1
00:00:00,000 --> 00:00:19,640
36C3 Preroll music
2
00:00:19,640 --> 00:00:23,070
Herald: One of the obvious critical
infrastructures we have nowadays is power
3
00:00:23,070 --> 00:00:29,539
generation. If there is no power, we're
pretty much screwed. Our next speakers
4
00:00:29,539 --> 00:00:34,690
will take a very close look at common
industrial control systems used in power
5
00:00:34,690 --> 00:00:42,690
turbines and their shortcomings. So please
give a warm round of applause to repdet,
6
00:00:42,690 --> 00:00:44,830
moradek and cOrs.
7
00:00:44,830 --> 00:00:52,240
Applause
8
00:00:52,240 --> 00:00:58,610
repdet: Good morning, Congress. Thank you
for waking up in the morning. We will talk
9
00:00:58,610 --> 00:01:05,000
about the security of power plants today,
specifically about automation systems,
10
00:01:05,000 --> 00:01:11,139
that are used in the power plants up. You
might think that this is another talk
11
00:01:11,139 --> 00:01:18,149
about how insecure the whole industrial
things around us are and more or less it
12
00:01:18,149 --> 00:01:24,759
is. So for four years, we are we and our
colleagues speak about problems in
13
00:01:24,759 --> 00:01:30,819
industrial security. We are happy to say
that things are getting better, but it's
14
00:01:30,819 --> 00:01:34,389
just that the temper is a little bit
different and feels a little bit
15
00:01:34,389 --> 00:01:38,990
uncomfortable though. Anyway, we will
speak about to like how a power plants are
16
00:01:38,990 --> 00:01:43,150
built. What is the automation inside? What
are the vulnerabilities? And like the high
17
00:01:43,150 --> 00:01:48,730
level overview of what you can do with
this. But up at first a little bit of
18
00:01:48,730 --> 00:01:56,529
introduction. We are security consultants.
We work with a lot of industrial things
19
00:01:56,529 --> 00:02:02,939
like PLCs, RTUs, SCADAs, DCSs, LCS
whatever it is, we were doing this for too
20
00:02:02,939 --> 00:02:10,300
long. We should have fought, for so long
that we have a huge map of contacts with a
21
00:02:10,300 --> 00:02:15,890
lot of system integrators and vendors. And
from the time we are not just doing the
22
00:02:15,890 --> 00:02:21,440
consultancy work for some asset owner, for
example, for a power plant. We also talk
23
00:02:21,440 --> 00:02:27,330
to other entities and we try to fix
things altogether. We work at Kaspersky
24
00:02:27,330 --> 00:02:32,320
and actually the whole research was done
not just by me, Rado and Alexander, who
25
00:02:32,320 --> 00:02:44,060
are here, but also with the help of
Eugenia and two Sergeys. Yep. So things
26
00:02:44,060 --> 00:02:49,170
that are very important to note is that
everything that we will discuss right now
27
00:02:49,170 --> 00:02:57,920
is reported to our respective vendor.
Basically long time ago you can see like
28
00:02:57,920 --> 00:03:03,270
vendors here, but more or less we will
speak only about one vendor today. It's
29
00:03:03,270 --> 00:03:09,690
it's it is Siemens. But we would like you
to understand that a similar security
30
00:03:09,690 --> 00:03:15,250
issues can be found in all other
industrial solutions from other vendors.
31
00:03:15,250 --> 00:03:19,951
You would find some of the findings, not,
for example, that seller does not require
32
00:03:19,951 --> 00:03:26,280
like weeks off work to find them out. And
this would be true specifically for all
33
00:03:26,280 --> 00:03:33,090
other vendors which are not mentioned in
the talk. Jokes aside, we will share
34
00:03:33,090 --> 00:03:41,850
security issues of real power plants out
there and it might look like we are we are
35
00:03:41,850 --> 00:03:48,900
kind of irresponsible guys. But in fact,
this is the other way around. I mean that
36
00:03:48,900 --> 00:03:54,280
to do some kind of research on with these
systems that are working in the power
37
00:03:54,280 --> 00:03:59,580
plants, you need to get access to them.
You need time to do this research. You
38
00:03:59,580 --> 00:04:05,709
need to have some knowledge to do this
research and all these resources, they are
39
00:04:05,709 --> 00:04:10,430
limited for guys like us, for penetration
testers, for auditors, for power plant
40
00:04:10,430 --> 00:04:16,209
operators and engineers, but for the bad
guys like the potential attacker or so
41
00:04:16,209 --> 00:04:22,280
adversaries. This is actually their job.
They they have a lot of investments to do
42
00:04:22,280 --> 00:04:27,699
some research. So we assume that bad guys
already know this. And we just we would
43
00:04:27,699 --> 00:04:32,569
like to share some information with the
good guys so they would be able to act
44
00:04:32,569 --> 00:04:42,240
upon this. So let's go to the talk itself.
Power plants, power plants is the most
45
00:04:42,240 --> 00:04:48,520
common way how humans get their power,
their electricity, their every everywhere
46
00:04:48,520 --> 00:04:54,259
around us. And there I believe the closest
one to Leipzig is called the Lippendorf
47
00:04:54,259 --> 00:04:59,099
power station. And during this research
when we were preparing an introduction, we
48
00:04:59,099 --> 00:05:02,300
were surprised how many information about
power plants you can get from the
49
00:05:02,300 --> 00:05:07,430
Internet. It's not just, for example, a
picture of this of the same power station
50
00:05:07,430 --> 00:05:14,800
on the Google Maps. It is actually a very
it's a very good scheme of what you can
51
00:05:14,800 --> 00:05:20,020
see on the marketing materials from
vendors, because when they sell some
52
00:05:20,020 --> 00:05:24,199
system that ultimate power plant
operations, they sometimes start with
53
00:05:24,199 --> 00:05:29,759
building construction. And on their on
their websites, you can find the schematic
54
00:05:29,759 --> 00:05:34,400
pictures of actually which building does
what and where you will find some
55
00:05:34,400 --> 00:05:39,900
equipment, which versions of equipment are
used in these systems. But if you like, if
56
00:05:39,900 --> 00:05:45,189
you don't have this experience, you can
just Google things and you will find out
57
00:05:45,189 --> 00:05:50,029
which systems are used for automation in
power plants, for example, for Lippendorf
58
00:05:50,029 --> 00:05:57,129
it's some system that is called Siemens
SPP T2000 and P3000, which is actually
59
00:05:57,129 --> 00:06:02,819
have another Siemens system inside called
Siemens SPPA-T/P3000. So it's a little bit
60
00:06:02,819 --> 00:06:09,539
confusing and it is. And we are still
confused. This is exactly the system that
61
00:06:09,539 --> 00:06:18,479
would be that we will focus today. Siemens
SPPT 3000. And again, it could be any
62
00:06:18,479 --> 00:06:23,619
other automation system, but it just
happened the way that we've seen this
63
00:06:23,619 --> 00:06:31,889
system more and more often than others. Up
there is a way how you can actually see
64
00:06:31,889 --> 00:06:37,529
older generation sites throughout the
world. Thanks to their carbon monitoring
65
00:06:37,529 --> 00:06:42,600
communities, this is not just power
plants. This is also like nuclear sites,
66
00:06:42,600 --> 00:06:49,409
wind generation, solar, solar plants, etc.
and etc. They are all here, marked by
67
00:06:49,409 --> 00:06:56,479
different fuel types of generation. For
example, there are coal and gas power
68
00:06:56,479 --> 00:07:03,379
plants. Mark, marked there. So the topic
is really huge. And like what we will
69
00:07:03,379 --> 00:07:08,580
focus today in our talk is mostly the
power plants which are work on coal and
70
00:07:08,580 --> 00:07:14,360
gas, which is important to mention. The
heart of each power plant is actually a
71
00:07:14,360 --> 00:07:18,170
turbine. We don't have a picture of a
turbine on the slides, but more or less, I
72
00:07:18,170 --> 00:07:24,010
think everybody saw it on the airplane.
