
...doing a presentation on DYODE, Do Your Own Diode, a low-cost diode for ICS, for industrial control systems. Without further ado. Okay, am I good to go? Do you hear me well? Okay.
So, okay, is it better? Okay, I'm just trying to speak louder. Okay, so thanks for attending this talk. I'm going to talk about a project that we created with one of my colleagues, Ary Kokos, who unfortunately is not here today. This project is called DYODE, which stands for Do Your Own Diode. The idea is to create a low-cost, do-it-yourself data diode aimed at industrial control systems. It can be used for other things, but mainly it was designed for industrial control systems.

So before I start, just a few words about myself. My name is Arnaud, I work as a senior consultant at Wavestone, which is a consulting company. I mostly do penetration testing; I've been doing that for about six years now, and I started working on ICS security, I would say, four years ago, like everyone else, after Stuxnet. I also do a bit of research, hence this project and this talk today. My interest is in security, or Windows Active Directory security; I gave a talk about that a few years back in France, and also SCADA security workshops, so I'm doing, let's say, a 101 session to introduce SCADA security to IT people. I will do that tomorrow morning here at the BSides and also on Thursday morning at DEF CON. And I also like wine tasting and motorbike riding, which is not in the scope for today.

Okay, so we're going to start with what I would call an ICS crash course. The idea is just to give you the required knowledge to understand what an ICS is. So let's start: how can we define ICS? It stands for industrial control systems. These are, let's say, the systems that help people create stuff in manufacturing plants, in power plants, in buildings, in water treatment, also in the pharmaceutical industry. For example, let's say you want to create pharmaceutical drugs: then from the biological steps to, let's say, putting the specific liquid into the vial, to the packaging, everything is controlled by specific systems that we call industrial control systems. You can also find these in what we call critical infrastructures, which means, let's say, electrical plants, dams, the nuclear sector, things that can really go bad if you cannot secure them correctly.

Okay, let's continue. This is a very, very simplified network diagram, just to introduce the components that we can find in an ICS. So let's start from the right. You will see here you have specific devices we will call sensors and actuators. A sensor will simply give you feedback on the physical world, for example temperature, pressure; those are the things you can use as a sensor, and you will have just the opposite, the actuators, that will perform an action in the physical world. Most of these things are controlled, let's say, by electricity. For example, if you have a motor and you apply a specific voltage, it will start spinning. And so to control those devices we use what are called PLCs; that stands for programmable logic controller. Those are, I would say, tiny computers with real-time operating systems, and their specificity is to have electrical inputs and outputs. That means, for example, if I take really the most simple example, you can wire a switch to the inputs of the PLC and wire a light bulb to its output, and then you can program the PLC to switch the light on when you flip the switch. Of course that's a silly example, because you can do the same without the PLC, but the advantage of using the PLC is that if tomorrow, let's say, your industrial process changes, you just have to reprogram the PLC; you do not have to rewire everything. So that's why we use PLCs. Sometimes you may also encounter the term RTUs, which stands for remote terminal units; basically it's a standalone PLC.

So here we are with electrical connections; here we already have network connections. And to program the PLCs and to control them we have what we call the supervision network, or the SCADA network. Actually it's not so precise to say SCADA, but it's the most used term nowadays. On this part of the network you will have, let's say, basically Windows operating systems, standard workstations, servers, and the people working in the plant and factory will be in front of Windows workstations. They will check that everything works fine in the process and click on some buttons to perform actions in the physical world. Then this supervision network is always somehow connected to the corporate network, which is somehow connected to the internet, because you have to read mail and go on YouTube. Okay, so that's basically a
simple network diagram for ICS, and I suggest we continue by introducing the security level of ICS nowadays. So here again I'm oversimplifying, just for the sake of introduction. The problem we have in ICS security: the PLCs, when they talk to each other or when they exchange information with the SCADA network, use specific protocols, let's say Modbus, Profinet, S7, and they all share the same thing: the lack of security. If you're able to, let's say, perform a man-in-the-middle on those protocols, you will be able to understand what's going on, because it's not encrypted. You will also be able to replay some commands to perform actions. But the worst thing is, you actually do not need to be in the man-in-the-middle position, because you can simply send unauthenticated commands. That means that if you're on the same network as the PLC, you can simply send commands to read or set some values. For some PLCs it's worse than for others. For example, on Schneider PLCs there is an undocumented function they use in the Modbus protocol, function code 90, and that's what you use to program the PLC. Since it relies on Modbus, which is unauthenticated, that means that if you can reach the PLC from a network point of view, then you are able to download the program that's running, modify it and then re-upload it. If you translate that to the IT world, it would be the same as: just because you browse a website, you can change the code on the server side. So that's pretty, pretty bad, and you have to assume that as soon as you have a network connection to a PLC, you can own it. That's, I would say, the state of security that I encounter when I perform penetration tests.

Second thing: network exposure. You may think that the PLCs are in specific plants, factories, and so they must not be reachable from the outside. That's not really the case. You have plenty of PLCs directly exposed to the internet. That's a Shodan search I did, maybe last week, so you can see that there are three Modbus devices in Las Vegas. I don't know where; I did not perform any kind of test, that's not my point. My point is to say you have devices exposed to the internet, and as soon as you have network access you can fully compromise the device. So that's really, really, really bad.

Okay, so what can we do? Of course we want to perform some kind of network segmentation, so we have technical solutions: we have firewalls, we have DMZs. That's really, really great, but that's not the challenge. The problem is that, as
Dr. Malcolm would say in Jurassic Park, life finds a way, and it's the same for data. If you try to isolate the ICS network, people will use USB keys, they will use Wi-Fi access points, they will use tethering, they will tether their internet connection with their phone. So that's not the challenge. The real challenge is to be able to perform network segmentation while allowing secure data exchange. Two simple use cases. The first one: sometimes people want to perform security updates on their ICS. Not so frequent, but it happens, so there's a legitimate need to be able to transfer the updates from the corporate network, or from the internet, to the ICS. And the other use case is the need to, let's say, export some production data from the ICS to the corporate network, to be able to, let's say, design dashboards for the COMEX.

A solution to that is the use of data diodes. Why data diodes? You can also call them one-way gateways. They use light as the transport medium, and you can use some of the properties of the specific optical components to have a very secure connection. Why? Because when you use light as the medium, you will have on one side a light-emitting diode that will create light that's going to go through the optical cable, and this light-emitting diode has what we call a junction. So, let's say for those of us that did some electronics, that means that electrons can only flow from one pole to the other and not the other way around. So the security principle is backed by physics, so in theory it's really, really secure. That's the main point of the data diode: it's allowing communication to go only one way, with a really high security level.

Okay, so why did we start this project? It's mainly because of the feedback we had during our assessments. Ary, my colleague, did a lot of consulting for ICS security, I did a lot of pentesting, and we realized that in most of the
cases there were data exchange needs, but they were not done properly: mainly poorly configured firewalls and stuff like that. Also, commercial data diodes: I did not invent the concept, it's been used for decades in, let's say, the defense area, for example. So it exists, but it's quite expensive, so there's a trade-off between the cost and the security. Most of the time a data diode will cost between 5,000 and maybe 50 or 100,000, depending on your needs. So for example, of course, if your client needs to have, let's say, synchronization between the ICS and its SI, maybe it's willing to pay 50k for that. But we encountered a lot of situations where there was a need, but you do not really have a high-availability need, you do not need a lot of bandwidth, and so the client will not pay 50k just for this small need. That's the main problem.

I have two examples here. The first one is about predictive maintenance. That's a concept in which, let's say, often a third party is able to predict which parts in your ICS will wear out and so automatically order new ones. So that's kind of magical, and to do that, what you need, in this specific case, was to send a 100-kilobyte file every six hours. So you see that the size of the file is not really high. If you do not send the file, the process continues to work; that's not a problem, you can send the file the day after. Second example, that I encountered during an audit in the pharmaceutical industry: it was refrigeration units. They were, let's say, maintained by a third party that needed to have real-time access to the PLC data in order to improve the efficiency of the system; that was in the contract. So there again, if, let's say, the connection to the third party fails, the system will continue to refrigerate; that's not a problem. So you have specific needs that do not justify the investment of several dozen thousand dollars. So in those two examples, what did our clients do? Mostly they just connected an uncontrolled third party directly to their ICS, and as mentioned before, that's not a good idea, because if you have a network connection you can just mess everything up.

Okay, so our project is not completely new. It's based on existing work from FLC, a French guy, Austin Scott or Robert Gabriel. The idea is to use standard commercial off-the-shelf hardware and open source code to produce a data diode with a target cost of about $200 per unit. What did we want to do? To have a working proof of concept; we
wanted to try to create, let's say, an easy-to-use solution, easy to deploy, and share the results. Also, just note, we do not have any commercial intent with this project. It was mostly to show that it's possible to create your own device, but if someone is interested in creating or selling those kinds of cheap devices, feel free to do so. We would be happy and we do not want any royalties. We do not want to sell boxes, we do consulting.

Okay, so for the hardware, actually you have the hardware here. What we do for this data diode is we use copper-to-optical converters to have an optical connection between the ICS and the corporate network. So how does it work? First thing, it's not possible just to use a one-way connection, it's not that simple, because most of the protocols that we use every day, file sharing using Samba or Modbus, rely on TCP. So if you want to do TCP you have to do the three-way handshake: you send a SYN, you receive a SYN-ACK, you send an ACK. That's not possible, because if you have a one-way channel you're going to send your SYN and never receive the SYN-ACK. So that's why we have to use two computers, here and here. We use Raspberry Pis because they're kind of inexpensive, and they will be in charge of performing some kind of network protocol translation from TCP to UDP to allow communication to flow through the diode.

So how does it work? Here you have an Ethernet cable from the ICS to the first Raspberry Pi, which is connected to this box. It's the copper-to-optical converter, which then has two ports, one for data emission and the other for data reception. So the idea here is to only have one cable that goes from the transmission port on the first one to the reception port on the second one. Since there is no cable the other way around, data cannot go the other way around. So that's kind of simple, but in real life it doesn't work. Why? Because the first box will not accept to send data if something is not plugged into the reception port. So that's why we use a third converter, just to simulate an active link, but this box is connected to nothing. Then the data will be converted back to copper Ethernet to the second Raspberry Pi, which will be connected to the corporate network. That's the basic idea.

Here you have a picture of the inside of the box. As you can see, it's not so messy actually. You have all the electrical stuff on the left, you have the two Raspberry Pis; that's French, it means the input and output, on the little stickers. Here you have, actually here you have two optical converters stacked one on top of the other, then the third one. As you can see, there's only one cable that goes from here to here, so that's the communication channel, and no channel going from transmission to reception here.

Okay, so just a few words about the real cost of the product. We aimed at $200; clearly we failed. Actually it's more like $400 if we convert the euros to dollars. Why? Mostly because we wanted to have screens. As you can see, you have two small LCD screens; it's not really useful, so that was kind of a mistake, it's really not necessary. And also, what was the most expensive part was actually the 19-inch aluminum rack, but since everyone wants blinking boxes, we thought it's a good idea to put it into a rack if we want to be taken seriously.

Okay, so I'm not going to wait until the end of the talk to perform the demonstration. Of course I have a video backup; I'm seriously hoping not to use it. Oh wait, one more slide. So here, what is the setup? Just consider that this PC will emulate the ICS network, and a VM on my PC will emulate the corporate network, and between the two we have the data diode that is just here. Okay, so the first thing I want to
show you is how to transfer a file. That's the first feature that we did, the ability to transfer a file. Okay, so I'm going to try to do something, which is to film this screen so you can see what's actually going on.
Works.

Well, let's skip the video part. So the idea is quite simple: you copy a file on the network share on the first Raspberry Pi, and the file ends up on another share on the second Raspberry Pi. So for example here, on the corporate network, there's no file at the moment. Okay.

I was strongly hoping not to use the video, but...
Okay, not working so well. So the idea was simply, on this computer, to copy a file, and a few seconds later it should appear on my computer. I can try to open the figure. Okay, yes. Okay, so here is the file copied, just the logo for my company. I will do the same with a slightly bigger file, which is one megabyte. Okay, so let's try again. Okay, so the file is copied on this side, and in a few seconds, or in one minute, it should appear here. I will talk about that later, but the speed is actually not so great, which is not too bad, because as mentioned we do not target high-availability or high-bandwidth needs. Okay, wait a sec, it should appear in a few minutes. So, also, what's interesting is that since there is no bidirectional communication, you can actually use the same IP address on the two Raspberry Pis, which means that you do not have to configure anything on the ICS side or on the corporate side. Okay, so that's the Java file I was sending. As you can see, it's a one-megabyte file, 30 seconds, so really kind of slow, but it works.

The second demonstration I'd like to do, you have it here. I'm going to make the screen slightly bigger. Okay, so that's a Modbus client. So let's say I want to transmit Modbus data using the diode. Here on this PC I have the simulator, and I'm going to change the values that you can see. So I'm going to change the one to a zero and then put the following one to one. Yeah, so as you can see, the delay is maybe about 500 milliseconds or 1 second. Works quite well. So those were Modbus coils; of course we can do the same with Modbus registers. So I'm just going to put one, two, three.
Yeah, and as you can see, it's modified. Okay. And the last feature, which is kind of interesting, is the screen sharing. So let's say you're on your ICS, you need the help of your vendor to perform some debugging operation, but you do not want to expose RDP directly to the internet and let your provider do whatever he wants to do. So with this solution we offer one-way screen sharing. That means, using a simple web browser, the third party would be able to see what's on the screen, and being on a conference call with one of your employees, it can help you click on the right icons and perform the action, but you keep doing the action; it's not the provider that does the action. So that's, I think, a better security mechanism. So here also, as you will be able to see, there's about a 1-second delay if I move the... yeah, it's going from this PC to this one. The screen sharing goes from the ICS network to the corporate network, or to the internet, let's say. I'm going to explain the whole workflow in the following slides. And also, as you can see, yes, let's just open a video. It's really not suited for video; you have one or two frames per second, so it's really not working that well. However, the resolution is high enough to let you really see what's written, so I think that for remote maintenance it works kind of well. Okay, let's switch back to the
slides. Okay, so I talked about the hardware; now I'm going to talk about the software. We wanted to have a working solution quite quickly; we didn't want to invest six months in development. So what we did is reuse something that already existed. It's called UDPcast; it's an open source application and it has a feature to send data through a one-way channel. It was mainly designed for satellite communication, where the downlink is quite cheap but the uplink is expensive. So using this application we were able to, let's say, have the core of our product, and we produced some Python code to use that application to do file transfer, Modbus transfer and screen sharing. We also have a quite easy-to-understand configuration file, and it's only about 500 single lines of code.

So what happens when we transfer a file? On the ICS network, you're on a PC, you copy a file to a share. Then what the Raspberry Pi will do is calculate a checksum of the file, put the checksum and the file name into what we call a manifest file, which will be sent to the second Raspberry Pi, and then you send the actual file. You receive the file, you calculate the checksum; if the checksum is the same as in the manifest file, that means the data transfer went well, and so the file is copied to a network share and you can access it from the corporate network.

For Modbus, how does it work? You actually have a Modbus client on the first Raspberry Pi; every second it's going to request some values from the PLC, put those values into a JSON object that's going to be serialized and sent using sockets to the second Raspberry Pi. It's going to be deserialized, and on the second Raspberry Pi we have a Modbus server that we instantiate, and the values of the Modbus server will be updated with the values sent by the data diode. So that means that on my PC I was not directly addressing the PLC, I was addressing the Raspberry Pi inside the diode.

Lastly, the screen sharing workflow. So on the PC whose screen I want to share, I have a PowerShell script, it's really easy, maybe 10 lines of code, that will take a screenshot every 500 milliseconds and save it to a network share on the first Raspberry Pi. Then the Raspberry Pi will use sockets to send the picture to the second Raspberry Pi, on which we instantiate a web server that will serve an MJPEG file. That's technology that's mostly used for webcams. So that means the client does a GET request to the MJPEG file and then the server keeps sending the new pictures, and it looks like a video where it's just a series of pictures. Yeah, does that answer the question of how it works?

We may now take a look at the configuration file. So as you can see, it's quite easy. We have, let's say, the useless stuff like the name of the configuration, the version and the date. Then we have some properties about the Raspberry Pis, IP and MAC address, because then again, since the data only flows one way, you have to use static ARP. The first time we tried to make it work it didn't work at all; it was because there was no response to the ARP broadcast. And then you just define all the modules that you want to use. So at the moment we have three types of module. File transfer, it's called folder; so you just have to choose a port number, which must be unique, and the file path for the input and the output. If you want to add a Modbus PLC, you just type modbus, then you define the IP address of the PLC, then you define on which port on the second Raspberry Pi the server will be instantiated, and then you define the values that you want, because we cannot copy all the values, it would take too much time, so we just define what kind of values we want to copy. And lastly, the screen share looks like the folder; it's actually kind of the same directive in the configuration file. So as you can see, it's quite simple to use and to configure, and the configuration file is the same on the first and second Raspberry Pi, so that's easier.

Okay, now this is an interesting question that I received one morning from one of my colleagues, who came into the office and said: what's all the fuss about this diode? It seems overly complicated; I can just use an Ethernet cable and cut two of the strands inside, for example the two reception strands, and then I
have a one-way communication medium, that's easier. This is kind of true. However, as mentioned, the main problem is that most of the protocols use TCP, so you still need to have the Raspberry Pis, for example, to perform the protocol translation. And then, this may sound NSA-like, but in theory if you use an Ethernet cable, even if it's cut, and you use half-duplex mode on each side on the Raspberry Pis, you may perform port-up and port-down actions, and that may be used as a side-channel attack. So actually, using light as the medium is the only thing that ensures that there is no back communication. But actually you can build a working solution, secure enough, without the optical-copper converter; that's one option.

Okay, then what are the limits of this project? So at the moment it's really, really slow, maybe one to two megabytes per second tops. And also there was a high latency caused by the file transfer, because, as mentioned at the beginning, we use UDPcast, so from the Python code you use an external binary which displays some things on the console before really launching. So you have at least a two-second delay, which is not good for Modbus and screen sharing. So we replaced that: we only keep UDPcast for the file transfer, and we use a very basic, naive implementation using Python UDP sockets to send the Modbus data and the screen sharing. Other problem at the moment: let's say this box is not production ready. It's working, but it needs, let's say, more error catching; it may be a bit buggy. And also the components are not really meant to be used in, let's say, harsh environments like we sometimes encounter in ICS, so it's not dust-proof and stuff like that. But it's working quite well at the moment.

Okay, so maybe we can take a step back. So I explained what an ICS is, why
we need data diodes, how my data diode works. Then let's think: is it magical? So the whole idea of doing a data diode was to have data flowing only one way, but as I mentioned at the beginning, most of the time you need to exchange data in two ways: updates, antivirus signatures need to flow from the corporate network to the ICS, and the production report needs to flow from the ICS to the corporate network. So in reality, in the real world, you may end up using two different data diodes, one on one side, one on the other side. So yes, you will still have a high level of security, but that goes a bit against the principle of having one-way communication. In reality, it's not that easy to have one-way communication, and you may imagine that a malware may be able, it's going to be very complicated, but it may be possible, to have a communication channel with the command and control that goes through this diode on this side and through this diode on the other side. So I'm not saying that data diodes are not good, I'm just saying it's not magical and it's not as simple as putting this box to secure everything.

Next, still on the same topic: what exactly does the diode guarantee? Only one thing: data is flowing one way. So that means that if you want to have a secure solution, you still need to perform all the kinds of logical security and hardening that you perform on your devices. If the output Raspberry Pi is not secure enough, you have default credentials, SSH exposed, you may be hacked. That means someone could perform a denial of service, or could also, let's say, modify the Modbus values on the fly. So it's not enough to have one-way communication; you still need to perform standard security.

Okay, the roadmap for the project. So the next step that we want to take is to make it more reliable by using a heartbeat feature. What we call a heartbeat feature is the ability to send a defined file, maybe every half an hour, and so if we do not receive the file on the second Raspberry Pi, we raise an alert, or we send an alert to the syslog, to say, hey, something is wrong. A bit of security hardening. We aimed at the beginning at providing complete and ready-to-use images for Raspberry Pis, but that takes time. Possible improvements for which we may need your help: adding more protocols.
At the moment you have file transfer, Modbus and screen sharing. We'd like to have the S7 protocol, the one used by Siemens PLCs. It's not too hard to do, I think, because there are open source libraries that will help us. It could also be interesting to have a syslog feature and an SMTP feature, maybe integrate some kind of integrity check on the data; having cryptographic signatures on transferred files would also be interesting for high-security environments. I think it's not going to be that hard to implement. But really the next big project is this one: the ability to use infrared as the communication medium, because that would allow us to, let's say, remove the three copper-to-optical converters and just have a light-emitting diode on one of the Raspberry Pis and a light receptor on the other side. So of course that's going to be really, really slow, but if you just need to, let's say, synchronize Modbus values, that's enough. So with this solution we aim at a solution of about $50, maybe, if we use Raspberry Pi Zeros and just infrared devices.

Okay, I think that was really, really fast. So the code is on GitHub. The code on GitHub is working; however, it's not the latest version. I actually did some modifications and improvements just before leaving and I did not do a git push, so it's on my work computer that's in France. So maybe if you want to try the project, wait just one week or two so I have time to come back and push the new version. But the version that's on GitHub is working; it's just not as reliable as the latest one. And so, again, if you want to help with this project, if you find it interesting, just do whatever the hell you want with it. We do not want anything; we were just hoping to help and to show that if something is missing from a security point of view, be it in software or in hardware, maybe there's a solution to do it yourself. Okay, so do you have any questions?

Wonderful. I'm going to open the floor up for some questions, but I'm going to cover something I missed: I do some name dropping of our sponsors. It wouldn't be possible if it weren't for people like VerSprite, Nativity, Tenable, Amazon and Source of Knowledge. Thank you.

Yeah, I had a question. You were sending info from one Raspberry Pi to
two Raspberry Pis, one of which would respond. How did you split the light between the two so it went both ways instead of just one? Okay, you were talking about this slide maybe? Oh yeah, you did an Ethernet converter between the two top ones and Ethernet on the bottom. I didn't quite understand how you sent it both ways to two Raspberry Pis, for transmit and one receive.

Okay, so I'm going to do it again. So here you have your ICS devices. They talk using standard copper Ethernet to the first Raspberry Pi. This one has a second network interface connected to the Ethernet copper port on this optical converter, which then has the transmission optical port connected to the optical reception port on this one. And so this one is only used because, if you plug nothing into the reception port, the converter thinks that it's not working. So this is just to emulate a valid signal on the first converter to make it work; if you do not do that, it's not working.
I know that on some models this feature can be disabled; on some of the optical converters, the one we found on Amazon, we were not able to disable it. But someone, actually a call-for-papers reviewer from another security conference, gave us an interesting solution. He told us we can use an optical splitter to actually put the transmission signal back into the reception port. So that could actually be cheaper, but the problem is those things, you do not find them on Amazon, you have to buy them from, let's say, China, and actually the shipping cost was so high for one or two splitters that for us it was cheaper to stay with the converter. But let's say on a mass-scale production you would replace that with a splitter; that should work.

Hi, did you consider using an optoisolator chip, which you can get for about $2, and just run serial through it? You can run those up to 10 megabits and it wouldn't cost very much. It's a standalone chip that has both the diode and, like, an LED built right into it, and they're used pretty commonly for isolating electrical circuits from each other. I'll check it out; it might be a way to really reduce... How do you call that again? It's called an optoisolator. They're used a lot of times to divide different parts of circuits from each other electrically. Okay. And I think that would probably be right up your alley for this particular project. Okay, thanks. Anybody have any other questions?
No, actually we thought the solution that we implemented, where you have a client on one side and a server on the other side, was maybe the most straightforward. So yes, a proxy would definitely work, but I think it would be more complicated from a software development perspective to code the specific proxy stuff, whereas here I can just reuse existing libraries; for example, for the Modbus client and server I'm just using existing Python code. So that's why it was so easy and hence so cheap to do that. Yeah, good job. But that's not, I think, the most efficient way, I know that, but that's the cheapest way, I think, at least without using the optical isolator. All right, all right, well, let's give another round of applause to our presenter. Thank you.
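Editor's note: the file transfer workflow the speaker describes (manifest with checksum first, then the file, verification on the receiving side) is worth seeing in code, because a one-way link changes what the receiver can do about errors. The block below is an added example written for this page; it is not the DYODE code and not UDPcast, and it makes its own assumptions: a fixed chunk size, a one-byte type tag plus a 32-bit sequence number per datagram, and repeating every datagram a few times in place of UDPcast's forward error correction. The link is simulated in-process with constructed `drop` and `corrupt` sets so that it runs offline; over the real diode each datagram would be a UDP `sendto()` on the emitting Pi and a `recvfrom()` on the receiving one.

```python
"""One-way (diode) file transfer: manifest, chunks, verify.

Added example, not the DYODE project's code. The datagram layout, the chunk
size and the repeat-based redundancy are assumptions made for this page.
"""
import hashlib
import json
import os
import struct

CHUNK_SIZE = 1024      # payload bytes per datagram (assumption)
TYPE_MANIFEST = b"M"   # one-byte type tag (assumption)
TYPE_DATA = b"D"


def sender_datagrams(name, data, redundancy=2):
    """Emitting Pi: the datagram sequence for one file.

    There is no return path, so the receiver can never ask for a retransmit.
    The only defence against loss is to send everything `redundancy` times and
    let the receiver de-duplicate by sequence number (UDPcast uses FEC instead).
    """
    chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)] or [b""]
    manifest = {
        "name": name,
        "size": len(data),
        "chunks": len(chunks),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    one_pass = [TYPE_MANIFEST + json.dumps(manifest).encode()]
    for seq, chunk in enumerate(chunks):
        one_pass.append(TYPE_DATA + struct.pack("!I", seq) + chunk)
    return one_pass * redundancy


class Receiver:
    """Receiving Pi: reassemble by sequence number, then verify the manifest."""

    def __init__(self):
        self.manifest = None
        self.chunks = {}

    def feed(self, datagram):
        kind, body = datagram[:1], datagram[1:]
        if kind == TYPE_MANIFEST:
            if self.manifest is None:          # duplicates are expected
                self.manifest = json.loads(body.decode())
        elif kind == TYPE_DATA:
            seq = struct.unpack("!I", body[:4])[0]
            self.chunks.setdefault(seq, body[4:])   # keep first copy seen
        # anything else is silently dropped: nothing can be sent back anyway

    def result(self):
        """The verdict the receiving side would log; never a request to resend."""
        if self.manifest is None:
            return {"ok": False, "reason": "no manifest"}
        expected = self.manifest["chunks"]
        missing = [s for s in range(expected) if s not in self.chunks]
        if missing:
            return {"ok": False, "reason": "missing chunks", "missing": missing}
        data = b"".join(self.chunks[s] for s in range(expected))
        if (len(data) != self.manifest["size"]
                or hashlib.sha256(data).hexdigest() != self.manifest["sha256"]):
            return {"ok": False, "reason": "checksum mismatch"}
        # The real receiver writes into a share: the file name comes from the
        # untrusted side, so strip any directory part before using it.
        return {"ok": True, "name": os.path.basename(self.manifest["name"]), "data": data}


def transfer(name, data, drop=frozenset(), corrupt=frozenset(), redundancy=2):
    """Simulated one-way link: datagram i is lost if i in `drop`, and has its
    last byte flipped if i in `corrupt` (both sets are constructed test inputs)."""
    rx = Receiver()
    for i, gram in enumerate(sender_datagrams(name, data, redundancy)):
        if i in drop:
            continue
        if i in corrupt:
            gram = gram[:-1] + bytes([gram[-1] ^ 0xFF])
        rx.feed(gram)
    return rx.result()


if __name__ == "__main__":
    payload = bytes(range(256)) * 10           # constructed 2560-byte file -> 3 chunks
    print(transfer("../../etc/report.csv", payload)["name"])   # report.csv
    print(transfer("report.csv", payload, drop={2, 6}))        # both copies of chunk 1 lost
```

Because nothing can ever come back, the receiver can only report what went wrong (missing sequence numbers, checksum mismatch, no manifest); the sender's only mitigation is redundancy, which is why a FEC-capable tool such as UDPcast matters on a link that drops packets. The `basename()` call is the check a practitioner wants before the receiving Pi writes into a share: the file name is data from the other side of the diode.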