36C3 Preroll music
Herald: One of the obvious critical
infrastructures we have nowadays is power
generation. If there is no power, we're
pretty much screwed. Our next speakers
will take a very close look at common
industrial control systems used in power
turbines and their shortcomings. So please
give a warm round of applause to repdet,
moradek and cOrs.
Applause
repdet: Good morning, Congress. Thank you for waking up in the morning. We will talk about the security of power plants today, specifically about the automation systems that are used in power plants. You might think that this is another talk about how insecure the whole industrial world around us is, and more or less it is. For four years we and our colleagues have been speaking about problems in industrial security. We are happy to say that things are getting better, but it's just that the tempo is a little bit different and it feels a little bit uncomfortable. Anyway, we will speak about how power plants are built, what the automation inside is, what the vulnerabilities are, and give a high-level overview of what you can do with this.

But first, a little bit of introduction. We are security consultants. We work with a lot of industrial things like PLCs, RTUs, SCADAs, DCSs, LCS, whatever it is. We have been doing this for too long, for so long that we have a huge map of contacts with a lot of system integrators and vendors. And for some time now we are not just doing consultancy work for some asset owner, for example for a power plant; we also talk to other entities and we try to fix things altogether. We work at Kaspersky, and actually the whole research was done not just by me, Rado and Alexander, who are here, but also with the help of Eugenia and two Sergeys.

A very important thing to note is that everything that we will discuss right now was reported to the respective vendor, basically a long time ago. You can see the vendors here, but more or less we will speak only about one vendor today: Siemens. But we would like you to understand that similar security issues can be found in all other industrial solutions from other vendors. Some of the findings, for example, do not require weeks of work to find out, and this would be true specifically for all other vendors which are not mentioned in the talk.

Jokes aside, we will share security issues of real power plants out there, and it might look like we are kind of irresponsible guys. But in fact it is the other way around. I mean that to do some kind of research with these systems that are working in power plants, you need to get access to them. You need time to do this research. You need to have some knowledge to do this research, and all these resources are limited for guys like us: for penetration testers, for auditors, for power plant operators and engineers. But for the bad guys, the potential attackers or adversaries, this is actually their job. They have a lot of investment to do some research. So we assume that the bad guys already know this, and we would just like to share some information with the good guys so they would be able to act upon it. So let's go to the talk itself.
Power plants are the most common way how humans get their power, their electricity, everywhere around us. I believe the closest one to Leipzig is called the Lippendorf power station. During this research, when we were preparing the introduction, we were surprised how much information about power plants you can get from the Internet. It's not just, for example, a picture of the same power station on Google Maps. It is actually a very good scheme of what you can see in the marketing materials from vendors, because when they sell some system that automates power plant operations, they sometimes start with the building construction. And on their websites you can find schematic pictures of which building does what, where you will find some equipment, and which versions of equipment are used in these systems. But if you don't have this experience, you can just Google things and you will find out which systems are used for automation in power plants. For example, for Lippendorf it's a system that is called Siemens SPPA-T2000 and P3000, which actually has another Siemens system inside called Siemens SPPA-T/P3000. So it's a little bit confusing, and we are still confused. This is exactly the system that we will focus on today: Siemens SPPA-T3000. And again, it could be any other automation system, but it just happened that we've seen this system more often than others.

Here is a way how you can actually see all the generation sites throughout the world, thanks to the carbon monitoring communities. This is not just power plants; this is also nuclear sites, wind generation, solar plants, etc. They are all here, marked by the different fuel types of generation. For example, there are coal and gas power plants marked there. So the topic is really huge, and what we will focus on today in our talk is mostly the power plants which work on coal and gas, which is important to mention.

