
How to Break the Modbus Protocol and Cause a PLC DoS

BSides Budapest · 2023 · 45:23 · 466 views · Published 2023-08 · Watch on YouTube ↗
Speakers: Omar Morando
Tags: Category: Technical · Team: Red · Style: Demo
About this talk
Omar Morando - How to Break the Modbus Protocol and Cause a PLC DoS

This presentation was held at the #BSidesBUD2023 IT security conference on 25th May 2023. How secure is an industrial system? And how difficult is it to attack it? These are some of the questions I will try to answer in this talk. I will explain how to attack an OT system composed of a PLC and SCADA by exploiting the vulnerabilities of the Modbus protocol, up to generating a DoS of the control PLC. Physically I will have a simulator of a plant, a PLC and an HMI system: the demo consists of showing how, with Python scripts, it is possible to carry out a Man-in-the-Middle attack, data dumping, a flooding attack on the plant and a DoS of the PLC. All done live.

https://bsidesbud.com All rights reserved. #BSidesBUD2023 #plc #dos
Transcript [en]

We start the afternoon session now with Omar Morando. Omar, all yours.

Okay, thank you. I hope that OT cyber security is a good topic to restart with after lunch, so thanks so much for your presence here. My name is Omar Morando, I'm the head of cyber security and the innovation lab. I come from Italy, and the company, Sababa Security, is an Italian company that focuses on cyber security services in the OT, IT and automotive domains. I have more than 20 years of experience with SCADA systems, PLCs, remote I/O, DCS and so on, and I also have good experience in the automotive domain. I'm a researcher in penetration testing and the developer of ScadaSploit, a framework developed targeting the OT domain and the PLCs mostly found in the European market. You can reach me by email or Twitter if you want.

I would like to start with a very simple, basic question: why are ICS being attacked? I don't ask you to answer, because after lunch it's not easy to restart, so I suggest some topics. ICS security is a challenge because we have critical infrastructure: energy, power generation, power transmission, telecommunication, transport, water treatment, but also some manufacturing companies that are interesting for APTs, for attackers. If we read some reports, one from IBM last year, nearly 80 percent of the analyzed companies' infrastructure doesn't adopt any zero trust strategy, the cost of the breaches is up to 5 million dollars, and more or less 30 percent were ransomware or destructive attacks.

Why are ICS so attractive for APTs? We have the cyber threats, which now, unfortunately, we know very well. We have the digital transformation, Industry 4.0, that pushes a lot: please put IT technology in your plant, because it's easy, and we pay to do that. The problem is the vendors: the PLC vendors have included in the PLC, for example, a web server module, so you can reach a PLC using a browser, very easy. The problem is that inside this web server you don't have the same hardening that you can have in a real web server, and this is a very big problem. Or credentials are hard-coded inside the PLCs, inside remote I/O, intelligent remote I/O for example. And then we have the problem of compliance.

So this story started from Stuxnet. I don't want to bore you with Stuxnet, it was a very well-known attack, a very well-known malware, but I take the opportunity of Stuxnet to put some important topics. The malware was discovered in 2010, and it's important for two things that I would like to underline. The first is that it was the first malware targeting an OT system, an air-gapped OT system without any kind of connection to the internet. The second important topic is that Stuxnet showed the world that it is possible to cause physical damage using software. Stuxnet was based on four zero-days on Windows to reach the OT network, Siemens S7-300 PLCs, based on the S7 communication protocol. What is technically interesting about Stuxnet is that on the SCADA system in the control room, no plant anomalies were displayed. Why? Because the malware was a sort of man in the middle that dumped every single piece of information exchanged by the SCADA system and the PLCs and performed a replay attack against the SCADA system, sending fake data. I will show you this in a real case during my demo, after my boring slide presentation. Very important: the physical damage was conducted by the malware changing the internal registers of the PLCs and changing the rotation speed of the centrifuges, up to mechanical damage, mechanical failure, reaching the resonant frequencies.

This is not the only important malware in the story of the OT domain. Another one is Industroyer. Industroyer is a malware whose first attack was in 2016, and the target of Industroyer is power generation plants. Why? Because Industroyer uses the typical protocols that are used in this domain; these are typical protocols used in, for example, ABB DCS control systems or other PLCs commonly used in power generation plants, and Industroyer was able to completely destroy the power plant. But malware is software, which means that we have an update: last year, Industroyer 2, an important update, a new reborn malware, Industroyer in April last year, a very recent situation.

The third and final malware in OT that I would like to show you is Triton. In our production plants, you know that we have the emergency button, the red button: if we have some critical situation, we can push the red button and we stop the plant, we hope. There is a company, one of the most important companies specialized in producing safety PLCs, secure PLCs, called Triconex. Triconex is the worldwide leader in safety instrumented systems, the PLCs dedicated to stopping for the emergency situation, to control the emergency and to put all the actuators in a safe condition. Triton is a malware specifically developed for Triconex SIS systems. It means that if you push your red button, nothing happens. The problem is that the consequence could be absolutely catastrophic, because imagine you have a chemical plant or a ship, for example: you push the red button and nothing happens. It means that you can have a very important destructive consequence from this action. We are in a safe condition now, we don't need the red button. So the long story of last year is very impressive: a lot of companies were targeted by APTs in the IT, OT and ICS domains. Very important story.

So the first question is: what is inside an ICS? Very basic, starting from the left, or better, starting from level zero up to the level of the controller: we have the sensor. A sensor is a component that is able to transform a physical value into a digital signal. An actuator is exactly the opposite: it transforms a digital signal into a physical action. Then we have the PLC, the programmable logic controller, which physically is an industrial computer. In most cases, inside the PLC you can find a sort of Linux- or Unix-based operating system like VxWorks, or some specific Linux version like ADONIS for example for Siemens, or other operating systems like Unity OS for Schneider; it depends on the company, but more or less they are embedded Unix or Linux systems that are able to control in real time some inputs coming from the sensors and activate the actuators using the outputs in real time. Real time means two or three milliseconds, no more.

Then we have the HMI. An HMI is more or less a touch screen that shows some information to the operator. HMI means human machine interface; it is a control panel that interacts with the operator in order to send commands or receive information coming from the plant. Then we have 50 different protocols, custom protocols, in the OT domain: Modbus, generally speaking Modbus TCP, DeviceNet, PROFINET, PROFIBUS, CANopen, BACnet, OPC UA, a long list of industrial protocols that are not so common. Then you have a telecommunication system, and then you have the SCADA system. The SCADA system is software inside a computer; SCADA means supervisory control and data acquisition. It means it is software that is able to view the whole plant and interact with the operator, reading the alarms coming from the plant, sending information, storing data, event logging and so on.

In this architecture, from the right to the left, we have the sensors and actuators; we have more than one PLC, depending on the extension and dimension of the plant; we have some production network with other PLCs and HMIs; we have the SCADA network that controls the plant; and then, thanks to Industry 4.0, but not only Industry 4.0, we have a connection, in certain cases, to the corporate domain, because we have the production management system. We need to integrate or interact with the sales guys: when a sales guy receives an order, it activates the production of the product and so on. A very dynamic situation that requires a direct connection from the plant to the IT corporate network. The problem is that in certain cases this network is absolutely flat: without segmentation, without firewall, without anything. And now we also have edge computing that emphasizes this critical situation.

Another question: is it hard to attack an ICS system? Please say no. No, it's not, it's very easy to attack an ICS system. Why? Because, first of all, there is the life cycle of the plant. In the IT domain we change our PC every, I don't know, three, four, five years; we change the technologies, we change the licenses, the EDR license, we change a lot of things every year or every two years. In a production plant we have the same PLC, same architecture, same devices for 10, 20, 30 or up to 40 years. It means that you can find a very old PLC in your current production plant with the old version, old firmware. Why? Because the first objective is availability: don't touch anything if it works. I'm in a production plant, I have to produce, I don't have to update, I have to produce, and one day of stopping, for some customers, means one million dollars per day. I cannot stop my PLC to update the firmware because some guy from Sababa in Italy tells me please update your PLC. Okay, it's not important, I have to produce.

So the problem is that the attack surface that we can have in ICS, in an OT plant, is absolutely huge. We have an interaction from up to down, a top-down approach: a phishing campaign, malware that comes from IT and goes down deep to the OT level and blocks my system. But attackers are also targeting these systems because they are a very easy entry point to come up, block, ransom and encrypt the servers of the IT corporation. If you don't have segmentation on the network, I can connect, for example, my maintenance PC that I usually use for office work; I use the same PC, I bring my PC, I put my PC on the plant, I connect my PC to the OT network, I do something, and then I take my PC and go to my office. In this case I can transfer my malware targeting the OT network, which is easier, and then come back to the IT corporation. This is a typical situation. Or USB: USBs are absolutely used in the OT domain, and it was the way for Stuxnet in an air-gapped situation in 2010.

How can I find my PLC? This is Shodan. I think you know Shodan: Shodan is a Google-like search engine for IoT devices. You can go on Shodan and put, in this case, Schneider TSX; TSX is the name of the PLCs of Schneider Electric. You can search for the keys Schneider and TSX and you can find a long list of IP addresses of PLCs directly connected to the internet, with some information related to the firmware version of the Ethernet communication, the firmware version, the project, more details that are absolutely important. Now what can I do? I can open my engineering station, put the address of the PLC and reach the PLC. If the PLC project is not protected by a password, but it's not so important, I bypass the password; if you want, I can tell you after the conference. I can read the information, I can read the project inside the PLC, I can change the behavior of the PLC. I don't know where this PLC is, it doesn't matter, but the problem is I can reach this product, I can easily modify and interact with the PLC directly.

The myth of Modbus. Why Modbus? Because Modbus is absolutely the most important protocol used in the OT domain. From one point of view it's a young protocol, but as a product it's a very old protocol, because it was developed in 1979 by Modicon, a US company, which described and defined the structure of the Modbus protocol. The problem is that this protocol is the most common protocol: 30 percent of the industrial plants use Modbus, in certain cases serial communication, TCP communication, Modbus RTU, Modbus Plus, different versions but more or less the same frame structure, and no concept of encryption, no concept of authentication, because this protocol is too old.

This is the structure of Modbus, but I don't want to bore you with all the bytes that you can find inside. The problem is that this protocol provides you with a long list of functionalities that are used by default, and it means that without any encryption, without any authentication process, you can read the Modbus manual and do an attack on the PLC, changing the behavior of the PLC using three or four lines of Python code; I will show you during the demo. The structure of Modbus TCP is the same as the structure of Modbus serial communication, Modbus encapsulated in a TCP/IP stack, but it is absolutely the same structure of the protocol. And we have different versions of the protocol that are integrated using some gateway: it means I have, I don't know, a very simple device that is able to use Modbus on RS-485 or RS-232 that has to communicate with Modbus TCP; I have a very simple, very cheap gateway that translates and adapts the different physical layers, and I'm able to interact with this simple device. That's the reason why Modbus is very common in OT plants.

I will show you how to exploit a vulnerability that was found in 2018 that can create a denial of service of the PLC. In this case I'm targeting the Schneider Electric PLCs that are vulnerable to this kind of attack. There are four families, four types of Schneider Electric PLCs that use this kind of function, which is called set breakpoint. What do I mean? Consider that when I write a program inside the PLC, it is more or less the same thing that I can do on my desktop: I can put some breakpoints in the PLC memory and then go step by step to see what happens in my production plant, to debug the application.

In the specific case of this vulnerability of this Modbus extension protocol, there is a long list of commands that you can use in the Modbus protocol. This is not a public list, or better, it is a list that is not coming from the vendor; it is a list that we discovered during the reverse engineering of the protocol. We discovered an undocumented list of Modbus commands of Schneider Electric PLCs that you can use, and one of these is set breakpoint on a specific line of code; the code is 60. Crafting the breakpoint frame of the Modbus protocol using a very simple line of Python code, you can stop the PLC in a specific portion of memory, and this stops the PLC completely, and also the Ethernet communication of the PLC. It means that the PLC is in stop, doesn't run, and it is also unreachable: you cannot reach the PLC using the Ethernet communication. Not a problem, you can stop and restart your PLC and everything restarts again. The problem is if you have a plant, I don't know, water treatment up on the mountain, without any guy that can switch off and turn on your PLC: you have to reach your station and then reset your PLC to restart your production. And the problem is I have a large plant with, I don't know, 10, 20, 30, 50 or 100 PLCs; I can spread the attack to all the PLCs on the plant, I can completely stop the whole plant, and the consequence could be very dangerous for the plant and also for the business.

Before that, I would like to show you how to do that in a real case, more or less a real case. I could not bring my real simulator; usually I use a real simulator, but the problem is it is too complicated to transport on an airplane, so I have a virtual simulator here. This simulator is software that is able to emulate the Schneider PLC, and it is able to emulate the Modicon M580 PLC CPUs by Schneider Electric, with a specific CPU, with a specific firmware that is version 3.10; this PLC is a very current PLC that is affected by this vulnerability.

Here I have ScadaSploit, the tool that I developed, but you can write your script in Python. In this case I use ScadaSploit; in ScadaSploit I have a long list of tools, and in this case I would like to use the Modbus scan. Why? Because, okay, I'm an attacker now: with my PC I'm inside the industrial network, the OT network, but I don't know how many PLCs I can have in this network, I don't know the version and the type of the PLCs. So I have to discover how many devices I have and the version of the PLCs that I have. Using a very simple script in Python, or in the language that you prefer, you can discover all the PLCs that you have. In this case I have one PLC, of course, that is emulated by my software, and the address of the PLC is localhost, so I have to put the address in my Modbus scan, the remote host; in this case I have set the remote host to localhost and set the remote port, then I can run my Modbus scan: run.

And now I discover some important information grabbed by my Modbus scan tool. In this case I have the vendor name, Schneider Electric, the network modules, the firmware version that is emulated here, but also I have some important information related to the demo: the project name, the version of the software used to develop this project, the date of the last modification by the user and the MAC address of the PLC. This information is absolutely important. Why? Because I have the firmware version: I open Google and I can search Modicon M580 firmware version 3.10 exploitation, and I'm sure that I can find a long list of possible exploitations of this version of the firmware. Then I have some important and relevant information related to the project version and the date of the last modified project: it means that there is no one that has changed anything inside since 2020, for example; no one has updated this software and updated the project.

Good, so I can try to exploit this PLC using the CVE that I showed in this presentation. This CVE is a specific CVE that means that if you put a breakpoint in the PLC at address zero zero, which is the block memory address of the PLC, the PLC is stopped, completely unreachable and completely stopped. So I can craft my packet, specify the zero zero address, and using a very simple script, I have a simple tool, -d, then denial of service, I can send this request and the PLC is absolutely stopped, because I reached an invalid breakpoint address, the CPU is in error, the Ethernet communication is absolutely stopped. If I try to reach my PLC again, the PLC is not available, it's unreachable. Very easy. How to do that? Very simple code. I have here the DoS attack; I can craft the information and the frame of my Modbus protocol. You can read the manual of the Modbus protocol, you can search Wikipedia for the Modbus protocol, and you can write your specific frame using three lines of code, bypassing also the reservation request typical for Modicon PLCs. Okay, please don't do that at home, don't try this at home.

So a typical kill chain of a cyber attack in ICS: when I am connected to my OT network, I start the network scanning to discover all the devices. This is more or less the approach of Stuxnet, which performs a man in the middle, putting the device and the malware between the PLC and the SCADA system, reading all the information exchanged by the two devices, dumping all this information in a file in order to do a replay attack against the SCADA system, sending fake data, and then attacking the PLC in the network. The first step is network scanning, using for example Modbus scan or writing your specific tools; it's very easy to discover all the devices that you have and grab this information coming from the PLC consi
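The talk stresses that Modbus has no authentication and that the DoS rides on vendor function codes the public Modbus specification never assigned. What a network monitor can do with that on the wire is shown below, as an added example that is not code from the talk or from ScadaSploit: it parses the MBAP header and PDU of a single Modbus/TCP frame, rejects frames whose length field does not match the bytes received, and alerts on any function code outside the public set. The sample frames are constructed here, not captured traffic.

```python
"""Defensive Modbus/TCP frame inspector (added example, not code from the talk).
Parses the MBAP header + PDU of one frame and flags what a monitor would alert
on: length fields that do not match the wire bytes, and function codes outside
the set the public Modbus spec assigns, which is where vendor extensions live."""
import struct
from dataclasses import dataclass

# Function codes assigned by the public Modbus Application Protocol spec.
PUBLIC_FC = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
USER_DEFINED_FC = set(range(65, 73)) | set(range(100, 111))  # vendor ranges
WRITE_FC = {5, 6, 15, 16, 22, 23}

@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_frame(raw: bytes) -> ModbusFrame:
    """Parse one MBAP header + PDU; raise ValueError if it is malformed."""
    if len(raw) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, uid, fc = struct.unpack(">HHHBB", raw[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto}, expected 0 for Modbus")
    # length counts unit id + PDU, so one frame is exactly 6 + length bytes
    if length < 2 or len(raw) != 6 + length:
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    return ModbusFrame(tid, uid, fc, raw[8:])

def classify(frame: ModbusFrame) -> str:
    fc = frame.function_code
    if fc >= 0x80:                      # exception responses echo fc | 0x80
        return "exception-response"
    if fc in PUBLIC_FC:
        return "write" if fc in WRITE_FC else "read"
    return "user-defined" if fc in USER_DEFINED_FC else "unassigned"

def inspect(raw: bytes) -> dict:
    """Verdict for one frame: alert on malformed frames and non-public codes."""
    try:
        frame = parse_frame(raw)
    except ValueError as exc:
        return {"alert": True, "kind": "malformed", "function_code": None,
                "reason": f"malformed: {exc}"}
    kind = classify(frame)
    alert = kind in ("user-defined", "unassigned")
    return {"alert": alert, "kind": kind, "function_code": frame.function_code,
            "reason": "function code not assigned by the public spec" if alert else ""}

# Constructed sample frames, not captured traffic: tid, proto=0, length, unit, fc, data
SAMPLES = {
    "read_holding_registers": b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",
    "write_single_register":  b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01",
    "user_defined_fc65":      b"\x00\x03\x00\x00\x00\x04\x01\x41\xde\xad",
    "unassigned_fc45":        b"\x00\x04\x00\x00\x00\x04\x01\x2d\x00\x00",
    "truncated":              b"\x00\x05\x00\x00\x00\x06\x01\x03\x00\x00",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:24s} {inspect(raw)}")
```

The inspector looks at one frame at a time; a TCP stream carrying several back-to-back frames has to be split on the length field first.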