36C3 Preroll music

Herald: One of the obvious critical infrastructures we have nowadays is power generation. If there is no power, we're pretty much screwed. Our next speakers will take a very close look at common industrial control systems used in power turbines and their shortcomings. So please give a warm round of applause to repdet, moradek and cOrs.

Applause

repdet: Good morning, Congress. Thank you for waking up in the morning. We will talk about the security of power plants today, specifically about the automation systems that are used in power plants. You might think that this is another talk about how insecure the whole industrial world around us is, and more or less it is. For four years, we and our colleagues have been speaking about problems in industrial security. We are happy to say that things are getting better, but the tempo is a little bit different and it still feels a little bit uncomfortable. Anyway, we will speak about how power plants are built, what the automation inside is, what the vulnerabilities are, and give a high-level overview of what you can do with this. But first, a little bit of introduction. We are security consultants. We work with a lot of industrial things like PLCs, RTUs, SCADAs, DCSs, whatever it is; we have been doing this for too long. We have been doing this for so long that we have a huge map of contacts with a lot of system integrators and vendors. So by now we are not just doing consultancy work for some asset owner, for example for a power plant; we also talk to other entities and we try to fix things all together. We work at Kaspersky, and actually the whole research was done not just by me, Rado and Alexander, who are here, but also with the help of Eugenia and two Sergeys. Yep. So a very important thing to note is that everything we will discuss right now has been reported to the respective vendor.
You can see some vendors here, but more or less we will speak only about one vendor today: Siemens. But we would like you to understand that similar security issues can be found in all other industrial solutions from other vendors. Some of the findings, for example, do not require weeks of work to find out, and this would be true specifically for all the other vendors which are not mentioned in the talk. Jokes aside, we will share security issues of real power plants out there, and it might look like we are kind of irresponsible guys. But in fact, it is the other way around. I mean that to do some kind of research on these systems that are working in power plants, you need to get access to them. You need time to do this research. You need to have some knowledge to do this research, and all these resources are limited for guys like us, for penetration testers, for auditors, for power plant operators and engineers. But for the bad guys, the potential attackers or adversaries, this is actually their job. They have a lot of investment to do such research. So we assume that the bad guys already know this, and we would just like to share some information with the good guys so they would be able to act upon it. So let's go to the talk itself. Power plants are the most common way humans get their power, their electricity, everywhere around us. I believe the closest one to Leipzig is called the Lippendorf power station. During this research, when we were preparing the introduction, we were surprised how much information about power plants you can get from the Internet. It's not just, for example, a picture of the same power station on Google Maps.
It is actually a very good scheme of what you can see in the marketing materials from vendors, because when they sell some system that automates power plant operations, they sometimes start with the building construction. And on their websites you can find schematic pictures of which building does what, where you will find some equipment, and which versions of equipment are used in these systems. Even if you don't have this experience, you can just Google things and you will find out which systems are used for automation in power plants. For example, for Lippendorf it is a system that is called Siemens SPPA-T2000 and P3000, which actually has another Siemens system inside called Siemens SPPA-T3000. So it's a little bit confusing, and we are still confused. This is exactly the system that we will focus on today: Siemens SPPA-T3000. And again, it could be any other automation system, but it just happened that we've seen this system more often than others. Here is a way you can actually see older generation sites throughout the world, thanks to the carbon monitoring communities. This is not just power plants; this is also nuclear sites, wind generation, solar plants, etc. They are all here, marked by different fuel types of generation. For example, there are coal and gas power plants marked there. So the topic is really huge, and what we will focus on today in our talk is mostly power plants which work on coal and gas, which is important to mention. The heart of each power plant is actually a turbine. We don't have a picture of a turbine on the slides, but more or less, I think everybody saw one on an airplane. They are similar, specifically in terms of size and mostly in how they work. On different vendors' websites you can actually find a lot of information about where those turbines are used.
And this is, for example, the map of the turbines from Siemens. Not all turbines are used in power plants; they have a lot of different applications like chemical plants, oil and gas, and a lot of other things. But if you correlate this information with the previous slides, you will be able to identify which systems are used by which power plant. And if you Google more information, you can actually tell the versions and generations of the systems that are used in these power plants. This is important because of the vulnerabilities that we will discuss later on. So before we speak about what the automation in power plants is, we should understand a little bit how they work. We will go from right to left, and it's very easy. A little note: for the whole talk, we will simplify a lot of things for two reasons. One of them is to make it more suitable for the audience; the other is that we don't really understand everything ourselves. So the first thing you need is fuel. Fuel could be, for example, coal or gas. You put it inside the combustion chamber, where you set it on fire, and it will generate a lot of pressure, which will go to the turbine. Because of the pressure, the turbine will begin to rotate. The turbine has a shaft which drives the electricity generator, which obviously generates electricity and puts it on the power grid. So it is important from now on to understand that when we generate some electricity at a power plant, we put this power not just, for example, to this Congress center or to some city. We put it into a big thing called the power grid, where other entities will sell this electricity to different customers. There is also a very interesting point: when we generate this pressure and the combustion chamber is on fire, we have a lot of excess heat.
