[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:19.64,Default,,0000,0000,0000,,{\i1}36C3 Preroll music{\i0} Dialogue: 0,0:00:19.64,0:00:23.07,Default,,0000,0000,0000,,Herald: One of the obvious critical\Ninfrastructures we have nowadays is power Dialogue: 0,0:00:23.07,0:00:29.54,Default,,0000,0000,0000,,generation. If there is no power, we're\Npretty much screwed. Our next speakers Dialogue: 0,0:00:29.54,0:00:34.69,Default,,0000,0000,0000,,will take a very close look at common\Nindustrial control systems used in power Dialogue: 0,0:00:34.69,0:00:42.69,Default,,0000,0000,0000,,turbines and their shortcomings. So please\Ngive a warm round of applause to repdet, Dialogue: 0,0:00:42.69,0:00:44.83,Default,,0000,0000,0000,,moradek and cOrs. Dialogue: 0,0:00:44.83,0:00:52.24,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:00:52.24,0:00:58.61,Default,,0000,0000,0000,,repdet: Good morning, Congress. Thank you\Nfor waking up in the morning. We will talk Dialogue: 0,0:00:58.61,0:01:05.00,Default,,0000,0000,0000,,about the security of power plants today,\Nspecifically about automation systems, Dialogue: 0,0:01:05.00,0:01:11.14,Default,,0000,0000,0000,,that are used in the power plants up. You\Nmight think that this is another talk Dialogue: 0,0:01:11.14,0:01:18.15,Default,,0000,0000,0000,,about how insecure the whole industrial\Nthings around us are and more or less it Dialogue: 0,0:01:18.15,0:01:24.76,Default,,0000,0000,0000,,is. So for four years, we are we and our\Ncolleagues speak about problems in Dialogue: 0,0:01:24.76,0:01:30.82,Default,,0000,0000,0000,,industrial security. We are happy to say\Nthat things are getting better, but it's Dialogue: 0,0:01:30.82,0:01:34.39,Default,,0000,0000,0000,,just that the temper is a little bit\Ndifferent and feels a little bit Dialogue: 0,0:01:34.39,0:01:38.99,Default,,0000,0000,0000,,uncomfortable though. 
Anyway, we will\Nspeak about to like how a power plants are Dialogue: 0,0:01:38.99,0:01:43.15,Default,,0000,0000,0000,,built. What is the automation inside? What\Nare the vulnerabilities? And like the high Dialogue: 0,0:01:43.15,0:01:48.73,Default,,0000,0000,0000,,level overview of what you can do with\Nthis. But up at first a little bit of Dialogue: 0,0:01:48.73,0:01:56.53,Default,,0000,0000,0000,,introduction. We are security consultants.\NWe work with a lot of industrial things Dialogue: 0,0:01:56.53,0:02:02.94,Default,,0000,0000,0000,,like PLC, RTuse, SCADAS, DCSs, LCS\Nwhatever it is, we were doing this for too Dialogue: 0,0:02:02.94,0:02:10.30,Default,,0000,0000,0000,,long. We should have fought, for so long\Nthat we have a huge map of contacts with a Dialogue: 0,0:02:10.30,0:02:15.89,Default,,0000,0000,0000,,lot of system integrators and vendors. And\Nfrom the time we are not just doing the Dialogue: 0,0:02:15.89,0:02:21.44,Default,,0000,0000,0000,,consultancy work for some asset owner, for\Nexample, for a power plant. We also talk Dialogue: 0,0:02:21.44,0:02:27.33,Default,,0000,0000,0000,,to other entities and we try to fix\Nthings altogether. We work at Kaspersky Dialogue: 0,0:02:27.33,0:02:32.32,Default,,0000,0000,0000,,and actually the whole research was done\Nnot just by me, Rado and Alexander, who Dialogue: 0,0:02:32.32,0:02:44.06,Default,,0000,0000,0000,,are here, but also with the help of\NEugenia and two Sergeys. Yep. So things Dialogue: 0,0:02:44.06,0:02:49.17,Default,,0000,0000,0000,,that are very important to note is that\Neverything that we will discuss right now Dialogue: 0,0:02:49.17,0:02:57.92,Default,,0000,0000,0000,,is reported to our respective vendor.\NBasically long time ago you can see like Dialogue: 0,0:02:57.92,0:03:03.27,Default,,0000,0000,0000,,vendors here, but more or less we will\Nspeak only about one vendor today. It's Dialogue: 0,0:03:03.27,0:03:09.69,Default,,0000,0000,0000,,it's it is Siemens. 
But we would like you\Nto understand that a similar security Dialogue: 0,0:03:09.69,0:03:15.25,Default,,0000,0000,0000,,issues can be found in all other\Nindustrial solutions from other vendors. Dialogue: 0,0:03:15.25,0:03:19.95,Default,,0000,0000,0000,,You would find some of the findings, not,\Nfor example, that seller does not require Dialogue: 0,0:03:19.95,0:03:26.28,Default,,0000,0000,0000,,like weeks off work to find them out. And\Nthis would be through specifically for all Dialogue: 0,0:03:26.28,0:03:33.09,Default,,0000,0000,0000,,other vendors which are not mentioned in\Nthe talk. Jokes aside, we will share Dialogue: 0,0:03:33.09,0:03:41.85,Default,,0000,0000,0000,,security issues of real power plants out\Nthere and it might look like we are we are Dialogue: 0,0:03:41.85,0:03:48.90,Default,,0000,0000,0000,,kind of irresponsible guys. But in fact,\Nthis is the other way around. I mean that Dialogue: 0,0:03:48.90,0:03:54.28,Default,,0000,0000,0000,,to do some kind of research on with these\Nsystems that are working in the power Dialogue: 0,0:03:54.28,0:03:59.58,Default,,0000,0000,0000,,plants, you need to get access to them.\NYou need time to do this research. You Dialogue: 0,0:03:59.58,0:04:05.71,Default,,0000,0000,0000,,need to have some knowledge to do this\Nresearch and all these resources, they are Dialogue: 0,0:04:05.71,0:04:10.43,Default,,0000,0000,0000,,limited for guys like us, for penetration\Ntesters, for auditors, for power plant Dialogue: 0,0:04:10.43,0:04:16.21,Default,,0000,0000,0000,,operators and engineers, but for the bad\Nguys like the potential attacker or so Dialogue: 0,0:04:16.21,0:04:22.28,Default,,0000,0000,0000,,adversaries. This is actually their job.\NThey they have a lot of investments to do Dialogue: 0,0:04:22.28,0:04:27.70,Default,,0000,0000,0000,,some research. So we assume that bad guys\Nalready know this. 
And we just we would Dialogue: 0,0:04:27.70,0:04:32.57,Default,,0000,0000,0000,,like to share some information with the\Ngood guys so they would be able to act Dialogue: 0,0:04:32.57,0:04:42.24,Default,,0000,0000,0000,,upon this. So let's go to the talk itself.\NPower plants, power plants is the most Dialogue: 0,0:04:42.24,0:04:48.52,Default,,0000,0000,0000,,common way how humans get their power,\Ntheir electricity, their every everywhere Dialogue: 0,0:04:48.52,0:04:54.26,Default,,0000,0000,0000,,around us. And there I believe the closest\None to Leipzig is called the Lippendorf Dialogue: 0,0:04:54.26,0:04:59.10,Default,,0000,0000,0000,,power station. And during this research\Nwhen we were preparing an introduction, we Dialogue: 0,0:04:59.10,0:05:02.30,Default,,0000,0000,0000,,were surprised how many information about\Npower plants you can get from the Dialogue: 0,0:05:02.30,0:05:07.43,Default,,0000,0000,0000,,Internet. It's not just, for example, a\Npicture of this of the same power station Dialogue: 0,0:05:07.43,0:05:14.80,Default,,0000,0000,0000,,on the Google Maps. It is actually a very\Nit's a very good scheme of what you can Dialogue: 0,0:05:14.80,0:05:20.02,Default,,0000,0000,0000,,see on the marketing materials from\Nvendors, because when they sell some Dialogue: 0,0:05:20.02,0:05:24.20,Default,,0000,0000,0000,,system that ultimate power plant\Noperations, they sometimes start with Dialogue: 0,0:05:24.20,0:05:29.76,Default,,0000,0000,0000,,building construction. And on their on\Ntheir websites, you can find the schematic Dialogue: 0,0:05:29.76,0:05:34.40,Default,,0000,0000,0000,,pictures of actually which building does\Nwhat and where you will find some Dialogue: 0,0:05:34.40,0:05:39.90,Default,,0000,0000,0000,,equipment, which versions of equipment are\Nused in these systems. 
But if you like, if Dialogue: 0,0:05:39.90,0:05:45.19,Default,,0000,0000,0000,,you don't have this experience, you can\Njust Google things and you will find out Dialogue: 0,0:05:45.19,0:05:50.03,Default,,0000,0000,0000,,which systems are used for automation in\Npower plants, for example, for Lippendorf Dialogue: 0,0:05:50.03,0:05:57.13,Default,,0000,0000,0000,,it's some system that is called Siemens\NSPP T2000 and P3000, which is actually Dialogue: 0,0:05:57.13,0:06:02.82,Default,,0000,0000,0000,,have another Siemens system inside called\NSiemens SPPA-T/P3000. So it's a little bit Dialogue: 0,0:06:02.82,0:06:09.54,Default,,0000,0000,0000,,confusing and it is. And we are still\Nconfused. This is exactly the system that Dialogue: 0,0:06:09.54,0:06:18.48,Default,,0000,0000,0000,,would be that we will focus today. Siemens\NSPPT 3000. And again, it could be any Dialogue: 0,0:06:18.48,0:06:23.62,Default,,0000,0000,0000,,other automation system, but it just\Nhappened the way that we've seen this Dialogue: 0,0:06:23.62,0:06:31.89,Default,,0000,0000,0000,,system more and more often than others. Up\Nthere is a way how you can actually see Dialogue: 0,0:06:31.89,0:06:37.53,Default,,0000,0000,0000,,older generation sites throughout the\Nworld. Thanks to their carbon monitoring Dialogue: 0,0:06:37.53,0:06:42.60,Default,,0000,0000,0000,,communities, this is not just power\Nplants. This is also like nuclear sites, Dialogue: 0,0:06:42.60,0:06:49.41,Default,,0000,0000,0000,,wind generation, solar, solar plants, etc.\Nand etc. They are all here, marked by Dialogue: 0,0:06:49.41,0:06:56.48,Default,,0000,0000,0000,,different fuel types of generation. For\Nexample, there is a coil and gas power Dialogue: 0,0:06:56.48,0:07:03.38,Default,,0000,0000,0000,,plants. Mark, marked there. So the topic\Nis really huge. 
