Hacking ICS & OT Networks - Joseph Foote

BSides Basingstoke · 2025 · 30:51 · Published 2025-09
Category: Technical
Style: Talk

Transcript [en]

Everyone, it's 3:00. I'm going to get started. I've got quite a bit to run through, so I'm going to try and speed through some of the simpler bits and hopefully keep the more important bits in depth. There are some questions at the end, and if I run out of time, please feel free to find me around the outside, the bar, etc. and ask if you like. So what I want to cover is critical national infrastructure, operational technology and industrial control systems. I'm going to try and explain what these are, give you some examples and make sure it's as clear as can be. But this is more of a primer, sort of how to get started,

what kind of approach you need to take to get into this part of testing and the services that we provide. So who am I? My name is Joseph Foote. I'm a senior consultant working with a London cyber security firm specialising in mobile hacking, so iOS and Android, but in terms of my day job I'm doing infrastructure, web, a bit of cloud, pretty much everything you can imagine all mixed together. And then as hobbies: hardware, PCB design, development and posting. You'll find my blog, there's a link to it, and find me on Twitter at false privacy. They're not particularly active at the moment, so give it a little bit, maybe a couple of weeks, and I'll try and get the blog live. I'm tidying things up

and you'll see more activity, and I've got a little slide at the end of kind of my blog coming soon, so I hope you find it interesting. As an overview I want to cover what CNI is, the CIA triad model, some examples of protocols that you might see in an OT environment, case studies and, if I have time, hopefully a quick demonstration of what a security gate might look like. So what is critical national infrastructure? These are the kind of things that are practically part of your everyday life and in a sense necessary for most of us to live comfortably. Things like power lines, lamp posts, transportation systems, motorway services, water, gas, electric, communications, power plants etc. Things that are, again, very necessary for us to have a life and

everything around us to operate smoothly. In terms of OT networks, an operational technology network is what's used to actually facilitate and run all the utilities like power plants, water etc. A different kind of approach and mindset needs to be taken: segregation must be high. You can't have cross-talk between different systems. You need to be very careful, very selective about what goes where, how it communicates, how it's secured. Internet access is typically non-existent. However, if there is internet access, it will be disallowed by default and ideally purely on a whitelist basis of what can go out. That might be update URLs, that might be, you know, patches. It might be a very specific corporate

resource that has to be accessible, but as minimal as possible. Bless you. It must be always available and reliable. If these were to go down, you might have no electric, no gas, your water might stop working, you might not get fuel for a period. All these are problems both for business and for us. And then it must be secured against threats. So while the business is very important, you can't exactly say the network will just be insecure, built by anyone or left completely wide open. There are bad actors and they will take malicious measures given the chance. And then finally it should be cost effective, and this works in tandem with availability, i.e. all the systems used are tried and tested

and they're known to be reliable because they work. However, these systems also tend to be a little bit cheaper. You can run them for longer, keep them going, and everyone's happy because of it. Now, you might be familiar with the CIA triad in IT. So in information services, in IT, the CIA triad has confidentiality as number one. If a web service goes down for 10 minutes, no one really cares, so long as your account is secure and your password and your accounts aren't accessed maliciously. And then you have integrity and availability. But in manufacturing, availability is king; it has to come first. Then integrity: you can't change customer data, billing data, change sensor output etc. And finally confidentiality; let's not say it's more important, but the

primary concern is always going to be keeping this up and online. So I want to give an example of the Purdue model, and this is something we reference continuously in every OT test we do; be very aware of this, and a client is potentially going to use this as a baseline architecture, a guide for how they do things. You can find this online, variants of it, but typically it will look something like this. So at the very top, level four, you have your enterprise network. That's your corporate network. That's where you walk into the office, connect your laptop, and you land on some VLAN somewhere. You'd have things like workstations, email servers, DNS servers, file shares,

