
On the insecure nature of turbine control systems in power generation


Formal metadata

Title
On the insecure nature of turbine control systems in power generation
Subtitle
A security study of turbine control systems in power generation
Number of parts
254
License
CC Attribution 4.0 International:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unchanged or modified form, for any lawful purpose, provided that you credit the author/rights holder in the manner specified by them.

Content metadata

Abstract
A deep dive into the power generation process, industrial solutions and their security implications, flavoured with vulnerabilities, penetration testing (security assessment) methodology and available remediation approaches. The research studies a type of industrial site that is widespread throughout the world: power generation plants. Specifically, the heart of power generation: turbines and their DCS, the control system managing all operations for powering our TVs and railways, gaming consoles and manufacturing, kettles and surveillance systems. We will share our notes on how those systems function, where they are located network-wise and what security challenges owners of power generation face. A series of vulnerabilities will be disclosed along with a prioritisation of DCS elements (hosts) and attack vectors. The discussed vulnerabilities have been addressed by the vendor of one of the most widespread DCSs on our planet. During the talk we will focus on methodology: how to safely assess your DCS installation, which security issues you should try to address first and how to perform do-it-yourself remediation. Most of the remediation steps are confirmed by the vendor, which is crucial for industrial owners.
Transcript: English (automatically generated)
infrastructure we have nowadays is power generation. If there's no power, we're pretty much screwed. Our next speakers will take a very close look at common industrial control systems used in power turbines and their shortcomings. So please give a warm round of applause to Reptep, Moradek and Kors.

Good morning, Congress. Thank you for waking up in the morning. We will talk about the security of power plants today, specifically about automation systems that are used in the power plants. You might think that this is another talk about how insecure the whole industrial things around us are, and more or less it is. So for years we and our colleagues have spoken about problems in industrial security. We are happy to say that things are getting better, but it's just that the temper is a little bit different and feels a little bit uncomfortable. So anyway, we will speak about how power plants are built, what is the automation inside, what are the vulnerabilities, and a high-level overview of what you can do with this.

But at first a little bit of introduction. We are security consultants. We work with a lot of industrial things like PLCs, RTUs, SCADAs, DCSs, whatever it is. We have been doing this for too long. For so long that we have a huge map of contacts with a lot of system integrators and vendors, and throughout the time we are not just doing the consultancy work for some asset owner, for example for a power plant; we also talk to other entities and we try to fix things all together. We work at Kaspersky, and actually the whole research was done not just by me, Rado and Alexander, who are here, but also with the help of Yevgeniya and two Sergeys.

Things that are very important to note: everything that we will discuss right now was reported to the respective vendor basically a long time ago. You can see vendors here, but more or less we will speak only about one vendor today. It is Siemens, but we would like you to understand that similar security issues can be found in all other industrial solutions from other vendors. You would find some of the findings not, for example, that stellar, and it doesn't require weeks of work to find them out, and this would be true specifically for all other vendors which are not mentioned in the talk. Jokes aside, we will share security issues of real power plants out there, and it might look like we are kind of irresponsible guys, but in fact it is the other way around. I mean that to do some kind of research with these systems that are working in the power plants you need to get access to them, you need time to do this research, you need to have some knowledge to do this research, and all these resources are limited for guys like us, for penetration testers, for auditors, for power plant operators and engineers. But for the bad guys, like the potential attackers or adversaries, this is actually their job; they have a lot of investments to do some research. So we assume that bad guys already know this, and we just would like to share some information with the good guys so they would be able to act upon this.

So let's go to the talk itself. Power plants. Power plants are the most common way how humans get their power,
their electricity. They're everywhere around us, and I believe the closest one to Leipzig is called Lippendorf power station. During this research, when we were preparing an introduction, we were surprised how much information about power plants you can get from the internet. It's not just, for example, a picture of the same power station on Google Maps; it is actually a very good scheme of what you can see on the marketing materials from vendors, because when they sell some system that automates power plant operations they sometimes start with building construction, and on their websites you can find schematic pictures of which building does what, where you will find some equipment, and which versions of equipment are used in these systems. But if you don't have this experience you can just Google things and you will find out which systems are used for automation in power plants. For example, for Lippendorf it's some system that is called Siemens SPPA-T2000 and P 3000, which actually has another Siemens system inside called Siemens SPPA-T3000. So it's a little bit confusing, and we are still confused. This is exactly the system that we will focus on today, the Siemens SPPA-T3000, and again it could be any other automation system, but it just happened that we've seen this system more often than others.

