Bricks-in-the-Loop
Scott M Thompson, CACI, Inc. Starting programming in BASIC at 13. Helped stand up Cyber National Mission Force (CNMF). Worked with NSA, US CYBERCOM, and Air Force Cyber. MS in Cyber Forensics. 26 years of Navy experience as a Systems Engineer: Gas Turbines, Diesel Engines, Fuel and Water Systems, Power Distribution. Hacked in 300 Baud … Phone Phreak. Scott M. Thompson – ICS / SCADA Systems Engineer, CACI, Inc. scott.thompson@caci.com 832-570-5758
90th Cyber Operations Squadron (90th COS) The 90th Cyber Operations Squadron at Joint Base San Antonio accelerates global vigilance, reach, and power by rapidly developing cyber capabilities to achieve military objectives across all domains. Our vision is to rapidly weaponize cyberspace in support of Air Force, joint, and Inter-agency partners to further U.S. interests. We employ more than 250 active duty, civilian, and contract personnel to meet engineering challenges. Our BIL model is under the modeling and simulation flight, which provides synthetic environments for mission rehearsal, concept exploration, and capability assessments. We are also known as Distributed Mission Operations Center-Cyber (DMOC-C) to support major exercises with modeling and simulation tools for realistic training.
Operational Technology vs Information Technology Operational Technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events in the enterprise. Information technology (IT) is the use of computers to store, retrieve, transmit, and manipulate data, or information, often in the context of a business or other enterprise. IT is considered to be a subset of information and communications technology (ICT).
Cyber Threat to Operational Technology (OT) According to Symantec, Internet of Things (IoT) attacks increased 600% between 2016 and 2017. DHS / US-CERT reported in March 2018 that Russia has compromised computer systems containing ICS/SCADA data in an effort to be able to cripple the energy sector in Europe and North America. Hacker methodologies now include using OT as a means of gaining access to IT, as OT is normally an easier target: • A city irrigation system was attacked in Orange County, California. This allowed access to a town government's IT network, where the attacker installed ransomware on critical municipal file servers. • An aquarium thermometer was used as an entry point into a casino IT network. The casino's high-rollers list was stolen.
BIL Objectives
- Provide a cyber-physical interface for exposure, orientation, and familiarization of Operational Technology (OT) defense to Air Force Cyber Protection Teams in a rich, vivid, and lucid environment.
- Build ICS and SCADA technologies at a low cost by maximizing the use of open-source technologies and protocols and commercial-off-the-shelf hardware.
- Deliver an environment that is portable and easily integrated into the 90 COS slice environment.
- Provide OT scenarios that are relevant to the ICS / SCADA challenges that are faced by the Air Force.
- Develop the environment as needed to orient operators to an ever-expanding Internet of Things (IOT).
Figures: Brick Model of Blue AFB; Bricks-in-the-Loop at DEFCON 27
TERMINOLOGY and ICS BASICS
Terminology An Industrial Control System (ICS) is a generic term used to describe any system that gathers information on an industrial process and modifies, regulates, or manages the process to achieve a desired result.
- Distributed Control Systems (DCS)
- Supervisory Control and Data Acquisition Systems (SCADA)
- Process Control Systems (PCS)
- Emergency Management Systems (EMS)
- Automation Systems (AS)
- Safety Instrumented System (SIS)
All of these systems are considered Industrial Control Systems.
Programmable Logic Controller (PLC) Figures: Brick Type PLC; Modular PLC; Remote Telemetry Unit (RTU) with GSM Communications
Human Machine Interface (HMI)
The Story of an HMI We have done research on different HMI software and hardware during the last year. One device, in particular, stood out: ▪ Hard-coded HTTP authentication credentials. ▪ Arbitrary JavaScript execution via HTTP upload. ▪ Hard-coded user credentials. ▪ Privilege escalation via misconfigured /usr/sbin/useradd binary. Lesson Learned: Carefully research your ICS / SCADA devices in a test bed before they are installed in your production network. Sometimes the security misconfigurations can be astounding.
AFRL Project Figures: ACDC Trailer (From DARPA Project); Modular PLC; DIN Rail; DIN Cabinet; Terminal Blocks; Power Supplies (24, 36, 48V)
AFRL Project
Typical Control System –Purdue Model
SCADA Network Communications
SCADA Server Polls Data from RTUs / PLCs Hey dudes, let me know what's going on out there. I want to know: Valve Position (O:0) Pump Status (O:8) Pressure (Rn:0) Level (Rn:1) Flow (Rn:2).
RTUs and PLCs Respond Ok, here's my status: O:0 = True (Valve is Open) O:8 = True (Pump is On) Rn:0 = 45 (Pressure Sensor) Rn:1 = 17 (Level Sensor) Rn:2 = 60 (Flow Sensor)
SCADA Server Updates HMI Status I'm going to record those readings for posterity! I'm cool like that. Larry… here's your updated display of what's going on out there. RTU reports .... And PLC reports ….
… and the polling repeats at a regular interval Hey dudes, let me know what’s going on out there. I want to know: Valve Position (O:0) Pump Status (O:8) Pressure (Rn:0) Level (Rn:1) Flow (Rn:2).
Same Old … Same Old … Ok, here’s my status: O:0 = True (Valve is Open) O:8 = True (Pump is On) Rn:0 = 45 (Pressure Sensor) Rn:1 = 17 (Level Sensor) Rn:2 = 60 (Flow Sensor)
Yadda Yadda Yadda … I'm going to record those readings for posterity! I'm cool like that. Larry… here's your updated display of what's going on out there. RTU reports .... And PLC reports ….
We Institute Change …Larry sips coffee and hits a button… "Have the RTU shut the valve!" ROGER THAT, LARRY! I'll have the RTU shut the valve!! I SAW THAT AND I'M RECORDING THAT! At time 0605, valve on RTU was ordered closed by Larry.
We Institute Change RTU, shut the valve! O:0 = FALSE! Sure… whatever you want. …I'm running MODBUS, I don't care. I'll do anything that anyone wants… OK, made that change. (Printer: …no one ever prints around here... And I do color and everything! I'm entering sleep mode.)
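The polling cycle and the valve command above, as an added example that is not part of the talk's material or the BIL project's code: a minimal Modbus/TCP master and slave exchanging the same readings (O:0, O:8, Rn:0..Rn:2 = True, True, 45, 17, 60), followed by the write that sets O:0 = FALSE. The mapping of the slide's tag names onto Modbus coil and register addresses, the constructed sample values, and the historian's log format are assumptions. The point a defender should take from it is on the slave side: a write is executed and acknowledged with no authentication at all, so the historian's record of who ordered what, and when, is the only accountability in the loop.

```python
import struct
from datetime import datetime, timezone

# Assumed mapping of the slide's tag names onto Modbus addresses (not stated on the slides).
COILS = {"O:0": 0, "O:8": 8}                  # valve position, pump status
HOLDING = {"Rn:0": 0, "Rn:1": 1, "Rn:2": 2}   # pressure, level, flow

FC_READ_COILS, FC_READ_HOLDING, FC_WRITE_SINGLE_COIL = 1, 3, 5
WRITE_FUNCTIONS = {5, 6, 15, 16}   # function codes that change process state


def mbap(tid, unit, pdu):
    """Prepend the Modbus/TCP MBAP header: transaction id, protocol 0, length = unit id + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame):
    tid, _proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    return {"tid": tid, "unit": unit, "fc": pdu[0], "data": pdu[1:]}


# ---- SCADA server (Modbus master) side ----
def read_request(tid, unit, fc, start, count):
    return mbap(tid, unit, struct.pack(">BHH", fc, start, count))


def write_coil_request(tid, unit, addr, on):
    value = 0xFF00 if on else 0x0000          # Modbus encodes a single-coil write as FF00 / 0000
    return mbap(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE_COIL, addr, value))


def decode_coils(response, count):
    data = parse_frame(response)["data"]      # [byte count, packed bits...]
    packed = data[1:1 + data[0]]
    return [bool((packed[i // 8] >> (i % 8)) & 1) for i in range(count)]


def decode_registers(response):
    data = parse_frame(response)["data"]      # [byte count, big-endian 16-bit words...]
    n = data[0] // 2
    return list(struct.unpack(">%dH" % n, data[1:1 + 2 * n]))


# ---- RTU / PLC (Modbus slave) side ----
class Rtu:
    def __init__(self):
        self.coils = [False] * 16
        self.coils[0], self.coils[8] = True, True   # valve open, pump on (constructed, as on the slide)
        self.registers = [45, 17, 60]               # pressure, level, flow (constructed, as on the slide)

    def handle(self, frame):
        req = parse_frame(frame)
        fc, data = req["fc"], req["data"]
        if fc == FC_READ_COILS:
            start, count = struct.unpack(">HH", data)
            packed = bytearray((count + 7) // 8)
            for i, bit in enumerate(self.coils[start:start + count]):
                if bit:
                    packed[i // 8] |= 1 << (i % 8)
            pdu = bytes([fc, len(packed)]) + bytes(packed)
        elif fc == FC_READ_HOLDING:
            start, count = struct.unpack(">HH", data)
            regs = self.registers[start:start + count]
            pdu = bytes([fc, 2 * count]) + struct.pack(">%dH" % count, *regs)
        elif fc == FC_WRITE_SINGLE_COIL:
            addr, value = struct.unpack(">HH", data)
            self.coils[addr] = value == 0xFF00      # no authentication: "I'll do anything that anyone wants"
            pdu = bytes([fc]) + data                 # a write is acknowledged by echoing the request
        else:
            pdu = bytes([fc | 0x80, 0x01])           # Modbus exception response: illegal function
        return mbap(req["tid"], req["unit"], pdu)


def poll(rtu, unit=1):
    """One polling cycle: coils O:0..O:8 in one read, registers Rn:0..Rn:2 in another."""
    coils = decode_coils(rtu.handle(read_request(1, unit, FC_READ_COILS, 0, 9)), 9)
    regs = decode_registers(rtu.handle(read_request(2, unit, FC_READ_HOLDING, 0, 3)))
    return {"O:0": coils[0], "O:8": coils[8], "Rn:0": regs[0], "Rn:1": regs[1], "Rn:2": regs[2]}


def historian_log(frame, operator, when=None):
    """Record a state-changing command the way the slide's historian does: who, when, what."""
    req = parse_frame(frame)
    if req["fc"] not in WRITE_FUNCTIONS:
        return None                                  # reads are not state changes; nothing to record
    when = when or datetime.now(timezone.utc)
    if req["fc"] == FC_WRITE_SINGLE_COIL:
        addr, value = struct.unpack(">HH", req["data"])
        tag = next((k for k, v in COILS.items() if v == addr), "coil %d" % addr)
        state = "ON" if value == 0xFF00 else "OFF"
        return "At time %s, %s on unit %d was ordered %s by %s" % (when.strftime("%H%M"), tag, req["unit"], state, operator)
    return "At time %s, write (FC %d) to unit %d by %s" % (when.strftime("%H%M"), req["fc"], req["unit"], operator)


if __name__ == "__main__":
    rtu = Rtu()
    print(poll(rtu))                                          # the "Same Old ... Same Old" readings
    cmd = write_coil_request(3, 1, COILS["O:0"], False)       # Larry: "Have the RTU shut the valve!"
    print(historian_log(cmd, "Larry"))                        # "I SAW THAT AND I'M RECORDING THAT!"
    rtu.handle(cmd)
    print(poll(rtu))                                          # O:0 now False
```

Because `historian_log` keys on the function code rather than on who sent the frame, the same function applied to captured traffic records any write from any source, which is the check a network monitor on the SCADA segment should be doing: reads are routine, writes should be rare and always attributable to an operator action.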
The Bricks-in-the-Loop Prototype (Version 1.0)
▪ 4 vital 480V buses supplied by commercial power that supply the: 1. Runway, Taxi, and Approach Lights 2. Combined Air Operations Center/Comm Squadron 3. Tower and Air Traffic Control 4. Airfield Operations
▪ A Commercial power bus (12.75KV) and an UPS on each power bus.
▪ Supervisory control that automatically starts emergency generators when commercial power is lost.
▪ Traffic lights
▪ Fuel Farm
Figure labels: Headquarters Bldg; Tower/Air Traffic Control; CAOC/Comms Squadron; Airfield Operations; Runway, Taxi, Approach Lights
PLC Logic using Raspberry Pi
- UniPi PLC controls the traffic light simulation.
- DC Power Supply.
- myBOX by mySCADA technologies. myBOX provides HMI service over the WWW. Scenarios are built using myDesigner software. The HMI (Master) speaks with the PLCs (Slaves) using MODBUS / TCP protocol.
- 4 PLCs (Raspberry Pi computers) for Supervisory Control of the base's electrical distribution.
- BitScope Blade Rack allows deployment of 20 Raspberry Pi computers using a common DC source. Serves additional traffic lights and the fuel farm.
- Desktop server provides the IT network, the Air Force's SLICE virtual environment.
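The supervisory control described for the prototype (emergency generators that start automatically when commercial power is lost, with a UPS carrying each bus in the meantime), as an added example that is not the BIL project's PLC logic: a scan-cycle state machine for one vital bus, of the kind that would run on one of the Raspberry Pi PLCs. Warm-up and cool-down times, the UPS reserve, the tag names and the event wording are assumptions. The detail worth copying is the transfer interlock: the source feeding the bus is a single variable, so the commercial and generator breaker outputs derived from it can never both be closed, whatever order the inputs arrive in.

```python
# Added example, not the BIL project's code. Timings are in PLC scan ticks and are assumed.
GEN_WARMUP_TICKS = 3     # ticks a started generator runs before it may take load
GEN_COOLDOWN_TICKS = 2   # ticks an unloaded generator keeps running before it stops
UPS_RESERVE_TICKS = 5    # assumed UPS autonomy while the generator warms up


class VitalBus:
    """Commercial feed, emergency generator and UPS for one 480V vital bus."""

    def __init__(self, name):
        self.name = name
        self.gen_running = False       # output: generator run command
        self.gen_timer = 0             # warm-up or cool-down countdown
        self.source = "commercial"     # which breaker is closed: commercial / generator / none (on UPS)
        self.ups_ticks = UPS_RESERVE_TICKS
        self.events = []               # what the historian would record

    def scan(self, commercial_ok):
        """One PLC scan: read the commercial-power input, run the logic, return the outputs."""
        if not commercial_ok:
            if self.source == "commercial":
                # Loss of commercial power: open the utility breaker, bus rides on the UPS
                self.source = "none"
                self.events.append("%s: commercial power lost, bus on UPS" % self.name)
            if not self.gen_running:
                self.gen_running = True
                self.gen_timer = GEN_WARMUP_TICKS
                self.events.append("%s: generator start ordered" % self.name)
            elif self.gen_timer > 0:
                self.gen_timer -= 1
                if self.gen_timer == 0:
                    self.source = "generator"   # warm-up done: close the generator breaker
                    self.events.append("%s: load transferred to generator" % self.name)
            if self.source == "none":
                if self.ups_ticks > 0:
                    self.ups_ticks -= 1
                else:
                    self.events.append("%s: UPS exhausted, bus dead" % self.name)
        else:
            if self.source == "generator":
                # Commercial back: open the generator breaker before closing the utility breaker
                self.source = "commercial"
                self.gen_timer = GEN_COOLDOWN_TICKS
                self.events.append("%s: load transferred back to commercial" % self.name)
            elif self.source == "none":
                self.source = "commercial"      # power returned before the generator took load
            if self.gen_running:
                if self.gen_timer > 0:
                    self.gen_timer -= 1         # unloaded cool-down
                else:
                    self.gen_running = False
                    self.events.append("%s: generator stopped" % self.name)
        # Interlock: `source` is one value, so at most one breaker output can be closed.
        return {"commercial_breaker": self.source == "commercial",
                "generator_breaker": self.source == "generator",
                "gen_run": self.gen_running,
                "ups_reserve": self.ups_ticks}


def run_scenario(outage_ticks, restore_ticks=4):
    """Constructed scenario: normal power, an outage of outage_ticks scans, then restoration."""
    bus = VitalBus("Runway, Taxi, and Approach Lights")
    states = [bus.scan(True)]
    for _ in range(outage_ticks):
        states.append(bus.scan(False))
    for _ in range(restore_ticks):
        states.append(bus.scan(True))
    return bus, states


if __name__ == "__main__":
    bus, states = run_scenario(5)
    for event in bus.events:
        print(event)
```

On the brick model the same loop would drive a relay output for the generator contactor and read a digital input from the commercial feed; the scan is deliberately free of timing calls so that it can be stepped in a test, as the `run_scenario` helper does.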
Future of BIL BIL provides a cyber-physical interface that helps cyber defense forces with Exposure, Orientation, and Training in Industrial Control Systems (ICS). ICS/SCADA Petting Zoo: We go beyond the Raspberry Pi and bring in PLCs from leading manufacturers (Siemens, Allen Bradley, Honeywell, etc) to both control the environment and allow teams to explore the nuances of industrial control devices from different companies. BIL Base Functionality: Weather, Water, and Irrigation; Security Cameras; Electrical Distribution Systems; Fuel Operations; Low Power RF / Building Automation; Fire Alarms and Suppression
Build Your Own SCADA for FUN and PROFIT
General Rules - Start simple and build complexity as you go. - Fall in love with Open Source again. - Do deep dives on the protocols. There's TONS of information out there. Pass on what you learn. - GET CREATIVE! Engage the imagination of your target audience. Look for ways to get them invested with your project. - This is a GREAT project for a hard-charging group of young students or employees. - BEST WAY to learn ICS / SCADA is to build it yourself.
Step 1: Find OpenPLCProject www.openplcproject.com