all that kind of thing. On 3.5, you have a DMZ, an intermediate layer of sorts. You have a jump box, which certain individuals in corporate might have access to, typically behind a PAM solution, so privileged access management: say only these accounts can come through, they can access these specific IPs into this Windows machine, and you need two-factor authentication, or perhaps more than that in some cases. Your patch servers: so these will be things that serve, for instance, your Red Hat updates and your Windows updates. However, the updates going onto that server have to be tried and tested by the product teams, meaning it's typically months behind your main updates for, say, Windows and Red Hat. And then you have a historian mirror. I'm

going to dive into what a historian is momentarily. Let's detail that in a second. At level three you have manufacturing operations. So that's in the middle: your engineering workstations, your main [inaudible], read-only access and file servers, other bits. But let's focus on engineering workstations for a second. The engineering workstations are where technical individuals who have authorisation will get to land on the network. On that workstation they access part of your environment; it's most critical, again very selective, and has to be secured. However, when they try to jump down, they might have to scan the network, might have to directly or indirectly control PLCs. It depends on how things are set up. The engineers typically have to do these things

to do, say, code changes for updates, to verify the environment is running properly and maybe in rare cases change the code on the PLCs. I'm going to dive into what a PLC is soon, so just hang on for a second. Going back to the historian just for one moment to give some context for the rest of this: the historian essentially stores sensor data from the basic control, more of your sort of physical, your manufacturing side, say. These are how things are operating, what the uptime is, were there any errors, and engineers and perhaps sometimes higher-up people can reach reports directly or indirectly from this on the network and make sure things are working, or know whether or

not engineers need to be sent out to fix something in the physical world, not just digital monitoring. So I want to give some protocols, specifically some of the most common. There are others. Green network. If you saw the talk about OT in boats and ships before, you'll find out there are quite a few variants, but for now I'm talking more in terms of power plants, energy providers, water, gas. These are things we're more familiar with. Modbus is a serial and TCP protocol, in some cases very simple. Maybe run through: you've got IEC 60870-5-101, quite a long name I know; the others are simpler, it's not going to [inaudible]. But some that have two parts, 101 and 104, serial and

TCP respectively. And then DNP3, which can be serial or Ethernet, using [inaudible] nine times out of ten, but there are other environments where it's necessary. Each protocol has its own pros and cons, strengths and weaknesses and use cases, and the companies that use these, it can be vendor dependent. So depending on where they buy their equipment from, they might be locked to a specific subset of protocols. For Modbus, when the serial one is here you get a little idea of what the protocol looks like. I haven't got time for the specifics of each, but I did want to give an overview, so I'm just going to flip through these, a TCP example. And one thing I want to state before I move on: Modbus is not encrypted.

It might need to be wrapped with another protocol; you put it through a private link, for example a VPN tunnel, but you're limited in what you can do. Ideally it should be something that's point-to-point

serial rather than a standard TCP connection. DNP3 doesn't support encryption in how it works. However, there's a V5 variant that supports native encryption. This might be used where you've got a wider network, more access, more machines, more unknowns, more variables. We have the protocols. Well, you can get a sense, and they're all laid out in such a way that we've gone from the more quite simplistic down to DNP3, which is a little more complicated, or more complicated. Again, each of these is sort of an extension: there's a necessity for them to exist, and oftentimes they can read more common information. Finally, we have Profinet. There are other protocols, but these are the examples I wanted to give as a quick

overview. This is something that would be used more in factories. It's interesting because it runs on top of sort of standard Ethernet. So you use Wireshark and you look at the frames going through, and if you look at the frame you see the type: for IPv4, for example, you might see the type of hex 800, but for Profinet you see something more like hex 8892. Now there are multiple variants, so it might be a bit different for you, but just as an example I just wanted to give that. One thing I should mention about these protocols: they're all used for largely the same purpose, to read sensors, instruct machines and actuators to do certain things, and to hopefully provide

feedback to SCADA systems. I'm going to talk about SCADA shortly. You can think of it as sort of a hub where engineers can sit and there's control, feedback, reporting, system analytics and a general overview of factory health. Now the attack vectors on these can range from simplistic to very complicated, but however the modern flair works, the same attack vectors come up again and again. A standard person would look for a suitably positioned attacker. Physical access is often mitigated quite well: you'll see in power plants and factories those huge fences around, barbed wire, multiple doors that require a badge to get into, and then there might be more oppressive security, let's say armed personnel that'll be circling around watching,

