
36C3 - On the insecure nature of turbine control systems in power generation

  • 0:00 - 0:20
    36C3 Preroll music
  • 0:20 - 0:23
    Herald: One of the obvious critical
    infrastructures we have nowadays is power
  • 0:23 - 0:30
    generation. If there is no power, we're
    pretty much screwed. Our next speakers
  • 0:30 - 0:35
    will take a very close look at common
    industrial control systems used in power
  • 0:35 - 0:43
    turbines and their shortcomings. So please
    give a warm round of applause to repdet,
  • 0:43 - 0:45
    moradek and cOrs.
  • 0:45 - 0:52
    Applause
  • 0:52 - 0:59
    repdet: Good morning, Congress. Thank you
    for waking up in the morning. We will talk
  • 0:59 - 1:05
    about the security of power plants today,
    specifically about the automation systems
  • 1:05 - 1:11
    that are used in power plants. You
    might think that this is another talk
  • 1:11 - 1:18
    about how insecure the whole industrial
    world around us is, and more or less it
  • 1:18 - 1:25
    is. For four years, we and our
    colleagues have been speaking about problems in
  • 1:25 - 1:31
    industrial security. We are happy to say
    that things are getting better, but it's
  • 1:31 - 1:34
    just that the temper is a little bit
    different and feels a little bit
  • 1:34 - 1:39
    uncomfortable, though. Anyway, we will
    speak about how power plants are
  • 1:39 - 1:43
    built, what is the automation inside, what
    are the vulnerabilities, and give a high
  • 1:43 - 1:49
    level overview of what you can do with
    this. But first, a little bit of
  • 1:49 - 1:57
    introduction. We are security consultants.
    We work with a lot of industrial things
  • 1:57 - 2:03
    like PLCs, RTUs, SCADAs, DCSs, LCS,
    whatever it is. We have been doing this for so
  • 2:03 - 2:10
    long that we have a huge map of contacts with a
  • 2:10 - 2:16
    lot of system integrators and vendors. And
    from that time we are not just doing
  • 2:16 - 2:21
    consultancy work for some asset owner, for
    example, for a power plant. We also talk
  • 2:21 - 2:27
    to other entities and we try to fix
    things altogether. We work at Kaspersky
  • 2:27 - 2:32
    and actually the whole research was done
    not just by me, Rado and Alexander, who
  • 2:32 - 2:44
    are here, but also with the help of
    Eugenia and two Sergeys. Yep. So a thing
  • 2:44 - 2:49
    that is very important to note is that
    everything that we will discuss right now
  • 2:49 - 2:58
    has been reported to the respective vendor,
    basically a long time ago. You can see
  • 2:58 - 3:03
    vendors here, but more or less we will
    speak only about one vendor today. It
  • 3:03 - 3:10
    is Siemens. But we would like you
    to understand that similar security
  • 3:10 - 3:15
    issues can be found in all other
    industrial solutions from other vendors.
  • 3:15 - 3:20
    You would find that some of these findings,
    for example, do not require
  • 3:20 - 3:26
    weeks of work to discover. And
    this would be true specifically for all
  • 3:26 - 3:33
    other vendors which are not mentioned in
    the talk. Jokes aside, we will share
  • 3:33 - 3:42
    security issues of real power plants out
    there and it might look like we are
  • 3:42 - 3:49
    kind of irresponsible guys. But in fact,
    it is the other way around. I mean that
  • 3:49 - 3:54
    to do some kind of research with these
    systems that are working in power
  • 3:54 - 4:00
    plants, you need to get access to them.
    You need time to do this research. You
  • 4:00 - 4:06
    need to have some knowledge to do this
    research, and all these resources are
  • 4:06 - 4:10
    limited for guys like us, for penetration
    testers, for auditors, for power plant
  • 4:10 - 4:16
    operators and engineers. But for the bad
    guys, like the potential attackers or
  • 4:16 - 4:22
    adversaries, this is actually their job.
    They have a lot of investments to do
  • 4:22 - 4:28
    such research. So we assume that bad guys
    already know this. And we would just
  • 4:28 - 4:33
    like to share some information with the
    good guys so they would be able to act
  • 4:33 - 4:42
    upon this. So let's go to the talk itself.
    Power plants are the most
  • 4:42 - 4:49
    common way how humans get their power,
    their electricity, everywhere
  • 4:49 - 4:54
    around us. And I believe the closest
    one to Leipzig is called the Lippendorf
  • 4:54 - 4:59
    power station. And during this research,
    when we were preparing an introduction, we
  • 4:59 - 5:02
    were surprised how much information about
    power plants you can get from the
  • 5:02 - 5:07
    Internet. It's not just, for example, a
    picture of the same power station
  • 5:07 - 5:15
    on Google Maps. It is actually a very
    good scheme of what you can
  • 5:15 - 5:20
    see on the marketing materials from
    vendors, because when they sell some
  • 5:20 - 5:24
    system that automates power plant
    operations, they sometimes start with
  • 5:24 - 5:30
    building construction. And on
    their websites, you can find the schematic
  • 5:30 - 5:34
    pictures of actually which building does
    what and where you will find some
  • 5:34 - 5:40
    equipment, which versions of equipment are
    used in these systems. But if
  • 5:40 - 5:45
    you don't have this experience, you can
    just Google things and you will find out
  • 5:45 - 5:50
    which systems are used for automation in
    power plants. For example, for Lippendorf
  • 5:50 - 5:57
    it's some system that is called Siemens
    SPPA-T2000 and P3000, which actually
  • 5:57 - 6:03
    has another Siemens system inside called
    Siemens SPPA-T3000. So it's a little bit
  • 6:03 - 6:10
    confusing, and it is. And we are still
    confused. This is exactly the system that
  • 6:10 - 6:18
    we will focus on today: Siemens
    SPPA-T3000. And again, it could be any
  • 6:18 - 6:24
    other automation system, but it just
    happened the way that we've seen this
  • 6:24 - 6:32
    system more often than others.
    There is a way how you can actually see
  • 6:32 - 6:38
    all the generation sites throughout the
    world, thanks to the carbon monitoring
  • 6:38 - 6:43
    communities. This is not just power
    plants. This is also nuclear sites,
  • 6:43 - 6:49
    wind generation, solar plants, etc.,
    etc. They are all here, marked by
  • 6:49 - 6:56
    different fuel types of generation. For
    example, there are coal and gas power
  • 6:56 - 7:03
    plants marked there. So the topic
    is really huge. And what we will
  • 7:03 - 7:09
    focus on today in our talk is mostly the
    power plants which work on coal and
  • 7:09 - 7:14
    gas, which is important to mention. The
    heart of each power plant is actually a
  • 7:14 - 7:18
    turbine. We don't have a picture of a
    turbine on the slides, but more or less, I
  • 7:18 - 7:24
    think everybody saw it on an airplane.