And like what we will Dialogue: 0,0:07:03.38,0:07:08.58,Default,,0000,0000,0000,,focus today in our talk is mostly the\Npower plants which are work on coal and Dialogue: 0,0:07:08.58,0:07:14.36,Default,,0000,0000,0000,,gas, which is important to mention. The\Nheart of each power plant is actually a Dialogue: 0,0:07:14.36,0:07:18.17,Default,,0000,0000,0000,,turbine. We don't have a picture of a\Nturbine on the slides, but more or less, I Dialogue: 0,0:07:18.17,0:07:24.01,Default,,0000,0000,0000,,think everybody saw it on the airplane.\NThere are various that there are similar Dialogue: 0,0:07:24.01,0:07:31.19,Default,,0000,0000,0000,,specifically in terms of size and mostly\Nhow they work up on different vendor's Web Dialogue: 0,0:07:31.19,0:07:36.98,Default,,0000,0000,0000,,sites. You can actually find a lot of\Ninformation where those turbines are used. Dialogue: 0,0:07:36.98,0:07:44.45,Default,,0000,0000,0000,,And this is, for example, the map of the\Nturbines from Siemens. Not all turbines Dialogue: 0,0:07:44.45,0:07:48.15,Default,,0000,0000,0000,,specifically are used in power plants. So\Nthere have a lot of different applications Dialogue: 0,0:07:48.15,0:07:53.09,Default,,0000,0000,0000,,like chemical plants, oil and gas. A lot\Nof other things. But if you correlate this Dialogue: 0,0:07:53.09,0:07:57.44,Default,,0000,0000,0000,,information from previous slides, you\Nwould be able to identify which systems Dialogue: 0,0:07:57.44,0:08:01.07,Default,,0000,0000,0000,,are used by which power plant. And if you\Nwill, Google more information, you can Dialogue: 0,0:08:01.07,0:08:05.41,Default,,0000,0000,0000,,actually tell their versions and the\Ngenerations of the systems that are used Dialogue: 0,0:08:05.41,0:08:10.11,Default,,0000,0000,0000,,on these power plants. This is important\Nbecause of the vulnerabilities that we Dialogue: 0,0:08:10.11,0:08:17.20,Default,,0000,0000,0000,,will discuss later on on the slide. 
So\Nbefore we will speak about so what is the Dialogue: 0,0:08:17.20,0:08:21.91,Default,,0000,0000,0000,,automation on power plants, we should\Nunderstand a little bit how they work. So Dialogue: 0,0:08:21.91,0:08:27.66,Default,,0000,0000,0000,,we will go from right to left and it's\Nvery easy. A little a little noticed. For Dialogue: 0,0:08:27.66,0:08:31.26,Default,,0000,0000,0000,,all the talk, we will simplify a lot of\Nthings for two reasons. One of them to Dialogue: 0,0:08:31.26,0:08:36.52,Default,,0000,0000,0000,,make it more suitable for the audience.\NAnd another thing. We don't really Dialogue: 0,0:08:36.52,0:08:43.08,Default,,0000,0000,0000,,understand everything by ourselves. So the\Nfirst thing you should get is a fuel. Fuel Dialogue: 0,0:08:43.08,0:08:49.11,Default,,0000,0000,0000,,could be, for example, a coil or coal or a\Ngas. And you will just put this inside the Dialogue: 0,0:08:49.11,0:08:54.83,Default,,0000,0000,0000,,combustion chamber where you would put it\Nto set it up on fire, actually. And it Dialogue: 0,0:08:54.83,0:08:59.26,Default,,0000,0000,0000,,will generate a lot of pressure which will\Ngo to the turbine. And because of the Dialogue: 0,0:08:59.26,0:09:05.10,Default,,0000,0000,0000,,pressure, the turbine will begin to\Nrotate. The turbine, have a shaft which Dialogue: 0,0:09:05.10,0:09:10.10,Default,,0000,0000,0000,,will drive the electricity generator,\Nwhich is obviously will generate Dialogue: 0,0:09:10.10,0:09:16.05,Default,,0000,0000,0000,,electricity and put it on the power grid.\NSo it is important from now I want to Dialogue: 0,0:09:16.05,0:09:21.35,Default,,0000,0000,0000,,understand that when we generate some some\Nelectricity on the power plant, we put Dialogue: 0,0:09:21.35,0:09:27.75,Default,,0000,0000,0000,,this this power not just for, for example,\Nfor this Congress center or for some city. 
Dialogue: 0,0:09:27.75,0:09:33.81,Default,,0000,0000,0000,,We put it in a big thing called the power\Ngrid, where other entities will sell this Dialogue: 0,0:09:33.81,0:09:40.38,Default,,0000,0000,0000,,electricity to different customers.\NThere is also very interesting point about Dialogue: 0,0:09:40.38,0:09:46.50,Default,,0000,0000,0000,,like, when we do generate this pressure\Nand the combustion chamber is on fire, we Dialogue: 0,0:09:46.50,0:09:51.07,Default,,0000,0000,0000,,have a lot of excessive heat. And we have\Ntwo options like one of them is to safely Dialogue: 0,0:09:51.07,0:09:55.10,Default,,0000,0000,0000,,put it in the air. We have condensing\Ntowers. This is option number one. And Dialogue: 0,0:09:55.10,0:10:00.65,Default,,0000,0000,0000,,another option is we can do some form of\Nrecuperation. For example, we would take Dialogue: 0,0:10:00.65,0:10:06.73,Default,,0000,0000,0000,,this heat. We will warm water. The water\Nwill produce steam. And we will put this Dialogue: 0,0:10:06.73,0:10:11.96,Default,,0000,0000,0000,,steam in the steam turbine and produce\Nadditional electricity. This is kind of Dialogue: 0,0:10:11.96,0:10:20.45,Default,,0000,0000,0000,,the optimization of some of some form. So\Nwhat is the automation in this process? Dialogue: 0,0:10:20.45,0:10:24.19,Default,,0000,0000,0000,,The automation systems that are used on\Nthe power plants are usually called Dialogue: 0,0:10:24.19,0:10:31.09,Default,,0000,0000,0000,,distributed control systems or DCSs. And\Neverything that I just said that it just Dialogue: 0,0:10:31.09,0:10:36.79,Default,,0000,0000,0000,,described actually is automated inside\Nthose systems. The vendor of the solution Dialogue: 0,0:10:36.79,0:10:41.65,Default,,0000,0000,0000,,want to simplify all things for the\Noperator, because we don't want like Dialogue: 0,0:10:41.65,0:10:46.25,Default,,0000,0000,0000,,hundreds of people working on the power\Nplant. 
We just want like maybe dozens of Dialogue: 0,0:10:46.25,0:10:50.83,Default,,0000,0000,0000,,people working there and they want to\Nsimplify the whole the whole process of Dialogue: 0,0:10:50.83,0:10:55.78,Default,,0000,0000,0000,,length. They don't care about where they\Nget this ???, gas or coal how much they Dialogue: 0,0:10:55.78,0:11:01.22,Default,,0000,0000,0000,,need it. They just should be able to stop\Nthe generation process started. And they Dialogue: 0,0:11:01.22,0:11:04.93,Default,,0000,0000,0000,,control one main thing, which is called\Nhow much power we should produce to the Dialogue: 0,0:11:04.93,0:11:13.42,Default,,0000,0000,0000,,power grid. So like how many megawatts of\Nelectricity we should produce. This is Dialogue: 0,0:11:13.42,0:11:19.93,Default,,0000,0000,0000,,this. This describes the actually the\Ncomplexity, complexity hidden inside these Dialogue: 0,0:11:19.93,0:11:24.07,Default,,0000,0000,0000,,solutions because there are a lot of small\Nthings happening inside and we will Dialogue: 0,0:11:24.07,0:11:29.08,Default,,0000,0000,0000,,discuss it a little bit later. As I said,\Nthis GCF says they're not exclusively used Dialogue: 0,0:11:29.08,0:11:33.56,Default,,0000,0000,0000,,on the power plants. There are a lot of\Nother sites that would use the same Dialogue: 0,0:11:33.56,0:11:40.18,Default,,0000,0000,0000,,solutions, the same software and hardware.\NThe DCS is not just like a software that Dialogue: 0,0:11:40.18,0:11:44.98,Default,,0000,0000,0000,,you can install. It's a set of hardware\Nand software, various inputs, output, Dialogue: 0,0:11:44.98,0:11:49.55,Default,,0000,0000,0000,,models, sensors, etc., etc.. As I said,\Nsometimes they start from building Dialogue: 0,0:11:49.55,0:11:55.26,Default,,0000,0000,0000,,construction of like there is a field.\NPlease build a super power station. So Dialogue: 0,0:11:55.26,0:12:01.19,Default,,0000,0000,0000,,it's a more complex projects. Most, most\Nof the time. 
There are a lot of vendors Dialogue: 0,0:12:01.19,0:12:06.25,Default,,0000,0000,0000,,that are doing it. As I said, we are\Nfocusing on this stock, on the Siemens Dialogue: 0,0:12:06.25,0:12:15.72,Default,,0000,0000,0000,,one. Just a short little short description\Nof how simplified things are for operators Dialogue: 0,0:12:15.72,0:12:21.33,Default,,0000,0000,0000,,of this DCA software. So, for example, if\Nwe would like to answer the question how Dialogue: 0,0:12:21.33,0:12:28.02,Default,,0000,0000,0000,,we would regulate the output and megabytes\Nof our power plant, we would need to Dialogue: 0,0:12:28.02,0:12:33.03,Default,,0000,0000,0000,,control basically three things. Again, we\Nare oversimplifying here. First of all, Dialogue: 0,0:12:33.03,0:12:37.90,Default,,0000,0000,0000,,you would control how many. This is an\Nexample for there for the gas turbine. So Dialogue: 0,0:12:37.90,0:12:43.06,Default,,0000,0000,0000,,we would need to regulate how many? Guess,\Nwe would put inside the combustion chamber Dialogue: 0,0:12:43.06,0:12:49.49,Default,,0000,0000,0000,,where would control the flame temperature.\NAnd we will control the thing that gets Dialogue: 0,0:12:49.49,0:12:54.87,Default,,0000,0000,0000,,air inside the turbine that basically\Nthree things that are controlled by simple Dialogue: 0,0:12:54.87,0:13:00.38,Default,,0000,0000,0000,,peel cease in the whole system. And you\Nwould be able, for example, to change 100 Dialogue: 0,0:13:00.38,0:13:08.83,Default,,0000,0000,0000,,megawatts to 150 megawatts based on these\Nsettings. So the system itself that we are Dialogue: 0,0:13:08.83,0:13:15.48,Default,,0000,0000,0000,,going to discuss is called Siemens\NSPPT3000. And actually, again, as allow Dialogue: 0,0:13:15.48,0:13:21.75,Default,,0000,0000,0000,,all other DCA systems or from other\Nvendors. This is a typical industrial Dialogue: 0,0:13:21.75,0:13:28.63,Default,,0000,0000,0000,,systems system. 
