
An OT Cyber attack simulation on a chemical plant by Prashant Prashant, Rajat Kundu

BSides Edmonton · 2025 · 46:16 · Published 2025-10
Category: Technical

About this talk
BSides Edmonton 2025. This video was captured using a locked-down, unmanned camera. As a result, there may be moments when speakers are not fully in the camera shot. Additionally, the audio quality captured by the podium microphone depends on the proximity of the speaker to the mic, so variations in audio clarity may occur if the speaker moves away from the microphone during their presentation. We appreciate your understanding of these technical aspects.

OT systems are at the heart of critical infrastructure and industrial environments, controlling physical processes. As these systems increasingly connect to IT networks and remote access platforms, they become more exposed to sophisticated cyber threats. This exercise mimics real-world attack scenarios targeting industrial control systems, aiming to assess how well current defenses detect, respond to, and recover from cyber intrusions.
Transcript [en]

Okay. My name is Prashant. I am a senior cyber security adviser for Enbridge Pipelines. I've been in this industry for 17 years. I'm one of the organizers of the BSides conference. So, welcome everybody to this conference. It's been great to see everybody, the enthusiasm, the community spirit. Michael Spie's keynote was bang on. You know, it's about community: 2017, 10 people, to almost 600 people, that we are finding over capacity on these groups. I'm joined by my colleague Rajat Kundu. He also works for NP. He'll give his own introduction. But the purpose of our talk, and we'll try to be very honest on our time, it's a big talk. It almost goes to an hour. We have given

it on a couple of forums now: CS4CA Calgary. We also gave it to ConocoPhillips and their CISO suite, on OT cyber attack simulation on a chemical plant. Enbridge doesn't deal with chemical plants. So, full disclosure, this conversation, this content, is purely our own research. It's research of both of us in terms of how we can look at security. But in general, it's just showing you what's the art of the possible in operational technology. So, I'm sure folks know, or at least have heard of, OT or industrial control systems; if not, you know, you can take me on the side and I can give you a bit of a primer. I'm not an expert in

this field. We all learn as we go. But with that said, we'll be honest to our time and we have a couple of simulations to show you. I'll hand it over to Rajat ji for his introduction and we proceed. Right.
>> So I'm Rajat Kundu. I'm also working with Enbridge with Prashant, as a contractor through Jetson. So my role is, you know, OT networking and cyber security. So with our relationship he is actually my client who I have to actually satisfy. He's our cyber security advisor. So that's one of the key things: when we are dealing with OT and IT stuff, and especially cyber security, it's a collaborative effort. Not one single person and not

one single team can do it. It's actually, you know, everybody has to do it together. Professionally, I'm a professional engineer. I'm a PGA member. I'm a project management professional as well as a CISSP. So I'm having three different hats, you know, on my head: engineering, cyber security and project manager, and to be honest, in today's scenario that's what actually works well. So starting with our presentation, we have, you know, our presentation is about an introduction to OT cyber attack. So first of all, what we are going to know about is what exactly is an OT system and what is an OT cyber attack. We will be talking

about some of the, you know, external attack surfaces. We'll be looking at a little bit of Shodan: what Shodan is and how we can use, you know, Google dorks using generative AI. We will also be studying one particular, you know, industrial protocol. We all know about the common business protocols, HTTP, HTTPS and so on and so forth. But we are not much familiar with the industrial protocols. I'm going to take a little bit of a deep dive into one of them, and then after that we will be going into a real chemical plant simulation, which is like a graphical realism framework which is designed by Fortiphyd. We will be

presenting you that, you know, graphical realism, and we will be discussing a little bit about the OT systems, how the architecture of the layout works. We will do a demo where we will be doing an ARP spoofing of a human machine interface and then we will be injecting some malicious command through Modbus, which we will see before that, and given the time, you know, if there is enough time, we would actually upload a malicious program into one of the PLCs, simulation PLCs, and if you're lucky, with enough time we'll see the chemical plant blowing apart. So what is an OT cyber attack? So the OT system is basically a physical system. It's very physical in nature.

It's consisting of all, you know, measurements, you know, motors and so on and so forth. So an OT cyber attack actually can disrupt a very, very physical process and it can create real-world chaos. You know, some of you might have seen some movies, you know, Three Mile Island probably, or, you know, Deepwater Horizon. So some of those actually bigger incidents, a cyber attack can actually create one of those incidents. It's a practical possibility. So OT systems are the heart of critical infrastructure. So these infrastructures nowadays are increasingly connecting to IT systems, and also because, you know, many of the systems are actually complicated, they are supported by remote engineers. So they're also

getting more exposed to, you know, remote access platforms, and they are getting more and more vulnerable and exposed to sophisticated cyber threats. So what we are going to do is that in our workshop we will mimic a real-life scenario. The aim of this mimicking is that we will try to see what are the different vulnerabilities in our OT systems, how we can detect, you know, a threat, and how we can respond and recover from one of those cyber intrusions. So this is one of
>> Just on to that, before we go into the Purdue model, which Raj will speak about, I just want to give you a feeler of what

operational technology systems are, for those who are in this field. We live in the world of oil and gas and energy, right? Alberta, the province of oil and gas, that basically puts money into our pockets through various means; that's the commodity which makes money for the whole province. I work for Enbridge, pipeline industry, so just to give you an anecdote of what OT systems actually look like, I have this prop. This prop actually looks like a pipeline. A pipeline has a flow of gas. It could be a flow of oil. If you ever go to any of the field sites, if you drive by through farm fields, you will see that there is actually a valve. This

is a very crude representation of a valve with pressure on a pipeline. You might see some manual valves; people actually go in and put them in and out. If you ever go past one, don't ignore it. Go check it out and just see how those look, or how those pump stations or whatever the case may be look. So this is one example of a pipe flowing gas which could have a pressure gauge on it and it could have a manual valve. You and I, we have plumbing systems in our house, right? When it leaks, what do we do? We turn off the tap. We turn off the valves behind the final

valve which actually puts water into our houses. Why? Because there is a leak. Very similar systems, very similar principles, at least on the pipeline infrastructure. There could be refineries, there could be other infrastructure as well in the OT space. Another example I'll give you is tank terminals. If you ever go past the Anthony Henday, those who are Edmontonians or local Edmontonians, there is a full spiel around the Anthony Henday, what's called the pipeline alley. Big tank terminals. Enbridge owns some. Suncor has a refinery out there. Esso has a refinery out there. These tank terminals look pretty naive. They just store oil in there. But imagine for a moment, which is something we're going to show on the chemical plant, if you

can put enough oil which actually pumps out oil out of the flow of the terminal, of the tank, and there are various possibilities to do that, very naive, the oil will flow out, there'll be a leak around it, and the leak could have, you know, some impact. It could have environmental impact. We live in a world where the environment is very, very important, and you can have consequences deep down in your OT environments. Look at electricity coming into our environment, right? Middle of the winter, -35°, electricity goes out, supply chain imbalances between Alberta and the generating plants around Alberta. We can't buy electricity, our power, from our neighbors. The grid imbalances; maybe you are blacked out for 6 hours, 7

hours, 10 hours, 12 hours. I don't know how many of you, I'm sure you all are probably old enough to remember 2003, 2002, the blackout, the eastern blackout which happened, led to a lot of issues around, and I still remember pictures of people sitting on traffic lights thinking what else we're going to do. We are so dependent on these systems we don't realize: power, gas, water, electricity, you know, you name it. These are systems which run society. So it's important, when we look at IT security or cyber security, that this aspect of cyber security around operational systems plays a very important and very big role. I have been a physics student in my life and, you know, marrying physics

with cyber is so beautiful, because ultimately you figure out how physical principles can be compromised by cyber means, and there are various ways you could do that over the industry. I've been in this field for six years now. So this is another example of a tank terminal. I'll give you another one just to give you an idea of what these systems look like. What you see here is a Nanoprecise IoT sensor. It's a vibration monitoring sensor which actually sits on top of the pipeline. When the pipeline vibrates, and it can vibrate for various reasons, this actually creates a wireless sensor signal which goes down out into our

SCADA systems, and there's a whole nine yards of how you control these systems, because they are so critical; even vibration on them, volume, temperature, vibration, they can become an issue if they're not monitored properly. This is a real-life example of an IoT sensor which can be put on; it's a magnetic sensor. It just plugs in and does wireless comms back into the gateway, blah blah blah. So these are just examples to show you how IoT systems look, how OT systems look; in your own houses, when you look at thermostats, that's a very simple human machine interface, which we're going to talk about, which looks at your thermostat. So just to give you an idea, to get you in that

frame of mind of what we're talking about, and then how these can be compromised to the detriment of human safety. Why Rajat ji and I have put on this PPE hat: ultimately the aim and the subject of our discussion today is making sure, as we are going into these fields, we look at information security on the IT side, but there's a human element to it, and that's that human lives are at stake. PPE is always important. If you are in this field, if you ever go into technical sites, make sure you have that. It's not about just being in oil and gas. It's about being a construction worker. It's about being in a road, you know, construction going on,

whatever the case may be, because what's happening now, cyber is not only about hacking emails or taking your confidential information out and being a reputational impact to you. Cyber is now going into the world of OT and industrial control systems, where it could kill people. Somebody very interestingly told me one day, he said, look, a doctor, if he messes up, can probably kill one patient. An engineer, if he messes up, can kill thousands. Let that sink in for a moment. The rules of information security or operational security are written in blood. That's what they call it in the world of engineering, because people have gone through these things. They're so sensitive and so critical. You don't

want a human life to be lost because there was a misconfiguration on a system. And so keep that in mind. We talked, you know, Michael talked about in the morning confidentiality, integrity, availability. The other aspects of OT, industrial control systems, come around reliability and safety of operations. Again, we live in a province called Alberta. Oil and gas, any energy infrastructure, is important. These things play a role in the society. Knowing the reliability of operations, knowing that safety is at stake for those technicians, is very important. So just wanted to give you that context. Over to you, Rajat ji.
>> Right. So the next slide is about, you know, an IT and OT Purdue model which

actually shows, you know, how the physical systems or the control system or the OT system is laid out, and I have a little prop here which I prepared just to show, you know, how to correlate them together with the stream. So what we have is the lowest level, which is the sensors, and, you know, we have a little potentiometer here, analog and digital sensors, which actually, you know, some of those props Prashant has, the valves, you know, it's an actuator which can be commanded by this little board which is on the layer zero.
>> So they are always in this level, sorry, if you can go ahead, all these devices

>> We have the upper level, which is the PLC, which is a programmable logic controller, which actually sends the signal to these devices which close and open, you know, the valves and motors and stuff like that, and then we have a level two, which is an HMI. So this is how a person gets the visibility of these things. What's going on here? Because these things are huge. You cannot just see them with your own eyes, you know, in one shot. You need to have those graphics somewhere so that you can get an overall picture, which is where it's shown up. This is one of the wonderful parts. If you get access to this guy, if you have a

current, you know, right credentials, you can actually mess up with everything down here. You can create an oil spill. You can actually, you know, make a transformer blow up. You can do lots and lots of things. And then we have the next layer, which is the layer three. Now this is where the data gets collected. It's a historian. It's a computer which collects all the data which is coming, flowing up from down all the way up, and it's storing all the data. This is what goes to the business side of things, where somebody else, somewhere else, is actually monitoring that data and making critical decisions, the business decisions. So we have a point

in the Purdue model where you see that we have a firewall which is segregating the IT and OT network. Everything here is very physical, you know; it is, you know, safety related, availability is very important here, and then we have the data, which is the cream of the thing, where all the data moves, which is the interfacing between IT and OT. So just to give a quick update on that model: it is just a reference model; it's not how it looks in the field. Okay, this is just a reference model to show you how these are zoned, how those security enclaves or levels are created for those systems,

to give you a kind of an understanding of how, when we look at cyber, when we look at OT environments, that does play a role. You could literally have an IT system sitting next to an OT system and you would say, hey, it doesn't fit my Purdue model thought process, so it is wrong. That's not how it works when you see it in the field. This is just to give you an idea, but that's a beautiful way of showing how you can model OT systems, which are literally these systems, and they can be detrimental to human safety, as we talked about, including operations and the reliability of that. So the next point is we will

just be discussing a little bit about the common attack surfaces. So one of the most vulnerable things on, you know, the Purdue model or on an OT system is its connectivity with the IT or the corporate network. The second thing is that there are those devices, IoT devices or the specialized PLC devices, which need better support. There are 100 different types of vendors and it's not possible for a customer to know all of them by heart. So they are depending upon, you know, remote support for those devices. In addition to that, there are those HMIs and SCADA dashboards which could be internet exposed. There are also many different third-party vendor supports as well. We

have wireless communications with the OT systems and the cloud service integration, like, you know, API data. We have historians which connect to, you know, the internet, and probably that data is getting stored in the cloud as well. Plus there are many physical things like the USB stick and, you know, control room cabinets, which are very, very physical. So physical access to those equipments is also very exposed. You might have seen in some of the movies, you know, some big star gets into, you know, physical access to some critical infrastructure, you know, does the biometric scanning and does things. So that is the physical aspect part of it, plus there are many sensors, IoT

sensors are there, temperature sensors; you can manipulate the temperature values and you can give a totally different kind of scenario. So those are the vulnerable points or the common external attack surfaces that are possible. So the other thing we will be discussing is that now what we are talking about, what I'm talking about, is basically the OT system, which is a highly specialized field, but again, to hack into the system you may not need to be an engineer, you may not need to have in-depth knowledge of those systems; it is still possible to hack. So one of the search engines that I would show you is Shodan. Now what it does is that it

indexes all the devices and services. It scans IP ranges and banners and it has the ability of finding any IP devices, routers and switches, databases and servers which are actually actively connected to the internet. Our aim is to protect the systems so that they are not directly exposed, but there are many in the world, as we speak, which are actually connected to, you know, the internet without any protection. So we will just take a look into a few of them.
>> So while he does it, how many know what Shodan is?
>> Quite a few. So that's very good. So Shodan is basically a search engine you can use for looking at, you know,

vulnerabilities on the internet, connected networks and stuff, right? So you can create a free version, a free account, or you can create a subscription one. What Rajat is going to show is, basically, we don't know sometimes Shodan queries because we are human beings. You can't get enough information about cyber security of everything. Can I use AI to create me Shodan queries to look for OT systems which are vulnerable on the internet and then use them either targeted to my company, or whichever subject scope company we're looking for, or in general. So over to you.
>> Right. So let me just, you know, open up my internet screen

here and I'm going to go to Shodan. I will go to ChatGPT and I will be running a query, which is very, very simple, to generate a Google dork. Is my screen available there?
>> So while he does that, some of you who may have been speakers and stuff would have gotten these decks today, the Backdoors & Breaches. We had a limited number and we got it from Black Hills InfoSec, but anyway, there is a cloud core, cloud security deck, there is a core deck for IR and there is one specially for ICS and OT. If you are ever interested in doing incident response in the ICS/OT

world, you can actually gamify incident response play within your own teams in this space. I haven't played with it; it is literally in my hand, it is brand new. I'll give these two away to those who ask questions, and hopefully we have time for questions in the end, so we'll see how that goes. We'll see how much, you know, is the enthusiasm of this talk.
>> Right, so for example, you know, I'm going to use a Google dork query to find external OT assets with Modbus exposure ization and educator. Now if I run it, it is going to give me, you know, a result which is going to give me

some of the, you know, Google dorks.
>> Expand it, sir. So it is going to give me some results, and if I copy it and I put it on just, you know, the Google search engine, so I don't know anything about OT systems, you know, the PLCs or anything like that, but once I make a query, it gives me all the resources that I need to make a study and understand what it is. One of the most common protocols is Modbus. It just tells me this, you know, it gives me a Google query on it and I can just research and I can find everything about that particular technology. So this is, you know, one of the

ways, even if somebody's, like, you know, a non-technical, you know, OT person, can learn and find out about things, and then we have this, you know, Shodan, and if I just go to, and just say, I look here on the Google dork, through the Google dork and Google search engines, it gives me a result of Modbus and Siemens, some of the names of the company. I go to Shodan and just say "Siemens HMI" and it just tells me some of the exposed systems which we have. I can just keep on trying. Let's say I just go and try this one. See if this one pops up something, and let's see what it pops

up. Oh, it does open something. You know, now it is telling me an exposed system and I did nothing. And I'm just a normal guy playing around with, you know, ChatGPT or Google dorks and put it on Shodan, and it just opened me information about an
>> By the way, there's no MFA here, okay? You already saw this. By the way, this could be a honeypot, it could be a real HMI system, but this is what it is. This is how exposed the whole internet is; not that your own organization could be, you can tailor those queries towards that, but the idea of showing you this example was the fact that the cost of going into

OT cyber security from a bad man's perspective has reduced. You don't need to know OT queries or you don't need to know much about it; you can use ChatGPT, get a query, run it on your organization or on the internet and get a default page of an HMI system. By the way, Siemens S7 PLC: if anybody's ever interested in Stuxnet, you guys heard of Stuxnet, 2009, the biggest cyber warfare weapon which was ever created to this date. It actually holds that title, to my understanding. S7 was the PLC which was compromised by the so-called folks who created Stuxnet. I'm not going to go into details of that. All right. But it

went into the Iranian centrifuges. It checked out, you know, at the back end it actually exploited two zero-day vulnerabilities in S7 and it led to the centrifuges going fast, but on the HMI they were literally seeing, oh, we are in the bounds of it and we should be okay, and the more you get away through a tolerance level of a particular machine, it basically comes down, and that's what happened in the Iranian centrifuges with Stuxnet. So this S7 PLC, by the way, was the culprit in that. It still is one of the main ones which is used in the OT world right now for testing and

cyber security testing purposes. But this is just an example of a web version of an HMI which sits on that PLC or similar products of Siemens.
>> And one of the interesting things is, you know, most of the people, including me once upon a time in OT systems, you know, we are lazy; lazy in the sense, confidentiality is not that very important for us. Safety and reliability, safety, reliability and availability is what we, you know, die for. We are not very good with confidentiality. So most of the, you know, you see here is a username and password. Most of the HMIs and email you would find, many of them are using the default password.

Going onto the internet you can find the default password and username; you can actually directly get into those HMIs and manipulate things. Things are improving as people like me are getting associated more and more with cyber security experts. We are improving day by day, but there are many cases where we still see these kinds of things.
>> Just to add on to that, just a little bit, for a couple of seconds.
>> So cyber security in the OT space doesn't have to be about pilfering information out of the OT environment. It is about manipulating physical aspects of the operations. Okay, you have a pipeline running, a pipe at a certain pressure, pressure P1. If you go

from a P1 to a P1 plus whatever number, it overpressurizes the pipe. When something overpressurizes, what happens? It either will burst or leak, depending on the commodity going into it. These types of attacks are called living off the land techniques. There are already systems which are managing these pipelines for those technicians who are sending oil or gas through the pipe. What if, instead of a good human being or a technician, a bad person has access to that HMI or a SCADA system? They send a command, increase the pressure up to a certain point, and now you have gas flowing at a certain pressure and it could actually explode. I highly recommend to you, Rajat ji said

and in fact I watched that movie as well, called Deepwater Horizon. It's a movie about safety. It's a movie about how things can go wrong, and while on your screen they still look good, in the back end you're actually having oil gushing out of your rigs and creating havoc on the systems. So, and these are realities, I can go on and on. They have happened in the Ukraine-Russia war. Electricity has gone out for 300,000 people. Malware has gone in and wiped out these systems. The Oldsmar, Florida incident: the hackers had access to the chlorine which they could up in the HMI, in the system, for

the water treatment. Imagine these are systems which you and I depend on. I turn that pipe on, of the city of Edmonton, in the hope that I'm not going to die drinking that water, right? So it has to be very, very important for us to understand what can go wrong with some of these systems with a small tweak of these configurations.
>> The next one is a common, you know, OT protocol we will study, which is Modbus, which is still one of the widely used protocols in the OT systems. So what we will be doing is that we will be doing a packet capture of a Modbus command and,

you know writing a register. So these industrial protocol traffic again the same thing I may be technically qualified to understand all that thing many many of the IT people or hackers may not be but using simple tools or the tools which are available to a cyber security guy or any hacker or anybody else free tools no money you can actually analyze some of those systems and you can you know you know create that. So the my objective of the next uh next presentation uh is that uh to study industrial uh protocol how the commands and uh response to those commands comes and how using a simple wire sharkark you can actually have the visibility of

what's going on inside. So here we go. So I have a, you know, a simple Modbus slave, you know, running here. This is a simulation. So exactly what we see there, you know, on my little prop, one of the devices could be a model of the slave and the PLC could be actually interpreting that controller and running commands over it. So I have a slave here and then I have a master. So just to give you an idea.
>> Okay. So while he does the demo, what actually is happening is on this dashboard, if you know the actual actuator or whatever the operating

system is, or the actual machine is, at level zero. It is being handled by a PLC, a programmable logic controller. You can all Google it later on. And then an HMI which is going to control the PLC, which will ultimately control the physical process which is going to run. So the Modbus command, the Modbus protocol, runs through the HMI, through the PLC, out into the actuator and runs the physics of it, but this protocol in itself natively is insecure. There's no encryption. This protocol, whenever it was created, was created mostly to run the systems, not with a cyber security perspective in mind. So that's what Rajat is showing. He'll show some master-slave configuration and how

we can manipulate the numbers, but it could be very easily used, and it is a very heavily used protocol in the OT space these days. Even, just like TCP/IP, if you all know, TCP/IP was not meant to be secure. It was created to be a protocol to run the worldwide web, but then lo and behold, we are at the stage where now people encrypt and do a lot of things over it. Correct.
>> So to run this little experiment, I have a Wireshark running in the background and, you know, right now I have filtered this Wireshark as Modbus only. So right now there is no traffic; it's just total zero, and what

I'm going to do is that I'm going to, and we have a state here. So you see this number zero; at zero we have 21, we have 43, 65 and so on, and so let me just clear this out as well. What I'm going to do is that I'm going to read from this slave ID, which I know that this slave ID is one. I'm going to read, you know, 10 registers. So read zero to nine, and I run it, and it's going to give me a value here. It is a master system. But look what the Wireshark did. So the Wireshark immediately captured that I'm trying to run a Modbus read command,

read holding registers, and I'm going to read 10 registers, and then I go here. This is the response. I sent a query, I get a response, and the response tells me what are all the numbers. So now I'm into an OT protocol and I'm able to see the commands and responses.
>> You're basically reading the registers of the PLC from that command, and that's the important part. Don't worry about the technical details. One thing you can get from this is Wireshark is the Swiss Army knife of network security, right?
>> So you can get Wireshark and run it and it'll have OT protocols also figured out,
>> right? And the thing is that, you know, I

mean, you know, with a little bit of intelligence and, you know, like you can capture, you know, 90 days of data out from the Wireshark and you can use tools to analyze that data. You can actually find out it's data like, if you change one data, a second set of data is getting changed. Like we mentioned the pressure, right? There is a set point, the pressure is regulated, so there is a fixed number and another number is just going a little above and beyond it. If you can find those two combinations, you know, this number: if you change this number, the second number changes, and then you can manipulate the first number. So the idea behind this is,

okay, I have a read, I can see what the values are, I can read, and then I have the master system and I'm going to write something here. So let's say I'm going to just reverse the order. So I have 21; instead of 21 I will just give 12. I have 43, so I will make it 34, and then I will make it as 56, 56 and 78 and 90. So I will clear this first and then I am going to write it, just

okay so right away I get the response from Wireshark. So the wire shark is telling me somebody is trying to write these numbers 12 3 4 6 7 8 9 65 and it says that yes the return is successfully confirmed I have been able to write four registers. So by analyzing the read and writing things we can actually have a 90 days record of these read and writes of modbus and we can actually figure out which changing what numbers change what parameters. We don't have to be an engineer. We don't have to you know know everything about it. But with a little bit of intelligence and hacking is all about trial and error. You do not know

what's the result that you will expect. You just keep doing things doing things and something will trigger. Right? So this is exactly the the same thing without knowing any technical information of a chemical plant. You just play around with those protocols. see the read and write request and just make sense which number chains what are the number and then next presentation is going to be by uh Prashant and he's going to actually inject a malicious command through uh metasloit which is again an IT tool it's not a OT tool but likewise somebody can analyze this thing and then go with the IT tool and he can actually um affect an OT system >> please show me the presentation

>> Yes. >> By the way, I just got a 15 minute timer. So, I'll try my best. There were four simulations, but I'll see if I could at least pull one or two to give you an idea of how things would work. Maybe just >> Yeah. Yeah. We'll go with the architecture. So, part of the simulation is, if you give me that board again. >> Yeah, sure. >> So this particular simulation, if I'm not able to finish it, you can again take me offline. There is a GitHub project called Fortiphyd GRFICS version two. It is graphical realism for ICS, version two, by a company

called Fortiphyd. They have a free GitHub version. These virtual simulations, these virtual machines, are actually from that simulation. So you can go through the details and create it on your own, basically on a laptop or in a lab. So the architecture which that simulation goes through is: you will have, there's a PLC which is a virtual machine. There's a workstation which is basically a normal computer which can run commands or which can upload configuration files to a PLC. We all know a PLC is the brain of the process. If this is a physical process running the system, the PLC is very important because it controls the whole logic around it. So it's a very critical system for OT

which can be compromised. Okay. Then we have a simulation virtual machine. It's not in real life you get in OT space, but there is a simulation which I'll show you quickly. And then we have a pfSense firewall, which is a firewall creating a network segmentation between our OT network and then a network which is, in a nutshell, your HMI. We are going up till the HMI phase here. We're not going to the SCADA, which is a different topic altogether. Okay. So human machine interface: there's a virtual machine for that, and there's Kali Linux. Kali Linux is offensive cyber security. There's a virtual machine you can run to create havoc on the system. So this is just the architecture of the

simulation. Just wanted to give you a context before we go into the simulation, and I'll see how much I can pull through it. But if you can just, towards the

So what you're seeing on the screen here is the, by the way, let me give you a quick spiel on the virtual machines which are running. There is a PLC virtual machine, there's a Kali Linux I told you about, there's a ScadaBR which is basically an HMI, and then there is a chemical plant simulation which is another virtual machine, and pfSense which is a firewall, on VirtualBox. So you can run this on VirtualBox, create your own network configurations and look around it. I'm not running the workstation machine right now because the simulation does not call for one. So that's more the kind of the virtual machines running on the

VirtualBox there. And then what you see here is, since I already have them running, this is the HMI, what you see on the ScadaBR system. So this is a boiler. We're talking about a chemical plant. So a boiler which has inputs for chemicals and then outputs coming out of it. Okay? And then you have certain kilom per hour going in, certain pressure and level in there. I'm not a chemical expert by any means. I just look at this and, like, yay, it's working fine, right? But it is green and it is working. Okay. So this is a simulation of an HMI which is connected to a PLC in real time

through those virtual machines I talked about. There's also a PLC. This PLC which we were talking about has a web interface. That web interface is what's shown there. You can actually upload a configuration file on the PLC to play with it and kind of create havoc around it. So just giving you an idea that this is OpenPLC. This is another piece of open source software. You can get it from GitHub. It's packaged into the Fortiphyd simulation platform, but you can run, you can stop, you can choose files to upload the PLC program and create havoc around it. Okay. And here is the simulation of the plant

again. Actually, this is the one when it is already blown up. So this is from the previous simulation I had, and I had to reset the machine. I didn't find time for it, but so when I kind of turned it on today I'm like, oh, it's already blown up. Okay, but this is how it looked in the end, just to give you an idea. You have the simulation going in. These were normal levels, normal pressures. When you create some of those parameters for hacking them, which I'll talk about maybe in one of them, and you increase the pressure and come to a point where it actually blows up and shows you, or

you can decrease the pressure and shut down the boiler as well. So that's what you can play with: the pressure of the boiler based on the Modbus protocol I was talking about and how you can relay with that. Again, it's 10 minutes. So let me see what I can pull through. If I were to look at Kali Linux

no >> Yeah, HMI actually. So yeah, so you have Kali Linux here, and if you remember the architecture, the Kali Linux was sitting at the HMI level. What I'm going to do is I'm going to ARP spoof. So what you had here was: this was the HMI, and the HMI has an IP address talking to a PLC. Okay, I'm going to ARP spoof. Kali Linux is going to ARP spoof the HMI's IP address and send a Modbus command to try to manipulate, because the HMI is actually sending the real commands, but I'm going to create a "hey, I am your HMI, I'm going to send you the command," because Modbus has no source authentication. It doesn't look at that.

If you send it the command through a man in the middle or through a Kali Linux, it will take you. So, we'll do a quick, not. So, we'll do a quick, let me open the

So, if I do Wireshark at this point in time, it will show me what packets are going back and forth, because my Kali Linux is sitting at the same level as the HMI.

Just need to make sure I'm listening on the right port. Give me a second.

So I'm listening on Ethernet one, which is the Ethernet network sitting next to the HMI on the same network. What you see here are Modbus and TCP flows going back and forth on that particular network. Okay. If I stop it, I don't want too many packets going here. And I will filter on Modbus.

So you will see that my Modbus is going between source and destination of 90.5 and 95.2. I know my IP scheme from the HMI, that my HMI was at a 90, quick second,

that match was a 90.5. So this tells me this much: that 90.5 is my HMI, because I know that. I did not know my PLC IP address, but I do know now that it is 95.2. Okay, so that's one thing I know from Wireshark's capture: what the flows of the traffic are. Now I'm going to use Linux to actually mimic 90.5 and then send a command to it. Okay, so how do I do it? There's an arpspoof command in Linux. Those who have played with it in Kali would probably know it. It's easy to remember and to play with. But let me open it up.

So I arpspoof, and I do, because I'm in the normal, so it won't allow me. I need to do, I already had it from the previous demo. So what I have started doing now is I'm ARP spoofing the HMI and forecasting that I am the HMI of the system. With this ongoing, this is one attack. This is basically: you are ARP spoofing the HMI, you got to know the PLC, now you can effectively act as an HMI and start sending commands. So that's one piece of the puzzle from a demo perspective. Then once you have that, okay, so that's one thing, I mean I can ARP spoof and send commands to it.

There is another attack which is more around Metasploit. So let me show you a quick Metasploit one. How many of you know what Metasploit is? Okay, good. So I'll be using Metasploit. Hopefully it opens up; it takes a lot of time. There is a Modbus, while it does that, time later. So can you just go to this screen from the, how much time do we have? Five minutes. Maybe I'll leave this simulation. I'll just walk you through the steps of it.

>> Yeah. Quickly. So, I was supposed to use the Meta, I did the first demo. Metasploit in MSF console: I'll search for Modbus. There is a Modbus client which you could use. Now, that client, you can set the IP address of the PLC. You can set write coils at the data address 40. So you need to know some of the gimmicks of it. But then you set a number one and set data coils to one and then you run it. It'll start bringing the pressure of the boiler down to a point where it actually stops. So what you have done, you have used Kali Linux in an environment at the level of the HMI and then you created the

conditions to actually stop the, one example. Not everybody can put Kali Linux at that level. What can you do? If you have access to the HMI, you can play with it and do the same thing. That's what's called living off the land techniques. Anyway, I'll stop there. There are other demos too, and we have a presentation which we can send also after the fact if you're all interested in this. We'll open up for questions. Floor for questions. Any comments, things you may have learned or things you may not have learned. So please go ahead. Yes, >> Ramse.

Is there any Modbus? >> There is. So now the versions of Modbus have gone into what's called Modbus TCP. There's also an encryption layer people put on Modbus. It's called Modbus Secure. So I mean the underlying layer protocol is still insecure, but they have put a data layer on top of it, just like if you have IP: IP is insecure but IPsec is secure when you create VPN tunnels. So similarly there are versions of Modbus which are secure. Now the question is, do those products have those, and will they be able to take them on is a different question, because vendors accordingly have to up their ante if they came to create those use

>> just from your experience infrastructure

>> Many do, but again I don't know everything about every oil and gas company, what they're doing. Usually there is a lot of challenge of using Modbus as an insecure protocol. There are other ones too. There's DNP3, there is, you know, Profibus, there is infinib bus, there is Fieldbus. >> So one of the things is that most of the systems are actually highly air-gapped. So there is a legacy Modbus system that exists, and many of my peers, they don't like to use any Ethernet protocol. You go with a serial RS-485 kind of protocol, which is kind of antiquated, which is a 30, 40 years old protocol, and the only way you can hack it, of course

it's hackable, but you have to be physically present and have two wires connected to it and manipulate it locally right there, which, the chances of this are very, very rare. So many of my peers, they don't like internet; they just change the system to those very, very basic ones, we're going to find that are the app running today on. >> Yes. So currently these days there are new products which have come where the firewall is built into the PLC. So you could use the firewall capabilities in the PLC, or you could also use a firewall at those lower levels, at level zero to level one, to segment the network and make them, like I used pfSense, if you

have seen, pfSense was segmenting the Kali Linux and the HMI from the PLC. So yes, you could segment those networks. You have to be very careful though, because these systems, they have to keep running. If a firewall impedes the real-time operations of a PLC or of an actuator or whatever the case may be, it can lead to downstream impacts on operations running, you know. So we have to be very careful, but it is possible. >> Yeah. One of the other techniques, you know, some of my peers, is that, you know, if there is one HMI or two HMIs, this reduces the subnet to the smallest ever

possible number. Of course, you know, it is not very flexible, but by doing that, reducing the subnet to a very, very small number, you cannot just insert another host into it who can inject. So there are many different techniques there. Studying a little bit of OT provides that exposure, how we can protect these kinds of systems, but again it's more of an education: the more you know about the system, the more protection you can get. >> Okay, we have to be honest on time. You know, it is 2:15, I have another panel to go to, so please hit up both of us offline if you want to learn more about

it. Thank you very much for coming. Really appreciate you taking your time.
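Added example, written for this page and not taken from the talk or from the GRFICS/Fortiphyd project: the speakers show Wireshark decoding Modbus reads and writes, then a host at the HMI level sending writes to the PLC because Modbus has no source authentication. The Python below parses Modbus/TCP requests (MBAP header plus PDU) and runs a small monitor over constructed sample frames, flagging write function codes from any host other than the HMI and the HMI's IP address arriving from an unexpected MAC, which is what the ARP spoof in the demo looks like on the wire. It goes a little beyond the talk by handling all four write function codes, including the LSB-first coil packing. The IP and MAC addresses, register values and frames are assumptions constructed for the example; only the .90.5/.95.2 host parts and coil address 40 echo the talk.

```python
"""Modbus/TCP request parser plus a monitor for PLC writes from unexpected
sources (added example; addresses and frames below are constructed)."""
import struct
from dataclasses import dataclass, field

# Function codes that change PLC state (coils / holding registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Assumed lab addressing (only the .90.5 / .95.2 host parts echo the talk).
HMI_IP, HMI_MAC = "192.168.90.5", "aa:bb:cc:00:00:05"
PLC_IP = "192.168.95.2"


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    count: int                      # registers/coils touched (1 for single writes)
    values: list = field(default_factory=list)


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(payload) - 6:          # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = payload[7:]
    fc = pdu[0]
    if fc in READ_FUNCTIONS or fc in (5, 6):
        if len(pdu) != 5:
            raise ValueError("read / single-write PDU must be 5 bytes")
        addr, arg = struct.unpack(">HH", pdu[1:5])
        if fc in READ_FUNCTIONS:
            return ModbusRequest(tid, unit, fc, addr, arg)      # arg = quantity
        return ModbusRequest(tid, unit, fc, addr, 1, [arg])     # arg = value
    if fc in (15, 16):
        addr, count, nbytes = struct.unpack(">HHB", pdu[1:6])
        expected = 2 * count if fc == 16 else (count + 7) // 8
        if nbytes != expected or len(pdu) != 6 + nbytes:
            raise ValueError("malformed multiple-write PDU")
        data = pdu[6:]
        if fc == 16:
            values = list(struct.unpack(">%dH" % count, data))
        else:                               # coils are packed LSB-first
            bits = int.from_bytes(data, "little")
            values = [(bits >> i) & 1 for i in range(count)]
        return ModbusRequest(tid, unit, fc, addr, count, values)
    raise ValueError(f"unsupported function code {fc}")


def build_request(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (used only to build the constructed traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def monitor(frames, hmi_ip=HMI_IP, hmi_mac=HMI_MAC, plc_ip=PLC_IP):
    """Return (transaction_id, message) alerts for frames sent to the PLC."""
    alerts = []
    for src_ip, src_mac, dst_ip, payload in frames:
        if dst_ip != plc_ip:
            continue
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((None, f"malformed Modbus from {src_ip}: {exc}"))
            continue
        # Modbus has no source authentication, so pin the HMI's IP to the MAC
        # it was learned with; the IP showing up from another MAC is the
        # on-the-wire signature of the ARP spoof in the demo.
        if src_ip == hmi_ip and src_mac != hmi_mac:
            alerts.append((req.transaction_id,
                           f"HMI IP {src_ip} now seen from MAC {src_mac} (possible ARP spoof)"))
        if req.function in WRITE_FUNCTIONS and src_ip != hmi_ip:
            alerts.append((req.transaction_id,
                           f"{WRITE_FUNCTIONS[req.function]} at address {req.address} "
                           f"from non-HMI host {src_ip}"))
    return alerts


# Constructed sample traffic: (src_ip, src_mac, dst_ip, Modbus/TCP payload).
SAMPLE_FRAMES = [
    # HMI reads holding registers 0..9, like the read demo in the talk.
    (HMI_IP, HMI_MAC, PLC_IP, build_request(1, 1, struct.pack(">BHH", 3, 0, 10))),
    # HMI writes four registers: a legitimate operator action.
    (HMI_IP, HMI_MAC, PLC_IP, build_request(2, 1,
        struct.pack(">BHHB", 16, 0, 4, 8) + struct.pack(">4H", 21, 43, 65, 87))),
    # Same source IP, different MAC: the HMI's address has been spoofed.
    (HMI_IP, "de:ad:be:ef:00:01", PLC_IP, build_request(3, 1,
        struct.pack(">BHHB", 16, 0, 4, 8) + struct.pack(">4H", 12, 34, 56, 78))),
    # Unknown host writes a coil at address 40 (the address mentioned in the talk).
    ("192.168.90.77", "de:ad:be:ef:00:01", PLC_IP,
     build_request(4, 1, struct.pack(">BHH", 5, 40, 0xFF00))),
]

if __name__ == "__main__":
    for tid, msg in monitor(SAMPLE_FRAMES):
        print(f"[txn {tid}] {msg}")
```

Run as-is it prints two alerts, one for the spoofed-MAC write (transaction 3) and one for the coil write from the unknown host (transaction 4); the two HMI frames pass silently. In a real deployment the frames would come from a span port feed (pyshark or scapy both expose the IP/MAC tuple and TCP payload), and the HMI IP-to-MAC pinning should be learned from a clean baseline rather than hard-coded.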