    There are various, and they are similar,
  • 7:24 - 7:31
    specifically in terms of size and mostly
    how they work. On different vendors' web
  • 7:31 - 7:37
    sites, you can actually find a lot of
    information where those turbines are used.
  • 7:37 - 7:44
    And this is, for example, the map of the
    turbines from Siemens. Not all turbines
  • 7:44 - 7:48
    specifically are used in power plants. So
    they have a lot of different applications
  • 7:48 - 7:53
    like chemical plants, oil and gas, a lot
    of other things. But if you correlate this
  • 7:53 - 7:57
    information from previous slides, you
    would be able to identify which systems
  • 7:57 - 8:01
    are used by which power plant. And if you
    Google more information, you can
  • 8:01 - 8:05
    actually tell the versions and the
    generations of the systems that are used
  • 8:05 - 8:10
    on these power plants. This is important
    because of the vulnerabilities that we
  • 8:10 - 8:17
    will discuss later on the slides. So
    before we speak about what is the
  • 8:17 - 8:22
    automation on power plants, we should
    understand a little bit how they work. So
  • 8:22 - 8:28
    we will go from right to left and it's
    very easy. A little notice: for
  • 8:28 - 8:31
    all the talk, we will simplify a lot of
    things for two reasons. One of them is to
  • 8:31 - 8:37
    make it more suitable for the audience.
    And another thing: we don't really
  • 8:37 - 8:43
    understand everything ourselves. So the
    first thing you should get is a fuel. Fuel
  • 8:43 - 8:49
    could be, for example, coal or
    gas. And you will just put this inside the
  • 8:49 - 8:55
    combustion chamber where you would
    set it on fire, actually. And it
  • 8:55 - 8:59
    will generate a lot of pressure which will
    go to the turbine. And because of the
  • 8:59 - 9:05
    pressure, the turbine will begin to
    rotate. The turbine has a shaft which
  • 9:05 - 9:10
    will drive the electricity generator,
    which obviously will generate
  • 9:10 - 9:16
    electricity and put it on the power grid.
    So it is important from now on to
  • 9:16 - 9:21
    understand that when we generate some
    electricity on the power plant, we put
  • 9:21 - 9:28
    this power not just, for example,
    to this Congress center or to some city.
  • 9:28 - 9:34
    We put it in a big thing called the power
    grid, where other entities will sell this
  • 9:34 - 9:40
    electricity to different customers.
    There is also a very interesting point about
  • 9:40 - 9:46
    when we do generate this pressure
    and the combustion chamber is on fire, we
  • 9:46 - 9:51
    have a lot of excessive heat. And we have
    two options. One of them is to safely
  • 9:51 - 9:55
    put it in the air. We have condensing
    towers. This is option number one. And
  • 9:55 - 10:01
    another option is we can do some form of
    recuperation. For example, we would take
  • 10:01 - 10:07
    this heat. We will warm water. The water
    will produce steam. And we will put this
  • 10:07 - 10:12
    steam in the steam turbine and produce
    additional electricity. This is kind of
  • 10:12 - 10:20
    an optimization of some form. So
    what is the automation in this process?
  • 10:20 - 10:24
    The automation systems that are used on
    power plants are usually called
  • 10:24 - 10:31
    distributed control systems or DCSs. And
    everything that I just
  • 10:31 - 10:37
    described is actually automated inside
    those systems. The vendor of the solution
  • 10:37 - 10:42
    wants to simplify all things for the
    operator, because we don't want
  • 10:42 - 10:46
    hundreds of people working on the power
    plant. We just want maybe dozens of
  • 10:46 - 10:51
    people working there and they want to
    simplify the whole process at
  • 10:51 - 10:56
    length. They don't care about where they
    get this ???, gas or coal, or how much they
  • 10:56 - 11:01
    need of it. They just should be able to stop
    the generation process or start it. And they
  • 11:01 - 11:05
    control one main thing, which is
    how much power we should produce to the
  • 11:05 - 11:13
    power grid. So like how many megawatts of
    electricity we should produce. This
  • 11:13 - 11:20
    describes the actual
    complexity hidden inside these
  • 11:20 - 11:24
    solutions, because there are a lot of small
    things happening inside and we will
  • 11:24 - 11:29
    discuss it a little bit later. As I said,
    these DCSs are not exclusively used
  • 11:29 - 11:34
    on power plants. There are a lot of
    other sites that would use the same
  • 11:34 - 11:40
    solutions, the same software and hardware.
    The DCS is not just software that
  • 11:40 - 11:45
    you can install. It's a set of hardware
    and software, various input and output
  • 11:45 - 11:50
    modules, sensors, etc., etc. As I said,
    sometimes they start from building
  • 11:50 - 11:55
    construction, like: there is a field,
    please build a super power station. So
  • 11:55 - 12:01
    it's a more complex project, most
    of the time. There are a lot of vendors
  • 12:01 - 12:06
    that are doing it. As I said, we are
    focusing in this talk on the Siemens
  • 12:06 - 12:16
    one. Just a short description
    of how simplified things are for operators
  • 12:16 - 12:21
    of this DCS software. So, for example, if
    we would like to answer the question how
  • 12:21 - 12:28
    we would regulate the output in megawatts
    of our power plant, we would need to
  • 12:28 - 12:33
    control basically three things. Again, we
    are oversimplifying here. First of all,
  • 12:33 - 12:38
    you would control how much. This is an
    example for the gas turbine. So
  • 12:38 - 12:43
    we would need to regulate how much gas
    we would put inside the combustion chamber,
  • 12:43 - 12:49
    we would control the flame temperature,
    and we will control the thing that gets
  • 12:49 - 12:55
    air inside the turbine. That's basically
    three things that are controlled by simple
  • 12:55 - 13:00
    PLCs in the whole system. And you
    would be able, for example, to change 100
  • 13:00 - 13:09
    megawatts to 150 megawatts based on these
    settings. So the system itself that we are
  • 13:09 - 13:15
    going to discuss is called Siemens
    SPPA-T3000. And actually, again, like
  • 13:15 - 13:22
    all other DCS systems from other
    vendors, this is a typical industrial
  • 13:22 - 13:29
    system. It has all these things
    called PLCs, RTUs, HMIs, servers,
  • 13:29 - 13:34
    OPC traffic, et cetera, et cetera. The
    only thing that is different
  • 13:34 - 13:41
    specifically for Siemens SPPA-T3000 is
    that they have two main things called
  • 13:41 - 13:46
    application server and automation server.
