internet facing plcs a new back orifice
play

Internet-Facing PLCs - A New Back Orifice Johannes Klick, Stephan - PowerPoint PPT Presentation

Oct 30, 2023 •285 likes •1.37k views

Internet-Facing PLCs - A New Back Orifice Johannes Klick, Stephan Lau, Daniel Marzin, Jan-Ole Malchow, Volker Roth <firstname>.<lastname>@scadacs.org AG Secure Identity Department of Mathematics and Computer Science Freie

  1. Program block binary representation MC7 Opcodes A %I0.0 A %I0.1 O %I0.2 = %Q0.0 00: 7070 0101 0108 0001 0000 0074 0000 0000 10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 20: 0014 000a c000 c100 ca00 d880 6500 0100 30: 0014 0000 0002 0502 0502 0502 0502 0502 40: 0505 0505 0505 050e 0520 0100 0800 0000 50: 0000 0000 0000 0000 0000 0000 0000 0000 60: 0000 0000 0000 0000 0100 a691 0000 0000 70: 0000 0000 36 / 100

  2. Program block binary representation MC7 Opcodes A %I0.0 A %I0.1 O %I0.2 = %Q0.0 00: 7070 0101 0108 0001 0000 0074 0000 0000 10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 20: 0014 000a c000 c100 ca00 d880 6500 0100 30: 0014 0000 0002 0502 0502 0502 0502 0502 40: 0505 0505 0505 050e 0520 0100 0800 0000 50: 0000 0000 0000 0000 0000 0000 0000 0000 60: 0000 0000 0000 0000 0100 a691 0000 0000 70: 0000 0000 37 / 100

  3. Program block binary representation MC7 Opcodes A %I0.0 A %I0.1 O %I0.2 = %Q0.0 BE 00: 7070 0101 0108 0001 0000 0074 0000 0000 10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 20: 0014 000a c000 c100 ca00 d880 6500 0100 30: 0014 0000 0002 0502 0502 0502 0502 0502 40: 0505 0505 0505 050e 0520 0100 0800 0000 50: 0000 0000 0000 0000 0000 0000 0000 0000 60: 0000 0000 0000 0000 0100 a691 0000 0000 70: 0000 0000 38 / 100

  4. S7comm 39 / 100

  5. S7comm S7comm Protocol Structure 40 / 100

  6. S7comm Download Procedure 41 / 100

  7. S7comm Protocol details Wireshark can dissect S7comm with the dissector available at http://sourceforge.net/projects/ s7commwireshark/ SCADACS 42 / 100

  8. S7comm Protocol details Implementation of partial S7comm available at http://snap7.sourceforge.net/ SCADACS 43 / 100

  9. Attack Details SCADACS 44 / 100

  10. Attack Details 1. Instrumenting live PLC programs with scanning malware 2. SNMP scanning 3. Collecting the scan results 4. Instrumenting live PLC programs with proxy malware 5. Connecting to PLCs through the proxy malware SCADACS 45 / 100

  11. Attack Details I Overview PLC 1 is connected to the Internet 46 / 100

  12. Attack Details II Overview Attacker downloads the main program block. . . 47 / 100

  13. Attack Details Overview ◮ Example PLC code 48 / 100

  14. Attack Details Overview ◮ OB1 with prepended function call to FC 666 49 / 100

  15. Overview Before injection A %I0.0 A %I0.1 O %I0.2 = %Q0.0 BE 00: 7070 0101 0108 0001 0000 0074 0000 0000 10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 20: 0014 000a c000 c100 ca00 d880 6500 0100 30: 0014 0000 0002 0502 0502 0502 0502 0502 40: 0505 0505 0505 050e 0520 0100 0800 0000 50 / 100

  16. Overview Injection 1. insert block call CALL FC666 JU L1 L1: A %I0.0 A %I0.1 O %I0.2 = %Q0.0 BE 00: 7070 0101 0108 0001 0000 0074 0000 0000 10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 20: 0014 000a fb70 029a 700b 0002 c000 c100 30: ca00 d880 6500 0100 0014 0000 0002 0502 40: 0502 0502 0502 0502 0505 0505 0505 ... 51 / 100

