36C3 - On the insecure nature of turbine control systems in power generation

0:00 - 0:20

36C3 Preroll music
0:20 - 0:23

Herald: One of the obvious critical
infrastructures we have nowadays is power
0:23 - 0:30

generation. If there is no power, we're
pretty much screwed. Our next speakers
0:30 - 0:35

will take a very close look at common
industrial control systems used in power
0:35 - 0:43

turbines and their shortcomings. So please
give a warm round of applause to repdet,
0:43 - 0:45

moradek and cOrs.
0:45 - 0:52

Applause
0:52 - 0:59

repdet: Good morning, Congress. Thank you
for waking up in the morning. We will talk
0:59 - 1:05

about the security of power plants today,
specifically about automation systems,
1:05 - 1:11

that are used in the power plants up. You
might think that this is another talk
1:11 - 1:18

about how insecure the whole industrial
things around us are and more or less it
1:18 - 1:25

is. So for four years, we are we and our
colleagues speak about problems in
1:25 - 1:31

industrial security. We are happy to say
that things are getting better, but it's
1:31 - 1:34

just that the temper is a little bit
different and feels a little bit
1:34 - 1:39

uncomfortable though. Anyway, we will
speak about to like how a power plants are
1:39 - 1:43

built. What is the automation inside? What
are the vulnerabilities? And like the high
1:43 - 1:49

level overview of what you can do with
this. But up at first a little bit of
1:49 - 1:57

introduction. We are security consultants.
We work with a lot of industrial things
1:57 - 2:03

like PLC, RTuse, SCADAS, DCSs, LCS
whatever it is, we were doing this for too
2:03 - 2:10

long. We should have fought, for so long
that we have a huge map of contacts with a
2:10 - 2:16

lot of system integrators and vendors. And
from the time we are not just doing the
2:16 - 2:21

consultancy work for some asset owner, for
example, for a power plant. We also talk
2:21 - 2:27

to other entities and we try to fix
things altogether. We work at Kaspersky
2:27 - 2:32

and actually the whole research was done
not just by me, Rado and Alexander, who
2:32 - 2:44

are here, but also with the help of
Eugenia and two Sergeys. Yep. So things
2:44 - 2:49

that are very important to note is that
everything that we will discuss right now
2:49 - 2:58

is reported to our respective vendor.
Basically long time ago you can see like
2:58 - 3:03

vendors here, but more or less we will
speak only about one vendor today. It's
3:03 - 3:10

it's it is Siemens. But we would like you
to understand that a similar security
3:10 - 3:15

issues can be found in all other
industrial solutions from other vendors.
3:15 - 3:20

You would find some of the findings, not,
for example, that seller does not require
3:20 - 3:26

like weeks off work to find them out. And
this would be through specifically for all
3:26 - 3:33

other vendors which are not mentioned in
the talk. Jokes aside, we will share
3:33 - 3:42

security issues of real power plants out
there and it might look like we are we are
3:42 - 3:49

kind of irresponsible guys. But in fact,
this is the other way around. I mean that
3:49 - 3:54

to do some kind of research on with these
systems that are working in the power
3:54 - 4:00

plants, you need to get access to them.
You need time to do this research. You
4:00 - 4:06

need to have some knowledge to do this
research and all these resources, they are
4:06 - 4:10

limited for guys like us, for penetration
testers, for auditors, for power plant
4:10 - 4:16

operators and engineers, but for the bad
guys like the potential attacker or so
4:16 - 4:22

adversaries. This is actually their job.
They they have a lot of investments to do
4:22 - 4:28

some research. So we assume that bad guys
already know this. And we just we would
4:28 - 4:33

like to share some information with the
good guys so they would be able to act
4:33 - 4:42

upon this. So let's go to the talk itself.
Power plants, power plants is the most
4:42 - 4:49

common way how humans get their power,
their electricity, their every everywhere
4:49 - 4:54

around us. And there I believe the closest
one to Leipzig is called the Lippendorf
4:54 - 4:59

power station. And during this research
when we were preparing an introduction, we
4:59 - 5:02

were surprised how many information about
power plants you can get from the
5:02 - 5:07

Internet. It's not just, for example, a
picture of this of the same power station
5:07 - 5:15

on the Google Maps. It is actually a very
it's a very good scheme of what you can
5:15 - 5:20

see on the marketing materials from
vendors, because when they sell some
5:20 - 5:24

system that ultimate power plant
operations, they sometimes start with
5:24 - 5:30

building construction. And on their on
their websites, you can find the schematic
5:30 - 5:34

pictures of actually which building does
what and where you will find some
5:34 - 5:40

equipment, which versions of equipment are
used in these systems. But if you like, if
5:40 - 5:45

you don't have this experience, you can
just Google things and you will find out
5:45 - 5:50

which systems are used for automation in
power plants, for example, for Lippendorf
5:50 - 5:57

it's some system that is called Siemens
SPP T2000 and P3000, which is actually
5:57 - 6:03

have another Siemens system inside called
Siemens SPPA-T/P3000. So it's a little bit
6:03 - 6:10

confusing and it is. And we are still
confused. This is exactly the system that
6:10 - 6:18

would be that we will focus today. Siemens
SPPT 3000. And again, it could be any
6:18 - 6:24

other automation system, but it just
happened the way that we've seen this
6:24 - 6:32

system more and more often than others. Up
there is a way how you can actually see
6:32 - 6:38

older generation sites throughout the
world. Thanks to their carbon monitoring
6:38 - 6:43

communities, this is not just power
plants. This is also like nuclear sites,
6:43 - 6:49

wind generation, solar, solar plants, etc.
and etc. They are all here, marked by
6:49 - 6:56

different fuel types of generation. For
example, there is a coil and gas power
6:56 - 7:03

plants. Mark, marked there. So the topic
is really huge. And like what we will
7:03 - 7:09

focus today in our talk is mostly the
power plants which are work on coal and
7:09 - 7:14

gas, which is important to mention. The
heart of each power plant is actually a
7:14 - 7:18

turbine. We don't have a picture of a
turbine on the slides, but more or less, I
7:18 - 7:24

think everybody saw it on the airplane.
There are various that there are similar
7:24 - 7:31

specifically in terms of size and mostly
how they work up on different vendor's Web
7:31 - 7:37

sites. You can actually find a lot of
information where those turbines are used.
7:37 - 7:44