    The software running on these
  • 13:46 - 13:53
    servers is not what you will find on other
    installations. Despite the fact that there
  • 13:53 - 14:00
    are a lot of... if you read the
    manuals for the systems from Siemens,
  • 14:00 - 14:07
    there would be a lot of different networks
    and highways and a lot of things, like
  • 14:07 - 14:11
    Siemens would state that there is no
    connection between the application network
  • 14:11 - 14:18
    and external networks. In practice and in
    reality, you will find things like a spick
  • 14:18 - 14:23
    sensor network, like monitoring both
    vibration, foreign objects and some noises
  • 14:23 - 14:29
    inside the turbine. You will find the
    demilitarized zone because, all in all,
  • 14:29 - 14:34
    all power plant operators, they won't
    have onsite maintenance guys,
  • 14:34 - 14:38
    engineers. They would try to do remote
    support. They would need to install
  • 14:38 - 14:43
    updates for the operating system, also for
    the signatures of their anti-viruses.
  • 14:43 - 14:46
    They would need to push some OPC
    traffic, so like information about the
  • 14:46 - 14:51
    generation process, outside, either to the
    corporate network or to some regulator,
  • 14:51 - 14:54
    because the whole energy market is
    regulated and there are different entities
  • 14:54 - 14:59
    who would monitor common electricity
    generation, or they basically will tell you
  • 14:59 - 15:03
    how much electricity you should generate,
    because this common electricity is
  • 15:03 - 15:09
    sold on the energy market. Basically,
    the whole talk is structured like this. We
  • 15:09 - 15:14
    will speak first about the application server,
    then the automation server and then some
  • 15:14 - 15:21
    summary. It all started with the process
    called Coordinated Vulnerability
  • 15:21 - 15:28
    Disclosure. We notified Siemens about some
    issues almost a year ago and, like a month ago,
  • 15:28 - 15:35
    at the beginning of December, Siemens
    published an advisory. It was not
  • 15:35 - 15:40
    an advisory just for the issues
    from us. A lot of other teams also
  • 15:40 - 15:46
    contributed to it. And this December, this
    year's December, doesn't mean that Siemens
  • 15:46 - 15:51
    just released the patches. They say
    that this system, SPPA-T3000, is exclusively
  • 15:51 - 15:56
    supported, so the system integrator for
    the system is Siemens itself. So
  • 15:56 - 16:00
    throughout the year after we notified them
    about some security issues, they started
  • 16:00 - 16:06
    to roll out patches and install updates on
    the critical infrastructure they support, and
  • 16:06 - 16:13
    hopefully they did it for all the
    sensitive issues. There are a lot of things
  • 16:13 - 16:19
    to discuss here that we will skip, because we
    are a little bit in a hurry. Things like:
  • 16:19 - 16:24
    not all vulnerabilities are the same. And
    we use, for example, CVSS here to talk
  • 16:24 - 16:28
    about how critical the vulnerability
    is, but it's actually not very applicable
  • 16:28 - 16:34
    to industrial sites. You should
    understand what you can do with each
  • 16:34 - 16:39
    vulnerability, how you can impact the
    process, and we will skip this part. There
  • 16:39 - 16:45
    is actually kind of a threat model in the
    white paper that we will release later on,
  • 16:45 - 16:53
    like during January, we hope. So,
    the application server. The application server is
  • 16:53 - 17:03
    the main resource that you
    would find in the SPPA-T3000 network.
  • 17:03 - 17:08
    If someone remotely connects to the
    system, it would end up in the application
  • 17:08 - 17:12
    server. If someone wants to start the
    generation process or to change some
  • 17:12 - 17:18
    values, it would be the application
    server. If there are other servers that
  • 17:18 - 17:21
    would, for example, try to communicate with the
    application server, they will actually
  • 17:21 - 17:26
    start their work by downloading their
    software from the application server and then
  • 17:26 - 17:32
    executing it. So the first thing you might
    notice here is there are a lot of
  • 17:32 - 17:38
    network ports available on this
    machine. And actually, this is the first
  • 17:38 - 17:45
    point. There is a huge attack surface
    for the adversary to choose whether or
  • 17:45 - 17:49
    not he would like to compromise some
    Siemens software, or its Windows software,
  • 17:49 - 17:55
    or some other third-party software. Huge
    attack surface, starting from the fact that
  • 17:55 - 18:01
    all of the installations of this
    SPPA system are kind of different. So
  • 18:01 - 18:06
    depending on the version and
    generation, you can find different Windows
  • 18:06 - 18:18
    versions from 2003 to 2016. Hopefully they
    are all updated right now, but because the
  • 18:18 - 18:24
    update process for such
    installations is a hard thing to
  • 18:24 - 18:29
    do. I mean, you should wait for maintenance
    and it should be like maybe once in a
  • 18:29 - 18:33
    half year or once a year. You will
    always find some window where you can use
  • 18:33 - 18:38
    some remotely exploitable vulnerabilities
    like EternalBlue or BlueKeep, as
  • 18:38 - 18:45
    mentioned on the slide. There are tons of
    different additional software like old
  • 18:45 - 18:49
    signwin??? that will allow you to do
    privilege escalation, badly configured
  • 18:49 - 18:55
    Tomcats, and we have here these funny pie
    charts that show how the configuration of
  • 18:55 - 19:00
    different software is aligned with the
    best practices from CIS benchmarks. Those
  • 19:00 - 19:07
    are basically security
    configuration hardening guides. The most
  • 19:07 - 19:13
    important thing in the application server
    is a lot of Java software and in a minute
  • 19:13 - 19:19
    repdet will tell you about this. Surprise,
    surprise, one of the most
  • 19:19 - 19:28
    notable problems in this Siemens SPPA-T3000
    is actually passwords. There are
  • 19:28 - 19:32
    three important ranges. The
    first of them is all the
  • 19:32 - 19:40
    installations before 2014 and maybe 2015.
    All passwords for all the
  • 19:40 - 19:44
    power stations were the same. And you can
    easily Google them. We've also published
    like the full world list in the white
    paper. After this year's Siemens started
  • 19:50 - 19:58
    to generate the unique passwords for all
    power plants. But until this year, it was
  • 19:58 - 20:02
    kind of hard to change this password. So
    you need to be aware of how to do this.
  • 20:02 - 20:04
    You need to know the process. You maybe
    need to contact to contact your system
  • 20:04 - 20:08
    integrator to do this. Starting up from
    this December, it would be much easier
  • 20:08 - 20:14
    specifically to change passwords. So it's
    in the past. Even if you know, you have
  • 20:14 - 20:20
    you have these issues, you were not able
    to simply change or all these things.
  • 20:20 - 20:24
    Along with the passwords, passwords, you
    can find the like the full diagrams and
  • 20:24 - 20:30
    the integrator documentation that can show
    you how the system is built, how it's
  • 20:30 - 20:34
    operating, specific accounts, etc, etc. Of
    course, this was not published by Siemens,
  • 20:34 - 20:39
    thouse some power plant operators who
    thought that would be a good idea to share
  • 20:39 - 20:45
    this information. So as I said, the most
    important thing the application server is
  • 20:45 - 20:49
    a bunch of Java applications and please
    welcome moradek will share the details
  • 20:49 - 20:57
    about this.