  17. Overview Injection 1. insert block call CALL FC666 JU L1 L1: A %I0.0 A %I0.1 O %I0.2 = %Q0.0 BE 00: 7070 0101 0108 0001 0000 0074 0000 0000 10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 20: 0014 000a fb70 029a 700b 0002 c000 c100 30: ca00 d880 6500 0100 0014 0000 0002 0502 40: 0502 0502 0502 0502 0505 0505 0505 ... 52 / 100

  18. Overview Injection 1. insert block call CALL FC666 JU L1 2. increase total block length L1: A %I0.0 A %I0.1 O %I0.2 = %Q0.0 BE 00: 7070 0101 0108 0001 0000 007C 0000 0000 10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 20: 0014 000a fb70 029a 700b 0002 c000 c100 30: ca00 d880 6500 0100 0014 0000 0002 0502 40: 0502 0502 0502 0502 0505 0505 0505 ... 53 / 100

  19. Overview Injection 1. insert block call CALL FC666 JU L1 2. increase total block length 3. increase code length L1: A %I0.0 A %I0.1 O %I0.2 = %Q0.0 BE 00: 7070 0101 0108 0001 0000 007C 0000 0000 10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 20: 0014 0012 fb70 029a 700b 0002 c000 c100 30: ca00 d880 6500 0100 0014 0000 0002 0502 40: 0502 0502 0502 0502 0505 0505 0505 ... 54 / 100

  20. PLCinject 55 / 100

  21. PLCinject Release plcinject -c ip [-r rack=0] [-s slot=2] [-b block] [-p block] [-f dir] [-d] -d Display available blocks on PLC -p Block that has to be injected/patched with a call instruction: OBx, FBx or FCx on PLC, e.g. OB1 -b Block to call -f Path to your block(s) you want to download to the plc Example: plcinject -c 10.0.0.1 -p OB1 -b FB1000 -f /home/user/PATH Available at https://github.com/SCADACS/PLCinject 56 / 100

  22. PLCinject Live Demo PLCinject with example Payload (running light) and a PLC 57 / 100

  23. . . . patches it and uploads a SNMP scanner 58 / 100

  24. 59 / 100

  25. Attacker downloads the scanning results 60 / 100

  26. A SOCKS proxy enables him to reach the net behind the PLC 61 / 100

  27. SNMP Scanner 62 / 100

  28. SNMP Scanner Rationale ◮ ping is not possible ◮ TCP is not adequate ◮ number of overall connections is limited ◮ connection can only closed when established ◮ UDP: no connection setup, always closable ◮ SNMP enabled in many Siemens PLCs 63 / 100

  29. SNMP Scanner I Details Get the PLC’s IP 64 / 100

  30. SNMP Scanner II Details Calculate the subnet mask 65 / 100

  31. SNMP Scanner III Details Configure UDP connection 66 / 100

  32. SNMP Scanner IV Details Send UDP packets (SNMP get request) 67 / 100

  33. SOCKS Proxy – Details 68 / 100

  34. SOCKS Proxy – Details I ◮ SOCKS5 protocol (RFC 1928) ◮ Without authentication or encryption 69 / 100

  35. SOCKS Proxy – Details II Jump list for protocol states 70 / 100

  36. SOCKS Proxy – Details III Receive clients connect request. . . 71 / 100

  37. SOCKS Proxy – Details IV . . . and store IP and port 72 / 100

  38. SOCKS Proxy – Details V Connect to destination host. . . 73 / 100

  39. SOCKS Proxy – Details VI ◮ connection to client and destination host are established ◮ now we can proxy ◮ send client’s messages to destination and vice versa ◮ an error while receiving means one partner disconnected ◮ send remaining data then disconnect and wait for next client 74 / 100

  40. SOCKS Proxy – Details VII ◮ The SOCKS implementation on the PLC is able to transfer up to 730 KB/s if it is running alone. ◮ In combination with a memory intensive benchmark PLC programm the proxy was able to transfer up to 40KB/s. 75 / 100

