never trust your inputs
TRANSCRIPT
NEVER TRUST YOUR INPUTS: DATA PROCESSING AS ATTACK VECTOR ON ICS
Alexander Bolshev & Marina Krotofil
; CAT /DEV/USER
2 Security Analyst Summit 2016
Alexander @dark_k3y Bolshev, Ph.D. Security Researcher @ IOAcLve Assistant Professor @ SPbETU “LETI” Marina @marmusha Krotofil Security Researcher @HoneywellSec
WorkstaLon
WorkstaLon
Firewall
Modem Operator Console
Firewall
SQL Server
PLC
RTU
Maintenance
File Server
Webserver
Corporate LAN
SCADA network
Webservices
AcLve Directory
Sensor VenLl
AcLve Directory
Engineering WorkstaLon
Process LAN
INDUSTRIAL CONTROL SYSTEM
3 Security Analyst Summit 2016
Physical application
INDUSTRIAL CONTROL SYSTEM
4 Security Analyst Summit 2016
WorkstaLon
WorkstaLon
Firewall
Modem Operator Console
Firewall
SQL Server
PLC
RTU
Maintenance
File Server
Webserver
Corporate LAN
SCADA network
Webservices
AcLve Directory
Sensor VenLl
AcLve Directory
Engineering WorkstaLon
Process LAN
Catastrophic consequence
EQUIPMENT DAMAGE AT NUCLEAR PLANT
5
h"p://www.con
trolglob
al.com
/blogs/unfe"
ered
/marina-‐krotofi
ls-‐presen
ta;o
n-‐on
-‐ho
w-‐to-‐hack-‐a-‐che
mical-‐plant-‐and
-‐its-‐im
plica;
on-‐to-‐actual-‐issues-‐at-‐a-‐nu
clear-‐plant/
q Two iden;cally built nuclear plants. One had flow induced vibra;on issue. And another did not.
q The vibraLons indicaLon showed itself as hf noise - Field engineer has filtered the signal to get rid of annoying noise - Loss of view into vibra;on issue
INDUSTRIAL CONTROL SYSTEM
6
Data flow
Control decision
0 20 40 6064
65
66
67
68
69
Time [hours]
C
Stripper Temperature
IMAGINE A FIELD ARCHITECTURE…
7 Security Analyst Summit 2016
Analog control loop
Control PLC
Actuator
Safety PLC/Logger/DAQ/SIS
HMI
0V (actuator is OFF)
MV – Manipulated Variable
What if MV value on actuator will be different from MV value on logger?
1.5V (actuator is ON)
BUT IT’S ANALOG CONTROL LINE!
8 Security Analyst Summit 2016
It’s impossible to have two different MVs on the same line at the same ;me!
Are you sure?
DEMO VIDEO
10 Security Analyst Summit 2016
INTRO TO ANALOG-‐TO-‐DIGITAL CONVERTERS (ADC)
WHAT IS ADC?
12
q Converts a con;nuous analog signal (voltage or amperage) to a digital number that represents signal's amplitude
t
x(t)
ADC IN A NUTSHELL
13 Security Analyst Summit 2016
QuanLzing &
Encoding
…
• Frequency • Phase • Amplitude
Sampling & Holding (S/H) circuit
Resolution
MSB
ADC
Clock
uI(t)
VREF
uI’(t) fs Dn-1
D1 D0
Conversion time
f clock
EXPLOITABLE ADC LIMITATIONS
14 Security Analyst Summit 2016
q Sampling frequency should follow Nyquist rule ( > 2B) q Input amplitude range
fs
http
s://s
vi.n
l/Alia
sing
Arti
fact
s
“RACING” WITH ADC CLOCK
LET’S SETUP EXPERIMENT
16 Security Analyst Summit 2016
Experimental setup: - Arduino Leonardo (Atmega32U4 with build-‐in ADC, 125kHz int clock) - Si5351 generator
Algorithm: 1. Generate square signal with
specific frequency and phase, 2. Read 120 ADC values in row
and average them, 3. Output to serial port (PC), 4. Increase phase and frequency, 5. GOTO 1.