There are various that there are similar
73
00:07:24,010 --> 00:07:31,189
specifically in terms of size and mostly
how they work up on different vendor's Web
74
00:07:31,189 --> 00:07:36,979
sites. You can actually find a lot of
information where those turbines are used.
75
00:07:36,979 --> 00:07:44,449
And this is, for example, the map of the
turbines from Siemens. Not all turbines
76
00:07:44,449 --> 00:07:48,150
specifically are used in power plants. So
there have a lot of different applications
77
00:07:48,150 --> 00:07:53,089
like chemical plants, oil and gas. A lot
of other things. But if you correlate this
78
00:07:53,089 --> 00:07:57,439
information from previous slides, you
would be able to identify which systems
79
00:07:57,439 --> 00:08:01,069
are used by which power plant. And if you
will, Google more information, you can
80
00:08:01,069 --> 00:08:05,409
actually tell their versions and the
generations of the systems that are used
81
00:08:05,409 --> 00:08:10,110
on these power plants. This is important
because of the vulnerabilities that we
82
00:08:10,110 --> 00:08:17,199
will discuss later on on the slide. So
before we will speak about so what is the
83
00:08:17,199 --> 00:08:21,909
automation on power plants, we should
understand a little bit how they work. So
84
00:08:21,909 --> 00:08:27,659
we will go from right to left and it's
very easy. A little notice: for
85
00:08:27,659 --> 00:08:31,259
all the talk, we will simplify a lot of
things for two reasons. One of them to
86
00:08:31,259 --> 00:08:36,520
make it more suitable for the audience.
And another thing. We don't really
87
00:08:36,520 --> 00:08:43,080
understand everything by ourselves. So the
first thing you should get is a fuel. Fuel
88
00:08:43,080 --> 00:08:49,110
could be, for example, a coil or coal or a
gas. And you will just put this inside the
89
00:08:49,110 --> 00:08:54,830
combustion chamber where you would put it
to set it up on fire, actually. And it
90
00:08:54,830 --> 00:08:59,260
will generate a lot of pressure which will
go to the turbine. And because of the
91
00:08:59,260 --> 00:09:05,100
pressure, the turbine will begin to
rotate. The turbine, have a shaft which
92
00:09:05,100 --> 00:09:10,100
will drive the electricity generator,
which is obviously will generate
93
00:09:10,100 --> 00:09:16,050
electricity and put it on the power grid.
So it is important from now I want to
94
00:09:16,050 --> 00:09:21,350
understand that when we generate some some
electricity on the power plant, we put
95
00:09:21,350 --> 00:09:27,750
this this power not just for, for example,
for this Congress center or for some city.
96
00:09:27,750 --> 00:09:33,810
We put it in a big thing called the power
grid, where other entities will sell this
97
00:09:33,810 --> 00:09:40,380
electricity to different customers.
There is also very interesting point about
98
00:09:40,380 --> 00:09:46,500
like, when we do generate this pressure
and the combustion chamber is on fire, we
99
00:09:46,500 --> 00:09:51,070
have a lot of excessive heat. And we have
two options like one of them is to safely
100
00:09:51,070 --> 00:09:55,100
put it in the air. We have condensing
towers. This is option number one. And
101
00:09:55,100 --> 00:10:00,650
another option is we can do some form of
recuperation. For example, we would take
102
00:10:00,650 --> 00:10:06,730
this heat. We will warm water. The water
will produce steam. And we will put this
103
00:10:06,730 --> 00:10:11,960
steam in the steam turbine and produce
additional electricity. This is kind of
104
00:10:11,960 --> 00:10:20,450
the optimization of some of some form. So
what is the automation in this process?
105
00:10:20,450 --> 00:10:24,190
The automation systems that are used on
the power plants are usually called
106
00:10:24,190 --> 00:10:31,090
distributed control systems or DCSs. And
everything that I just said that it just
107
00:10:31,090 --> 00:10:36,790
described actually is automated inside
those systems. The vendor of the solution
108
00:10:36,790 --> 00:10:41,650
want to simplify all things for the
operator, because we don't want like
109
00:10:41,650 --> 00:10:46,250
hundreds of people working on the power
plant. We just want like maybe dozens of
110
00:10:46,250 --> 00:10:50,830
people working there and they want to
simplify the whole the whole process of
111
00:10:50,830 --> 00:10:55,780
length. They don't care about where they
get this ???, gas or coal how much they
112
00:10:55,780 --> 00:11:01,220
need it. They just should be able to stop
the generation process started. And they
113
00:11:01,220 --> 00:11:04,930
control one main thing, which is called
how much power we should produce to the
114
00:11:04,930 --> 00:11:13,420
power grid. So like how many megawatts of
electricity we should produce. This is
115
00:11:13,420 --> 00:11:19,930
this. This describes the actually the
complexity, complexity hidden inside these
116
00:11:19,930 --> 00:11:24,070
solutions because there are a lot of small
things happening inside and we will
117
00:11:24,070 --> 00:11:29,080
discuss it a little bit later. As I said,
these DCSs, they're not exclusively used
118
00:11:29,080 --> 00:11:33,560
on the power plants. There are a lot of
other sites that would use the same
119
00:11:33,560 --> 00:11:40,180
solutions, the same software and hardware.
The DCS is not just like a software that
120
00:11:40,180 --> 00:11:44,980
you can install. It's a set of hardware
and software, various inputs, output,
121
00:11:44,980 --> 00:11:49,550
models, sensors, etc., etc.. As I said,
sometimes they start from building
122
00:11:49,550 --> 00:11:55,260
construction of like there is a field.
Please build a super power station. So
123
00:11:55,260 --> 00:12:01,190
it's a more complex projects. Most, most
of the time. There are a lot of vendors
124
00:12:01,190 --> 00:12:06,250
that are doing it. As I said, we are
focusing on this stock, on the Siemens
125
00:12:06,250 --> 00:12:15,720
one. Just a short little short description
of how simplified things are for operators
126
00:12:15,720 --> 00:12:21,330
of this DCS software. So, for example, if
we would like to answer the question how
127
00:12:21,330 --> 00:12:28,020
we would regulate the output in megawatts
of our power plant, we would need to
128
00:12:28,020 --> 00:12:33,030
control basically three things. Again, we
are oversimplifying here. First of all,
129
00:12:33,030 --> 00:12:37,900
you would control how many. This is an
example for there for the gas turbine. So
130
00:12:37,900 --> 00:12:43,060
we would need to regulate how much gas
we would put inside the combustion chamber
131
00:12:43,060 --> 00:12:49,490
where would control the flame temperature.
And we will control the thing that gets
132
00:12:49,490 --> 00:12:54,870
air inside the turbine that basically
three things that are controlled by simple
133
00:12:54,870 --> 00:13:00,380
PLCs in the whole system. And you
would be able, for example, to change 100
134
00:13:00,380 --> 00:13:08,830
megawatts to 150 megawatts based on these
settings. So the system itself that we are
135
00:13:08,830 --> 00:13:15,480
going to discuss is called Siemens
SPPT3000. And actually, again, as allow
136
00:13:15,480 --> 00:13:21,750
all other DCS systems or from other
vendors. This is a typical industrial
137
00:13:21,750 --> 00:13:28,630
systems system. It has all these things
called PLCs, RTUs, HMIs, servers,
138
00:13:28,630 --> 00:13:34,070
OPC traffic, et cetera, et cetera. The
only thing that has a difference
139
00:13:34,070 --> 00:13:41,100
specifically for Siemens as SPPT3000 is
that they have two main things called
140
00:13:41,100 --> 00:13:46,320
application server and automation server.
That's this software running on the
141
00:13:46,320 --> 00:13:53,380
servers is not what you will find on other
installations. Despite the fact that there
142
00:13:53,380 --> 00:13:59,900
are a lot of like if you will read the
manuals for for the systems from Siemens.
