never trust your inputs

NEVER TRUST YOUR INPUTS: DATA PROCESSING AS ATTACK VECTOR ON ICS

Alexander Bolshev & Marina Krotofil

; CAT /DEV/USER

2 Security Analyst Summit 2016

Alexander @dark_k3y Bolshev, Ph.D. Security Researcher @ IOAcLve Assistant Professor @ SPbETU “LETI” Marina @marmusha Krotofil Security Researcher @HoneywellSec

WorkstaLon

WorkstaLon

Firewall

Modem Operator Console

Firewall

SQL Server

PLC

RTU

Maintenance

File Server

Webserver

Corporate LAN

SCADA network

Webservices

AcLve Directory

Sensor VenLl

AcLve Directory

Engineering WorkstaLon

Process LAN

INDUSTRIAL CONTROL SYSTEM


Physical application



WorkstaLon

WorkstaLon

Firewall

Modem Operator Console

Firewall

SQL Server

PLC

RTU

Maintenance

File Server

Webserver

Corporate LAN

SCADA network

Webservices

AcLve Directory

Sensor VenLl

AcLve Directory

Engineering WorkstaLon

Process LAN

Catastrophic consequence

EQUIPMENT DAMAGE AT NUCLEAR PLANT

5

h"p://www.con

trolglob

al.com

/blogs/unfe"

ered

/marina-‐krotofi

ls-‐presen

ta;o

n-‐on

-‐ho

w-‐to-‐hack-‐a-‐che

mical-‐plant-‐and

-‐its-‐im

plica;

on-‐to-‐actual-‐issues-‐at-‐a-‐nu

clear-‐plant/

q  Two iden;cally built nuclear plants. One had flow induced vibra;on issue. And another did not.

q  The vibraLons indicaLon showed itself as hf noise -  Field engineer has filtered the signal to get rid of annoying noise -  Loss of view into vibra;on issue


6

Data flow

Control decision

0 20 40 6064

65

66

67

68

69

Time [hours]

C

Stripper Temperature

IMAGINE A FIELD ARCHITECTURE…


Analog control loop

Control PLC

Actuator

Safety PLC/Logger/DAQ/SIS

HMI

0V (actuator is OFF)

MV – Manipulated Variable

What if MV value on actuator will be different from MV value on logger?

1.5V (actuator is ON)

BUT IT’S ANALOG CONTROL LINE!


It’s impossible to have two different MVs on the same line at the same ;me!

Are you sure?

DEMO VIDEO

INTRO TO ANALOG-‐TO-‐DIGITAL CONVERTERS (ADC)

WHAT IS ADC?

12

q  Converts a con;nuous analog signal (voltage or amperage) to a digital number that represents signal's amplitude

t

x(t)

ADC IN A NUTSHELL


QuanLzing &

Encoding

…

•  Frequency •  Phase •  Amplitude

Sampling & Holding (S/H) circuit

Resolution

MSB

ADC

Clock

uI(t)

VREF

uI’(t) fs Dn-1

D1 D0

Conversion time

f clock

EXPLOITABLE ADC LIMITATIONS


q  Sampling frequency should follow Nyquist rule ( > 2B) q  Input amplitude range

fs

http

s://s

vi.n

l/Alia

sing

Arti

fact

s

“RACING” WITH ADC CLOCK

LET’S SETUP EXPERIMENT


Experimental setup: -  Arduino Leonardo (Atmega32U4 with build-‐in ADC, 125kHz int clock) -  Si5351 generator

Algorithm: 1.  Generate square signal with

specific frequency and phase, 2.  Read 120 ADC values in row

and average them, 3.  Output to serial port (PC), 4.  Increase phase and frequency, 5.  GOTO 1.

RESULT


What is this?!

STRANGE AVERAGE VALUES


q On Arduino Leonardo ADC divider is set to the max value 128 At 16 Mhz master clock freq, the ADC clock freq = 125kHz

q  At ~125kHz there is a high probability, that generated signal will be always sampled by S&H in its max or min amplitude value -  Average signal value even aher 120 conversions will be 3.3V or 0V

RACING WITH ADC CLOCK


LET’S REPEAT OUR EXPERIMENT


Frequency = around 8.9kHz)

TIMING DIAGRAM EXPLAINS EVERYTHING


conversion time

Signal

FROM ATMEGA32U4 DATASHEET


Chapter 24 on ADC , page 302

125kHz / 14 ~ 8928Hz (112μs) We’ve just breached through sampling rate

precision of the ADC!

PROBLEMS WITH USING ADC IN SOFTWARE

ADC access Lming

FROM DEMO: TWO DEVICES & TWO DIFF OUTPUTS


Wait, but why? Timing diagrams can explain ;-‐)

EVERYTHING IS MUCH EASIER IN ICS WORLD


q  In many real-‐world ICS applica;ons ADC doesn’t sample input signal with highest possible frequency -  Typical sampling rate is 1-‐100 ;mes per second

HURDLES OF THE ATTACKER


q  How to figure out the required phase and frequency to crah malicious signal?

q  Send some peak signals and monitor output of the ADC (directly/indirectly)

q  E.g. by hacking into switch you can monitor/control both data flow to control PLC AND signals from SIS/Safety LC/logger/DAQ/etc