    Applause
  • 20:57 - 21:01
    moradek: Hi, everyone. Let's look at how
    this perverse software works on the application
  • 21:01 - 21:07
    server. The operator can communicate with
    the system through a Thin client and a Fat client.
  • 21:07 - 21:16
    A Thin client acts as a Java applet
    inside the Internet Explorer browser and
  • 21:16 - 21:23
    communicates with the server through HTTPS, so
    it can be outside of the application network
  • 21:23 - 21:29
    and its communications can be constrained
    by a firewall. In contrast, in the case of the Fat
  • 21:29 - 21:35
    client, software should be installed on the
    operator machine and the client directly
  • 21:35 - 21:41
    communicates with the RMI registry to find
    services, and after that directly
  • 21:41 - 21:50
    communicates with these RMI services. So the Fat
    client should belong to the application network.
  • 21:50 - 21:58
    The illustration of the architecture was
    kindly provided by SPPA through a URL.
  • 21:58 - 22:04
    Let me divide it into spaces: in the
    red zone are the items that process
  • 22:04 - 22:11
    requests from the Thin client and redirect them
    to RMI services. And in the green zones there
  • 22:11 - 22:18
    are RMI services which act as network
    services on their own TCP ports. SPPA
  • 22:18 - 22:24
    consists of containers; each container can
    encapsulate inside one or more
  • 22:24 - 22:32
    RMI services. All types of containers are
    represented on the illustration and all of
  • 22:32 - 22:40
    them have self-explanatory names. Before
    we go deep inside the internals of
  • 22:40 - 22:45
    SPPA, let me introduce some tools which were
    used in this research. First of all, all
  • 22:45 - 22:52
    jar files inside SPPA are obfuscated
    with a commercial product. But these
  • 22:52 - 22:59
    security measures can be easily bypassed
    by a publicly available tool, the deobfuscator.
  • 22:59 - 23:06
    Also, sometimes it is useful to see how
    legit software communicates with the system.
  • 23:06 - 23:14
    It helps to understand the architecture of the
    system and the workflow of clients. In the case of
  • 23:14 - 23:22
    SPPA, a dissector was written. It
    represents raw TCP streams in human
  • 23:22 - 23:30
    readable format. Inside, it uses the method
    readObject from the JDK. It is known that this
  • 23:30 - 23:35
    method is vulnerable to insecure
    deserialization, so be careful not
  • 23:35 - 23:43
    to be exploited by the remote peer. The
    first pillar of SPPA is the Apache web server.
  • 23:43 - 23:52
    According to its config, the software config
    folder can be accessed by an unauthorized
  • 23:52 - 23:59
    user. In fact, this folder contains some
    sensitive information about the system. For
  • 23:59 - 24:07
    example, files of PCS system configuration,
    data models, and files inside etc contain
  • 24:07 - 24:15
    startup options and configuration of all
    containers, either of the application network or the
  • 24:15 - 24:21
    automation network. Also, the configuration of
    Oracle and the applications in Tomcat can be
  • 24:21 - 24:26
    accessed using this vulnerability. And about
    Tomcat. There are three web
  • 24:26 - 24:34
    applications registered: remote diagnostic
    viewer, manager and orion. According to the
  • 24:34 - 24:39
    configuration of Tomcat and the Apache
    web server, I've observed that the Orion
  • 24:39 - 24:49
    service can be accessed through HTTPS and
    in the file web.xml there is a list
  • 24:49 - 24:57
    of all servlets of the orion application, and the
    list is really huge. Some of these
  • 24:57 - 25:05
    servlets have attractive names for an attacker, for
    example, BrowseServlet. In fact, it allows
  • 25:05 - 25:13
    searching the user directory and listing
    directories of the operating system. But in
  • 25:13 - 25:20
    the case of exploitation, another servlet is
    more attractive: FileUploadServlet. It
  • 25:20 - 25:29
    allows a file upload with
    system parameters, and you have
  • 25:29 - 25:35
    full control of the name of the file.
    So this vulnerability can be easily
  • 25:35 - 25:39
    transformed into a remote code execution.
    You can override some startup scripts
  • 25:39 - 25:46
    of SPPA or simply inject a shell into the
    application and get remote code
  • 25:46 - 25:55
    execution with system rights. Also there
    are some servlets which contain
  • 25:55 - 26:04
    service factory names. In fact, they
    redirect HTTP requests to RMI services.
  • 26:04 - 26:12
    Inside, they parse the incoming HTTP
    request and search for the desired RMI service
  • 26:12 - 26:20
    according to the parameter service URL, and
    further invoke the public method of the
  • 26:20 - 26:26
    security service. And the name of the
    method is defined in a serialized object in
  • 26:26 - 26:34
    the data section of the HTTP request.
    Also the parameters of these
  • 26:34 - 26:43
    calls are defined in this object. So
    now we have a situation where the Thin client and the
  • 26:43 - 26:52
    Fat client can access RMI services, but in the
    case of the Fat client, it can also
  • 26:52 - 26:59
    directly communicate with the RMI registry. So
    if the application server missed some
  • 26:59 - 27:04
    important Java security updates, it
    contains an insecure deserialization
  • 27:04 - 27:13
    vulnerability. And using the public tool
    ysoserial we can simply exploit it and get
  • 27:13 - 27:19
    code execution with system rights again.
    The next task will be to list all
  • 27:19 - 27:26
    available RMI services on this SPPA system.
    At the first step, we simply use the class
  • 27:26 - 27:35
    LocateRegistry from the Java SDK and get a big list
    of services. All but one are JMX
  • 27:35 - 27:43
    RMI services, I assume that they provide
    some general interface for
  • 27:43 - 27:53
    control and management of the containers of SPPA. For
    further investigation we only choose
  • 27:53 - 28:01
    LookupService. In fact, this service
    looks like a collection of other
  • 28:01 - 28:10
    RMI services. Using its public method list
    we get the names of all available services,
  • 28:10 - 28:18
    and using the name and the public method
    lookup we get the reference of the RMI
  • 28:18 - 28:27
    service. All RMI services at this level
    implement the interface ServiceFactory. So
  • 28:27 - 28:36
    based on this, we can assume
    that this is again a collection of other
  • 28:36 - 28:41
    RMI services. But in fact it doesn't have a
    public method to get the name of the
  • 28:41 - 28:53
    service. So we
    need to decompile the class and find some
  • 28:53 - 29:00
    factory methods which create an RMI service,
    for example, createAdminScript, and
  • 29:00 - 29:08
    inside we can find the name of the
    created service. As can be guessed,
  • 29:08 - 29:14
    it's AdminService. So using the public
    method getService with this name, we
  • 29:14 - 29:23
    get the reference to the next
    level RMI service, and in the final step we get
  • 29:23 - 29:31
    the reference to the RMI services which
    perform the real job of SPPA. But this RMI
  • 29:31 - 29:39
    service also contains a lot of public
    methods for an unauthorized user. So to sum
  • 29:39 - 29:46
    up, we have the RMI registry, and at each
    level we find a lot of RMI services. And
  • 29:46 - 29:54
    the last item also contains a lot of
    public methods. So the attack surface of the
  • 29:54 - 30:02
    SPPA system is really huge. Now when
    we list all available RMA services, the
  • 30:02 - 30:10
    next question is how does authentication
    of client request performs on the system?