And we have two options. One of them is to safely put it into the air; we have condensing towers. This is option number one. The other option is to do some form of recuperation. For example, we take this heat, we warm water, the water produces steam, and we put this steam into a steam turbine and produce additional electricity. This is a kind of optimization of some form. So what is the automation in this process? The automation systems that are used in power plants are usually called distributed control systems, or DCSs. And everything that I just described is actually automated inside those systems. The vendor of the solution wants to simplify all things for the operator, because we don't want hundreds of people working at the power plant. We want maybe dozens of people working there, and they want to simplify the whole process. The operators don't care about where they get this gas or coal, or how much of it they need; they just should be able to start and stop the generation process. And they control one main thing, which is how much power we should produce into the power grid, so how many megawatts of electricity we should produce. This describes the complexity hidden inside these solutions, because there are a lot of small things happening inside, and we will discuss it a little bit later. As I said, these DCSs are not exclusively used in power plants. There are a lot of other sites that use the same solutions, the same software and hardware. The DCS is not just software that you can install. It's a set of hardware and software, various input/output modules, sensors, etc. As I said, sometimes they start from building construction, like: there is a field, please build a super power station. So it's a more complex project most of the time. There are a lot of vendors that are doing it.
As I said, we are focusing in this talk on the Siemens one. Just a short description of how simplified things are for operators of this DCS software. So, for example, if we would like to answer the question of how we would regulate the output in megawatts of our power plant, we would need to control basically three things. Again, we are oversimplifying here. This is an example for the gas turbine. First of all, you would control how much gas we put inside the combustion chamber. We would control the flame temperature. And we would control the thing that gets air inside the turbine. These are basically the three things that are controlled by simple PLCs in the whole system, and you would be able, for example, to change 100 megawatts to 150 megawatts based on these settings. So the system itself that we are going to discuss is called Siemens SPPA-T3000. And again, like all other DCS systems from other vendors, this is a typical industrial system. It has all these things called PLCs, RTUs, HMIs, servers, OPC traffic, et cetera. The only thing that is different specifically for Siemens SPPA-T3000 is that they have two main things called the application server and the automation server. The software running on these servers is not what you will find on other installations. If you read the manuals for the systems from Siemens, there would be a lot of different networks and highways and a lot of things, and Siemens would state that there is no connection between the application network and external networks. In practice and in reality, you will find things like a special sensor network, monitoring vibration, foreign objects and some noises inside the turbine.
You will find a demilitarized zone because, all in all, power plant operators won't have onsite maintenance guys and engineers. They would try to do remote support. They would need to install updates for the operating system, signatures for their antiviruses, and they would need to push some OPC traffic, so information about the generation process, outside, either to the corporate network or to some regulator, because the whole energy market is regulated and there are different entities who monitor how much electricity is generated, or they basically tell you how much electricity you should generate, because this electricity is sold on the energy market. Basically, the whole talk is structured like this: we will speak first about the application server, then the automation server, and then some summary. It all started with the process called Coordinated Vulnerability Disclosure. We notified Siemens about some issues almost a year ago, and a month ago, at the beginning of December, Siemens published an advisory. It was not an advisory just for the issues from us; a lot of other teams also contributed to it. And this December doesn't mean that Siemens just released the patches, because this system, SPPA-T3000, is exclusively supported: the system integrator for the system is Siemens itself. So throughout the year after we notified them about some security issues, they started to roll out patches and install updates on the critical infrastructure they support, and hopefully they did it for all the sensitive issues. There are a lot of things to discuss here that we will skip, because we are a little bit in a hurry. Things like: not all vulnerabilities are the same. We use, for example, CVSS here to talk about how critical a vulnerability is, but it's actually not very applicable to industrial sites.
You should understand what you can do with each vulnerability, how you can impact the process, and we will skip this part. There is actually a kind of threat model in the white paper that we will release later on, during January, we hope. So, the application server. The application server is the main resource that you would find in the SPPA-T3000 network. If someone remotely connects to the system, it would end up on the application server. If someone wants to start the generation process or to change some values, it would be the application server. If there are other servers that, for example, try to communicate with the application server, they will actually start their work by downloading their software from the application server and then executing it. So the first thing you might notice here is that there are a lot of network ports available on this machine. And actually, this is the first point: there is a huge attack surface for an adversary to choose whether he would like to compromise some Siemens software, or Windows software, or some other third-party software. It's a huge attack surface, starting from the fact that all installations of these SPPA systems are kind of different. So depending on the version and the generation, you can find different Windows versions from 2003 to 2016. Hopefully they are all updated right now, but the update process for such installations is a hard thing to do. I mean, you should wait for maintenance, and it should be like maybe once in half a year or once a year. So you will always find some window where you can use some remotely exploitable vulnerabilities like EternalBlue or BlueKeep, marked on the slide. There are tons of additional software like Cygwin
that will allow you to do privilege escalation, badly configured Tomcats, and we have here these funny pie charts that show how the configuration of different software is aligned with the best practices from CIS benchmarks. Those are basically security configuration hardening guides. The most important thing in the application server is a lot of Java software, and in a minute moradek will tell you about this. Surprise, surprise: one of the most notable problems in this Siemens SPPA-T3000 is actually passwords. There are three important time ranges. The first of them is all installations before 2014 and maybe 2015. All passwords for all the power stations were the same, and you can easily Google them. We've also published the full wordlist in the white paper. After this year, Siemens started to generate unique passwords for all power plants. But until this year, it was kind of hard to change these passwords. So you needed to be aware of how to do this, you needed to know the process, and you maybe needed to contact your system integrator to do this. Starting from this December, it is much easier to change passwords. So in the past, even if you knew you had these issues, you were not able to simply change all these things. Along with the passwords, you can find full diagrams and integrator documentation that can show you how the system is built, how it's operating, specific accounts, etc. Of course, this was not published by Siemens, but by some power plant operators who thought it would be a good idea to share this information. So as I said, the most important thing in the application server is a bunch of Java applications, and please welcome moradek, who will share the details about this.