And this is, for example, the map of the
turbines from Siemens. Not all turbines
7:44 - 7:48

specifically are used in power plants. So
there have a lot of different applications
7:48 - 7:53

like chemical plants, oil and gas. A lot
of other things. But if you correlate this
7:53 - 7:57

information from previous slides, you
would be able to identify which systems
7:57 - 8:01

are used by which power plant. And if you
will, Google more information, you can
8:01 - 8:05

actually tell their versions and the
generations of the systems that are used
8:05 - 8:10

on these power plants. This is important
because of the vulnerabilities that we
8:10 - 8:17

will discuss later on on the slide. So
before we will speak about so what is the
8:17 - 8:22

automation on power plants, we should
understand a little bit how they work. So
8:22 - 8:28

we will go from right to left and it's
very easy. A little a little noticed. For
8:28 - 8:31

all the talk, we will simplify a lot of
things for two reasons. One of them to
8:31 - 8:37

make it more suitable for the audience.
And another thing. We don't really
8:37 - 8:43

understand everything by ourselves. So the
first thing you should get is a fuel. Fuel
8:43 - 8:49

could be, for example, a coil or coal or a
gas. And you will just put this inside the
8:49 - 8:55

combustion chamber where you would put it
to set it up on fire, actually. And it
8:55 - 8:59

will generate a lot of pressure which will
go to the turbine. And because of the
8:59 - 9:05

pressure, the turbine will begin to
rotate. The turbine, have a shaft which
9:05 - 9:10

will drive the electricity generator,
which is obviously will generate
9:10 - 9:16

electricity and put it on the power grid.
So it is important from now I want to
9:16 - 9:21

understand that when we generate some some
electricity on the power plant, we put
9:21 - 9:28

this this power not just for, for example,
for this Congress center or for some city.
9:28 - 9:34

We put it in a big thing called the power
grid, where other entities will sell this
9:34 - 9:40

electricity to different customers.
There is also very interesting point about
9:40 - 9:46

like, when we do generate this pressure
and the combustion chamber is on fire, we
9:46 - 9:51

have a lot of excessive heat. And we have
two options like one of them is to safely
9:51 - 9:55

put it in the air. We have condensing
towers. This is option number one. And
9:55 - 10:01

another option is we can do some form of
recuperation. For example, we would take
10:01 - 10:07

this heat. We will warm water. The water
will produce steam. And we will put this
10:07 - 10:12

steam in the steam turbine and produce
additional electricity. This is kind of
10:12 - 10:20

the optimization of some of some form. So
what is the automation in this process?
10:20 - 10:24

The automation systems that are used on
the power plants are usually called
10:24 - 10:31

distributed control systems or DCSs. And
everything that I just said that it just
10:31 - 10:37

described actually is automated inside
those systems. The vendor of the solution
10:37 - 10:42

want to simplify all things for the
operator, because we don't want like
10:42 - 10:46

hundreds of people working on the power
plant. We just want like maybe dozens of
10:46 - 10:51

people working there and they want to
simplify the whole the whole process of
10:51 - 10:56

length. They don't care about where they
get this ???, gas or coal how much they
10:56 - 11:01

need it. They just should be able to stop
the generation process started. And they
11:01 - 11:05

control one main thing, which is called
how much power we should produce to the
11:05 - 11:13

power grid. So like how many megawatts of
electricity we should produce. This is
11:13 - 11:20

this. This describes the actually the
complexity, complexity hidden inside these
11:20 - 11:24

solutions because there are a lot of small
things happening inside and we will
11:24 - 11:29

discuss it a little bit later. As I said,
this GCF says they're not exclusively used
11:29 - 11:34

on the power plants. There are a lot of
other sites that would use the same
11:34 - 11:40

solutions, the same software and hardware.
The DCS is not just like a software that
11:40 - 11:45

you can install. It's a set of hardware
and software, various inputs, output,
11:45 - 11:50

models, sensors, etc., etc.. As I said,
sometimes they start from building
11:50 - 11:55

construction of like there is a field.
Please build a super power station. So
11:55 - 12:01

it's a more complex projects. Most, most
of the time. There are a lot of vendors
12:01 - 12:06

that are doing it. As I said, we are
focusing on this stock, on the Siemens
12:06 - 12:16

one. Just a short little short description
of how simplified things are for operators
12:16 - 12:21

of this DCA software. So, for example, if
we would like to answer the question how
12:21 - 12:28

we would regulate the output and megabytes
of our power plant, we would need to
12:28 - 12:33

control basically three things. Again, we
are oversimplifying here. First of all,
12:33 - 12:38

you would control how many. This is an
example for there for the gas turbine. So
12:38 - 12:43

we would need to regulate how many? Guess,
we would put inside the combustion chamber
12:43 - 12:49

where would control the flame temperature.
And we will control the thing that gets
12:49 - 12:55

air inside the turbine that basically
three things that are controlled by simple
12:55 - 13:00

peel cease in the whole system. And you
would be able, for example, to change 100
13:00 - 13:09

megawatts to 150 megawatts based on these
settings. So the system itself that we are
13:09 - 13:15

going to discuss is called Siemens
SPPT3000. And actually, again, as allow
13:15 - 13:22

all other DCA systems or from other
vendors. This is a typical industrial
13:22 - 13:29

systems system. It has all these things
called plcs, RTUse, to use HMAS, servers,
13:29 - 13:34

OPEC traffic, et cetera, et cetera. The
only thing that has a difference
13:34 - 13:41

specifically for Siemens as SPPT3000 is
that they have two main things called
13:41 - 13:46

application server and automation server.
That's this software running on the
13:46 - 13:53

servers is not what you will find on other
installations. Despite the fact that there
13:53 - 14:00

are a lot of like if you will read the
manuals for for the systems from Siemens.
14:00 - 14:07

There would be a lot of different networks
and highways and a lot of things like
14:07 - 14:11