The heart of each power plant is actually a turbine. We don't have a picture of a turbine on the slides, but more or less I think everybody saw one on an airplane. They are similar, specifically in terms of size and mostly in how they work. On different vendors' websites you can actually find a lot of information on where those turbines are used. And this is, for example, the map of the turbines from Siemens. Not all turbines are used in power plants; they have a lot of different applications like chemical plants, oil and gas, and a lot of other things. But if you correlate this information with the previous slides, you would be able to identify which systems are used by which power plant. And if you Google more information, you can actually tell the versions and the generations of the systems that are used on these power plants. This is important because of the vulnerabilities that we will discuss later on.

So before we speak about what the automation on power plants is, we should understand a little bit how they work. We will go from right to left and it's very easy. A little notice: for the whole talk, we will simplify a lot of things for two reasons. One of them is to make it more suitable for the audience. And the other is that we don't really understand everything ourselves. So the first thing you should get is a fuel. Fuel could be, for example, coal or gas. You will just put this inside the combustion chamber, where you set it on fire, actually. It will generate a lot of pressure which will go to the turbine. Because of the pressure, the turbine will begin to rotate. The turbine has a shaft which will drive the electricity generator, which will obviously generate electricity and put it on the power grid. So it is important from now on to understand that when we generate some electricity at the power plant, we put this power not just, for example, into this Congress center or some city. We put it into a big thing called the power grid, where other entities will sell this electricity to different customers.
There is also a very interesting point: when we generate this pressure and the combustion chamber is on fire, we have a lot of excess heat. We have two options. One of them is to safely put it in the air; we have condensing towers. This is option number one. Another option is that we can do some form of recuperation. For example, we would take this heat, we will warm water, the water will produce steam, and we will put this steam in the steam turbine and produce additional electricity. This is kind of an optimization of some form. So what is the automation in this process?
The automation systems that are used in power plants are usually called distributed control systems, or DCSs. Everything that I just described is automated inside those systems. The vendor of the solution wants to simplify all things for the operator, because we don't want hundreds of people working at the power plant. We just want maybe dozens of people working there, and they want to simplify the whole process. They don't care about where they get this ???, gas or coal, or how much they need of it. They just should be able to stop the generation process or start it. And they control one main thing, which is how much power we should produce for the power grid, so how many megawatts of electricity we should produce. This describes the complexity hidden inside these solutions, because there are a lot of small things happening inside, and we will discuss it a little bit later. As I said, these DCSs are not exclusively used in power plants. There are a lot of other sites that would use the same solutions, the same software and hardware. The DCS is not just software that you can install. It's a set of hardware and software, various input/output modules, sensors, etc. As I said, sometimes they start from the building construction: there is a field, please build a super power station. So it's a more complex project most of the time. There are a lot of vendors that are doing it. As I said, we are focusing in this talk on the Siemens one.

Just a short description of how simplified things are for operators of this DCS software. So, for example, if we would like to answer the question how we would regulate the output in megawatts of our power plant, we would need to control basically three things. Again, we are oversimplifying here. This is an example for the gas turbine. First of all, we would need to regulate how much gas we put inside the combustion chamber. We would control the flame temperature. And we would control the thing that gets air inside the turbine. That's basically three things that are controlled by simple PLCs in the whole system. And you would be able, for example, to change 100 megawatts to 150 megawatts based on these settings.

So the system itself that we are going to discuss is called Siemens SPPA-T3000. And actually, again, like all other DCS systems from other vendors, this is a typical industrial system. It has all these things called PLCs, RTUs, HMIs, servers, OPC traffic, et cetera. The only thing that is different specifically for Siemens SPPA-T3000 is that they have two main things called application server and automation server. The software running on these servers is not what you will find on other installations. Despite the fact that, if you read the manuals for the systems from Siemens, there would be a lot of different networks and highways and a lot of things, and Siemens would state that there is no connection between the application network and external networks, in practice and in reality you will find things like a specific sensor network, monitoring vibration, foreign objects and some noises inside the turbine. You will find the demilitarized zone, because all in all, all power plant operators won't have onsite maintenance guys and engineers. They would try to do remote support. They would need to install updates for the operating system, also for the signatures of their antiviruses. They would need to push some OPC traffic, so information about the generation process, outside, either to the corporate network or to some regulator, because the whole energy market is regulated and there are different entities who would monitor common electricity generation, or they basically tell you how much electricity you should generate.
Because this common electricity is sold on the energy market.

