EXFILTRATING RECONNAISSANCE DATA FROM AIR-GAPPED ICS/SCADA NETWORKS
David Atch & George Lashenko
Black Hat presentation (slide transcript)
Introduction
David Atch
• VP/Research for CyberX
• Military service as the Team Leader in the IDF CERT
• Focused on reverse engineering & malware hunting
George Lashenko
• Security Researcher at CyberX
• Military service in the intelligence unit of the IDF
• Focused on reverse engineering & uncovering ICS zero-day vulnerabilities
Tal Kaminker
• ML Researcher at CyberX
• PhD student in Computer Science
• Focused on Machine Learning & modeling ICS behavior
Agenda
• Ways to get inside OT networks
• Challenges in exfiltrating data from air-gapped networks
• A few words about Ladder Logic
• Our method for exfiltrating data
• How we achieved it
• Demo
OT networks and how to get inside them
[Network diagram labels: Internet; IT Network with HMI; Unidirectional gateway (one-way diode); OT Network with HMI, the Air-Gapped Industrial Network]
Air-Gapped Networks from the Attacker’s Perspective
• Hard to get in
  • Not impossible
• Harder to get out
  • Also not impossible
Air-Gapped Networks from the Attacker’s Perspective
• First reconnaissance stage has to collect these things:
  • Network device mapping
  • Security product mapping
  • Device types and firmware versions
  • Ladder Logic programs
  • Schematics and design documents to understand device importance
  • Overall working patterns of the users/devices
What are the attack vectors?
Attack Vectors: Malicious USB
• autorun.inf – Enabled by default on Windows XP (still widely used in OT networks)
• LNK exploits – Used also by Stuxnet
• DLL Search Order Hijacking
[Diagram labels: HMI, OT Network]
Attack Vectors: External Engineering Laptop
[Diagram labels: HMI, OT Network]
Attack Vectors: Infected Vendor Updates
• NotPetya – Malicious update of Ukrainian financial software
• Dragonfly/Energetic Bear – Malicious updates (containing Havex Trojan) of ICS software from three separate ICS vendors
[Diagram labels: HMI, OT Network]
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A
Attack Vectors: Stolen Remote Access Credentials
1st attack on Ukrainian electric grid (Dec. 2015)
• Phishing attack via IT network
• RAT installed on engineer’s PC
• Theft of privileged credentials
• Entered OT network via trusted VPN connection
[Diagram labels: Internet, IT Network, VPN, OT Network]
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
Exfiltrate Collected Data
• Wait for the laptop to come back and communicate with the malware
• Wait for same/other USB to connect back to the network and exfiltrate through it
Exfiltrate Collected Data: Challenges
• Might take a long time for the malicious relay to connect back
• Increases risk that operation will be detected
Ladder Logic
PLC Structure
[Diagram layers: Hardware, Firmware, Storage, Ladder Logic byte code, Actions]
Ladder Logic Example
If vars.state == 0:
    move(0, vars.send_word_cur_byte)
    move(0, vars.send_word_cur_bit)
Multiple Rungs Example
[Figure: a program made of several rungs, one of them labelled “Rung”]
Block Types
• Ladder logic is organized in blocks
• Block types:
  • Organization Block (OB)
    • Main
    • Executed cyclically
  • Function Blocks
    • Code reuse
  • Data Blocks
    • Variables
OB Blocks
• Cyclic execution (“parallel”)
• Execution by event
  • Network error, …
• Execution in a timer
  • Every x seconds
[Diagram labels: OB1, OB2, OB3, OB_clock]
Why exfiltrate with ladder logic?
• Detection
  • Antivirus doesn’t examine ladder logic
• Persistency
• Previous research showed that Ladder Logic may act as reconnaissance malware
  • Scan the network, gather other ladder logic, gather configurations
  • Look for security products
  • Monitor work hours
• Exploits
  • EternalBlue, …
Previous research
• TEMPEST (1982)
• NSA paper
• Leaking data through electromagnetic emissions
• system-bus-radio
• «Mary had a little lamb»
Setup
• SDRPlay 2
• Antenna to USB
• ConsoleSDR
• TV antenna
• S7-1200
• Default configuration
• POC is tested on this device but may be implemented for other vendors as well
• It’s not a unique feature to this model/vendor
Our Method of Exfiltration
Inject malicious Ladder Logic into the PLC -> Collect data about the network -> Exfiltrate data using low radio frequency
Challenges
• Frequency used by the PLC
  • Every device transmits electromagnetic waves
  • The frequency is different for each device
PLC Processor Behavior: Default Frequency
[Spectrogram: frequency axis from 320 kHz to 400 kHz, time axis from -60 to Now]
Challenges
• Frequency used by the PLC
• Create changes in EM waves
• Through the ladder logic
• Encoding data with changes
PLC EM Behaviors
• Mathematical calculations
  • Mul, mod, …
  • No effect on the strength of the EM emission
• Ethernet cable
  • Has an effect on the frequency
  • Requires physical access
• Send/Receive network traffic
  • No change in the strength or the frequency
• Copying large memory blocks
  • No effect on the strength of the emission
  • But changes the frequency -> success
PLC Emission: Writing to Memory
[Spectrogram: the emission frequency shifts during memcopy]
Challenges
• Frequency used by the PLC
• Create changes in EM waves
• Ladder logic that sends data
Ladder Logic to Exfiltrate Data
• Decide on an encoding
• Synchronization pattern
• Sync the PLC clock to the PC clock
• Send the data
[Figure: example bit sequence 0 0 0 0 0 1 1 1 1 1]
Ladder Logic State Machine
[State machine diagram with states: Initialize, Sync 0, Sync 1, Extract current bit, Send 0, Send 1]
Ladder Logic Rungs
Ladder Logic rungs: send_bit
Controls the current frequency; the rest of the program will manipulate the “bit” variable to encode data
If bit == 1:
    memcopy(dummy_src, dummy_dst, 10000)
Else:
    dummy_var = dummy_var * 123
Ladder Logic rungs: sync
A sync pattern is needed to detect the signal on the listening side
If sync_start <= state <= sync_end:
    If state % 2 == 0:
        send_bit(1)
    Else:
        send_bit(0)
Ladder Logic rungs: send_cur_bit
We send the current bit
If sync_end <= state <= data_end:
    cur_bit = get_cur_bit(data_arr, state)
    If cur_bit == 1:
        send_bit(1)
    Else:
        send_bit(0)
Challenges
• Frequency used by the PLC
• Create changes in EM waves
• Ladder logic that sends data
• Code that receives the transmission
  • Find the transmission frequency
Detecting transmission frequency
[Spectrogram annotations: pattern repeats across multiple frequencies; noisy data; clean signal; background noise]
Detecting transmission frequency
• Treat it like an image
• Correlate to a perfect mask
• Sync will be easiest to detect
[Figure annotations: weak correlation, strong correlation, strongest correlation]
Challenges
• Frequency used by the PLC
• Create changes in EM waves
• Ladder logic that sends data
• Code that receives the transmission
  • Find the transmission frequency
  • Detect a synchronization
    • Sync to the PLC clock
Detecting a sync
• Work with the optimal frequency
• Transform the frequency into a 1D array
Detecting a sync
• Correlate to the perfect signal
[Figure annotations: strong correlation, weak correlation]
Challenges
• Frequency used by the PLC
• Create changes in EM waves
• Ladder logic that sends data
• Code that receives the transmission
  • Find the transmission frequency
  • Detect a synchronization
  • Receive data
Receiving the data
• We are synchronized to the PLC clock
• The PLC sends a bit every second
• We process all the data received in the last second
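The sync-pattern correlation and the per-second bit decision from the receiver slides, written here as a defender-side monitoring check (added example, not the authors' code): it assumes an EM sensor that yields one dominant-frequency estimate per second; the 320/400 kHz levels, the sync length of 8, the 0.9 threshold and the input trace are constructed assumptions.

```python
"""Flag the alternating sync pattern of a covert EM channel in a PLC emission trace.

Constructed example: one dominant-frequency estimate (kHz) per second, as an
EM-monitoring sensor placed beside a PLC might produce. The 320/400 kHz
levels only mirror the spectrogram axis shown in the slides (assumption).
"""
import random

LOW_KHZ = 320.0   # idle emission level (assumed)
HIGH_KHZ = 400.0  # level while the PLC copies large memory blocks (assumed)
SYNC_LEN = 8      # sync states per the slides: even state -> 1, odd state -> 0


def sync_mask(length: int = SYNC_LEN) -> list[int]:
    """'Perfect' sync signal: +1 for a 1-bit, -1 for a 0-bit, alternating."""
    return [1 if i % 2 == 0 else -1 for i in range(length)]


def binarize(trace_khz: list[float]) -> list[int]:
    """Map each per-second frequency estimate to +1 (high) or -1 (low)."""
    mid = (LOW_KHZ + HIGH_KHZ) / 2
    return [1 if f > mid else -1 for f in trace_khz]


def correlate(signal: list[int], mask: list[int]) -> list[float]:
    """Normalized sliding correlation: 1.0 = exact match, -1.0 = inverse."""
    n = len(mask)
    return [sum(a * b for a, b in zip(signal[off:off + n], mask)) / n
            for off in range(len(signal) - n + 1)]


def detect_sync(trace_khz: list[float], threshold: float = 0.9):
    """Return (offset, score) of the best sync match, or None if none qualifies."""
    scores = correlate(binarize(trace_khz), sync_mask())
    if not scores:
        return None
    best = max(range(len(scores)), key=lambda i: scores[i])
    return (best, scores[best]) if scores[best] >= threshold else None


def bits_after_sync(trace_khz: list[float], offset: int, count: int) -> list[int]:
    """One bit per second following a detected sync (for the sensor's report)."""
    sig = binarize(trace_khz)
    start = offset + SYNC_LEN
    return [1 if s > 0 else 0 for s in sig[start:start + count]]


def constructed_trace(seed: int = 7) -> list[float]:
    """Constructed input: idle seconds, a sync, six data bits, idle again."""
    rng = random.Random(seed)

    def jitter(f: float) -> float:      # +/-5 kHz measurement noise (assumed)
        return f + rng.uniform(-5.0, 5.0)

    idle = [jitter(LOW_KHZ) for _ in range(5)]
    sync = [jitter(HIGH_KHZ if m > 0 else LOW_KHZ) for m in sync_mask()]
    data = [jitter(HIGH_KHZ if b else LOW_KHZ) for b in (1, 1, 0, 1, 0, 0)]
    return idle + sync + data + [jitter(LOW_KHZ) for _ in range(3)]


if __name__ == "__main__":
    trace = constructed_trace()
    hit = detect_sync(trace)
    print("sync match (offset, score):", hit)
    if hit:
        print("bits after sync:", bits_after_sync(trace, hit[0], 6))
```

An idle PLC correlates to 0.0 against the alternating mask, so a sustained score near 1.0 at some offset is the signal a monitoring sensor would alert on.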
Statistics
• Distance
  • Up to 1 meter
  • A better antenna -> better range
• Bandwidth
  • 1 bit per second
  • Better algorithm + better antenna -> faster
• Exfiltration techniques
  • Antenna could be mounted on a drone to get to sufficient receiving range
  • Portable antenna could be concealed in a portable device
Demo
Black Hat Sound Bytes
• Use continuous monitoring with anomaly detection to detect the cyber reconnaissance phase preceding data exfiltration
• Detect unwanted Ladder Logic programming
• Detect suspicious traffic originating to/from ICS devices
• Discover new devices on the network