143
00:13:59,900 --> 00:14:07,010
There would be a lot of different networks
and highways and a lot of things like
144
00:14:07,010 --> 00:14:11,410
Siemens would state that there is no
connection between the application network
145
00:14:11,410 --> 00:14:18,300
and external networks. In practice and in
reality, you will find things like spick
146
00:14:18,300 --> 00:14:23,170
sensor network, like monitoring both
vibration, foreign objects and some noises
147
00:14:23,170 --> 00:14:28,970
inside the turbine. You will find the
demilitarized zone because all in all,
148
00:14:28,970 --> 00:14:33,900
like all power plant operators, they won't
have like onsite maintenance guys,
149
00:14:33,900 --> 00:14:37,860
engineers. They would try to do a remote
support. They would need to install
150
00:14:37,860 --> 00:14:42,630
updates for operating system, although for
their signatures of their anti viruses,
151
00:14:42,630 --> 00:14:46,420
they would need to push some OPC
traffic. So like information about the
152
00:14:46,420 --> 00:14:50,620
generation process outside either to
corporate network or to some regulator,
153
00:14:50,620 --> 00:14:54,360
because the whole energy market is
regulated and there are different entities
154
00:14:54,360 --> 00:14:58,570
who would monitor common electricity
generation or they basically will tell you
155
00:14:58,570 --> 00:15:02,680
how much electricity you should generate.
Because this is common electricity was
156
00:15:02,680 --> 00:15:09,110
sold on the energy market. Basically,
the whole talk is structured like this. We
157
00:15:09,110 --> 00:15:13,790
will speak first about application server,
then automation server and then some
158
00:15:13,790 --> 00:15:20,650
summary. It all started with the process
called Coordinated Vulnerability
159
00:15:20,650 --> 00:15:28,000
Disclosure. We notified Siemens about some
issues almost a year ago and like a month
160
00:15:28,000 --> 00:15:34,950
at the beginning of December, Siemens
published an advisory. It was it was not
161
00:15:34,950 --> 00:15:39,890
an advisory just from from the issues,
just from us. A lot of other teams also
162
00:15:39,890 --> 00:15:45,540
contributed to it. And this December, this
year, December, doesn't mean that Siemens
163
00:15:45,540 --> 00:15:51,230
just released the patches. When they say
that this system, SPPT3000, is exclusively
164
00:15:51,230 --> 00:15:56,060
supported. So the system integrator for
the system is Siemens itself. So
165
00:15:56,060 --> 00:15:59,930
throughout the year after we notified them
about some security issues, they started
166
00:15:59,930 --> 00:16:05,770
to roll out patches and install updates on
critical infrastructure they support and
167
00:16:05,770 --> 00:16:13,260
hopefully they did it with all the
sensitive issues. There is a lot of things
168
00:16:13,260 --> 00:16:18,580
to discuss here we will skip, because we
are a little bit in a hurry. Things like
169
00:16:18,580 --> 00:16:24,100
not all vulnerabilities are the same. And
we use, for example, CVSS here to talk
170
00:16:24,100 --> 00:16:28,300
about like how critical the vulnerability
is, but it's actually not very applicable
171
00:16:28,300 --> 00:16:33,750
to the industrial sites. You should
understand what you can do with each
172
00:16:33,750 --> 00:16:39,190
vulnerability, how you can impact the
process, and we will skip this part. There
173
00:16:39,190 --> 00:16:45,350
is actually kind of a threat model in the
white paper that we will release later on,
174
00:16:45,350 --> 00:16:53,440
like during January. We will hope. So,
application server, application server is
175
00:16:53,440 --> 00:17:02,550
this main is is a main resource that you
would find in the SPPT3000 network. Like
176
00:17:02,550 --> 00:17:07,870
if if someone will remotely connect to the
system, it would end up in application
177
00:17:07,870 --> 00:17:12,020
server. If someone wants to start the
generation process or to change some
178
00:17:12,020 --> 00:17:17,800
values, it would be the application
server. If there are other servers that
179
00:17:17,800 --> 00:17:21,270
would, for example, try to communicate the
application server, they will actually
180
00:17:21,270 --> 00:17:25,530
start their work by downloading their
software from application server and then
181
00:17:25,530 --> 00:17:31,850
executing it. So the first thing you might
notice here is there are a lot of a lot of
182
00:17:31,850 --> 00:17:37,960
network ports available on this on this
machine. And actually, this is the first
183
00:17:37,960 --> 00:17:45,190
point. There is a, a huge attack surface
for the adversary to choose whether or
184
00:17:45,190 --> 00:17:49,460
not he would like to compromise some
Siemens software or its Windows software
185
00:17:49,460 --> 00:17:55,030
or its some another third party. Huge
attack surface starting from the fact that
186
00:17:55,030 --> 00:18:01,240
there are, all of the installation of this
SPP systems are kind of different. So
187
00:18:01,240 --> 00:18:05,850
depending on the version and other
generation, you can find different Windows
188
00:18:05,850 --> 00:18:17,970
versions from 2003 to 2016. Hopefully they
are all updated right now, but because the
189
00:18:17,970 --> 00:18:24,220
that the update process for such as for
such installations is is a hard thing to
190
00:18:24,220 --> 00:18:29,059
do. I mean you should wait for maintenance
and it should be like maybe once in a
191
00:18:29,059 --> 00:18:33,470
healthy year or once a year. You will
always find some window where you can use
192
00:18:33,470 --> 00:18:38,480
some remotely exploitable vulnerabilities
like EternalBlue or BlueKeep, as
193
00:18:38,480 --> 00:18:45,240
mentioned on the slide. There is tons of
different additional software like all
194
00:18:45,240 --> 00:18:48,570
signwin??? that will allow you to do
privilege escalation, badly configured
195
00:18:48,570 --> 00:18:55,300
Tomcats and we have here this funny pie
charts that show how configuration of
196
00:18:55,300 --> 00:19:00,330
different software is aligned with the
best practices from CIS benchmarks. Those
197
00:19:00,330 --> 00:19:06,621
are those are basically security
configuration hardening guides. The most
198
00:19:06,621 --> 00:19:12,760
important thing in the application server
is a lot of Java software and in a minute
199
00:19:12,760 --> 00:19:19,230
repdet will tell you about this. Surprise,
surprise there, the one of the most
200
00:19:19,230 --> 00:19:27,510
notable problems in this Siemens SPPT3000
is actually passwords. There, there are
201
00:19:27,510 --> 00:19:32,420
three important ranges. The first the
first of them is like what's all the
202
00:19:32,420 --> 00:19:39,681
installations before 2014 and maybe 2015.
All passwords for the for for all the
203
00:19:39,681 --> 00:19:44,360
power stations were the same. And you can
easily Google them. We've also published
204
00:19:44,360 --> 00:19:50,280
like the full word list in the white
paper. After this year's Siemens started
205
00:19:50,280 --> 00:19:57,800
to generate the unique passwords for all
power plants. But until this year, it was
206
00:19:57,800 --> 00:20:01,540
kind of hard to change this password. So
you need to be aware of how to do this.
207
00:20:01,540 --> 00:20:04,310
You need to know the process. You maybe
need to contact to contact your system
208
00:20:04,310 --> 00:20:08,260
integrator to do this. Starting up from
this December, it would be much easier
209
00:20:08,260 --> 00:20:13,910
specifically to change passwords. So it's
in the past. Even if you know, you have
210
00:20:13,910 --> 00:20:19,910
you have these issues, you were not able
to simply change or all these things.