There is a way how you can actually see all the generation sites throughout the world, thanks to the carbon monitoring communities. This is not just power plants; this is also nuclear sites, wind generation, solar plants, etc. They are all here, marked by different fuel types of generation; for example, there are coal and gas power plants marked there. So the topic is really huge, and what we will focus on today in our talk is mostly the power plants which work on coal and gas. This is important to mention.

The heart of each power plant is actually a turbine. We don't have a picture of the turbine on the slides, but more or less I think everybody saw it on the airplane; they are very, very similar, specifically in terms of size and mostly how they work. On different vendors' websites you can actually find a lot of information where those turbines are used, and this is for example the map of the turbines from Siemens. Not all turbines specifically are used in power plants; they have a lot of different applications like chemical plants, oil and gas, a lot of other things. But if you correlate this information from previous slides you would be able to identify which systems are used by which power plant, and if you Google more information you can actually tell the versions and the generations of the systems that are used on these power plants. This is important because of the vulnerabilities that we will discuss later on the slides.

So before we speak about what is the automation on power plants, we should understand a little bit how they work. We will go from right to left, and it's very easy. A little notice: throughout the talk we will simplify a lot of things for two reasons, one of them to make it more suitable for the audience, and another thing, we don't really understand everything ourselves. So the first
thing you should get is a fuel. Fuel could be for example coal or gas, and you will just put this inside the combustion chamber, where you would set it on fire, actually, and it will generate a lot of pressure which will go to the turbine, and because of the pressure the turbine will begin to rotate. The turbine has a shaft which will drive the electricity generator, which obviously will generate electricity and put it on the power grid. So it is important from now on to understand that when we generate some electricity on the power plant we put this power not just, for example, for this Congress Center or for some city; we put it in a big thing called the power grid, where other entities will sell this electricity to different customers. There is also a very interesting point: when we do generate this pressure and the combustion chamber is on fire, we have a lot of excessive heat, and we have two options. One of them is to safely put it in the air with condensing towers; this is option number one. Another option is we can do some form of recuperation: for example, we would take this heat, we will warm water, the water will produce steam, and we will put this steam in the steam turbine and produce additional electricity. This is kind of an optimization of some form.

So what is the automation in this process? The automation systems that are used on the power plants are usually called distributed control systems, or DCSs, and everything that I just described is actually automated inside those systems. The vendor of the solution wants to simplify all things for the operator, because we don't want hundreds of people working on the power plant; we just want maybe dozens of people working there, and they want to simplify the whole process. They don't care about where they get this gas or coal or how much they need; they just should be able to stop the generation process, start it, and control one main thing, which is how much power we should produce to the power grid, like how many megawatts of electricity we should produce. This describes the complexity hidden inside these solutions, because there are a lot of small things happening inside, and we will discuss it a little bit later. As I said, these DCSs are not exclusively used on the power plants; there are a lot of other sites that would use the same solutions, the same software and hardware. The DCS is not just software that you can install; it's a set of hardware and software. There are input/output modules, sensors, etc. As I said, sometimes they start from building construction, like there is a field, please build us a power station, so it's a more complex project. So most of the time there are a lot of vendors that are doing it; as I said, we are focusing in this talk on the Siemens one.

Oh, just a short description of how simplified things are for operators of this DCS software. So for example, if we would like to answer the question how we would regulate the output in megawatts of
our power plant, we would need to control basically three things; again, we are oversimplifying here. First of all, this is an example for the gas turbine, so we would need to regulate how much gas we would put inside the combustion chamber, we would control the flame temperature, and we will control the thing that gets air inside the turbine. So basically three things that are controlled by simple PLCs in the whole system, and you would be able, for example, to change 100 megawatts to 150 megawatts based on these settings.

