let’s talk bacnet scadasides last minute change

Post on 15-Feb-2016


TRANSCRIPT

LET’S TALK BACNET

SCADASIDES LAST MINUTE CHANGE

MICHAEL TOECKER

Mikhail Turcher, big fanci pantsie

BACNET PROTOCOL

CYBER OVERVIEW

Ooooh… Cybah Cybah Cybah Overfuncher!

BASICS

• BACnet is short for Building Automation and Control Network

• BACnet development started in 1985, was adopted by ASHRAE in 1995, and is now a major component of most Building Automation systems.

• Basically, it’s a protocol used for control, monitoring, and interoperability for automation systems used in buildings

• BACnet controllers are basically PLCs, controlling HVAC, Lighting, Security, and other systems you will find in large buildings

• BACnet networks are… complicated and strange for IT folks…. More in a few.

• Like nearly every ICS protocol, BACnet is also insecure by design

• It supports encryption… It does, 56-Bit DES. Is this really encryption anymore?

• You can also set a password. Maybe. Kinda, it’s like 6 characters with no logging, and doesn’t protect against most BACnet commands

Basi….. Sknnnnzzzz….

WE APOLOGIZE FOR THE FAULT IN THE SUBTITLES..

THOSE RESPONSIBLE HAVE BEEN SACKED

PRIOR ART

@WarezJoe

- ShmooCon 2013: How To Own A Building: Exploiting the Physical World With Bacnet
  http://www.youtube.com/watch?v=d3jtmv6Y9uk

- Redpoint – Bacnet Discovery NSE
  http://www.digitalbond.com/blog/2014/03/26/redpoint-discover-enumerate-bacnet-devices/

Dis presentation needs more goats

A BACNET CONTROLLER

[Controller diagram; labels: Ethernet Port, Universal Inputs, RS485, Analog Outputs, Digital Inputs, POWAH!, RS232!, ?, OTHER BACNET DEVICE]

I tells him to Pressy the butensies!! Press them!!! He does not.

BACNET NETWORKS

BACNET OBJECTS

CHARACTERISTICS OF BACNET PACKETS

[ADD WIRESHARK CAPTURE]

UDP 47808

WHAT YOU NEED TO COMMUNICATE

You need:

1. An Instance ID – An ID that uniquely identifies a device

2. Network ID – Think of it like a subnet, allows separation of groups of devices

3. The Object – A Logical construct holding the data you want

After that, you can make a request to a Specific Device on a Specific Network.

CHARACTERISTICS OF BACNET PACKETS

Object-Name Request

Magic Number 0x810A

CHARACTERISTICS OF BACNET PACKETS

Magic Number 0x810A

Object-Name Response

INTERESTING THINGS TO DO WITH BACNET

REGISTER_FOREIGN_DEVICE()

FOREIGN DEVICE REGISTRATION

59 WILL GET YOU 505

Potential Issues:

1. Requires Spoofing

2. Requires ability to change port numbers.
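As an added example that is not part of the slides, here is the BACnet/IP framing behind the “magic number” and the Register-Foreign-Device request, used from the defender’s side: a small Python parser that reads the BVLC header of UDP 47808 datagrams and flags foreign-device registrations from hosts that are not on an allow list. The header layout and function codes come from the BACnet/IP standard (Annex J of ASHRAE 135); the sample datagrams, addresses and allow list are constructed for illustration.

```python
"""Parse BACnet/IP BVLC headers and flag foreign-device registrations (added example)."""
import struct
from typing import Optional

BACNET_IP_PORT = 47808  # 0xBAC0, the default BACnet/IP UDP port
BVLC_TYPE = 0x81        # the slides' "magic number" 0x810A is this byte + function 0x0A
# BVLC function codes from the BACnet/IP standard (Annex J); subset used here.
BVLC_FUNCTIONS = {0x00: "BVLC-Result", 0x04: "Forwarded-NPDU", 0x05: "Register-Foreign-Device",
                  0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}


def parse_bvlc(payload: bytes) -> Optional[dict]:
    """Return the BVLC function (plus TTL for registrations), or None if not BACnet/IP."""
    if len(payload) < 4 or payload[0] != BVLC_TYPE:
        return None
    function, length = payload[1], struct.unpack("!H", payload[2:4])[0]
    if length != len(payload):  # bytes 2-3 declare the length of the whole datagram
        return None
    info = {"function": BVLC_FUNCTIONS.get(function, "Unknown-0x%02X" % function)}
    if function == 0x05 and length == 6:  # Register-Foreign-Device carries a 2-byte TTL (seconds)
        info["ttl"] = struct.unpack("!H", payload[4:6])[0]
    return info


def foreign_registration_alerts(datagrams, allowed_sources):
    """Flag Register-Foreign-Device requests to port 47808 from hosts not on the allow list.

    A registered foreign device receives the BBMD's broadcasts, so a registration
    from an unexpected host is worth logging on a building network.
    """
    alerts = []
    for src, dst_port, payload in datagrams:
        hdr = parse_bvlc(payload)
        if (dst_port == BACNET_IP_PORT and hdr and src not in allowed_sources
                and hdr["function"] == "Register-Foreign-Device"):
            alerts.append("%s registered as foreign device (TTL %ss)" % (src, hdr.get("ttl")))
    return alerts


# Constructed sample traffic: (source IP, destination UDP port, UDP payload).
SAMPLE_DATAGRAMS = [
    ("10.1.1.50", 47808, bytes.fromhex("810a001101040275010c0c02000001194d")),  # Object-Name read, device 1
    ("10.1.1.50", 47808, bytes.fromhex("810b000c0120ffff00ff1008")),            # Who-Is broadcast
    ("10.1.1.50", 47808, bytes.fromhex("81050006012c")),   # Register-Foreign-Device, TTL 300 s, known host
    ("192.0.2.77", 47808, bytes.fromhex("810500060078")),  # Register-Foreign-Device, TTL 120 s, unknown host
    ("192.0.2.77", 47808, b"hello"),                        # not BACnet/IP at all
]

if __name__ == "__main__":
    for alert in foreign_registration_alerts(SAMPLE_DATAGRAMS, {"10.1.1.50"}):
        print(alert)
```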

LOTS OF BACNET ON THE NET

FOCUSED ON THE BACNET NETWORK

This opinion is shortsighted. Here’s why….

CONCLUSION

Why BACNET?

Cause I work on Critical Infrastructure, and it’s nice to pwn something that I don’t get yelled at for owning.

Cause it’s interesting, and fun, and gets me some attention to demonstrate I know what I’m doing.

Cause it can have some interesting consequences for owners and others.

Why not? It’s still ICS

QUESTIONS?

Thanks,

Mike

Heh. Goatsies. Always End with Goatsies.