211
00:20:19,910 --> 00:20:23,679
Along with the passwords, passwords, you
can find the like the full diagrams and
212
00:20:23,679 --> 00:20:30,190
the integrator documentation that can show
you how the system is built, how it's
213
00:20:30,190 --> 00:20:34,340
operating, specific accounts, etc, etc. Of
course, this was not published by Siemens,
214
00:20:34,340 --> 00:20:38,600
though some power plant operators who
thought that would be a good idea to share
215
00:20:38,600 --> 00:20:44,810
this information. So as I said, the most
important thing the application server is
216
00:20:44,810 --> 00:20:48,870
a bunch of Java applications and please
welcome moradek will share the details
217
00:20:48,870 --> 00:20:57,070
about this.
Applause
218
00:20:57,070 --> 00:21:01,310
moradek: Hi, everyone. Let's look at how
this perverse software works on application
219
00:21:01,310 --> 00:21:06,980
server. The operator can communicate with
system through a Thin client and a Fat client
220
00:21:06,980 --> 00:21:15,810
and. A Thin client acts as a Java applet
inside the Internet Explorer browser and
221
00:21:15,810 --> 00:21:23,130
communicates with the server through HTTPS, so
it can be outside of the application network
222
00:21:23,130 --> 00:21:28,800
and its communications can be constrained
by a firewall. In contrast, in case of the Fat
223
00:21:28,800 --> 00:21:34,910
client, software should be installed on the
operator machine and the client directly
224
00:21:34,910 --> 00:21:40,800
communicates with the RMI registry to find
services. And after that directly
225
00:21:40,800 --> 00:21:49,760
communicates with these RMI services. So the Fat
client should belong to the application network.
226
00:21:49,760 --> 00:21:57,910
Illustration of where architecture was
kindly provided by SPPA throws a URL. Not
227
00:21:57,910 --> 00:22:04,410
to be missed, let divided into spaces in
red zone. The items that brought this
228
00:22:04,410 --> 00:22:10,960
requests from the Thin client and redirect them
to RMI services. And in green zones there
229
00:22:10,960 --> 00:22:17,570
are RMI services which act as network
services on their own TCP ports. SPP
230
00:22:17,570 --> 00:22:23,690
consists of containers, each container can
encapsulate inside one or more
231
00:22:23,690 --> 00:22:32,010
RMI services. All types of containers are
represented on illustration and all of
232
00:22:32,010 --> 00:22:40,340
them have self-explanatory names. Before
we go deep into the internals of
233
00:22:40,340 --> 00:22:45,410
SPPA, let me introduce some tools which
were used in this research. First of all, all
234
00:22:45,410 --> 00:22:51,500
jar files inside this SPPA are obfuscated
with a commercial product. But these
235
00:22:51,500 --> 00:22:59,350
security measures can be easily bypassed
by a publicly available deobfuscator tool.
236
00:22:59,350 --> 00:23:05,580
Elsewhere, sometimes it is useful to see how
legit software communicates with the system.
237
00:23:05,580 --> 00:23:13,720
It helps to understand architecture of
system and workflow of clients. In case of
238
00:23:13,720 --> 00:23:21,570
SPPA, a dissector was written; it
represents raw TCP streams in human
239
00:23:21,570 --> 00:23:30,010
readable format. Inside, it uses the method
readObject from the JDK. It is known that this
240
00:23:30,010 --> 00:23:35,160
method is vulnerable to insecure
deserialization, so be careful not
241
00:23:35,160 --> 00:23:42,910
to be exploited through remote pickup. The
first pillar of SPP is the Apache web server.
242
00:23:42,910 --> 00:23:51,740
According to its config, the software
config folder can be accessed by an unauthorized
243
00:23:51,740 --> 00:23:59,040
user. In fact, this folder contains some
sensitive information of system. For
244
00:23:59,040 --> 00:24:07,170
example, files PC system configuration,
datasmells and files inside. If C contain
245
00:24:07,170 --> 00:24:14,660
startup options and configuration of all
containers, either application network or
246
00:24:14,660 --> 00:24:20,559
automation network. Also, configuration of
Oracle and publication in Tomcat DLC can be
247
00:24:20,559 --> 00:24:26,409
accessed using this vulnerability. And about
Tomcat: there are three web
248
00:24:26,409 --> 00:24:33,790
applications registered, remote diagnostic
viewer, manager and orion. According to
249
00:24:33,790 --> 00:24:38,970
configuration of Tomcat and its Apache
web server, I've observed that the orion
250
00:24:38,970 --> 00:24:48,660
service can be accessed through HTTPS and
in the file web.xml there is a list
251
00:24:48,660 --> 00:24:56,710
of all servlets of the orion application and the
list is really huge. So some of these
252
00:24:56,710 --> 00:25:04,710
servlets have an attractive name for an attacker, for
example, BrowseServlet. In fact it allows
253
00:25:04,710 --> 00:25:12,700
a third of the user directory, and listing
directories of the operating system. But in
254
00:25:12,700 --> 00:25:19,910
case of exploitation another servlet is
more attractive: FileUploadServlet. It
255
00:25:19,910 --> 00:25:28,980
allows you allows on the file upload with
system parameters based you in touch with
256
00:25:28,980 --> 00:25:34,680
me in full control the name of the file.
So this vulnerability can be easily
257
00:25:34,680 --> 00:25:39,420
transformed to a remote code execution.
You can overwrite some startup scripts
258
00:25:39,420 --> 00:25:46,390
of SPPA or simply inject a shell in the
application and get remote code
259
00:25:46,390 --> 00:25:54,770
execution with system rights. Also there
are some servlets which contain good
260
00:25:54,770 --> 00:26:03,809
service factory names. In fact, they
redirect HTTP requests to RMI services.
261
00:26:03,809 --> 00:26:12,210
Inside, they parse parameters from HTTP
requests and search for the desired RMI services.
262
00:26:12,210 --> 00:26:19,980
According to the parameter service url, and
further invoke the public method of
263
00:26:19,980 --> 00:26:26,190
SecurityService. And the name of the
method is defined in a serialized object in
264
00:26:26,190 --> 00:26:34,439
the data section of the HTTP request.
Also, the parameters of these
265
00:26:34,439 --> 00:26:43,490
calls are also defined in this object. So
now we have a situation where the Thin client and
266
00:26:43,490 --> 00:26:52,500
Fat client can access RMI services, but in
case of the Fat client, it can also
267
00:26:52,500 --> 00:26:59,340
directly communicate with the RMI registry. So
if application server missed some
268
00:26:59,340 --> 00:27:04,430
important Java security updates, it
contains an insecure deserialization
269
00:27:04,430 --> 00:27:13,059
vulnerability. And using the public tool
ysoserial we can simply exploit it and get
270
00:27:13,059 --> 00:27:18,730
code execution with system rights again.
The next task will be to list all
271
00:27:18,730 --> 00:27:25,670
available RMI services on this SPPA system.
At the first step, we simply use the class LocateRegistry
272
00:27:25,670 --> 00:27:35,201
from the Java SDK and get a big list
of services. All but one jmakes it to
273
00:27:35,201 --> 00:27:43,370
RMI services. I assume that they perform
some general interface for com, for
274
00:27:43,370 --> 00:27:52,630
control and manage containers of SPPA. For
the further investigation we only chose
275
00:27:52,630 --> 00:28:01,160
LookUp Service. In fact, this service
looks like a collection of other
276
00:28:01,160 --> 00:28:10,480
RMI services. Using its public method list,
we get the names of all available services
277
00:28:10,480 --> 00:28:17,620
and using the name and the public method
lookup we get the reference of the RMI
278
00:28:17,620 --> 00:28:27,000
service. All RMI services in this step
implement the interface ServiceFactory. So
279
00:28:27,000 --> 00:28:36,100
based on this, we can assume
that this is again a collection of other
280
00:28:36,100 --> 00:28:41,100
RMI services. But in fact it doesn't have a
public method to get the name of the
281
00:28:41,100 --> 00:28:52,700
service. So we need to decompile the class
and find some
282
00:28:52,700 --> 00:29:00,470
factory methods which create an RMI service,
for example, create admin service, and
283
00:29:00,470 --> 00:29:08,330
inside we can find the name of the
created service. As can be guessed,
284
00:29:08,330 --> 00:29:14,230
it's the admin service. So using the public
method get service with this name, we find
285
00:29:14,230 --> 00:29:22,880
that I gets the reference to the next
level RMA service and in final step we get
286
00:29:22,880 --> 00:29:31,350
the reference to the RMI services which
perform the real job in SPPA. But this RMI
287
00:29:31,350 --> 00:29:39,070
service also contains a lot of public
methods for an unauthorized user. So to sum
288
00:29:39,070 --> 00:29:46,380
up: starting from the registry, at each
level we find a lot of RMI services. And
289
00:29:46,380 --> 00:29:54,290
the last item also contains a lot of
public methods. So the attack surface of
290
00:29:54,290 --> 00:30:01,799
the SPPA system is really huge. Now that
we have listed all available RMI services, the
291
00:30:01,799 --> 00:30:10,140
next question is how authentication
of client requests is performed on the system.