Siemens would state that there is no
connection between the application network
14:11 - 14:18

and external networks. In practice and in
reality, you will find things like spick
14:18 - 14:23

sensor network, like monitoring both
vibration, foreign objects and some noises
14:23 - 14:29

inside the turbine. You will find the
demilitarized zone because all in all,
14:29 - 14:34

like all power plant operators, they won't
have like onsite maintenance guys,
14:34 - 14:38

engineers. They would try to do a remote
support. They would need to install
14:38 - 14:43

updates for operating system, although for
their signatures of their anti viruses,
14:43 - 14:46

they would need to push some opposite
traffic. So like information about the
14:46 - 14:51

generation process outside either to
corporate network or to some regulator,
14:51 - 14:54

because the whole energy market is
regulated and there are different entities
14:54 - 14:59

who would monitor common electricity
generation or they basically will tell you
14:59 - 15:03

how many electricity you should generate.
Because this is common electricity was
15:03 - 15:09

sold on the energy market. Basically,
the whole talk is structured like this. We
15:09 - 15:14

will speak first about application server,
then automation server and then some
15:14 - 15:21

summary. It all started with the process
called Coordinated Vulnerability
15:21 - 15:28

Disclosure. We notified Siemens about some
issues almost a year ago and like a month
15:28 - 15:35

at the beginning of December, Siemens
published an advisory. It was it was not
15:35 - 15:40

an advisory just from from the issues,
just from us. A lot of other teams also
15:40 - 15:46

contributed to it. And this December, this
year, December, doesn't mean that Siemens
15:46 - 15:51

just released the patches. When they say
that this system, SPPT3000, is exclusively
15:51 - 15:56

supported. So the system integrator for
the system is Siemens itself. So
15:56 - 16:00

throughout the year after we notified them
about some security issues, they started
16:00 - 16:06

to roll out patches and install updates on
critical infrastructure they support and
16:06 - 16:13

hopefully they did it with all the
sensitive issues. There is a lot of things
16:13 - 16:19

to discuss here we will skip, because we
are a little bit in a hurry. Things like
16:19 - 16:24

not all vulnerabilities are the same. And
we use, for example, CVSS here to talk
16:24 - 16:28

about like how critical the vulnerability
is, but it's actually not very applicable
16:28 - 16:34

to the industrial sites. You should
understand what you can do with each
16:34 - 16:39

vulnerability, how you can impact the
process, and we will skip this part. There
16:39 - 16:45

is actually kind of a threat model in the
white paper that we will release later on,
16:45 - 16:53

like during January. We will hope. So,
application server, application server is
16:53 - 17:03

this main is is a main resource that you
would find in the SPPT3000 network. Like
17:03 - 17:08

if if someone will remotely connect to the
system, it would end up in application
17:08 - 17:12

server. If someone wants to start the
generation process or to change some
17:12 - 17:18

values, it would be the application
server. If there are other servers that
17:18 - 17:21

would, for example, try to communicate the
application server, they will actually
17:21 - 17:26

start their work by downloading their
software from application server and then
17:26 - 17:32

executing it. So the first thing you might
notice here is there are a lot of a lot of
17:32 - 17:38

network ports available on this on this
machine. And actually, this is the first
17:38 - 17:45

point. There is a, a huge attack surface
for that bursary??? to choose whether or
17:45 - 17:49

not he would like to compromise some
Siemens software or its Windows software
17:49 - 17:55

or its some another third party. Huge
attack surface starting from the fact that
17:55 - 18:01

there are, all of the installation of this
SPP systems are kind of different. So
18:01 - 18:06

depending on the version and other
generation, you can find different Windows
18:06 - 18:18

versions from 2003 to 2016. Hopefully they
are all updated right now, but because the
18:18 - 18:24

that the update process for such as for
such installations is is a hard thing to
18:24 - 18:29

do. I mean you should wait for maintenance
and it should be like maybe once in a
18:29 - 18:33

healthy year or once a year. You will
always find some window where you can use
18:33 - 18:38

some remotely exploitable vulnerabilities
like the eternal blue or blue keeper mark
18:38 - 18:45

mentioned on the slide. There is tons of
different additional software like all
18:45 - 18:49

signwin??? that will allow you to do
privilege escalation, badly configured
18:49 - 18:55

Tomcats and we have here this funny pie
charts that show how configuration of
18:55 - 19:00

different software is aligned with the
best practices from CIS benchmarks. Those
19:00 - 19:07

are those are basically security
configuration gardening guides. The most
19:07 - 19:13

important thing in the application server
is a lot of Java software and in a minute
19:13 - 19:19

repdet will tell you about this. Surprise,
surprise there, the one of the most
19:19 - 19:28

notable problems in this Siemens SPPT3000
is actually passwords. There, there are
19:28 - 19:32

three important ranges. The first the
first of them is like what's all the
19:32 - 19:40

installations before 2014 and maybe 2015.
All passwords for the for for all the
19:40 - 19:44

power stations were the same. And you can
easily Google them. We've also published
19:44 - 19:50

like the full world list in the white
paper. After this year's Siemens started
19:50 - 19:58

to generate the unique passwords for all
power plants. But until this year, it was
19:58 - 20:02

kind of hard to change this password. So
you need to be aware of how to do this.
20:02 - 20:04

You need to know the process. You maybe
need to contact to contact your system
20:04 - 20:08

integrator to do this. Starting up from
this December, it would be much easier
20:08 - 20:14

specifically to change passwords. So it's
in the past. Even if you know, you have
20:14 - 20:20

you have these issues, you were not able
to simply change or all these things.
20:20 - 20:24

Along with the passwords, passwords, you
can find the like the full diagrams and
20:24 - 20:30

the integrator documentation that can show
you how the system is built, how it's
20:30 - 20:34

operating, specific accounts, etc, etc. Of
course, this was not published by Siemens,
20:34 - 20:39

thouse some power plant operators who
thought that would be a good idea to share
20:39 - 20:45

this information. So as I said, the most
important thing the application server is
20:45 - 20:49

a bunch of Java applications and please
welcome moradek will share the details
20:49 - 20:57

about this.
Applause
20:57 - 21:01

moradek: Hi, everyone. Let's look at how
this perverse software works on aplication
21:01 - 21:07

server. The operator can communicate with
system through at Thin client and Fat client
21:07 - 21:16

and. A Thin client act as Java applet
inside Internet Explorer browser and
21:16 - 21:23

communicate with server through HTTPS, so
it can be outside of application of fork
21:23 - 21:29

and its communications can be constrained
by a firewall. In opposite in case of Fat
21:29 - 21:35

client, software should be installed on
operator machine and client directly
21:35 - 21:41

communicates with RMA registry to find
services. And after that directly
21:41 - 21:50

communicates with this myservices. So Fat
client should belong to application fork.
21:50 - 21:58

