
Hello everyone. As I've been introduced, I'm Liam and I'm going to talk about OT testing today. Just an intro, nothing too technical. Any sort of technical questions, I'm thick as mince, [clears throat] so I probably can't answer them anyway, but I'll try my best, because I'm a sheep. I'm going to also do a "who am I". I'm Liam, I'm a senior pentester at KPMG and a bit of a nerd. That's about it really. So just before I begin, a quick word from the sponsor, which is Printers, and they've asked me to say it's about time the focus is on someone else. So, what I'm going to talk about today: I did get a little bit carried away, forgetting that it's only 15 minutes, but I will try and speed-run through the boring bits: a few definitions, some small differences between OT and IT, and then more on how we approach an OT test rather than getting bogged down in the other technical stuff, because the approach to OT, in my opinion, is a bit more important than the approach you might take to other types of tests. And then I'll talk briefly, if I hopefully have time, about a case study in South Africa where we did some OT testing on a few manufacturing factories.

So what is OT? A few definitions; you may recognize some of these, you may not. OT kind of refers to everything to do with large-scale machinery, pretty much: big, huge physical machines. It encapsulates all the monitoring, detection and control of physical processes and devices. Under that you've got ICS, which is again a bit of a broad term for the terms underneath. So we have SCADA; those are typically used for data collection and remote monitoring, and you'll typically find these in large-scale environments, power lines, really important in critical national infrastructure. Distributed control systems, or DCS, tend to be in more localized single plants, so you're talking about manufacturing, oil refineries, power plants. And then you have programmable logic controllers, which are kind of what it says on the tin. These are a bit more bespoke, and depending on where you're at, what factory, what environment you're in, these are all naturally programmed to do different things.

Differences between OT and IT. Obviously in the real world it's way more broad than this, but I've tried to split it up into five main categories. So the purpose: IT is more about data processing and security. In OT they focus more on the control and monitoring of physical processes, as I said before. So we have an efficient and reliable industrial systems environment. For IT, it's more offices and data centers, as we're all very aware. Again, as you're probably aware, the technology you're interacting with is a lot more standardized: your Windows, Linux, all the distributions you come across every day. In the OT environment, again, it kind of depends where you are; it is quite broad, bespoke, really specialized hardware and software, which comes with its own challenges which we'll get to later on. Availability: this is more about the downtime. In the IT space, you can have downtime kind of whenever you want to do upgrades; how many times do we get an email on a weekly basis saying "oh, you can't access this system for the next 5 hours while we're upgrading it"? It can happen in OT, but it depends where it is. Again, if you're thinking about nuclear reactors, how often can you just shut them down for 5 hours every other week? Again, that brings its own challenges, which is why the approach is different. Security focus: IT is very much about data security and authorization, confidentiality, integrity and whatnot. OT is very, very heavy on the safety side. I'm going to get into that in a little bit, for obvious reasons. And [clears throat] patch cycle kind of goes to what I was saying about the specialized software and hardware and the lack of available downtime to upgrade things. Patch cycles can be few and far between in OT compared to your Windows; in IT it's all the time. Right.

Testing challenges. I briefly mentioned earlier on how the approach is different, so just starting off with safety again, because [laughter] I'll start by asking the question, actually. This could be a CTF or in real life: who has seen that there's a random computer running a really old operating system, and we all know the Metasploit module. Who's thrown the Metasploit module at it? Raise hands. Who's thrown it without looking and knocked over a server? There's a lot of lies in the room. I'll take it. [laughter] Naturally, you can't really take that risk in OT, because if you do knock something over, you could risk physical harm, whether it be big robotic arms or hazardous waste leaks if something goes down. Again, moving on to the minimal downtime. I've kind of said already about stuff like that, because you don't have much downtime in an OT system. Again, it can vary. If you look at a manufacturing plant, you know, you get two weeks off in the summer, which is pretty standard in this country. Some might not be 24 hours. So you do have kind of time every now and then to upgrade things. But when you're looking at more critical national infrastructure, things are a bit more risky when it comes to shutting things down to do upgrades and stuff, which kind of leads on to legacy systems. Because of that nature, there's a lot of outdated software and hardware with a lot of unpatched vulnerabilities. And that is pretty much because, again as I said, quite repetitive there, where do you get time to upgrade it? And because things tend to be very, very bespoke and specialized, it's not just a case of "well, we can roll that out to everyone who's plugged in across the board all over the country or the world, wherever". So things are a bit more localized and a bit more specialized, so it's not as common to see regular updates all the time. And you also have the legal and compliance side. Industries like energy, healthcare and transportation have their own strict regulations when it comes to security testing and security itself. And particularly with some areas of OT you do have industry standards which you need to comply with when you're doing testing, and particularly when you bring in the approach of how you're going to test it.