So the system itself that we are going to discuss is called Siemens SPPA-T3000, and actually, again, as all other DCS systems from other vendors, this is a typical industrial system. It has all these things called PLCs, RTUs, HMIs, servers, OPC traffic, etc. The only thing that is different specifically for Siemens SPPA-T3000 is that they have two main things called application server and automation server; the software running on these servers is not what you will find on other installations. Despite the fact that, if you would read the manuals for the systems from Siemens, there would be a lot of different networks and highways and a lot of things, like Siemens would state that there is no connection between the application network and external networks, in practice and in reality you will find things like a specific sensor network, like monitoring of vibration, foreign objects and some noises inside the turbine. You will find the demilitarized zone, because all in all, power plant operators won't have on-site maintenance guys, engineers; they would try to do remote support. They would need to install updates for the operating system, or for the signatures for their antiviruses; they would need to push some OPC traffic, so information about the generation process, outside, either to the corporate network or to some regulator, because the whole energy market is regulated and there are different entities who would monitor how much electricity you are generating, or they basically will tell you how much electricity you should generate, because this is how much electricity was sold on the energy market.

Basically the whole talk is structured like this: we will speak first about application servers, then automation server, and then some summary. It all started with the process called coordinated vulnerability disclosure. We notified Siemens about some issues almost a year ago, and at the beginning of December Siemens published an advisory. It was not an advisory just with the issues from us; a lot of other teams also contributed to it. And this year's December doesn't mean that Siemens just released the patches. The SPPA-T3000 system is exclusively supported, so the system integrator for the system is Siemens itself. So throughout the year after we notified them about some security issues, they started to roll out patches and install updates on critical infrastructure they support, and hopefully they did it with all the sensitive issues. There are a lot of things to discuss here that we will skip because we are a little bit in a hurry, things like: not all vulnerabilities are the same, and we use for example CVSS here to
talk about like how critical the vulnerability is but it's actually not very applicable to the industrial sites you should understand what you can do with each vulnerability how you can impact the process and we will skip this part there's actually a kind of a threat model in a white paper that we
will release later on, during January we hope.

Application server. The application server is the main resource that you would find in the SPPA-T3000 network: if someone remotely connects to the system, they end up on an application server; if someone wants to start the generation process or to change some values, it would be the application server; if there are other servers that, for example, try to communicate with the application server, they will actually start their work by downloading their software from the application server and then executing it.

So the first thing you might notice here is that there are a lot of network ports available on this machine, and actually this is the first point: there is a huge attack surface for the adversary to choose from, whether you would like to compromise some Siemens software, or Windows software, or some other third party. A huge attack surface, starting from the fact that all of the installations of the SPPA systems are kind of different, so depending on the version and the generation you can find different Windows versions, from, I don't know, 2003 to 2016. Hopefully they are all updated right now, but because the update process for such installations is a hard thing to do, I mean you should wait for maintenance, and that's maybe once in half a year or once a year, you will always find some window where you can use some remotely exploitable vulnerabilities like EternalBlue or BlueKeep. More is mentioned on the slide: there are tons of different additional software, like old segue that will allow you to do privilege escalation, badly configured Tomcats, and we have here these funny pie charts that show how the configuration of different software is aligned with the best practices from these benchmarks, which are basically security configuration hardening guides.

The most important thing in the application server is a lot of Java software, and in a minute Radu will tell you about this. Surprise, surprise: one of the most notable problems in the Siemens SPPA-T3000 is actually passwords. There are three important ranges. The first of them is all the installations before 2014 or maybe 2015: all passwords for all power stations were the same, and you can easily Google them; we will also publish the full word list in the white paper. After these years Siemens started to generate unique passwords for all power plants, but until this year it was kind of hard to change these passwords, so you need to be aware of how to do this, you need to know the process, you maybe need to contact your system integrator to do this. Starting from this December it will be much easier, specifically to change passwords. So in the past, even if you knew you had these issues, you were not able to simply change all these things.