Illustration of where architecture was
kindly provided by SPPA throws a URL. Not
21:58 - 22:04

to be missed, let divided into spaces in
red zone. The items that brought this
22:04 - 22:11

request from Thin client and redirect them
to rmyservices. And in green zones there
22:11 - 22:18

are myservices which act as network
services on their name on TCP ports. SPP
22:18 - 22:24

consists of containers, each container can
encapsulate inside one or more or
22:24 - 22:32

myservices. All type of containers are
represented on illustration and all of
22:32 - 22:40

them have self explanatory names. Before
we going deep inside in tunnels office
22:40 - 22:45

PPA, let me introduce some tools which
used in this research. First of all, old
22:45 - 22:52

jars files inside this PPA are obfuscated
with commercial product. But these
22:52 - 22:59

security measures can be easily bypassed
by public available tool the Obfuscator.
22:59 - 23:06

Elswhere sometimes it is useful to see how
legit software communicates with system.
23:06 - 23:14

It helps to understand architecture of
system and workflow of clients. In case of
23:14 - 23:22

PPA it my district was written, it
represents a role TCP streams in human
23:22 - 23:30

readable format inside it. Use method read
object from jsdk. It is known that this
23:30 - 23:35

method is unsafe to insecure
diserealisation, so be careful not
23:35 - 23:43

to be exploited through remote pickup. The
first pillar of SPP it's apache webserver.
23:43 - 23:52

According it config folder or software
config can be accessed by unauthorized
23:52 - 23:59

user. In fact, this folder contains some
sensitive information of system. For
23:59 - 24:07

example, files PC system configuration,
datasmells and files inside. If C contain
24:07 - 24:15

startup options and configuration of all
containers either application work or
24:15 - 24:21

automation work. Else configuration of
Oracle and publication in Tomcat DLC can be
24:21 - 24:26

accessed using this vulnerability. And about
Tomcat. There are three web
24:26 - 24:34

applications registered, remote diagnostic
viewer, manager and orion. According to
24:34 - 24:39

configuration of Tomcat, it's apache
webserver. I've observed as a ordering
24:39 - 24:49

service can be accessed through HTTPS and
uh, in the file web dot xml there are list
24:49 - 24:57

of all servlets of orion application and the
list is really huge. So some of these
24:57 - 25:05

servlets have attractive name forTiger, for
example, brow seservlet. In fact it allows
25:05 - 25:13

a third of the user directory, and listing
directories of operation system. But in
25:13 - 25:20

case of exploitation another servlet is
more attractive. File upload servlet it
25:20 - 25:29

allows you allows on the file upload with
system parameters based you in touch with
25:29 - 25:35

me in full control the name of the file.
So this vulnerability can be easily
25:35 - 25:39

transformed to a remote code execution.
You can override some startups scripts
25:39 - 25:46

office PPA or simply inject a shel in the
application and get the remote code
25:46 - 25:55

execution with system rights. Also there
are some set alerts which contains good
25:55 - 26:04

service factory names. In fact, they
redirect http request to my services.
26:04 - 26:12

Inside they passed around to foreign http
requests and search desirable my servives.
26:12 - 26:20

According to parameter service url and
further invoke go to the public method of
26:20 - 26:26

security service. And the name of the
method defined in centralized object in
26:26 - 26:34

the data section of which to progress.
Else parameters, the parameters of these
26:34 - 26:43

goals are also defined in this object. So
now we have situation one Thin client and
26:43 - 26:52

Fat client can access my services, but in
case of Fat client, it, it can also
26:52 - 26:59

directly communicate with RMA registry. So
if application server missed some
26:59 - 27:04

important java security updates, it
contains insecure deserialization
27:04 - 27:13

vulnerability. And using public to use
serial we can simply exploit it and get a
27:13 - 27:19

code execution with system rights again.
The next task will be to list all
27:19 - 27:26

available rMyservices on this SPPA system.
At first step, we simply use class look at
27:26 - 27:35

triggers and Java SDK and get a big list
of services. All but one jmakes it to
27:35 - 27:43

myservices, I assume that they perform
some general interface for com, for
27:43 - 27:53

control and manage containers of SPPA. For
the further investigation we only choose
27:53 - 28:01

LookUp Service. In fact, this service
looks like some a collection of another
28:01 - 28:10

RMA services using its public method list
we get the name of all available services
28:10 - 28:18

and using the name and public method
lookup we get the reference of RMA
28:18 - 28:27

service. All RMA services in this tip
implement interface satisfactory. So
28:27 - 28:36

buttons as this. We can assume that and
that this is a game collection of another
28:36 - 28:41

RMA services. But in fact it doesn't have
public method to get the name of the
28:41 - 28:53

service. So we need to decompile. So we
need to decompile the class and find some
28:53 - 29:00

factory methods which create RMA service,
for example, create adminscript and
29:00 - 29:08

inside we can find as the name of the
created service. As it can be guessed,
29:08 - 29:14

it's admin service. So using public
method, get service in this name, we find
29:14 - 29:23

that I gets the reference to the next
level RMA service and in final step we get
29:23 - 29:31

the reference to RMA services which
perform real job SPPA. But it this RMA
29:31 - 29:39

service also contains a lot of public
methods for unauthorized user. So to sum
29:39 - 29:46

up which referes registry and at each
level we find a lot of RMA services. And
29:46 - 29:54

as the last item also contains a lot of
public methods. So the attack surface of
29:54 - 30:02

Supply C system is really huge. Now when
we list all available RMA services, the
30:02 - 30:10

next question is how does authentication
of client request performs on the system?
30:10 - 30:16

