
No Need to Marry to Change your Name! Attacking Profinet IO - PowerPoint PPT Presentation

20.06.2019. No Need to Marry to Change your Name! Attacking Profinet IO Automation Networks Using DCP. Stefan Mehner, Hartmut König, Brandenburg University of Technology Cottbus-Senftenberg. Slides: title, Evolution in Industrial Control Systems, Profinet IO overview and project configuration, attack steps and results, extended attack (DoS on name and IP assignment), disclosure status, conclusion.


  1. 20.06.2019. No Need to Marry to Change your Name! Attacking Profinet IO Automation Networks Using DCP. Stefan Mehner, Hartmut König, Brandenburg University of Technology Cottbus-Senftenberg

  2. Evolution in Industrial Control Systems: from Fieldbus to Industrial Ethernet. Image sources: https://www.indu-sol.com/produkte/profibus/ueberwachung/profibus-inspektorr-nt/ and http://wiki.hmkdirect.com/mediawiki/index.php/File:ProfinetIOTopology.jpg

  3. Profinet IO - Overview: Ethernet-based fieldbus protocol specified in IEC 61784-2; real-time capable; device roles: IO Supervisor, IO Controller, IO Device. Protocol stack figure: the Profinet application uses HTTP, SNMP and DHCP over TCP/UDP, IP and Ethernet for non-real-time (NRT) traffic, while real-time data (RT, IRT) is carried directly on Ethernet.

  4. Profinet IO - Project Configuration (participants: IO Supervisor, IO Controller, IO Device): 1) Engineering of Profinet system, 2) Assignment of IP address, 3) Assignment of device name, 4) Engineering, 5) Checking the device name, 6) Assignment of IP address, 7) Connection establishment, 8) Data exchange

  5. Profinet IO - Project Configuration, message sequence (IO Supervisor, IO Controller, IO Device). Supervisor side: Engineering of Profinet system, Assignment of IP address, Assignment of device name (Name Assignment and IP Assignment). Controller side: Engineering, Checking the device name, Assignment of IP address, Connection establishment, Data exchange. Messages in the diagram: DCP Identify name="device1"? (answered by DCP Timeout while no device holds the name, later by name="device1" from the device), ARP who has "192.168.0.10"? (ARP Timeout while the address is unused), DCP Set name="device1", DCP Set ip="192.168.0.10"

  6. Attack - Goal (participants: IO Supervisor, IO Controller, IO Device; configuration sequence as on slide 4): 1) Engineering of Profinet system, 2) Assignment of IP address, 3) Assignment of device name, 4) Engineering, 5) Checking the device name, 6) Assignment of IP address, 7) Connection establishment, 8) Data exchange

  7. Attack - Steps (participants: Attacker, IO Controller, IO Device; configuration sequence: Engineering of Profinet system, Assignment of IP address, Assignment of device name, Engineering, Checking the device name, Assignment of IP address, Connection establishment, Data exchange). 1) Topology Discovery: name="controller", name="device 1"; 2) Port Stealing: name="device 1"?; 3) Reconfiguration of IO Device: name="mallory"

  8. Results. Table columns: Topology, Controller, Device, Port Stealing (PS), Reconfiguration (R), Sequence PS + R. Rows: Star topology with CPU1516 (devices ET200SP, ET200S, Pepperl+Fuchs, ifm) and CPU315 (ET200S); Line topology with the same controller/device pairs. Cell values, flattened by extraction: !! ! !! Star CPU1516 ET200SP !! ! ET200S x !! ! !! Pepperl+Fuchs !! ! !! ifm !! ! CPU315 ET200S x ( ! ) !! !! Line CPU1516 ET200SP ( !! ) ( ! ) ET200S x ( ! ) !! !! Pepperl+Fuchs !! ( ! ) !! ifm CPU315 ET200S NA NA NA !!. Legend: (...) = attacker connected to CPU; x = not successful; ! = successful, AR restored after attack; !! = successful, AR permanently broken; NA = not applicable

  9. Results - Behavior of ET200S: DCP behavior specified in DIN EN 61158-6-10:2015-09

  10. Extended Attack - Goal (participants: IO Supervisor, IO Controller, IO Device; configuration sequence as on slide 4): 1) Engineering of Profinet system, 2) Assignment of IP address, 3) Assignment of device name, 4) Engineering, 5) Checking the device name, 6) Assignment of IP address, 7) Connection establishment, 8) Data exchange. Reference: Paul, A., Schuster, F., König, H.: Towards the Protection of Industrial Control Systems – Conclusions of a Vulnerability Analysis of Profinet IO. DIMVA 2013


  11. Attack - DoS on Name Assignment (participants: Attacker, IO Supervisor, IO Device; configuration sequence: Engineering of Profinet system, Assignment of IP address, Assignment of device name, Engineering, Checking the device name, Assignment of IP address, Connection establishment, Data exchange). Messages in the diagram: DCP Identify name="device1"? (repeated), DCP Timeout (repeated), name="device1"?

  12. Attack - DoS on IP Assignment (participants: Attacker, IO Controller, IO Device; configuration sequence: Engineering of Profinet system, Assignment of IP address, Assignment of device name, Engineering, Checking the device name, Assignment of IP address, Connection establishment, Data exchange). Messages in the diagram: DCP Identify name="device1"? (repeated), DCP Timeout (repeated), name="device1" (repeated), Ip=" ", ARP who has "192.168.0.10"? (repeated), ARP Timeout (repeated), is at "de:fe:07:20:ab:cd", set ip="192.168.0.10"
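The DCP exchanges on slides 5, 7, 11 and 12 all hinge on two observable events: one station name being answered by more than one MAC (the attacker claiming "device 1" in port stealing and in the name-assignment DoS), and a DCP Set that renames or re-addresses a device from a station that is not the engineering station or controller ("mallory"). The following is an added example, not code from the slides or the authors, of a passive check for both over raw Ethernet frames. It assumes the DCP layout of the IEC 61158-6-10 standard named on slide 9 (EtherType 0x8892, FrameIDs 0xFEFD for Get/Set and 0xFEFF for Identify responses, a 10-byte DCP header followed by option/suboption/length blocks, each opening with a 2-byte BlockInfo or BlockQualifier); the MAC addresses other than the attacker's from slide 12 and the sample frames are constructed.

```python
import struct

PN_ETHERTYPE = b"\x88\x92"                    # PROFINET EtherType
DCP_GETSET, DCP_IDENT_RES = b"\xfe\xfd", b"\xfe\xff"  # FrameIDs: Get/Set, Identify response
SERVICE_SET, SERVICE_IDENTIFY = 4, 5          # DCP ServiceID values
NAME_OF_STATION, IP_PARAMETER = (2, 2), (1, 2)  # (Option, Suboption) of the two properties DCP Set changes

def parse_dcp(frame):
    """Return (src_mac, frame_id, service_id, service_type, blocks) or None if not a DCP Get/Set or Identify response."""
    if len(frame) < 26 or frame[12:14] != PN_ETHERTYPE or frame[14:16] not in (DCP_GETSET, DCP_IDENT_RES):
        return None
    service_id, service_type, _xid, _delay, data_len = struct.unpack("!BBIHH", frame[16:26])
    blocks, pos, end = [], 26, 26 + data_len
    while pos + 4 <= end:
        option, suboption, blen = struct.unpack("!BBH", frame[pos:pos + 4])
        blocks.append(((option, suboption), frame[pos + 6:pos + 4 + blen]))  # skip the 2-byte BlockInfo/BlockQualifier
        pos += 4 + blen + (blen % 2)          # odd-length blocks are padded to an even length
    return frame[6:12].hex(":"), frame[14:16], service_id, service_type, blocks

def audit_dcp(frames, trusted_setters):
    """Alerts: (1) one station name answered by several MACs, (2) DCP Set from a MAC outside trusted_setters."""
    alerts, claimed = [], {}                  # claimed: NameOfStation -> set of MACs answering for it
    for src, frame_id, service_id, service_type, blocks in filter(None, map(parse_dcp, frames)):
        for (opt, sub), value in blocks:
            if frame_id == DCP_IDENT_RES and (opt, sub) == NAME_OF_STATION:
                name = value.decode("ascii", "replace")
                claimed.setdefault(name, set()).add(src)
                if len(claimed[name]) > 1:
                    alerts.append(f"name '{name}' claimed by {sorted(claimed[name])}")
            elif service_id == SERVICE_SET and service_type == 0 and src not in trusted_setters:
                what = {NAME_OF_STATION: "NameOfStation", IP_PARAMETER: "IP parameter"}.get((opt, sub), f"option {opt}/{sub}")
                alerts.append(f"DCP Set of {what} from untrusted {src}")
    return alerts

def build_dcp(src_mac, frame_id, service_id, service_type, blocks):
    """Constructed sample frame (not captured traffic): Ethernet header, DCP header, DCP blocks."""
    body = b""
    for (opt, sub), qualifier, value in blocks:
        blk = struct.pack("!BBHH", opt, sub, 2 + len(value), qualifier) + value
        body += blk + (b"\x00" if len(blk) % 2 else b"")
    hdr = struct.pack("!BBIHH", service_id, service_type, 0x1234, 0, len(body))
    return bytes.fromhex("010ecf000000") + bytes.fromhex(src_mac.replace(":", "")) + PN_ETHERTYPE + frame_id + hdr + body

DEVICE, SUPERVISOR, ATTACKER = "02:00:00:00:00:01", "02:00:00:00:00:10", "de:fe:07:20:ab:cd"
SAMPLE_FRAMES = [  # constructed sequence mirroring the slides: two answers for "device1", then a rename to "mallory"
    build_dcp(DEVICE, DCP_IDENT_RES, SERVICE_IDENTIFY, 1, [(NAME_OF_STATION, 0, b"device1")]),
    build_dcp(ATTACKER, DCP_IDENT_RES, SERVICE_IDENTIFY, 1, [(NAME_OF_STATION, 0, b"device1")]),
    build_dcp(SUPERVISOR, DCP_GETSET, SERVICE_SET, 0, [(NAME_OF_STATION, 1, b"device1")]),
    build_dcp(ATTACKER, DCP_GETSET, SERVICE_SET, 0, [(NAME_OF_STATION, 1, b"mallory")]),
]
```

Running `audit_dcp(SAMPLE_FRAMES, {SUPERVISOR})` yields two alerts: the duplicate claim on "device1" and the untrusted rename; a legitimate Set from the supervisor raises none.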

  13. Results

  14. Status of Disclosure Process: reported attack to German BSI; PNO informed by BSI. Feedback: attack scenario is known; Profinet systems should be protected by cell security concept; only applicable for inside attacker; next version of Profinet with improved security features

  15. Conclusion and Future Work: novel attack on Profinet IO automation systems (topology discovery, port stealing, reconfiguration attack); Denial of Service attack from [Paul2013]; comprehensive evaluation of the applicability; next step: SDN-based firewall to detect and prevent such attacks

  16. Hardware

  17. Topologies

  18. Status of Disclosure Process
