
SCADA & PLCs in Correctional Facilities: The Nightmare Before Christmas


Formal Metadata

Title
SCADA & PLCs in Correctional Facilities: The Nightmare Before Christmas
Series Title
Number of Parts
122
Author
License
CC Attribution 3.0 Unported:
You may use, modify and reproduce the work or its content for any legal purpose, and distribute and make it publicly available in unmodified or modified form, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Publication Year
Language

Content Metadata

Subject Area
Genre
Abstract
On Christmas Eve, a call was made from a prison warden: all of the cells on death row popped open. Many prisons and jails use SCADA systems with PLCs to open and close doors. Not sure why or if it would happen, the warden called physical security design engineer, John Strauchs, to investigate. As a result of their Stuxnet research, Rad and Newman have discovered significant vulnerabilities in PLCs used in correctional facilities by being able to remotely flip the switches to "open" or "locked closed" on cell doors and gates. Using original and publicly available exploits along with evaluating vulnerabilities in electronic and physical security designs, this talk will evaluate and demo SCADA systems and PLC vulnerabilities in correctional and government secured facilities while recommending solutions. John J. Strauchs, M.A., C.P.P., conducted the security engineering or consulting for more than 114 justice design (police, courts, and corrections) projects in his career, which included 14 federal prisons, 23 state prisons, and 27 city or county jails. He owned and operated a professional engineering firm, Systech Group, Inc., for 23 years and is President of Strauchs, LLC. He was an equity principal in charge of security engineering for Gage-Babcock & Associates and an operations officer with the U.S. Central Intelligence Agency (CIA). His company and work were an inspiration for the 1993 movie, "Sneakers", for which he was the Technical Advisor. He was a presenter at Hackers On Planet Earth (HOPE) in 2008 and DojoCon in 2010 and is a consultant for Recursion Ventures. Tiffany Strauchs Rad, BS, MBA, JD, is the President of ELCnetworks, LLC., a technology development, law and business consulting firm with offices in Portland, Maine and Washington, D.C. Her consulting projects have included business and technology development for start-ups and security consulting for U.S. government agencies.
She is also a part-time Adjunct Professor in the computer science department at the University of Southern Maine teaching computer law, ethics and information security. Her academic background includes studies at Carnegie Mellon University, Oxford University, and Tsinghua University (Beijing, China). She has presented at Black Hat USA, Black Hat Abu Dhabi, Defcon 17 & 18, SecTor, Hackers on Planet Earth, Chaos Communication Congress and regional information security conferences. Tiffany also researches car computers and is fond of virus research (both biological and digital). Teague Newman is an independent information security consultant based in the Washington, D.C. area with extensive penetration testing experience. In 2009, he competed in the Netwars segment of the US Cyber Challenge and ranked within the Top 10 in the US in all rounds in which he participated. He is also an instructor for Core Security Technologies and has instructed professionals on the topics of information security and penetration testing at places like NASA, DHS, US Army, US Marine Corps (Red Team), DOE, various nuclear facilities as well as for large corporate enterprises. His projects include GPU-based password auditing and liquid nitrogen overclocking. Dora The SCADA Explorer: Exploit writer.
Transcript: English (automatically generated)
Hi, everyone. Thank you very much for coming to our presentation. We're going to be talking about some research we did with PLCs in prisons and correctional facilities. And I'll give you an introduction of my co-presenters. Sorry, I hope that's not too loud. The objectives we're going to talk about today are we're going to analyze the SCADA systems and PLC
vulnerabilities. We're going to discuss modern prison design. We have a specialist here who has designed hundreds of prisons and correctional facilities in his career. And we're going to theorize some possible attack vectors and routines and malicious code introduction. I'm going to talk to you about ladder logic. And while it's very easy to learn and to program in this, it's part of the devil in the details
of why some of the PLCs are vulnerable to some of the attacks that we've created. We're also going to recommend some solutions. Some are technical. And as with a lot of security, they're also managerial. This is me. I do a lot of stuff actually. Right now with this project,
I've been doing a lot more technical work. But I'm an attorney as well. I work in Washington D.C. most of the time. But I'm also in Portland, Maine. I'm a part-time adjunct computer science professor at the University of Southern Maine. And I'm so glad I have like every year a bunch of students from that university come to DEF CON. I have a bunch of academic backgrounds.
I've studied in China. It was interesting and did a lot of work overseas. I presented at other Black Hats, DEF CON. So you may have seen me presenting about more like freedom of speech, first amendment issues. But this is the other type of research that I do. And let me turn this over to my father, John Strauchs, and introduce himself.
Well, nothing to introduce. You all can read. The only point I want to make is my specialty really is physical security. Now that's what you all call me. Even though 99% of what I do is electronic systems. And so I do the engineering or the specs and the drawings of, and I've done a lot of what's called just the design,
which is mostly corrections, also courthouses. All right, I am Teague Newman. I'm an independent security researcher
and penetration tester. I'm based out of Northern Nevada up here and also Washington, D.C. In 2009, I competed in the Netwars Challenge. It was part of the U.S. Cyber Challenge. In all the rounds that I competed in, I have placed within the top 10 in the nation. I also do training and penetration testing
for core security. I've taught people all over in all different facets from enterprise to government, as you can see. I've worked places like NASA with U.S. Marine Corps Red Team. So I'm all over the place.
Some of the stuff that I do on my own time is GPU-based password auditing, like somebody up here, and liquid nitrogen overclocking, so that's me. We also have another special member of our team,
Dora the SCADA Explorer, is here in the audience, but Dora did not want to appear on stage. He's an exploit writer. He has a great backpack with all kinds of tricks inside with great exploits. He's good at coding. He lives in the tropical area of Columbia, Maryland, and Dora has done a lot of great work for our group,
so we're very glad that Dora is here with us today in the audience. All right, so one thing that we're gonna describe here is we're not talking about any vendors per se. While we did do our research, as you can see, our PLC that we purchased on eBay and everything, it's up here on the table. We'll have close-ups of the picture if you can't see it. It's a big room.
The Red Team always wins. So what we're here to discuss is really about, we did a lot of research, and some of our attack vectors and exploits were on the control computers. This is not a talk about Siemens per se, but as the picture suggests, I mean, this jail facility is Alcatraz. It was designed to be, no one could break out of prison there, right?
Well, our research suggests otherwise, you know this case to be true as well, but the Red Team always wins, so we're not here to discuss particular vulnerabilities because what's clear and what we're releasing in this presentation today is that with PLCs, it doesn't matter what vendor it is.
So while Siemens is our research module there, it's not just about Siemens, it's about any PLC because we'll discuss and we'll show you a demo of what we've done with the control computer. All right, so why present about prison vulnerabilities? One of the big things that we're talking about here is not our exploits per se. We're not releasing our exploits.
We've used it for a proof of demonstration to all of you about the work that we've done, but it's really to kind of hit home the idea if you work in a facility in which PLCs exist, these are the types of things that you should know. Now all of us, most of us in this room will know, we know what PLCs are. A lot of us have looked at Stuxnet, but if you work in a correctional facility
or you work in other types of facilities that have PLCs and even water treatment plants, those employees may not know what that is. This is part of the problem that we've seen in the correctional facilities is wardens, guards or officers that work there, their responsibility is actually, it's pretty high. Some of the vulnerabilities we saw,
Siemens or GE, whatever, the essence is they can't fix them. What needs to be done is these people working in these facilities need to know that there are devices that can be vulnerable to attacks. So the US puts a lot of money and funding into securing some of our, you know, what we call the US's assets of high secure facilities, bank vaults, things like that where you may see PLCs.
But when it comes to our country's, shall we say, worse liabilities in a sense, we are encouraging some heightened security because of the discoveries that we've made. So we're trying to talk to the people who do work in correctional facilities and that's why we went public with our research. And we'll tell you about a little bit how we did that, but a lot of law enforcement agents too,
we talked about who work in these prison facilities, didn't really know much about this, so we're bringing awareness to that issue. So when we did the research, because this has to do with the US correctional facilities that we were looking at, we briefed some federal agencies. You can see from this slide,
they're friends, they're friendly, but what's great is that when we said, hey, we found this vulnerability, we wanna talk to you about it, it took about two months to really get together everyone from these agencies. But when we did, it was a positive experience in the sense that they were willing to listen and talk to us about what we did.
And they're allowing us to present here and that's why we're really grateful for this because it's not, we didn't talk to Siemens or GE because it's really about the correctional facilities in this presentation we're doing. So we were glad and we are grateful to those agencies who allowed us to do this presentation. All right, so the story of Christmas Eve,
as you may see in the bio, or another bio, the abstract of our presentation, all the doors on death row popped open a little while ago. And I'm gonna have John Strauchs here, my dad, tell you about the story of Christmas Eve because he was called in to figure out why death row, all the doors popped open.
And it's also kind of the basis of this whole entire presentation. And that is that quite some time ago, I designed an electronic security system that is all the electronics for a state penitentiary that included a death row, it was a maximum security facility. We were done, it was occupied, inmates were brought in, the thing was running,
everything seemed to be going fine. And then Christmas Eve, I'm at home and I get a call from the warden. All the doors on death row had popped open spontaneously. That concerned him, now it turned out nothing really bad happened, they got everybody in. But it concerned me a little bit
in terms of what could have happened and liability and things like that. So we immediately went out there and tried to track down what caused it. What it turned out to be was the contractor had not used the manufacturers and model numbers of the equipment we had exactly specified. They had made some substitutions. Now in hindsight, in all likelihood
I would approve the substitutions, but the problem was the two components, that is a PLC and a relay, had never been used at a correctional facility before. And some kind of voltage surge occurred and there was a printed circuit board that had a one-way diode on it, as we found out,
and it was leaking voltage. And it was leaking just enough, not very much, just enough to trip the relays, which then opened up all the doors. Easily fixed. Now, go forward in time, and I'm sitting there watching news about Stuxnet in Iran and how they attacked the PLCs
and got the centrifuges moving fast, and I had a eureka moment. I said, wait a minute. We had that happen at a high security prison accidentally. What could you do if you did something deliberately? And the other thing that occurred to me was,
wait a minute, nobody knows that PLCs are used in prisons. They really don't. Most large security systems don't use PLCs. We'll get into this again later, why you use PLCs in prisons, but if most people don't know
that PLCs are used in prisons, then all this SCADA talk about SCADA attacks is focused on power grids and nuclear facilities and all kinds of other things, but not prisons. And it's a vulnerability that, if you know about it, you can protect yourself, because 98, 99% of the solution
to the problem is procedural, not technical. So this research idea started a lot with looking at the Stuxnet, and those of us that were interested in following, that the code is very well-designed, well-engineered.
I mean, it took a lot of professionals, perhaps a nation state. I'm sure you've all heard those theories, but I got this idea to start looking at where else PLCs that are vulnerable might exist, and I gotta give credit to Tom Parker and FX. They're not a part of this research project, per se, but they have really fantastic analyses they've done of Stuxnet. I mean, going through line by line with the code,
and then Black Hat Abu Dhabi last year, we all got to sit down and really talk about some of the essence of what makes Stuxnet unique. And so, after these presentations, I came back to the US, and I sat down with my father, who has a lot of design experience, and then with Teague, who's a fantastic penetration tester. And that's when we said, wow, this could be interesting.
So, what if someone wrote a worm or a virus that could affect correctional facilities? That was our big question. All right, so I'm gonna turn over, my dad's gonna do a big section now on the design of prisons. And the reason this is important, if you understand the structure on why things are designed in prisons, you'll understand why some of the PLCs and where they're vulnerable is a problem, so.
Culinary Institute of America, and I also work, we actually had a really neat WAV file we're gonna play, but apparently we can't do that right now, so that has nothing to do with anything.
It started with Stuxnet. The attack was, and this is what I read, not personal knowledge, again, STEP 7 of the Siemens software, and apparently there's some Microsoft patches you can do that minimize this vulnerability. But it goes back to the fact
that it's all about the programmable logic controller, the PLC. It's not just the SCADA systems for like power lines, pipelines, water systems. Prisons use PLCs. Now, let's go back to nomenclature just for a minute.
What is a prison or a penitentiary? A prison or penitentiary is something that's probably run by the federal government or the state government. It's confinement for a year to life. I mean, it's serious confinement. When people talk about a jail, and a lot of times they use the terms improperly,
a jail is usually a county, city, or town facility, and confinement is usually less than a year. The only thing about a jail that makes them a little bit interesting is some jails could be really huge. As pointed out, Orange County Jail in California has 2,500 inmates. And the other thing about a jail
that makes them important to look at is a jail is often used for pretrial confinement. That is, while you're awaiting trial, they put you in jail. So you could be a pickpocket, you could be a terrorist, you could be a serial killer. So anybody could be in a jail, even though the confinement's very low. In the United States, there are about, I think exactly right now,
117 federal correctional facilities, 1,700 prisons that have state penitentiaries, 3,000 jails throughout the United States. And of these correctional facilities, about 160 are operated privately. And most, possibly all,
I haven't surveyed them all, so I can't speak definitively, use PLCs in their electronics. That's me in jail. Now, we're going to this because to understand what the vulnerability really is, you gotta understand how a prison operates
or a large jail operates, and what the electronics are, and how it works. This is the contemporary design of a jail. It involves a central control, and then housing pods for housing controls. And the whole idea is ergonomics. And that is, it's no longer the way
Hollywood portrayed large prisons where there are long cell blocks with bars. In fact, most new modern facilities don't even have bars. They have solid doors with vision panels. But these long cell blocks don't exist. The idea is ergonomics is central control can see down those alleys into every housing pod.
The control in every housing pod, ideally, can see every single cell. So there's visual contact with everybody you're managing. And that minimizes the number of people that you need to operate the facility.
Going back to a point I made earlier is I've heard two misconceptions. One is that some people think that PLCs are used in all security systems. And as I said, they're not. Most large security systems, for example, use some kind of operating system
that's specifically written and designed for security systems. The two probably most common ones people know are Lenel International's OnGuard, or Software House's C-CURE 9000. And there are a bunch of others. But those are two really big ones that have a big share of the market.
They don't use PLCs. Now, are there similarities between what they use and the PLC? Of course there are. The only thing is their controllers or their data gathering panels, whatever you want to call them, are smarter, more multifunctional, multitasking, much more state of the art.
Now, no one's ever tested those systems, so I can't really speak to it. But you wouldn't put a PLC. Now, why do you use a PLC in a prison? The reason is it's very simple, it's very basic, it's easy to program, and more importantly, it's easy to track. Because nine times out of 10 after you do your programming,
say you're doing two, 300 cells, or five, 600 cells, that could equate to 20, 30,000 points in a system. If you did conventional programming, that's one heck of a lot of tracking you have to do. Some's not working. This button's supposed to do this. When you use ladder logic, it simplifies it.
Because when you print it out, particularly on a long sheet of paper, it looks like a ladder. And you could follow the lines, trace them with your fingers, and it'll go from this point down to this point down to this point, and it ends up where you want to go. But it's that simplicity and vulnerability that make it vulnerable.
I also want to make one correction, is that we've been doing some news interviews, and one of the news interviews seemed to imply that I said that corrections officers weren't smart, or should have known this stuff.
How many people here drive a car? How many of you know what a PCV valve is? All right, a few do, most don't. Just because you drive a car doesn't mean you're required to know what a positive crankcase ventilation valve is. It's a very important valve, particularly in older cars.
And that's the point, is why should a corrections officer, or a warden, or an administrator, know what a PLC is or how it's programmed? Their specialty, their skills, are to operate the facility as efficiently and probably with not enough people and not enough money, and try to make it work well. That's their job. So I don't mean anything I've said
or whatever accounts may be in the press, and I'm not criticizing the corrections industry or corrections officers. This is the same kind of design. Now, it doesn't look like a spoke of a wheel, but it's the same concept. It's ergonomics, that is, vision lines for control. You can see, in other words,
our rule of thumb was, when we designed, was if you could directly see the door, then you didn't need a video camera there or anything else. If you couldn't see the door, you put a camera there, and not only that, but you put a camera on both sides of the door, not just one side, so that you can see if somebody, for example,
is under duress or being compelled to do something. Many have hundreds of cells, but all but the smallest, jails or prisons, have some kind of central control. So what does it look like?
Starts out with the central control. This is the hub of the wheel. This is the brain of the entire facility, and it runs everything, virtually everything. Even things like showers and lights, depending on what state and jurisdiction you're in,
they have different rules. But the whole purpose of the entire facility is obviously about door control, to keep people in and monitor locks, solenoids and motors, and to monitor sensors or limit switches.
They also monitor many other kinds of systems like closed circuit video surveillance, duress alarms, that is someone's being held at knife point or shank point, I guess, vernacular, intercoms. And some facilities, not all of them,
have some kind of perimeter, and a lot of times there's a perimeter patrol, that is there's a fence intrusion detection system, concertina wire, barbed wire, and so forth. Those things tend to produce nuisance false alarms at high rates. And they sometimes have patrol vehicles out there, they have a graphic interface. Sometimes that graphic interface between a patrol vehicle and central control
is radio frequency. Which, you gotta remember, the big boom in prison and jail construction was about 15, 20 years ago, and back then nobody talked about cyber security or viruses or any of that stuff. It just wasn't important back then.
And these facilities are still operating and they haven't changed hardly at all. They all go back, all these activities go back to a programmable logic controller, usually it's a self-standing rack
some place in an equipment room, not in a control room, and some place in there will be a big relay bank. Because the PLCs themselves don't have the ability or the power to do things. Again, it's basically a very dumb form of multiplexing, basically. And they control many functions.
Now this is a very simplified block diagram of what works. And Teague and Tiffany will be going back to this shortly. You have basically, you have inputs, and the inputs are panel switches, lock sensors, door sensors. You wanna know that the door is closed, and you wanna know that the door is locked.
In the early days, for example, when electronics were first introduced, inmates found that they could put pencils in the track on a sliding door. Why are sliding doors preferred over swing doors? The biggest reason is safety of the corrections officer. Swing doors often end up putting corrections officers in the hospital.
Because some of these inmates have nothing to lose, either that or they have no sense of consequences, and they'll slam that iron door shut. So sliders are preferred, even though it's slightly more expensive. They'll put pencils in there, and sometimes they'll jam up the door right up to the point where the, before the limit switch trips. So you think the door's locked, but it really isn't.
Because the limit switch hasn't tripped yet. There are, by most accounts, 40 to 50 manufacturers of PLCs throughout the world. These are the most common ones used in correctional facilities. And of these, I'd say,
the top ones are Allen-Bradley, GE, and Square D. Now here's some very basic PLC facts. Two points here in terms of protocols. LonWorks is real popular, I don't know. Again, this is a different industry for me also. You may not be familiar with LonWorks.
But the objective of LonWorks is primarily one thing, is to minimize by as much as 40% the amount of wire and conduit you use. And wire conduit in a correctional facility could end up being tens of thousands of dollars in cost savings. Or much more. Another thing is programming language.
The most common programming language for PLCs was then, is still true today, maybe after our presentation it might change, is ladder logic. Simply because it's easy to follow, easy to track, easy to review. It doesn't mean you couldn't use any of the other languages to program your PLC.
It's just simply that they don't. And again, back 15, 20 years ago, at the boom of correction facility design and construction, it was the most common sense thing to do. Make it as simple as possible.
In large facilities, PLCs monitor thousands of points, contact closures that then control hundreds of devices, mostly motors and solenoids. Here's one schematic design, but a better one to look at would be this one. And the point I wanna make here is that, now, you probably are not gonna monitor 34 points,
but if you want it to be a purist about it, and know the exact status of this one door, you could monitor 34 points just on this one schematic. And that's another reason why the PLC is ideal, so easy to review.
And Teague might bring this up a little bit later, but let's look down there under the note. Speed control. We were playing around with, well, if you did it maliciously, what could you do? Well, I remember a demonstration using pneumatic sliding doors
that basically are air-driven pistons. And I saw that when we turned off the speed controls, we could actually crack a two by four and a half using the door. So if you want it to, for example, hurt somebody, that'd be one way of doing it.
And then all the way out, not just inside a facility, even the fence sally port gates ultimately are controlled back at the central control. Now, during the day, for example, there'll be direct control right at the sally port gate. But say two o'clock in the morning, again, they're short staffed, don't have enough people.
A lot of times, they'll switch control back to central control. And at that point, you would have a vulnerability going from inside a correctional facility all the way out to the gate. During the day, you probably would not, because they'll have what's called direct control. And the only way central control would take it over is through an override, which you would rarely do.
And we're gonna harp on this a number of times, and then I'll repeat it again one more time right now, because it's so important. 98, 99% of the solution to fix this vulnerability is procedural, not technical. And in fact, there's probably no technical way
to give a 100% fix for the PLC vulnerability. But if you air gap it, make everybody follow strict procedures, have no unauthorized connections, you probably don't have a problem. At this point, I will turn it over to Teague and Tiffany,
and they're gonna look at specific vulnerabilities and infection vectors. When we did an evaluation of a facility, it was here in the US, and we were able to go in
and take a look at both the internet access, some of the security there, and really talk to some of the people who worked there, the guards, to get an idea of how much knowledge they had about IT, information security, and what they had in the facility. So one of the things that the vulnerabilities we found were open doors and gates. There are times when we were talking
to the officers, prison guards there, where they have shorter staff, and in the morning hours, when controls are shifted to central control because of staffing shortages, if you were a malicious attacker, these are some of the things that you would look at. And if you're inside a prison, you would theoretically be able to see the movement of some of the guards, so this is something that we thought
would be one of the vulnerabilities. As my father said, cause phase lock sliders to go out of phase, preventing doors from opening and closing. This was interesting too, because my father sent some research and some work in fire protection, fire evaluation. And do you wanna mention something about the slam doors?
The mic should be working. Yeah. Not on all doors, but there's one feature called, you have to specify when you request a lock manufacturer, it's called a remote latch holdback. They usually use the initials for that.
And the purpose of that is, that if there's an evacuation, a lot of these doors are called slam locks. As soon as you slam the door shut, it's locked. It stays locked. And the only way you can open it, is with a mechanical key. Someone has to be there. And then depending on the state, some states for example, won't allow any corrections officer
to open more than a certain number of doors, because the assumption is, it might be a smoke filled corridor. And you have to be able to identify the keys by feel. So it's a complicated process. Now, if you wanted to, for example, if you were the Bloods and the Crips, and you wanted to get somebody on the other side, what you would do is start a mattress fire someplace, which happens every year.
And in fact, every couple of years, inmates that are dying, particularly from smoke inhalation, would be to get an evacuation started. And if you knew, if you could suppress the remote latch holdback in the PLC software, and you didn't like the guy behind you, all you had to do is slam the door.
And that door will be locked. And whoever's on the other side of the door is not gonna get out. Emergency release of entire cell blocks through the entire facility. We are gonna be discussing, and T's gonna mention it to you, a cascading release where you, if you release all of the doors at once,
it actually can break the locks and cause pretty severe damage. So we discussed, I think T's gonna mention a little bit more of that in his part that he's doing. And perimeter fence intrusion detection systems have high rates of false alarms. So that's another vulnerability we looked at. And one of the things that a lot of people
have asked us about this presentation is, well, this is not possible because the prison system is not on the internet. It's supposed to be. This is a high secure facility, including maximum security. They should be off the internet. Well, when we did some research and we actually looked at a facility, it's not as, the IT and the way that they set up the networks
in some cases was an afterthought. They designed the prison and the security in it and then the networks and all that came in later after it had been designed. And some of the IT contractors maybe didn't have backgrounds in security. So what we found is that the systems are not as air gapped as you may think. There's not as much network segmentation as you may think.
And we were able to see some problems with that. One of the problems we found is that the PLCs and the control computers, those things need some patching and updates, things like that. So inside the central control center that you remember from the picture we had up there, there's an electronic, not electronic,
but there's like a computer room, equipment room. That's where a lot of the computers are. And when Teague and I did our evaluation, we were able to go and take a look at this stuff. And some of the stuff we found was surprising. Also, if there's a commissary or sometimes some of the lower security prisons, stuff like that, they have like vendors, fast food vendors and stuff
that sell food in the facility. Those have a lot of internet connections to order food, order supplies, things like that. We were able in one circumstance to trace that network back to the control room. So if that is an attack vector that we looked at, that you shouldn't be able to get from the commissary to the control room,
but we did see that that was something that we did see. So we are dismissing the myth that the PLCs are invulnerable because they're not connected to the internet. This is another thing that we saw that if people are in the control room, just like the Stuxnet attack, if you have a USB drive, something like that, that's how the infection can take place.
Also, when we were at this facility on site, we saw IT was there doing some fixes on something. They were in the equipment room unsupervised. And maybe at this particular facility, the guards knew who these guys were. But what we found is when we followed them down in there,
we didn't see anything bad going on with them, but it's the type of attack vector when we're thinking about it. That's a way that you could get that in there. So another thing we found is that there was an interesting story, and it's in our white paper, about when patrol vehicles, when they get close to, for instance, like police stations, small jails, things connected to courthouses when they're bringing in inmates
or people that are standing trial, if they had a video camera, the video is actually transferred via Wi-Fi to the control computer inside of the prison. And T, can you mention more about that? Yeah, so, is this working? All right. So what occurs is some of these DVRs now, when they get within range,
they actually just start uploading video files to essentially the jail LAN, to a storage machine on there. Well, it's been proven at this point that some of the DVRs in the police cars had public IP addresses, and they actually have been hacked remotely,
compromised, and they were able to upload whatever type of file they wanted instead of a video file to whatever the storage unit, you know, the SAN or NAS or whatever it would be at that particular facility. A number of other things were also able to be done, such as watch the video live, but the most interesting thing is
is that the DVR, in fact, was on a public IP address, it was compromised, and they were able to upload a file to within the jail that was not a video. Yeah, and from a story we read that some of those, some people have figured out that if they live near a jail, they can pick this up. It was not an encrypted signal, and the videos went up on YouTube. So that was unfortunate.
So they definitely need some guidance or assistance from the InfoSec community, so we're here doing this part of that reason. So something we saw that was most alarming, though, that really got us to say, we want to talk to the government soon because we'd really like some prison wardens, guards and the Federal Bureau of Prisons to start training people working in these facilities
why you need to not access Gmail, not access Twitter from the control computer. We did see that. So we're in the control room, and Teague was down in the equipment room looking at the PLCs, things like that, and I'm up there, and we're watching someone on the control computer pulling up Gmail. And that's one of the concerns we found,
is if they knew why this is very risky, both for their lives and those of the public at large, I'm sure they wouldn't do that, but sometimes, and my father and I have talked to a lot of law enforcement officers. It gets really late at night. People get bored. They're gonna start checking Facebook, things like that.
They need to know why they should not do that inside the control room particularly, and this is why we're glad to be talking about this because we did see that. So you can cause widespread panic pandemonium either by locking all the cell doors down, opening them up. So the cascade program we talked about, you can destroy all the locks all in one go.
So there are a lot of reasons why if you work in these facilities, know that Stuxnet is not just something in Iran. It's not just something that affects nuclear power plants. It can affect your facilities here, the prison in which you work. So Teague and I are gonna discuss some infection vectors we talked about. So I'm gonna talk about some of the infection vectors
from without. So we talked about the software updates. Straightforward malicious attacks from outside the facility. There has been other research that has shown that some PLCs are connected to the internet and it's something that if you know the model number and all that, it'll make the attack vector a lot easier. Malicious attacks from outside the sanitized point. Connections to the outside.
We saw that. I mean, we've seen connections to the commissary, connections to the outside on the control computer via checking Gmail. So there are a lot of ways that if we want to do a malicious attack, we could do it. So also from without, clearly at this point, we have seen that someone was checking their Gmail from the control computer.
So a client-side attack vector is completely within scope at that point in time because we know that it has, they are checking email. Of course from out, again, there is potential via these DVRs if they're uploading wirelessly from the police cars. And now this would be within a jail, not a prison.
But you also have to look, well, if they're uploading wirelessly, there's wireless there as well. Now how does the network segmentation look in that situation? Clearly it'll probably be different everywhere but it's probably not always going to be done correctly. It's just rare to see it done perfect all the time. From within, obviously, we have the typical
social engineering attack vectors. We've seen people, technicians working alone in the equipment room. Who says they're really technicians, right? Stux pretty well proved that even if stuff is air-gapped, it doesn't particularly matter. You can still compromise it.
So obviously, the other thing to think about as well is it's people say that Stux was via USB drive. Now think about all this stuff we have now with the Teensies and everything else. It doesn't just have to be a USB drive. It can be any particular HID interface.
So obviously, there's clearly all the social engineering vectors and there are a number of external vectors as well. All right, so we talked about we don't believe that in all facilities, internet access is isolated. There's some maximum security facilities we saw that the prisoners had some access to a computer that they,
we read this in an article and the next article said, well, the prisoners are finding all these flaws in it so they're essentially red teaming it in a way and then the prison's fixing all the holes they found including buffer overflows that they saw the prisoners were doing. So is the internet access isolated? We don't know from that system but it's the type of thing that they need to be very cautious about this. So what kind of badness is possible?
This is where we're gonna talk about, I'm just gonna briefly say this is how we set up our basement lab. We're gonna, Teague's gonna give you some pictures of that and we're gonna have a demo of our PLC, what we're working. But okay, so the worst case scenario, one of them is open all the doors. Mayhem, open some of the doors. Released from prison. Is this unlikely? But maybe. You still have to get past the guys with the guns
so that's a little difficult as well. But in the past 30 years, helicopters have been used for prison escapes eight times, six of which were initially successful. They were picked up later for other things but which event is more unlikely? So when we hear that, oh this is really unlikely that this might happen, there have been some very unlikely things with helicopters
but we think that because of Stuxnet and the copycats, things like that, it actually may become a lot more likely. We can close all the doors during a fire. Let's say you don't want a witness to testify against you in trial, lock all the doors and if there's a fire, everyone perishes in that side. So prisoners are locked in, locked down a housing unit. So how much did this research cost us?
And when some people say that to do this type of PLC research, it's gonna take a big lab and a research facility and a lot of money to do it, it did not for us at all. It cost us $2,500. Most of those were in legit licenses. We made it clear that we saw the licenses elsewhere but because we're doing this, well,
and also we wanted to get the legit license so we could do a lot of research on it as well. But we bought this from the vendor and the Siemens model that you see here is the S7-300, the same one exploited by Stuxnet. It's the same one that we do see in some prisons and there are a lot of exploits that are available that we found, exploitdatabase.com or exploitdb.com.
There are a lot that are free, they're out there. So our exploits, by the way, they're unique to some others that have been done out there but they're pretty simple to write. I've seen some buffer overflows on a stack, 30 lines of code. I mean, that's not difficult at all to do. So we had a lot of fun doing this type of research and Teague's gonna now talk to you
about our basement lab, what we had set up. So for the lab, it's a computer with that plugged into it. It could literally be this right here. There's nothing spectacular about it. All you need is a machine that will run the software and a way to connect the PLC to that machine.
It's nothing fancy. We set it up in about 10 minutes. So definitely not advanced persistent threat. Especially, yeah, so anyhow, that's what the lab looks like. That is the machine with the PLC on the table. That's it, that's all. That's what we use to research this.
And this is the programming language. This is just an example of it. It's as easy as if you have taken some basic computer science engineering classes, really understanding just a lot of logical gates. For instance, this is an and, this is an or, and what you see below is what it's gonna look like in the program. So it is pretty simple to get this work
if you understand the logical diagrams there. All right, so for these attack vectors, as we said, we do have exploits of our own, but there are publicly available exploits. I mean, there's a handful out there. You can find them at ExploitDB. There is some going in Metasploit right now. Luigi released like 34 exploits
for SCADA systems in one day. These are not particularly difficult to obtain. All right, so now we talk about our attack vector. Our attack vector that we're demonstrating here is actually similar to what Stuxnet did.
What we're doing is we are directly calling the PLC's application functions. So once you are on that machine that monitors, controls, or programs the PLC's, it's open season. So basically, however you get on that machine, we discuss the attack vectors,
now you're on it, what do you do? Migrate into the process, access the libraries, and call the application functions. So it's using the libraries how they're designed to be used. That's why we're saying this is not particular to Siemens. Yes, we have that, but if the software exists
and it has libraries, it's gonna work across any vendor. Okay, now we're gonna do our demo. We took a demo of our exploit writer. So you're gonna get to hear Dora the SCADA Explorer's voice, hopefully the audio will work on this. We've been having some trouble with audio. Okay, before I get into the demo, I kinda wanna explain some things here. So what we have is this PLC,
there's a number of lights on the bottom and a number of lights on the top. And I just kinda wanna make clear what's going on. You have to use your imagination, because these are just lights. But what occurs is when you flip a switch on the bottom, a light comes up on the bottom and on the top. The bottom, picture it as what you would see
at the monitoring computer. It says, alright, switch is flipped. So in our case, it would say the status of that door is locked. When you see the light occurring at the top, that is what the current status of the actual door in this case would be. So if the light's on up top, the door is locked.
If the light's off up top, the door is unlocked. So you'll also notice in the demo, there's typically the cascading release programs that we talked about. That would be doors opening or closing sequentially. It wouldn't be all at once. The possibility was there that if everything occurred
at once, you could have voltage in rush and you could start frying some electronics. You'll notice it's pretty easy for us to not cascade things. Anyway, just remember, the bottom is what you would see in a monitoring area, and the top is what's actually occurring on the other end with the hardware.
Alright, so what we see in the middle here, this is our PLC. The switches on the bottom represent the actual lock control themselves. So either a physical mechanism or the software changing the state. The LEDs on the right side of those switches represent their state. So that would be if the switch is actually
physically on or off. The LEDs you see at the top represent the actual lock state, which should be like a secondary sensor that's telling you is this lock actually locked or what state it currently is in. And as you see switching back and forth, the LEDs update to show that status. Now in the software, you basically have
all of the internal states, again, are the same things. You can see the lock controls and the lock states themselves. And in the software, the LEDs, or the column with the true and false is basically are the state of the switches and the lock states where they currently are. Alright, so once we actually start running
the exploit, or not exploit, the Meterpreter scripts, we're gonna basically migrate into the controls, the communications part of the software that handles communications with the, actually if you wanna look at the PLC real quick, it's about to trigger.
And there they go. And as you can see in the software itself, the state of the switches is still currently turned on. So basically, yeah, showing false information really. So what we've done, if you wanna move, share that Meterpreter script real quick, kinda what we've done is migrate it into the communications process,
sent using the Siemens actual DLLs, sent using Railgun, the communications commands to send basically any of the information to update the variables on the device itself. And basically all we did.
Alright, so you'll notice there, with this last shot of the software too, that is basically what you would see in the control center. You'll see that, in fact, all the doors are still locked, and clearly on the PLC, they were not. In fact, let me embroider on that just for a second. That is, my original expectation was
that we would somehow be able to control the PLC to unlock a door. Turns out we were able to do much more than that. We can now unlock the door, but tell central control it's still locked when it really isn't. Yeah, we are, in fact, not only are we manipulating the physical state of the door,
we are also suppressing alarms and notifications as well. Okay, can we go back to the other screen, please? This is what it looks like. For those of you who can't see it up here, that was the same one in the video, so there's a close-up picture of it.
And this is, when we toured a correctional facility, we took some pictures of the relays and PLCs and some of the wires and networks there, and we're showing you a few of those in here. These are also, by the way, our white paper was published by Wired, but also it's on Core Security's website under one of their blogs about DEF CON, so you can pull up our white paper and more information on this and see more pictures.
All right, so this is really the summary. We're gonna be talking about the remediation here now, which is pretty clear for what we're gonna do. Use a device for its intended purposes. Those of us in this room, we get that, all right? But for those of you watching elsewhere online, prison wardens, guards, this is very important for you, because there's some things that can't be fixed with PLCs,
it's up to you, really, to, those acceptable use policies have a reason why they're there. Proper network segmentation, restrict physical media, the same stuff that would prevent Stuxnet, this is the stuff that we're discussing here. So, many modern jails and prisons were designed 10 years ago before these attacks were known,
so what we're suggesting is evaluate some of the designs and security that you have. Take a look at the IT network, I mean, very carefully, because if an attack did occur on a correctional facility, it's a pretty big deal. Forcing and updating procedures and policies, and really, having the guards understand
why this is a big deal is the most important thing. This is the biggest risk mitigating thing that you can do, is educate your employees. If you have PLCs that run safety-critical operations or correctional facilities, know that these attacks can't exist. One point I'd like to make is, clearly, the way we're doing it, you can't really patch that, so the education is huge.
How do you, how would you do it otherwise? That's why you need to, everybody always says it, but the layered defenses, you gotta really have it all in place, especially for things like this, that can be deemed critical infrastructure for a particular facility, where it may involve lives of people.
So you gotta determine what's important, and then implement it hard. All right, we also wanna give a big shout-out to Dora the SCADA Explorer for being awesome, and for any of you out there or watching online, if you think that we or Dora hold the keys to the castle here, we do not. These exploits aren't gonna be public, and it's nothing that was terribly,
terribly difficult to do. So we've gotten some interesting requests, I'll tell you, since some articles have been written about us, and no, we won't help you, and it's the type of thing that, that's one of the reasons that Dora has been very quiet here. Are we gonna be taking questions in this room, too? Oh, we are, okay, great.
Oh, okay, thanks. Thanks for the feds who invited us for a briefing. And special thanks to Core Security.
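The following is an added illustration, not code from the talk or from the speakers' basement lab. It models in Python three things the speakers describe in words: the ladder-logic idea that a lock output is an AND of its input contacts (so a door whose limit switch has not tripped, pencil in the track, is never reported locked by the rung itself), the staggered "cascade" release that avoids energising every solenoid at once, and the defender-side check the demo motivates: an independent comparison of what the control-room display claims against the lock sensor wired from the field, so a "still locked" display that disagrees with the bolt sensor raises an alarm instead of being trusted. Door names, the `DoorInputs` fields, the stagger interval and the sample readings are all constructed for the example.

```python
"""Constructed PLC/door-control simulation: a ladder-style lock rung, a
cascade scheduler, and an independent commanded-vs-sensed consistency check.
Added example; not code from the talk or the speakers' lab."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DoorInputs:
    """Field inputs for one door (the talk's panel switch, lock and door sensors).
    Field names are constructed for this example."""
    panel_lock: bool        # operator switch at the control panel: True = lock
    door_closed: bool       # door-position limit switch: True = fully closed
    lock_sensed: bool       # bolt/lock sensor: True = bolt is thrown
    holdback: bool = False  # remote latch holdback asserted (evacuation)


def lock_rung(inp: DoorInputs) -> bool:
    """Ladder rung, read left to right like the AND/OR contacts in the slides:

        |--[ panel_lock ]--[ door_closed ]--[/ holdback ]--( LOCK_OUT )--|

    The solenoid output is energised only when the operator commands lock,
    the door is actually closed (limit switch tripped), and holdback is not
    asserted. A jammed slider that never trips door_closed stays unlocked.
    """
    return inp.panel_lock and inp.door_closed and not inp.holdback


def verify_states(hmi_view: Dict[str, bool], sensors: Dict[str, DoorInputs]) -> List[str]:
    """Independent plausibility check: compare the lock state the control-room
    display claims with the lock sensor read directly from the field.
    Returns the doors whose displayed state disagrees with the sensor, or
    that the field has no reading for; any entry is an alarm condition that
    deserves a physical walk-down rather than trust in the screen."""
    mismatched = []
    for door, displayed_locked in hmi_view.items():
        if door not in sensors:
            mismatched.append(door)  # display knows a door the field does not
            continue
        if sensors[door].lock_sensed != displayed_locked:
            mismatched.append(door)
    return sorted(mismatched)


def cascade_schedule(doors: List[str], stagger_s: float) -> List[Tuple[float, str]]:
    """Release doors one per time slot so solenoids never energise together."""
    return [(i * stagger_s, d) for i, d in enumerate(doors)]


def max_simultaneous(schedule: List[Tuple[float, str]], window_s: float) -> int:
    """Largest number of releases falling inside any window of window_s seconds.
    Lets a reviewer check that a release plan respects an inrush limit."""
    times = sorted(t for t, _ in schedule)
    best = 0
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start < window_s)
        best = max(best, count)
    return best


# Constructed sample: four cells; the display says all four are locked.
SAMPLE_HMI = {"A1": True, "A2": True, "A3": True, "A4": True}
# Constructed field readings: A3's bolt is not thrown although the display
# claims it is, the situation shown in the demo.
SAMPLE_FIELD = {
    "A1": DoorInputs(panel_lock=True, door_closed=True, lock_sensed=True),
    "A2": DoorInputs(panel_lock=True, door_closed=True, lock_sensed=True),
    "A3": DoorInputs(panel_lock=True, door_closed=True, lock_sensed=False),
    "A4": DoorInputs(panel_lock=True, door_closed=True, lock_sensed=True),
}

if __name__ == "__main__":
    print("doors where display and sensor disagree:", verify_states(SAMPLE_HMI, SAMPLE_FIELD))
    plan = cascade_schedule(list(SAMPLE_FIELD), stagger_s=0.5)
    print("max releases inside any 1 s window:", max_simultaneous(plan, 1.0))
```

The consistency check only helps if the lock sensor reaches the comparison on a path the monitoring host does not control; if the same compromised process feeds both the display and the "sensor" value, the check sees agreement. That is the reason to keep the comparison on a separate, simpler device or a hard-wired annunciator rather than on the programming workstation.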