Applause

moradek: Hi, everyone. Let's look at how the server software works on the application server.
The operator can communicate with the system through a Thin client and a Fat client. A Thin client acts as a Java applet inside the Internet Explorer browser and communicates with the server through HTTPS, so it can be outside of the application network and its communication can be constrained by a firewall. In contrast, in the case of the Fat client, software should be installed on the operator's machine, and the client directly communicates with the RMI registry to find services, and after that directly communicates with these RMI services. So the Fat client should belong to the application network. The illustration of the architecture was kindly provided by SPPA itself at a URL. Let me divide it into zones. In the red zone are the items that receive requests from the Thin client and redirect them to RMI services, and in the green zone there are RMI services which act as network services on their own TCP ports. SPPA consists of containers; each container can encapsulate one or more RMI services. All types of containers are represented in the illustration, and all of them have self-explanatory names. Before we go deep inside the internals of SPPA, let me introduce some tools which were used in this research. First of all, all jar files inside SPPA are obfuscated with a commercial product. But this security measure can be easily bypassed by a publicly available deobfuscator tool. Also, sometimes it is useful to see how legitimate software communicates with the system. It helps to understand the architecture of the system and the workflow of clients. In the case of SPPA, an RMI dissector was written; it represents raw TCP streams in a human-readable format. Inside, it uses the method readObject from the JDK. It is known that this method is vulnerable to insecure deserialization, so be careful not to be exploited through a remote pcap. The first pillar of SPPA is the Apache web server. According to its config, the software config folder can be accessed by an unauthorized user. In fact, this folder contains some sensitive information about the system.
For example, the PC system configuration data XML and the files inside etc contain startup options and configuration of all containers of either the application server or the automation server. Also, configuration of Oracle and applications in Tomcat, etc., can be accessed using this vulnerability. And about Tomcat: there are three web applications registered: remote diagnostic viewer, manager and orion. According to the configuration of Tomcat and the Apache web server, I observed that the orion servlets can be accessed through HTTPS, and in the file web.xml there is a list of all servlets of the orion application, and the list is really huge. Some of these servlets have attractive names for an attacker, for example, BrowseServlet. In fact, it allows traversal of the user directory and listing directories of the operating system. But in the case of exploitation, another servlet is more attractive. FileUploadServlet allows file upload with SYSTEM rights, and you have full control of the name of the file. So this vulnerability can easily be transformed into remote code execution. You can overwrite some startup scripts of SPPA or simply inject a shell into the application and get remote code execution with SYSTEM rights. Also, there are some servlets which contain ServiceFactory in their names. In fact, they redirect HTTP requests to RMI services. Inside, they parse incoming HTTP requests and search for the desired RMI service according to the parameter service URL, and further invoke the public method of the security service. The name of the method is defined in a serialized object in the data section of the HTTP request, and the parameters of these calls are also defined in this object. So now we have a situation where the Thin client and the Fat client can access RMI services, but in the case of the Fat client, it can also directly communicate with the RMI registry.
So if the application server missed some important Java security updates, it contains an insecure deserialization vulnerability. And using the public tool ysoserial, we can simply exploit it and get code execution with SYSTEM rights again. The next task is to list all available RMI services on this SPPA system. As a first step, we simply use the class LocateRegistry from the Java SDK and get a big list of services. All but one are JMX RMI services; I assume that they provide some general interface to control and manage containers of SPPA. For further investigation we only chose LookupService. In fact, this service looks like a collection of other RMI services. Using its public method list, we get the names of all available services, and using the name and the public method lookup, we get the reference of an RMI service. All RMI services at this level implement the interface ServiceFactory. Based on this, we can assume that this is again a collection of other RMI services. But in fact, it doesn't have a public method to get the name of the service. So we need to decompile the class and