
Securing the Industrial Internet of Things

BSides Cape Town · 2017 · 23:28 · 81 views · Published 2017-12
About this talk
This talk examines the security challenges of Industrial Control Systems (ICS) as they transition from closed, isolated networks to connected, computer-like devices. Brent Shaw demonstrates firmware extraction, analysis, and virtualization techniques on modern PLCs, then explores remote programming and attack vectors—showing how devices designed decades ago are unprepared for contemporary threats.
Transcript [en]

So our next speaker is Brent. He'll be talking to us about the industrial Internet of Things.

Hello everyone. So, the industrial Internet of Things: today we're going to be looking a little bit at how we can secure it, and secure it against the emerging threats like pacemakers and other things that are just coming online for absolutely no reason. We're going to be doing this mostly by pulling things apart to see how they work. Now, the structure of this talk is pretty simple: we start in the future, we move to the past, we make our way back to the present, and then look at the not-too-distant future to see how things are progressing. So, first up, I want to say thanks to synergy or bring Nia and both serve Erlich and Detroit, who have helped in the acquisition of hardware for this project. So, I'm Brent. I'm completing a PhD at Rhodes University. Previously I worked on things unrelated to security; now I'm on security things, which are exciting. So let's get into it.

The future, as we've just heard, is actually starting to look a little scary. Everything wants to go online, and as things progress, well, services: people are going to be less technical, things will be provided for them, and controllers and operators are going to just be people that operate software. They don't need to really know how these things work, and more and more we're going to see people just using automated systems, and really we're not going to have as many educated professionals as we're going to have people just controlling things. Also, there might be flying cars; we can look forward to that. Are we ready for the future? The previous talk suggests not. And is industry ready for the future? I think we're about to find out. So a big portion of our research is looking at how we actually go about securing industrial control systems, and for me at least, obviously I'm doing a whole project on this: I'm looking at industrial control systems and trying to figure out, you know, what is the best way to even decide whether they are secure. Do we treat them like computers? Do we treat them like websites? You know, what are they, and how do we even go about starting this?

So, because I'm sure most of you don't actually deal with industrial control systems, I'll give you a brief introduction. Industrial control systems, ICS, as the name suggests, control large industrial things. In this case it could be factories, petroleum refineries, power plants, water treatment, a wide range of things. In the past they would normally have been closed systems. This is really what we're going to be looking at. Looking back, things were a lot simpler. For the most

part, the average industrial control system was basically a sensor that looked at some kind of input, a controller, and some kind of output: a pump, a boiler. It was a very closed-loop system, very simple to operate. As things moved forward they became a little more tricky, a little more complicated. Now, this is an old PLC, what we call a programmable logic controller. Has anyone here actually seen one of these before? Wow, cool. So these are old. They were pretty much set up so you'd code them, with inputs and outputs. These days we'd call them hardened Arduinos: this was basically just a really hardcore, expensive, hardened Arduino. They were industrial, discretely connected, for the most part individually addressed, with a limited namespace. They were kind of designed to be installed and solve one problem in a very small scope. As things moved forward, though, we needed them to do more, because we'd like things doing more; we always want to do more with less. So they got infinitely more complicated. I don't know how well that's come out on the screen. Newer PLCs have multiple network ports; they can talk to thousands of input and output devices at the same time; they can connect to each other; some of them have wireless built right into them. And the trend is that we're moving more towards

something that's actually starting to look a little bit more like a computer and less like an Arduino. These hardened Arduinos are becoming tiny computers. Now that's a problem, because previously we've treated them like Arduinos: you don't have to worry about your Arduino accidentally doing too many things, it does what it's told. Your computer, on the other hand, is a bit more complicated. So what this really comes down to is people like connecting things to the Internet. As we've just heard, everything's going online, and with connecting things to the Internet we have new threats where there weren't threats before. We now have to look at things that never would have been thought of. In a power plant you never had to worry about, you know, toasters or who knows what else might be connected to the Internet. Today everything is going online. These are just some of the more bizarre things I could find; some of them were kind of normal. Apparently we have a toaster that can tweet, an egg tray and a coffee machine. This is great; I'm quite sure we all need to tweet about our toast. But maybe there is a use for these items; it's not really for me to decide. But the real question is, you know, should everything be connected to the Internet? And if the Internet of Things is everything, why shouldn't industry be on it?

Should our power plants not tweet when they produce another megawatt? This would be nice; I mean, it'd be great, fewer blackouts. But maybe not everything needs to, just yet, and IoT is a problem. When we think of what things shouldn't go online, well, the things going online are the things that shouldn't go online. IoT is showing us that there are constantly emerging threats, because people are doing this too quickly and just throwing stuff out there before it's been tested, before it's even been thought of. I don't know if anyone's ever seen a camera like this before. You might have; they were on special on Black Friday, Takealot was throwing them out like mad. Now what's great about these cameras is that there are multiple vulnerabilities in them: backdoor accounts, it ships with them for free; they've got all kinds of problems, and you can directly locate them on the Internet. All the little red dots, those are those cameras. As of a few months ago, more than 185 thousand of them were available online. They're useful: you can go to them in a web browser, they can tunnel out of your network so that you can find them anywhere in the world from your cell phone. Very nice for you if you need to see what's going on in your house; very nice for me if I feel like

getting into your network. This is a problem, because this isn't one brand, this isn't one vendor; this is the industry. In the IP camera world, this is just how things look at the moment. We have probably got more problems getting shipped than we actually have true solutions. So we need to look at these, and I encourage you to look at them. Maybe don't put them on your network, but buy them and play with them; they are really fun. They do bizarrely curious things: when you set them up they require your Wi-Fi password and SSID. Now that wouldn't really be that much of a problem, so what you do is you tap it in on your cell phone into their little app, and it plays a tone in the air to the camera, transmitting your SSID and password in audio for everyone to hear. They're fantastic. But it's devices like this, that you can so easily attach to your network, that are really looking to become a problem. If you need a security camera on a site looking at a plant, so easy: you can just pop one in and plug it in, you can do it from your cell phone. I bought ten of them; they're like two hundred and sixty rand each. They're really, really cheap; you bring them in, put them everywhere, and they now become a problem. But back

to PLCs: yep, they're getting fancy too. They are starting to look a little bit like computers. They have operating systems, you can put programs on them, some of them have multiple network interfaces, they can do SMB, they can do FTP. If you can think of something your server does, this probably does it too. They're becoming quite fancy, because we want them to be, but once again this is what is causing problems, and maybe it's too much too soon. Now, I've broken this talk into three steps; we will see how many of the steps we get to before everybody needs coffee. Step number one: we're going to look a bit at firmware. In understanding how PLCs work, it makes sense to look at what's really inside them. Now, I was lucky enough to be provided with this. This is a massive, fancy PLC capable of doing just about anything, it appears, and to call it proprietary doesn't quite cover it. It's got network ports, it's got USB, and then things get weird: it's got proprietary backplanes, the software is proprietary, it's very hard to tell what's going on with it. But it has an ARM CPU, and ARM CPUs are something I'm somewhat familiar with. But the firmware itself, that's actually something else. These PLCs actually run real-time operating systems, VxWorks, yes, operating systems

not quite so easy to just get your hands on to play with. Luckily we did manage to get some of it; we'll have a look at that. But firmware is firmware; we can pull it apart. Has anyone here pulled apart firmware before? Fewer than I thought, which is good. You can pull apart router firmware: binwalk and the firmware mod kit, these things are great. Use them to have a look at what's going on, pull apart your router firmware, sometimes rebuild it. When you run it you might get something like this: it might tell you that you've got some compressed data and you've got a file system. That's great. Binwalk is a fantastic tool; it can take your firmware, pull it apart, tell you what's inside it. It's not without fault. We have binwalk telling us that I've got two VxWorks symbol tables, one big-endian, one little-endian, the most important thing being that this was not actually on a computer or a microcontroller like that; this was on an NXP microcontroller that I'd programmed to make an LED blink. Binwalk somehow thought we had multiple kernels and firmware loaders on it. So unfortunately it does get things wrong, but it is great for getting a pretty decent high-level overview of what's actually going on. This, I don't know if anyone can

actually see this, is more or less what a successful extraction would look like. We can pull everything out: we can get our kernel, we can pull out our image, we can even pull out our files in some cases. This allows us to do quite a lot. I'll see if I can make these available afterwards so that people can actually look through this type of stuff, but basically we can actually see what's going on inside our system. In some cases, like this one here, it even sometimes dumps the entire thing: it's running a web app, we've got all the files for the web app, you can pull them out, load them somewhere else and rebuild it.

Now that's quite useful when you're trying to do research and trying to build tools. We've got files, we've got file systems, and we can modify them, well, sometimes. The firmware mod kit is great; it says it can extract, modify and rebuild, sometimes. It's great with router firmware; it's pretty terrible with everything else. But maybe we can do something else: how about virtualizing? Once again, for research, these things are expensive; a PLC could be anywhere between 40 and 80 grand. So I'm not going to have more than one of them; it would be great if I could simply virtualize them. Now, virtualizing things like OpenWrt is entirely possible: we can simply pull down a router image, get it going with a network port, and on your box you've now got a router that you can log into. That's great; OpenWrt lets us do this. VxWorks is a little more complicated. I've managed to get this to boot, kind of; it goes in and then it crashes. Unfortunately, VxWorks being a proprietary operating system, in the beginning I didn't have too much information on this. Luckily Wind River has provided us with a license, and hopefully in the next few months we will actually have a working virtual one; certainly that seems possible. Having virtual devices would mean that we can have entire control systems running in one box, something that you could launch attacks upon within your own network, something that also isn't controlling massive amounts of industry that you don't want to break.

The next thing that I decided I would look at is whether you can actually program these devices remotely. Obviously we've got a PLC; we're putting it into an industrial control system; at some point we're going to have to program it, maybe update it. Updates don't happen very often, it seems, but we've been asked to know that these things can be done. The first step was to look at how these things even get programmed to begin with. Now, some PLCs get programmed over USB. That seems to be a bit of a trick:

it's not actually a USB port; off the back, it's often a USB-to-network interface. It's actually just network traffic. Now, network traffic is nice because you can look at that: you can take out Wireshark and pull it apart. So I wrote a small program; you just select what you'd like to upload and you hit upload. In this case the program is not very interesting: it turned on a relay when I clicked the button; that's all I needed it to do. It's nice and small. When I uploaded it, I noticed a few things: it transferred all of the program over UDP. This was interesting, because this to me did not seem like a great idea; there was no way to guarantee that packets were getting there, not easily at least. But they'd come up with a solution to this: the PLC simply responded to each packet, and provided us with what appeared to be a very lovely little pattern. I've somewhat simplified this, but at the beginning of every file that was transferred we saw something that looked like that: you'd send a packet with a length of 46 and it would return a 60 to say yes. Now, in this case I'm using the lengths because they stay constant; the contents are actually not too important at this point. These were basically just treated as file markers: one signature at the beginning of the file and one at the end of the file. This was great, because now I knew what was going over the network, so it was something we could start pulling apart. So I took the Wireshark capture, ran it through a little script that tried to check the pattern, and just thought I'd give it a go. I dumped the transferred data, and after putting it through something to visualize what was inside, we've got something like this. Now, for those who maybe haven't seen entropy graphs or content graphs like this: the blue is printable characters, and these high-density areas

would be compressed data. Now this at first doesn't look like too much, but when we start reading the printable characters a few things became quite evident: it was simply giving us files. They actually gave us all the files being transferred to the PLC. Now obviously this is probably not too much of a problem; you program these things on closed networks. But once again, moving into the future, when you've got a compromised webcam on your system, your network might not be as closed as you thought. And this was at least interesting: we can pull apart these files, and because we've got the pattern and it's simply UDP, we can replay them, modify and

reprogram our PLCs, because all it takes is network traffic. Now the other exciting moment was when I realized what else you could do: you could stop, start, run, reset and wipe these things over the network. Now, something that I must make clear at this point: a lot of what happens in the PLC world and in the industrial control world comes down to configuration. This was all only possible because the PLC I was using had not been configured to say no to these types of things. Unfortunately, that does mean that whoever sets up or installs these PLCs out in the wild needs to make sure that they disable these things. It comes down to operator fault and configuration, and this is a trend in industrial control that consistently shows up where things go wrong and where the vulnerabilities occur. If you don't turn off remote wipe, someone can wipe your PLC remotely if they can get to it, and as we've seen, that's maybe not so hard. Then the next thing is, if all of it is using UDP, you can change that, and obviously if we switch to TCP, maybe it's better, but probably only in fewer corrupted transmissions. You can also start doing things like segmenting your networks; you can put quite a lot in place to try and mitigate these problems. But the truth is they're out there and you've got to look at them, and moving forward these are things that people should start to consider when setting up these devices, and more importantly when placing other untrusted devices within a network.

The next thing I wanted to look at was actually creating my own industrial control system. As I said, these are expensive. Unfortunately I did not get to attend Ross's talk, Docker for Hackers; I'm quite sure what I'm about to tell you is less exciting, but basically Docker is fantastic. You can just spawn up as many little nodes as you like, write a script, and if you give it a packet format you can fake network sensors, fake actuators. If you know the protocol these things talk over, you can put them up. And with Docker, the nice thing is once you've got your Compose script you just tell your computer how many of them you want; if you'd like a hundred sensors you just spawn 100 of them. Docker is fantastic for this: you can do internal networking, you can take it into a network and bridge it onto an interface and plug it into a physical PLC. You can now capture what appears to be real traffic, real packets, real pcap, and you can actually start to look at what is starting to look like a fairly real industrial control system. Eventually, when this is coupled with some kind of virtualized PLC, we

can start to create entirely virtual control systems that attacks can actually be launched against: a virtualized control system, real traffic. This starts to look like a tool that can actually be used in a lot of real research. As a platform for testing, this gives us a lot of options. I mean, it might be fun just to know what happens when you throw Metasploit at a PLC; these are things I look forward to finding out. But in conclusion, what does this really come down to? As I said, PLCs are not quite maybe something everybody plays with every day, but the Internet of Things, that's something that's starting to creep into all of our lives, and

we've got to look at protecting things. Our industrial control systems control things very important to us: water, power, and, other than that, I think most people like a car, so petroleum is a big thing. So we need to protect these things. Obviously IoT is starting to look like a bit of a threat to that. So basically, moving forward, I'd like to eventually come up with a virtual control system that all of us can play with, that you can download and run on your own computers, and start to get some real research going. Oh, that was probably short. Any questions?
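The file-marker pattern and the entropy view of the dumped upload described in the talk, as an added example that is not the speaker's script or any vendor's protocol code: it walks a constructed in-memory UDP capture, treats a 46-byte datagram to the PLC answered by a 60-byte datagram from it as a begin/end marker, reassembles what the workstation sent between the markers, and scores each transfer's entropy so a defender checking a capture of a programming session can see what actually went over the wire. The addresses, payload contents and matching markers on length alone are assumptions made for the example.

```python
import hashlib
import math
from collections import Counter, namedtuple

# Constructed stand-in for a Wireshark UDP capture: one Datagram per packet, in wire order.
Datagram = namedtuple("Datagram", "src dst payload")
PLC, WORKSTATION = "192.0.2.10", "192.0.2.20"     # assumed documentation-range addresses
MARKER_REQ_LEN, MARKER_RESP_LEN = 46, 60          # lengths of the talk's file-marker exchange

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 8 for compressed data, low for printable text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def extract_transfers(capture, plc=PLC):
    """Return the bytes sent to the PLC between each begin/end marker pair.
    A marker is a 46-byte datagram to the PLC answered at once by a 60-byte one from it
    (the talk's simplified pattern; matching on length alone is an assumption). The first
    marker of a pair opens a file, the second closes it; bytes to the PLC in between are the body."""
    transfers, body, inside, i = [], bytearray(), False, 0
    while i < len(capture):
        d = capture[i]
        nxt = capture[i + 1] if i + 1 < len(capture) else None
        if (d.dst == plc and len(d.payload) == MARKER_REQ_LEN and nxt is not None
                and nxt.src == plc and len(nxt.payload) == MARKER_RESP_LEN):
            if inside:                       # closing marker: one complete file
                transfers.append(bytes(body))
                body = bytearray()
            inside, i = not inside, i + 2    # skip the marker and its acknowledgement
            continue
        if inside and d.dst == plc:
            body.extend(d.payload)
        i += 1
    return transfers

def classify(capture):
    """(size, entropy, label) per transfer: the talk's content graph reduced to numbers."""
    return [(len(t), round(entropy(t), 2), "compressed" if entropy(t) > 6.0 else "text")
            for t in extract_transfers(capture)]

def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for a compressed file (constructed)."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def build_sample_capture():
    """Constructed capture: a text program upload, an unrelated reply, then a compressed upload."""
    mark = [Datagram(WORKSTATION, PLC, b"\x00" * MARKER_REQ_LEN),
            Datagram(PLC, WORKSTATION, b"\x00" * MARKER_RESP_LEN)]
    text, packed = b"LD I0.0\nOUT Q0.0\n" * 8, pseudo_random(1024)
    split = lambda blob: [Datagram(WORKSTATION, PLC, blob[i:i + 64])
                          for i in range(0, len(blob), 64)]
    noise = [Datagram(PLC, WORKSTATION, b"\x01")]   # not inside a file; must be ignored
    cap = mark + split(text) + mark + noise + mark + split(packed) + mark
    return cap, text, packed
```

Calling `classify(build_sample_capture()[0])` yields one row per transfer; a real capture would be fed in as the same (src, dst, payload) tuples exported from a pcap.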