Basically, the whole talk is structured like this. We will speak first about the application server, then the automation server, and then some summary. It all started with the process called Coordinated Vulnerability Disclosure. We notified Siemens about some issues almost a year ago, and a month ago, at the beginning of December, Siemens published an advisory. It was not an advisory just about the issues from us; a lot of other teams also contributed to it. And this December doesn't mean that Siemens just released the patches. Since this system, SPPA-T3000, is exclusively supported, so the system integrator for the system is Siemens itself, throughout the year after we notified them about some security issues they started to roll out patches and install updates on the critical infrastructure they support, and hopefully they did it with all the sensitive issues. There are a lot of things to discuss here that we will skip, because we are a little bit in a hurry. Things like: not all vulnerabilities are the same. We use, for example, CVSS here to talk about how critical a vulnerability is, but it's actually not very applicable to industrial sites. You should understand what you can do with each vulnerability, how you can impact the process, and we will skip this part. There is actually a kind of threat model in the white paper that we will release later on, during January, we hope.

So, application server. The application server is the main resource that you would find in the SPPA-T3000 network. If someone remotely connects to the system, they would end up at the application server. If someone wants to start the generation process or to change some values, it would be the application server. If there are other servers that would, for example, try to communicate with the application server, they will actually start their work by downloading their software from the application server and then executing it. So the first thing you might notice here is that there are a lot of network ports available on this machine. And actually, this is the first point: there is a huge attack surface for the adversary to choose whether he would like to compromise some Siemens software, or its Windows software, or some other third party. A huge attack surface, starting from the fact that all the installations of these SPPA systems are kind of different. So depending on the version and the generation, you can find different Windows versions from 2003 to 2016. Hopefully they are all updated right now, but because the update process for such installations is a hard thing to do, I mean you should wait for maintenance, and it should be maybe once in half a year or once a year, you will always find some window where you can use some remotely exploitable vulnerabilities like EternalBlue or BlueKeep mentioned on the slide. There are tons of different additional software like all signwin??? that will allow you to do privilege escalation, badly configured Tomcats, and we have here these funny pie charts that show how the configuration of different software is aligned with the best practices from CIS benchmarks. Those are basically security configuration hardening guides. The most important thing in the application server is a lot of Java software, and in a minute repdet will tell you about this.

Surprise, surprise, one of the most notable problems in this Siemens SPPA-T3000 is actually passwords. There are three important ranges. The first of them is: for all the installations before 2014 and maybe 2015, all passwords for all the power stations were the same. And you can easily Google them. We've also published the full word list in the white paper. After these years Siemens started to generate unique passwords for all power plants. But until this year, it was kind of hard to change this password. So you needed to be aware of how to do this. You needed to know the process. You maybe needed to contact your system integrator to do this. Starting from this December, it will be much easier to change passwords. So in the past, even if you knew you had these issues, you were not able to simply change all these things. Along with the passwords, you can find the full diagrams and the integrator documentation that can show you how the system is built, how it's operating, specific accounts, etc. Of course, this was not published by Siemens, but by some power plant operators who thought that it would be a good idea to share this information. So as I said, the most important thing in the application server is a bunch of Java applications, and please welcome moradek, who will share the details about this.
Applause
moradek: Hi, everyone. Let's look at how the software works on the application server. The operator can communicate with the system through a Thin client and a Fat client. A Thin client acts as a Java applet inside the Internet Explorer browser and communicates with the server through HTTPS, so it can be outside of the application network and its communications can be constrained by a firewall. In the opposite case of the Fat client, software should be installed on the operator machine, and the client directly communicates with the RMI registry to find services, and after that directly communicates with these RMI services. So the Fat client should belong to the application network.
An illustration of the architecture was kindly provided by SPPA. Let's divide it into spaces. In the red zone are the items that take the requests from the Thin client and redirect them to RMI services. And in the green zone there are RMI services which act as network services on their own TCP ports. SPPA consists of containers; each container can encapsulate one or more RMI services. All types of containers are represented on the illustration and all of them have self-explanatory names.