It has all these things\Ncalled plcs, RTUse, to use HMAS, servers, Dialogue: 0,0:13:28.63,0:13:34.07,Default,,0000,0000,0000,,OPEC traffic, et cetera, et cetera. The\Nonly thing that has a difference Dialogue: 0,0:13:34.07,0:13:41.10,Default,,0000,0000,0000,,specifically for Siemens as SPPT3000 is\Nthat they have two main things called Dialogue: 0,0:13:41.10,0:13:46.32,Default,,0000,0000,0000,,application server and automation server.\NThat's this software running on the Dialogue: 0,0:13:46.32,0:13:53.38,Default,,0000,0000,0000,,servers is not what you will find on other\Ninstallations. Despite the fact that there Dialogue: 0,0:13:53.38,0:13:59.90,Default,,0000,0000,0000,,are a lot of like if you will read the\Nmanuals for for the systems from Siemens. Dialogue: 0,0:13:59.90,0:14:07.01,Default,,0000,0000,0000,,There would be a lot of different networks\Nand highways and a lot of things like Dialogue: 0,0:14:07.01,0:14:11.41,Default,,0000,0000,0000,,Siemens would state that there is no\Nconnection between the application network Dialogue: 0,0:14:11.41,0:14:18.30,Default,,0000,0000,0000,,and external networks. In practice and in\Nreality, you will find things like spick Dialogue: 0,0:14:18.30,0:14:23.17,Default,,0000,0000,0000,,sensor network, like monitoring both\Nvibration, foreign objects and some noises Dialogue: 0,0:14:23.17,0:14:28.97,Default,,0000,0000,0000,,inside the turbine. You will find the\Ndemilitarized zone because all in all, Dialogue: 0,0:14:28.97,0:14:33.90,Default,,0000,0000,0000,,like all power plant operators, they won't\Nhave like onsite maintenance guys, Dialogue: 0,0:14:33.90,0:14:37.86,Default,,0000,0000,0000,,engineers. They would try to do a remote\Nsupport. They would need to install Dialogue: 0,0:14:37.86,0:14:42.63,Default,,0000,0000,0000,,updates for operating system, although for\Ntheir signatures of their anti viruses, Dialogue: 0,0:14:42.63,0:14:46.42,Default,,0000,0000,0000,,they would need to push some opposite\Ntraffic. 
So like information about the Dialogue: 0,0:14:46.42,0:14:50.62,Default,,0000,0000,0000,,generation process outside either to\Ncorporate network or to some regulator, Dialogue: 0,0:14:50.62,0:14:54.36,Default,,0000,0000,0000,,because the whole energy market is\Nregulated and there are different entities Dialogue: 0,0:14:54.36,0:14:58.57,Default,,0000,0000,0000,,who would monitor common electricity\Ngeneration or they basically will tell you Dialogue: 0,0:14:58.57,0:15:02.68,Default,,0000,0000,0000,,how many electricity you should generate.\NBecause this is common electricity was Dialogue: 0,0:15:02.68,0:15:09.11,Default,,0000,0000,0000,,sold on the energy market. Basically,\Nthe whole talk is structured like this. We Dialogue: 0,0:15:09.11,0:15:13.79,Default,,0000,0000,0000,,will speak first about application server,\Nthen automation server and then some Dialogue: 0,0:15:13.79,0:15:20.65,Default,,0000,0000,0000,,summary. It all started with the process\Ncalled Coordinated Vulnerability Dialogue: 0,0:15:20.65,0:15:28.00,Default,,0000,0000,0000,,Disclosure. We notified Siemens about some\Nissues almost a year ago and like a month Dialogue: 0,0:15:28.00,0:15:34.95,Default,,0000,0000,0000,,at the beginning of December, Siemens\Npublished an advisory. It was it was not Dialogue: 0,0:15:34.95,0:15:39.89,Default,,0000,0000,0000,,an advisory just from from the issues,\Njust from us. A lot of other teams also Dialogue: 0,0:15:39.89,0:15:45.54,Default,,0000,0000,0000,,contributed to it. And this December, this\Nyear, December, doesn't mean that Siemens Dialogue: 0,0:15:45.54,0:15:51.23,Default,,0000,0000,0000,,just released the patches. When they say\Nthat this system, SPPT3000, is exclusively Dialogue: 0,0:15:51.23,0:15:56.06,Default,,0000,0000,0000,,supported. So the system integrator for\Nthe system is Siemens itself. 
So Dialogue: 0,0:15:56.06,0:15:59.93,Default,,0000,0000,0000,,throughout the year after we notified them\Nabout some security issues, they started Dialogue: 0,0:15:59.93,0:16:05.77,Default,,0000,0000,0000,,to roll out patches and install updates on\Ncritical infrastructure they support and Dialogue: 0,0:16:05.77,0:16:13.26,Default,,0000,0000,0000,,hopefully they did it with all the\Nsensitive issues. There is a lot of things Dialogue: 0,0:16:13.26,0:16:18.58,Default,,0000,0000,0000,,to discuss here we will skip, because we\Nare a little bit in a hurry. Things like Dialogue: 0,0:16:18.58,0:16:24.10,Default,,0000,0000,0000,,not all vulnerabilities are the same. And\Nwe use, for example, CVSS here to talk Dialogue: 0,0:16:24.10,0:16:28.30,Default,,0000,0000,0000,,about like how critical the vulnerability\Nis, but it's actually not very applicable Dialogue: 0,0:16:28.30,0:16:33.75,Default,,0000,0000,0000,,to the industrial sites. You should\Nunderstand what you can do with each Dialogue: 0,0:16:33.75,0:16:39.19,Default,,0000,0000,0000,,vulnerability, how you can impact the\Nprocess, and we will skip this part. There Dialogue: 0,0:16:39.19,0:16:45.35,Default,,0000,0000,0000,,is actually kind of a threat model in the\Nwhite paper that we will release later on, Dialogue: 0,0:16:45.35,0:16:53.44,Default,,0000,0000,0000,,like during January. We will hope. So,\Napplication server, application server is Dialogue: 0,0:16:53.44,0:17:02.55,Default,,0000,0000,0000,,this main is is a main resource that you\Nwould find in the SPPT3000 network. Like Dialogue: 0,0:17:02.55,0:17:07.87,Default,,0000,0000,0000,,if if someone will remotely connect to the\Nsystem, it would end up in application Dialogue: 0,0:17:07.87,0:17:12.02,Default,,0000,0000,0000,,server. If someone wants to start the\Ngeneration process or to change some Dialogue: 0,0:17:12.02,0:17:17.80,Default,,0000,0000,0000,,values, it would be the application\Nserver. 
If there are other servers that Dialogue: 0,0:17:17.80,0:17:21.27,Default,,0000,0000,0000,,would, for example, try to communicate the\Napplication server, they will actually Dialogue: 0,0:17:21.27,0:17:25.53,Default,,0000,0000,0000,,start their work by downloading their\Nsoftware from application server and then Dialogue: 0,0:17:25.53,0:17:31.85,Default,,0000,0000,0000,,executing it. So the first thing you might\Nnotice here is there are a lot of a lot of Dialogue: 0,0:17:31.85,0:17:37.96,Default,,0000,0000,0000,,network ports available on this on this\Nmachine. And actually, this is the first Dialogue: 0,0:17:37.96,0:17:45.19,Default,,0000,0000,0000,,point. There is a, a huge attack surface\Nfor that bursary??? to choose whether or Dialogue: 0,0:17:45.19,0:17:49.46,Default,,0000,0000,0000,,not he would like to compromise some\NSiemens software or its Windows software Dialogue: 0,0:17:49.46,0:17:55.03,Default,,0000,0000,0000,,or its some another third party. Huge\Nattack surface starting from the fact that Dialogue: 0,0:17:55.03,0:18:01.24,Default,,0000,0000,0000,,there are, all of the installation of this\NSPP systems are kind of different. So Dialogue: 0,0:18:01.24,0:18:05.85,Default,,0000,0000,0000,,depending on the version and other\Ngeneration, you can find different Windows Dialogue: 0,0:18:05.85,0:18:17.97,Default,,0000,0000,0000,,versions from 2003 to 2016. Hopefully they\Nare all updated right now, but because the Dialogue: 0,0:18:17.97,0:18:24.22,Default,,0000,0000,0000,,that the update process for such as for\Nsuch installations is is a hard thing to Dialogue: 0,0:18:24.22,0:18:29.06,Default,,0000,0000,0000,,do. I mean you should wait for maintenance\Nand it should be like maybe once in a Dialogue: 0,0:18:29.06,0:18:33.47,Default,,0000,0000,0000,,healthy year or once a year. 
You will\Nalways find some window where you can use Dialogue: 0,0:18:33.47,0:18:38.48,Default,,0000,0000,0000,,some remotely exploitable vulnerabilities\Nlike the eternal blue or blue keeper mark Dialogue: 0,0:18:38.48,0:18:45.24,Default,,0000,0000,0000,,mentioned on the slide. There is tons of\Ndifferent additional software like all Dialogue: 0,0:18:45.24,0:18:48.57,Default,,0000,0000,0000,,signwin??? that will allow you to do\Nprivilege escalation, badly configured Dialogue: 0,0:18:48.57,0:18:55.30,Default,,0000,0000,0000,,Tomcats and we have here this funny pie\Ncharts that show how configuration of Dialogue: 0,0:18:55.30,0:19:00.33,Default,,0000,0000,0000,,different software is aligned with the\Nbest practices from CIS benchmarks. Those Dialogue: 0,0:19:00.33,0:19:06.62,Default,,0000,0000,0000,,are those are basically security\Nconfiguration gardening guides. The most Dialogue: 0,0:19:06.62,0:19:12.76,Default,,0000,0000,0000,,important thing in the application server\Nis a lot of Java software and in a minute Dialogue: 0,0:19:12.76,0:19:19.23,Default,,0000,0000,0000,,repdet will tell you about this. Surprise,\Nsurprise there, the one of the most Dialogue: 0,0:19:19.23,0:19:27.51,Default,,0000,0000,0000,,notable problems in this Siemens SPPT3000\Nis actually passwords. There, there are Dialogue: 0,0:19:27.51,0:19:32.42,Default,,0000,0000,0000,,three important ranges. The first the\Nfirst of them is like what's all the Dialogue: 0,0:19:32.42,0:19:39.68,Default,,0000,0000,0000,,installations before 2014 and maybe 2015.\NAll passwords for the for for all the Dialogue: 0,0:19:39.68,0:19:44.36,Default,,0000,0000,0000,,power stations were the same. And you can\Neasily Google them. We've also published Dialogue: 0,0:19:44.36,0:19:50.28,Default,,0000,0000,0000,,like the full world list in the white\Npaper. After this year's Siemens started Dialogue: 0,0:19:50.28,0:19:57.80,Default,,0000,0000,0000,,to generate the unique passwords for all\Npower plants. 
But until this year, it was Dialogue: 0,0:19:57.80,0:20:01.54,Default,,0000,0000,0000,,kind of hard to change this password. So\Nyou need to be aware of how to do this. Dialogue: 0,0:20:01.54,0:20:04.31,Default,,0000,0000,0000,,You need to know the process. You maybe\Nneed to contact to contact your system Dialogue: 0,0:20:04.31,0:20:08.26,Default,,0000,0000,0000,,integrator to do this. Starting up from\Nthis December, it would be much easier Dialogue: 0,0:20:08.26,0:20:13.91,Default,,0000,0000,0000,,specifically to change passwords. So it's\Nin the past. Even if you know, you have Dialogue: 0,0:20:13.91,0:20:19.91,Default,,0000,0000,0000,,you have these issues, you were not able\Nto simply change or all these things. Dialogue: 0,0:20:19.91,0:20:23.68,Default,,0000,0000,0000,,Along with the passwords, passwords, you\Ncan find the like the full diagrams and Dialogue: 0,0:20:23.68,0:20:30.19,Default,,0000,0000,0000,,the integrator documentation that can show\Nyou how the system is built, how it's Dialogue: 0,0:20:30.19,0:20:34.34,Default,,0000,0000,0000,,operating, specific accounts, etc, etc. Of\Ncourse, this was not published by Siemens, Dialogue: 0,0:20:34.34,0:20:38.60,Default,,0000,0000,0000,,thouse some power plant operators who\Nthought that would be a good idea to share Dialogue: 0,0:20:38.60,0:20:44.81,Default,,0000,0000,0000,,this information. So as I said, the most\Nimportant thing the application server is Dialogue: 0,0:20:44.81,0:20:48.87,Default,,0000,0000,0000,,a bunch of Java applications and please\Nwelcome moradek will share the details Dialogue: 0,0:20:48.87,0:20:57.07,Default,,0000,0000,0000,,about this.\N{\i1}Applause{\i0} Dialogue: 0,0:20:57.07,0:21:01.31,Default,,0000,0000,0000,,moradek: Hi, everyone. Let's look at how\Nthis perverse software works on aplication Dialogue: 0,0:21:01.31,0:21:06.98,Default,,0000,0000,0000,,server. 