To answer this question, let's look how
client requests to security service
30:16 - 30:22

processed from system. First of all,
clients get the reference to security
30:22 - 30:31

service using some client ID. Further
PCServiceFactory tries to get valid
30:31 - 30:38

session. Using this clientID in
SessionManager. If SessionManager will
30:38 - 30:45

failed in his task, the exception will be
throat and client will be failed. But if
30:45 - 30:54

it succeeds, valid sessionID will return
to PCSfactory. And further in its turn
30:54 - 31:01

instance of SecurityService will be
created in factory method. While the
31:01 - 31:12

session Id will be stored in loginID inside
SecurityService. And finally client will
31:12 - 31:19

get the reference to Security Service.
Further he can call some public method of
31:19 - 31:29

it. But as this method can perform
privileged checks of user using loginId in
31:29 - 31:36

SecurityManager. So to sum up, we have two
security measures in this system. But as
31:36 - 31:42

is the question how user client can
perform login operation. If he doesn't
31:42 - 31:48

have any valid clientID. In this case,
it's start up of the system,
31:48 - 31:54

SessionManager will be added on anonymus
session with clientID that equals zero.
31:54 - 32:00

And client will use this clientID, and
perform login operation. But attacker can
32:00 - 32:07

also use this feature and simply bypass
those look. So to sum up, there is only
32:07 - 32:15

one security measure on the system ends
and each fully delegated to two method or
32:15 - 32:22

for RMA services. But amount of itemized
services is huge, amount of public methods
32:22 - 32:29

is really huge. And so it's become really
difficult to manage security service of
32:29 - 32:40

system. According to this information. So
we know we know all inputs of system. We
32:40 - 32:45

know all possible security measures or
systems. So it's time to find
32:45 - 32:53

vulnerabilities in the list of RMA
services. This one, which looks so
32:53 - 32:58

attractive, its admins service, it can be
accessed with a anonymus session inside.
32:58 - 33:04

If this public method transcript, this
method doesn't perform any privileged
33:04 - 33:13

checks, so we can call its resulting
Ternium credentials and so on. At first
33:13 - 33:20

step, these methods creates instance of
class loader using bytes from arguments
33:20 - 33:27

and in fact this step will allow to
arbitrary java class. This class should
33:27 - 33:34

implement interface admins screams and
defined method to execute and this method
33:34 - 33:43

to execute will be called by run script of
RMA services. For this case we create Java
33:43 - 33:51

class as a simply run os common from
arguments of run script. And we get code
33:51 - 33:59

execution on the system, we system, right?
Of course, there's a more powerful post
33:59 - 34:06

exploitation of this vulnerability than
simply run os command. You can. This
34:06 - 34:14

vulerability allows inject arbitrary java
class inside running its SPPA application
34:14 - 34:25

so you can use some Java reflection to to
patch some variables of system and and
34:25 - 34:36

have influence on technological properties
of SPPA. Else, privilege check inside
34:36 - 34:44

methods of RMA service can be bypassed
with SEC vulnerability in session service. This
34:44 - 34:50

service has public method
getloggingsessions(). In fact, this method
34:50 - 34:59

return all sessiondata of loginin users on
the system. This information includes user
34:59 - 35:10

names, IP and client Id. So if it this
amounts these clientId of user that has
35:10 - 35:17

some admin privileges, attacker can use
this clientId to get a reference to
35:17 - 35:23

security service and this reference will
be with some more privileged session.
35:23 - 35:36

Further further, attacker can goal public
method of security service, get all users
35:36 - 35:43

and get all private information about all
users of the system and password hashes
35:43 - 35:54

included in this private information. So
to sum up, we have to or both of these
35:54 - 36:07

vulnerabilities can be accessed through
https and federal rules can be bypassed.
36:07 - 36:14

In general, all communication with RMA
services are encrypted. So usernames and
36:14 - 36:25

password hashes are transfered in plain text.
This is this because, this is more critical for
36:25 - 36:38

for Fat client case. So more all passwort
hashes doesn't perform any doesn't have
36:38 - 36:44

any session protection mechanism. So if
attacker can perform when and zoom into a
36:44 - 36:52

key attack against some user office prior
and captures the traffic between this user
36:52 - 36:59

and application server, he can get valid
username and password hash of the system
36:59 - 37:06

and simply reuses this credentials and
perform login operation on the system.
37:06 - 37:14

More. over, he also can change the
password of this user. I talk a lot about
37:14 - 37:19

user names and password hashes, so it's
time to understand how these items
37:19 - 37:27

organized on the system. Alex.
Alex: Hello everyone. I will continue our
37:27 - 37:33

discussion about application server. On
the previous slide you can see how remote
37:33 - 37:43

authentification works. Now. Sorry, I
repeat. On the parent slide you could see
37:43 - 37:50

how remote authentification works. And
now I'm going to tell you about how it is
37:50 - 37:58

organized locally. After the system, after
system gets started, it begins to read two
37:58 - 38:05

files: user1.xml and pdata1.exm to get
user list and their password respectevly.
38:05 - 38:12

The user1 file is the simple xml while the
data1 has a slightly more difficult
38:12 - 38:18

structure. It is jzip archive encoded in
base64, so as java actualization object in
38:18 - 38:24

jzip archive contained in a specific xml.
The field of this xml presents on the
38:24 - 38:30

slide. They are used to calculate cash
value and check passport during their
38:30 - 38:37

authentification. On the buttom of the
slide you can see password check algorithm
38:37 - 38:45

in a pseudo code. It's a photographic scam is
the type of called crypted hashing scheme
38:45 - 38:52

like on Unix and Linux machine. It has a
number of iterations salts and only one
38:52 - 38:57

things is edited was, was edited that is
hardcore the salt, which is the same for
38:57 - 39:04

all user. The tool for password, as a tool
to extract password hashes and set
39:04 - 39:12

parameters from the data1-file had been
developed on this slide. You can see its
39:12 - 39:18

output as a tool. The tool can be used
during the password auditing, them to
39:18 - 39:23

check her password to check week or
dictionary password and their actual hash
39:23 - 39:32