Before we go deep inside the internals of SPPA, let me introduce some tools which were used in this research. First of all, all jar files inside SPPA are obfuscated with a commercial product. But these security measures can be easily bypassed by a publicly available tool, the deobfuscator. Also, sometimes it is useful to see how legit software communicates with the system. It helps to understand the architecture of the system and the workflow of the clients. In the case of SPPA a dissector was written; it represents the raw TCP streams in a human-readable format. Inside, it uses the method readObject from the JDK. It is known that this method is unsafe to insecure deserialization, so be careful not to be exploited through a remote pcap.

The first pillar of SPPA is the Apache web server. According to its config, the software config folder can be accessed by an unauthorized user. In fact, this folder contains some sensitive information of the system. For example, the PC system configuration files and data XMLs, and the files inside it, contain startup options and the configuration of all containers, either in the application network or the automation network. Also the configuration of Oracle and of the application in Tomcat can be accessed using this vulnerability.

And about Tomcat. There are three web applications registered: remote diagnostic viewer, manager and orion. According to the configuration of Tomcat and the Apache web server, I've observed that the orion service can be accessed through HTTPS, and in the file web.xml there is a list of all servlets of the orion application, and the list is really huge. Some of these servlets have attractive names for a tester, for example BrowseServlet. In fact, it allows browsing the user directory and listing directories of the operating system. But in the case of exploitation another servlet is more attractive: FileUploadServlet. It allows file upload with SYSTEM privileges, where you are in full control of the name of the file. So this vulnerability can be easily transformed into remote code execution.
You can overwrite some startup scripts of SPPA or simply inject a shell into the application and get remote code execution with SYSTEM rights. Also there are some servlets which contain "service factory" in their names. In fact, they redirect HTTP requests to RMI services. Inside, they parse the incoming HTTP request and search for the desired RMI service according to the parameter service URL, and further invoke the public method of the security service. The name of the method is defined in a serialized object in the data section of the HTTP request. The parameters of these calls are also defined in this object. So now we have a situation where both the Thin client and the Fat client can access RMI services, but in the case of the Fat client, it can also directly communicate with the RMI registry. So if the application server missed some important Java security updates, it contains an insecure deserialization vulnerability, and using the public tool ysoserial we can simply exploit it and get code execution with SYSTEM rights again.
The next task will be to list all available RMI services on this SPPA system. At the first step, we simply use the class LocateRegistry from the Java SDK and get a big list of services. All but one are JMX RMI services; I assume that they provide some general interface for controlling and managing the containers of SPPA. For further investigation we only chose LookupService. In fact, this service looks like a collection of other RMI services: using its public method list we get the names of all available services, and using the name and the public method lookup we get the reference to the RMI service. All RMI services at this step implement the interface ServiceFactory. So based on this, we can assume that this is again a collection of other RMI services. But in fact it doesn't have a public method to get the name of the service. So we need to decompile the class and find some factory methods which create an RMI service, for example createAdminScript, and inside we can find the name of the created service. As can be guessed, it's the admin service. So using the public method getService with this name, we get the reference to the next-level RMI service, and in the final step we get the reference to the RMI services which perform the real job of SPPA. But this RMI service also contains a lot of public methods for an unauthorized user. So to sum up: we have the registry, and at each level we find a lot of RMI services, and the last item also contains a lot of public methods. So the attack surface of the SPPA system is really huge. Now that we have listed all available RMI services, the next question is: how is the authentication of client requests performed on the system?
To answer this question, let's look at how a client request to the security service is processed by the system. First of all, the client gets the reference to the security service using some clientID. Further, PCServiceFactory tries to get a valid session using this clientID in SessionManager. If SessionManager fails in its task, an exception will be thrown and the client will fail. But if it succeeds, a valid sessionID will be returned to PCServiceFactory, and in its turn an instance of SecurityService will be created in a factory method, while the sessionID will be stored in loginID inside SecurityService. And finally the client will get the reference to SecurityService. Further, he can call some public method of it. But this method can perform privilege checks of the user using loginID in SecurityManager. So to sum up, we have two security measures in this system. But the question is how a client can perform the login operation if he doesn't have any valid clientID. In this case, at the startup of the system, SessionManager adds an anonymous session with a clientID that equals zero. The client will use this clientID and perform the login operation. But an attacker can also use this feature and simply bypass this lock. So to sum up, there is only one security measure on the system, and it is fully delegated to the methods of the RMI services. But the amount of RMI services is huge, the amount of public methods is really huge, and so it becomes really difficult to manage the security of the system.