Along with the passwords, you can find the full diagrams and integrator documentation that show you how the system is built, how it's operating, specific accounts, etc. Of course this was not published by Siemens; those were some power plant operators who thought that it would be a good idea to share this information.

So, as I said, the most important thing of the application
server is a bunch of Java applications, and please welcome Radu, who will share the details about this.

Hi everyone, let's look at how the software works on the application server. The browser can communicate with the system through a thin client and a fat client. A thin client acts as a Java applet inside Internet Explorer and communicates with the server through HTTPS, so it can be outside of the application network and its communications can be constrained by a firewall. In the opposite case, the fat client software should be installed on the operator machine, and the client directly communicates with the RMI registry to find services and after that directly communicates with these RMI services, so the fat client should belong to the application network.

The illustration of the architecture was kindly provided by SPPA. Let's divide it into zones: in the red zone are the items that process requests from the thin client and redirect them to RMI services, and in the green zone are the RMI services, which act as network services on dynamic TCP ports. SPPA consists of containers; each container can encapsulate one or more RMI services. All types of containers are represented on the illustration, and all of them have self-explanatory names.

Before going deep inside the internals of SPPA,
let me introduce some tools used in this research. First of all, all JAR files inside SPPA are obfuscated with a commercial product, but this security measure can be easily bypassed by a publicly available deobfuscator. Sometimes it is useful to see how legitimate software communicates with the system; it helps to understand the architecture of the system and the workflow of the clients. In the case of SPPA a dissector was written; it represents raw TCP streams in a human-readable format. Inside it uses the readObject method from Java's JDK; it is known that this method is unsafe because of insecure deserialization, so be careful not to be exploited through a remote pcap.

The first pillar of SPPA is the Apache web server. According to its config, the Orion software config folder can be accessed by an unauthorized user. In fact this folder contains some sensitive information about the system, for example the PC system configuration XML files, and the files inside etc contain startup options and configuration of all containers, both in the application network and in the automation network. The configuration of the Orion application in Tomcat can also be accessed using this vulnerability.

And about Tomcat: there are three web applications registered, remote diagnostic viewer, manager and Orion. According to the configurations of Tomcat and the Apache web server, Orion servlets can be accessed through HTTPS, and in the file web.xml there is the list of servlets of the Orion application, and the list is really huge. Some of these servlets have attractive names for attacking, for example "browser", which in fact allows an unauthorized user to list directories of the operating system. But in case of exploitation another servlet is more attractive: the file upload servlet allows an unauthorized file upload with SYSTEM rights; the parameters base dir and target may fully control the name of the file, so this vulnerability can be easily transformed into remote code execution. You can overwrite some startup scripts of SPPA, or simply inject something special into a Tomcat web application and get remote
code execution with SYSTEM rights.

Also there are some servlets which contain the words "service factory" in their names. In fact they redirect HTTP requests to RMI services: inside, they parse parameters from the HTTP request and search for the desired RMI service according to the parameter service rule, and further invoke a call to a public method of that service, where the name of the method is defined in a serialized object in the data section of the HTTP request, and the parameters of this call are also defined in this object. So now we have a situation where the thin client and the fat client can access RMI services, but in the case of the fat client it can also directly communicate with the RMI registry. So if the application server missed some important Java security update, it contains an insecure deserialization vulnerability, and using the public tool ysoserial we can simply exploit it and get code execution with SYSTEM rights again.

The next task will be to list all available RMI services of the SPPA system. In the first step we simply use the class LocateRegistry of the Java runtime and get a big list of services. All but one RMI service, I assume, implement some general interface for communication, for controlling and managing containers of SPPA. For further investigation we only choose the lookup service. In fact this service looks like some collection of other RMI services: using its public method list we get the names of all available services, and using the name and the public method lookup we get the reference to an RMI service. All RMI services at this step implement the interface service factory, so according to this we can assume that this is again a collection of other RMI services, but in fact it doesn't have a public method to get the names of the services, so we need to decompile the class and find some factory methods which create RMI services, for example create admin script, and inside we can find the name of the created service; as can be guessed, it's admin service. So using the public method get service and this name we finally get the reference to the next level RMI service, and in the final step we get the reference to the RMI services which perform the real job of SPPA, but this RMI service also contains a lot of public methods for an unauthorized user.

