36C3 preroll music

Herald: One of the obvious critical infrastructures we have nowadays is power generation. If there is no power, we're pretty much screwed. Our next speakers will take a very close look at common industrial control systems used in power turbines and their shortcomings. So please give a warm round of applause to repdet, moradek and cOrs.

Applause

repdet: Good morning, Congress. Thank you for waking up in the morning. We will talk about the security of power plants today, specifically about the automation systems that are used in power plants. You might think that this is another talk about how insecure the whole industrial world around us is, and more or less it is. For four years we and our colleagues have been speaking about problems in industrial security. We are happy to say that things are getting better, but the tempo is a little bit different and feels a little bit uncomfortable. Anyway, we will speak about how power plants are built, what the automation inside is, what the vulnerabilities are, and a high-level overview of what you can do with this. But first, a little bit of introduction. We are security consultants. We work with a lot of industrial things like PLCs, RTUs, SCADAs, DCSs, ICS, whatever it is; we have been doing this for too long.
We have been doing this for so long that we have a huge map of contacts with a lot of system integrators and vendors. And for some time now we are not just doing consultancy work for some asset owner, for example for a power plant; we also talk to other entities and we try to fix things all together. We work at Kaspersky, and actually the whole research was done not just by me, Rado and Alexander, who are here, but also with the help of Eugenia and two Sergeys. Yep.

A very important thing to note is that everything we will discuss right now has been reported to the respective vendor, basically a long time ago. You can see vendors here, but more or less we will speak only about one vendor today. It is Siemens. But we would like you to understand that similar security issues can be found in all other industrial solutions from other vendors. You would find that some of the findings, for example, do not require weeks of work to find, and this would be true specifically for all the other vendors which are not mentioned in the talk. Jokes aside, we will share security issues of real power plants out there, and it might look like we are kind of irresponsible guys. But in fact it is the other way around. I mean that to do some kind of research on these systems that are working in power plants, you need to get access to them. You need time to do this research. You need to have some knowledge to do this research, and all these resources are limited for guys like us, for penetration testers, for auditors, for power plant operators and engineers. But for the bad guys, the potential attackers or adversaries, this is actually their job. They have a lot of investment to do some research. So we assume that the bad guys already know this, and we would just like to share some information with the good guys so they would be able to act upon it.

So let's go to the talk itself. Power plants are the most common way humans get their power, their electricity; they are everywhere around us. I believe the closest one to Leipzig is called the Lippendorf power station. During this research, when we were preparing the introduction, we were surprised how much information about power plants you can get from the Internet. It's not just, for example, a picture of the same power station on Google Maps. There is actually a very good scheme of what you can see in the marketing materials from vendors, because when they sell some system that automates power plant operations, they sometimes start with building construction. And on their websites you can find schematic pictures of which building does what, where you will find some equipment, and which versions of equipment are used in these systems.
But if you don't have this experience, you can just Google things and you will find out which systems are used for automation in power plants. For example, for Lippendorf it's a system called Siemens SPPA-T2000 and P3000, which actually has another Siemens system inside called Siemens SPPA-T/P3000. So it's a little bit confusing, and it is; we are still confused. This is exactly the system that we will focus on today: Siemens SPPA-T3000. And again, it could be any other automation system, but it just happened that we have seen this system more often than others.

There is a way you can actually see all the generation sites throughout the world, thanks to the carbon monitoring communities. This is not just power plants; this is also nuclear sites, wind generation, solar plants, etc. They are all here, marked by different fuel types of generation. For example, there are coal and gas power plants marked there. So the topic is really huge, and what we will focus on today in our talk is mostly the power plants which work on coal and gas, which is important to mention.

The heart of each power plant is actually a turbine. We don't have a picture of a turbine on the slides, but more or less I think everybody saw one on an airplane. They are similar, specifically in terms of size and mostly in how they work. On different vendors' websites you can actually find a lot of information about where those turbines are used. This is, for example, the map of the turbines from Siemens. Not all turbines are used in power plants specifically; they have a lot of different applications like chemical plants, oil and gas, a lot of other things. But if you correlate this information with the previous slides, you would be able to identify which systems are used by which power plant. And if you Google more information, you can actually tell the versions and the generations of the systems that are used in these power plants. This is important because of the vulnerabilities that we will discuss later on.

So before we speak about what the automation on power plants is, we should understand a little bit how they work. We will go from right to left and it's very easy. A little note: for the whole talk we will simplify a lot of things, for two reasons. One of them is to make it more suitable for the audience. The other thing: we don't really understand everything ourselves. So the first thing you should get is fuel. Fuel could be, for example, coal or gas. You will just put this inside the combustion chamber, where you set it on fire, actually. It will generate a lot of pressure which will go to the turbine, and because of the pressure the turbine will begin to rotate.
The turbine has a shaft which will drive the electricity generator, which obviously will generate electricity and put it on the power grid. So it is important from now on to understand that when we generate some electricity in a power plant, we put this power not just into, for example, this Congress center or some city. We put it into a big thing called the power grid, where other entities will sell this electricity to different customers.

There is also a very interesting point: when we generate this pressure and the combustion chamber is on fire, we have a lot of excess heat, and we have two options. One of them is to safely put it into the air; we have condensing towers. This is option number one. The other option is that we can do some form of recuperation. For example, we would take this heat, we would warm water, the water would produce steam, and we would put this steam into a steam turbine and produce additional electricity. This is a kind of optimization of some form.