292
00:30:10,140 --> 00:30:15,750
To answer this question, let's look at how
client requests to the security service
293
00:30:15,750 --> 00:30:22,190
are processed by the system. First of all,
clients get the reference to the security
294
00:30:22,190 --> 00:30:31,150
service using some clientID. Further,
PCServiceFactory tries to get a valid
295
00:30:31,150 --> 00:30:38,350
session using this clientID in
SessionManager. If SessionManager
296
00:30:38,350 --> 00:30:45,240
fails in this task, an exception will be
thrown and the client will fail. But if
297
00:30:45,240 --> 00:30:54,470
it succeeds, a valid sessionID will be returned
to PCServiceFactory. And further, in its turn, an
298
00:30:54,470 --> 00:31:00,830
instance of SecurityService will be
created in the factory method, while the
299
00:31:00,830 --> 00:31:12,220
sessionID will be stored in loginID inside
SecurityService. And finally the client will
300
00:31:12,220 --> 00:31:18,620
get the reference to SecurityService.
Further, he can call some public method of
301
00:31:18,620 --> 00:31:28,600
it. But this method can perform
privilege checks of the user using loginID in
302
00:31:28,600 --> 00:31:35,940
SecurityManager. So to sum up, we have two
security measures in this system. But there
303
00:31:35,940 --> 00:31:41,660
is the question how a user client can
perform the login operation if he doesn't
304
00:31:41,660 --> 00:31:47,830
have any valid clientID. In this case,
at start-up of the system,
305
00:31:47,830 --> 00:31:53,959
SessionManager will add an anonymous
session with clientID that equals zero.
306
00:31:53,959 --> 00:32:00,150
And the client will use this clientID and
perform the login operation. But an attacker can
307
00:32:00,150 --> 00:32:07,100
also use this feature and simply bypass
this lock. So to sum up, there is only
308
00:32:07,100 --> 00:32:14,770
one security measure on the system, and
it is fully delegated to the methods of
309
00:32:14,770 --> 00:32:22,450
the RMI services. But the amount of RMI
services is huge, the amount of public methods
310
00:32:22,450 --> 00:32:29,249
is really huge. And so it becomes really
difficult to manage the security of the
311
00:32:29,249 --> 00:32:40,120
system. According to this information,
we know all inputs of the system. We
312
00:32:40,120 --> 00:32:45,070
know all possible security measures of the
system. So it's time to find
313
00:32:45,070 --> 00:32:53,180
vulnerabilities in the list of RMI
services. This one, which looks so
314
00:32:53,180 --> 00:32:58,350
attractive, is the admin service. It can be
accessed with an anonymous session inside.
315
00:32:58,350 --> 00:33:04,150
It has the public method runScript; this
method doesn't perform any privilege
316
00:33:04,150 --> 00:33:13,250
checks, so we can call it without any
credentials and so on. At the first
317
00:33:13,250 --> 00:33:19,980
step, this method creates an instance of a
class loader using bytes from the arguments,
318
00:33:19,980 --> 00:33:27,429
and in fact this step allows loading an
arbitrary Java class. This class should
319
00:33:27,429 --> 00:33:33,750
implement the interface AdminScript and
define the method execute, and this method
320
00:33:33,750 --> 00:33:43,030
execute will be called by runScript of the
RMI service. For this case we create a Java
321
00:33:43,030 --> 00:33:51,210
class that simply runs an OS command from the
arguments of runScript. And we get code
322
00:33:51,210 --> 00:33:58,520
execution on the system with system rights.
Of course, there's a more powerful post
323
00:33:58,520 --> 00:34:05,790
exploitation of this vulnerability than
simply running an OS command. This
324
00:34:05,790 --> 00:34:13,579
vulnerability allows injecting an arbitrary Java
class inside the running SPPA application,
325
00:34:13,579 --> 00:34:25,480
so you can use some Java reflection to
patch some variables of the system and
326
00:34:25,480 --> 00:34:36,029
have influence on technological properties
of SPPA. Also, the privilege check inside
327
00:34:36,029 --> 00:34:43,870
methods of the RMI service can be bypassed
with the second vulnerability, in the session service. This
328
00:34:43,870 --> 00:34:49,650
service has the public method
getloggingsessions(). In fact, this method
329
00:34:49,650 --> 00:34:58,770
returns all session data of logged-in users on
the system. This information includes user
330
00:34:58,770 --> 00:35:10,040
names, IP and clientID. So if
among these is the clientID of a user that has
331
00:35:10,040 --> 00:35:16,569
some admin privileges, an attacker can use
this clientID to get a reference to the
332
00:35:16,569 --> 00:35:22,620
security service, and this reference will
be bound to a more privileged session.
333
00:35:22,620 --> 00:35:36,290
Further, the attacker can call the public
method of the security service, getAllUsers,
334
00:35:36,290 --> 00:35:43,290
and get all private information about all
users of the system, with password hashes
335
00:35:43,290 --> 00:35:53,820
included in this private information. So
to sum up, both of these
336
00:35:53,820 --> 00:36:06,590
vulnerabilities can be accessed through
HTTPS, and firewall rules can be bypassed.
337
00:36:06,590 --> 00:36:14,200
In general, all communication with RMI
services is not encrypted. So usernames and
338
00:36:14,200 --> 00:36:24,880
password hashes are transferred in plain text.
This is more critical for
339
00:36:24,880 --> 00:36:37,800
the Fat client case. Moreover, the password
hashes don't have
340
00:36:37,800 --> 00:36:44,400
any session protection mechanism. So if an
attacker can perform a man-in-the-
341
00:36:44,400 --> 00:36:51,670
middle attack against some user of this SPPA
and captures the traffic between this user
342
00:36:51,670 --> 00:36:59,109
and the application server, he can get a valid
username and password hash of the system
343
00:36:59,109 --> 00:37:05,940
and simply reuse these credentials and
perform the login operation on the system.
344
00:37:05,940 --> 00:37:13,820
Moreover, he also can change the
password of this user. I talked a lot about
345
00:37:13,820 --> 00:37:18,750
user names and password hashes, so it's
time to understand how these items
346
00:37:18,750 --> 00:37:27,080
are organized on the system. Alex.
Alex: Hello everyone. I will continue our
347
00:37:27,080 --> 00:37:33,170
discussion about application server. On
the previous slide you can see how remote
348
00:37:33,170 --> 00:37:42,910
authentication works. Now. Sorry, I
repeat. On the previous slide you could see
349
00:37:42,910 --> 00:37:49,620
how remote authentication works. And
now I'm going to tell you about how it is
350
00:37:49,620 --> 00:37:57,590
organized locally. After the
system gets started, it begins to read two
351
00:37:57,590 --> 00:38:04,900
files: user1.xml and pdata1.xml to get the
user list and their passwords respectively.
352
00:38:04,900 --> 00:38:11,660
The user1 file is a simple XML while the
data1 file has a slightly more complex
353
00:38:11,660 --> 00:38:17,921
structure. It is a gzip archive encoded in
base64, as well as a Java serialization object in
354
00:38:17,921 --> 00:38:23,540
a gzip archive contained in a specific XML.