find some factory methods which create an RMI service, for example, createAdminScript, and inside we can find the name of the created service. As can be guessed, it's the admin service. So using the public method getService with this name, we get the reference to the next-level RMI service, and in the final step we get the reference to the RMI services which perform the real job of SPPA. But this RMI service also contains a lot of public methods available to an unauthorized user. So to sum up: we start from the RMI registry, and at each level we find a lot of RMI services, and the last item also contains a lot of public methods. So the attack surface of the SPPA system is really huge. Now that we have listed all available RMI services, the next question is how authentication of client requests is performed in the system.
To answer this question, let's look at how a client request to the security service is processed by the system. First of all, the client gets the reference to the security service using some client ID. Further, PCServiceFactory tries to get a valid session using this clientID in SessionManager. If SessionManager fails in this task, an exception will be thrown and the client will fail. But if it succeeds, a valid sessionID will be returned to PCServiceFactory, and in its turn an instance of SecurityService will be created in the factory method, while the session ID will be stored in loginID inside SecurityService. And finally the client gets the reference to SecurityService. Further, he can call some public method of it. But this method can perform privilege checks of the user using loginId in SecurityManager. So to sum up, we have two security measures in this system. But the question is how a user client can perform a login operation if he doesn't have any valid clientID. In this case, at the startup of the system, SessionManager adds an anonymous session with a clientID that equals zero. And the client will use this clientID and perform the login operation. But an attacker can also use this feature and simply bypass this check. So to sum up, there is only one security measure in the system, and it is fully delegated to the methods of RMI services. But the amount of RMI services is huge, the amount of public methods is really huge, and so it becomes really difficult to manage the security of the system. According to this information, we know all inputs of the system. We know all possible security measures of the system. So it's time to find vulnerabilities in the list of RMI services. This one, which looks so attractive, is the admin service; it can be accessed with an anonymous session. Inside it is a public method runScript. This method doesn't perform any privilege checks, so we can call it without any credentials, and so on.
At the first step, this method creates an instance of a class loader using bytes from the arguments, and in fact this step allows loading an arbitrary Java class. This class should implement the interface AdminScript and define the method execute, and this method execute will be called by runScript of the RMI service. For this case we create a Java class that simply runs an OS command from the arguments of runScript. And we get code execution on the system with SYSTEM rights. Of course, there is more powerful post-exploitation of this vulnerability than simply running an OS command. This vulnerability allows injecting an arbitrary Java class inside the running SPPA application, so you can use some Java reflection to patch some variables of the system and have influence on the technological properties of SPPA. Also, the privilege check inside methods of the RMI service can be bypassed with another vulnerability in the session service. This service has the public method getloggingsessions(). In fact, this method returns all session data of logged-in users on the system. This information includes user names, IP and client Id. So if this includes the clientId of a user that has some admin privileges, an attacker can use this clientId to get a reference to the security service, and this reference will be with the more privileged session. Further, the attacker can call the public method of the security service to get all users and get all private information about all users of the system, password hashes included in this private information. So to sum up, both of these vulnerabilities can be accessed through HTTPS and firewall rules can be bypassed. In general, all communication with RMI services is not encrypted. So usernames and password hashes are transferred in plain text. This is more critical for the Fat client case. Moreover, password hashes don't have any session protection mechanism.
So if an attacker can perform a man-in-the-middle attack against some user of SPPA and captures the traffic between this user and the application server, he can get a valid username and password hash of the system, simply reuse these credentials and perform a login operation on the system. Moreover, he can also change the password of this user. I talked a lot about user names and password hashes, so it's time to understand how these items are organized in the system. Alex.