So what is the automation in this process? The automation systems that are used in power plants are usually called distributed control systems, or DCSs. Everything that I just described is actually automated inside those systems. The vendor of the solution wants to simplify everything for the operator, because we don't want hundreds of people working in a power plant. We just want maybe dozens of people working there, and they want to simplify the whole process. The operators don't care about where they get this gas or coal, or how much of it they need. They just should be able to stop and start the generation process, and they control one main thing, which is how much power we should produce to the power grid, like how many megawatts of electricity we should produce. This describes the complexity hidden inside these solutions, because there are a lot of small things happening inside, and we will discuss it a little bit later.

As I said, these DCSs are not exclusively used in power plants. There are a lot of other sites that would use the same solutions, the same software and hardware. The DCS is not just software that you can install. It's a set of hardware and software, various input/output modules, sensors, etc. As I said, sometimes they start from building construction: there is a field, please build a power station. So it's a more complex project most of the time. There are a lot of vendors that are doing it. As I said, we are focusing in this talk on the Siemens one. Just a short description of how simplified things are for operators of this DCS software.
So, for example, if we would like to answer the question of how we would regulate the output in megawatts of our power plant, we would need to control basically three things. Again, we are oversimplifying here. This is an example for a gas turbine. First of all, we would need to regulate how much gas we put inside the combustion chamber. We would control the flame temperature. And we would control the thing that gets air inside the turbine. That's basically three things that are controlled by simple PLCs in the whole system, and you would be able, for example, to change 100 megawatts to 150 megawatts based on these settings.

So the system itself that we are going to discuss is called Siemens SPPA-T3000. Actually, again, like all other DCS systems from other vendors, this is a typical industrial system. It has all these things called PLCs, RTUs, HMIs, servers, OPC traffic, et cetera. The only thing that is different specifically for Siemens SPPA-T3000 is that they have two main things called application server and automation server. The software running on these servers is not what you will find on other installations.

If you read the manuals for the systems from Siemens, there would be a lot of different networks and highways and a lot of things; Siemens would state that there is no connection between the application network and external networks. In practice and in reality, you will find things like a specific sensor network monitoring vibration, foreign objects and noises inside the turbine. You will find a demilitarized zone, because all power plant operators won't have on-site maintenance guys and engineers; they would try to do remote support. They would need to install updates for the operating system or signatures for their antivirus. They would need to push some OPC traffic, information about the generation process, outside, either to the corporate network or to some regulator, because the whole energy market is regulated and there are different entities who would monitor the common electricity generation, or who basically will tell you how much electricity you should generate, because this electricity is sold on the energy market.

Basically, the whole talk is structured like this. We will speak first about the application server, then the automation server, and then some summary. It all started with the process called Coordinated Vulnerability Disclosure. We notified Siemens about some issues almost a year ago, and about a month ago, at the beginning of December, Siemens published an advisory. It was not an advisory just for the issues from us; a lot of other teams also contributed to it. And this December doesn't mean that Siemens just released the patches. They say that this system, SPPA-T3000, is exclusively supported, so the system integrator for the system is Siemens itself. So throughout the year after we notified them about some security issues, they started to roll out patches and install updates on the critical infrastructure they support, and hopefully they did it for all the sensitive issues.

There are a lot of things to discuss here that we will skip, because we are a little bit in a hurry. Things like: not all vulnerabilities are the same. We use, for example, CVSS here to talk about how critical a vulnerability is, but it's actually not very applicable to industrial sites. You should understand what you can do with each vulnerability, how you can impact the process, and we will skip this part. There is actually a kind of threat model in the white paper that we will release later on, during January, we hope.

So, application server. The application server is the main resource that you would find in the SPPA-T3000 network. If someone remotely connects to the system, they would end up in the application server. If someone wants to start the generation process or to change some values, it would be the application server.
If there are other servers that would, for example, communicate with the application server, they will actually start their work by downloading their software from the application server and then executing it. So the first thing you might notice here is that there are a lot of network ports available on this machine. And actually, this is the first point: there is a huge attack surface for the adversary to choose whether he would like to compromise some Siemens software, or its Windows software, or some other third party. A huge attack surface, starting from the fact that all the installations of these SPPA systems are kind of different. So depending on the version and the generation, you can find different Windows versions, from 2003 to 2016. Hopefully they are all updated right now, but because the update process for such installations is a hard thing to do (I mean you should wait for maintenance, and it could be maybe once in a half year or once a year), you will always find some window where you can use some remotely exploitable vulnerabilities like EternalBlue or BlueKeep, mentioned on the slide. There is tons of different additional software, like Cygwin, that will allow you to do privilege escalation, badly configured Tomcats, and we have here these funny pie charts that show how the configuration of different software is aligned with the best practices from CIS benchmarks. Those are basically security configuration hardening guides. The most important thing in the application server is a lot of Java software, and in a minute repdet will tell you about this.

Surprise, surprise: one of the most notable problems in this Siemens SPPA-T3000 is actually passwords. There are three important ranges. The first of them is all the installations before 2014 and maybe 2015. All passwords for all the power stations were the same, and you can easily Google them. We've also published the full word list in the white paper. After those years, Siemens started to generate unique passwords for all power plants. But until this year, it was kind of hard to change these passwords. So you need to be aware of how to do this. You need to know the process. You maybe need to contact your system integrator to do this. Starting from this December, it would be much easier, specifically to change passwords. So it's in the past: even if you knew you had these issues, you were not able to simply change all these things. Along with the passwords, you can find the full diagrams and the integrator documentation that can show you how the system is built, how it's operating, specific accounts, etc. Of course, this was not published by Siemens; it was some power plant operators who thought that it would be a good idea to share this information.
So as I said, the most important thing in the application server is a bunch of Java applications, and please welcome moradek, who will share the details about this.