The operator can communicate with\Nsystem through at Thin client and Fat client Dialogue: 0,0:21:06.98,0:21:15.81,Default,,0000,0000,0000,,and. A Thin client act as Java applet\Ninside Internet Explorer browser and Dialogue: 0,0:21:15.81,0:21:23.13,Default,,0000,0000,0000,,communicate with server through HTTPS, so\Nit can be outside of application of fork Dialogue: 0,0:21:23.13,0:21:28.80,Default,,0000,0000,0000,,and its communications can be constrained\Nby a firewall. In opposite in case of Fat Dialogue: 0,0:21:28.80,0:21:34.91,Default,,0000,0000,0000,,client, software should be installed on\Noperator machine and client directly Dialogue: 0,0:21:34.91,0:21:40.80,Default,,0000,0000,0000,,communicates with RMA registry to find\Nservices. And after that directly Dialogue: 0,0:21:40.80,0:21:49.76,Default,,0000,0000,0000,,communicates with this myservices. So Fat\Nclient should belong to application fork. Dialogue: 0,0:21:49.76,0:21:57.91,Default,,0000,0000,0000,,Illustration of where architecture was\Nkindly provided by SPPA throws a URL. Not Dialogue: 0,0:21:57.91,0:22:04.41,Default,,0000,0000,0000,,to be missed, let divided into spaces in\Nred zone. The items that brought this Dialogue: 0,0:22:04.41,0:22:10.96,Default,,0000,0000,0000,,request from Thin client and redirect them\Nto rmyservices. And in green zones there Dialogue: 0,0:22:10.96,0:22:17.57,Default,,0000,0000,0000,,are myservices which act as network\Nservices on their name on TCP ports. SPP Dialogue: 0,0:22:17.57,0:22:23.69,Default,,0000,0000,0000,,consists of containers, each container can\Nencapsulate inside one or more or Dialogue: 0,0:22:23.69,0:22:32.01,Default,,0000,0000,0000,,myservices. All type of containers are\Nrepresented on illustration and all of Dialogue: 0,0:22:32.01,0:22:40.34,Default,,0000,0000,0000,,them have self explanatory names. 
Before\Nwe go deep inside the internals of Dialogue: 0,0:22:40.34,0:22:45.41,Default,,0000,0000,0000,,SPPA, let me introduce some tools which were\Nused in this research. First of all, all Dialogue: 0,0:22:45.41,0:22:51.50,Default,,0000,0000,0000,,jar files inside SPPA are obfuscated\Nwith a commercial product. But these Dialogue: 0,0:22:51.50,0:22:59.35,Default,,0000,0000,0000,,security measures can be easily bypassed\Nby a publicly available deobfuscator tool. Dialogue: 0,0:22:59.35,0:23:05.58,Default,,0000,0000,0000,,Also, sometimes it is useful to see how\Nlegitimate software communicates with the system. Dialogue: 0,0:23:05.58,0:23:13.72,Default,,0000,0000,0000,,It helps to understand the architecture of the\Nsystem and the workflow of the clients. In the case of Dialogue: 0,0:23:13.72,0:23:21.57,Default,,0000,0000,0000,,SPPA, a dissector was written; it\Nrepresents raw TCP streams in a human Dialogue: 0,0:23:21.57,0:23:30.01,Default,,0000,0000,0000,,readable format. Inside it uses the method\NreadObject from the JDK. It is known that this Dialogue: 0,0:23:30.01,0:23:35.16,Default,,0000,0000,0000,,method is vulnerable to insecure\Ndeserialization, so be careful not Dialogue: 0,0:23:35.16,0:23:42.91,Default,,0000,0000,0000,,to be exploited through a remote pcap. The\Nfirst pillar of SPPA is the Apache web server. Dialogue: 0,0:23:42.91,0:23:51.74,Default,,0000,0000,0000,,According to its config, the folder of software\Nconfig can be accessed by an unauthorized Dialogue: 0,0:23:51.74,0:23:59.04,Default,,0000,0000,0000,,user. In fact, this folder contains some\Nsensitive information of the system. For Dialogue: 0,0:23:59.04,0:24:07.17,Default,,0000,0000,0000,,example, files of the PC system configuration,\Ndata models, and the files inside etc contain Dialogue: 0,0:24:07.17,0:24:14.66,Default,,0000,0000,0000,,startup options and the configuration of all\Ncontainers, either of the application network or the Dialogue: 0,0:24:14.66,0:24:20.56,Default,,0000,0000,0000,,automation network.
Also, the configuration of\NOracle and of the applications in Tomcat can be Dialogue: 0,0:24:20.56,0:24:26.41,Default,,0000,0000,0000,,accessed using this vulnerability. And about\NTomcat. There are three web Dialogue: 0,0:24:26.41,0:24:33.79,Default,,0000,0000,0000,,applications registered: remote diagnostic\Nviewer, manager and orion. According to the Dialogue: 0,0:24:33.79,0:24:38.97,Default,,0000,0000,0000,,configuration of Tomcat and the Apache\Nweb server, I've observed that the orion Dialogue: 0,0:24:38.97,0:24:48.66,Default,,0000,0000,0000,,service can be accessed through HTTPS and,\Nuh, in the file web.xml there is a list Dialogue: 0,0:24:48.66,0:24:56.71,Default,,0000,0000,0000,,of all servlets of the orion application, and the\Nlist is really huge. So some of these Dialogue: 0,0:24:56.71,0:25:04.71,Default,,0000,0000,0000,,servlets have attractive names for an attacker, for\Nexample, BrowseServlet. In fact it allows Dialogue: 0,0:25:04.71,0:25:12.70,Default,,0000,0000,0000,,traversing the user directory and listing\Ndirectories of the operating system. But in Dialogue: 0,0:25:12.70,0:25:19.91,Default,,0000,0000,0000,,case of exploitation another servlet is\Nmore attractive. FileUploadServlet Dialogue: 0,0:25:19.91,0:25:28.98,Default,,0000,0000,0000,,allows file upload with\Nsystem parameters, so you are Dialogue: 0,0:25:28.98,0:25:34.68,Default,,0000,0000,0000,,in full control of the name of the file.\NSo this vulnerability can be easily Dialogue: 0,0:25:34.68,0:25:39.42,Default,,0000,0000,0000,,transformed into remote code execution.\NYou can overwrite some startup scripts Dialogue: 0,0:25:39.42,0:25:46.39,Default,,0000,0000,0000,,of SPPA or simply inject a shell in the\Napplication and get remote code Dialogue: 0,0:25:46.39,0:25:54.77,Default,,0000,0000,0000,,execution with system rights. Also there\Nare some servlets which contain Dialogue: 0,0:25:54.77,0:26:03.81,Default,,0000,0000,0000,,service factory names.
In fact, they\Nredirect HTTP requests to RMI services. Dialogue: 0,0:26:03.81,0:26:12.21,Default,,0000,0000,0000,,Inside, they parse the incoming HTTP\Nrequest and search for the desired RMI service Dialogue: 0,0:26:12.21,0:26:19.98,Default,,0000,0000,0000,,according to the parameter service URL, and\Nfurther invoke the public method of the Dialogue: 0,0:26:19.98,0:26:26.19,Default,,0000,0000,0000,,security service. And the name of the\Nmethod is defined in a serialized object in Dialogue: 0,0:26:26.19,0:26:34.44,Default,,0000,0000,0000,,the data section of the HTTP request.\NAlso, the parameters of these Dialogue: 0,0:26:34.44,0:26:43.49,Default,,0000,0000,0000,,calls are also defined in this object. So\Nnow we have a situation where the Thin client and Dialogue: 0,0:26:43.49,0:26:52.50,Default,,0000,0000,0000,,the Fat client can access RMI services, but in the\Ncase of the Fat client, it can also Dialogue: 0,0:26:52.50,0:26:59.34,Default,,0000,0000,0000,,directly communicate with the RMI registry. So\Nif the application server missed some Dialogue: 0,0:26:59.34,0:27:04.43,Default,,0000,0000,0000,,important Java security updates, it\Ncontains an insecure deserialization Dialogue: 0,0:27:04.43,0:27:13.06,Default,,0000,0000,0000,,vulnerability. And using the public tool\Nysoserial we can simply exploit it and get Dialogue: 0,0:27:13.06,0:27:18.73,Default,,0000,0000,0000,,code execution with system rights again.\NThe next task will be to list all Dialogue: 0,0:27:18.73,0:27:25.67,Default,,0000,0000,0000,,available RMI services on this SPPA system.\NAt the first step, we simply use the class Dialogue: 0,0:27:25.67,0:27:35.20,Default,,0000,0000,0000,,LocateRegistry from the Java SDK and get a big list\Nof services. All but one are JMX Dialogue: 0,0:27:35.20,0:27:43.37,Default,,0000,0000,0000,,RMI services; I assume that they provide\Nsome general interface to Dialogue: 0,0:27:43.37,0:27:52.63,Default,,0000,0000,0000,,control and manage containers of SPPA.
For\Nthe further investigation we only choose Dialogue: 0,0:27:52.63,0:28:01.16,Default,,0000,0000,0000,,LookupService. In fact, this service\Nlooks like a collection of other Dialogue: 0,0:28:01.16,0:28:10.48,Default,,0000,0000,0000,,RMI services. Using its public method list\Nwe get the names of all available services, Dialogue: 0,0:28:10.48,0:28:17.62,Default,,0000,0000,0000,,and using the name and the public method\Nlookup we get the reference of an RMI Dialogue: 0,0:28:17.62,0:28:27.00,Default,,0000,0000,0000,,service. All RMI services at this step\Nimplement the interface ServiceFactory. So Dialogue: 0,0:28:27.00,0:28:36.10,Default,,0000,0000,0000,,based on this, we can assume that\Nthis is again a collection of other Dialogue: 0,0:28:36.10,0:28:41.10,Default,,0000,0000,0000,,RMI services. But in fact it doesn't have a\Npublic method to get the name of the Dialogue: 0,0:28:41.10,0:28:52.70,Default,,0000,0000,0000,,service. So we need to decompile the\Nclass and find some Dialogue: 0,0:28:52.70,0:29:00.47,Default,,0000,0000,0000,,factory methods which create an RMI service,\Nfor example, createAdminScript, and Dialogue: 0,0:29:00.47,0:29:08.33,Default,,0000,0000,0000,,inside we can find the name of the\Ncreated service. As can be guessed, Dialogue: 0,0:29:08.33,0:29:14.23,Default,,0000,0000,0000,,it's AdminService. So using the public\Nmethod getService with this name, we Dialogue: 0,0:29:14.23,0:29:22.88,Default,,0000,0000,0000,,get the reference to the next\Nlevel RMI service, and in the final step we get Dialogue: 0,0:29:22.88,0:29:31.35,Default,,0000,0000,0000,,the reference to the RMI services which\Nperform the real job of SPPA. But this RMI Dialogue: 0,0:29:31.35,0:29:39.07,Default,,0000,0000,0000,,service also contains a lot of public\Nmethods for an unauthorized user. So to sum Dialogue: 0,0:29:39.07,0:29:46.38,Default,,0000,0000,0000,,up, we go through the registry and at each\Nlevel we find a lot of RMI services.