According to this information, we know all inputs of the system. We know all possible security measures of the system. So it's time to find vulnerabilities in the list of RMI services. The one which looks so attractive is the admin service; it can be accessed with an anonymous session. Inside, there is the public method runScript. This method doesn't perform any privilege checks, so we can call it without any credentials. At the first step, this method creates an instance of a class loader using bytes from the arguments, and in fact this step allows loading an arbitrary Java class. This class should implement the interface AdminScript and define the method execute, and this method execute will be called by runScript of the RMI service. For this case we create a Java class that simply runs an OS command from the arguments of runScript. And we get code execution on the system with SYSTEM rights.
Of course, there is more powerful post-exploitation of this vulnerability than simply running an OS command. This vulnerability allows injecting an arbitrary Java class into the running SPPA application, so you can use some Java reflection to patch some variables of the system and have influence on the technological properties of SPPA. Also, the privilege check inside methods of an RMI service can be bypassed with a second vulnerability in the session service. This service has the public method getloggingsessions(). In fact, this method returns all session data of logged-in users on the system. This information includes user names, IPs and clientIDs. So if this contains the clientID of a user that has some admin privileges, an attacker can use this clientID to get a reference to the security service, and this reference will be with a more privileged session. Further, the attacker can call the public method of the security service getAllUsers and get all private information about all users of the system, with password hashes included in this private information. So to sum up, both of these vulnerabilities can be accessed through HTTPS and firewall rules can be bypassed.
In general, all communication with RMI services is not encrypted, so usernames and password hashes are transferred in plain text. This is more critical for the Fat client case. Moreover, the password hashes don't have any session protection mechanism. So if an attacker can perform a man-in-the-middle attack against some user of SPPA and captures the traffic between this user and the application server, he can get a valid username and password hash of the system and simply reuse these credentials and perform the login operation on the system. Moreover, he also can change the password of this user. I talked a lot about user names and password hashes, so it's time to understand how these items are organized on the system. Alex.
Alex: Hello everyone. I will continue our discussion about the application server. On the previous slide you could see how remote authentication works, and now I'm going to tell you about how it is organized locally. After the system gets started, it begins to read two files, user1.xml and pdata1.xml, to get the user list and their passwords respectively.
The user1 file is a simple XML, while the pdata1 file has a slightly more difficult structure. It is a gzip archive encoded in base64, with a Java serialization object in the gzip archive contained in a specific XML. The fields of this XML are presented on the slide. They are used to calculate the hash value and check the password during authentication. On the bottom of the slide you can see the password check algorithm in pseudo code. Its cryptographic scheme is the type of so-called crypt hashing scheme like on Unix and Linux machines. It has a number of iterations and salts, and only one thing was edited: the salt is hardcoded and is the same for all users. A tool to extract password hashes and salt parameters from the pdata1 file has been developed; on this slide you can see its output. The tool can be used during password auditing to check for weak or dictionary passwords and their actual hash collision parameters. The tool is available at the link below.