Applause

moradek: Hi, everyone. Let's look at how the server software works on the application server. The operator can communicate with the system through a Thin client and a Fat client. A Thin client acts as a Java applet inside the Internet Explorer browser and communicates with the server through HTTPS, so it can be outside of the application network and its communications can be constrained by a firewall. In contrast, in the case of the Fat client, software should be installed on the operator machine, and the client directly communicates with the RMI registry to find services and after that directly communicates with these RMI services. So the Fat client should belong to the application network. An illustration of the architecture was kindly provided by SPPA; see the URL. Let's divide it into zones. In the red zone are the items that process requests from the Thin client and redirect them to RMI services. And in the green zone are the RMI services which act as network services on their own TCP ports. SPPA consists of containers; each container can encapsulate one or more RMI services inside. All types of containers are represented on the illustration, and all of them have self-explanatory names.

Before we go deep inside the internals of SPPA, let me introduce some tools which were used in this research. First of all, all JAR files inside SPPA are obfuscated with a commercial product. But these security measures can be easily bypassed by a publicly available tool, a deobfuscator. Also, sometimes it is useful to see how legitimate software communicates with the system. It helps to understand the architecture of the system and the workflow of clients. In the case of SPPA, a dissector was written; it represents raw TCP streams in a human-readable format. Inside, it uses the method readObject from the JDK. It is known that this method is unsafe because of insecure deserialization, so be careful not to be exploited through a remote pcap.

The first pillar of SPPA is the Apache web server. According to its config, the software config folder can be accessed by an unauthorized user. In fact, this folder contains some sensitive information about the system. For example, files like the system configuration, data models and the files inside etc contain startup options and the configuration of all containers, on either the application server or the automation server. Also the configuration of Oracle and the publication in Tomcat can be accessed using this vulnerability.

And about Tomcat: there are three web applications registered: remote diagnostic viewer, manager and orion. According to the configuration of Tomcat and the Apache web server, I've observed that the orion service can be accessed through HTTPS. In the file web.xml there is a list of all servlets of the orion application, and the list is really huge. Some of these servlets have attractive names for an attacker, for example BrowseServlet. In fact, it allows browsing the user directory and listing directories of the operating system. But in the case of exploitation, another servlet is more attractive: FileUploadServlet. It allows file upload with system privileges, and the user has full control of the name of the file. So this vulnerability can be easily transformed into a remote code execution. You can override some startup scripts of SPPA, or simply inject a shell into the application and get remote code execution with system rights. Also there are some servlets which contain service factory names. In fact, they redirect HTTP requests to RMI services. Inside, they parse parameters from the HTTP request and search for the desired RMI service according to the parameter service URL, and further invoke the public method of the service. The name of the method is defined in a serialized object in the data section of the HTTP request. Also, the parameters of these calls are defined in this object. So now we have a situation where both the Thin client and the Fat client can access RMI services, but in the case of the Fat client, it can also directly communicate with the RMI registry. So if the application server missed some important Java security updates, it contains an insecure deserialization vulnerability.
And using the public tool ysoserial we can simply exploit it and get code execution with system rights again. The next task will be to list all available RMI services on this SPPA system. At the first step, we simply use the class LocateRegistry from the JDK and get a big list of services. All but one are JMX RMI services; I assume that they perform some general interface for control and management of the containers of SPPA. For further investigation we only choose LookupService. In fact, this service looks like a collection of other RMI services: using its public method list we get the names of all available services, and using the name and the public method lookup we get the reference to an RMI service. All RMI services at this step implement the interface ServiceFactory. So by analogy we can assume that this is again a collection of other RMI services. But in fact it doesn't have a public method to get the name of the service. So we need to decompile the class and find some factory methods which create an RMI service, for example createAdminScript, and inside we can find the name of the created service. As can be guessed, it's AdminService. So using the public method getService with this name, we get the reference to the next-level RMI service, and in the final step we get the reference to the RMI services which perform the real job of SPPA. But this RMI service also contains a lot of public methods for an unauthorized user.