depending on the seriousness of what you're looking at. This can be on the very extreme side, but it definitely depends on what you're looking at, and this is why hackers might prefer to look at something like a warehouse that's directly connected to the network, the operational technology network etc., but has less security, be it physical or digital. And finally you have the good, common phishing: compromise an employee. So whether it's a malicious insider or someone that's being coerced into helping with an attack, which is gutting. Now I want to make this into a bit more of a real-world thing. Most of you have probably heard of Stuxnet before, but if you haven't, don't worry, have a refresher. I appreciate the picture is a little bit hard to see in the

background. I put a darker background on it. The projector is not as bright as at home. However, you see these metal cylinders here. These are uranium enrichment centrifuges. On the outside, I believe to the best of my research, there are cooling pipes to keep the centrifuges at temperature. You see some scientists in the background, various mechanical equipment, and essentially this would be used to heat uranium, or enrich it, to make it into something more suitable for nuclear fuel. I'm going to talk about that in a bit more detail. As a disclaimer, all this is to the best of my knowledge. Stuxnet is not exactly the best documented thing. A lot of it is hearsay: people claiming that they were in the know and they put out information

about it. That does not say any of it's guaranteed to be factual. So please bear that in mind and do your research afterwards if you're interested. It is not a sort of direct accusation of, sorry, any one singular person, entity or entities; that is left to you to research as you please, and it's intended to be educational, so please don't use this to break factories. As a quick refresher of terms: OT is operational technology, ICS is industrial control systems, and we've got SCADA, supervisory control and data acquisition. These will make more sense with what they control: programmable logic controllers, your PLCs, and then they are programmed with something called ladder logic. It's a quick overview, which is a lot to take in, but ladder logic can be

thought of as a stack of nested statements with conditions to be met, actions to be performed, and then more depth as they go along, and sometimes back out, but forward; it depends on the system they're controlling. So what is Stuxnet? Stuxnet is a worm. It means it spreads between devices and computers, replicates itself, and in this case was highly sophisticated. In fact, the security researchers that reverse engineered it said they spent months and months; instead of taking one day to reverse engineer something, they took three to six months, and it had both been well written and was highly sophisticated. Stuxnet targeted Iran's nuclear enrichment program at the [inaudible] nuclear facility. It was the first major publicly

disclosed malware to specifically target ICS systems and industrial control systems, and its code name was Olympic Games, which is interesting. Finally, Stuxnet was approved, and this is speculation, but although it was never admitted, a lot points towards it being approved by George W. Bush and later Barack Obama when he came to power. So who investigated it? We have Symantec, Kaspersky Labs and a group which I believe is one or two individuals, maybe a larger group now. No worries. Now again, speculation here, but the generally accepted theory is it was in development around 2005; retrospectively its first known deployment was mid 2009, it was discovered in mid 2010, and slightly after that analysis began by various groups

including Symantec, who had it first, who did the best job; they argued with each other, very hard to say. And finally Stuxnet was disclosed around 2012, but there were early accounts and forms of messaging on boards. So exactly how far back you take it is up to you. Now, it wasn't officially attributed to any one threat actor. No one officially claimed it, and perhaps no one wanted to. But the evidence points to a joint operation by the UK, US and Israel; specifically the NSA and the CIA in the US, and the military's Cyber Command. Within the NSA, the Tailored Access Operations branch were essentially credited as developing the malware due to its sophistication. As a

little bit of trivia, accounts say that people working down there were mega nerds who had like [inaudible] on their desks but were the elite hackers in the world. So that was the US. Within the UK, GCHQ, primarily for intel, and then Israel's Unit 8200, intel and action. It likely cost millions or more in development, but as cross-government programs go, that's probably the biggest, times 1000. And then finally, while not directly attributed to Stuxnet, multiple assassinations were reported, specifically of high-ranking individuals, scientists involved in the program, and whistleblowers, alongside people that may or may not have introduced the malware into the environment. Method and exploitation. So Stuxnet used Windows zero days, four zero days to be specific. We're going to talk about