  • 30:10 - 30:16
    To answer this question, let's look how
    client requests to security service
  • 30:16 - 30:22
    processed from system. First of all,
    clients get the reference to security
  • 30:22 - 30:31
    service using some client ID. Further
    PCServiceFactory tries to get valid
  • 30:31 - 30:38
    session. Using this clientID in
    SessionManager. If SessionManager will
  • 30:38 - 30:45
    failed in his task, the exception will be
    throat and client will be failed. But if
  • 30:45 - 30:54
    it succeeds, valid sessionID will return
    to PCSfactory. And further in its turn
  • 30:54 - 31:01
    instance of SecurityService will be
    created in factory method. While the
  • 31:01 - 31:12
    session Id will be stored in loginID inside
    SecurityService. And finally client will
  • 31:12 - 31:19
    get the reference to Security Service.
    Further he can call some public method of
  • 31:19 - 31:29
    it. But as this method can perform
    privileged checks of user using loginId in
  • 31:29 - 31:36
    SecurityManager. So to sum up, we have two
    security measures in this system. But as
  • 31:36 - 31:42
    is the question how the user client can
    perform the login operation if he doesn't
  • 31:42 - 31:48
    have any valid clientID. In this case,
    at start-up of the system,
  • 31:48 - 31:54
    SessionManager will add an anonymous
    session with clientID that equals zero.
  • 31:54 - 32:00
    And the client will use this clientID and
    perform the login operation. But an attacker can
  • 32:00 - 32:07
    also use this feature and simply bypass
    those look. So to sum up, there is only
  • 32:07 - 32:15
    one security measure on the system ends
    and each fully delegated to two method or
  • 32:15 - 32:22
    for RMI services. But the amount of itemized
    services is huge, the amount of public methods
  • 32:22 - 32:29
    is really huge. And so it becomes really
    difficult to manage security service of
  • 32:29 - 32:40
    the system. According to this information, so
    we know all inputs of the system. We
  • 32:40 - 32:45
    know all possible security measures or
    systems. So it's time to find
  • 32:45 - 32:53
    vulnerabilities in the list of RMI
    services. This one, which looks so
  • 32:53 - 32:58
    attractive, is admin service; it can be
    accessed with an anonymous session inside.
  • 32:58 - 33:04
    If this public method transcript, this
    method doesn't perform any privilege
  • 33:04 - 33:13
    checks, so we can call its resulting
    Ternium credentials and so on. At the first
  • 33:13 - 33:20
    step, this method creates an instance of
    a class loader using bytes from arguments,
  • 33:20 - 33:27
    and in fact this step will allow to
    arbitrary Java class. This class should
  • 33:27 - 33:34
    implement interface admins screams and
    define method to execute, and this method
  • 33:34 - 33:43
    to execute will be called by run script of
    RMI services. For this case we create a Java
  • 33:43 - 33:51
    class that simply runs OS command from
    arguments of run script. And we get code
  • 33:51 - 33:59
    execution on the system, we system, right?
    Of course, there's a more powerful post
  • 33:59 - 34:06
    exploitation of this vulnerability than
    simply running OS command. You can. This
  • 34:06 - 34:14
    vulnerability allows injecting arbitrary Java
    class inside running SPPA application,
  • 34:14 - 34:25
    so you can use some Java reflection to
    patch some variables of the system and
  • 34:25 - 34:36
    have influence on technological properties
    of SPPA. Else, privilege check inside
  • 34:36 - 34:44
    methods of RMI service can be bypassed
    with SEC vulnerability in session service. This
  • 34:44 - 34:50
    service has public method
    getloggingsessions(). In fact, this method
  • 34:50 - 34:59
    returns all session data of logged-in users on
    the system. This information includes user
  • 34:59 - 35:10
    names, IP and client Id. So if it this
    amounts these clientId of user that has
  • 35:10 - 35:17
    some admin privileges, an attacker can use
    this clientId to get a reference to
  • 35:17 - 35:23
    security service and this reference will
    be with some more privileged session.
  • 35:23 - 35:36
    Further, the attacker can call public
    method of security service, get all users,
  • 35:36 - 35:43
    and get all private information about all
    users of the system, and password hashes
  • 35:43 - 35:54
    included in this private information. So
    to sum up, we have two, or both of these
  • 35:54 - 36:07
    vulnerabilities can be accessed through
    https and federal rules can be bypassed.
  • 36:07 - 36:14
    In general, all communication with RMI
    services is encrypted. So usernames and
  • 36:14 - 36:25
    password hashes are transferred in plain text.
    This is more critical for
  • 36:25 - 36:38
    the fat client case. Moreover, all password
    hashes don't have
  • 36:38 - 36:44
    any session protection mechanism. So if
    an attacker can perform a man-in-the-middle
  • 36:44 - 36:52
    attack against some user office prior
    and captures the traffic between this user
  • 36:52 - 36:59
    and application server, he can get valid
    username and password hash of the system
  • 36:59 - 37:06
    and simply reuse these credentials and
    perform login operation on the system.
  • 37:06 - 37:14
    Moreover, he also can change the
    password of this user. I talk a lot about
  • 37:14 - 37:19
    user names and password hashes, so it's
    time to understand how these items are
  • 37:19 - 37:27
    organized on the system. Alex.
    Alex: Hello everyone. I will continue our
  • 37:27 - 37:33
    discussion about application server. On
    the previous slide you can see how remote
  • 37:33 - 37:43
    authentication works. Now. Sorry, I
    repeat. On the parent slide you could see
  • 37:43 - 37:50
    how remote authentication works. And
    now I'm going to tell you about how it is
  • 37:50 - 37:58
    organized locally. After the
    system gets started, it begins to read two
  • 37:58 - 38:05
    files: user1.xml and pdata1.xml to get
    user list and their passwords respectively.
  • 38:05 - 38:12
    The user1 file is a simple XML, while the
    data1 has a slightly more difficult
  • 38:12 - 38:18
    structure. It is a gzip archive encoded in
    base64, so a Java serialization object in a
  • 38:18 - 38:24
    gzip archive contained in a specific XML.