So to sum up: we have the registry, and at each level we find a lot of RMI services, and the last item also contains a lot of public methods. So the attack surface of the SPPA system is really huge. Now that we have listed all available RMI services, the next question is how the authentication of client requests is performed on the system. To answer this question, let's look at how a client request to SecurityService is processed by the system. First of all, the client gets the reference to SecurityService using some clientId. Further, PCServiceFactory tries to get a valid session using this clientId in SessionManager. If SessionManager fails in this task, an exception will be thrown and the client will fail. But if it succeeds, a valid sessionId will be returned to PCServiceFactory, and further, in its turn, an instance of SecurityService will be created in the factory method, while the sessionId will be stored in loginId inside SecurityService. Finally the client will get the reference to SecurityService. Further, he can call some public method of it, but this method can perform privilege checks of the user using loginId in SecurityManager. So to sum up, we have two security measures in this system. But the question is how a user client can perform the login operation if he doesn't have any valid clientId. In this case, at startup of the system, SessionManager adds an anonymous session with clientId that equals zero, and the client will use this clientId and perform the login operation.
But attacker can 0:32:00.150,0:32:07.100 also use this feature and simply bypass[br]those look. So to sum up, there is only 0:32:07.100,0:32:14.770 one security measure on the system ends[br]and each fully delegated to two method or 0:32:14.770,0:32:22.450 for RMI services. But amount of itemized[br]services is huge, amount of public methods 0:32:22.450,0:32:29.249 is really huge. And so it's become really[br]difficult to manage security service of 0:32:29.249,0:32:40.120 system. According to this information. So[br]we know we know all inputs of system. We 0:32:40.120,0:32:45.070 know all possible security measures or[br]systems. So it's time to find 0:32:45.070,0:32:53.180 vulnerabilities in the list of RMI[br]services. This one, which looks so 0:32:53.180,0:32:58.350 attractive, its admins service, it can be[br]accessed with a anonymous session inside. 0:32:58.350,0:33:04.150 If this public method transcript, this[br]method doesn't perform any privileged 0:33:04.150,0:33:13.250 checks, so we can call its resulting[br]Ternium credentials and so on. At first 0:33:13.250,0:33:19.980 step, these methods creates instance of[br]class loader using bytes from arguments 0:33:19.980,0:33:27.429 and in fact this step will allow to[br]arbitrary java class. This class should 0:33:27.429,0:33:33.750 implement interface admins screams and[br]defined method to execute and this method 0:33:33.750,0:33:43.030 to execute will be called by run script of[br]RMI services. For this case we create Java 0:33:43.030,0:33:51.210 class as a simply run os command from[br]arguments of run script. And we get code 0:33:51.210,0:33:58.520 execution on the system, we system, right?[br]Of course, there's a more powerful post 0:33:58.520,0:34:05.790 exploitation of this vulnerability than[br]simply run os command. You can. 
This 0:34:05.790,0:34:13.579 vulnerability allows inject arbitrary java[br]class inside running its SPPA application 0:34:13.579,0:34:25.480 so you can use some Java reflection to to[br]patch some variables of system and and 0:34:25.480,0:34:36.029 have influence on technological properties[br]of SPPA. Else, privilege check inside 0:34:36.029,0:34:43.870 methods of RMI service can be bypassed[br]with SEC vulnerability in session service. This 0:34:43.870,0:34:49.650 service has public method[br]getloggingsessions(). In fact, this method 0:34:49.650,0:34:58.770 return all sessiondata of logged in users on[br]the system. This information includes user 0:34:58.770,0:35:10.040 names, IP and client Id. So if it this[br]amounts these clientId of user that has 0:35:10.040,0:35:16.569 some admin privileges, attacker can use[br]this clientId to get a reference to 0:35:16.569,0:35:22.620 security service and this reference will[br]be with some more privileged session. 0:35:22.620,0:35:36.290 Further further, attacker can goal public[br]method of security service, get all users 0:35:36.290,0:35:43.290 and get all private information about all[br]users of the system and password hashes 0:35:43.290,0:35:53.820 included in this private information. So[br]to sum up, we have to or both of these 0:35:53.820,0:36:06.590 vulnerabilities can be accessed through[br]https and federal rules can be bypassed. 0:36:06.590,0:36:14.200 In general, all communication with RMI[br]services are encrypted. So usernames and 0:36:14.200,0:36:24.880 password hashes are transferred in plain text.[br]This is this because, this is more critical for 0:36:24.880,0:36:37.800 for Fat client case. So more all password[br]hashes doesn't perform any doesn't have 0:36:37.800,0:36:44.400 any session protection mechanism. 