So given all those challenges, it's not the most straightforward test to do, but with a bit of planning and a bit of foresight, and just taking your time and being a bit more methodical with your approach, you can still have a lot of fun and you can still find some really cool stuff. For my standards, I was dead impressed with this little how it's going to tick round, which is very simple, but for my simple brain it took us ages to work out how to do it. But day one, naturally, you're pretty much going to be on site. You go in, meet your point of contact and you get plugged into the network, which is typically going to be the IT network. And I know we're doing OT here, but it is really important to also do the internal IT network, because it kind of goes hand in hand with the next bit, which is one of the important bits of this testing: the OT should be working on its own internal network with no internet access, for obvious reasons. But what you want to find is, is there any way of getting from the, even internet-facing, you'd have a field day, but even internally on the IT system, is there any way of getting from there into the local OT network?

So to me that's the all-important part of the test, because of the risks that we've already outlined on the approach to how we're going to test it. Sometimes you don't, strictly speaking, need to actually plug into the local network, because of that risk of what could happen. Again, if you're in a manufacturing plant or an assembly line and things are okay, then you probably will plug in and have a little poke around. But again, you're going to do that really slowly. So your Nmap scans, you're talking top five ports, top 10 ports; you're not going to throw everything at it and risk knocking something over. But because the risks of injury or environmental dangers, there's a bit less of those in your normal manufacturing plant, so you might plug in, as I say, and you might see what you can do there. But if you're talking about more dangerous environments, critical national infrastructure, power plants, refineries, where you really can't take that risk, then you really want to focus on the segregation side, because if there's no logical or physical entrance or way into that local network, then you might want to rethink actually plugging into that local OT network itself. But we're pentesters; we're all going to find a way in, whatever it may be. And that's why we'll normally have a plant walk.

This is where you go onto the actual factory floor and you're in amongst the people with, you know, real jobs, doing stuff, making the country keep going. So you'll go there and that's where you do all of your recon of the factory floor. So you'll be looking around: okay, are any doors open? Is there a server room I can access? Is there any way I can logically or physically get access to some of these machines? And if you can, great. Then that's when you might think about plugging in to one of the PLCs, a HMI, anything with a USB port, or not a USB port, an Ethernet cable point, where you can plug in and get access to that local network. And then when you're in, that's when you start thinking about the crown jewels. So what can you do, theoretically? Can you shut down something? Can you accidentally break anything? Can you take over any sort of robotic arms or anything? I'm conscious of time, so I'm going to move on quickly.

When the fun starts, that's when you need to stop. So as I mentioned in the last slide there before I moved over, once you've realistically found an entrance into the OT network, then stop, and that's when you start thinking: right, what's the risk of actually plugging in? What value do I add? And especially if there's no logical or physical way realistically that someone's going to get into that network, what value do I add by actually plugging in? Like, what's the risk-to-reward ratio, you know? So that's kind of one of the big things you need to think about: even if there is something kind of there, do I really need to plug in? I mean, hopefully the answer is yes and you do some really cool things. If the risk to the reward is like, you know, we know what we're doing, there's no real danger of us plugging in, then obviously you're going to have some fun then. But just to really reiterate the approach of: do I need to? Yeah, because if something goes wrong, what can happen?

>> Don't you have to consider the insider threat though?

>> You do. You do. And that's why particularly, that's where the physical side comes in, because you're absolutely right. Like if someone has keys, yeah, they can go in. Yeah. But it depends kind of [snorts] who's going to go in there. But you're right. You're absolutely right though. The insider threat is real.

Plug in. That's when you weigh up that risk to reward. In a manufacturing factory or assembly line, where the risk of danger isn't all as much, then you might definitely plug in. But if you're talking about electric grids and power lines, then maybe it's not worth the risk. Conscious of time. So I'm going to move on, lastly, to the case study. So in May last year, a colleague and I, Liam Fallen (you all know Liam, one of the crew running the track there today), went to Johannesburg to pentest two factories. And just to illustrate a real-world example of why we go through this, and you start with the IT, the segregation and the OT. What we did was we started off plugged into the network, did your normal scans, and then we found... again, yeah, I'll start again. The reason why we do the IT side is because a lot of small little vulnerabilities and misconfigurations can get you to where you want, which is the OT side. So we found a printer which had all the usernames of who had previously printed anything. We found on the SharePoint the default password for the company, sprayed that against everyone, and we found one that matched: someone who hadn't changed it. So from there we had a valid user account, where we managed to scan kind of the whole network with it, your CrackMap stuff, your standard IT internal infra stuff, and we found a switch which was dual-NICed, where we managed to pivot through that into the OT side. And there, because we had that logical access to the OT network essentially, then we had the okay to plug in. And yeah, we pivoted through and we had full access to robotic arms. We had access to the APC, so we could have shut down everything essentially if we wanted to. Yeah, that's pretty much it. So we had the crown jewels pretty early, and that was on both factories. And the best thing about it is, on day one... oh, sorry, I've run out. Day one, no really copy, and we still got in. No time now, but feel free to find me anywhere. Thank you. [applause]