    The fields of this XML are presented on the
  • 38:24 - 38:30
    slide. They are used to calculate hash
    value and check password during the
  • 38:30 - 38:37
    authentication. On the bottom of the
    slide you can see password check algorithm
  • 38:37 - 38:45
    in pseudo code. Its cryptographic scheme is
    the type of so-called crypt hashing scheme
  • 38:45 - 38:52
    like on Unix and Linux machines. It has a
    number of iterations, salts, and only one
  • 38:52 - 38:57
    thing was edited, that is
    the hardcoded salt, which is the same for
  • 38:57 - 39:04
    all users. The tool for passwords, as a tool
    to extract password hashes and set
  • 39:04 - 39:12
    parameters from the data1 file, has been
    developed. On this slide you can see its
  • 39:12 - 39:18
    output. The tool can be used
    during password auditing to
  • 39:18 - 39:23
    check for weak or
    dictionary passwords and their actual hash
  • 39:23 - 39:32
    collision parameters. The tool is available
    at the link below. And to draw a line
  • 39:32 - 39:41
    on the application server
    analysis: first, as we have seen, the attack
  • 39:41 - 39:47
    surface is really huge and includes a lot
    of different components. Secondly, it's
  • 39:47 - 39:57
    about remote connections. What's that
    about? Whether SPPA has remote connection
  • 39:57 - 40:00
    or because no remote connection. I
    couldn't do end this or someone
  • 40:00 - 40:13
    else, who told you? You should check it
    anyway. And the last thing is an attacker
  • 40:13 - 40:19
    has opportunity to impact power generation
    process. For example, it can start or stop
  • 40:19 - 40:26
    generation, change some output value, or
    get some additional information about
  • 40:26 - 40:32
    generation process, and all these actions
    can be done from application server. It's
  • 40:32 - 40:41
    all about application server. And let's
    start discussion about automation. The
  • 40:41 - 40:46
    main goal of automation server is to
    execute real-time automation
  • 40:46 - 40:54
    functions and tasks depending on the
    power plant project
  • 40:54 - 41:01
    architecture and its features. The role
    of automation server can be different. We have
  • 41:01 - 41:07
    to distinguish three roles. The first one
    is automation role. There may be a slight
  • 41:07 - 41:14
    confusion because the term is used both for
    server and for its role, but analyzing
  • 41:14 - 41:19
    uplink automation server configuration and
    publicly available information we have
  • 41:19 - 41:25
    found that whatever the role is, almost
    the same hardware and software are used
  • 41:25 - 41:34
    and we have decided to use this kind of
    classification. That seems less confusing
  • 41:34 - 41:41
    to us. At the same time, it's slightly
    different from the Windows
  • 41:41 - 41:49
    classification anyway. I mean,
    automation role means
  • 41:49 - 41:53
    that the server is responsible for
    interaction with input-output modules to
  • 41:53 - 41:58
    each control and monitor power plant
    equipment such as turbine, electric
  • 41:58 - 42:05
    generator or some other. The second
    role is communication. This
  • 42:05 - 42:10
    role is used for connection to third
    party software and systems, in other words
  • 42:10 - 42:19
    it's just a protocol converter supporting
    such protocols as Modbus, IEC 101, 104
  • 42:19 - 42:25
    and some other. And the last role is a
    migration role. This role is used to
  • 42:25 - 42:33
    connect previous version or for SPPA-T2000
    and legacy systems such as SPPA- 80
  • 42:33 - 42:43
    2002, or tel per MI.. Automation
    server in automation role can
  • 42:43 - 42:52
    be run on the semantic SLMPC and on an
    industrial PC. Other roles
  • 42:52 - 42:56
    can be run only on industrial PCs. Now
    let's talk a little more about each role
  • 42:56 - 43:04
    and let's start with automation role based
    on PLC. PLCs directly control field
  • 43:04 - 43:10
    devices like valves and turbines, and access
    to them in excess numbers. The game
  • 43:10 - 43:17
    over for any security discussion. They
    usually represent the lowest level in
  • 43:17 - 43:22
    different reference models, such as do
    model, for example. Any credential, any
  • 43:22 - 43:28
    configuration changes and updates for PLC
    require stopping the technological
  • 43:28 - 43:34
    process. So these devices always have
    security misconfiguration, firmware,
  • 43:34 - 43:40
    visible security updates and secure
    industrial protocols. In case of SPPA they
  • 43:40 - 43:48
    are assembler ??? (Server???) protocols
    LCT data. ??? Logic information about its
  • 43:48 - 43:54
    own protocols in the internet, but not so
    much about PLC data protocol. So we had to
  • 43:54 - 44:02
    deal with it and analyze it ourselves.
    It's not a special protocol for SPPA. When
  • 44:02 - 44:07
    you program your Symantec PLC and need to
    exchange some data between them
  • 44:07 - 44:15
    in real time, you use this protocol. It's
    quite a simple protocol and maybe its
  • 44:15 - 44:21
    description is available somewhere in the
    internet. But we couldn't find it. So just
  • 44:21 - 44:29
    the case show you need structure. In ways
    that knows security mechanism in this
  • 44:29 - 44:36
    protocol, so the only obstacle while
    doing a man-in-the-middle attack to spoof
  • 44:36 - 44:41
    data is the sequence number, which we can
    get from a packet that just follows the
  • 44:41 - 44:48
    implementation. For practical analysis we
    have developed a dissector, which is
  • 44:48 - 44:55
    available at the link below. During the
    security assessment of PLC configurations,
  • 44:55 - 45:02
    one of the main things which we check is
    unauthorized access to reading and
  • 45:02 - 45:10
    writing PLC memory. Availability of
    unauthorized access is determined by
  • 45:10 - 45:17
    position of the mode selector of the PLC
    and some other configuration parameters.
  • 45:17 - 45:23
    During the previous research conducted by
    one of our colleagues, Daniel Parnischev????,
  • 45:23 - 45:31
    a privilege matrix has been obtained. It
    shows insecure states and configurations
  • 45:31 - 45:37
    of PLC. The tool for gathering information
    from the PLC over the network and its
  • 45:37 - 45:42
    analysis has been developed by Danil and is
    also available in our repository. Now
  • 45:42 - 45:48
    let's talk about application server based
    on industrial PC. It's just a Linux box.
  • 45:48 - 45:52
    During the start it tries to download some
    additional files from the application
  • 45:52 - 46:00
    server. These files include jar
    files, bash scripts, some configuration
  • 46:00 - 46:07
    protocols files and some other. You know,
    to execute jar files PTC Perc virtual
  • 46:07 - 46:15
    machine is used. It is a runtime Java
    machine widely spread in industrial IJ and
  • 46:15 - 46:23
    military area. PTC Perc contains a
    completion mechanism, so all jar
  • 46:23 - 46:28
    files contain a bytecode transformation.
    That's why regular decompilers fail.