And Dialogue: 0,0:29:46.38,0:29:54.29,Default,,0000,0000,0000,,the last item also contains a lot of\Npublic methods. So the attack surface of the Dialogue: 0,0:29:54.29,0:30:01.80,Default,,0000,0000,0000,,SPPA system is really huge. Now when\Nwe have listed all available RMI services, the Dialogue: 0,0:30:01.80,0:30:10.14,Default,,0000,0000,0000,,next question is how the authentication\Nof client requests is performed on the system. Dialogue: 0,0:30:10.14,0:30:15.75,Default,,0000,0000,0000,,To answer this question, let's look at how a\Nclient request to the security service is Dialogue: 0,0:30:15.75,0:30:22.19,Default,,0000,0000,0000,,processed by the system. First of all, the\Nclient gets the reference to the security Dialogue: 0,0:30:22.19,0:30:31.15,Default,,0000,0000,0000,,service using some client ID. Further,\NPCServiceFactory tries to get a valid Dialogue: 0,0:30:31.15,0:30:38.35,Default,,0000,0000,0000,,session using this clientID in\NSessionManager. If SessionManager Dialogue: 0,0:30:38.35,0:30:45.24,Default,,0000,0000,0000,,fails in this task, an exception will be\Nthrown and the client will fail. But if Dialogue: 0,0:30:45.24,0:30:54.47,Default,,0000,0000,0000,,it succeeds, a valid sessionID will be returned\Nto PCServiceFactory. And further, in its turn, an Dialogue: 0,0:30:54.47,0:31:00.83,Default,,0000,0000,0000,,instance of SecurityService will be\Ncreated in the factory method, while the Dialogue: 0,0:31:00.83,0:31:12.22,Default,,0000,0000,0000,,sessionId will be stored in loginId inside\NSecurityService. And finally the client will Dialogue: 0,0:31:12.22,0:31:18.62,Default,,0000,0000,0000,,get the reference to SecurityService.\NFurther, he can call some public method of Dialogue: 0,0:31:18.62,0:31:28.60,Default,,0000,0000,0000,,it. But this method can perform\Nprivilege checks of the user using loginId in Dialogue: 0,0:31:28.60,0:31:35.94,Default,,0000,0000,0000,,SecurityManager. So to sum up, we have two\Nsecurity measures in this system.
But Dialogue: 0,0:31:35.94,0:31:41.66,Default,,0000,0000,0000,,here is the question: how can a user client\Nperform the login operation if he doesn't Dialogue: 0,0:31:41.66,0:31:47.83,Default,,0000,0000,0000,,have any valid clientID? In this case,\Nat startup of the system, Dialogue: 0,0:31:47.83,0:31:53.96,Default,,0000,0000,0000,,SessionManager adds an anonymous\Nsession with a clientID that equals zero. Dialogue: 0,0:31:53.96,0:32:00.15,Default,,0000,0000,0000,,And the client will use this clientID and\Nperform the login operation. But an attacker can Dialogue: 0,0:32:00.15,0:32:07.10,Default,,0000,0000,0000,,also use this feature and simply bypass\Nthis lock. So to sum up, there is only Dialogue: 0,0:32:07.10,0:32:14.77,Default,,0000,0000,0000,,one security measure on the system and\Nit is fully delegated to the methods Dialogue: 0,0:32:14.77,0:32:22.45,Default,,0000,0000,0000,,of RMI services. But the amount of RMI\Nservices is huge, the amount of public methods Dialogue: 0,0:32:22.45,0:32:29.25,Default,,0000,0000,0000,,is really huge. And so it becomes really\Ndifficult to manage the security of the Dialogue: 0,0:32:29.25,0:32:40.12,Default,,0000,0000,0000,,system. According to this information,\Nwe know all inputs of the system. We Dialogue: 0,0:32:40.12,0:32:45.07,Default,,0000,0000,0000,,know all possible security measures of the\Nsystem. So it's time to find Dialogue: 0,0:32:45.07,0:32:53.18,Default,,0000,0000,0000,,vulnerabilities in the list of RMI\Nservices. This one, which looks so Dialogue: 0,0:32:53.18,0:32:58.35,Default,,0000,0000,0000,,attractive, is AdminService; it can be\Naccessed with an anonymous session. Inside Dialogue: 0,0:32:58.35,0:33:04.15,Default,,0000,0000,0000,,it is the public method runScript. This\Nmethod doesn't perform any privilege Dialogue: 0,0:33:04.15,0:33:13.25,Default,,0000,0000,0000,,checks, so we can call it without\Nany credentials and so on.
At the first Dialogue: 0,0:33:13.25,0:33:19.98,Default,,0000,0000,0000,,step, this method creates an instance of a\Nclass loader using bytes from the arguments, Dialogue: 0,0:33:19.98,0:33:27.43,Default,,0000,0000,0000,,and in fact this step allows loading an\Narbitrary Java class. This class should Dialogue: 0,0:33:27.43,0:33:33.75,Default,,0000,0000,0000,,implement the interface AdminScript and\Ndefine the method execute, and this method Dialogue: 0,0:33:33.75,0:33:43.03,Default,,0000,0000,0000,,execute will be called by runScript of the\NRMI service. For this case we create a Java Dialogue: 0,0:33:43.03,0:33:51.21,Default,,0000,0000,0000,,class that simply runs an OS command from the\Narguments of runScript. And we get code Dialogue: 0,0:33:51.21,0:33:58.52,Default,,0000,0000,0000,,execution on the system with system rights.\NOf course, there's more powerful post Dialogue: 0,0:33:58.52,0:34:05.79,Default,,0000,0000,0000,,exploitation of this vulnerability than\Nsimply running an OS command. This Dialogue: 0,0:34:05.79,0:34:13.58,Default,,0000,0000,0000,,vulnerability allows injecting an arbitrary Java\Nclass inside the running SPPA application, Dialogue: 0,0:34:13.58,0:34:25.48,Default,,0000,0000,0000,,so you can use some Java reflection to\Npatch some variables of the system and Dialogue: 0,0:34:25.48,0:34:36.03,Default,,0000,0000,0000,,have influence on technological properties\Nof SPPA. Also, the privilege check inside Dialogue: 0,0:34:36.03,0:34:43.87,Default,,0000,0000,0000,,methods of RMI services can be bypassed\Nwith a second vulnerability in SessionService. This Dialogue: 0,0:34:43.87,0:34:49.65,Default,,0000,0000,0000,,service has the public method\NgetLoggingSessions(). In fact, this method Dialogue: 0,0:34:49.65,0:34:58.77,Default,,0000,0000,0000,,returns all session data of logged-in users on\Nthe system. This information includes user Dialogue: 0,0:34:58.77,0:35:10.04,Default,,0000,0000,0000,,names, IP and clientId.
So if among\Nthese is the clientId of a user that has Dialogue: 0,0:35:10.04,0:35:16.57,Default,,0000,0000,0000,,some admin privileges, the attacker can use\Nthis clientId to get a reference to the Dialogue: 0,0:35:16.57,0:35:22.62,Default,,0000,0000,0000,,security service, and this reference will\Nbe with a more privileged session. Dialogue: 0,0:35:22.62,0:35:36.29,Default,,0000,0000,0000,,Further, the attacker can call the public\Nmethod of the security service getAllUsers Dialogue: 0,0:35:36.29,0:35:43.29,Default,,0000,0000,0000,,and get all private information about all\Nusers of the system, with password hashes Dialogue: 0,0:35:43.29,0:35:53.82,Default,,0000,0000,0000,,included in this private information. So\Nto sum up, both of these Dialogue: 0,0:35:53.82,0:36:06.59,Default,,0000,0000,0000,,vulnerabilities can be accessed through\NHTTPS and firewall rules can be bypassed. Dialogue: 0,0:36:06.59,0:36:14.20,Default,,0000,0000,0000,,In general, all communication with RMI\Nservices is not encrypted, so usernames and Dialogue: 0,0:36:14.20,0:36:24.88,Default,,0000,0000,0000,,password hashes are transferred in plain text.\NThis is more critical for Dialogue: 0,0:36:24.88,0:36:37.80,Default,,0000,0000,0000,,the Fat client case. Moreover, the password\Nhashes don't have Dialogue: 0,0:36:37.80,0:36:44.40,Default,,0000,0000,0000,,any session protection mechanism. So if an\Nattacker can perform a man-in-the-middle Dialogue: 0,0:36:44.40,0:36:51.67,Default,,0000,0000,0000,,attack against some user of SPPA\Nand captures the traffic between this user Dialogue: 0,0:36:51.67,0:36:59.11,Default,,0000,0000,0000,,and the application server, he can get a valid\Nusername and password hash of the system Dialogue: 0,0:36:59.11,0:37:05.94,Default,,0000,0000,0000,,and simply reuse these credentials and\Nperform the login operation on the system. Dialogue: 0,0:37:05.94,0:37:13.82,Default,,0000,0000,0000,,More
over, he also can change the\Npassword of this user. I talked a lot about Dialogue: 0,0:37:13.82,0:37:18.75,Default,,0000,0000,0000,,user names and password hashes, so it's\Ntime to understand how these items are Dialogue: 0,0:37:18.75,0:37:27.08,Default,,0000,0000,0000,,organized on the system. Alex.\NAlex: Hello everyone. I will continue our Dialogue: 0,0:37:27.08,0:37:33.17,Default,,0000,0000,0000,,discussion about the application server. On\Nthe previous slide you can see how remote Dialogue: 0,0:37:33.17,0:37:42.91,Default,,0000,0000,0000,,authentication works. Now. Sorry, I\Nrepeat. On the previous slide you could see Dialogue: 0,0:37:42.91,0:37:49.62,Default,,0000,0000,0000,,how remote authentication works. And\Nnow I'm going to tell you about how it is Dialogue: 0,0:37:49.62,0:37:57.59,Default,,0000,0000,0000,,organized locally. After the\Nsystem gets started, it begins to read two Dialogue: 0,0:37:57.59,0:38:04.90,Default,,0000,0000,0000,,files: user1.xml and pdata1.xml to get the\Nuser list and their passwords respectively. Dialogue: 0,0:38:04.90,0:38:11.66,Default,,0000,0000,0000,,The user1 file is a simple XML while\Npdata1 has a slightly more difficult Dialogue: 0,0:38:11.66,0:38:17.92,Default,,0000,0000,0000,,structure. It is a gzip archive encoded in\Nbase64, and a Java serialization object in the Dialogue: 0,0:38:17.92,0:38:23.54,Default,,0000,0000,0000,,gzip archive contains a specific XML.\NThe fields of this XML are presented on the Dialogue: 0,0:38:23.54,0:38:29.99,Default,,0000,0000,0000,,slide. They are used to calculate the hash\Nvalue and check the password during Dialogue: 0,0:38:29.99,0:38:36.66,Default,,0000,0000,0000,,authentication. On the bottom of the\Nslide you can see the password check algorithm Dialogue: 0,0:38:36.66,0:38:44.79,Default,,0000,0000,0000,,in pseudo code. The cryptographic scheme is\Na type of salted hashing scheme Dialogue: 0,0:38:44.79,0:38:52.19,Default,,0000,0000,0000,,like on Unix and Linux machines.