To draw a line under the application server analysis: first, as we have seen, the attack surface is really huge and includes a lot of different components. Secondly, it's about remote connections. Whether SPPA has a remote connection or not, and no matter who told you there is none, you should check it anyway. And the last thing is that an attacker has the opportunity to impact the power generation process. For example, it can start or stop generation, change some output value, or get some additional information about the generation process, and all these actions can be done from the application server. That's all about the application server.

Let's start the discussion about automation. The main goal of the automation server is to execute real-time automation functions and tasks. Depending on the power plant project architecture and its features, the role of the automation server can be different. We have to distinguish three roles. The first one is the automation role. There may be slight confusion because the term is used both for the server and for its role, but analyzing the automation server configuration and publicly available information we have found that whatever the role is, almost the same hardware and software are used, and we have decided to use this kind of classification, which seems less confusing to us. At the same time, it's slightly different from the Siemens classification anyway. I mean, the automation role means that the server is responsible for interaction with input-output modules to control and monitor power plant equipment such as the turbine, the electric generator or some other. The second role is communication. This role is used for connection to third-party software and systems; in other words it's just a protocol converter supporting such protocols as Modbus, IEC 101, 104 and some others. And the last role is the migration role. This role is used to connect previous versions of SPPA-T2000 and legacy systems such as SPPA-80 2002 or Teleperm ME. The automation server in the automation role can be run on a Simatic PLC and on an industrial PC. Other roles can be run only on industrial PCs.