Alex: Hello everyone. I will continue our discussion about the application server. On the previous slide you could see how remote authentication works. Sorry, I repeat: on the previous slide you could see how remote authentication works. And now I'm going to tell you how it is organized locally. After the system gets started, it begins to read two files, user1.xml and pdata1.xml, to get the user list and their passwords respectively. The user1 file is simple XML, while pdata1 has a slightly more difficult structure. It is a gzip archive encoded in base64, with a Java serialization object in the gzip archive contained in a specific XML. The fields of this XML are presented on the slide. They are used to calculate the hash value and check the password during authentication. At the bottom of the slide you can see the password check algorithm in pseudo-code. The cryptographic scheme is a type of crypt-like hashing scheme, as on Unix and Linux machines. It has a number of iterations and salts, and only one thing was edited: there is a hardcoded salt, which is the same for all users. A tool to extract password hashes and their parameters from the pdata1 file has been developed. On this slide you can see the output of the tool. The tool can be used during password auditing to check for weak or dictionary passwords and the actual hashing parameters. The tool is available at the link below.
Let's draw a line under the application server analysis. First, as we have seen, the attack surface is really huge and includes a lot of different components. Secondly, it's about remote connections. What's that about? Whether SPPA has a remote connection or not: I couldn't tell, nor could someone else who tells you; you should check it anyway. And the last thing is that an attacker has the opportunity to impact the power generation process. For example, he can start and stop generation, change some output value, or get some additional information about the generation process, and all these actions can be done from the application server. That's all about the application server, so let's start the discussion about the automation server. The main goal of the automation server is to execute real-time automation functions and tasks. Depending on the power plant project architecture and its features, the role of an automation server can be different. We distinguish three roles. The first one is the automation role. There may be a slight confusion because the term is used both for the server and for its role, but analyzing real automation server configurations and publicly available information, we have found that, whatever the role is, almost the same hardware and software are used, and we have decided to use this kind of classification, which seems less confusing to us. At the same time, it's slightly different from the vendor's classification. Anyway, the automation role means that the server is responsible for interaction with input-output modules to control and monitor power plant equipment such as the turbine, electric generator or some other. The second role is communication. This role is used for connection to third-party software and systems; in other words, it's just a protocol converter supporting such protocols as Modbus, IEC 101, 104 and some others. And the last role is the migration role.
This role is used to connect the previous version, SPPA-T2000, and legacy systems such as Teleperm ME. The automation server in the automation role can run on a Simatic PLC or on an industrial PC. Other roles can run only on industrial PCs. Now let's talk a little more about each role, and let's start with the automation role based on a PLC. PLCs directly control field devices like valves and turbines, and access to them means game over for any security discussion. They usually represent the lowest level in different reference models, such as the Purdue model, for example. Any credential or configuration changes and updates for a PLC require stopping the technological process. So these devices always have security misconfigurations, firmware without security updates and insecure industrial protocols. In the case of SPPA they are the S7 protocol and the PLC data protocol. There is a lot of information about the S7 protocol on the internet, but not so much about the PLC data protocol. So we had to deal with it and analyze it ourselves. It's not a special protocol for SPPA. When you program your Simatic PLCs and need to exchange some data between them in real time, you use this protocol. It's a quite simple protocol, and maybe its description is available somewhere on the internet, but we couldn't find it. So here we just show you its structure. There is no security mechanism in this protocol, so the only obstacle while doing a man-in-the-middle attack to spoof data is the sequence number, which we can get from a captured packet; after that it just follows the implementation. For practical analysis we have developed a dissector, which is available at the link below. During the security assessment of PLC configurations, one of the main things which we check is unauthorized access to reading and writing PLC memory.
Availability of unauthorized access is determined by the position of the mode selector of the PLC and some other configuration parameters. During previous research conducted by one of our colleagues, Daniel Parnischev????, a privilege matrix has been obtained that shows insecure states and configurations of the PLC. The tool for gathering information from the PLC over the network and analyzing it has been developed by Danil and is also available in our repository.