To sum up, we traverse a registry and at each level we found a lot of RMI services, and the last item also contains a lot of public methods, so the attack surface of the SPPA system is very huge.

So now, when we have listed all available RMI services, the next question is how authentication of client requests is performed on the system. To answer this question let's look at how a client request to the security service is processed on the system. First of all the client gets the reference to the security service using some client ID; further, the PC service factory tries to get a valid session using this client ID in the session manager. If the session manager fails in this task, an exception will be thrown and the client will fail, but if it succeeds a valid session ID will be returned to the PC service factory, and further in its turn an instance of the security service will be created in a factory method and the value of the session ID will be stored in a login ID inside the security service, and finally the client gets the reference to the security service. Further it can call some public method of it, but these methods can perform privilege checks of the user using the login ID in the security manager.

So to sum up, we have two security measures in the system, but there is a question: how can a user client perform the login operation if it doesn't have any valid client ID? In this case, at startup of the system, a new session with client ID equal to zero is added to the session manager, and the client will use this client ID and perform the login operation. But an attacker can also use this feature and simply bypass the first lock. So to sum up, there is only one security measure on the system and it is fully delegated to the methods of RMI services, but the amount of RMI services is huge, the amount of public methods is really huge, and so it becomes really difficult to manage the security of the system.

According to this information, we know all inputs of the system, we know all
possible security measures of the system, so it's time to find vulnerabilities. In the list of RMI services, the one which looks somewhat attractive is admin service: it can be accessed with an anonymous session, and inside it has the public method run script. This method doesn't perform any privilege checks, so we can call it without any credentials. In the first step this method creates an instance of a class loader using bytes from the arguments, and in fact this step will load an arbitrary Java class. This class should implement the interface admin script and define the method execute, and this method execute will be called by run script of the RMI service. For this case we create a Java class that simply runs an OS command from the arguments of run script, and we get code execution on the system with SYSTEM rights. Of course there is more powerful post-exploitation of this vulnerability than simply running an OS command: this vulnerability allows injecting an arbitrary Java class inside the running SPPA application, so you can use some Java reflection to patch some variables of the system and have influence on the technological process of SPPA.

Also, the privilege check inside methods of an RMI service can be bypassed with a second vulnerability in the session service. This service has the public method get login sessions; in fact this method returns the session data of all logged-in users on the system. This information includes user names, IPs and client IDs, so if among them is the client ID of a user that has some admin privileges, an attacker can use this client ID to get a reference to the security service, and this reference will be with a more privileged session. Further, the attacker can call the public method of the security service get all users and get all private information about all users of the system, and password hashes are also included in this private information.

So to sum up, we have two vulnerabilities, both of which can be accessed through HTTPS, and firewall rules can be bypassed. In general all communication with RMI services is unencrypted, so user names and password hashes are transferred in plain text. This is more critical for the fat client case. Moreover, password hashes don't have any session protection mechanism, so if an attacker can perform a man-in-the-middle attack against some user of SPPA and captures traffic between this user and the application server, he can get a valid user name and password hash of the system and simply reuse these credentials and perform the login operation on the system; moreover, he can also change the password of this user.

I talked a lot about user names and password hashes, so it's time to understand how these items are organized on the system.
Alex.