collision parameters. A tool is available
at the link below. And draws the line,
39:32 - 39:41

draws a line on the application server
analysis first, as we have seen, attack
39:41 - 39:47

surface is really huge and includes a lot
of different components. Secondly, it's
39:47 - 39:57

about remote connections. What's that
about? Whether SPP has remote connection
39:57 - 40:00

or because no remote connection. I
couldn't I couldn't do end this or someone
40:00 - 40:13

else, who told you? You should check it
anyway. And the last thing is a attacker
40:13 - 40:19

has opportunity to impact power generation
process. For example, it can start stop
40:19 - 40:26

generation, change some output value. Or
get some additional information about
40:26 - 40:32

generation process and all this. Action
can be done from application server. It's
40:32 - 40:41

all about application server. And let's
start discussion about automation. Its
40:41 - 40:46

main goal of automation server is to
execute realtime real time automation
40:46 - 40:54

functions and tasks depending on a
depending on the power plant project
40:54 - 41:01

architecture and its features. They're all
over automation server can be different. We have
41:01 - 41:07

to distinguish three roles. The first one
is automation role. They may be a slight
41:07 - 41:14

confusion because the term is used was for
server and for it's role, but analyzing
41:14 - 41:19

uplink automation server configuration and
publicly available information we have
41:19 - 41:25

found that whatever the role is, almost
the same hardware and software are used
41:25 - 41:34

and we have decided to use these kind of
classifications. That seems less confusing
41:34 - 41:41

to us. At the same time, it's slightly
different from the Windows
41:41 - 41:49

classification anyway. I mean, in
automation role, automation role means
41:49 - 41:53

that the server is responsible for
interaction with input-output modules to
41:53 - 41:58

each control and monitor power plant
equipment such as turbine electric
41:58 - 42:05

generator or some some other. The second
role is communication in this role. This
42:05 - 42:10

role is used for connection the third
party software and system in other words
42:10 - 42:19

it's just a protocol converter supporting
such protocols as modbus, I see 101, 104
42:19 - 42:25

and some other. And the last roll is a
migration role. This role is used to
42:25 - 42:33

connect previous version or for SPPA-T2000
and as legacy systems such as SPPA- 80
42:33 - 42:43

2002, or tel per MI.. Automation role in
automation server in automation role can
42:43 - 42:52

be run on the semantic SLMPC and in an
industrial or industrial P.C.. Other roles
42:52 - 42:56

can be run only on industrial PCs. Now
let's talk a little more about each role
42:56 - 43:04

and let's start with automation role based
on PLC. PLC I will directly control field
43:04 - 43:10

devices like voles and turbine and access
to them in excess numbers. The game
43:10 - 43:17

over for any security discussion. They
usually represent low, the lowest level in
43:17 - 43:22

different reference models, such as do
model, for example. Any credential, any
43:22 - 43:28

configuration changes and updates for PLC
required to stop to stop technological
43:28 - 43:34

process. So these devices always have
security misconfiguration, firmware,
43:34 - 43:40

visible security updates and secure
industrial protocols. In case of SPPA they
43:40 - 43:48

are assembler ??? (Server???) protocols
LCT data. ??? Logic information about its
43:48 - 43:54

own protocols in the internet, but not so
much about PLC data protocol. So we had to
43:54 - 44:02

deal with it and analyze it ourselves.
It's not a special protocol for SPPA. When
44:02 - 44:07

you program your Symantec, PLC an need to
exchange some that some data between them
44:07 - 44:15

in real time. You use this protocol. It's
a quite simple protocol and maybe its
44:15 - 44:21

description is available somewhere in the
internet. But we couldn't find it. So just
44:21 - 44:29

the case show you need structure. In ways
that knows security mechanism in this
44:29 - 44:36

protocol, so, so, so only obstacle while
do remain in the middle attack to spool
44:36 - 44:41

data in the sequence number, which we can
get from a packet that just follows the
44:41 - 44:48

implementation. For practical analyses we
have developed the sector, which is
44:48 - 44:55

available at the link below. During the
security assessment of PLC configurations,
44:55 - 45:02

one of the main things, which we check, is
unauthorized access to the two reading and
45:02 - 45:10

writing PLC memory. Availability of
unauthorized access is determinate by
45:10 - 45:17

position of the mod selector of the PLC
and some other configuration parameters.
45:17 - 45:23

During the previous research conducted to
one of our colleg Daniel Parnischev???? is
45:23 - 45:31

a privilege matrix has been obtained. They
shows unsecure states and configurations
45:31 - 45:37

of PLC. The tool for gathering information
from the PLC. over the network and its
45:37 - 45:42

analysis has been developed by Danil and
also available in our repository. Now
45:42 - 45:48

let's talk about application server based
on industial PC. Its just a Linux box.
45:48 - 45:52

During the start it tries to download some
additional files from the application
45:52 - 46:00

server. This file includes to include jar
files, the bar scrapes, some configuration
46:00 - 46:07

protocols files and some other. You know,
to execute jar files PTC Perc virtual
46:07 - 46:15

machine is used. Is it a runtime java
machine widely spread in industrial IJ and
46:15 - 46:23

military area. PTC Perc contains a
completion mechanism. So that is all jar
46:23 - 46:28

files contains a bitecode transformation.
That's why regularly decompiles Fails
46:28 - 46:36

exam. To solve this problem, we have
written a php script to perform reverse
46:36 - 46:44

transformation. After that, regular
decompilers have been successful. Running
46:44 - 46:49

jars open RMI services on the automation
server and the sound ??? of their
46:49 - 46:56

extension. For example, in case of
migration server on PC services, which are
46:56 - 47:00

extension of classic Java RMA services are
used and on the slide you can see is the
47:00 - 47:07

list of of these services. Just the key
issues of automation. So based on
47:07 - 47:13

industrial PCM present represents just
light. Firstly, as you can see, it's there
47:13 - 47:20

is a possibility to spoof downloaded files
from application server files downloaded
47:20 - 47:25

over https and there are no security
security mechanisms during the process.
47:25 - 47:32

Secondly, it's about the default
credentials. You can get access over SSH
47:32 - 47:41