those shortly. It also pivoted through network shares and vulnerable services, mainly vulnerable to the zero days, basic discovery of machines on the network, nearby companies and contractors, and what I mean by that is vendors nearby, technical support companies, people with equipment; all were infected. But as the story goes, apparently they just dropped some USB sticks outside and people plugged them in. I don't know if that's true because it sounds silly, but it could quite well be. It was an early time for security. This is a Siemens PLC, an S7-300 model, in the Iranian nuclear facility, the [inaudible] plant. They used the S7-300 and the 400 model. I want to give a quick sort of visual. This is so you can

get an idea of the size and its purpose. On the front you have indicator lights, monitoring, diagnosis etc. But this machine essentially would have had a connection to the SCADA computers, the devices that program and monitor them. It would report feedback to the SCADA equipment. And it would have had various run cabling to control things like motors, lights, intakes for air, oil pumps, all kinds of things like that. So what was the purpose? Why we think, again best guesses: they did it, well, for panic, disruption, causing significant delays to the Iranian enrichment program, Iran's nuclear program and potential weapons. The US had run out of diplomatic, passive means to stop Iran from developing nuclear weapons, or as they

would put it, they're trying to make nuclear reactors and they need enriched fuel. The part of the isotope they were using was unsuitable for power, very suitable for a warhead; you know, weigh it up. The US had their concerns. They tried, and they knew supposedly if they didn't take action, Israel claimed they would. They would bomb the plant, ineffectively, because it's so far in the ground, and that would cause tensions within the Middle East, and Israel apparently would expect the US to finish the job after [inaudible] using a huge amount of air [inaudible]. They had [inaudible] plans. So initial entry, a little bit, but supposedly USB flash drives, as unbelievable as that is; people just picked

them up and plugged them in, and that led to it going onto an air-gapped network that was intended to be off the internet, completely inaccessible, with multiple layers of both distance and physical security. Now my best guess from everything I've read and researched is it compromised and deployed onto machines. It jumped between security boundaries and leveraged all the mentioned security issues with zero days to gain privileged access to the machines and the network. So to do this they were required to digitally sign the malware. Now you would think the US government would go to Microsoft and say give us some certificates to sign things with, but apparently that was too obvious. Instead they decided to steal from two companies based in, well, two

Taiwanese companies, Realtek and JMicron. I know this was related to both, so the second one was next door. I don't, I'm not joking, they just moved to the company next door and stole that one instead. Researchers, reporters, journalists claim these networks were highly secure, sophisticated, that no one could have possibly got in but the most specialist of agents. However, in practice there's a good chance it was on a [inaudible] share. And then finally, earlier entry is suspected because of the in-depth knowledge they had of the internal network within the enrichment plants. Supposedly the US had sent several employees again and again for regulatory reasons to put things like little special anti-tamper devices on

centrifuges, storage etc., and equally make sure that the amounts of nuclear material match what's expected. During that time there was a good chance to have got some kind of device into the network and found a way to begin mapping it, and apparently Stuxnet also mapped things. So both on the way it came in and exited via the media, it would condense the network map and the machine information into its own binary. So it left the estate on, say, a USB stick or something else it had access to within its bounds. It would self-report that information back once it escaped to the internet. So on to development: again, the group, and supposedly as the story goes, they had a replica of

a centrifuge, the same kind used in the original plant, and they managed to destroy it by controlling a PLC. So they spun it up to around [inaudible] 300 RPM, so revolutions per minute, for the main motor within the centrifuge. This caused the banana-shaped arm inside to create a resonant frequency within the device, causing it to slowly disintegrate itself. Once they managed this, apparently they took it, flew out to the White House, presented it to George W. Bush, and once he'd picked up the pieces and was satisfied they were strong enough, he gave the go-ahead for the program. So what did the target logic look like? This was very sophisticated. This is the reason that Stuxnet probably didn't

