, the turbine, the
00:52:17.350 --> 00:52:23.090
turbine itself, for example, but we had
no access to a real turbine. They're
00:52:23.090 --> 00:52:27.580
big, expensive, and we haven't found
anyone willing to provide us one. So we
00:52:27.580 --> 00:52:34.060
will destroy it. But the point is, we have
an educated guess like PLCs, they control
00:52:34.060 --> 00:52:38.780
a lot of parameters of this turbine. And
the turbine is like a big mechanical
00:52:38.780 --> 00:52:44.599
monster that is actually self-degrading by
working, and putting it into different
00:52:44.599 --> 00:52:49.880
uncomfortable operating modes will degrade
it even faster or it will break in the end.
00:52:49.880 --> 00:52:54.330
It's not easy. You can have a spare PLC or
some other device. You won't have a spare
00:52:54.330 --> 00:53:03.021
turbine. So the impact is there. But
it's not like very huge. So what we
00:53:03.021 --> 00:53:09.440
tried to do with this research mostly is
to understand how we can help the power
00:53:09.440 --> 00:53:14.910
plant operators out there. And we
have to find all the issues, and
00:53:14.910 --> 00:53:19.750
analysing these infrastructures and the
customer sites, we understood that all of
00:53:19.750 --> 00:53:23.950
the installations are actually the same,
and we can write a very simple do it
00:53:23.950 --> 00:53:30.249
yourself assessment. And hopefully even
like engineers on the power plants can
00:53:30.249 --> 00:53:35.050
test themselves. It is very easy. A set of
steps on two or three pages. You connect
00:53:35.050 --> 00:53:39.020
to the application network, you connect to the
automation network, you run the tests, you
00:53:39.020 --> 00:53:43.050
get the results. And afterwards you talk
with Siemens, or you can fix something
00:53:43.050 --> 00:53:47.971
by yourselves. And basically you don't
have to hire like expensive consultants to
00:53:47.971 --> 00:53:52.950
do the job. You should be
able to do it by yourself. We hope that
00:53:52.950 --> 00:54:00.620
you will be able to do it, of course. To
summarize the whole situation around
00:54:00.620 --> 00:54:07.320
DCSs: if you have seen other
industrial solutions like SCADAs, like
00:54:07.320 --> 00:54:13.210
substations, or anything actually, you would
find a lot of similarities, and the
00:54:13.210 --> 00:54:18.230
whole thing will have the same pain
points as all other solutions. There is a
00:54:18.230 --> 00:54:24.330
good document out there, IEC 62443,
which describes how a power plant
00:54:24.330 --> 00:54:29.260
operator or asset owner should talk to the
system integrator and the vendor, with the
00:54:29.260 --> 00:54:33.360
vendor in terms of what security they
should require and how they should control
00:54:33.360 --> 00:54:40.960
it. We urge any power plant operator to
read these standards and to require
00:54:40.960 --> 00:54:46.130
security from their vendors and system
integrators, because nowadays it depends
00:54:46.130 --> 00:54:49.390
on the vendor. Maybe the vendor is
more interested in the security, or the
00:54:49.390 --> 00:54:53.710
plant, or some regulator, and the like.
Nobody knows how to act. This is the
00:54:53.710 --> 00:55:00.050
document which describes how you
should talk with all other entities. Of
00:55:00.050 --> 00:55:07.680
course, read the slides, read the white
paper in January. Call Siemens, update the
00:55:07.680 --> 00:55:12.160
systems, change your passwords and
configurations. This is actually very easy
00:55:12.160 --> 00:55:18.790
to at least shrink the attack surface.
A lot of things inside the SPPA network are
00:55:18.790 --> 00:55:23.460
modern Windows boxes and it's kind of
easy to set up some form of monitoring, so
00:55:23.460 --> 00:55:27.849
you should talk to your security
operations center. They would be able to
00:55:27.849 --> 00:55:32.720
look for some logs. Not most of the
impact that we showed, like it was the
00:55:32.720 --> 00:55:36.770
input from the Java application, and
you won't be able to monitor all of these.
00:55:36.770 --> 00:55:41.770
We have like security events in Windows.
But at least it's still some form of
00:55:41.770 --> 00:55:49.440
detection process inside your network. And
again, finally, to summarize, it is not
00:55:49.440 --> 00:55:55.210
like a problem of one DCS from Siemens.