It has a\Nnumber of iterations, salts, and only one Dialogue: 0,0:38:52.19,0:38:56.91,Default,,0000,0000,0000,,thing was edited: the salt\Nis hardcoded, which is the same for Dialogue: 0,0:38:56.91,0:39:03.90,Default,,0000,0000,0000,,all users. A tool\Nto extract password hashes and scheme Dialogue: 0,0:39:03.90,0:39:11.73,Default,,0000,0000,0000,,parameters from the pdata1 file has been\Ndeveloped. On this slide you can see its Dialogue: 0,0:39:11.73,0:39:18.42,Default,,0000,0000,0000,,output. The tool can be used\Nduring password auditing to Dialogue: 0,0:39:18.42,0:39:22.73,Default,,0000,0000,0000,,check for weak or\Ndictionary passwords and their actual hash Dialogue: 0,0:39:22.73,0:39:31.96,Default,,0000,0000,0000,,parameters. The tool is available\Nat the link below. And to draw a line Dialogue: 0,0:39:31.96,0:39:40.66,Default,,0000,0000,0000,,under the application server\Nanalysis: first, as we have seen, the attack Dialogue: 0,0:39:40.66,0:39:47.49,Default,,0000,0000,0000,,surface is really huge and includes a lot\Nof different components. Secondly, it's Dialogue: 0,0:39:47.49,0:39:57.31,Default,,0000,0000,0000,,about remote connections.\NWhether SPPA has a remote connection Dialogue: 0,0:39:57.31,0:39:59.62,Default,,0000,0000,0000,,or no remote connection, I\Ncouldn't tell, and if someone Dialogue: 0,0:39:59.62,0:40:13.09,Default,,0000,0000,0000,,else told you, you should check it\Nanyway. And the last thing is that an attacker Dialogue: 0,0:40:13.09,0:40:19.49,Default,,0000,0000,0000,,has the opportunity to impact the power generation\Nprocess. For example, he can start or stop Dialogue: 0,0:40:19.49,0:40:26.07,Default,,0000,0000,0000,,generation, change some output value, or\Nget some additional information about the Dialogue: 0,0:40:26.07,0:40:32.23,Default,,0000,0000,0000,,generation process, and all this.
Action\Ncan be done from the application server. It's Dialogue: 0,0:40:32.23,0:40:40.72,Default,,0000,0000,0000,,all about the application server. And let's\Nstart the discussion about automation. The Dialogue: 0,0:40:40.72,0:40:45.62,Default,,0000,0000,0000,,main goal of the automation server is to\Nexecute real time automation Dialogue: 0,0:40:45.62,0:40:54.21,Default,,0000,0000,0000,,functions and tasks. Depending on the\Npower plant project Dialogue: 0,0:40:54.21,0:41:01.26,Default,,0000,0000,0000,,architecture and its features, the\Nrole of the automation server can be different. We have Dialogue: 0,0:41:01.26,0:41:07.02,Default,,0000,0000,0000,,to distinguish three roles. The first one\Nis the automation role. There may be a slight Dialogue: 0,0:41:07.02,0:41:14.19,Default,,0000,0000,0000,,confusion because the term is used both for the\Nserver and for its role, but analyzing the Dialogue: 0,0:41:14.19,0:41:18.84,Default,,0000,0000,0000,,automation server configuration and\Npublicly available information we have Dialogue: 0,0:41:18.84,0:41:25.49,Default,,0000,0000,0000,,found that whatever the role is, almost\Nthe same hardware and software are used, Dialogue: 0,0:41:25.49,0:41:34.09,Default,,0000,0000,0000,,and we have decided to use this kind of\Nclassification. That seems less confusing Dialogue: 0,0:41:34.09,0:41:40.74,Default,,0000,0000,0000,,to us. At the same time, it's slightly\Ndifferent from the vendor's Dialogue: 0,0:41:40.74,0:41:49.21,Default,,0000,0000,0000,,classification anyway. I mean, the\Nautomation role means Dialogue: 0,0:41:49.21,0:41:53.04,Default,,0000,0000,0000,,that the server is responsible for\Ninteraction with input-output modules to Dialogue: 0,0:41:53.04,0:41:58.39,Default,,0000,0000,0000,,control and monitor power plant\Nequipment such as turbine, electric Dialogue: 0,0:41:58.39,0:42:04.55,Default,,0000,0000,0000,,generator or some other. The second\Nrole is communication.
This Dialogue: 0,0:42:04.55,0:42:10.36,Default,,0000,0000,0000,,role is used for connecting third\Nparty software and systems; in other words Dialogue: 0,0:42:10.36,0:42:18.76,Default,,0000,0000,0000,,it's just a protocol converter supporting\Nsuch protocols as Modbus, IEC 101, 104 Dialogue: 0,0:42:18.76,0:42:25.34,Default,,0000,0000,0000,,and some others. And the last role is the\Nmigration role. This role is used to Dialogue: 0,0:42:25.34,0:42:32.89,Default,,0000,0000,0000,,connect previous versions, for example SPPA-T2000,\Nand legacy systems such as Dialogue: 0,0:42:32.89,0:42:42.57,Default,,0000,0000,0000,,Teleperm ME. The automation\Nserver in the automation role can Dialogue: 0,0:42:42.57,0:42:52.15,Default,,0000,0000,0000,,be run on a Simatic PLC and on an\Nindustrial PC. Other roles Dialogue: 0,0:42:52.15,0:42:55.73,Default,,0000,0000,0000,,can be run only on industrial PCs. Now\Nlet's talk a little more about each role, Dialogue: 0,0:42:55.73,0:43:03.56,Default,,0000,0000,0000,,and let's start with the automation role based\Non PLC. PLCs directly control field Dialogue: 0,0:43:03.56,0:43:09.76,Default,,0000,0000,0000,,devices like valves and turbines, and access\Nto them means game Dialogue: 0,0:43:09.76,0:43:16.75,Default,,0000,0000,0000,,over for any security discussion. They\Nusually represent the lowest level in Dialogue: 0,0:43:16.75,0:43:21.75,Default,,0000,0000,0000,,different reference models, such as the Purdue\Nmodel, for example. In general, any Dialogue: 0,0:43:21.75,0:43:27.63,Default,,0000,0000,0000,,configuration changes and updates for a PLC\Nrequire stopping the technological Dialogue: 0,0:43:27.63,0:43:33.71,Default,,0000,0000,0000,,process. So these devices always have\Nsecurity misconfigurations, firmware Dialogue: 0,0:43:33.71,0:43:40.26,Default,,0000,0000,0000,,without security updates and insecure\Nindustrial protocols.
In the case of SPPA they Dialogue: 0,0:43:40.26,0:43:48.06,Default,,0000,0000,0000,,are S7 ??? protocols\Nand PLC data. There is a lot of information about S7 Dialogue: 0,0:43:48.06,0:43:54.35,Default,,0000,0000,0000,,protocols on the internet, but not so\Nmuch about the PLC data protocol. So we had to Dialogue: 0,0:43:54.35,0:44:01.86,Default,,0000,0000,0000,,deal with it and analyze it ourselves.\NIt's not a special protocol for SPPA. When Dialogue: 0,0:44:01.86,0:44:06.81,Default,,0000,0000,0000,,you program your Simatic PLC and need to\Nexchange some data between them Dialogue: 0,0:44:06.81,0:44:14.88,Default,,0000,0000,0000,,in real time, you use this protocol. It's\Na quite simple protocol and maybe its Dialogue: 0,0:44:14.88,0:44:21.14,Default,,0000,0000,0000,,description is available somewhere on the\Ninternet. But we couldn't find it. So just Dialogue: 0,0:44:21.14,0:44:28.83,Default,,0000,0000,0000,,in case I show you its structure. There\Nare no security mechanisms in this Dialogue: 0,0:44:28.83,0:44:35.79,Default,,0000,0000,0000,,protocol, so the only obstacle while\Ndoing a man-in-the-middle attack to spoof Dialogue: 0,0:44:35.79,0:44:40.68,Default,,0000,0000,0000,,data is the sequence number, which we can\Nget from a packet that just follows the Dialogue: 0,0:44:40.68,0:44:48.16,Default,,0000,0000,0000,,implementation. For practical analysis we\Nhave developed a dissector, which is Dialogue: 0,0:44:48.16,0:44:55.22,Default,,0000,0000,0000,,available at the link below. During the\Nsecurity assessment of PLC configurations, Dialogue: 0,0:44:55.22,0:45:02.38,Default,,0000,0000,0000,,one of the main things which we check is\Nunauthorized access to reading and Dialogue: 0,0:45:02.38,0:45:09.55,Default,,0000,0000,0000,,writing PLC memory.
Availability of\Nunauthorized access is determined by the Dialogue: 0,0:45:09.55,0:45:17.48,Default,,0000,0000,0000,,position of the mode selector of the PLC\Nand some other configuration parameters. Dialogue: 0,0:45:17.48,0:45:22.87,Default,,0000,0000,0000,,During previous research conducted by\None of our colleagues, Danil Parnischev????, Dialogue: 0,0:45:22.87,0:45:30.58,Default,,0000,0000,0000,,a privilege matrix has been obtained. It\Nshows insecure states and configurations Dialogue: 0,0:45:30.58,0:45:37.44,Default,,0000,0000,0000,,of the PLC. The tool for gathering information\Nfrom the PLC over the network and its Dialogue: 0,0:45:37.44,0:45:42.35,Default,,0000,0000,0000,,analysis has been developed by Danil and is\Nalso available in our repository. Now Dialogue: 0,0:45:42.35,0:45:48.25,Default,,0000,0000,0000,,let's talk about the automation server based\Non an industrial PC. It's just a Linux box. Dialogue: 0,0:45:48.25,0:45:52.27,Default,,0000,0000,0000,,During the start it tries to download some\Nadditional files from the application Dialogue: 0,0:45:52.27,0:45:59.52,Default,,0000,0000,0000,,server. These files include jar\Nfiles, bash scripts, some configuration Dialogue: 0,0:45:59.52,0:46:07.26,Default,,0000,0000,0000,,files, protocol files and some others. To\Nexecute jar files the PTC Perc virtual Dialogue: 0,0:46:07.26,0:46:15.25,Default,,0000,0000,0000,,machine is used. It is a Java runtime\Nwidely spread in the industrial and Dialogue: 0,0:46:15.25,0:46:22.70,Default,,0000,0000,0000,,military area. PTC Perc contains a\Ncompilation mechanism, so all jar Dialogue: 0,0:46:22.70,0:46:28.19,Default,,0000,0000,0000,,files contain a bytecode transformation.\NThat's why regular decompilers fail on Dialogue: 0,0:46:28.19,0:46:36.49,Default,,0000,0000,0000,,them. To solve this problem, we have\Nwritten a PHP script to perform the reverse Dialogue: 0,0:46:36.49,0:46:44.11,Default,,0000,0000,0000,,transformation.