  41. Attack Video . . . Video Presentation. . . 76 / 100

  42. Evaluation 77 / 100

  43. Evaluation Questions ◮ How much is the execution time increased by injected SOCKS proxy? 78 / 100

  44. Evaluation Questions Default maximum cycle time = 150 ms 79 / 100

  45. Measurements I How to measure ◮ Pull data from OB1 PREV CYCLE variable ◮ Store the result in a DB ◮ Upload DB from PLC ◮ Compare values for the baseline program and the SOCKS Proxy (idle / under load) 80 / 100

  46. Measurements II *** = p value ≤ 0.0001 81 / 100

  47. Measurements III Baseline Proxy idle Proxy under load Mean 85.32 85.40 86.67 Std. Deviation 0.4927 0.5003 0.5239 Std. Error 0.01089 0.01106 0.01158 All values in milliseconds (ms) Result: ◮ There exists a significant but not practically relevant timing difference between the baseline program and its malicious SOCKS proxy version regarding the default cycle time of 150 ms. 82 / 100

  48. Mitigation strategies 83 / 100

  49. 84 / 100

  50. Mitigation strategies 1. Network-level access control 2. Enabling protection-level 3 3. If all else fails, means to woo deities to lend disaster protection 85 / 100

  51. Summary 86 / 100

  52. Summary ◮ Inject malware into a PLC without service disruption ◮ An internet facing PLC can be used as a gateway into the local network ◮ This enables an adversary to attack devices behind the Internet-facing PLC ◮ Taking these indirect connected systems into account, the attack surface regarding ICS could be much bigger than expected 87 / 100

  53. Q&A 88 / 100

  54. Appendix 89 / 100

  55. Signature 00: 7070 0101 0108 0001 0000 0074 0000 0000 10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 20: 0014 000a c000 c100 ca00 d880 6500 0100 30: 0014 0000 0002 0502 0502 0502 0502 0502 40: 0505 0505 0505 050e 0520 0100 0800 0000 50: 0000 0000 0000 0000 0000 0000 0000 0000 60: 0000 0000 0000 0000 0100 a691 0000 0000 70: 0000 0000 90 / 100

  56. Version 00: 7070 0101 0108 0001 0000 0074 0000 0000 10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 20: 0014 000a c000 c100 ca00 d880 6500 0100 30: 0014 0000 0002 0502 0502 0502 0502 0502 40: 0505 0505 0505 050e 0520 0100 0800 0000 50: 0000 0000 0000 0000 0000 0000 0000 0000 60: 0000 0000 0000 0000 0100 a691 0000 0000 70: 0000 0000 91 / 100

Recommend

Looking Back: History of American Media Learn these things Understand how printed press

Looking Back: History of American Media Learn these things Understand how printed press

Looking Back: History of American Media Learn these things Understand how printed press developed How the concept of freedom of press came into being Look at impact of radio, TV, and internet Recognize issues facing journalism

346 views • 16 slides
Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet Server Client Attack vectors MAN DNS LAN Client Internet Back Bone Router Networking WWW overview MITM (Man In The Middle) 3 2 4 5 LAN

244 views • 23 slides
1 https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-

1 https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-

1 https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back- issues/table-contents-3/ipj-archive/article09186a00800c851e.html 2 3 4 1. Internet radio, tv broadcast, pub/sub, news, stock quotes.. 2. Packet duplication, app needs

580 views • 46 slides
Swiss cheese security or the real challenges faced by internet facing companies About me

Swiss cheese security or the real challenges faced by internet facing companies About me

Swiss cheese security or the real challenges faced by internet facing companies About me Almost 20 years in information security / hacking OWASP Project leader Latest research interests: Large scale RSA crypto survey

691 views • 49 slides
PLCS Tutorial in 30 minutes! NASA ESA PDE 2009 Nigel Shaw, Eurostep Limited C O P Y R I G H T

PLCS Tutorial in 30 minutes! NASA ESA PDE 2009 Nigel Shaw, Eurostep Limited C O P Y R I G H T

PLCS Tutorial in 30 minutes! NASA ESA PDE 2009 Nigel Shaw, Eurostep Limited C O P Y R I G H T E U R O S T E P G R O U P What is PLCS ? ISO 10303-239 Published 2005 Part of STEP Product Life Cycle Support Effectively an ISO standard

471 views • 25 slides
Bouncing Back: Building Resilience in Migrant Wives Facing Family Violence in Singapore A study