The fields of this XML are presented on the
355
00:38:23,540 --> 00:38:29,990
slide. They are used to calculate the hash
value and check the password during
356
00:38:29,990 --> 00:38:36,660
authentication. At the bottom of the
slide you can see the password check algorithm
357
00:38:36,660 --> 00:38:44,790
in pseudo code. This cryptographic scheme is
the type of so-called crypt hashing scheme
358
00:38:44,790 --> 00:38:52,190
like on Unix and Linux machines. It has a
number of iterations, salts, and only one
359
00:38:52,190 --> 00:38:56,910
thing was added, that is a
hardcoded salt, which is the same for
360
00:38:56,910 --> 00:39:03,900
all users. A tool
to extract password hashes and the set of
361
00:39:03,900 --> 00:39:11,730
parameters from the data1 file has been
developed. On this slide you can see its
362
00:39:11,730 --> 00:39:18,420
output. The tool can be used
during password auditing to
363
00:39:18,420 --> 00:39:22,730
check for weak or
dictionary passwords and their actual hash
364
00:39:22,730 --> 00:39:31,960
collision parameters. The tool is available
at the link below. And to draw
365
00:39:31,960 --> 00:39:40,660
a line under the application server
analysis: first, as we have seen, the attack
366
00:39:40,660 --> 00:39:47,490
surface is really huge and includes a lot
of different components. Secondly, it's
367
00:39:47,490 --> 00:39:57,310
about remote connections. What's that
about? Whether SPPA has a remote connection
368
00:39:57,310 --> 00:39:59,620
or has no remote connection, I
couldn't find this out; or if someone
369
00:39:59,620 --> 00:40:13,089
else told you, you should check it
anyway. And the last thing is, an attacker
370
00:40:13,089 --> 00:40:19,490
has the opportunity to impact the power generation
process. For example, it can start or stop
371
00:40:19,490 --> 00:40:26,070
generation, change some output value, or
get some additional information about the
372
00:40:26,070 --> 00:40:32,230
generation process, and all these actions
can be done from the application server. That's
373
00:40:32,230 --> 00:40:40,720
all about the application server. And let's
start the discussion about automation. The
374
00:40:40,720 --> 00:40:45,619
main goal of the automation server is to
execute real-time automation
375
00:40:45,619 --> 00:40:54,209
functions and tasks. Depending on the power plant project
376
00:40:54,209 --> 00:41:01,260
architecture and its features, the role
of the automation server can be different. We have
377
00:41:01,260 --> 00:41:07,020
to distinguish three roles. The first one
is the automation role. There may be a slight
378
00:41:07,020 --> 00:41:14,190
confusion because the term is used both for the
server and for its role, but analyzing
379
00:41:14,190 --> 00:41:18,839
uplink automation server configuration and
publicly available information we have
380
00:41:18,839 --> 00:41:25,490
found that whatever the role is, almost
the same hardware and software are used
381
00:41:25,490 --> 00:41:34,090
and we have decided to use this kind of
classification, which seems less confusing
382
00:41:34,090 --> 00:41:40,740
to us. At the same time, it's slightly
different from the Windows
383
00:41:40,740 --> 00:41:49,210
classification anyway. I mean,
automation role means
384
00:41:49,210 --> 00:41:53,040
that the server is responsible for
interaction with input-output modules to
385
00:41:53,040 --> 00:41:58,390
control and monitor power plant
equipment such as turbines, electric
386
00:41:58,390 --> 00:42:04,550
generators or some other. The second
role is communication. This
387
00:42:04,550 --> 00:42:10,360
role is used for connecting third
party software and systems; in other words
388
00:42:10,360 --> 00:42:18,760
it's just a protocol converter supporting
such protocols as Modbus, IEC 101, 104
389
00:42:18,760 --> 00:42:25,339
and some others. And the last role is the
migration role. This role is used to
390
00:42:25,339 --> 00:42:32,890
connect previous versions of SPPA-T2000
and legacy systems such as SPPA-80
391
00:42:32,890 --> 00:42:42,570
2002, or Teleperm M. The automation server in the
automation role can
392
00:42:42,570 --> 00:42:52,150
be run on a Siemens SIMATIC PLC and on an
industrial PC. Other roles
393
00:42:52,150 --> 00:42:55,730
can be run only on industrial PCs. Now
let's talk a little more about each role
394
00:42:55,730 --> 00:43:03,560
and let's start with the automation role based
on PLC. PLCs directly control field
395
00:43:03,560 --> 00:43:09,760
devices like valves and turbines, and access
to them means game
396
00:43:09,760 --> 00:43:16,750
over for any security discussion. They
usually represent the lowest level in
397
00:43:16,750 --> 00:43:21,750
different reference models, such as the Purdue
model, for example. Any credential, any
398
00:43:21,750 --> 00:43:27,630
configuration changes and updates for a PLC
require stopping the technological
399
00:43:27,630 --> 00:43:33,710
process. So these devices always have
security misconfigurations, firmware
400
00:43:33,710 --> 00:43:40,260
without security updates and insecure
industrial protocols. In the case of SPPA they
401
00:43:40,260 --> 00:43:48,060
are assembler ??? (Server???) protocols
and PLC data. ??? A lot of information about its
402
00:43:48,060 --> 00:43:54,349
own protocols is on the internet, but not so
much about the PLC data protocol. So we had to
403
00:43:54,349 --> 00:44:01,859
deal with it and analyze it ourselves.
It's not a special protocol for SPPA. When
404
00:44:01,859 --> 00:44:06,810
you program your SIMATIC PLCs and need to
exchange some data between them
405
00:44:06,810 --> 00:44:14,880
in real time, you use this protocol. It's
quite a simple protocol and maybe its
406
00:44:14,880 --> 00:44:21,140
description is available somewhere in the
internet. But we couldn't find it. So just
407
00:44:21,140 --> 00:44:28,830
in this case we show you its structure. There
is no security mechanism in this
408
00:44:28,830 --> 00:44:35,790
protocol, so the only obstacle while
doing a man-in-the-middle attack to spoof
409
00:44:35,790 --> 00:44:40,680
data is the sequence number, which we can
get from a packet that just follows the
410
00:44:40,680 --> 00:44:48,160
implementation. For practical analysis we
have developed a dissector, which is
411
00:44:48,160 --> 00:44:55,220
available at the link below. During the
security assessment of PLC configurations,
412
00:44:55,220 --> 00:45:02,380
one of the main things which we check is
unauthorized access to reading and
413
00:45:02,380 --> 00:45:09,550
writing PLC memory. Availability of
unauthorized access is determined by the
414
00:45:09,550 --> 00:45:17,480
position of the mode selector of the PLC
and some other configuration parameters.
415
00:45:17,480 --> 00:45:22,870
During previous research conducted by
one of our colleagues, Daniel Parnischev????,
416
00:45:22,870 --> 00:45:30,580
a privilege matrix has been obtained. It
shows insecure states and configurations
417
00:45:30,580 --> 00:45:37,440
of the PLC. The tool for gathering information
from the PLC over the network and its
418
00:45:37,440 --> 00:45:42,350
analysis has been developed by Danil and is
also available in our repository. Now
419
00:45:42,350 --> 00:45:48,250
let's talk about the automation server based
on industrial PC. It's just a Linux box.
420
00:45:48,250 --> 00:45:52,270
During start-up it tries to download some
additional files from the application
421
00:45:52,270 --> 00:45:59,520
server. These files include jar
files, bash scripts, some configuration
422
00:45:59,520 --> 00:46:07,260
and protocol files, and some others.
To execute the jar files the PTC Perc virtual
423
00:46:07,260 --> 00:46:15,250
machine is used. It is a real-time Java
machine widely spread in the industrial and
424
00:46:15,250 --> 00:46:22,700
military areas. PTC Perc contains a
protection mechanism, so all jar
425
00:46:22,700 --> 00:46:28,190
files contain a bytecode transformation.