So if[br]attacker can perform when and zoom into a 0:36:44.400,0:36:51.670 key attack against some user office prior[br]and captures the traffic between this user 0:36:51.670,0:36:59.109 and application server, he can get valid[br]username and password hash of the system 0:36:59.109,0:37:05.940 and simply reuses this credentials and[br]perform login operation on the system. 0:37:05.940,0:37:13.820 Moreover, he also can change the[br]password of this user. I talk a lot about 0:37:13.820,0:37:18.750 user names and password hashes, so it's[br]time to understand how these items 0:37:18.750,0:37:27.080 organized on the system. Alex.[br]Alex: Hello everyone. I will continue our 0:37:27.080,0:37:33.170 discussion about application server. On[br]the previous slide you can see how remote 0:37:33.170,0:37:42.910 authentication works. Now. Sorry, I[br]repeat. On the parent slide you could see 0:37:42.910,0:37:49.620 how remote authentication works. And[br]now I'm going to tell you about how it is 0:37:49.620,0:37:57.590 organized locally. After the system, after[br]system gets started, it begins to read two 0:37:57.590,0:38:04.900 files: user1.xml and pdata1.exm to get[br]user list and their password respectively. 0:38:04.900,0:38:11.660 The user1 file is the simple xml while the[br]data1 has a slightly more difficult 0:38:11.660,0:38:17.921 structure. It is jzip archive encoded in[br]base64, so as java actualization object in 0:38:17.921,0:38:23.540 jzip archive contained in a specific xml.[br]The field of this xml presents on the 0:38:23.540,0:38:29.990 slide. They are used to calculate cash[br]value and check passport during their 0:38:29.990,0:38:36.660 authentication. On the bottom of the[br]slide you can see password check algorithm 0:38:36.660,0:38:44.790 in a pseudo code. It's a photographic scam is[br]the type of called crypted hashing scheme 0:38:44.790,0:38:52.190 like on Unix and Linux machine. 
It has a[br]number of iterations salts and only one 0:38:52.190,0:38:56.910 things is edited was, was edited that is[br]hardcore the salt, which is the same for 0:38:56.910,0:39:03.900 all user. The tool for password, as a tool[br]to extract password hashes and set 0:39:03.900,0:39:11.730 parameters from the data1-file had been[br]developed on this slide. You can see its 0:39:11.730,0:39:18.420 output as a tool. The tool can be used[br]during the password auditing, them to 0:39:18.420,0:39:22.730 check her password to check weak or[br]dictionary password and their actual hash 0:39:22.730,0:39:31.960 collision parameters. A tool is available[br]at the link below. And draws the line, 0:39:31.960,0:39:40.660 draws a line on the application server[br]analysis first, as we have seen, attack 0:39:40.660,0:39:47.490 surface is really huge and includes a lot[br]of different components. Secondly, it's 0:39:47.490,0:39:57.310 about remote connections. What's that[br]about? Whether SPP has remote connection 0:39:57.310,0:39:59.620 or because no remote connection. I[br]couldn't I couldn't do end this or someone 0:39:59.620,0:40:13.089 else, who told you? You should check it[br]anyway. And the last thing is an attacker 0:40:13.089,0:40:19.490 has opportunity to impact power generation[br]process. For example, it can start stop 0:40:19.490,0:40:26.070 generation, change some output value. Or[br]get some additional information about 0:40:26.070,0:40:32.230 generation process and all this. Action[br]can be done from application server. It's 0:40:32.230,0:40:40.720 all about application server. And let's[br]start discussion about automation. Its 0:40:40.720,0:40:45.619 main goal of automation server is to[br]execute realtime real time automation 0:40:45.619,0:40:54.209 functions and tasks depending on a[br]depending on the power plant project 0:40:54.209,0:41:01.260 architecture and its features. They're all[br]over automation server can be different. 
We have 0:41:01.260,0:41:07.020 to distinguish three roles. The first one[br]is automation role. They may be a slight 0:41:07.020,0:41:14.190 confusion because the term is used was for[br]server and for it's role, but analyzing 0:41:14.190,0:41:18.839 uplink automation server configuration and[br]publicly available information we have 0:41:18.839,0:41:25.490 found that whatever the role is, almost[br]the same hardware and software are used 0:41:25.490,0:41:34.090 and we have decided to use these kind of[br]classifications. That seems less confusing 0:41:34.090,0:41:40.740 to us. At the same time, it's slightly[br]different from the Windows 0:41:40.740,0:41:49.210 classification anyway. I mean, in[br]automation role, automation role means 0:41:49.210,0:41:53.040 that the server is responsible for[br]interaction with input-output modules to 0:41:53.040,0:41:58.390 each control and monitor power plant[br]equipment such as turbine electric 0:41:58.390,0:42:04.550 generator or some some other. The second[br]role is communication in this role. This 0:42:04.550,0:42:10.360 role is used for connection the third[br]party software and system in other words 0:42:10.360,0:42:18.760 it's just a protocol converter supporting[br]such protocols as modbus, IEC 101, 104 0:42:18.760,0:42:25.339 and some other. And the last role is a[br]migration role. This role is used to 0:42:25.339,0:42:32.890 connect previous version or for SPPA-T2000[br]and as legacy systems such as SPPA- 80 0:42:32.890,0:42:42.570 2002, or tel per MI.. Automation role in[br]automation server in automation role can 0:42:42.570,0:42:52.150 be run on the semantic SLMPC and in an[br]industrial or industrial P.C.. Other roles 0:42:52.150,0:42:55.730 can be run only on industrial PCs. Now[br]let's talk a little more about each role 0:42:55.730,0:43:03.560 and let's start with automation role based[br]on PLC. 
