A Rising Tide: Design Exploits in Industrial Control Systems

Alexander Bolshev; Jason Larsen; Marina Krotofil; Reid Wightman. USENIX WOOT’16, August 9, 2016.

Page 1: A Rising Tide: Design Exploits in Industrial Control Systems

Alexander Bolshev; Jason Larsen; Marina Krotofil; Reid Wightman

USENIX WOOT’16, August 9, 2016

Page 2: A Rising Tide: Design Exploits in Industrial Control Systems

Who we are (alphabetically)

Alex Bolshev, Jason Larsen, Marina Krotofil, Reid Wightman

Page 3: A Rising Tide: Design Exploits in Industrial Control Systems

© 2016 by Honeywell International Inc. All rights reserved.

Industrial Control System (ICS)

(Figure: an ICS and the physical application it controls)


Page 5: A Rising Tide: Design Exploits in Industrial Control Systems

Cyber-physical exploitation

Cyber-physical systems are IT systems “embedded” in an application in the physical world

Interest of the attacker is in the physical world

Page 6: A Rising Tide: Design Exploits in Industrial Control Systems

Exploiting Analog-to-Digital Converters (joint work with Alexander Bolshev)

Cyber-Physical Systems

Black Hat Asia 2016

Page 7: A Rising Tide: Design Exploits in Industrial Control Systems

Industrial Control System vulnerabilities

(Figure: the ICS and its physical application, annotated with published advisories:)

− ICSA-13-274-01: Siemens SCALANCE X-200 Authentication Bypass Vulnerability
− ICSA-13-274-01: Schneider Electric Telvent SAGE RTU DNP3 Improper Input Validation Vulnerability
− ICSA-15-099-01A: Siemens SIMATIC HMI Devices Vulnerabilities (Update A)
− ICSA-12-320-01: ABB AC500 PLC Webserver CoDeSys Vulnerability
− ICSA-15-048-03: Yokogawa HART Device DTM Vulnerability
− ICSA-15-111-01: Emerson AMS Device Manager SQL Injection Vulnerability
− ICS-ALERT-14-323-01: Advantech EKI-6340 Command Injection
− ICSA-11-307-01: Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities

Page 8: A Rising Tide: Design Exploits in Industrial Control Systems

Here is the plant. What is the plan?

Page 9: A Rising Tide: Design Exploits in Industrial Control Systems

Cyber-Physical hacking

Manipulate the process
− 1. Direct: direct manipulation of actuators
− 2. Indirect: deceiving controller/operator about process state

Prevent response
− Operators: blind (about process state) or mislead
− Control system (including safety): modify operational/safety limits

Page 10: A Rising Tide: Design Exploits in Industrial Control Systems

Alarm propagation

(Figure: alarm propagation, alarm -> alarm -> safety shutdown)

Catalyst poisoning attack

Page 11: A Rising Tide: Design Exploits in Industrial Control Systems

Motivation: Design vulnerabilities

Implementation bugs: SQL-injections, buffer overflows, etc.

− Discovery relies heavily on automated tools

− Fixable by patching

Design bugs/flaws: Baked into the design or architecture of soft- and hardware

− Often unique to specific circumstances

− Requires re-design of the system

− Works across multiple environments/platforms/equipment

Page 12: A Rising Tide: Design Exploits in Industrial Control Systems

Logical layers of ICS

Page 13: A Rising Tide: Design Exploits in Industrial Control Systems

Exploiting Analog-to-Digital Converters (joint work with Alexander Bolshev)

Physical Layer

Black Hat Asia 2016

Page 14: A Rising Tide: Design Exploits in Industrial Control Systems

Analog to Digital Converters (ADC)

Converts a continuous analog signal (voltage or amperage) to a digital number that represents the signal's amplitude

Page 15: A Rising Tide: Design Exploits in Industrial Control Systems

Threat scenario

(Figure: an analog control loop feeding one signal to a Control PLC, an Actuator, a Safety PLC/Logger/DAQ and an HMI; 0 V means the actuator is OFF, 1.5 V means the actuator is ON)

It is expected that the ADCs on all devices which consume the same analog signal will convert it into the same digital number

– But what if not?

Page 16: A Rising Tide: Design Exploits in Industrial Control Systems

Experimental setup

(Figure: analog control loop built from an “HMI Panel”, a “Control PLC” (Arduino), an “Actuator” (motor) and a “Safety PLC” (S7 1200))

Page 17: A Rising Tide: Design Exploits in Industrial Control Systems

Demo: Two devices, two different conversions

(Figure: the analog control loop from the experimental setup)

Page 18: A Rising Tide: Design Exploits in Industrial Control Systems

Vulnerabilities

Sampling frequency (aliasing)
− Nyquist theorem: fs >= 2*f

Dynamic range
− Signal clipping
− Distortions in neighboring channels
− Damage to the ADC

Page 19: A Rising Tide: Design Exploits in Industrial Control Systems

Timing diagram

Different sampling frequencies of the ADCs result in different output signals

Page 20: A Rising Tide: Design Exploits in Industrial Control Systems

Never trust your inputs!

In ICS, input validation refers to data conten(x)t rather than to its formatting

Impact

IT and OT have common problems

Page 21: A Rising Tide: Design Exploits in Industrial Control Systems

Exploit the device hosting the ADC

From real-life code:

    uint8_t val = readADC(0);   // reading 8-bit ADC value with range 0 V - 15 V
    val = val - 85;             // Normalization -> 85 == 5 Volts (255/3)

Any signal of less than 5 V (val < 85) will cause an unsigned integer overflow (wraparound) in val

(Figure: the signal voltage over time against the 5 V and 10 V levels)
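An added example (not code from the talk) that puts the slide's pattern next to a hardened version: the raw counts are constructed, and readADC() is left out in favour of passing the raw count in directly.

```c
#include <stdint.h>
#include <stdio.h>

/* 8-bit ADC over 0 V .. 15 V: 5 V corresponds to count 255/3 = 85. */
#define OFFSET_5V 85

/* Pattern from the slide: the subtraction stays in uint8_t, so every raw count
 * below 85 (an input below 5 V) wraps to a large positive value. */
uint8_t normalize_vulnerable(uint8_t raw) {
    uint8_t val = raw;
    val = val - OFFSET_5V;   /* raw 84 -> 255, raw 0 -> 171 */
    return val;
}

/* Hardened variant: do the arithmetic in int and return -1 for an input below
 * 5 V so the caller can mark the point bad quality instead of acting on it. */
int normalize_checked(uint8_t raw) {
    int val = (int)raw - OFFSET_5V;
    return val < 0 ? -1 : val;
}

/* Raw count to millivolts, for logging (0..255 -> 0..15000 mV). */
int raw_to_mv(uint8_t raw) {
    return (int)raw * 15000 / 255;
}

int main(void) {
    uint8_t samples[] = { 0, 84, 85, 170, 255 };   /* constructed raw counts */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("raw %3d (%5d mV): vulnerable=%3d checked=%d\n",
               samples[i], raw_to_mv(samples[i]),
               normalize_vulnerable(samples[i]), normalize_checked(samples[i]));
    return 0;
}
```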

Page 22: A Rising Tide: Design Exploits in Industrial Control Systems


Mitigations

Buffer ADC with Low-Pass Filter (LPF)

− Good design dictates ADC fs >= LPF fc

Page 23: A Rising Tide: Design Exploits in Industrial Control Systems

LPFs in the Reference Design

ADC with fs > 470 Hz

LPF with fc near 15 kHz

Page 24: A Rising Tide: Design Exploits in Industrial Control Systems

Mitigations

Hardware mitigations: Buffer ADC with Low-Pass Filter (LPF)
− Good design dictates ADC fs >= LPF fc
− All ADCs consuming the same signal should have the same fc

Software mitigations: Adding randomness to sampling frequency, fs = f + rand(△)
− Makes it hard for the attacker to predict S/H timings

(Figure: randomized sampling instants on a voltage-vs-time plot)
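As an added illustration, not from the talk, a constructed simulation of the LPF mitigation for the threat scenario above: two sample-and-hold ADCs at different sampling rates read the same pulse train and disagree, and putting one identical low-pass filter in front of both, with fc at or below each ADC's fs, makes them agree. The pulse train, sampling rates, offsets and ON threshold are assumptions.

```c
#include <stdio.h>

#define PULSE_PERIOD_US 1000   /* constructed input: 1 kHz pulse train, ... */
#define PULSE_WIDTH_US   100   /* ... 1.5 V for 100 us, then 0 V for 900 us */
#define LPF_WINDOW_US   4000   /* moving-average LPF, cutoff roughly 250 Hz */
#define ON_THRESHOLD_MV  750   /* above this a consumer calls the actuator ON */

/* Instantaneous value of the constructed analog signal, in millivolts. */
static int analog_mv(long t_us) {
    long phase = ((t_us % PULSE_PERIOD_US) + PULSE_PERIOD_US) % PULSE_PERIOD_US;
    return phase < PULSE_WIDTH_US ? 1500 : 0;
}

/* The same signal behind a low-pass filter: mean over the preceding window. */
static int lpf_mv(long t_us) {
    long sum = 0;
    for (long i = 0; i < LPF_WINDOW_US; i++)
        sum += analog_mv(t_us - i);
    return (int)(sum / LPF_WINDOW_US);
}

/* Sample-and-hold model of one ADC: n samples, one every period_us, the first
 * at offset_us. Returns the mean reading; filtered=1 puts the LPF in front. */
int adc_mean_mv(long period_us, long offset_us, int n, int filtered) {
    long sum = 0;
    for (int k = 0; k < n; k++) {
        long t = offset_us + (long)k * period_us;
        sum += filtered ? lpf_mv(t) : analog_mv(t);
    }
    return (int)(sum / n);
}

int actuator_on(int mv) { return mv >= ON_THRESHOLD_MV; }

int main(void) {
    /* Control PLC: fs = 1 kHz, first sample 50 us in. Safety PLC: fs = 250 Hz,
     * first sample 500 us in. Same wire, two different conversions. */
    for (int filtered = 0; filtered <= 1; filtered++) {
        int ctrl = adc_mean_mv(1000, 50, 16, filtered);
        int safe = adc_mean_mv(4000, 500, 16, filtered);
        printf("%s: control PLC %4d mV (%s), safety PLC %4d mV (%s)\n",
               filtered ? "with LPF   " : "without LPF",
               ctrl, actuator_on(ctrl) ? "ON" : "OFF",
               safe, actuator_on(safe) ? "ON" : "OFF");
    }
    return 0;
}
```

Without the filter the control PLC reads 1500 mV (ON) while the safety PLC reads 0 mV (OFF); with the shared filter both read 150 mV.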

Page 25: A Rising Tide: Design Exploits in Industrial Control Systems

Exploiting Variable Frequency Drives (Reid Wightman)

Control Layer

S4x16

Page 26: A Rising Tide: Design Exploits in Industrial Control Systems

Variable Speed Drives (VFD)

Page 27: A Rising Tide: Design Exploits in Industrial Control Systems

Bad vibrations

All rotating shafts, from motorcycles to industrial pumps, have mechanical resonance points

− These are the frequency points (critical speeds) at which vibration can rapidly damage the equipment

Page 28: A Rising Tide: Design Exploits in Industrial Control Systems

Wait! I’ve heard about it! (?)

Page 29: A Rising Tide: Design Exploits in Industrial Control Systems

Vulnerability

Configuration of Schneider ATV12: Skip frequency

Page 30: A Rising Tide: Design Exploits in Industrial Control Systems

Impact

CaseSpeed (RPM) / CaseFreq (Hz) × OutputFreq (Hz) = CurrentSpeed (RPM)

Destroying equipment by operating it at its resonance (skip) frequency

Masking actual rotating speed from the operator
− VFD calculates speed for HMI by computing RPM

Page 31: A Rising Tide: Design Exploits in Industrial Control Systems

Mitigation

Monitoring output freq in addition to RPMs is a good idea

− But protocols are vulnerable and aren’t likely to be changed

Better: Vibration (and other parameters) monitoring

− Out of band, please
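An added example (not from the talk) of the first mitigation above: a monitor that keeps its own copy of the nameplate data and skip band, recomputes RPM from the output frequency with the slide's relation, and flags operation inside the resonance band or an HMI speed that no longer matches the output frequency. The pump figures and tolerance are constructed.

```c
#include <stdio.h>

/* Nameplate and commissioning data kept by the monitor, independent of the
 * drive, so a changed skip-frequency setting in the VFD cannot alter it. */
typedef struct {
    double nominal_rpm;   /* motor speed at nominal frequency */
    double nominal_hz;    /* nominal supply frequency */
    double skip_lo_hz;    /* resonance band the shaft must not dwell in */
    double skip_hi_hz;
} vfd_profile;

/* One telemetry sample read from the drive. */
typedef struct {
    double output_hz;     /* frequency actually applied to the motor */
    double reported_rpm;  /* speed the drive computes and shows on the HMI */
} vfd_reading;

enum { VFD_OK = 0, VFD_IN_SKIP_BAND = 1, VFD_RPM_MISMATCH = 2 };

/* The slide's relation: CurrentSpeed = CaseSpeed / CaseFreq * OutputFreq. */
double expected_rpm(const vfd_profile *p, double output_hz) {
    return p->nominal_rpm / p->nominal_hz * output_hz;
}

/* Bit mask of findings: running inside the resonance band, and/or a reported
 * RPM that does not match the output frequency (speed masking). */
int check_reading(const vfd_profile *p, const vfd_reading *r, double tol_rpm) {
    int findings = VFD_OK;
    if (r->output_hz >= p->skip_lo_hz && r->output_hz <= p->skip_hi_hz)
        findings |= VFD_IN_SKIP_BAND;
    double diff = expected_rpm(p, r->output_hz) - r->reported_rpm;
    if (diff < 0) diff = -diff;
    if (diff > tol_rpm)
        findings |= VFD_RPM_MISMATCH;
    return findings;
}

/* Constructed pump: 1450 rpm at 50 Hz, resonance band 32-36 Hz, 10 rpm tolerance. */
static const vfd_profile PUMP = { 1450.0, 50.0, 32.0, 36.0 };
int check_pump(double output_hz, double reported_rpm) {
    vfd_reading r = { output_hz, reported_rpm };
    return check_reading(&PUMP, &r, 10.0);
}
int main(void) {
    printf("40 Hz / 1160 rpm -> 0x%x\n", check_pump(40.0, 1160.0));  /* consistent */
    printf("34 Hz / 1160 rpm -> 0x%x\n", check_pump(34.0, 1160.0));  /* in band, masked */
    printf("34 Hz /  986 rpm -> 0x%x\n", check_pump(34.0, 986.0));   /* in band, honest */
    return 0;
}
```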

Page 32: A Rising Tide: Design Exploits in Industrial Control Systems

Exploiting Protocol Stack Implementation (joint work with Jason Larsen)

Cyber Layer

Several papers & presentations

Page 33: A Rising Tide: Design Exploits in Industrial Control Systems

Process control loop

(Figure: closed loop of sensors, control system and actuators)
− Sensors: measure process state
− Control system: computes control commands for actuators
− Actuators: adjust themselves to influence process behavior

Page 34: A Rising Tide: Design Exploits in Industrial Control Systems

Tuning controller algorithm

Requires observations on the live process

Page 35: A Rising Tide: Design Exploits in Industrial Control Systems

Stale Data Danger

(Figure: reactor pressure in kPa gauge plotted over hours, without attack and under attack, together with the PID response)

Page 36: A Rising Tide: Design Exploits in Industrial Control Systems

Vulnerability

(Figure: PLC logic fed over Ethernet, Serial and Backplane links carrying Modbus, IEC, vendor-internal and vendor protocols; the capture shows vendor protocol handshakes for sessions 4000, 5000, 6000, 8000 and 9000 around an IEC protocol handshake)

Page 37: A Rising Tide: Design Exploits in Industrial Control Systems

Vulnerability

Process data doesn’t show up every time around the logic
− External racks may only report in every few cycles
− TCP/IP protocols are often report-by-exception

The input memory contains the last known good value
− Freeze all points for a particular TCP/IP session with a UDP packet by advancing the sequence number
− Session is kept alive by sending a UDP packet every 30 seconds to any interface

Result: STALE DATA

Page 38: A Rising Tide: Design Exploits in Industrial Control Systems

Mitigations

State-aware implementation of the protocol stack

− Compare data with max allowed dead time of the process

− Reject data which are too stale and/or dangerous to process stability
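An added example (not the authors' code) of the state-aware input handling described above: each input-image point records when real process data last refreshed it, session keepalives do not count as a refresh, and the logic scan rejects any point older than the process's maximum dead time. The dead time, scan rate and refresh schedule are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Input image entry: last known good value plus the time process data last
 * refreshed it. */
typedef struct {
    double   value;
    uint32_t refreshed_ms;
    int      stale;
} input_point;

/* Real process data arrived for this point. */
void point_refresh(input_point *p, double value, uint32_t now_ms) {
    p->value = value;
    p->refreshed_ms = now_ms;
    p->stale = 0;
}

/* A keepalive proves the session is up, not that the value is current, so it
 * deliberately leaves refreshed_ms alone. */
void session_keepalive(input_point *p) { (void)p; }

/* Logic-scan read: usable only while the age is within the process's maximum
 * dead time. Returns 1 with the value, or 0 after marking the point stale. */
int point_read(input_point *p, uint32_t now_ms, uint32_t max_dead_ms, double *out) {
    uint32_t age_ms = now_ms - p->refreshed_ms;   /* unsigned: tolerates wrap */
    p->stale = age_ms > max_dead_ms;
    if (p->stale)
        return 0;
    *out = p->value;
    return 1;
}
/* Constructed scenario: a pressure point refreshed every 2 s until t = 10 s, then
 * only 30 s keepalives, while the logic scans once per second. Returns the scan
 * time (ms) at which the point is first rejected, or 0 if it never is. */
uint32_t first_stale_scan_ms(uint32_t max_dead_ms) {
    input_point pressure = { 0.0, 0, 0 };
    double v;
    for (uint32_t t = 0; t <= 60000; t += 1000) {
        if (t <= 10000 && t % 2000 == 0)
            point_refresh(&pressure, 2800.0 + t / 1000.0, t);
        else if (t % 30000 == 0)
            session_keepalive(&pressure);
        if (!point_read(&pressure, t, max_dead_ms, &v))
            return t;
    }
    return 0;
}
int main(void) { printf("first rejected at t = %u ms\n", first_stale_scan_ms(5000)); return 0; }
```

With a 5 s dead time the frozen point is rejected at t = 16000 ms, six scans after the last real update, even though keepalives keep the session open.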

Page 39: A Rising Tide: Design Exploits in Industrial Control Systems

Conclusions

The ICS security community is researching and evolving

Many attack scenarios do not necessarily require access to expensive equipment

Audits for industrial control systems need to evolve to emphasize the actual design of the environment and protocols
– Searching for design flaws in ICS requires different skill sets than researching software implementation vulnerabilities

Page 40: A Rising Tide: Design Exploits in Industrial Control Systems

Thank You!

Alex Bolshev, Jason Larsen, Marina Krotofil, Reid Wightman