
I'm István Kocsis, and I would like to introduce my colleague László Kőszegy Rex. Hello! Today we will talk a little about industrial cyber defence, more precisely about the state of domestic ICS/OT: what the past was like for the industrial automation and manufacturing area, what it is like now, and a survey we carried out at the end of last year to measure the security status of domestic ICS/OT devices, that is, the devices that were reachable online.

If we look back into the past, attacks on industry started in the era of machine breaking. Whether the person Ned Ludd really existed is debated, but it is certain that around 1811 a wave of machine breaking started. If we look at it in today's terms, we could call this APT001. These attacks on industrial systems were less sophisticated than today's, but they proved to be effectively destructive. They were physical attacks. Five to ten leading actors carried out these attacks, which were mostly so-called "hammer style" or "firepower" attacks. The workers smashed the frames of the machines and the machines themselves with hammers. The other kind of attack was more sophisticated and more destructive, and destroyed the whole thing as it stood. By around 1812 machine breaking had already caused 100,000 pounds sterling of damage. If we convert that to today's money it is a considerable amount, and at that time a complete factory could be set up for 500 pounds, workers and orders included.

If we look at the current world, we can say that everyone is interested in attacks on industrial systems, from various government and state-sponsored attacks to classic cybercrime; there are such attacks all over the world. The motivation can be political, for example in a state-related case, or military, also in a state case, or classic criminals use such attacks to achieve financial goals. Various hacktivist goals have also appeared, which may or may not really be community-driven. These attacks against industrial and manufacturing systems certainly cause damage, and there are numbers about this too. If we look at them, we can talk about significant damages. For example, the Maersk incident in 2017 cost $300 million, the FedEx incident in 2017 $300 million, the Mondelez incident $150 million, and perhaps something closer to us, last year's incident at Hydro, where the total cost of restoring the systems was $70 million. The strikes are hitting closer and closer to home. We can mention INA this year, or IGI, which is a Hungary-specific event, or even Stadler. These industrial systems are constantly being probed by attacks, and there are many of them from this point of view. At the French nuclear power plant 65 gigabytes, 11,000 files, were taken. Then there was an attack against a Russian iron ore company; this was a ransomware story, and iron ore production had to be stopped for 24 hours. Then a Japanese optical factory also suffered such an attack. Or, as an instructive example, the HMI of the Australian sea lift. Or the most interesting was last year's attack on the US power grid, which caused a 10-hour outage in a large area.

The term Industry 4.0 is often used in the context of industrial systems. We often remark that our Industry 4.0 is our Security 0.4. That basically sums up what kind of security conditions we have to comply with in these industrial systems, unfortunately sometimes only because the law requires it. Moreover, time does not stand still: we are not talking about Industry 4.0 anymore but Industry 5.0, so there is progress. If we want to know how much focus Industry 5.0 and Industry 4.0 have received, Frost has this little chart, and we can see what the focus of Industry 4.0 and Industry 5.0 is on. Unfortunately, we can see that security has not been affected by this. This is not true in reality; Industry 4.0 already defines security expectations that should be met, and how far they are met or not, I think our survey has given a good picture of. Why is security so problematic in the ICS/OT environment? It can be said that very old devices are still working today. The life cycle of devices in OT is completely different from what we are used to in traditional IT.
There are devices that are 15, 20, 25, 30 years old. The oldest device I've ever replaced was from 1980; it was a 2-year-old C-150 PLC. It did a great job, no problems, it was just a little slow. These devices also have old firmware, and you should know that a firmware change is not as trivial as on a router. Many manufacturers do not provide a specific possibility for this, because the hardware and software are one thing that cannot be separated, so I cannot go beyond a certain firmware without replacing the hardware itself. In many cases this also carries a risk. Pushing an update onto a running system is not a nice thing; if we do it, we have to do it in a very risky way, and if we do it in a really risky way, it is really risky. We should add that in many cases the software or hardware is no longer developed, because there is no point, because the device has been discontinued. If we look at operating systems, the operating systems used are also end-of-life, and the same is true for applications. These are not updated either. Usually, when a system is delivered, manufacturers lock themselves into a software environment and provide a certain software environment together with the warranty, operation and support. If someone decides to update the application or the OS, then two things will happen: first, the whole system will not work, and second, if it still works, then the manufacturer will say that we are glad it has been updated, but we will no longer take responsibility or give a warranty for it, so they do not want to do this. And if we want to keep the warranty, then in most cases they will issue a quote for the update that is quite "attractive". On top of that comes the production downtime cost, which is essentially a very "attractive" amount as well.

Since we are talking about old systems, the protocols have weaknesses that have to be reckoned with. These industrial controllers were not designed for this use when they were introduced. It was not intended that the PLC would be connected to any other network system outside of island operation. Since it worked on its own, with the help of various tools or parts, it was not necessary to use protocols that would ensure proper security. What happened was that there was a change of perspective and the industrial controllers were connected to the real networks. These protocol weaknesses can cause serious problems. This can also be an encryption problem: how much do they use encryption on such devices? This is not typical in older protocols; in newer ones it is, but referring back to the previous problem, a new protocol would probably mean a firmware update, which could mean a complete replacement of the device. This carries such costs and downtime that they do not do it, so the device remains without any encryption or password.

Another very important principle here is that we do not touch a working system. In manufacturing environments the biggest cost loss always comes from downtime. If we talk about the cost, then it's 20-30 thousand euros for a normal machine. But if we talk about a more special case, for example a titanium 3D printer, it is not uncommon to go up to 200-300 thousand euros per hour. So here we are talking about hours, the machine's time. If we talk about a complete production line, for example one that makes pillows, or foams, or other things, there is also more than 100 thousand euros per machine, plus the time it takes to get it going again, which can be counted as a two-day stop; we don't see that very often in a year.

Another problem, and here we are talking about the connection of the networks, is that these devices are then readily made available on the internet. We will see how successful that is and what kind of result it has. At the end of December last year, we prepared a survey that measured the state and security of domestic devices reachable from the internet. This was a Shodan-based survey, based on a corporate Shodan account. We manually reviewed and validated the collected data, so there are no false positive findings. Shodan also has its own ICS category, so it can search for ICS devices only for those who have such a paid subscription. We studied the area in a wider circle: we focused on the whole OT field, of which ICS is just a single part. It is the biggest part of it, but only a part, because in addition to industrial controllers there are also SCADA, database, HMI, real-time OS, web interfaces, protocol converters, and even the router and Wi-Fi devices preferred in industry. We focused on the protocols and manufacturers that are widespread in Hungary: Lantronix, PC Works, Allen-Bradley, Telesis, Unitronics, Omron, Siemens, Niagara, Emerson, Fronius, ABB. So we tried to cover a relatively wide range of technologies that are more widespread at home.

What did we find? We found that a great many devices are connected to the internet, in very interesting and instructive conditions. The two most remarkable findings are the various Lantronix device servers, which are quite numerous, we found 449 of them, and, if we look at the protocols, the MQTT protocol. That is not an ICS-specific issue, as it is a very common one in the IoT world. However, in 2020 this cannot go unmentioned, because of the arrival of the so-called industrial IoT, which brings the characteristics of IoT into the world of ICS/OT. So now they are using this kind of messaging communication in classical industry as well. We found 85 units of Omron PLC, 120 units of Unitronics, 178 units of Moxa. So you can see that there are plenty of such devices connected to the internet, if we look at the Hungarian segment. If we look at the findings from the perspective of generic protocols, we see that unencrypted protocols are still the preferred ones: Telnet, FTP, SNMP, HTTP, Modbus, MQTT, these are all unencrypted. MQTT had the possibility to encrypt the data, but they did not use it. What is interesting is that HTTP runs on 160 different ports, and altogether there were 611 web applications that are closely related to industry: the web interfaces of Niagara, the interfaces of Fronius, so there is more and more use of HTTP in this area. By the way, when we talk about the relationship between HTTP and HTTPS, we can see that there are 611 applications that make do with HTTP, and only 42 cases use HTTPS. Obviously, the lack of encryption can also be a harm in itself. If we look at the specific industrial protocols, counting MQTT among them, the KNX protocol has a fairly strong presence with 288. We found 120 Unitronics units that speak this PCOM protocol, 83 of Modbus, 17 of BACnet, 12 of DNP3, and the "nice" thing about these protocols is that most of them are also unencrypted. Where there is a possibility to encrypt, it is not used in most cases.

The first of the problems we encountered is access control. I can practically state that the devices we found and to which we had access were not sufficiently examined in terms of access control. It should not be possible to make these devices publicly accessible. There are default passwords on many devices; by the way, Shodan itself can help you here, because it sometimes indicates the default password. But we will see an example where we can assume that a default password was possible on the device. Obviously, we cannot check what is installed on it, but it was possible to follow quite a lot of things from Shodan. Information disclosure applies to all such devices.
These devices are made available with permissions that should not be allowed. For example, here you can see a cooling control on the screen. The HMI is practically a complete factory system, accessible without any login, with read rights, for example. Obviously, this is not the manufacturer's fault. The biggest weakness we found is not directly related to the manufacturer. If we consider that these devices should not be made available, that is not the manufacturer's responsibility, but there are vulnerabilities that are clearly related to the manufacturer, because the system itself can be exploited. That cannot be blamed on the user, unlike the question of why they made it available. The generic protocols such as Telnet and SNMP are quite popular, so these devices should not be exposed at such a level, especially not because of the Lantronix vulnerability, which we will see later. Therefore, it would be better to hide these devices from the internet, put them behind something, and make them accessible only through VPN. In the case of SNMP, there are devices that can be read with the public community string, and the information disclosure there is worth mentioning. Here, internal IPs, the machine name, the PLC name, even the project library: a lot of information comes out of a device that we do not need to spread to the world.

Then there is a more serious story when we talk about the fact that the industrial controller, the PLC, is connected to the internet. This is probably a NAT story, because the same IP address reaches both a Siemens PLC and an Omron PLC; this is probably only possible in NAT mode. The "good" thing about it is that PLCs are made reachable at such a level, while there are a lot of PLCs that have an exploit that can send the device into STOP. We should not expose these devices at this level. It is another matter that in a given case these devices can be stopped or their operation can be disturbed. Especially when we see that there is a 3.02 firmware on the S7, which has a working Metasploit exploit, and it is not as if there were no E300s, because we have seen that there are E300s. Well, it can be written with a little simulation. Yes. And we've tested it, and it works. We don't test it on the internet, we test it in our own lab. In our own lab, for sure. So I tested it at home. You can write most of the notes without any problems. The 1200 version has a 3D version, and the changes are quite simple.

In the case of MQTT, it is also worth considering whether there is a possibility to use a username or another authentication or authorization request. Still, such a request is not used in 311 of the 400 or more devices; 6 devices expect a username and password for the connection, and there are 118 where there is some other authorization request. This is also an authentication problem. This is a picture of a KNX-speaking LOBSON building automation device. There are many more of these, as you can see, and these devices can be scanned with the help of knxmap, which can also give you information in a very simple way. There are also codes for KNX devices that can cause problems for the given device. Our favourite is the Growatt solar inverter, probably a family home inverter. This is not a commercial product, but Growatt inverters are used in industrial environments. This is a good example of how the inverter can be configured, without encryption or authentication, through HTTP.

Fox is also used for building automation. It comes in two kinds: on TCP port 1911 the simple Niagara Fox protocol, and on port 4911 the Secure Fox protocol, which would already use SSL. We will see how it is used. This is an example where the simple Niagara Fox protocol is used. Starting from the internal IP, we see that it is a QNX OS; we can see what kind of device it is. One is a ComfortPoint device, the other is a CentraLine device. The other two are Honeywell devices. These are also available at this level. Fronius is also used for solar systems. There are many Fronius solar power and different-size inverter systems on the net. Most of them show a lack of authentication and authorization, as you can see, and, for example, a lack of encryption: this is also available through HTTP. To be able to configure it, you need to log in, also through HTTP, but it is possible to view the specific firmware version here and look for known vulnerabilities, which came out last December. The lack of authentication is also an interesting device. This is an automatic tank gauge which can be accessed via Telnet. The code shown here is no more than a so-called control code or command code. If someone is connected to such a device via Telnet, then after an escape sequence this code is entered and this answer is received. This is practically the status query. It allows you to see the contents, what kind of fill level, what kind of usage there is. You can configure the device with other codes as well. So in this respect the lack of authentication, encryption and authorization management is present. When we saw the PLC, there was a lack of authentication, but here we can see another example. You can get at the project library and project file and access the device. If the device has a known vulnerability, it can be tested with it. We have seen Fox before; here we can query the status of the devices through the Fox protocol, or the favourite Modbus, which is everywhere, expects no authentication or encryption, and you can even change anything.

We have already talked about the fact that the majority of industrial protocols are not encrypted. This slide was already mentioned in another presentation, and here we can see that this usage is quite typical for these generic protocols. HTTPS is really used only in very specific cases. The lack of encryption was also visible with the automatic tank gauge shown earlier, since it was exposed over HTTP. In the case of Niagara Fox, we found that there are 68 devices that speak this Fox protocol, of which 43 speak only the non-secure Fox, without any encryption, 14 speak only the secure Fox protocol, and for some reason 11 devices have the possibility to communicate both ways. So there are at least 14 Niagaras that use SecureFox, but apparently all 14 certificates have already expired, so they are worthless. And it is not possible to expect these certificates to be updated in the near future on these devices.
We can see the output of the certificate; this is the Niagara AX device, which I have also programmed, and which, nicely, works with TLS v1, which is also interesting, and then we can see that the device probably went into operation in 2017, and in 2018 the certificate expired, so that's all about HTTPS communication. Our next friend is the Unitronics PLC, which is an interesting animal species, because it has a built-in HMI, so it is an HMI PLC. Here we can see that the device is practically accessible, there is no encryption in the communication, and you can read all the necessary information from the device through the internet. By the way, it's great, because PCOM cannot be encrypted. Now that we are at vehicles, there are electric vehicle chargers, etrel systems, also with a lack of encryption, a lack of access control and a lack of authorization management in certain cases, where they made it possible to go in and even arrange free charging, or to prevent charging. Obviously, we haven't tried it. The same with the Saia PCD: through the PCD web server the PLC can be reached on a web-based platform. Here you can see the device name and firmware version, so you can identify the operating system. You can see that it is a 2013 build, so it's not a new one, if we look at it that way.

Then we have a good little Siemens; we have already mentioned that the device runs the 3211 firmware, and its communication can be easily followed: TCP 102, the S7comm protocol, which is not encrypted. If someone uses such a protocol within the network, then with Wireshark you can read these protocols very well. You can see the connection setup, the writing and reading of variables; S7comm is really an unencrypted communication. Of course, Siemens has released its update, and S7comm Plus already has an encrypted protocol, but this is tied to the firmware version, so there is a good chance that on these devices this protocol cannot be used, only with the replacement of the device. Therefore, the risk has not gone down.

Then we have arrived at the already hacked devices. I mentioned Lantronix: there are 449 Lantronix devices, and 3 of them are already compromised. With some kind of automation, one of the known Lantronix vulnerabilities can be used to read the password from the device if it is exposed through the internet. The configuration of the Lantronix is also available on the internet, and you can read the password from the device through it. Obviously, the bot sets the password to 2008 or KCPV, which is a bit of an instructive feature, but 364 such devices are already compromised. If the Lantronix is compromised or not configured properly, these devices are quite dangerous in certain versions. The "good" thing is that this Lantronix exploit was built into Shodan, so if it finds a Lantronix device, it immediately runs the exploit, takes the password from it and displays it in Shodan. So, in practice, Shodan already lists these passwords. Then we have devices that are used for industrial Wi-Fi, for real point-to-point links or connecting buildings. Ubiquiti devices are already compromised in Kilencvárd, for example, which could be a default password or some basic password, because these devices also suffered several attacks: some used default passwords, and some used a known vulnerability that could be used to change the password and change the hostname to the attacker's name. Then, in industry, they also prefer to use MikroTik routers, MikroTik Wi-Fi and MikroTik routers. There are 74 MikroTik devices on the internet which have been infected with the CoinHive cryptomining code. Obviously, there is no CoinHive anymore, but the CoinHive code itself, as you can see, is still in these routers, so they have not noticed that these devices have been infected, and the vulnerabilities through which they were infected are still there.

Then, going back to the Siemens S7 devices, there are more than 60 of them from the 1200 model. The S7 is broken down into 65 pieces, just to show you what firmware versions and dates can be reckoned with. There are 61 devices that have 3.0.x firmware; the release date is around 2013. There is one that is still running on 2011 firmware and three that are running on 2016. S7comm Plus does not yet work on 3.0 devices, but it can work on 4.2 if it is used. We talked about the S7-1200s, where there are such exploits in Metasploit that the device can be sent into STOP, but these devices have a lot of vulnerabilities. It is not certain that it was a very good idea to make these devices available on the internet with these vulnerabilities. The same goes for the Saia PCD device: you can access the web interface of the device, which gives you the firmware version, and you can search for known vulnerabilities. As you can see, there are some vulnerabilities that are very high, and this is the version for it. My favourite feature of this device is the life cycle. This is a MOPS device, which was issued in January 2000, so it reached the age of 20. From then on, it has to be at least 20 years old, like a good sheep. So this is a MOPS device with an XO order, and if it does not get a lightning strike or short circuit, then it will work for at least another 10 years with this old certificate, which has been set up for 20 years.

In summary, these internet-accessible ICS devices are operated with great risk. These devices are not kept under the proper protection, encryption, updating, access control and authorization regulation that would make them really hard to attack in this way. If you are interested in the whole report of the survey, which is more than 60 pages long, you can download it from the link below. Thank you for your attention. And now I will pass the word to Rex, who will show us through two short demos why the basic safety regulations of industrial controllers are important. In the first demo we present what happens if we make a PLC device accessible without access control, and we didn't use the password protection yet, because it's ours. In the second demo we show that if we use password protection but don't use access control, how the PLC password protection can be broken, especially in the case of simple passwords.

To put it simply and a bit more precisely, a PLC is an industrial controller. It is embedded, purpose-built hardware that executes logic. If we are talking about industrial controllers, this is practically the brain of the system. In the next demo, you can see why these devices should be protected. We are not using anything special in the video, only the Siemens software, so practically no pentester knowledge is needed here. For the test I used the latest software, TIA Portal 16, with the latest firmware on a 1200. This is one of the latest devices of the S7 product family. The firmware date is 2020. Here you can see the file; I wrote a simple code which changes the state of the outputs at a 1 Hz frequency. And I went online, you can see that. And I'll quickly go offline again and look at the device.
It is visible here on the device that the outputs change, so that we can see it in the program as well. And the PLC is running. It can be seen that we are able to stop the PLC. So we can say that we have full control over the device now. It can be seen that we have stopped it. So, a nice orange-yellow. Now let's start it back. And here you can see the restart process. It has practically started. That's it for this part.

Now let's look at the attacker's, or bad guy's, side. Here you can see that I have another board built in. Actually, it doesn't matter whether you put it in or not, it just throws an error, so the PLC runs the same way. And you can use the download the same way. You can see that I didn't physically put the board in here. I quickly put a password on it. And now you can see that I also changed the software a bit: this is not the "let's toggle all the outputs at once" anymore, this is practically a running light. And if I turn on the first input, it stops the running light. Now we can quickly download this configuration, and for every hardware download we have to send our device to STOP. This is good for preventing the whole thing from happening while running, and then you can download it to another device, and then you can start the system. You can see the process of how it works on the device. First, we set it to STOP, then it gets the software, it is downloaded nicely, and then the device starts again. As you can see, the software is running differently. This means that we have a target machine that has a controller, and after the download its control gets disturbed. It can be anything: a packaging machine, a manufacturing cell, or even the control of one of the phases of a factory. It can really be anything, industrial control. This will lead to rapid chaos, which operators can't really understand, because whatever they press on the machine side, it won't work as it did before, because we modified the software. This can be noticed relatively quickly, so we haven't talked about precision here, we just hit a huge one. In the case of Stuxnet there was a precision attack; here we struck one big blow. We did a lot of damage with a little energy investment. When the maintenance engineer goes back into the software after this and looks at what happened, he can see that there is a difference between his current software and the one on the system, and he can see that something is not OK. Well, then he tries to load the version that still works, and he sees that the device is password-protected.

It is possible that they try to enter the standard passwords that they use, and this will not work, because the attacker, or the bad guy, obviously set something complicated, which the attacker obviously noted down, and obviously it will not be typed into the factory one. At least they hope it won't be typed into it. It is clear that they can't even stop the device, because it won't work without a password. They open a diagnostic to check what's going on, but they won't see the device even with the diagnostic. They won't be able to tell what happened. They will notice that some software download has happened, they will notice that the PLC has stopped, but they won't be able to tell who did it; they will only notice that something like this has happened.

So even if they open the diagnostics here, it won't work. They try to stop it again, but it won't work without a password. And this memory reset won't help either, because it also needs a password. So without it, it won't work here in the case of the 1200 PLC. Now I've quickly set the bit that I set on the first input, so that the device stops. So the device has practically stopped. You can see that here too. You can't restart it without a password. In a live environment, I don't recommend you to try it out, unless you have permission to do so. In addition to causing financial damage, you can also cause personal injury in some cases. So don't be stupid. So obviously this password can be erased and the device restored with the help of a Siemens memory card, if one is available, which usually is not in the case of the 1200. But this is always energy and loss. You don't have to throw it out, but it will cause a headache.

And then on to the second one, where I see that there is a password on the device. I used an S7-300 for this demo. Here we try to connect online to the device, and it asks for a password right away. We try to type it, but it won't work. We try again, but it doesn't work either. There is no problem with this; we have a very nice, cool little piece of software for this, and it tries instead of us. Let's open it quickly. Here it is. Let's quickly set the connection parameters. This is TCP/IP, right? The IP address is 192.168.0.61. Not 611, 61. Connect. We can see that the security level is set to 3. Here we have the dictionary file, which we have put together beforehand, and we are starting the attack. While this is going on, it is worth noting that these passwords are often written on the machine, or on the side of the machine, so it is written on the machine's area, or on the display. If they are not there, then we are talking about easily guessable passwords, because here it is not people who graduated from university who handle the machine most of the time, but people with eight grades of primary school or a trade school certificate. So we are not talking about complicated passwords, maybe something from a software company, or from the company who made it. So we are talking about really simple passwords, which means that with a few thousand words in our hands, we will most likely have the password. You can see that we have managed to try 3,000 passwords in a speed range. We managed to get it to 5000, but if we have a good word list, it won't take more than a million words, especially if we are talking about simple passwords. So this will happen in a very short time, if not hours. We are connecting again, but with the found password. We quickly type it in. It works; it is visible that the upload is successful, so it works.

Through the two access control demos we could show you that in the case of industrial controllers, we have to pay attention to the security of the devices. In this case, access control is expected to be in place. We have to regulate access control so that it is only available to those who need it, and only those who have access can use the right password to connect to the devices and perform the operations. We haven't talked about the rules of password policy and password management; you know them, and as Rex said, complicated, randomized passwords are not useful in such an environment, and the best way is to change the password when the device itself is changed. However, with a more regular password and rules, we can make it harder for those with bad intentions. Thank you very much for your attention, and have a good time at the conference.
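The following Python sketch is an added example, not code from the talk, the survey or the speakers' tools. It scores constructed inventory records the way the survey findings above were categorised (unencrypted protocol, missing authentication, expired TLS certificate, old firmware, direct internet exposure) and produces the remediation list a defender would hand to the device owner. The protocol sets, the scoring weights, the dataclass names and the sample addresses (documentation ranges) are this example's own assumptions; the survey date is the one given in the talk.

```python
"""Triage of an internet-exposed ICS/OT inventory (added example, not from the talk)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Protocols the survey saw exposed with no encryption of their own (assumed set).
PLAINTEXT_PROTOCOLS = {"telnet", "ftp", "snmp", "http", "modbus", "mqtt",
                       "pcom", "s7comm", "fox", "knx", "bacnet", "dnp3"}
# Encrypted variants where the certificate is worth checking (assumed set).
TLS_PROTOCOLS = {"https", "mqtts", "securefox"}
SURVEY_DATE = date(2019, 12, 31)  # the survey was run at the end of December 2019


@dataclass
class Exposure:
    ip: str
    port: int
    protocol: str
    product: str
    auth_required: bool
    cert_not_after: Optional[date] = None  # only meaningful for TLS protocols
    firmware_year: Optional[int] = None


@dataclass
class Finding:
    ip: str
    port: int
    product: str
    score: int
    issues: list


def assess(e: Exposure, today: date = SURVEY_DATE) -> Finding:
    """Score one exposure; higher means fix first. Weights are this example's own."""
    issues, score = [], 0
    proto = e.protocol.lower()
    if proto in PLAINTEXT_PROTOCOLS:
        issues.append(f"{proto} is unencrypted: credentials and process data are readable on the wire")
        score += 3
    if not e.auth_required:
        issues.append("no authentication: anyone who reaches the port can read or change state")
        score += 4
    if proto in TLS_PROTOCOLS and e.cert_not_after is not None and e.cert_not_after < today:
        issues.append(f"TLS certificate expired on {e.cert_not_after.isoformat()}")
        score += 2
    if e.firmware_year is not None and today.year - e.firmware_year >= 5:
        issues.append(f"firmware from {e.firmware_year}: check vendor advisories; an update may mean replacing hardware")
        score += 2
    # Every record here is reachable from the internet, so the baseline remediation is the same for all.
    issues.append("internet-exposed OT service: place behind firewall/VPN, never directly reachable")
    score += 1
    return Finding(e.ip, e.port, e.product, score, issues)


def triage(exposures, today: date = SURVEY_DATE):
    """Findings ordered by score, highest first."""
    return sorted((assess(e, today) for e in exposures), key=lambda f: -f.score)


def summarize(exposures):
    """The headline counts the survey reported: plaintext vs TLS services, and open ones."""
    protos = [e.protocol.lower() for e in exposures]
    return {
        "plaintext": sum(p in PLAINTEXT_PROTOCOLS for p in protos),
        "tls": sum(p in TLS_PROTOCOLS for p in protos),
        "unauthenticated": sum(not e.auth_required for e in exposures),
    }


# Constructed sample inventory, modelled on the device types named in the talk.
SAMPLE_INVENTORY = [
    Exposure("198.51.100.10", 1883, "mqtt", "MQTT broker", auth_required=False),
    Exposure("198.51.100.11", 502, "modbus", "PLC", auth_required=False, firmware_year=2013),
    Exposure("198.51.100.12", 4911, "securefox", "Niagara AX", auth_required=True,
             cert_not_after=date(2018, 6, 1)),
    Exposure("198.51.100.13", 443, "https", "inverter web UI", auth_required=True,
             cert_not_after=date(2021, 1, 1)),
    Exposure("198.51.100.14", 102, "s7comm", "S7-1200", auth_required=False, firmware_year=2013),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_INVENTORY))
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.ip}:{f.port} {f.product} score={f.score}")
        for issue in f.issues:
            print("   -", issue)
```

Running it ranks the unauthenticated Modbus and S7comm PLCs on old firmware first, the open MQTT broker next, and the Niagara station with the expired SecureFox certificate above the HTTPS-only inverter interface; the per-device issue list doubles as the owner's remediation checklist.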