Analog control loop

Control PLC

Actuator

Safety PLC/Logger/DAQ/SIS

MV – Manipulated Variable

Compromised industrial switch HMI

FIGURING OUT SIGNAL PARAMETERS

ADC conversion Lme

PROBLEMS WITH USING ADC IN SOFTWARE

ADC IN CRITICAL APPLICATIONS


Be careful when using ADC in criLcal applicaLons

q  Industrial PLCs also have analog inputs and built-‐in ADCs

q  Let’s test at one of the most popular PLCs S7 1200

EXPERIMENT

30

Let’s check the real conversion Lme of S7 1200 ADC

Arduino

Waveform generator S7 1200

Analog signal

S7 Protocol

S7 input amplitude Frequency

I2C

Reads value from PLC every

N Lme

31 Frequency is fixed

N=8.3ms

N=9ms

N=7ms

N=4.5ms

N=2.5ms

WHAT’S WRONG?


Nothing, really. You just need to read datasheet more thoroughly

Text in small letters

INVALID RANGE OF SIGNAL

BREAKING SOFTWARE DEFINED RANGES (I)


q  Consider a 5-‐10V signal which is consumed by ADC with ranges 0-‐15 V

q  What will happen if you send signal lower than 5V or higher 10V?

Time 5

10

V

From the real life code:

uint8_t val = readADC(0); // reading 8-‐bit ADC value with ranges 0V -‐15 V val = val – 85; // Normaliza;on -‐> 85 == 5 Volts (255/3)

Any signal of less them 5 V (val < 85)will cause integer overflow in val

BREAKING HARDWARE DEFINED RANGES


What if the avacker sends signal outside of the ADS hardware defined range?

q  ADC will output max value (all bit set to 1) q  ADC might be damaged (did not test out of cost factors J) q  Values on other inputs could be distorted

ATTACK VECTORS IN ICS SYSTEMS

DIRECT ACCESS ATTACK TOOLKIT

38

Line coupling circuit (usually OpAmp/Transformer)

Total setup cost 50$ (1kHz) -‐-‐ 400$ (50MHz)

ATTACKING FROM ICS DEVICE

39

q Compromising one of the field components (PLC, sensor, actuator, DAQ, logger, etc.) -  Most MCUs inside transmi"ers/actuators are capable of genera;ng

arbitrary signals up to 500-‐1000Hz -  Some devices allow to generate signals of 44kHz and above

ATTACK FROM TRANSMITTER


HART transmiver reference design ;-‐)

DAC with s/r up to 100kHz (smooth sine wave at ~ 5kHz)

http

://w

ww

.tm-e

etim

es.c

om/e

n/ac

cura

te-in

dust

rial-t

empe

ratu

re-m

easu

rem

ents

-with

-loop

-pow

ered

-tran

smitt

er.h

tml?

cmp_

id=7

&ne

ws_

id=2

2291

8850

MITIGATIONS

We’re at SAS axer all J

HARDWARE MITIGATIONS


PUT ANALOG LPF (LOW-‐PASS FILTER) ON ADC INPUT


q Low-‐pass filter rejects signals with a frequency higher than its cutoff frequency

q Buffer ADC input with LPF q Good design dictates ADC fs >= LPF fc

LPF FILTERS IN REFERENCE DESIGNS


“We included LPF in our design"

ADC with fs > 470Hz

LPF with fc near 15 kHz


SOLUTION

FLIP SIDE OF USING LPF


”Securing” may lead to more vulnerabiliLes

q When adding LPF into an individual device, make sure that all related devices have the same cut-‐off frequencies

q E.g. if PLC input is buffered with LPF 𝒇↓𝒄 =𝟏𝒌𝑯𝒛 and actuator equipped with LPF with 𝒇↓𝒄 =𝟓𝒌𝑯𝒛, the a"ack not only possible, but the probability of success increases!

NOTE: DIGITAL LPF WON’T WORK!


Do not use digital LPF after the ADC! ADC will be already compromised by an ill-intended signal and no digital filter will fix the matters

USE ADC WITH HIGHER BANDWIDTH/LOWER CONVERSION TIME


q  Using ADC with higher sampling frequency can mi;gate “oversampling” a"ack as the a"acker will have to generate signal of much higher frequency

q  Genera;ng >1MHz signal and injec;ng it into analog line is much harder than injec;ng < 1MHz signal -  H/f signals subjected to greater a"enua;on and more affected by

noise

SCALE SIGNAL AMPLITUDE BEFORE ADC


q  To avoid abuse of ADC ranges, normalize signal amplitude before feeding the signal to ADC -  Simplest op;on: voltage divider + OpAmp, -  Signal condi;oning circuits or even dynamic

range compression

Select what is suitable for your OT process

SOFTWARE MITIGATIONS


APPLY SECURE CODING TECHNIQUES


q  Scru;nize your ADCs/PLC datasheets to figure out effecLve ranges, conversion ;me, frequency and other cri;cal parameters

q Even if it is sufficient to control the process with one value per second, sample the signal with higher frequency and average converted values

q When receiving value from ADC, treat it as an absolute value (all bits received from ADC are significant)

DO NOT SLEEP! (WHILE WORKING J)


Avoid wriLng/using the following code (if you don’t completely understand your process and aren’t completely sure about what you are doing)

Val = readADC(); Output(Val); Sleep(Timeout);

IT AND OT HAVE COMMON PROBLEMS


NEVER TRUST YOUR INPUTS

never trust your inputs

Technology