Bouncing Back: Building Resilience in Migrant Wives Facing Family Violence in Singapore A study

Bouncing Back: Building Resilience in Migrant Wives Facing Family Violence in Singapore A study based on migrant wives in a crisis shelter to understand how they overcome adversities Presented By: Jean Lim Kanika Kant Theresa Wee Anglican

536 views • 49 slides
Welcome back to CIS 530! PLEASE TYPE YOUR QUESTIONS IN THE CHAT IF YOUR INTERNET IS TOO SLOW TO

Welcome back to CIS 530! PLEASE TYPE YOUR QUESTIONS IN THE CHAT IF YOUR INTERNET IS TOO SLOW TO

Welcome back to CIS 530! PLEASE TYPE YOUR QUESTIONS IN THE CHAT IF YOUR INTERNET IS TOO SLOW TO SEE THE VIDEO, YOU CAN FIND THE SLIDES ON THE CLASS WEBSITE New course policies 1. Im granting everyone 10 extra late days. You can now use up

857 views • 56 slides
INTERNET LAW SESSION 5 DR ANGELA DALY 15 NOVEMBER 2019 WELCOME BACK TO INTERNET LAW! PRIVACY

INTERNET LAW SESSION 5 DR ANGELA DALY 15 NOVEMBER 2019 WELCOME BACK TO INTERNET LAW! PRIVACY

INTERNET LAW SESSION 5 DR ANGELA DALY 15 NOVEMBER 2019 WELCOME BACK TO INTERNET LAW! PRIVACY AND PART I DATA PROTECTION OVERVIEW Privacy Data protection Surveillance Exercises Privacy the right to be let alone Warren and

611 views • 44 slides
LAVENTURE MIDDLE SCHOOL HOME OF THE FALCONS Back to the Future! Our 2017-18 Mission: Close the

LAVENTURE MIDDLE SCHOOL HOME OF THE FALCONS Back to the Future! Our 2017-18 Mission: Close the

LAVENTURE MIDDLE SCHOOL HOME OF THE FALCONS Back to the Future! Our 2017-18 Mission: Close the GAP Our Approach: PBIS PLCs AVID instructional Umbrella Schoolwide Literacy Focus on Equity Our 2018-19 MISSION: Close the GAP Our

228 views • 12 slides
Back-Office Web Traffic on the Internet Enric Pujol TU-Berlin

Back-Office Web Traffic on the Internet Enric Pujol TU-Berlin

Back-Office Web Traffic on the Internet Enric Pujol TU-Berlin Philipp Richter TU-Berlin Balakrishnan Chandrasekaran Duke University Georgios

579 views • 38 slides
2 Control and Field Level Devices Industrial Automation, EPFL, Spring 2019 Content 2.1 PLCs

2 Control and Field Level Devices Industrial Automation, EPFL, Spring 2019 Content 2.1 PLCs

2 Control and Field Level Devices Industrial Automation, EPFL, Spring 2019 Content 2.1 PLCs (controllers) 2.2 Basics of control 2.3 Programming PLCs Industrial Automation | 2019 2 PLC = Programmable Logic Controller: Definition AP =

835 views • 69 slides
Poisoning Networks Motjvatjon You are sittjng in an Internet Cafe at the airport heading back

Poisoning Networks Motjvatjon You are sittjng in an Internet Cafe at the airport heading back

create your own exercise Pranav Jagdish &amp; Cristoph Hielscher Poisoning Networks Motjvatjon You are sittjng in an Internet Cafe at the airport heading back from that awesome vacatjon You are wishing your loved ones Happy New Year

581 views • 15 slides
Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1)

Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1)

Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1) Brian Randell Brian Randell Brian Randell WADS-3, May 2004 1 The Menu The Menu The Menu On Dependability Concepts On Fault Assumptions

600 views • 20 slides
Prepping the Professionals in our PLCs Curriculum Leadership Development Network of IL

Prepping the Professionals in our PLCs Curriculum Leadership Development Network of IL

Prepping the Professionals in our PLCs Curriculum Leadership Development Network of IL ASCD 4/ 30 /201 8 Doug Lillydahl Director of Communication Arts A. E. Stevenson High School dlillydahl@d125.org Page 1 PROFESSIONAL