PLC I will directly control field 0:43:03.560,0:43:09.760 devices like valves and turbine and access[br]to them in excess numbers. The game 0:43:09.760,0:43:16.750 over for any security discussion. They[br]usually represent low, the lowest level in 0:43:16.750,0:43:21.750 different reference models, such as do[br]model, for example. Any credential, any 0:43:21.750,0:43:27.630 configuration changes and updates for PLC[br]required to stop to stop technological 0:43:27.630,0:43:33.710 process. So these devices always have[br]security misconfiguration, firmware, 0:43:33.710,0:43:40.260 visible security updates and secure[br]industrial protocols. In case of SPPA they 0:43:40.260,0:43:48.060 are assembler ??? (Server???) protocols[br]LCT data. ??? Logic information about its 0:43:48.060,0:43:54.349 own protocols in the internet, but not so[br]much about PLC data protocol. So we had to 0:43:54.349,0:44:01.859 deal with it and analyze it ourselves.[br]It's not a special protocol for SPPA. When 0:44:01.859,0:44:06.810 you program your Simatic PLC and need to[br]exchange some that some data between them 0:44:06.810,0:44:14.880 in real time. You use this protocol. It's[br]a quite simple protocol and maybe its 0:44:14.880,0:44:21.140 description is available somewhere in the[br]internet. But we couldn't find it. So just 0:44:21.140,0:44:28.830 the case show you need structure. In ways[br]that knows security mechanism in this 0:44:28.830,0:44:35.790 protocol, so, so, so only obstacle while[br]do remain in the middle attack to spoof 0:44:35.790,0:44:40.680 data in the sequence number, which we can[br]get from a packet that just follows the 0:44:40.680,0:44:48.160 implementation. For practical analysis we[br]have developed the sector, which is 0:44:48.160,0:44:55.220 available at the link below. 
During the[br]security assessment of PLC configurations, 0:44:55.220,0:45:02.380 one of the main things, which we check, is[br]unauthorized access to the two reading and 0:45:02.380,0:45:09.550 writing PLC memory. Availability of[br]unauthorized access is determined by 0:45:09.550,0:45:17.480 position of the mode selector of the PLC[br]and some other configuration parameters. 0:45:17.480,0:45:22.870 During the previous research conducted to[br]one of our colleague Daniel Parnischev???? is 0:45:22.870,0:45:30.580 a privilege matrix has been obtained. They[br]shows unsecure states and configurations 0:45:30.580,0:45:37.440 of PLC. The tool for gathering information[br]from the PLC. over the network and its 0:45:37.440,0:45:42.350 analysis has been developed by Danil and[br]also available in our repository. Now 0:45:42.350,0:45:48.250 let's talk about application server based[br]on industrial PC. Its just a Linux box. 0:45:48.250,0:45:52.270 During the start it tries to download some[br]additional files from the application 0:45:52.270,0:45:59.520 server. This file includes to include jar[br]files, the bar scrapes, some configuration 0:45:59.520,0:46:07.260 protocols files and some other. You know,[br]to execute jar files PTC Perc virtual 0:46:07.260,0:46:15.250 machine is used. Is it a runtime java[br]machine widely spread in industrial IJ and 0:46:15.250,0:46:22.700 military area. PTC Perc contains a[br]completion mechanism. So that is all jar 0:46:22.700,0:46:28.190 files contains a bytecode transformation.[br]That's why regularly decompiles Fails 0:46:28.190,0:46:36.490 exam. To solve this problem, we have[br]written a php script to perform reverse 0:46:36.490,0:46:44.110 transformation. After that, regular[br]decompilers have been successful. Running 0:46:44.110,0:46:49.000 jars open RMI services on the automation[br]server and the sound ??? of their 0:46:49.000,0:46:55.849 extension. 
For example, in case of[br]migration server on PC services, which are 0:46:55.849,0:47:00.260 extension of classic Java RMA services are[br]used and on the slide you can see is the 0:47:00.260,0:47:07.280 list of of these services. Just the key[br]issues of automation. So based on 0:47:07.280,0:47:13.250 industrial PCM present represents just[br]light. Firstly, as you can see, it's there 0:47:13.250,0:47:19.790 is a possibility to spoof downloaded files[br]from application server files downloaded 0:47:19.790,0:47:24.980 over https and there are no security[br]security mechanisms during the process. 0:47:24.980,0:47:32.000 Secondly, it's about the default[br]credentials. You can get access over SSH 0:47:32.000,0:47:40.740 SSH to server vs user SAM admin and[br]password. See him next. It's 0:47:40.740,0:47:46.130 vulnerabilities in archives in our around[br]IPC services. This will not be allowed to 0:47:46.130,0:47:50.840 perform sensitive data explosion and[br]remote code execution. And finally, the 0:47:50.840,0:47:54.520 last group with vulnerabilities found in[br]the software used to feel an immigration 0:47:54.520,0:48:01.770 role for communication vs SB 82000, also[br]known as the DSP system has a number of 0:48:01.770,0:48:06.480 issues on the immigration server vs old[br]TXP. You are not. You are in magic 0:48:06.480,0:48:14.190 position. If you wrote about your own[br]obviously vulnerabilities as they are in 0:48:14.190,0:48:21.210 runtime as you need and service as this[br]service contains request runtime contain a 0:48:21.210,0:48:29.480 method where the first argument defines as[br]the action to be executed. Using the 0:48:29.480,0:48:34.620 action read file it is possible to get[br]content of any file from the system. Using 0:48:34.620,0:48:39.460 the right config file it's possible to[br]write information to the server. To the 0:48:39.460,0:48:46.700 server. 
And for example, it can be a jar[br]files, which execute shell command on from 0:48:46.700,0:48:52.800 the command line and use in some SPPA[br]specific functions, you can execute these 0:48:52.800,0:49:00.580 jar files later. This is all about[br]automation server. To sum up, automated 0:49:00.580,0:49:07.540 automation server can based on PLC or[br]industrial PC. In case of PLC it says a 0:49:07.540,0:49:16.420 simple PLC is usual PLC with no security[br]issues. In case of industrial PLC.. it's 0:49:16.420,0:49:21.990 just a Linux box., which try to download[br]some additional files from the application 0:49:21.990,0:49:28.639 server and some of them execute with the[br]virtual machine. So far, we haven't 0:49:28.639,0:49:33.390 mentioned any network equipment using[br]distributed control system Using the 0:49:33.390,0:49:41.340 research we saw a wide variety of network[br]devices and network infrastructure, 0:49:41.340,0:49:46.820 including switches, firewalls and more[br]rare devices such as data diode, for 0:49:46.820,0:49:55.790 example. We tried to summarize all this[br]information and got it common SPPA on 0:49:55.790,0:50:02.160 network topology and scam. Lookup shown in[br]purple usual places for network devices. 