RESULT
17 Security Analyst Summit 2016
What is this?!
STRANGE AVERAGE VALUES
18 Security Analyst Summit 2016
q On Arduino Leonardo ADC divider is set to the max value 128 At 16 Mhz master clock freq, the ADC clock freq = 125kHz
q At ~125kHz there is a high probability, that generated signal will be always sampled by S&H in its max or min amplitude value - Average signal value even aher 120 conversions will be 3.3V or 0V
RACING WITH ADC CLOCK
19 Security Analyst Summit 2016
LET’S REPEAT OUR EXPERIMENT
20 Security Analyst Summit 2016
Frequency = around 8.9kHz)
TIMING DIAGRAM EXPLAINS EVERYTHING
21 Security Analyst Summit 2016
conversion time
Signal
FROM ATMEGA32U4 DATASHEET
22 Security Analyst Summit 2016
Chapter 24 on ADC , page 302
125kHz / 14 ~ 8928Hz (112μs) We’ve just breached through sampling rate
precision of the ADC!
PROBLEMS WITH USING ADC IN SOFTWARE
ADC access Lming
FROM DEMO: TWO DEVICES & TWO DIFF OUTPUTS
24 Security Analyst Summit 2016
Wait, but why? Timing diagrams can explain ;-‐)
EVERYTHING IS MUCH EASIER IN ICS WORLD
25 Security Analyst Summit 2016
q In many real-‐world ICS applica;ons ADC doesn’t sample input signal with highest possible frequency - Typical sampling rate is 1-‐100 ;mes per second
HURDLES OF THE ATTACKER
26 Security Analyst Summit 2016
q How to figure out the required phase and frequency to crah malicious signal?
q Send some peak signals and monitor output of the ADC (directly/indirectly)
q E.g. by hacking into switch you can monitor/control both data flow to control PLC AND signals from SIS/Safety LC/logger/DAQ/etc
27 Security Analyst Summit 2016
Analog control loop
Control PLC
Actuator
Safety PLC/Logger/DAQ/SIS
MV – Manipulated Variable
Compromised industrial switch HMI
FIGURING OUT SIGNAL PARAMETERS
ADC conversion Lme
PROBLEMS WITH USING ADC IN SOFTWARE
ADC IN CRITICAL APPLICATIONS
29 Security Analyst Summit 2016
Be careful when using ADC in criLcal applicaLons
q Industrial PLCs also have analog inputs and built-‐in ADCs
q Let’s test at one of the most popular PLCs S7 1200
EXPERIMENT
30
Let’s check the real conversion Lme of S7 1200 ADC
Arduino
Waveform generator S7 1200
Analog signal
S7 Protocol
S7 input amplitude Frequency
I2C
Reads value from PLC every
N Lme
31 Frequency is fixed
N=8.3ms
N=9ms
N=7ms
N=4.5ms
N=2.5ms
32 Security Analyst Summit 2016
WHAT’S WRONG?
33 Security Analyst Summit 2016
Nothing, really. You just need to read datasheet more thoroughly
Text in small letters
INVALID RANGE OF SIGNAL
BREAKING SOFTWARE DEFINED RANGES (I)
35 Security Analyst Summit 2016
q Consider a 5-‐10V signal which is consumed by ADC with ranges 0-‐15 V
q What will happen if you send signal lower than 5V or higher 10V?
Time 5
10
V
From the real life code:
uint8_t val = readADC(0); // reading 8-‐bit ADC value with ranges 0V -‐15 V val = val – 85; // Normaliza;on -‐> 85 == 5 Volts (255/3)
Any signal of less them 5 V (val < 85)will cause integer overflow in val
BREAKING HARDWARE DEFINED RANGES
36 Security Analyst Summit 2016
What if the avacker sends signal outside of the ADS hardware defined range?