Now let's talk about the automation server based on an industrial PC. It's just a Linux box. During start-up it tries to download some additional files from the application server. These files include jar files, bash scripts, some configuration and protocol files, and some others. To execute the jar files, the PTC Perc virtual machine is used. It is a Java runtime widely spread in the industrial and military areas. PTC Perc contains a compilation mechanism, so all jar files contain a bytecode transformation. That's why regular decompilers fail on them. To solve this problem, we have written a PHP script to perform the reverse transformation. After that, regular decompilers have been successful. Running jars open RMI services on the automation server, and some ??? of their extensions. For example, in the case of a migration server on a PC, services which are extensions of classic Java RMI services are used, and on the slide you can see the list of these services.

The key issues of the automation server based on an industrial PC are presented on this slide. Firstly, as you can see, there is a possibility to spoof the files downloaded from the application server: files are downloaded over HTTPS and there are no security mechanisms during the process. Secondly, it's about default credentials. You can get access over SSH to the server with the user "SAM admin" and password; see them next. Next, there are vulnerabilities in the RMI services.
These vulnerabilities allow performing sensitive data exposure and remote code execution. And finally, the last group of vulnerabilities was found in the software used to fulfil the migration role for communication with SPPA-T2000, also known as the TXP system; it has a number of issues. On the migration server with old TXP you are in a magic position. ??? The most obvious vulnerabilities are in the runtime service, as this service contains a method "request runtime" where the first argument defines the action to be executed. Using the action "read file" it is possible to get the content of any file from the system. Using "write config file" it's possible to write information to the server. For example, it can be jar files which execute shell commands from the command line, and using some SPPA-specific functions you can execute these jar files later.

This is all about the automation server. To sum up, the automation server can be based on a PLC or an industrial PC. In the case of a PLC, it is a usual PLC with known security issues. In the case of an industrial PC, it's just a Linux box which tries to download some additional files from the application server, and some of them are executed by the virtual machine.

So far, we haven't mentioned any network equipment used in distributed control systems. During the research we saw a wide variety of network devices and network infrastructure, including switches, firewalls and rarer devices such as data diodes, for example. We tried to summarize all this information and got a common SPPA network topology and scheme. Look at the places shown in purple, the usual places for network devices. The same devices can be found in other vendors' distributed control systems. Network devices in industrial networks usually have a lot of security issues. The reason for this is that most of them don't require any configuration before start and can be run out of the box.
And that's why things like SNMP with default community strings, default credentials for different services, firmware with publicly available exploits, and just a lack of security configuration: all these things are usual for network devices, and they are the usual security issues for our industrial networks. I think that's all. Now Gleb will sum up our discussion.