0:50:02.160,0:50:08.510 By the same device it can be found in[br]other vendors distributed control system. 0:50:08.510,0:50:13.110 Network devices in industrial network[br]usually have a lot of security issues. The 0:50:13.110,0:50:18.579 reason for this is that most of them don't[br]require any configuration before start and 0:50:18.579,0:50:29.199 can be run out of the box. And that's why[br]the things like get NLP??? and then be 0:50:29.199,0:50:35.220 coming in to stream with credentials for[br]different services. Fill ware? with 0:50:35.220,0:50:43.910 publicly, publicly available, exploits and[br]just a lack of security configurations. 
0:50:43.910,0:50:53.321 All the things are usual for usual for[br]network devices and they are usually usual 0:50:53.321,0:51:01.380 usual security issues for our industrial[br]network. I think that's all I know now 0:51:01.380,0:51:07.170 Gleb will sum up our discussion.[br]repdet: Yep. Yep. So the topic of power 0:51:07.170,0:51:13.660 plants is huge. The system is huge and we[br]try to cover this and that's a lot of 0:51:13.660,0:51:17.690 small things in the talk. And in fact[br]everything can be summed up on this slide. 0:51:17.690,0:51:22.550 These those are just the vulnerabilities,[br]as you can see in the problems in Java, in 0:51:22.550,0:51:28.220 Web applications, in different simple[br]mechanisms that you can exploit actually 0:51:28.220,0:51:33.340 directly even not go into the PLC or field[br]level, field level. You can impact the 0:51:33.340,0:51:39.460 process itself. What we don't cover in[br]this talk, is actually what select 0:51:39.460,0:51:44.200 havoc???? or disaster could be caused by[br]attacking such systems because it's actually 0:51:44.200,0:51:48.930 not that bad. I mean they're talking about[br]things like blackouts of the series or 0:51:48.930,0:51:54.470 things like this. This is not what you can[br]do with as a consensus system, because the 0:51:54.470,0:51:59.000 like the distribution of the power power[br]in the grid is not there according to the 0:51:59.000,0:52:02.100 threat model is not the problem of the[br]power generation. There shouldn't be like 0:52:02.100,0:52:05.950 another regulator who should watch for[br]like enough capacity in the network to 0:52:05.950,0:52:10.860 fill this, to fill the electricity for the[br]customers. So what we're really speaking 0:52:10.860,0:52:17.350 here is like the is how we can impact[br]there. For example, the turbine, the 0:52:17.350,0:52:23.090 turbine is itself, for example, but we had[br]no access to the real turbine. 
They're 0:52:23.090,0:52:27.580 big, expensive, and we haven't found[br]anyone willing to provide us one. So we 0:52:27.580,0:52:34.060 will destroy it. But the point is, we have[br]an educated guess like PLCs, they control 0:52:34.060,0:52:38.780 a lot of parameters of this turbine. And[br]the turbine is like a big mechanical 0:52:38.780,0:52:44.599 monster that is actually self degrading by[br]working and putting it into different like 0:52:44.599,0:52:49.880 uncomfortable operating modes will degrade[br]it even faster or it will break its end. 0:52:49.880,0:52:54.330 It's not easy. You can have a spare PLC or[br]some other device. You won't have a spare 0:52:54.330,0:53:03.021 turbine. So that the impact is there. But[br]it's not like a very huge. So what we 0:53:03.021,0:53:09.440 tried to do with this research mostly is[br]to understand, how we can help the power 0:53:09.440,0:53:14.910 plant, the apparatus out there. And we[br]have to fight in all the issues and 0:53:14.910,0:53:19.750 analysing this infrastructures and the[br]customer sites, we understood that all of 0:53:19.750,0:53:23.950 the installations actually did the same.[br]And we can write a very simple do it 0:53:23.950,0:53:30.249 yourself assessment. And hopefully even[br]like engineers on the power plants can 0:53:30.249,0:53:35.050 test themselves. It is very easy. A set of[br]steps on two or three pages. You connect 0:53:35.050,0:53:39.020 to application network, you connect to the[br]automation network, you run the tests, you 0:53:39.020,0:53:43.050 get the results. And afterwards you talk[br]with Siemens. Well, you can fix something 0:53:43.050,0:53:47.971 by yourselves. And basically you don't[br]have to hire like expensive consultants to 0:53:47.971,0:53:52.950 do the job. You should be. You should be[br]able to do it by yourself. We hope that 0:53:52.950,0:54:00.620 you will be able to do it. Of course. 
To[br]summarize the whole situation around 0:54:00.620,0:54:07.320 DCSs, it is if you have seen other[br]industrial solutions like SCADAs, like 0:54:07.320,0:54:13.210 substations and if any actually, you would[br]find a lot of similarities and they the 0:54:13.210,0:54:18.230 whole like it will have the same pain[br]points as all other solutions. There is a 0:54:18.230,0:54:24.330 good documents from there. IEC 62443[br]which describes how like power plant 0:54:24.330,0:54:29.260 operator or asset owner should talk to the[br]system integrator and the vendor. With the 0:54:29.260,0:54:33.360 vendor in terms of what security they[br]should require and how they should control 0:54:33.360,0:54:40.960 it. We urge any power plant operator to[br]read this standards and to require 0:54:40.960,0:54:46.130 security from their vendors and system[br]integrators, because nowadays it depends 0:54:46.130,0:54:49.390 from vendor to vendor. Maybe vendor is[br]more interested in the security or the 0:54:49.390,0:54:53.710 plant or some regulator and the like.