183 views • 15 slides
Winning back technology for people Whose interest should technology serve? Principle 1

Winning back technology for people Whose interest should technology serve? Principle 1

Winning back technology for people Whose interest should technology serve? Principle 1 Principle 2 The internet is an integral part of modern The internet is a global public resource that lifea key component in education, must remain

309 views • 19 slides
The UE facing territorial diversity The role of local development facing the crisis Seminar:

The UE facing territorial diversity The role of local development facing the crisis Seminar:

The UE facing territorial diversity The role of local development facing the crisis Seminar: THE EU AND ITS RURAL AREAS: A CUMBERSOME LEGACY IN THE 21ST CENTURY? Wladyslaw Piskorz Head of Unit - Competence Centre Inclusive Growth, Urban and

449 views • 12 slides
Effective Interventions: Thinking Outside the Box Created PLCs devoted to curriculum and

Effective Interventions: Thinking Outside the Box Created PLCs devoted to curriculum and

Effective Interventions: Thinking Outside the Box Created PLCs devoted to curriculum and student interventions Its more Impact Team to discuss academics, behavior, and than one attendance Developed teacher leaders

252 views • 22 slides
Solidifying The Cloud How to back up the Internet Raymond Blum Staff Site Reliability Engineer,

Solidifying The Cloud How to back up the Internet Raymond Blum Staff Site Reliability Engineer,

Solidifying The Cloud How to back up the Internet Raymond Blum Staff Site Reliability Engineer, International Man of Mystery, Google Lessons Learned Backing Up Google Ensuring durability and integrity of user data is job one A lapse in

360 views • 17 slides
No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your favourite team? Do you use the internet to watch music videos? Do you use the Internet to read the news? Do you use the Internet to play games? Shared

997 views • 51 slides
7/16/2020 Professional Development Requirements and Opportunities PY 20-21 July 16, 2020

7/16/2020 Professional Development Requirements and Opportunities PY 20-21 July 16, 2020

7/16/2020 Professional Development Requirements and Opportunities PY 20-21 July 16, 2020 7/16/2020 1 Agenda Updates Virtual PLCs Agency PLCs Institutes Teaching Skills that Matter PI PD plans IHPDS training

420 views • 5 slides
PLCS: A CATALYST FOR PROGRAM IMPROVEMENT An Early Childhood Investigations Webinar Lindsey Allard

PLCS: A CATALYST FOR PROGRAM IMPROVEMENT An Early Childhood Investigations Webinar Lindsey Allard

SCHOOL READINESS CONSULTING PRESENTS: PLCS: A CATALYST FOR PROGRAM IMPROVEMENT An Early Childhood Investigations Webinar Lindsey Allard Agnamba, Ed. D. Katherine Rowell, M. Ed. Founder and Executive Director Practice Manager

360 views • 34 slides
Item 7.1 Change of use of land for the erection of a chalet/mobile home at Baads Farm, Anguston

Item 7.1 Change of use of land for the erection of a chalet/mobile home at Baads Farm, Anguston

Item 7.1 Change of use of land for the erection of a chalet/mobile home at Baads Farm, Anguston Road, Peterculter 200040/DPP FACING SOUTH FACING WEST FACING NORTH FACING SOUTH-EAST FACING SOUTH-EAST Key Issues This is a stand alone

310 views • 10 slides
The educational challenges The educational challenges facing children in migrant facing children

The educational challenges The educational challenges facing children in migrant facing children

Child and Youth Migration in West Africa: Research Progress and Implications for Policy The educational challenges The educational challenges facing children in migrant facing children in migrant communities in cocoa- -growing growing

92 views • 7 slides
Design &amp; Verification of Restart-robust Industrial Control Software Dimitri Bohlender

Design &amp; Verification of Restart-robust Industrial Control Software Dimitri Bohlender

Design &amp; Verification of Restart-robust Industrial Control Software Dimitri Bohlender VTSA18, Inria Nancy, 27 August 2018 Introduction On Restart-robustness Programmable Logic Controllers (PLCs) PLCs are devices tailored to the

803 views • 45 slides

More recommend