After that, regular\Ndecompilers have been successful. Running Dialogue: 0,0:46:44.11,0:46:49.00,Default,,0000,0000,0000,,jars open RMI services on the automation\Nserver and some ??? extensions of Dialogue: 0,0:46:49.00,0:46:55.85,Default,,0000,0000,0000,,them. For example, in the case of the\Nmigration server, IPC services, which are Dialogue: 0,0:46:55.85,0:47:00.26,Default,,0000,0000,0000,,extensions of classic Java RMI services, are\Nused, and on the slide you can see the Dialogue: 0,0:47:00.26,0:47:07.28,Default,,0000,0000,0000,,list of these services. The key\Nissues of the automation server based on an Dialogue: 0,0:47:07.28,0:47:13.25,Default,,0000,0000,0000,,industrial PC are presented on this\Nslide. Firstly, as you can see, there Dialogue: 0,0:47:13.25,0:47:19.79,Default,,0000,0000,0000,,is a possibility to spoof files downloaded\Nfrom the application server: files are downloaded Dialogue: 0,0:47:19.79,0:47:24.98,Default,,0000,0000,0000,,over HTTPS and there are no\Nsecurity mechanisms during the process. Dialogue: 0,0:47:24.98,0:47:32.00,Default,,0000,0000,0000,,Secondly, it's about default\Ncredentials. You can get access over Dialogue: 0,0:47:32.00,0:47:40.74,Default,,0000,0000,0000,,SSH to the server with the user SAM admin and\Nits password. Next, it's Dialogue: 0,0:47:40.74,0:47:46.13,Default,,0000,0000,0000,,vulnerabilities in the RMI and\NIPC services. These allow Dialogue: 0,0:47:46.13,0:47:50.84,Default,,0000,0000,0000,,performing sensitive data exposure and\Nremote code execution. And finally, the Dialogue: 0,0:47:50.84,0:47:54.52,Default,,0000,0000,0000,,last group is vulnerabilities found in\Nthe software used to fulfil the migration Dialogue: 0,0:47:54.52,0:48:01.77,Default,,0000,0000,0000,,role for communication with SPPA-T2000, also\Nknown as the TXP system. It has a number of Dialogue: 0,0:48:01.77,0:48:06.48,Default,,0000,0000,0000,,issues on the migration server with old\NTXP.
If we talk about the most Dialogue: 0,0:48:06.48,0:48:14.19,Default,,0000,0000,0000,,obvious vulnerabilities, they are in the\Nruntime service. This Dialogue: 0,0:48:14.19,0:48:21.21,Default,,0000,0000,0000,,service contains a method,\NrequestRuntime, where the Dialogue: 0,0:48:21.21,0:48:29.48,Default,,0000,0000,0000,,first argument defines\Nthe action to be executed. Using the Dialogue: 0,0:48:29.48,0:48:34.62,Default,,0000,0000,0000,,action readFile it is possible to get the\Ncontent of any file from the system. Using Dialogue: 0,0:48:34.62,0:48:39.46,Default,,0000,0000,0000,,writeConfigFile it's possible to\Nwrite information to the server. Dialogue: 0,0:48:39.46,0:48:46.70,Default,,0000,0000,0000,,For example, it can be a jar\Nfile which executes shell commands from Dialogue: 0,0:48:46.70,0:48:52.80,Default,,0000,0000,0000,,the command line, and using some SPPA\Nspecific functions you can execute these Dialogue: 0,0:48:52.80,0:49:00.58,Default,,0000,0000,0000,,jar files later. This is all about the\Nautomation server. To sum up, the Dialogue: 0,0:49:00.58,0:49:07.54,Default,,0000,0000,0000,,automation server can be based on a PLC or an\Nindustrial PC. In the case of a PLC it is a Dialogue: 0,0:49:07.54,0:49:16.42,Default,,0000,0000,0000,,usual PLC with known security\Nissues. In the case of an industrial PC it's Dialogue: 0,0:49:16.42,0:49:21.99,Default,,0000,0000,0000,,just a Linux box which tries to download\Nsome additional files from the application Dialogue: 0,0:49:21.99,0:49:28.64,Default,,0000,0000,0000,,server and executes some of them with the\Nvirtual machine.
So far, we haven't Dialogue: 0,0:49:28.64,0:49:33.39,Default,,0000,0000,0000,,mentioned any network equipment used in the\Ndistributed control system. During the Dialogue: 0,0:49:33.39,0:49:41.34,Default,,0000,0000,0000,,research we saw a wide variety of network\Ndevices and network infrastructure, Dialogue: 0,0:49:41.34,0:49:46.82,Default,,0000,0000,0000,,including switches, firewalls and more\Nrare devices such as data diodes, for Dialogue: 0,0:49:46.82,0:49:55.79,Default,,0000,0000,0000,,example. We tried to summarize all this\Ninformation and got a common SPPA Dialogue: 0,0:49:55.79,0:50:02.16,Default,,0000,0000,0000,,network topology scheme. Look at it: shown in\Npurple are the usual places for network devices. Dialogue: 0,0:50:02.16,0:50:08.51,Default,,0000,0000,0000,,The same devices can be found in\Nother vendors' distributed control systems. Dialogue: 0,0:50:08.51,0:50:13.11,Default,,0000,0000,0000,,Network devices in an industrial network\Nusually have a lot of security issues. The Dialogue: 0,0:50:13.11,0:50:18.58,Default,,0000,0000,0000,,reason for this is that most of them don't\Nrequire any configuration before start and Dialogue: 0,0:50:18.58,0:50:29.20,Default,,0000,0000,0000,,can be run out of the box. And that's why\Nthere are things like SNMP??? community Dialogue: 0,0:50:29.20,0:50:35.22,Default,,0000,0000,0000,,strings, default credentials for\Ndifferent services, firmware with Dialogue: 0,0:50:35.22,0:50:43.91,Default,,0000,0000,0000,,publicly available exploits and\Njust a lack of security configuration. Dialogue: 0,0:50:43.91,0:50:53.32,Default,,0000,0000,0000,,All these things are usual for\Nnetwork devices and they are the usual Dialogue: 0,0:50:53.32,0:51:01.38,Default,,0000,0000,0000,,security issues for an industrial\Nnetwork. I think that's all. Now Dialogue: 0,0:51:01.38,0:51:07.17,Default,,0000,0000,0000,,Gleb will sum up our discussion.\Nrepdet: Yep. Yep.
So the topic of power Dialogue: 0,0:51:07.17,0:51:13.66,Default,,0000,0000,0000,,plants is huge. The system is huge and we\Ntry to cover this and that's a lot of Dialogue: 0,0:51:13.66,0:51:17.69,Default,,0000,0000,0000,,small things in the talk. And in fact\Neverything can be summed up on this slide. Dialogue: 0,0:51:17.69,0:51:22.55,Default,,0000,0000,0000,,These those are just the vulnerabilities,\Nas you can see in the problems in Java, in Dialogue: 0,0:51:22.55,0:51:28.22,Default,,0000,0000,0000,,Web applications, in different simple\Nmechanisms that you can exploit actually Dialogue: 0,0:51:28.22,0:51:33.34,Default,,0000,0000,0000,,directly even not go into the PLC or field\Nlevel, field level. You can impact the Dialogue: 0,0:51:33.34,0:51:39.46,Default,,0000,0000,0000,,process itself. What we don't cover in\Nthis talk, is actually what select Dialogue: 0,0:51:39.46,0:51:44.20,Default,,0000,0000,0000,,havoc???? or disaster could be caused by\Nattacking such systems because it's actually Dialogue: 0,0:51:44.20,0:51:48.93,Default,,0000,0000,0000,,not that bad. I mean they're talking about\Nthings like blackouts of the series or Dialogue: 0,0:51:48.93,0:51:54.47,Default,,0000,0000,0000,,things like this. This is not what you can\Ndo with as a consensus system, because the Dialogue: 0,0:51:54.47,0:51:59.00,Default,,0000,0000,0000,,like the distribution of the power power\Nin the grid is not there according to the Dialogue: 0,0:51:59.00,0:52:02.10,Default,,0000,0000,0000,,threat model is not the problem of the\Npower generation. There shouldn't be like Dialogue: 0,0:52:02.10,0:52:05.95,Default,,0000,0000,0000,,another regulator who should watch for\Nlike enough capacity in the network to Dialogue: 0,0:52:05.95,0:52:10.86,Default,,0000,0000,0000,,fill this, to fill the electricity for the\Ncustomers. So what we're really speaking Dialogue: 0,0:52:10.86,0:52:17.35,Default,,0000,0000,0000,,here is like the is how we can impact\Nthere. 
For example, the turbine, the Dialogue: 0,0:52:17.35,0:52:23.09,Default,,0000,0000,0000,,turbine is itself, for example, but we had\Nno access to the real turbine. They're Dialogue: 0,0:52:23.09,0:52:27.58,Default,,0000,0000,0000,,big, expensive, and we haven't found\Nanyone willing to provide us one. So we Dialogue: 0,0:52:27.58,0:52:34.06,Default,,0000,0000,0000,,will destroy it. But the point is, we have\Nan educated guess like PLCs, they control Dialogue: 0,0:52:34.06,0:52:38.78,Default,,0000,0000,0000,,a lot of parameters of this turbine. And\Nthe turbine is like a big mechanical Dialogue: 0,0:52:38.78,0:52:44.60,Default,,0000,0000,0000,,monster that is actually self degrading by\Nworking and putting it into different like Dialogue: 0,0:52:44.60,0:52:49.88,Default,,0000,0000,0000,,uncomfortable operating modes will degrade\Nit even faster or it will break its end. Dialogue: 0,0:52:49.88,0:52:54.33,Default,,0000,0000,0000,,It's not easy. You can have a spare PLC or\Nsome other device. You won't have a spare Dialogue: 0,0:52:54.33,0:53:03.02,Default,,0000,0000,0000,,turbine. So that the impact is there. But\Nit's not like a very huge. So what we Dialogue: 0,0:53:03.02,0:53:09.44,Default,,0000,0000,0000,,tried to do with this research mostly is\Nto understand, how we can help the power Dialogue: 0,0:53:09.44,0:53:14.91,Default,,0000,0000,0000,,plant, the apparatus out there. And we\Nhave to fight in all the issues and Dialogue: 0,0:53:14.91,0:53:19.75,Default,,0000,0000,0000,,analysing these infrastructures and the\Ncustomer sites, we understood that all of Dialogue: 0,0:53:19.75,0:53:23.95,Default,,0000,0000,0000,,the installations actually did the same.\NAnd we can write a very simple do it Dialogue: 0,0:53:23.95,0:53:30.25,Default,,0000,0000,0000,,yourself assessment. And hopefully even\Nlike engineers on the power plants can Dialogue: 0,0:53:30.25,0:53:35.05,Default,,0000,0000,0000,,test themselves. It is very easy. A set of\Nsteps on two or three pages. 