[br]Nobody knows how to act. This is the 0:54:53.710,0:55:00.050 document where a which describes how you[br]should talk with all other entities. Of 0:55:00.050,0:55:07.680 course, read the slides, read the white[br]paper in the January. Call Siemens updatal 0:55:07.680,0:55:12.160 systems, change your passwords and[br]configurations. This is actually very easy 0:55:12.160,0:55:18.790 to at least to shrink the attack surface.[br]A lot of things inside SPPS ??? network is 0:55:18.790,0:55:23.460 a modern Windows boxes and it's kind of[br]easy to set up some form of monitoring, so 0:55:23.460,0:55:27.849 you should talk to your security[br]operations center. They would be able to 0:55:27.849,0:55:32.720 look for some logs, not most of the[br]impact that we showed, like it was their 0:55:32.720,0:55:36.770 input from the java application and[br]you won't be able to monitor all of these. 
0:55:36.770,0:55:41.770 We have like security events in Windows.[br]But at least it's still some form of 0:55:41.770,0:55:49.440 detection process inside your network. And[br]again, finally, to summarize, it is not 0:55:49.440,0:55:55.210 like a problem of one DCS from Siemens.[br]There are exactly the same issues for 0:55:55.210,0:56:01.910 other vendors not mentioned here. We will[br]release a lot of things today, tomorrow 0:56:01.910,0:56:07.210 and in January. Basically like the big[br]white paper about everything that we have 0:56:07.210,0:56:11.149 found out, we have recommendations, what[br]to do with the wordlists, with the do it 0:56:11.149,0:56:16.319 yourself security assessments with a lot[br]of tools up. One of the tools would help 0:56:16.319,0:56:19.420 you to do the research, another tools[br]would help you, for example, if you are 0:56:19.420,0:56:24.080 using intrusion detection detection[br]systems like IDSs, you would be able to 0:56:24.080,0:56:29.700 parse the protocols and maybe write some[br]signatures for them. We work closely with 0:56:29.700,0:56:33.880 Siemens. We want to say thank you for the[br]Siemens ProductCERT. They did a great 0:56:33.880,0:56:37.970 job in communications between us and the[br]product team that develops the products 0:56:37.970,0:56:42.020 that Siemens SPPA team for ??? in[br]itself. The main outlines from the vendor 0:56:42.020,0:56:47.150 response is, that if a power plant[br]operator, you should hurry and install a 0:56:47.150,0:56:55.339 new version 8.2 SP2. There are Siemens[br]is trying to like educate and raise 0:56:55.339,0:56:59.700 awareness outside their customers. That's[br]first of all, they should change passwords 0:56:59.700,0:57:04.070 that there are critical vulnerabilities[br]and they should do something with it. And 0:57:04.070,0:57:10.970 there is not all the problems are fixable by[br]Siemens themselves. 
There is an operator 0:57:10.970,0:57:19.310 is viable for some of the activities to do[br]the security by themselves. So that's 0:57:19.310,0:57:24.110 actually it. Thank you. Thank you very[br]much. Thank you, Congress. If you have any 0:57:24.110,0:57:26.930 questions, please welcome. 0:57:26.930,0:57:36.030 Applause 0:57:36.030,0:57:40.790 Herald: Thank all of you for this excellent[br]talk, we have a short three minutes for 0:57:40.790,0:57:45.270 questions. If you have questions, please[br]line up at the microphones in the hall. If 0:57:45.270,0:57:49.380 you're using hearing aids, there is an[br]induction loop at microphone number three. 0:57:49.380,0:57:54.440 Do we have questions from the Internets?[br]Yes. Question from our signal angel, 0:57:54.440,0:57:59.109 please.[br]Signal-Engel: So we've got a question with 0:57:59.109,0:58:03.270 the vulnerabilities found. Could you take[br]over those cans from the worldwide web cam 0:58:03.270,0:58:10.900 without the freedom and the minimum tax?[br]Herald: Can you please repeat. 0:58:10.900,0:58:13.509 repdet: A little bit louder, please?[br]Signal-Engel: Sorry. With your own 0:58:13.509,0:58:19.430 vulnerability found, could you take[br]control over those plants without worldwide 0:58:19.430,0:58:26.560 them from public Internet, without further[br]amending the ??? ? 0:58:26.560,0:58:31.069 repdet: Actually, no. This is and this is[br]some poor some form of the good news. 0:58:31.069,0:58:35.010 Those systems are exclusively supported by[br]one system integrator, by Siemens. They 0:58:35.010,0:58:39.400 are more or less protected from the[br]external access. Of course, there would be 0:58:39.400,0:58:43.830 external access, but it's not that easy to[br]reach it. And of course, it's we're not 0:58:43.830,0:58:46.569 talking about Internet. We're talking[br]about some corporate networks of things 0:58:46.569,0:58:50.420 like this.[br]Herald: Next question, microphone three, 0:58:50.420,0:58:54.500 please.[br]Mic. 
3: Yes, hello. Uh, I also have a 0:58:54.500,0:59:00.070 power plant on my planet and, uh, it's[br]kind of bad for the atmosphere, I figured. 0:59:00.070,0:59:05.670 So, uh, my question is, can you skip back[br]to where the red button is to switch it 0:59:05.670,0:59:14.460 off? And I'm asking for a friend.[br]Laughter, Applause 0:59:14.460,0:59:18.750 repdet: As we never thought about that,[br]these materials can be used in this way. 0:59:18.750,0:59:24.920 But yeah. Specifically, if you have an[br]operator of engineers, friends on the 0:59:24.920,0:59:29.530 power plants, you can talk to them.[br]Herald: Do we have any more questions from 0:59:29.530,0:59:38.410 the Internets? No questions. Any questions[br]from the hall? I guess not. Well, then, 0:59:38.410,0:59:41.401 thank you very much for this talk and a[br]warm round of applause. 0:59:41.401,0:59:45.901 Applause 0:59:45.901,0:59:48.771 36c3 Postroll music 0:59:48.771,1:00:13.000 Subtitles created by c3subtitles.de[br]in the year 2020. Join, and help us!