repdet: Yep. So the topic of power plants is huge. The system is huge, we tried to cover this, and there are a lot of small things in the talk. In fact, everything can be summed up on this slide. Those are just the vulnerabilities, as you can see: problems in Java, in web applications, in different simple mechanisms that you can exploit directly, without even going into the PLC or field level. You can impact the process itself. What we don't cover in this talk is what havoc or disaster could be caused by attacking such systems, because it's actually not that bad. I mean, they're talking about things like blackouts of cities or things like this. This is not what you can do with such a system, because the distribution of the power in the grid, according to the threat model, is not the problem of the power generation. There should be another regulator who watches for enough capacity in the network to supply the electricity for the customers. So what we're really speaking about here is how we can impact, for example, the turbine itself. But we had no access to a real turbine. They're big, expensive, and we haven't found anyone willing to provide us one so we could destroy it. But the point is, we have an educated guess: PLCs control a lot of parameters of this turbine,
and the turbine is like a big mechanical monster that is actually self-degrading by working, and putting it into different uncomfortable operating modes will degrade it even faster, or it will break in the end. It's not easy: you can have a spare PLC or some other device, but you won't have a spare turbine. So the impact is there, but it's not very huge. So what we tried to do with this research mostly is to understand how we can help the power plant operators out there. And after finding all the issues and analysing these infrastructures and the customer sites, we understood that all of the installations are actually the same, and we can write a very simple do-it-yourself assessment, and hopefully even engineers on the power plants can test themselves. It is very easy: a set of steps on two or three pages. You connect to the application network, you connect to the automation network, you run the tests, you get the results, and afterwards you talk with Siemens, or you can fix something by yourselves. Basically you don't have to hire expensive consultants to do the job. You should be able to do it by yourself. We hope that you will be able to do it. To summarize the whole situation around DCSs: if you have seen other industrial solutions like SCADAs, like substations, you would find a lot of similarities, and they have the same pain points as all other solutions. There is a good document out there, IEC 62443, which describes how a power plant operator or asset owner should talk to the system integrator and the vendor in terms of what security they should require and how they should control it. We urge any power plant operator to read these standards and to require security from their vendors and system integrators, because nowadays it differs from vendor to vendor.
Maybe the vendor is more interested in the security, or the plant, or some regulator, and nobody knows how to act. This is the document which describes how you should talk with all the other entities. Of course, read the slides, read the white paper in January. Call Siemens, update your systems, change your passwords and configurations. This is actually very easy, at least to shrink the attack surface. A lot of things inside the SPPA network are modern Windows boxes, and it's kind of easy to set up some form of monitoring, so you should talk to your security operations center. They would be able to look for some logs. Not most of the impact that we showed, like it was the input from the Java application, and you won't be able to monitor all of these with security events in Windows, but at least it's still some form of detection process inside your network. And again, finally, to summarize: it is not a problem of one DCS from Siemens. There are exactly the same issues for other vendors not mentioned here. We will release a lot of things today, tomorrow and in January: basically the big white paper about everything that we have found out, recommendations on what to do, wordlists, the do-it-yourself security assessment, and a lot of tools. One of the tools would help you to do the research; other tools would help you, for example, if you are using intrusion detection systems, IDSs: you would be able to parse the protocols and maybe write some signatures for them. We work closely with Siemens. We want to say thank you to Siemens ProductCERT. They did a great job in communication between us and the product team that develops the products, the Siemens SPPA team ??? itself. The main outlines from the vendor response are that, if you are a power plant operator, you should hurry and install the new version 8.2 SP2. Siemens is trying to educate and raise awareness among their customers.
That's first of all: they should change passwords, there are critical vulnerabilities, and they should do something about it. And not all the problems are fixable by Siemens themselves; the operator is liable for some of the activities, to do the security by themselves. So that's actually it. Thank you. Thank you very much. Thank you, Congress. If you have any questions, please welcome. Applause

Herald: Thank all of you for this excellent talk. We have a short three minutes for questions. If you have questions, please line up at the microphones in the hall. If you're using hearing aids, there is an induction loop at microphone number three. Do we have questions from the Internets? Yes. Question from our signal angel, please.

Signal Angel: So we've got a question. With the vulnerabilities found, could you take over those plants from the worldwide web ??? without the freedom and the minimum tax?

Herald: Can you please repeat?

repdet: A little bit louder, please?

Signal Angel: Sorry. With the vulnerabilities you found, could you take control over those plants from the public Internet, without further amending the ???

repdet: Actually, no. This is some form of the good news. Those systems are exclusively supported by one system integrator, by Siemens. They are more or less protected from external access. Of course, there would be external access, but it's not that easy to reach it. And of course, we're not talking about the Internet; we're talking about some corporate networks or things like this.

Herald: Next question, microphone three, please.

Mic 3: Yes, hello. I also have a power plant on my planet and it's kind of bad for the atmosphere, I figured. So my question is, can you skip back to where the red button is to switch it off? And I'm asking for a friend. Laughter, Applause

repdet: We never thought about that, that these materials can be used in this way. But yeah.
Specifically, if you have operator or engineer friends on the power plants, you can talk to them.

Herald: Do we have any more questions from the Internets? No questions. Any questions from the hall? I guess not. Well then, thank you very much for this talk and a warm round of applause. Applause