That's why regular decompilers fail
426
00:46:28,190 --> 00:46:36,490
on them. To solve this problem, we have
written a PHP script to perform the reverse
427
00:46:36,490 --> 00:46:44,110
transformation. After that, regular
decompilers have been successful. Running
428
00:46:44,110 --> 00:46:49,000
jars open RMI services on the automation
server and some ??? of their
429
00:46:49,000 --> 00:46:55,849
extensions. For example, in the case of the
migration server, IPC services, which are
430
00:46:55,849 --> 00:47:00,260
extensions of classic Java RMI services, are
used, and on the slide you can see the
431
00:47:00,260 --> 00:47:07,280
list of these services. The key
issues of the automation server based on
432
00:47:07,280 --> 00:47:13,250
industrial PC are presented on this
slide. Firstly, as you can see, there
433
00:47:13,250 --> 00:47:19,790
is a possibility to spoof files downloaded
from the application server: files are downloaded
434
00:47:19,790 --> 00:47:24,980
over https and there are no
security mechanisms during the process.
435
00:47:24,980 --> 00:47:32,000
Secondly, it's about the default
credentials. You can get access over SSH
436
00:47:32,000 --> 00:47:40,740
to the server with the user SAM admin and
password. See him. Next, it's
437
00:47:40,740 --> 00:47:46,130
vulnerabilities in the
IPC services. These allow one to
438
00:47:46,130 --> 00:47:50,840
perform sensitive data exposure and
remote code execution. And finally, the
439
00:47:50,840 --> 00:47:54,520
last group of vulnerabilities was found in
the software used to fulfil the migration
440
00:47:54,520 --> 00:48:01,770
role for communication with SPPA-T2000, also
known as the TXP system, which has a number of
441
00:48:01,770 --> 00:48:06,480
issues. On the migration server with old
TXP, you are in a magic
442
00:48:06,480 --> 00:48:14,190
position. If you know about the
obvious vulnerabilities as they are in
443
00:48:14,190 --> 00:48:21,210
runtime, as you need, and a service: this
service contains a request runtime method, a
444
00:48:21,210 --> 00:48:29,480
method where the first argument defines
the action to be executed. Using the
445
00:48:29,480 --> 00:48:34,620
action read file it is possible to get the
content of any file from the system. Using
446
00:48:34,620 --> 00:48:39,460
the write config file action it's possible to
write information to the server.
447
00:48:39,460 --> 00:48:46,700
For example, it can be jar
files which execute shell commands from
448
00:48:46,700 --> 00:48:52,800
the command line, and using some SPPA
specific functions, you can execute these
449
00:48:52,800 --> 00:49:00,580
jar files later. This is all about the
automation server. To sum up, the
450
00:49:00,580 --> 00:49:07,540
automation server can be based on PLC or
industrial PC. In the case of PLC it is a
451
00:49:07,540 --> 00:49:16,420
usual PLC with the known security
issues. In the case of industrial PC, it's
452
00:49:16,420 --> 00:49:21,990
just a Linux box which tries to download
some additional files from the application
453
00:49:21,990 --> 00:49:28,639
server, and some of them are executed with the
virtual machine. So far, we haven't
454
00:49:28,639 --> 00:49:33,390
mentioned any network equipment used in the
distributed control system. During the
455
00:49:33,390 --> 00:49:41,340
research we saw a wide variety of network
devices and network infrastructure,
456
00:49:41,340 --> 00:49:46,820
including switches, firewalls and more
rare devices such as data diodes, for
457
00:49:46,820 --> 00:49:55,790
example. We tried to summarize all this
information and got a common SPPA
458
00:49:55,790 --> 00:50:02,160
network topology scheme. Shown in
purple are the usual places for network devices.
459
00:50:02,160 --> 00:50:08,510
The same devices can be found in
other vendors' distributed control systems.
460
00:50:08,510 --> 00:50:13,110
Network devices in industrial network
usually have a lot of security issues. The
461
00:50:13,110 --> 00:50:18,579
reason for this is that most of them don't
require any configuration before start and
462
00:50:18,579 --> 00:50:29,199
can be run out of the box. And that's why
things like SNMP??? and
463
00:50:29,199 --> 00:50:35,220
default credentials for
different services, firmware with
464
00:50:35,220 --> 00:50:43,910
publicly available exploits and
just a lack of security configuration.
465
00:50:43,910 --> 00:50:53,321
All these things are usual for
network devices and they are the usual
466
00:50:53,321 --> 00:51:01,380
security issues for an industrial
network. I think that's all. Now
467
00:51:01,380 --> 00:51:07,170
Gleb will sum up our discussion.
repdet: Yep. So the topic of power
468
00:51:07,170 --> 00:51:13,660
plants is huge. The system is huge and we
tried to cover this, and that's a lot of
469
00:51:13,660 --> 00:51:17,690
small things in the talk. And in fact
everything can be summed up on this slide.
470
00:51:17,690 --> 00:51:22,550
Those are just the vulnerabilities,
as you can see: the problems in Java, in
471
00:51:22,550 --> 00:51:28,220
Web applications, in different simple
mechanisms that you can exploit actually
472
00:51:28,220 --> 00:51:33,340
directly, even without going into the PLC or field
level. You can impact the
473
00:51:33,340 --> 00:51:39,460
process itself. What we don't cover in
this talk is actually what kind of
474
00:51:39,460 --> 00:51:44,200
havoc???? or disaster could be caused by
attacking such systems because it's actually
475
00:51:44,200 --> 00:51:48,930
not that bad. I mean, they're talking about
things like blackouts of cities or
476
00:51:48,930 --> 00:51:54,470
things like this. This is not what you can
do with such a system, because
477
00:51:54,470 --> 00:51:59,000
the distribution of power
in the grid, according to the
478
00:51:59,000 --> 00:52:02,100
threat model, is not the problem of
power generation. There should be
479
00:52:02,100 --> 00:52:05,950
another regulator who should watch for
enough capacity in the network to
480
00:52:05,950 --> 00:52:10,860
supply the electricity for the
customers. So what we're really speaking about
481
00:52:10,860 --> 00:52:17,350
here is how we can impact
there. For example, the
482
00:52:17,350 --> 00:52:23,090
turbine itself, for example, but we had
no access to a real turbine. They're
483
00:52:23,090 --> 00:52:27,580
big, expensive, and we haven't found
anyone willing to provide us one so we
484
00:52:27,580 --> 00:52:34,060
could destroy it. But the point is, we have
an educated guess: PLCs control
485
00:52:34,060 --> 00:52:38,780
a lot of parameters of this turbine. And
the turbine is like a big mechanical
486
00:52:38,780 --> 00:52:44,599
monster that is actually self-degrading by
working, and putting it into different
487
00:52:44,599 --> 00:52:49,880
uncomfortable operating modes will degrade
it even faster or it will break in the end.