Now let's talk a little more about each role, and let's start with the automation role based on PLC. PLCs directly control field devices like valves and turbines, and access to them is in most cases game over for any security discussion. They usually represent the lowest level in different reference models, such as the Purdue model, for example. Any credential or configuration changes and updates for PLCs require stopping the technological process. So these devices always have security misconfigurations, firmware without security updates and insecure industrial protocols. In the case of SPPA these are ??? protocols and PLC data. There is a lot of information about their own protocols on the internet, but not so much about the PLC data protocol. So we had to deal with it and analyze it ourselves.
It's not a special protocol for SPPA. When you program your Simatic PLCs and need to exchange some data between them in real time, you use this protocol. It's a quite simple protocol, and maybe its description is available somewhere on the internet, but we couldn't find it. So just in case, I show you its structure. There is no security mechanism in this protocol, so the only obstacle while doing a man-in-the-middle attack to spoof data is the sequence number, which we can get from a packet that just follows. For practical analysis we have developed a dissector, which is available at the link below. During the security assessment of PLC configurations, one of the main things which we check is unauthorized access to reading and writing PLC memory. The availability of unauthorized access is determined by the position of the mode selector of the PLC and some other configuration parameters. During previous research conducted by one of our colleagues, Daniel Parnischev????, a privilege matrix was obtained. It shows the insecure states and configurations of the PLC. The tool for gathering information from the PLC over the network and its analysis has been developed by Danil and is also available in our repository. Now let's talk about the application server based on an industrial PC. It's just a Linux box.
During the start it tries to download some
additional files from the application
server. This file includes to include jar
files, the bar scrapes, some configuration
protocols files and some other. You know,
to execute jar files PTC Perc virtual
machine is used. Is it a runtime java
machine widely spread in industrial IJ and
military area. PTC Perc contains a
completion mechanism. So that is all jar
files contains a bitecode transformation.
That's why regularly decompiles Fails
exam. To solve this problem, we have
written a php script to perform reverse
transformation. After that, regular
decompilers have been successful. Running
jars open RMI services on the automation
server and the sound ??? of their
extension. For example, in case of
migration server on PC services, which are
extension of classic Java RMA services are
used and on the slide you can see is the
list of of these services. Just the key
issues of automation. So based on
industrial PCM present represents just
light. Firstly, as you can see, it's there
is a possibility to spoof downloaded files
from application server files downloaded
over https and there are no security
security mechanisms during the process.
Secondly, it's about the default
credentials. You can get access over SSH
SSH to server vs user SAM admin and
password. See him next. It's
vulnerabilities in archives in our around
IPC services. This will not be allowed to
perform sensitive data explosion and
remote code execution. And finally, the
last group with vulnerabilities found in
the software used to feel an immigration
role for communication vs SB 82000, also
known as the DSP system has a number of
issues on the immigration server vs old
TXP. You are not. You are in magic
position. If you wrote about your own
obviously vulnerabilities as they are in
runtime as you need and service as this
service contains request runtime contain a
method where the first argument defines as
the action to be executed. Using the
action read file it is possible to get
content of any file from the system. Using
the right config file it's possible to
write information to the server. To the
server. And for example, it can be a jar
files, which execute shell comand on from
the command line and use in some SPPA
specific functions, you can execute these
jar files later. This is all about
automation server. To sum up, automated
automation server can based on PLC or
industrial PC. In case of PLC it says a
simple PLC is usual PLC with no security
issues. In case of industrial PLC.. it's
just a Linux box., which try to download
some additional files from the application
server and some of them execute with the
virtual machine. So far, we haven't
mentioned any network equipment using
distributed control system Using the
research we saw a wide variety of network
devices and network infrastructure,
including switches, firewalls and more
rare devices such as data diet, for
example. We tried to summarize all this
information and got it common SPPA on
network topology and scam. Lookup shown in
purple usual places for network devices.
By the same device it can be found in
other vendors distributed control system.
Network devices in industrial network
usually have a lot of security issues. The
reason for this is that most of them don't
require any configuration before start and
can be run out of the box. And that's why
the things like get NLP??? and then be
coming in to stream with credentials for
different services. Fill ware? with
publicly, publicly available, exploits and
just a lack of security configurations.
All the things are usual for usual for
network devices and they are usually usual
usual security issues for our industrial
network. I think that's all I know now
Gleb wil sum up our discussion.
repdet: Yep. Yep. So the topic of power
plants is huge. The system is huge and we
tried to cover this, and that's a lot of
small things in the talk. And in fact
everything can be summed up on this slide.
Those are just the vulnerabilities, as you
can see: the problems in Java, in web
applications, in different simple
mechanisms that you can exploit actually
directly, even without going into the PLC
or field level. You can impact the process
itself. What we don't cover in this talk
is actually what havoc???? or disaster
could be caused by attacking such systems,
because it's actually not that bad. I
mean, they're talking about things like
blackouts or things like this. This is not
what you can do with such a system,
because the distribution of the power in