SSH to server vs user SAM admin and
password. See him next. It's
47:41 - 47:46

vulnerabilities in archives in our around
IPC services. This will not be allowed to
47:46 - 47:51

perform sensitive data explosion and
remote code execution. And finally, the
47:51 - 47:55

last group with vulnerabilities found in
the software used to feel an immigration
47:55 - 48:02

role for communication vs SB 82000, also
known as the DSP system has a number of
48:02 - 48:06

issues on the immigration server vs old
TXP. You are not. You are in magic
48:06 - 48:14

position. If you wrote about your own
obviously vulnerabilities as they are in
48:14 - 48:21

runtime as you need and service as this
service contains request runtime contain a
48:21 - 48:29

method where the first argument defines as
the action to be executed. Using the
48:29 - 48:35

action read file it is possible to get
content of any file from the system. Using
48:35 - 48:39

the right config file it's possible to
write information to the server. To the
48:39 - 48:47

server. And for example, it can be a jar
files, which execute shell comand on from
48:47 - 48:53

the command line and use in some SPPA
specific functions, you can execute these
48:53 - 49:01

jar files later. This is all about
automation server. To sum up, automated
49:01 - 49:08

automation server can based on PLC or
industrial PC. In case of PLC it says a
49:08 - 49:16

simple PLC is usual PLC with no security
issues. In case of industrial PLC.. it's
49:16 - 49:22

just a Linux box., which try to download
some additional files from the application
49:22 - 49:29

server and some of them execute with the
virtual machine. So far, we haven't
49:29 - 49:33

mentioned any network equipment using
distributed control system Using the
49:33 - 49:41

research we saw a wide variety of network
devices and network infrastructure,
49:41 - 49:47

including switches, firewalls and more
rare devices such as data diet, for
49:47 - 49:56

example. We tried to summarize all this
information and got it common SPPA on
49:56 - 50:02

network topology and scam. Lookup shown in
purple usual places for network devices.
50:02 - 50:09

By the same device it can be found in
other vendors distributed control system.
50:09 - 50:13

Network devices in industrial network
usually have a lot of security issues. The
50:13 - 50:19

reason for this is that most of them don't
require any configuration before start and
50:19 - 50:29

can be run out of the box. And that's why
the things like get NLP??? and then be
50:29 - 50:35

coming in to stream with credentials for
different services. Fill ware? with
50:35 - 50:44

publicly, publicly available, exploits and
just a lack of security configurations.
50:44 - 50:53

All the things are usual for usual for
network devices and they are usually usual
50:53 - 51:01

usual security issues for our industrial
network. I think that's all I know now
51:01 - 51:07

Gleb wil sum up our discussion.
repdet: Yep. Yep. So the topic of power
51:07 - 51:14

plants is huge. The system is huge and we
try to cover this and that's a lot of
51:14 - 51:18

small things in the talk. And in fact
everything can be summed up on this slide.
51:18 - 51:23

These those are just the vulnerabilities,
as you can see in the problems in Java, in
51:23 - 51:28

Web applications, in different simple
mechanisms that you can exploit actually
51:28 - 51:33

directly even not go into the PLC or field
level, field level. You can impact the
51:33 - 51:39

process itself. What we don't cover in
this talk, is actually what select
51:39 - 51:44

havoc???? or disaster could be caused by
attacking such systems because it's actually
51:44 - 51:49

not that bad. I mean they're talking about
things like blackouts of the series or
51:49 - 51:54

things like this. This is not what you can
do with as a consensus system, because the
51:54 - 51:59

like the distribution of the power power
in the grid is not there according to the
51:59 - 52:02

threat model is not the problem of the
power generation. There shouldn't be like
52:02 - 52:06

another regulator who should watch for
like enough capacity in the network to
52:06 - 52:11

fill this, to fill the electricity for the
customers. So what we're really speaking
52:11 - 52:17

here is like the is how we can impact
there. For example, the turbine, the
52:17 - 52:23

turbine is itself, for example, but we had
no access to the real turbine. They're
52:23 - 52:28

big, expensive, and we haven't found
anyone willing to provide us one. So we
52:28 - 52:34

will destroy it. But the point is, we have
an educated guess like PLCs, they control
52:34 - 52:39

a lot of parameters of this turbine. And
the turbine is like a big mechanical
52:39 - 52:45

monster that is actually self degrading by
working and putting it into different like
52:45 - 52:50

incomfortable operating modes will degrade
it even faster or it will break its end.
52:50 - 52:54

It's not easy. You can have a spare PLC or
some other device. You won't have a spare
52:54 - 53:03

turbine. So that the impact is there. But
it's not like a very huge. So what we
53:03 - 53:09

tried to do with this research mostly is
to understand, how we can help the power
53:09 - 53:15

plant, the apparatus out there. And we
have to fight in all the issues and
53:15 - 53:20

analysing this infrastructures and the
customer sites, we understood that all of
53:20 - 53:24

the installations actually did the same.
And we can write a very simple do it
53:24 - 53:30

yourself assessment. And hopefully even
like engineers on the power plants can
53:30 - 53:35

test themselves. It is very easy. A set of
steps on two or three pages. You connect
53:35 - 53:39

to application network, you connect to the
automation network, you run the tests, you
53:39 - 53:43

get the results. And afterwards you talk
with Siemens. Well, you can fix something
53:43 - 53:48

by yourselves. And basically you don't
have to hire like expensive consultants to
53:48 - 53:53

do the job. You should be. You should be
able to do it by yourself. We hope that
53:53 - 54:01

you will be able to do it. Of course. To
summarize the whole situation around
54:01 - 54:07