  • 46:28 - 46:36
    To solve this problem, we have
    written a PHP script to perform reverse
  • 46:36 - 46:44
    transformation. After that, regular
    decompilers have been successful. Running
  • 46:44 - 46:49
    jars open RMI services on the automation
    server and the sound ??? of their
  • 46:49 - 46:56
    extension. For example, in case of
    migration server, on PC services, which are
  • 46:56 - 47:00
    extension of classic Java RMI services, are
    used, and on the slide you can see the
  • 47:00 - 47:07
    list of these services. The key
    issues of automation server based on
  • 47:07 - 47:13
    industrial PC are presented on this
    slide. Firstly, as you can see, there
  • 47:13 - 47:20
    is a possibility to spoof files downloaded
    from application server. Files are downloaded
  • 47:20 - 47:25
    over HTTPS and there are no
    security mechanisms during the process.
  • 47:25 - 47:32
    Secondly, it's about the default
    credentials. You can get access over
  • 47:32 - 47:41
    SSH to server with user SAM admin and
    password. See him next. It's
  • 47:41 - 47:46
    vulnerabilities in archives in our around
    IPC services. This will not be allowed to
  • 47:46 - 47:51
    perform sensitive data exposure and
    remote code execution. And finally, the
  • 47:51 - 47:55
    last group of vulnerabilities found in
    the software used to fulfil the migration
  • 47:55 - 48:02
    role for communication vs SB 82000, also
    known as the DSP system has a number of
  • 48:02 - 48:06
    issues on the migration server vs old
    TXP. You are not. You are in magic
  • 48:06 - 48:14
    position. If you wrote about your own
    obviously vulnerabilities as they are in
  • 48:14 - 48:21
    runtime as you need and service as this
    service contains request runtime contain a
  • 48:21 - 48:29
    method where the first argument defines
    the action to be executed. Using the
  • 48:29 - 48:35
    action read file it is possible to get
    content of any file from the system. Using
  • 48:35 - 48:39
    the write config file action it's possible to
    write information to the server.
  • 48:39 - 48:47
    And for example, it can be jar
    files, which execute shell commands from
  • 48:47 - 48:53
    the command line, and using some SPPA
    specific functions you can execute these
  • 48:53 - 49:01
    jar files later. This is all about
    automation server. To sum up,
  • 49:01 - 49:08
    automation server can be based on PLC or
    industrial PC. In case of PLC it says a
  • 49:08 - 49:16
    simple PLC is usual PLC with no security
    issues. In case of industrial PC, it's
  • 49:16 - 49:22
    just a Linux box, which tries to download
    some additional files from the application
  • 49:22 - 49:29
    server and some of them execute with the
    virtual machine. So far, we haven't
  • 49:29 - 49:33
    mentioned any network equipment used in
    distributed control systems. During the
  • 49:33 - 49:41
    research we saw a wide variety of network
    devices and network infrastructure,
  • 49:41 - 49:47
    including switches, firewalls and more
    rare devices such as data diode, for
  • 49:47 - 49:56
    example. We tried to summarize all this
    information and got a common SPPA
  • 49:56 - 50:02
    network topology scheme. Look up: shown in
    purple are usual places for network devices.
  • 50:02 - 50:09
    The same devices can be found in
    other vendors' distributed control systems.
  • 50:09 - 50:13
    Network devices in industrial networks
    usually have a lot of security issues. The
  • 50:13 - 50:19
    reason for this is that most of them don't
    require any configuration before start and
  • 50:19 - 50:29
    can be run out of the box. And that's why
    the things like get NLP??? and then be
  • 50:29 - 50:35
    coming in to stream with credentials for
    different services, firmware with
  • 50:35 - 50:44
    publicly available exploits and
    just a lack of security configurations.
  • 50:44 - 50:53
    All these things are usual for
    network devices and they are the usual
  • 50:53 - 51:01
    security issues for our industrial
    network. I think that's all. Now
  • 51:01 - 51:07
    Gleb will sum up our discussion.
    repdet: Yep. Yep. So the topic of power
  • 51:07 - 51:14
    plants is huge. The system is huge and we
    try to cover this and that's a lot of
  • 51:14 - 51:18
    small things in the talk. And in fact
    everything can be summed up on this slide.
  • 51:18 - 51:23
    These are just the vulnerabilities,
    as you can see in the problems in Java, in
  • 51:23 - 51:28
    Web applications, in different simple
    mechanisms that you can exploit actually
  • 51:28 - 51:33
    directly even not going into the PLC or
    field level. You can impact the
  • 51:33 - 51:39
    process itself. What we don't cover in
    this talk is actually what select
  • 51:39 - 51:44
    havoc???? or disaster could be caused by
    attacking such systems, because it's actually
  • 51:44 - 51:49
    not that bad. I mean they're talking about
    things like blackouts of the series or
  • 51:49 - 51:54
    things like this. This is not what you can
    do with as a consensus system, because the
  • 51:54 - 51:59
    like the distribution of the power
    in the grid is not there according to the
  • 51:59 - 52:02
    threat model is not the problem of the
    power generation. There shouldn't be like
  • 52:02 - 52:06
    another regulator who should watch for
    like enough capacity in the network to
  • 52:06 - 52:11
    fill the electricity for the
    customers. So what we're really speaking
  • 52:11 - 52:17
    here is how we can impact
    there. For example, the turbine, the
  • 52:17 - 52:23
    turbine itself, for example, but we had
    no access to the real turbine. They're
  • 52:23 - 52:28
    big, expensive, and we haven't found
    anyone willing to provide us one. So we
  • 52:28 - 52:34
    will destroy it. But the point is, we have
    an educated guess like PLCs, they control
  • 52:34 - 52:39
    a lot of parameters of this turbine. And
    the turbine is like a big mechanical
  • 52:39 - 52:45
    monster that is actually self-degrading by
    working and putting it into different like
  • 52:45 - 52:50
    uncomfortable operating modes will degrade
    it even faster or it will break in the end.
  • 52:50 - 52:54
    It's not easy. You can have a spare PLC or
    some other device. You won't have a spare
  • 52:54 - 53:03
    turbine. So the impact is there. But
    it's not like very huge. So what we
  • 53:03 - 53:09
    tried to do with this research mostly is
    to understand how we can help the power
  • 53:09 - 53:15
    plant, the apparatus out there. And we
    have to fight in all the issues and
  • 53:15 - 53:20
    analysing these infrastructures and the
    customer sites, we understood that all of
  • 53:20 - 53:24
    the installations actually did the same.