q ADC will output max value (all bit set to 1) q ADC might be damaged (did not test out of cost factors J) q Values on other inputs could be distorted
ATTACK VECTORS IN ICS SYSTEMS
DIRECT ACCESS ATTACK TOOLKIT
38
Line coupling circuit (usually OpAmp/Transformer)
Total setup cost 50$ (1kHz) -‐-‐ 400$ (50MHz)
ATTACKING FROM ICS DEVICE
39
q Compromising one of the field components (PLC, sensor, actuator, DAQ, logger, etc.) - Most MCUs inside transmi"ers/actuators are capable of genera;ng
arbitrary signals up to 500-‐1000Hz - Some devices allow to generate signals of 44kHz and above
ATTACK FROM TRANSMITTER
40 Security Analyst Summit 2016
HART transmiver reference design ;-‐)
DAC with s/r up to 100kHz (smooth sine wave at ~ 5kHz)
http
://w
ww
.tm-e
etim
es.c
om/e
n/ac
cura
te-in
dust
rial-t
empe
ratu
re-m
easu
rem
ents
-with
-loop
-pow
ered
-tran
smitt
er.h
tml?
cmp_
id=7
&ne
ws_
id=2
2291
8850
MITIGATIONS
We’re at SAS axer all J
HARDWARE MITIGATIONS
42 Security Analyst Summit 2016
PUT ANALOG LPF (LOW-‐PASS FILTER) ON ADC INPUT
43 Security Analyst Summit 2016
q Low-‐pass filter rejects signals with a frequency higher than its cutoff frequency
q Buffer ADC input with LPF q Good design dictates ADC fs >= LPF fc
LPF FILTERS IN REFERENCE DESIGNS
44 Security Analyst Summit 2016
“We included LPF in our design"
ADC with fs > 470Hz
LPF with fc near 15 kHz
45 Security Analyst Summit 2016
SOLUTION
FLIP SIDE OF USING LPF
46 Security Analyst Summit 2016
”Securing” may lead to more vulnerabiliLes
q When adding LPF into an individual device, make sure that all related devices have the same cut-‐off frequencies
q E.g. if PLC input is buffered with LPF 𝒇↓𝒄 =𝟏𝒌𝑯𝒛 and actuator equipped with LPF with 𝒇↓𝒄 =𝟓𝒌𝑯𝒛, the a"ack not only possible, but the probability of success increases!
NOTE: DIGITAL LPF WON’T WORK!
47 Security Analyst Summit 2016
Do not use digital LPF after the ADC! ADC will be already compromised by an ill-intended signal and no digital filter will fix the matters
USE ADC WITH HIGHER BANDWIDTH/LOWER CONVERSION TIME
48 Security Analyst Summit 2016
q Using ADC with higher sampling frequency can mi;gate “oversampling” a"ack as the a"acker will have to generate signal of much higher frequency
q Genera;ng >1MHz signal and injec;ng it into analog line is much harder than injec;ng < 1MHz signal - H/f signals subjected to greater a"enua;on and more affected by
noise
SCALE SIGNAL AMPLITUDE BEFORE ADC
49 Security Analyst Summit 2016
q To avoid abuse of ADC ranges, normalize signal amplitude before feeding the signal to ADC - Simplest op;on: voltage divider + OpAmp, - Signal condi;oning circuits or even dynamic
range compression
Select what is suitable for your OT process
SOFTWARE MITIGATIONS
50 Security Analyst Summit 2016
APPLY SECURE CODING TECHNIQUES
51 Security Analyst Summit 2016
q Scru;nize your ADCs/PLC datasheets to figure out effecLve ranges, conversion ;me, frequency and other cri;cal parameters
q Even if it is sufficient to control the process with one value per second, sample the signal with higher frequency and average converted values
q When receiving value from ADC, treat it as an absolute value (all bits received from ADC are significant)
DO NOT SLEEP! (WHILE WORKING J)
52 Security Analyst Summit 2016
Avoid wriLng/using the following code (if you don’t completely understand your process and aren’t completely sure about what you are doing)
Val = readADC(); Output(Val); Sleep(Timeout);
IT AND OT HAVE COMMON PROBLEMS
53 Security Analyst Summit 2016
NEVER TRUST YOUR INPUTS