DCSSs, it is if you have seen other
industrial solutions like SCADAS, like
54:07 - 54:13

substations and if any actually, you would
find a lot of similarities and they the
54:13 - 54:18

whole like it will have the same pain
points as all other solutions. There is a
54:18 - 54:24

good documents from there. IAC 62443
which describes how like power plant
54:24 - 54:29

operator or asset owner should talk to the
system integrator and the vendor. With the
54:29 - 54:33

vendor in terms of what security they
should require and how they should control
54:33 - 54:41

it. We urge any power plant operator to
read this standards and to require
54:41 - 54:46

security from their vendors and system
integrators, because nowadays it depends
54:46 - 54:49

from vendor to vendor. Maybe vendor is
more interested in the security or the
54:49 - 54:54

plant or some regulator and the like.
Nobody knows how to act. This is the
54:54 - 55:00

document where a which describes how you
should talk with all other entities. Of
55:00 - 55:08

course, read the slides, read the white
paper in the January. Call Siemens updatal
55:08 - 55:12

systems, change your passwords and
configurations. This is actually very easy
55:12 - 55:19

to at least to shrink the attack surface.
A lot of things inside SPPS ??? network is
55:19 - 55:23

a modern windows boxes and it's kind of
easy to set up some form of monitoring, so
55:23 - 55:28

you should talk to your security
operations center. They would be able to
55:28 - 55:33

look for some locks, not most of the
impact that we showed, like it was their
55:33 - 55:37

input from the java application and
you won't be able to monitor all of these.
55:37 - 55:42

We have like security events in windows.
But at least it's still some form of
55:42 - 55:49

detection process inside your network. And
again, finally, to summarize, it is not
55:49 - 55:55

like a problem of one DCS from Siemens.
There are exactly the same issues for
55:55 - 56:02

other vendors not mentioned here. We will
release a lot of things today, tomorrow
56:02 - 56:07

and in January. Basically like the big
white paper about everything that we have
56:07 - 56:11

found out, we have recommendations, what
to do with the wordlists, with the do it
56:11 - 56:16

yourself security assessments with a lot
of tools up. One of the tools would help
56:16 - 56:19

you to do the research, another tools
would help you, for example, if you are
56:19 - 56:24

using intrusion detection detection
systems like IDSS, you would be able to
56:24 - 56:30

parse the protocols and maybe write some
signatures for them. We work closely with
56:30 - 56:34

Siemens. We want to say thank you for the
Siemens product search. They did a great
56:34 - 56:38

job in communications between us and the
product team that develops the products
56:38 - 56:42

that Siemens SPPA team for ??? in
itself. The main outlines from the vendor
56:42 - 56:47

response is, that if a power plant
operator, you should hurry and install a
56:47 - 56:55

new version 8.2 SP2. There are Siemens
is trying to like educate and raise
56:55 - 57:00

awareness outside their customers. That's
first of all, they should change passwords
57:00 - 57:04

that there are critical vulnerabilities
and they should do something with it. And
57:04 - 57:11

there is not all the problems are fixable by
Siemens themselves. There is an operator
57:11 - 57:19

is viable for some of the activities to do
the security by themselves. So that's
57:19 - 57:24

actually it. Thank you. Thank you very
much. Thank you, Congress. If you have any
57:24 - 57:27

questions, please welcome.
57:27 - 57:36

Applause
57:36 - 57:41

Herald: Thank all of you for this excellent
talk, we have a short three minutes for
57:41 - 57:45

questions. If you have questions, please
line up at the microphones in the hall. If
57:45 - 57:49

you're using hearing aids, there is an
induction loop at microphone number three.
57:49 - 57:54

Do we have questions from the Internets?
Yes. Question from our signal angel,
57:54 - 57:59

please.
Signal-Engel: So we've got a question with
57:59 - 58:03

the vulnerabilities found. Could you take
over those cans from the worldwide web cam
58:03 - 58:11

without the freedom and the minimum tax?
Herald: Can you please repeat.
58:11 - 58:14

repdet: A little bit louder, please?
Signal-Engel: Sorry. With your own
58:14 - 58:19

vulnerability found, could you take
control over those plants without worldwide
58:19 - 58:27

them from public Internet, without further
amending the ??? ?
58:27 - 58:31

repdet: Actually, no. This is and this is
some poor some form of the good news.
58:31 - 58:35

Those systems are exclusively supported by
one system integrator, by Siemens. They
58:35 - 58:39

are more or less protected from the
external access. Of course, there would be
58:39 - 58:44

external access, but it's not that easy to
reach it. And of course, it's we're not
58:44 - 58:47

talking about Internet. We're talking
about some corporate networks of things
58:47 - 58:50

like this.
Herald: Next question, microphone three,
58:50 - 58:54

please.
Mic. 3: Yes, hello. Uh, I also have a
58:54 - 59:00

power plant on my planet and, uh, it's
kind of bad for the atmosphere, I figured.
59:00 - 59:06

So, uh, my question is, can you skip back
to where the red button is to switch it
59:06 - 59:14

off? And I'm asking for a friend.
Laughter, Applause
59:14 - 59:19

repdet: As we never thought about that,
these materials can be used in this way.
59:19 - 59:25

But yeah. Specifically, if you have an
operator of engineers, friends on the
59:25 - 59:30

power plants, you can talk to them.
Herald: Do we have any more questions from
59:30 - 59:38

the Internets? No questions. Any questions
from the hall? I guess not. Well, then,
59:38 - 59:41

thank you very much for this talk and a
warm round of applause.
59:41 - 59:46

Applause
59:46 - 59:49

36c3 Postroll music
59:49 - 60:13

Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!

Title:: 36C3 - On the insecure nature of turbine control systems in power generation
Description:: more » « less
Video Language:: English
Duration:: 01:00:13

	Bar Sch edited English subtitles for 36C3 - On the insecure nature of turbine control systems in power generation
	Bar Sch edited English subtitles for 36C3 - On the insecure nature of turbine control systems in power generation
	Bar Sch edited English subtitles for 36C3 - On the insecure nature of turbine control systems in power generation
	Bar Sch edited English subtitles for 36C3 - On the insecure nature of turbine control systems in power generation
	Bar Sch edited English subtitles for 36C3 - On the insecure nature of turbine control systems in power generation
	Bar Sch edited English subtitles for 36C3 - On the insecure nature of turbine control systems in power generation
	Bar Sch edited English subtitles for 36C3 - On the insecure nature of turbine control systems in power generation
	Bar Sch edited English subtitles for 36C3 - On the insecure nature of turbine control systems in power generation

Show all

English subtitles

Revisions

Revision 10 Edited

Bar Sch

36C3 - On the insecure nature of turbine control systems in power generation

Revisions

Our website uses cookies

Operating cookies (Required)