affect people at home or other companies. Well, it looked for Siemens-controlled PLCs and the SCADA software that programs them, Step 7 PLCs specifically, because the SCADA software would have the necessary information, the keys and access for these PLCs, so it makes sense to target those parts. Again, it looked for the S7-300 and 400 models specifically because they knew that was within use, due to insider knowledge of the internal estate and equally probably to records of what they purchased from the nearby vendors; the specific network layout, system information, down to things like time parameters, rules, serial numbers, the batteries, and it looked for six groups of 164 systems. Let me now make it a bit more clear:

within these groups were group one, sensitive systems, so the actual centrifuge material among other things. These were made from carbon fibre and metal, run at high RPM, very sensitive, supposedly kept at temperature for reasons; but if anyone knows about how different materials behave, carbon fibre shrinks when it's heated and metal expands, so you can imagine these various devices are kept at a specific temperature, used in a specific way and actively protected. Group two: frequency converters within the centrifuges to make them spin. And group three, slightly less important: backup systems, configuration systems etc. But this wasn't as important for Stuxnet. What did that process look like? First and foremost, to evade detection. Stuxnet was pretty much invisible, and

it remained that way for a very long time until, for good reasons which we're going to talk about as well. It exploited and injected malicious ladder logic into PLCs via the [inaudible] bus protocol, but also via Step 7 as well. Now its goal was to manipulate centrifuges, so the motor speed, about 350 controllers, again controlled by PLCs directly, and it would spin them up to about [inaudible] 300 to break down, explode, to be [inaudible] but in a fairly safe way for the staff around, and it would spin them down to around 2 [inaudible], which my best guess is this causes the motors to overheat, to break down, or perhaps other problems of heating elements and different materials expanding, and then finally, or not finally quite,

they would send false information to operators. So they planned it out quite well: they captured information on the network for around somewhere between 13 to 30 days, depending on who you ask. They then replayed this information back to the SCADA systems for this whole time, like putting a camera in front of a CCTV camera, you know, and just replaying the whole thing like a movie. So it looked like it was operating fine. To the engineers it appeared machines were spinning up and breaking down rapidly. They didn't know why. They tried their best to fix it but they couldn't. They didn't know what the source was, that it was due to this malware. And finally, between attacks where it's slowly breaking things, it would return to normal operation to avoid suspicion. So

they planned this out well. This was a sophisticated attack and it was a very complex piece of malware that had to be self-sufficient. Remember this is an air-gapped network, so you can't really reach out to a sort of command and control server and ask what to do; it had to operate by itself, to be very smart and very good.
>> How long have I got?
>> You're a couple of minutes already.
>> Oh okay. So you've got some zero days. You can research them yourself. The damage was about a thousand centrifuges, two years of delays and a lot of financial cost. Spread, skip that for now. Why was it discovered? Supposedly Israel's Unit 8200 pushed more aggressive action and ended up

shutting down machines worldwide. They removed the restrictions, basically set it free, and they got discovered and ruined the entire program up until that day. Iran's response: well, they turned on the US, went against US banks; they wiped 30,000 [inaudible] at an oil company, causing massive problems, and water [inaudible] down, but apparently it was offline, so they don't know how that works, but fair enough. Prevention, I think it's fairly obvious: don't bring USBs in, train employees, make [inaudible] work. Going to skip past the bit about how to assess, limited time, but I do want to talk a tiny bit about research. I'm currently looking at building a debug adapter to get into an Apple Watch. So it's got an interface on it which you can

actually exploit. I'm going to use that and I'm going to reverse engineer it; research coming up, just a suggestion. So forget about those, there are always ways around them. I want to do some red teaming; that'd be really cool, a lot of access to corporate resources, gone [inaudible], looking forward to that. Mobile data, might or might not be related, functional CPU customer system [inaudible]. With that, any questions quickly? But if not, we might run outside, probably have time for questions.
>> No time for questions.
>> Find me outside after sort of the next break and we'll talk then. Thank you very much.