the grid is not there; according to the
threat model it is not the problem of the
power generation. There should be another
regulator who should watch for enough
capacity in the network to fill the
electricity for the customers. So what
we're really speaking about here is how we
can impact there. For example, the
turbine itself, but we had no access to
the real turbine. They're big, expensive,
and we haven't found anyone willing to
provide us one. So we will destroy it. But
the point is, we have an educated guess:
PLCs control a lot of parameters of this
turbine. And the turbine is like a big
mechanical monster that is actually
self-degrading by working, and putting it
into different uncomfortable operating
modes will degrade it even faster or it
will break in the end. It's not easy. You
can have a spare PLC or some other device;
you won't have a spare turbine. So the
impact is there, but it's not very huge.
So what we tried to do with this research
mostly is to understand how we can help
the power plant operators out there. And
we have to fight all the issues, and
analysing these infrastructures and the
customer sites, we understood that all of
the installations actually do the same.
And we can write a very simple
do-it-yourself assessment, and hopefully
even engineers on the power plants can
test themselves. It is very easy: a set of
steps on two or three pages. You connect
to the application network, you connect
to the automation network, you run the
tests, you get the results. And afterwards
you talk with Siemens. Well, you can fix
something by yourselves. And basically you
don't have to hire expensive consultants
to do the job. You should be able to do it
by yourself. We hope that you will be able
to do it. Of course, to summarize the
whole situation around DCSs: if you have
seen other industrial solutions like
SCADAs, like substations or anything,
actually, you would find a lot of
similarities, and the whole thing will
have the same pain points as all other
solutions. There is a good document out
there, IEC 62443, which describes how the
power plant operator or asset owner should
talk to the system integrator and the
vendor in terms of what security they
should require and how they should control
it. We urge any power plant operator to
read this standard and to require security
from their vendors and system integrators,
because nowadays it depends from vendor to
vendor. Maybe the vendor is more
interested in the security, or the plant,
or some regulator and the like. Nobody
knows how to act. This is the document
which describes how you should talk with
all other entities. Of course, read the
slides, read the white paper in January.
Call Siemens, update your systems, change
your passwords and configurations. This is
actually very easy to at least shrink the
attack surface. A lot of things inside the
SPPA ??? network are modern Windows boxes
and it's kind of easy to set up some form
of monitoring, so you should talk to your
security operations center. They would be
able to look for some logs. Not most of
the impact that we showed, like it was
their input from the Java application, and
you won't be able to monitor all of these.
We have security events in Windows. But at
least it's still some form of detection
process inside your network. And again,
finally, to summarize, it is not a problem
of one DCS from Siemens. There are exactly
the same issues for other vendors not
mentioned here. We will release a lot of
things today, tomorrow and in January.
Basically the big white paper about
everything that we have found out, we have
recommendations, what to do, with the
wordlists, with the do-it-yourself
security assessments, with a lot of tools.
One of the tools would help you to do the
research, another tool would help you, for
example, if you are using intrusion
detection systems like IDSs, you would be
able to parse the protocols and maybe
write some signatures for them. We work
closely with Siemens. We want to say thank
you to the Siemens ProductCERT. They did a
great job in communications between us and
the product team that develops the
products, the Siemens SPPA team ??? itself.
The main outline from the vendor response
is that if you are a power plant operator,
you should hurry and install the new
version 8.2 SP2. Siemens is trying to
educate and raise awareness among their
customers: first of all, they should
change passwords, there are critical
vulnerabilities and they should do
something with it. And not all the
problems are fixable by Siemens
themselves; the operator is liable for
some of the activities to do the security
by themselves. So that's actually it.
Thank you. Thank you very much. Thank you,
Congress. If you have any questions,
please welcome.
Applause
Herald: Thank all of you for this excellent
talk, we have a short three minutes for
questions. If you have questions, please
line up at the microphones in the hall. If
you're using hearing aids, there is an
induction loop at microphone number three.
Do we have questions from the Internets?
Yes. Question from our signal angel,
please.
Signal Angel: So we've got a question with
the vulnerabilities found. Could you take
over those cans from the worldwide web cam
without the freedom and the minimum tax?
Herald: Can you please repeat.
repdet: A little bit louder, please?
Signal Angel: Sorry. With the
vulnerabilities found, could you take
control over those plants worldwide from
the public Internet, without further
amending the ??? ?
repdet: Actually, no. And this is some
form of the good news. Those systems are
exclusively supported by one system
integrator, by Siemens. They are more or
less protected from external access. Of
course, there would be external access,
but it's not that easy to reach it. And of
course, we're not talking about the
Internet. We're talking about some
corporate networks or things like this.
Herald: Next question, microphone three,
please.
Mic. 3: Yes, hello. Uh, I also have a
power plant on my planet and, uh, it's
kind of bad for the atmosphere, I figured.
So, uh, my question is, can you skip back
to where the red button is to switch it
off? And I'm asking for a friend.
Laughter, Applause
repdet: We never thought about that, that
these materials can be used in this way.
But yeah. Specifically, if you have
operator or engineer friends on the
power plants, you can talk to them.
Herald: Do we have any more questions from
the Internets? No questions. Any questions
from the hall? I guess not. Well, then,
thank you very much for this talk and a
warm round of applause.
Applause
36c3 Postroll music
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!