A Rising Tide: Design Exploits in Industrial Control Systems
Alexander Bolshev, Jason Larsen, Marina Krotofil, Reid Wightman
USENIX WOOT’16, August 9, 2016
Who we are (alphabetically)
Alex Bolshev, Jason Larsen, Marina Krotofil, Reid Wightman
© 2016 by Honeywell International Inc. All rights reserved.
Industrial Control System (ICS)
[Figure: an ICS embedded in its physical application]
Cyber-physical exploitation
Cyber-physical systems are IT systems “embedded” in an application in the physical world
Interest of the attacker is in the physical world
Cyber-Physical Systems
Industrial Control System vulnerabilities
[Figure: the ICS diagram annotated with published advisories across its physical application]
− ICSA-13-274-01: Siemens SCALANCE X-200 Authentication Bypass Vulnerability
− ICSA-13-274-01: Schneider Electric Telvent SAGE RTU DNP3 Improper Input Validation Vulnerability
− ICSA-15-099-01A: Siemens SIMATIC HMI Devices Vulnerabilities (Update A)
− ICSA-12-320-01: ABB AC500 PLC Webserver CoDeSys Vulnerability
− ICSA-15-048-03: Yokogawa HART Device DTM Vulnerability
− ICSA-15-111-01: Emerson AMS Device Manager SQL Injection Vulnerability
− ICS-ALERT-14-323-01: Advantech EKI-6340 Command Injection
− ICSA-11-307-01: Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities
Here is the plant. What is the plan?
Cyber-Physical hacking
[Figure: attack taxonomy]
Manipulate the process
− Direct (1): direct manipulation of actuators
− Indirect (2): deceiving the controller/operator about the process state
Prevent response (of operators and of the control system, including safety)
− Blind: keep them blind about the process state
− Mislead: modify operational/safety limits
Alarm propagation
[Figure: alarm propagation during a catalyst poisoning attack; labels: Alarm, Alarm, Safety shutdown]
Motivation: Design vulnerabilities
Implementation bugs: SQL injections, buffer overflows, etc.
− Discovery relies heavily on automated tools
− Fixable by patching
Design bugs/flaws: baked into the design or architecture of software and hardware
− Often unique to specific circumstances
− Require a re-design of the system
− Work across multiple environments/platforms/equipment
Logical layers of ICS
[Figure: the logical layers of an ICS]
Physical Layer: Exploiting Analog-to-Digital Converters (joint work with Alexander Bolshev), Black Hat Asia 2016
Analog to Digital Converters (ADC)
Converts a continuous analog signal (voltage or amperage) to a digital number that represents the signal’s amplitude
Threat scenario
[Figure: one analog control loop feeding a Control PLC (driving an actuator), a Safety PLC/Logger/DAQ and an HMI; 0 V means the actuator is OFF, 1.5 V means the actuator is ON]
It is expected that the ADCs on all devices which consume the same analog signal will convert it into the same digital number
– But what if not??
Experimental setup
[Figure: analog control loop testbed: “HMI Panel”, “Control PLC” (Arduino), “Actuator” (motor), “Safety PLC” (S7 1200)]
Demo: Two devices, two different conversions
[Figure: the analog control loop during the demo]
Vulnerabilities
Sampling frequency (aliasing)
− Nyquist theorem: fs >= 2*f
Dynamic range
− Signal clipping
− Distortions in neighboring channels
− Damage to the ADC
Timing diagram
[Figure: the same analog signal sampled by two ADCs]
Different sampling frequencies of the ADCs result in different output signals
Never trust your inputs!
In ICS, input validation refers to data conten(x)t rather than to its formatting
Impact
IT and OT have common problems
Exploit the device hosting the ADC
From real-life code:
    uint8_t val = readADC(0);
    // reading 8-bit ADC value with range 0 V - 15 V
    val = val - 85;
    // normalization -> 85 == 5 Volts (255/3)
Any signal below 5 V (val < 85) will cause an integer overflow (unsigned wrap-around) in val
[Figure: signal voltage (V, ticks at 5 and 10) versus time]
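The wrap-around on the slide, shown next to a checked version, as an added example (this is not code from the talk). readADC(0) is replaced by a constructed raw_code_for_volts helper that assumes the slide's 0 to 15 V range mapped linearly onto the 8-bit codes 0 to 255, so that 5 V is code 85:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the real readADC(0): returns the 8-bit raw code
 * for a voltage, assuming 0..15 V maps onto 0..255 (5 V -> 85 == 255/3). */
static uint8_t raw_code_for_volts(double volts)
{
    if (volts < 0.0) volts = 0.0;
    if (volts > 15.0) volts = 15.0;
    return (uint8_t)(volts * 255.0 / 15.0 + 0.5);
}

/* The pattern from the slide: subtract the 5 V offset in uint8_t arithmetic.
 * For any code below 85 the result wraps modulo 256, so 0 V (code 0) comes
 * out as 171, i.e. a large positive "normalised" reading. */
static uint8_t normalise_unchecked(uint8_t raw)
{
    uint8_t val = raw;
    val = val - 85;   /* wraps when raw < 85 */
    return val;
}

/* Hardened version: widen to a signed type before subtracting and saturate,
 * so readings below 5 V clamp to 0 instead of wrapping. Output stays in the
 * intended 0..170 range. */
static uint8_t normalise_checked(uint8_t raw)
{
    int16_t val = (int16_t)raw - 85;
    if (val < 0) val = 0;
    return (uint8_t)val;
}

int main(void)
{
    double volts[] = {0.0, 3.0, 5.0, 10.0, 15.0};
    for (int i = 0; i < 5; i++) {
        uint8_t raw = raw_code_for_volts(volts[i]);
        printf("%5.1f V -> raw %3u -> unchecked %3u, checked %3u\n",
               volts[i], raw, normalise_unchecked(raw), normalise_checked(raw));
    }
    return 0;
}
```

The unchecked path turns a de-energised input (0 V) into a reading well above the 5 V reference, which is exactly the kind of conversion disagreement between devices the threat scenario describes; the checked path makes the out-of-range case explicit and bounded.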
Mitigations
Buffer ADC with Low-Pass Filter (LPF)
− Good design dictates ADC fs >= LPF fc
LPFs in the Reference Design
ADC with fs > 470Hz
LPF with fc near 15 kHz
Mitigations
Hardware mitigations
− Buffer ADC with Low-Pass Filter (LPF): good design dictates ADC fs >= LPF fc
− All ADCs consuming the same signal should have the same fc
Software mitigations
− Adding randomness to sampling frequency: fs = f + rand(Δ)
− Makes it hard for the attacker to predict S/H (sample-and-hold) timings
[Figure: sampled signal (V) versus time with randomized sample instants]
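An added simulation (not code from the talk or its testbed) that covers both the timing-diagram point, two ADCs sampling the same wire and producing different outputs, and the software mitigation fs = f + rand(Δ). The signal is a constructed 1 kHz square wave between 0 mV (actuator OFF) and 1500 mV (actuator ON); the sampling rates, 10 kHz for the "Control PLC" and 1 kHz for the "Safety PLC", and the small LCG used for reproducible jitter are assumptions of this example:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed analog signal: a square wave between 0 mV ("actuator OFF") and
 * 1500 mV ("actuator ON") toggling every 500 us, i.e. a 1 kHz signal.
 * Time is in microseconds so the whole demo stays in integer arithmetic. */
#define HALF_PERIOD_US 500u
#define ON_THRESHOLD_MV 750

static int signal_mv(uint32_t t_us)
{
    return ((t_us / HALF_PERIOD_US) % 2u == 0u) ? 0 : 1500;
}

/* Sample the signal n times with a fixed period, starting at phase_us, and
 * return how many samples read "ON". Two calls with different periods (or
 * the same period and a different phase) model two ADCs on the same wire. */
static int count_on_samples(uint32_t period_us, uint32_t phase_us, int n)
{
    int on = 0;
    for (int i = 0; i < n; i++) {
        uint32_t t = phase_us + (uint32_t)i * period_us;
        if (signal_mv(t) >= ON_THRESHOLD_MV) on++;
    }
    return on;
}

/* Small deterministic LCG, assumed here only so the jittered run is
 * reproducible offline; a real design would draw from a hardware source. */
static uint32_t lcg_next(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state;
}

/* The slide's software mitigation, fs = f + rand(delta): each sample period
 * is base_period_us plus a random 0..delta_us, so the sample instants stop
 * lining up with the signal's own period. */
static int count_on_samples_jittered(uint32_t base_period_us, uint32_t delta_us,
                                     uint32_t phase_us, int n, uint32_t seed)
{
    int on = 0;
    uint32_t t = phase_us;
    for (int i = 0; i < n; i++) {
        if (signal_mv(t) >= ON_THRESHOLD_MV) on++;
        t += base_period_us + lcg_next(&seed) % (delta_us + 1u);
    }
    return on;
}

int main(void)
{
    /* Assumed rates: "Control PLC" at 10 kHz (100 us), "Safety PLC" at 1 kHz. */
    printf("10 kHz ADC, phase 0    : %3d/100 samples ON\n", count_on_samples(100u, 0u, 100));
    printf(" 1 kHz ADC, phase 0    : %3d/100 samples ON\n", count_on_samples(1000u, 0u, 100));
    printf(" 1 kHz ADC, phase 500us: %3d/100 samples ON\n", count_on_samples(1000u, 500u, 100));
    printf(" 1 kHz ADC + jitter    : %3d/100 samples ON\n",
           count_on_samples_jittered(1000u, 500u, 0u, 100, 12345u));
    return 0;
}
```

The 10 kHz device sees the signal toggling (half its samples ON), while the 1 kHz device, sampling at exactly the signal frequency rather than the 2*f the Nyquist bullet requires, reports the signal as permanently OFF or permanently ON depending only on where its sample instants fall. With the period randomized the 1 kHz device again sees both levels, which is why the jitter makes the sample-and-hold timing unpredictable.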
Control Layer: Exploiting Variable Frequency Drives (Reid Wightman), S4x16
Variable Speed Drives (VFD)
Bad vibrations
All rotating shafts, from motorcycles to industrial pumps, have mechanical resonance points
− These are the frequency points (critical speeds) at which vibration can rapidly damage the equipment
Wait! I’ve heard about it! (?)
Vulnerability
Configuration of Schneider ATV12: Skip frequency
Impact
CurrentSpeed (RPM) = CaseSpeed (RPM) / CaseFreq (Hz) × OutputFreq (Hz)
Destroying equipment by operating it at its resonance (skip) frequency
Masking actual rotating speed from the operator
− VFD calculates speed for HMI by computing RPM
Mitigation
Monitoring output frequency in addition to RPM is a good idea
− But protocols are vulnerable and aren’t likely to be changed
Better: vibration (and other parameters) monitoring
− Out of band, please
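An added example (not code from the talk or from any drive vendor) of the monitoring idea above: the RPM figure the drive derives for the HMI from its CaseSpeed/CaseFreq scaling is compared against an independent estimate from the motor's pole count, and the commanded output frequency is checked against a configured skip band. The synchronous-speed relation 120·f/poles (slip ignored), the 4-pole motor, the 50 RPM tolerance and the 35 Hz ± 2.5 Hz skip band are assumptions of this example:

```c
#include <stdio.h>

/* Speed the drive reports to the HMI, following the slide's scaling:
 * CurrentSpeed = CaseSpeed / CaseFreq * OutputFreq. CaseSpeed and CaseFreq
 * are drive configuration parameters, so the displayed RPM depends on them
 * and not on what the shaft is actually doing. */
static double reported_rpm(double case_speed_rpm, double case_freq_hz,
                           double output_freq_hz)
{
    return case_speed_rpm / case_freq_hz * output_freq_hz;
}

/* Out-of-band estimate of shaft speed from the motor's own nameplate data:
 * synchronous speed = 120 * f / poles (assumed reference; slip ignored). */
static double expected_rpm(double output_freq_hz, int poles)
{
    return 120.0 * output_freq_hz / poles;
}

/* Skip band from the drive's configuration (the ATV12 skip frequency on the
 * slide): 1 if output_freq_hz lies inside the band the drive must avoid.
 * The band values used in main() are constructed. */
static int in_skip_band(double output_freq_hz, double skip_center_hz,
                        double skip_width_hz)
{
    double lo = skip_center_hz - skip_width_hz / 2.0;
    double hi = skip_center_hz + skip_width_hz / 2.0;
    return output_freq_hz >= lo && output_freq_hz <= hi;
}

/* Monitoring check: flag a mismatch between the HMI-reported RPM and the
 * independent estimate, and flag operation inside the skip band.
 * Returns a bitmask: 1 = speed mismatch beyond tolerance, 2 = in skip band. */
static int monitor(double hmi_rpm, double output_freq_hz, int poles,
                   double tol_rpm, double skip_center_hz, double skip_width_hz)
{
    int flags = 0;
    double diff = hmi_rpm - expected_rpm(output_freq_hz, poles);
    if (diff < 0) diff = -diff;
    if (diff > tol_rpm) flags |= 1;
    if (in_skip_band(output_freq_hz, skip_center_hz, skip_width_hz)) flags |= 2;
    return flags;
}

int main(void)
{
    const int poles = 4;                 /* assumed motor */
    const double skip_c = 35.0, skip_w = 5.0;   /* constructed skip band */

    /* Consistent configuration: 1800 RPM at 60 Hz, 60 Hz commanded. */
    double ok = reported_rpm(1800.0, 60.0, 60.0);
    printf("HMI %.0f RPM at 60 Hz -> flags %d\n", ok, monitor(ok, 60.0, poles, 50.0, skip_c, skip_w));

    /* CaseSpeed parameter changed: HMI shows half speed, shaft unchanged. */
    double masked = reported_rpm(900.0, 60.0, 60.0);
    printf("HMI %.0f RPM at 60 Hz -> flags %d\n", masked, monitor(masked, 60.0, poles, 50.0, skip_c, skip_w));

    /* Drive commanded into the skip band while the HMI figure looks fine. */
    double res = reported_rpm(1800.0, 60.0, 34.0);
    printf("HMI %.0f RPM at 34 Hz -> flags %d\n", res, monitor(res, 34.0, poles, 50.0, skip_c, skip_w));
    return 0;
}
```

Both flags rely on data the drive does not control: the pole count comes from the motor nameplate and the skip band from the commissioning record, which is the out-of-band reference the slide asks for. A vibration sensor would replace expected_rpm with a measured value.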
Cyber Layer: Exploiting Protocol Stack Implementation (joint work with Jason Larsen), several papers & presentations
Process control loop
[Figure: sensors, control system and actuators arranged in a loop around the process]
− Sensors: measure process state
− Control system: computes control commands for actuators
− Actuators: adjust themselves to influence process behavior
Tuning controller algorithm
Requires observations on the live process
Stale Data Danger
[Figure: Reactor Pressure (kPa gauge) versus time (hours), without attack and under attack; inset: PID response]
Vulnerability
[Figure: PLC logic fed over Ethernet, Serial and Backplane paths (Modbus, IEC and vendor-internal protocols); the Ethernet path shows vendor protocol handshakes for sessions 4000, 5000, 6000, 8000 and 9000 and an IEC protocol handshake]
Vulnerability
Process data doesn’t show up every time around the logic
− External racks may only report in every few cycles
− TCP/IP protocols are often report-by-exception
The input memory contains the last known good value
− Freeze all points for a particular TCP/IP session with a UDP packet by advancing the sequence number
− Session is kept alive by sending a UDP packet every 30 seconds to any interface
Result: STALE DATA
Mitigations
State-aware implementation of the protocol stack
− Compare data with max allowed dead time of the process
− Reject data which are too stale and/or dangerous to process stability
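An added example (not code from the talk or any PLC vendor's stack) of the state-aware check: every input point carries the time it was last refreshed, and the logic refuses a value whose age exceeds the point's maximum allowed dead time instead of silently reusing the last known good value. The input_point_t layout, the 2500 ms dead time, the 500 ms scan and the constructed pressure updates in run_scenario are assumptions of this example:

```c
#include <stdint.h>
#include <stdio.h>

/* One input point in the controller's input memory: the last value received
 * and the time (ms) at which its protocol session last refreshed it. */
typedef struct {
    double value;
    uint32_t last_update_ms;
} input_point_t;

enum { DATA_GOOD = 0, DATA_STALE = 1 };

/* State-aware check: a value is usable only while its age stays within the
 * process's maximum allowed dead time (a per-point engineering parameter). */
static int point_status(const input_point_t *p, uint32_t now_ms,
                        uint32_t max_dead_time_ms)
{
    uint32_t age = now_ms - p->last_update_ms;   /* unsigned: safe across wrap */
    return age > max_dead_time_ms ? DATA_STALE : DATA_GOOD;
}

/* What the logic calls instead of reading input memory directly: returns 1
 * and the value if it is fresh, 0 (and leaves *out untouched) if it is stale,
 * so the logic can fall back to a safe action rather than act on old data. */
static int read_point(const input_point_t *p, uint32_t now_ms,
                      uint32_t max_dead_time_ms, double *out)
{
    if (point_status(p, now_ms, max_dead_time_ms) == DATA_STALE) return 0;
    *out = p->value;
    return 1;
}

/* Constructed scenario: a pressure point is refreshed every 1000 ms up to
 * t = 3000 ms and then stops being refreshed while the session stays up.
 * The logic scans every 500 ms with a 2500 ms dead time. Returns how many
 * of the 'cycles' scans rejected the point as stale. */
static int run_scenario(int cycles)
{
    input_point_t pressure = {0.0, 0};
    int rejected = 0;
    for (int i = 0; i < cycles; i++) {
        uint32_t now = (uint32_t)i * 500u;
        if (now <= 3000u && now % 1000u == 0u) {
            pressure.value = 2900.0 + i;    /* constructed kPa reading */
            pressure.last_update_ms = now;
        }
        double v;
        if (read_point(&pressure, now, 2500u, &v)) {
            printf("t=%5u ms  pressure %.0f kPa (age %u ms)\n",
                   now, v, now - pressure.last_update_ms);
        } else {
            printf("t=%5u ms  REJECTED: stale by %u ms\n",
                   now, now - pressure.last_update_ms - 2500u);
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    printf("%d scans rejected\n", run_scenario(20));
    return 0;
}
```

Because the check is on the point's own timestamp, it does not matter why refreshes stopped (a slow remote rack, a report-by-exception protocol with nothing to report, or a frozen session): the controller sees the age cross the dead time at t = 6000 ms and stops trusting the value.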
Conclusions
The ICS security community is researching and evolving
Many attack scenarios do not necessarily require access to expensive equipment
Audits for industrial control systems need to evolve to emphasize the actual design of the environment and protocols
– Searching for design flaws in ICS requires different skill sets than researching software implementation vulnerabilities
Thank You!
Alex Bolshev, Jason Larsen, Marina Krotofil, Reid Wightman