488
00:52:49,880 --> 00:52:54,330
It's not easy. You can have a spare PLC or
some other device. You won't have a spare
489
00:52:54,330 --> 00:53:03,021
turbine. So the impact is there, but
it's not very huge. So what we
490
00:53:03,021 --> 00:53:09,440
tried to do with this research mostly is
to understand how we can help the power
491
00:53:09,440 --> 00:53:14,910
plant operators out there. And we
have found all the issues, and
492
00:53:14,910 --> 00:53:19,750
analysing these infrastructures and the
customer sites, we understood that all of
493
00:53:19,750 --> 00:53:23,950
the installations are actually the same,
and we can write a very simple do-it-
494
00:53:23,950 --> 00:53:30,249
yourself assessment. And hopefully even
engineers on the power plants can
495
00:53:30,249 --> 00:53:35,050
test it themselves. It is very easy. A set of
steps on two or three pages. You connect
496
00:53:35,050 --> 00:53:39,020
to the application network, you connect to the
automation network, you run the tests, you
497
00:53:39,020 --> 00:53:43,050
get the results. And afterwards you talk
with Siemens, or you can fix something
498
00:53:43,050 --> 00:53:47,971
by yourself. And basically you don't
have to hire expensive consultants to
499
00:53:47,971 --> 00:53:52,950
do the job. You should be
able to do it by yourself. We hope that
500
00:53:52,950 --> 00:54:00,620
you will be able to do it. Of course. To
summarize the whole situation around
501
00:54:00,620 --> 00:54:07,320
DCSs: if you have seen other
industrial solutions like SCADAs, like
502
00:54:07,320 --> 00:54:13,210
substations and so on, you would
find a lot of similarities, and the
503
00:54:13,210 --> 00:54:18,230
whole thing has the same pain
points as all other solutions. There is a
504
00:54:18,230 --> 00:54:24,330
good document, IEC 62443,
which describes how a power plant
505
00:54:24,330 --> 00:54:29,260
operator or asset owner should talk to the
system integrator and the vendor, with the
506
00:54:29,260 --> 00:54:33,360
vendor in terms of what security they
should require and how they should control
507
00:54:33,360 --> 00:54:40,960
it. We urge any power plant operator to
read these standards and to require
508
00:54:40,960 --> 00:54:46,130
security from their vendors and system
integrators, because nowadays it depends
509
00:54:46,130 --> 00:54:49,390
from vendor to vendor. Maybe the vendor is
more interested in security, or the
510
00:54:49,390 --> 00:54:53,710
plant or some regulator and the like.
Nobody knows how to act. This is the
511
00:54:53,710 --> 00:55:00,050
document which describes how you
should talk with all other entities. Of
512
00:55:00,050 --> 00:55:07,680
course, read the slides, read the white
paper in January. Call Siemens, update the
513
00:55:07,680 --> 00:55:12,160
systems, change your passwords and
configurations. This is actually very easy
514
00:55:12,160 --> 00:55:18,790
to at least shrink the attack surface.
A lot of things inside the SPPA ??? network are
515
00:55:18,790 --> 00:55:23,460
modern Windows boxes and it's kind of
easy to set up some form of monitoring, so
516
00:55:23,460 --> 00:55:27,849
you should talk to your security
operations center. They would be able to
517
00:55:27,849 --> 00:55:32,720
look for some logs. Not most of the
impact that we showed, since it was
518
00:55:32,720 --> 00:55:36,770
input from the Java application and
you won't be able to monitor all of this
519
00:55:36,770 --> 00:55:41,770
with security events in Windows.
But at least it's still some form of
520
00:55:41,770 --> 00:55:49,440
detection process inside your network. And
again, finally, to summarize, it is not
521
00:55:49,440 --> 00:55:55,210
like a problem of one DCS from Siemens.
There are exactly the same issues for
522
00:55:55,210 --> 00:56:01,910
other vendors not mentioned here. We will
release a lot of things today, tomorrow
523
00:56:01,910 --> 00:56:07,210
and in January: basically the big
white paper about everything that we have
524
00:56:07,210 --> 00:56:11,149
found out, with recommendations on what
to do, with wordlists, with the do-it-
525
00:56:11,149 --> 00:56:16,319
yourself security assessments, with a lot
of tools. One of the tools would help
526
00:56:16,319 --> 00:56:19,420
you to do the research, other tools
would help you, for example, if you are
527
00:56:19,420 --> 00:56:24,080
using intrusion detection
systems, IDSs: you would be able to
528
00:56:24,080 --> 00:56:29,700
parse the protocols and maybe write some
signatures for them. We work closely with
529
00:56:29,700 --> 00:56:33,880
Siemens. We want to say thank you to the
Siemens ProductCERT. They did a great
530
00:56:33,880 --> 00:56:37,970
job in communications between us and the
product team that develops the products
531
00:56:37,970 --> 00:56:42,020
the Siemens SPPA team ???
itself. The main outlines from the vendor
532
00:56:42,020 --> 00:56:47,150
response are that if you are a power plant
operator, you should hurry and install the
533
00:56:47,150 --> 00:56:55,339
new version 8.2 SP2. Siemens
is trying to educate and raise
534
00:56:55,339 --> 00:56:59,700
awareness among their customers:
first of all, they should change passwords,
535
00:56:59,700 --> 00:57:04,070
there are critical vulnerabilities
and they should do something about it. And
536
00:57:04,070 --> 00:57:10,970
not all the problems are fixable by
Siemens themselves. The operator
537
00:57:10,970 --> 00:57:19,310
is liable for some of the activities, to do
the security by themselves. So that's
538
00:57:19,310 --> 00:57:24,110
actually it. Thank you. Thank you very
much. Thank you, Congress. If you have any
539
00:57:24,110 --> 00:57:26,930
questions, please welcome.
540
00:57:26,930 --> 00:57:36,030
Applause
541
00:57:36,030 --> 00:57:40,790
Herald: Thank you all for this excellent
talk. We have a short three minutes for
542
00:57:40,790 --> 00:57:45,270
questions. If you have questions, please
line up at the microphones in the hall. If
543
00:57:45,270 --> 00:57:49,380
you're using hearing aids, there is an
induction loop at microphone number three.
544
00:57:49,380 --> 00:57:54,440
Do we have questions from the Internets?
Yes. Question from our signal angel,
545
00:57:54,440 --> 00:57:59,109
please.
Signal Angel: So we've got a question with
546
00:57:59,109 --> 00:58:03,270
the vulnerabilities found. Could you take
over those cans from the worldwide web cam
547
00:58:03,270 --> 00:58:10,900
without the freedom and the minimum tax?
Herald: Can you please repeat.
548
00:58:10,900 --> 00:58:13,509
repdet: A little bit louder, please?
Signal Angel: Sorry. With your own
549
00:58:13,509 --> 00:58:19,430
vulnerabilities found, could you take
control over those plants
550
00:58:19,430 --> 00:58:26,560
from the public Internet, without further
amending the ??? ?
551
00:58:26,560 --> 00:58:31,069
repdet: Actually, no. This is
some form of good news.
552
00:58:31,069 --> 00:58:35,010
Those systems are exclusively supported by
one system integrator, by Siemens. They
553
00:58:35,010 --> 00:58:39,400
are more or less protected from the
external access. Of course, there would be
554
00:58:39,400 --> 00:58:43,830
external access, but it's not that easy to
reach it. And of course, we're not
555
00:58:43,830 --> 00:58:46,569
talking about the Internet. We're talking
about some corporate networks or things
556
00:58:46,569 --> 00:58:50,420
like this.
Herald: Next question, microphone three,
557
00:58:50,420 --> 00:58:54,500
please.
Mic. 3: Yes, hello. Uh, I also have a
558
00:58:54,500 --> 00:59:00,070
power plant on my planet and, uh, it's
kind of bad for the atmosphere, I figured.
559
00:59:00,070 --> 00:59:05,670
So, uh, my question is, can you skip back
to where the red button is to switch it
560
00:59:05,670 --> 00:59:14,460
off? And I'm asking for a friend.
Laughter, Applause
561
00:59:14,460 --> 00:59:18,750
repdet: We never thought about that, that
these materials can be used in this way.
562
00:59:18,750 --> 00:59:24,920
But yeah. Specifically, if you have
operator or engineer friends at the
563
00:59:24,920 --> 00:59:29,530
power plants, you can talk to them.
Herald: Do we have any more questions from
564
00:59:29,530 --> 00:59:38,410
the Internets? No questions. Any questions
from the hall? I guess not. Well, then,
565
00:59:38,410 --> 00:59:41,401
thank you very much for this talk and a
warm round of applause.
566
00:59:41,401 --> 00:59:45,901
Applause
567
00:59:45,901 --> 00:59:48,771
36c3 Postroll music
568
00:59:48,771 --> 01:00:13,000
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!