You connect Dialogue: 0,0:53:35.05,0:53:39.02,Default,,0000,0000,0000,,to application network, you connect to the\Nautomation network, you run the tests, you Dialogue: 0,0:53:39.02,0:53:43.05,Default,,0000,0000,0000,,get the results. And afterwards you talk\Nwith Siemens. Well, you can fix something Dialogue: 0,0:53:43.05,0:53:47.97,Default,,0000,0000,0000,,by yourselves. And basically you don't\Nhave to hire like expensive consultants to Dialogue: 0,0:53:47.97,0:53:52.95,Default,,0000,0000,0000,,do the job. You should be. You should be\Nable to do it by yourself. We hope that Dialogue: 0,0:53:52.95,0:54:00.62,Default,,0000,0000,0000,,you will be able to do it. Of course. To\Nsummarize the whole situation around Dialogue: 0,0:54:00.62,0:54:07.32,Default,,0000,0000,0000,,DCSs, it is if you have seen other\Nindustrial solutions like SCADAs, like Dialogue: 0,0:54:07.32,0:54:13.21,Default,,0000,0000,0000,,substations and if any actually, you would\Nfind a lot of similarities and they the Dialogue: 0,0:54:13.21,0:54:18.23,Default,,0000,0000,0000,,whole like it will have the same pain\Npoints as all other solutions. There is a Dialogue: 0,0:54:18.23,0:54:24.33,Default,,0000,0000,0000,,good document from there. IEC 62443\Nwhich describes how like power plant Dialogue: 0,0:54:24.33,0:54:29.26,Default,,0000,0000,0000,,operator or asset owner should talk to the\Nsystem integrator and the vendor. With the Dialogue: 0,0:54:29.26,0:54:33.36,Default,,0000,0000,0000,,vendor in terms of what security they\Nshould require and how they should control Dialogue: 0,0:54:33.36,0:54:40.96,Default,,0000,0000,0000,,it. We urge any power plant operator to\Nread this standard and to require Dialogue: 0,0:54:40.96,0:54:46.13,Default,,0000,0000,0000,,security from their vendors and system\Nintegrators, because nowadays it depends Dialogue: 0,0:54:46.13,0:54:49.39,Default,,0000,0000,0000,,from vendor to vendor. 
Maybe vendor is\Nmore interested in the security or the Dialogue: 0,0:54:49.39,0:54:53.71,Default,,0000,0000,0000,,plant or some regulator and the like.\NNobody knows how to act. This is the Dialogue: 0,0:54:53.71,0:55:00.05,Default,,0000,0000,0000,,document where a which describes how you\Nshould talk with all other entities. Of Dialogue: 0,0:55:00.05,0:55:07.68,Default,,0000,0000,0000,,course, read the slides, read the white\Npaper in the January. Call Siemens, update all Dialogue: 0,0:55:07.68,0:55:12.16,Default,,0000,0000,0000,,systems, change your passwords and\Nconfigurations. This is actually very easy Dialogue: 0,0:55:12.16,0:55:18.79,Default,,0000,0000,0000,,to at least to shrink the attack surface.\NA lot of things inside SPPS ??? network is Dialogue: 0,0:55:18.79,0:55:23.46,Default,,0000,0000,0000,,modern Windows boxes and it's kind of\Neasy to set up some form of monitoring, so Dialogue: 0,0:55:23.46,0:55:27.85,Default,,0000,0000,0000,,you should talk to your security\Noperations center. They would be able to Dialogue: 0,0:55:27.85,0:55:32.72,Default,,0000,0000,0000,,look for some locks, not most of the\Nimpact that we showed, like it was their Dialogue: 0,0:55:32.72,0:55:36.77,Default,,0000,0000,0000,,input from the java application and\Nyou won't be able to monitor all of these. Dialogue: 0,0:55:36.77,0:55:41.77,Default,,0000,0000,0000,,We have like security events in Windows.\NBut at least it's still some form of Dialogue: 0,0:55:41.77,0:55:49.44,Default,,0000,0000,0000,,detection process inside your network. And\Nagain, finally, to summarize, it is not Dialogue: 0,0:55:49.44,0:55:55.21,Default,,0000,0000,0000,,like a problem of one DCS from Siemens.\NThere are exactly the same issues for Dialogue: 0,0:55:55.21,0:56:01.91,Default,,0000,0000,0000,,other vendors not mentioned here. We will\Nrelease a lot of things today, tomorrow Dialogue: 0,0:56:01.91,0:56:07.21,Default,,0000,0000,0000,,and in January. 
Basically like the big\Nwhite paper about everything that we have Dialogue: 0,0:56:07.21,0:56:11.15,Default,,0000,0000,0000,,found out, we have recommendations, what\Nto do with the wordlists, with the do it Dialogue: 0,0:56:11.15,0:56:16.32,Default,,0000,0000,0000,,yourself security assessments with a lot\Nof tools up. One of the tools would help Dialogue: 0,0:56:16.32,0:56:19.42,Default,,0000,0000,0000,,you to do the research, another tools\Nwould help you, for example, if you are Dialogue: 0,0:56:19.42,0:56:24.08,Default,,0000,0000,0000,,using intrusion detection\Nsystems like IDSs, you would be able to Dialogue: 0,0:56:24.08,0:56:29.70,Default,,0000,0000,0000,,parse the protocols and maybe write some\Nsignatures for them. We work closely with Dialogue: 0,0:56:29.70,0:56:33.88,Default,,0000,0000,0000,,Siemens. We want to say thank you for the\NSiemens product search. They did a great Dialogue: 0,0:56:33.88,0:56:37.97,Default,,0000,0000,0000,,job in communications between us and the\Nproduct team that develops the products Dialogue: 0,0:56:37.97,0:56:42.02,Default,,0000,0000,0000,,that Siemens SPPA team for ??? in\Nitself. The main outlines from the vendor Dialogue: 0,0:56:42.02,0:56:47.15,Default,,0000,0000,0000,,response is, that if a power plant\Noperator, you should hurry and install a Dialogue: 0,0:56:47.15,0:56:55.34,Default,,0000,0000,0000,,new version 8.2 SP2. There are Siemens\Nis trying to like educate and raise Dialogue: 0,0:56:55.34,0:56:59.70,Default,,0000,0000,0000,,awareness outside their customers. That's\Nfirst of all, they should change passwords Dialogue: 0,0:56:59.70,0:57:04.07,Default,,0000,0000,0000,,that there are critical vulnerabilities\Nand they should do something with it. And Dialogue: 0,0:57:04.07,0:57:10.97,Default,,0000,0000,0000,,there is not all the problems are fixable by\NSiemens themselves. 
There is an operator Dialogue: 0,0:57:10.97,0:57:19.31,Default,,0000,0000,0000,,is viable for some of the activities to do\Nthe security by themselves. So that's Dialogue: 0,0:57:19.31,0:57:24.11,Default,,0000,0000,0000,,actually it. Thank you. Thank you very\Nmuch. Thank you, Congress. If you have any Dialogue: 0,0:57:24.11,0:57:26.93,Default,,0000,0000,0000,,questions, please welcome. Dialogue: 0,0:57:26.93,0:57:36.03,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:57:36.03,0:57:40.79,Default,,0000,0000,0000,,Herald: Thank all of you for this excellent\Ntalk, we have a short three minutes for Dialogue: 0,0:57:40.79,0:57:45.27,Default,,0000,0000,0000,,questions. If you have questions, please\Nline up at the microphones in the hall. If Dialogue: 0,0:57:45.27,0:57:49.38,Default,,0000,0000,0000,,you're using hearing aids, there is an\Ninduction loop at microphone number three. Dialogue: 0,0:57:49.38,0:57:54.44,Default,,0000,0000,0000,,Do we have questions from the Internets?\NYes. Question from our signal angel, Dialogue: 0,0:57:54.44,0:57:59.11,Default,,0000,0000,0000,,please.\NSignal-Engel: So we've got a question with Dialogue: 0,0:57:59.11,0:58:03.27,Default,,0000,0000,0000,,the vulnerabilities found. Could you take\Nover those cans from the worldwide web cam Dialogue: 0,0:58:03.27,0:58:10.90,Default,,0000,0000,0000,,without the freedom and the minimum tax?\NHerald: Can you please repeat. Dialogue: 0,0:58:10.90,0:58:13.51,Default,,0000,0000,0000,,repdet: A little bit louder, please?\NSignal-Engel: Sorry. With your own Dialogue: 0,0:58:13.51,0:58:19.43,Default,,0000,0000,0000,,vulnerability found, could you take\Ncontrol over those plants without worldwide Dialogue: 0,0:58:19.43,0:58:26.56,Default,,0000,0000,0000,,them from public Internet, without further\Namending the ??? ? Dialogue: 0,0:58:26.56,0:58:31.07,Default,,0000,0000,0000,,repdet: Actually, no. This is and this is\Nsome poor some form of the good news. 
Dialogue: 0,0:58:31.07,0:58:35.01,Default,,0000,0000,0000,,Those systems are exclusively supported by\None system integrator, by Siemens. They Dialogue: 0,0:58:35.01,0:58:39.40,Default,,0000,0000,0000,,are more or less protected from the\Nexternal access. Of course, there would be Dialogue: 0,0:58:39.40,0:58:43.83,Default,,0000,0000,0000,,external access, but it's not that easy to\Nreach it. And of course, it's we're not Dialogue: 0,0:58:43.83,0:58:46.57,Default,,0000,0000,0000,,talking about Internet. We're talking\Nabout some corporate networks of things Dialogue: 0,0:58:46.57,0:58:50.42,Default,,0000,0000,0000,,like this.\NHerald: Next question, microphone three, Dialogue: 0,0:58:50.42,0:58:54.50,Default,,0000,0000,0000,,please.\NMic. 3: Yes, hello. Uh, I also have a Dialogue: 0,0:58:54.50,0:59:00.07,Default,,0000,0000,0000,,power plant on my planet and, uh, it's\Nkind of bad for the atmosphere, I figured. Dialogue: 0,0:59:00.07,0:59:05.67,Default,,0000,0000,0000,,So, uh, my question is, can you skip back\Nto where the red button is to switch it Dialogue: 0,0:59:05.67,0:59:14.46,Default,,0000,0000,0000,,off? And I'm asking for a friend.\N{\i1}Laughter, Applause{\i0} Dialogue: 0,0:59:14.46,0:59:18.75,Default,,0000,0000,0000,,repdet: As we never thought about that,\Nthese materials can be used in this way. Dialogue: 0,0:59:18.75,0:59:24.92,Default,,0000,0000,0000,,But yeah. Specifically, if you have an\Noperator of engineers, friends on the Dialogue: 0,0:59:24.92,0:59:29.53,Default,,0000,0000,0000,,power plants, you can talk to them.\NHerald: Do we have any more questions from Dialogue: 0,0:59:29.53,0:59:38.41,Default,,0000,0000,0000,,the Internets? No questions. Any questions\Nfrom the hall? I guess not. Well, then, Dialogue: 0,0:59:38.41,0:59:41.40,Default,,0000,0000,0000,,thank you very much for this talk and a\Nwarm round of applause. 
Dialogue: 0,0:59:41.40,0:59:45.90,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:59:45.90,0:59:48.77,Default,,0000,0000,0000,,{\i1}36c3 Postroll music{\i0} Dialogue: 0,0:59:48.77,1:00:13.00,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!