A Rising Tide: Design Exploits in Industrial Control Systems

Transcription

1 A Rising Tide: Design Exploits in Industrial Control Systems Usenix WOOT 16 August 9, 2016 Marina Krotofil Alexander Bolshev; Jason Larsen; Reid Wightman

2 Who we are (alphabetically) 1 Alex Bolshev Jason Larsen Marina Krotofil Reid Wightman

3 Industrial Control System (ICS) 2 Physical application

4 Industrial Control System (ICS) 3 Physical application

5 Cyber-physical exploitation 4 Cyber-physical systems are IT systems embedded in an application in the physical world Interest of the attacker is in the physical world

6 Cyber-Physical Systems Exploiting Analog-to-Digital Converters (joint work with Alexander Bolshev) Black Hat Asia 2016

7 Industrial Control System vulnerabilities ICSA A: Siemens SIMATIC HMI Devices Vulnerabilities (Update A) ICSA : ABB AC500 PLC ICS-ALERT Webserver CoDeSys 01: Advantech EKI- Vulnerability 6340 Command Injection ICSA : Schneider Electric Telvent SAGE RTU DNP3 Improper Input Validation Vulnerability ICSA : Emerson AMS Device Manager SQL Injection Vulnerability 6 ICSA : Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities ICSA : Siemens SCALANCE X-200 Authentication Bypass Vulnerability ICSA : Yokogawa HART Device DTM Vulnerability Physical application

8 Here is the plant. What is the plan? 7

9 Cyber-Physical hacking Manipulate the process Prevent response Direct Indirect Operators Control system (including safety) Direct manipulation of actuators Deceiving controller/operator about process state Blind Mislead Modify operational/safety limits Blind about process state

10 Alarm propagation 9 Catalyst poisoning attack Alarm Alarm Safety shutdow n

11 Motivation: Design vulnerabilities 10 Implementation bugs: SQL-injections, buffer overflows, etc. Discovery relies heavily on automated tools Fixable by patching Design bugs/flaws: Baked into the design or architecture of soft- and hardware Often unique to specific circumstances Requires re-design of the system Works across multiple environments/platforms/equipment

12 Logical layers of ICS 11

13 Physical Layer Exploiting Analog-to-Digital Converters (joint work with Alexander Bolshev) Black Hat Asia 2016

14 Analog to Digital Converters (ADC) 13 Converts a continuous analog signal (voltage or amperage) to a digital number that represents signal's amplitude

15 Threat scenario 14 It is expected that the ADCs on all devices which consume the same analog signal will convert it into the same digital number But what if not?? HMI Control PLC Safety PLC/Logger/DAQ Analog control loop Analog control loop 0V (actuator is OFF) 1.5V (actuator is ON) Actuator

16 Experimental setup 15 HMI Panel Actuator (motor) Safety PLC (S7 1200) Control PLC (arduino) Analog control loop

17 Demo: Two devices, two different conversions 16 Analog control loop

18 Vulnerabilities 17 Sampling frequency (aliasing) Nyquist theorem: f s >= 2*f Dynamic range Signal clipping Distortions in neighboring channels Damage to the ADC

19 Timing diagram 18 Different sampling frequencies of the ADCs result in different output signals

20 Impact 19 Never trust your inputs! IT and OT has common problems In ICS input validation refers to data conten(x)t rather than to its formatting

21 Exploit the device hosting ADC 20 V 10 5 Time From the real life code: uint8_t val = readadc(0); // reading 8-bit ADC value with ranges 0V -15 V val = val 85; // Normalization -> 85 == 5 Volts (255/3) Any signal of less them 5 V (val < 85) will cause integer overflow in val

22 Mitigations 21 Buffer ADC with Low-Pass Filter (LPF) Good design dictates ADC f s >= LPF f c

23 LPFs in the Reference Design 22 ADC with f s > 470Hz LPF with f c near 15 khz

24 Mitigations 23 Hardware mitigations Buffer ADC with Low-Pass Filter (LPF) Good design dictates ADC f s >= LPF f c All ADCs consuming the same signal should have the same f c Software mitigations Adding randomness to sampling frequency Makes it hard for the attacker to predict S/H timings V 0 f s = f + rand( ) Time

25 Control Layer Exploiting Variable Frequency Drives (Reid Wightman) S4x16

26 Variable Speed Drives (VFD) 25

27 Bad vibrations 26 All rotating shafts, from motorcycles to industrial pumps, have mechanical resonance points These are the frequency points (critical speeds) at which vibration can rapidly damage the equipment

28 Wait! I ve heard about it!(?) 27

29 Vulnerability 28 Configuration of Schneider ATV12: Skip frequency

30 Impact 29 Destroying equipment by operating it at its resonance (skip) frequency Masking actual rotating speed from the operator VFD calculates speed for HMI by computing RPM CaseSpeed(RPMS) CaseFreq(Hz) *OutputFreq(Hz) = CurrentSpeed(RPMS)

31 Mitigation 30 Monitoring output freq in addition to RPMs is a good idea But protocols are vulnerable and aren t likely to be changed Better: Vibration (and other parameters) monitoring Out of band, please

32 Cyber Layer Exploiting Protocol Stack Implementation (joint work with Jason Larsen) Several papers & presentations

33 Process control loop 32 Actuators Sensors Adjust themselves to influence process behavior Control system Computes control commands for actuators Measure process state

34 Tuning controller algorithm 33 Requires observations on the live process

35 Stale Data Danger PID response Without attack Under attack Reactor Pressure kpa gauge Hours

36 Vulnerability 35 Modbus IEC Ethernet Serial Logic Vendor Internal Vendor Backplane Vendor Protocol Handshake - Session 4000 Vendor Protocol Handshake - Session 5000 Vendor Protocol Handshake - Session 6000 IEC Protocol Handshake Vendor Protocol Handshake - Session 8000 Vendor Protocol Handshake - Session 9000

37 Vulnerability 36 Process data doesn t show up every time around the logic External racks may only report in every few cycles TCP/IP protocols are often report-by-exception The input memory contains the last known good value Freeze all points for a particular TCP/IP session with a UDP packet by advancing the sequence number Session is kept alive and by sending a UDP packet every 30 seconds to any interface Result: STALE DATA

38 Mitigations 37 State-aware implementation of the protocol stack Compare data with max allowed dead time of the process Reject data which are too stale and/or dangerous to process stability

39 Conclusions 38 ICS security community is researching and evolving Many attack scenarios do not necessary require access to expensive equipment Audits for industrial control systems need to evolve to emphasize the actual design of the environment and protocols Searching for design flaws in ICS requires different skills sets than researching software implementation vulnerabilities

40 Thank You! Alex Bolshev Jason Larsen Marina Krotofil Reid Wightman