    And we can write a very simple do it
  • 53:24 - 53:30
    yourself assessment. And hopefully even
    like engineers on the power plants can
  • 53:30 - 53:35
    test themselves. It is very easy. A set of
    steps on two or three pages. You connect
  • 53:35 - 53:39
    to application network, you connect to the
    automation network, you run the tests, you
  • 53:39 - 53:43
    get the results. And afterwards you talk
    with Siemens. Well, you can fix something
  • 53:43 - 53:48
    by yourselves. And basically you don't
    have to hire like expensive consultants to
  • 53:48 - 53:53
    do the job. You should be
    able to do it by yourself. We hope that
  • 53:53 - 54:01
    you will be able to do it. Of course. To
    summarize the whole situation around
  • 54:01 - 54:07
    DCSs, if you have seen other
    industrial solutions like SCADAs, like
  • 54:07 - 54:13
    substations and if any actually, you would
    find a lot of similarities and the
  • 54:13 - 54:18
    whole like it will have the same pain
    points as all other solutions. There is a
  • 54:18 - 54:24
    good document from there, IEC 62443,
    which describes how like power plant
  • 54:24 - 54:29
    operator or asset owner should talk to the
    system integrator and the vendor, with the
  • 54:29 - 54:33
    vendor in terms of what security they
    should require and how they should control
  • 54:33 - 54:41
    it. We urge any power plant operator to
    read this standard and to require
  • 54:41 - 54:46
    security from their vendors and system
    integrators, because nowadays it depends
  • 54:46 - 54:49
    from vendor to vendor. Maybe vendor is
    more interested in the security or the
  • 54:49 - 54:54
    plant or some regulator and the like.
    Nobody knows how to act. This is the
  • 54:54 - 55:00
    document which describes how you
    should talk with all other entities. Of
  • 55:00 - 55:08
    course, read the slides, read the white
    paper in January. Call Siemens, update the
  • 55:08 - 55:12
    systems, change your passwords and
    configurations. This is actually very easy
  • 55:12 - 55:19
    to at least shrink the attack surface.
    A lot of things inside SPPS ??? network are
  • 55:19 - 55:23
    modern Windows boxes and it's kind of
    easy to set up some form of monitoring, so
  • 55:23 - 55:28
    you should talk to your security
    operations center. They would be able to
  • 55:28 - 55:33
    look for some logs, not most of the
    impact that we showed, like it was their
  • 55:33 - 55:37
    input from the Java application and
    you won't be able to monitor all of these.
  • 55:37 - 55:42
    We have like security events in Windows.
    But at least it's still some form of
  • 55:42 - 55:49
    detection process inside your network. And
    again, finally, to summarize, it is not
  • 55:49 - 55:55
    like a problem of one DCS from Siemens.
    There are exactly the same issues for
  • 55:55 - 56:02
    other vendors not mentioned here. We will
    release a lot of things today, tomorrow
  • 56:02 - 56:07
    and in January. Basically like the big
    white paper about everything that we have
  • 56:07 - 56:11
    found out, we have recommendations, what
    to do with the wordlists, with the do it
  • 56:11 - 56:16
    yourself security assessments with a lot
    of tools. One of the tools would help
  • 56:16 - 56:19
    you to do the research, another tools
    would help you, for example, if you are
  • 56:19 - 56:24
    using intrusion detection
    systems like IDSs, you would be able to
  • 56:24 - 56:30
    parse the protocols and maybe write some
    signatures for them. We work closely with
  • 56:30 - 56:34
    Siemens. We want to say thank you to the
    Siemens ProductCERT. They did a great
  • 56:34 - 56:38
    job in communications between us and the
    product team that develops the products,
  • 56:38 - 56:42
    the Siemens SPPA team for ??? in
    itself. The main outlines from the vendor
  • 56:42 - 56:47
    response is that if you are a power plant
    operator, you should hurry and install the
  • 56:47 - 56:55
    new version 8.2 SP2. Siemens
    is trying to like educate and raise
  • 56:55 - 57:00
    awareness outside their customers. That's
    first of all, they should change passwords,
  • 57:00 - 57:04
    that there are critical vulnerabilities
    and they should do something with it. And
  • 57:04 - 57:11
    not all the problems are fixable by
    Siemens themselves. The operator
  • 57:11 - 57:19
    is viable for some of the activities to do
    the security by themselves. So that's
  • 57:19 - 57:24
    actually it. Thank you. Thank you very
    much. Thank you, Congress. If you have any
  • 57:24 - 57:27
    questions, please welcome.
  • 57:27 - 57:36
    Applause
  • 57:36 - 57:41
    Herald: Thank all of you for this excellent
    talk, we have a short three minutes for
  • 57:41 - 57:45
    questions. If you have questions, please
    line up at the microphones in the hall. If
  • 57:45 - 57:49
    you're using hearing aids, there is an
    induction loop at microphone number three.
  • 57:49 - 57:54
    Do we have questions from the Internets?
    Yes. Question from our signal angel,
  • 57:54 - 57:59
    please.
    Signal-Engel: So we've got a question with
  • 57:59 - 58:03
    the vulnerabilities found. Could you take
    over those cans from the worldwide web cam
  • 58:03 - 58:11
    without the freedom and the minimum tax?
    Herald: Can you please repeat.
  • 58:11 - 58:14
    repdet: A little bit louder, please?
    Signal-Engel: Sorry. With your own
  • 58:14 - 58:19
    vulnerability found, could you take
    control over those plants without worldwide
  • 58:19 - 58:27
    them from public Internet, without further
    amending the ??? ?
  • 58:27 - 58:31
    repdet: Actually, no. And this is
    some form of the good news.
  • 58:31 - 58:35
    Those systems are exclusively supported by
    one system integrator, by Siemens. They
  • 58:35 - 58:39
    are more or less protected from the
    external access. Of course, there would be
  • 58:39 - 58:44
    external access, but it's not that easy to
    reach it. And of course, we're not
  • 58:44 - 58:47
    talking about Internet. We're talking
    about some corporate networks of things
  • 58:47 - 58:50
    like this.
    Herald: Next question, microphone three,
  • 58:50 - 58:54
    please.
    Mic. 3: Yes, hello. Uh, I also have a
  • 58:54 - 59:00
    power plant on my planet and, uh, it's
    kind of bad for the atmosphere, I figured.
  • 59:00 - 59:06
    So, uh, my question is, can you skip back
    to where the red button is to switch it
  • 59:06 - 59:14
    off? And I'm asking for a friend.
    Laughter, Applause
  • 59:14 - 59:19
    repdet: As we never thought about that,
    these materials can be used in this way.
  • 59:19 - 59:25
    But yeah. Specifically, if you have an
    operator of engineers, friends on the
  • 59:25 - 59:30
    power plants, you can talk to them.
    Herald: Do we have any more questions from
  • 59:30 - 59:38
    the Internets? No questions. Any questions
    from the hall? I guess not. Well, then,
  • 59:38 - 59:41
    thank you very much for this talk and a
    warm round of applause.
  • 59:41 - 59:46
    Applause
  • 59:46 - 59:49
    36c3 Postroll music
  • 59:49 - 60:13
    Subtitles created by c3subtitles.de
    in the year 2020. Join, and help us!
Title:
36C3 - On the insecure nature of turbine control systems in power generation
Video Language:
English
Duration:
01:00:13