  1. COMPROMISING INDUSTRIAL FACILITIES FROM 40 MILES AWAY
     Lucas Apa, Carlos Mario Penagos

  2. About Us
     • Lucas Apa (Argentina), Carlos Penagos (Colombia)
     • Vulnerability Research, Exploitation, Cryptography, Reverse Engineering, ICS/SCADA

  3. Agenda
     • Motivation
     • Industries and Applications
     • Wireless Standards
     • Journey of Radio Encryption Keys
     • Vendor1 Wireless Devices
     • Vendor2 Wireless Devices
     • Vendor3 Wireless Devices

  4. Motivation
     • Critical infrastructures becoming targets
     • Insider attacks (lately)
     • Devices connected to the Internet
     • 0days to reach the PLC, RTU, HMI…
     • Stealth and precise attacks
     • Incident response at hazardous sites

  5. Industrial Wireless Automation
     • Copper wires are used to monitor and control
       - Corrosion, ductility, thermal conductivity
       - Cost of wires, trenching, mounting and installation
     • Industrial wireless solutions
       - Eliminate the cost of hardwiring, logistics, installation
       - Heavy machinery involved
       - Remote control and administration (geography)
       - Minimize safety risk & dangerous boxes
       - Add durability

  6. Industries and Applications
     Oil & Gas:
     • Plunger lift/artificial lift optimization
     • Well-head automation
     • RTU/EFM I/O extensions
     • Cathodic protection monitoring
     • Hydrogen sulfide (H2S) monitoring
     Refined Petroleum / Petrochemicals:
     • Tank level monitoring
     • Pipeline cathodic protection
     • Rectifier voltage monitoring
     • Gas/liquid flow measurement
     • Pipeline pressure and valve monitoring

  7. Industries and Applications (2)
     Energy - Utilities:
     • Transformer temperature
     • Natural gas flow
     • Power outage reporting
     • Capacitor bank control
     • kV, Amp, MW, MVAR reading
     Waste & Waste Water:
     • Remote pumping stations
     • Water treatment plants
     • Water distribution systems
     • Wastewater/sewer collection systems
     • Water irrigation systems/agriculture

  8. Industrial Wireless Challenges
     • Defeat electromagnetic interference (EMI)
     • Handle signal attenuation and reflections
     • Reliability is far more important than speed
     • Higher transmitter power levels
     • Site surveys to assess the consistency and reliability of the plant
     • Mainly using 2.4 GHz or 900 MHz (ISM band)
     • No "business" protocols

  9. Cryptographic Key Distribution (WSN)
     • Distribute secrets to a large number of nodes
     • Base stations with clusters surrounding them
     • Limitations:
       - Deployment in public or hostile locations
       - Post-deployment knowledge
       - Limited bandwidth and transmission power
     • Methods for crypto key distribution:
       - Out-of-band
       - In-band
       - Factory pre-loaded

  10. IEEE 802.15.4 Standard
      • Wireless radios (low power/speed)
      • Setting the encryption algorithm and AES key is an upper-layer responsibility
      • Each node can have an ACL
      • MAC for upper layers:
        - ZigBee
        - WirelessHART
        - ISA SP100
        - IETF IPv6 over LoWPAN (6LoWPAN)

  11. ZigBee 2007 (Standard Security Mode)
      • Suite of high-level communication protocols
      • Based on IEEE 802.15.4 (low-level layers)
      • ISM radio bands
      • Trust Center introduced in 2007
      • Network Key (AES 128-bit), managed by the Trust Center
      • Two key distribution mechanisms:
        1. Pre-installation: pre-installed (factory installed) or individually commissioned (commissioning tool)
        2. Over the air
      (diagram: Trust Center distributing the Network Key to nodes A and B)

  12. ZigBee Pro 2007 (High Security Mode)
      • Many enhancements
      • More memory requirements
      • New keys introduced:
        ① Master Key: unsecured transport or out-of-band technique; secures the other keys
        ② Link Key: unicast; unique between nodes
        ③ Network Key: regenerated at intervals; needed to join the NWK
      (diagram: Trust Center holds MasterKey_TA, MasterKey_TB, LinkKey TA, LinkKey TB, NetworkKey;
       node A holds MasterKey_TA, LinkKey TA, MasterKey_AB, LinkKey AB, NetworkKey;
       node B holds MasterKey_TB, LinkKey TB, MasterKey_AB, LinkKey AB, NetworkKey)

  13. The Journey of Radio Encryption Keys
      (flow diagram: who sets the radio key at each stage; recoverable labels)
      • Radio Vendor: No Encryption Key / Key in Firmware (DeviceVendorID)
      • Device Company: No Encryption Key / Per-Client Encryption Key / Company Encryption Key
      • End User: Change Encryption Key / Set Encryption Key / No Change Encryption Key

  14. Reusing Radio Keys
      • End-user node key storage
      • Shared secret: same firmware or same radio key
      • Device Company Key attack:
        1. Buy the same device (buy the same key)
        2. Remove the radio module
        3. Connect to the USB interface
        4. Interact: API & AT command mode
        5. Send frames using the unknown key
      Warning: not possible if a per-client encryption key exists

  15. Exploiting Vendor1 Devices
      • Company profile (+1990)
      • Frequency-hopping wireless devices
      • "Great for long or short range wireless SCADA applications"
      • "Secure proprietary FHSS with 128 bit AES encryption"
      • "Hazardous location approvals, perfect for outdoor Ethernet SCADA or indoor PLC messaging"
      • "30+ miles point to point with high gain antennas"

  16. Vendor1 Key Distribution
      "<Vendor1 Tool> is easy to use and intuitive. Default values built into the software work well for initial installation and testing, making it easy for first-time users. <Vendor1 Tool> manages all important settings to ensure that the network performs correctly." (User Guide)
      • RF Encryption: a 128-bit encryption level key is suggested to the user
        - Blank: no encrypted packets
        - 5-7 chars: field is translated into a 40-bit encryption level
        - 15-24 chars: field is translated into a 128-bit encryption level

  17. Reversing Passphrase Generation
      Compiled C++ binary:
      • srand(time(NULL)): srand seeds the PRNG, time returns the epoch, so the seed has low entropy
      • Same algorithm in every copy of the tool
      • rand(): bad ANSI C function

  18. Attacking Weak PRNG
      C:\>passgen.exe
      2013-04-04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0

  19. The Oldest Passphrase in the Help File
      C:\>passgen.exe
      2013-04-04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0
      2013-04-04 21:39:07 => 1365136747 => nir3f1a0dm2sdt41q91c06nt
      …
      2008-04-17 15:20:47 => 1208470847 => re84q92vssgd671pd2smj8ig

  20. Commissioning Tool Audit
      Bruteforce Passphrase:
      • 25 70 passphrases
      • Mixed lower-case alphabet plus numbers and common symbols
      • Impossible to calculate all passphrases
      • Need to derive the AES 128-bit key in real time
      Weak PRNG Attack:
      • ~156 million passphrases
      • Every second that passes, one more key
      • Only a few seconds to calculate all passphrases
      • Calculate once and create a database with all possible AES 128-bit key derivations
      Conclusions:
      • Easily breakable by an outsider
      • Further research with the devices
      • Commissioning tools need deep testing
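The audit on slides 17-20 comes down to counting candidate keys. The following added example (not code from the talk or from the vendor tool) models the two generators side by side and quantifies the seed space with the epoch values printed on slides 18-19; the alphabet, the 24-character length and the use of Python's Mersenne Twister as a stand-in for the C runtime's rand() are assumptions.

```python
import math
import random
import secrets
import string

# Model alphabet from slide 20 ("lower case alphabet plus numbers"); the real
# tool's alphabet and its rand()-to-character mapping are not on the slides.
ALPHABET = string.ascii_lowercase + string.digits

# Epoch values taken from slides 18-19 (slide times are local, epochs are exact).
OLDEST_KNOWN_EPOCH = 1208470847   # oldest passphrase found in the help file
DEMO_EPOCH = 1365136748           # the demo run of passgen.exe


def weak_passphrase(epoch_seconds: int, length: int = 24) -> str:
    """Model of srand(time(NULL)) + rand(): the passphrase is a pure function
    of the wall clock, so anyone who knows the second can regenerate it.
    (Mersenne Twister stands in for rand(); the one-key-per-second property
    is what matters.)"""
    rng = random.Random(epoch_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_passphrase(length: int = 24) -> str:
    """Hardened form: draw from the OS CSPRNG, which has no observable seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seed_space(oldest_epoch: int, newest_epoch: int) -> int:
    """Candidates an auditor must consider for a time-seeded generator:
    one per second from the oldest known output up to now, inclusive."""
    return newest_epoch - oldest_epoch + 1


def bruteforce_space(length: int = 24, alphabet: str = ALPHABET) -> int:
    """Passphrases a blind search would face if the generator were random."""
    return len(alphabet) ** length


def entropy_bits(space: int) -> float:
    """Effective key strength in bits for a given number of equally likely keys."""
    return math.log2(space)


if __name__ == "__main__":
    print("weak  :", weak_passphrase(DEMO_EPOCH), "(same every run for this epoch)")
    print("strong:", strong_passphrase())
    print("time-seeded space  : %d keys, %.1f bits"
          % (seed_space(OLDEST_KNOWN_EPOCH, DEMO_EPOCH),
             entropy_bits(seed_space(OLDEST_KNOWN_EPOCH, DEMO_EPOCH))))
    print("random 24-char space: %.1f bits" % entropy_bits(bruteforce_space()))
```

The time-seeded space between the two slide epochs is about 156.7 million keys (roughly 27 bits), against about 124 bits for a genuinely random 24-character passphrase from the same alphabet.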

  21. Vendor2 Wireless Devices
      • Market leadership: Oil & Gas
      • Wireless and wired solutions for digital oil field automation
      • Trusted by top companies in different industries
      • Family system (point to multipoint):
        - Wireless gateways
        - Wireless transmitters
        - I/O expansion modules
        - Hardwired sensors

  22. (image-only slide)

  23. An Extended Family of Devices
      Applications:
      • Oil & Gas
      • Refining / Petrochemicals
      • Water & Waste Water
      • Utilities
      • Industrial process monitoring
      Transmitters:
      • RTD temperature transmitter
      • Analog/discrete transmitter
      • Flow totalizer transmitter
      • Pressure transmitter
      • Hydrostatic level transmitter
      • Many more...

  24. (architecture diagram; labels: PLC, RTU, RF Modem, SCADA, DCS, EFM, HMI)

  25. Tool and Project Files
      • How do the devices access the wireless information?
      • "Enhanced Site Security Key":
        "The Enhanced Site Security feature is designed to provide an additional level of protection for RF packets sent and received between <Vendor2> devices and minimizes the possibility of interference from other devices in this area. This feature is not available on some older versions of legacy devices."
      • Security Key == Encryption Key ???
      • Legacy devices without encryption???

  26. Key Generation and Distribution
      • Create a "Project File" and update all nodes
      • From the documentation: "If the project file name is changed, a new Site Security Key will be assigned"
      • Possible scheme: per-site encryption
      • This key MUST be somewhere in the project file

  27. File Name Change => New Key

  28. Project File Binary Diffing
      ProjectA: \x17\x58\x4f\x51 => 1364154391 => Sun, 24 Mar 2013 19:46:31 GMT
      ProjectB: \x51\x58\x4f\x51 => 1364154449 => Sun, 24 Mar 2013 19:47:29 GMT
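The diff on slide 28 is explained by reading the four differing bytes as a little-endian 32-bit Unix timestamp. The following added example (not code from the talk or from the vendor tool) decodes the two byte strings shown on the slide and adds an audit heuristic for spotting a "security key" that is really a clock value; the file offset of the field is not on the slides, so the function takes the four bytes directly.

```python
import math
import struct
from datetime import datetime, timezone
from typing import Optional, Tuple

# The differing bytes as printed on slide 28 for the two project files.
PROJECT_A_KEY = b"\x17\x58\x4f\x51"
PROJECT_B_KEY = b"\x51\x58\x4f\x51"


def decode_site_key(raw: bytes) -> Tuple[int, str]:
    """Read 4 bytes as a little-endian uint32 and render it as an RFC-1123 style UTC date."""
    if len(raw) != 4:
        raise ValueError("expected exactly 4 bytes, got %d" % len(raw))
    (value,) = struct.unpack("<I", raw)
    when = datetime.fromtimestamp(value, tz=timezone.utc)
    return value, when.strftime("%a, %d %b %Y %H:%M:%S GMT")


def looks_like_timestamp(raw: bytes, earliest: int = 946684800,
                         latest: Optional[int] = None) -> bool:
    """Audit heuristic: a key that decodes to a plausible date between 2000-01-01 UTC
    (default) and now is almost certainly derived from the clock, not from a CSPRNG."""
    value, _ = decode_site_key(raw)
    if latest is None:
        latest = int(datetime.now(tz=timezone.utc).timestamp())
    return earliest <= value <= latest


def effective_key_bits(window_seconds: int) -> float:
    """A clock-derived 32-bit key is only as strong as the window in which the project
    could have been created, e.g. one year is about 25 bits, not 32."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    for name, raw in (("ProjectA", PROJECT_A_KEY), ("ProjectB", PROJECT_B_KEY)):
        value, date = decode_site_key(raw)
        print("%s: %r => %d => %s (timestamp-like: %s)"
              % (name, raw, value, date, looks_like_timestamp(raw)))
    print("one-year window: %.1f effective bits" % effective_key_bits(365 * 86400))
```

Both keys decode to the dates printed on the slide, 58 seconds apart, which matches the two creation times.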

  29. Component Identification
      • Support center
      • Firmware images & documentation
      • Radio modules, architectures & processors (RISC)

  30. Understanding the Firmware Image (RISC)
      • Industry-standard format: @Address and content
      • Incomplete image (update)
      • Only compiler strings: CrossWorks for MSP430

  31. Component Identification: 430F149 (chip marking)

  32. YouTube (XT09 and 802.15.4)

  33. No Per-Client Key
      Email to the reseller:
      "Dear <<Reseller Sales Eng>>,
      We are going to borrow a used "Analog Transmitter" from one of our partners. We are going to test it for a few weeks and let you know if we decide to buy a new one. Are there any specific concerns we might take into account when deploying this device to connect it with our <Device>? Or just upgrade all project configuration files?
      Thanks."
      Reply:
      "Lucas,
      You just need to upgrade the configuration files.
      Thank you"