There are exactly the same issues for
00:55:55.210 --> 00:56:01.910
other vendors not mentioned here. We will
release a lot of things today, tomorrow
00:56:01.910 --> 00:56:07.210
and in January. Basically like the big
white paper about everything that we have
00:56:07.210 --> 00:56:11.149
found out; we have recommendations on what
to do, with the wordlists, with the do it
00:56:11.149 --> 00:56:16.319
yourself security assessments, with a lot
of tools. One of the tools would help
00:56:16.319 --> 00:56:19.420
you to do the research, other tools
would help you, for example, if you are
00:56:19.420 --> 00:56:24.080
using intrusion detection
systems, IDSs, you would be able to
00:56:24.080 --> 00:56:29.700
parse the protocols and maybe write some
signatures for them. We work closely with
00:56:29.700 --> 00:56:33.880
Siemens. We want to say thank you to the
Siemens ProductCERT. They did a great
00:56:33.880 --> 00:56:37.970
job in communications between us and the
product team that develops the products
00:56:37.970 --> 00:56:42.020
that Siemens SPPA team for ??? in
itself. The main outlines from the vendor
00:56:42.020 --> 00:56:47.150
response is that if you are a power plant
operator, you should hurry and install the
00:56:47.150 --> 00:56:55.339
new version 8.2 SP2. Siemens
is trying to educate and raise
00:56:55.339 --> 00:56:59.700
awareness among their customers.
First of all, they should change passwords,
00:56:59.700 --> 00:57:04.070
there are critical vulnerabilities
and they should do something about it. And
00:57:04.070 --> 00:57:10.970
not all the problems are fixable by
Siemens themselves. The operator
00:57:10.970 --> 00:57:19.310
is liable for some of the activities, to do
the security by themselves. So that's
00:57:19.310 --> 00:57:24.110
actually it. Thank you. Thank you very
much. Thank you, Congress. If you have any
00:57:24.110 --> 00:57:26.930
questions, please welcome.
00:57:26.930 --> 00:57:36.030
Applause
00:57:36.030 --> 00:57:40.790
Herald: Thank you all for this excellent
talk. We have a short three minutes for
00:57:40.790 --> 00:57:45.270
questions. If you have questions, please
line up at the microphones in the hall. If
00:57:45.270 --> 00:57:49.380
you're using hearing aids, there is an
induction loop at microphone number three.
00:57:49.380 --> 00:57:54.440
Do we have questions from the Internets?
Yes. Question from our signal angel,
00:57:54.440 --> 00:57:59.109
please.
Signal-Engel: So we've got a question with
00:57:59.109 --> 00:58:03.270
the vulnerabilities found. Could you take
over those cans from the worldwide web cam
00:58:03.270 --> 00:58:10.900
without the freedom and the minimum tax?
Herald: Can you please repeat.
00:58:10.900 --> 00:58:13.509
repdet: A little bit louder, please?
Signal-Engel: Sorry. With the
00:58:13.509 --> 00:58:19.430
vulnerabilities found, could you take
control over those plants worldwide
00:58:19.430 --> 00:58:26.560
from the public Internet, without further
amending the ??? ?
00:58:26.560 --> 00:58:31.069
repdet: Actually, no. This is
some form of the good news.
00:58:31.069 --> 00:58:35.010
Those systems are exclusively supported by
one system integrator, by Siemens. They
00:58:35.010 --> 00:58:39.400
are more or less protected from
external access. Of course, there would be
00:58:39.400 --> 00:58:43.830
external access, but it's not that easy to
reach it. And of course, we're not
00:58:43.830 --> 00:58:46.569
talking about the Internet. We're talking
about some corporate networks or things
00:58:46.569 --> 00:58:50.420
like this.
Herald: Next question, microphone three,
00:58:50.420 --> 00:58:54.500
please.
Mic. 3: Yes, hello. Uh, I also have a
00:58:54.500 --> 00:59:00.070
power plant on my planet and, uh, it's
kind of bad for the atmosphere, I figured.
00:59:00.070 --> 00:59:05.670
So, uh, my question is, can you skip back
to where the red button is to switch it
00:59:05.670 --> 00:59:14.460
off? And I'm asking for a friend.
Laughter, Applause
00:59:14.460 --> 00:59:18.750
repdet: We never thought that
these materials could be used in this way.
00:59:18.750 --> 00:59:24.920
But yeah. Specifically, if you have
operator or engineer friends at the
00:59:24.920 --> 00:59:29.530
power plants, you can talk to them.
Herald: Do we have any more questions from
00:59:29.530 --> 00:59:38.410
the Internets? No questions. Any questions
from the hall? I guess not. Well, then,
00:59:38.410 --> 00:59:41.401
thank you very much for this talk and a
warm round of applause.
00:59:41.401 --> 00:59:45.901
Applause
00:59:45.901 --> 00:59:48.771
36c3 Postroll music
00:59:48.771 --> 01:00:13.000
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!