Hello everyone, let's continue our discussion about the application server. On the previous slide you could see how remote authentication works, and now I'm going to tell you how it's organized locally. After the system gets started, it begins to read two files, user1.xml and pedata1.xml, to get the user list and their passwords respectively. The users file is a simple XML, while the data file has a slightly more difficult structure: it's a gzip archive encoded in base64, wrapping a serialized object which contains a specific XML. The fields of the XML presented on the slide are used to calculate the hash value and check the password during authentication. On the bottom of the slide you can see the password check algorithm in pseudocode. The cryptographic scheme is a typical crypt-like hashing scheme, like on your Unix and Linux machine: it has a number of iterations, salts, and the only thing that was added is a hard-coded salt which is the same for all users. A tool to extract password hashes and their parameters from the pedata1 file has been developed; on the slide you can see its output. The tool can be used during password auditing to check for weak or dictionary passwords and their hash calculation parameters. The tool is available at the link below.

Let's draw the line under the application server analysis. First, as we have seen, the attack surface is really huge and includes a lot of different components. Secondly, it's about remote connections: even if, according to the vendor or someone else who told you, there are no remote connections, you should check it anyway. And the last thing is that an attacker has the opportunity to impact the power generation process: for example, they can start or stop generation, change some output values, or get some additional information about the generation process, and all these actions can be done from the application server.

That's all about the application server, and let's start the discussion about automation. The main goal of the automation server
is to execute real-time automation functions and tasks. Depending on the power plant project architecture and its features, the role of the automation server can be different; we have distinguished three roles. The first one is the automation role. There may be slight confusion because the term is used both for the server and for its role, but analyzing the automation server configuration and publicly available information we have found that whatever the role is, almost the same hardware and software are used, and we have decided to use this kind of classification that seems less confusing to us; at the same time it's a little different from the vendor's classification. Anyway, having an automation role means that the server is responsible for interaction with input/output modules which control and monitor power plant equipment such as the turbine, the electric generator or some other. The second role is communication: this role is used for connection to third-party software and systems; in other words, it's just a protocol converter supporting such protocols as Modbus, IEC 101, 104 and some others. And the last role is the migration role: this role is used to connect previous versions of SPPA-T3000 and legacy systems such as SPPA-T2000 or Teleperm ME. In the automation role the automation server can run on a SIMATIC S7 PLC or on an industrial PC; the other roles can run only on an industrial PC.

Now let's talk a little more about each role, and let's start with the automation role based on a PLC. PLCs directly control field devices like valves in the turbine, and access to them is game over for any security discussion, as they usually represent the lowest level in different reference models, such as the Purdue model for example. Any configuration changes and updates for a PLC require stopping the technological process, so these devices always have security misconfigurations, firmware without security updates and insecure industrial protocols. In case of SPPA these are S7 protocols and the PLC data dialog. There is information about S7 protocols on the internet, but not so much about the PLC data protocol, so we had to deal with it and analyze it ourselves. It's not a special protocol for SPPA: when you program your SIMATIC PLCs and need to exchange some data between them in real time, you use this protocol. It's a quite simple protocol, and maybe its description is available somewhere on the internet, but we couldn't find it, so just in case we show you its structure. Anyway, there are no security mechanisms in this protocol, so the only obstacle while doing a man-in-the-middle attack to spoof data is the sequence number, which we can get from a packet and just falsify. For protocol analysis we have developed a dissector, which is available at the link below.

During the security assessment of PLC configurations, one of the main things which we check is unauthorized access to reading and writing PLC memory. The availability of unauthorized access is determined by the position of the mode selector of the PLC and some other configuration parameters. During previous research conducted by one of our colleagues, Danilo, a privilege matrix has been obtained; it shows insecure states and configurations of the PLC. A tool for gathering information from the PLC over the network and its analysis has been developed by Danilo and is also available in our repository.

Now let's talk about the automation server based on
an industrial PC. It's just a Linux box. During startup it tries to download some additional files from the application server; these files include JAR files, scripts, some configuration and protocol files and some others. In order to execute the JAR files the PTC virtual machine is used; it is a Java runtime widely spread in industrial, IoT and military areas. It supports an ahead-of-time compilation mechanism; as a result the JAR files contain a bytecode transformation, and that's why regular decompilers fail with them. To solve this problem we have written a PHP script to perform the reverse transformation, and after that regular decompilers have been successful. Running JARs open RMI services on the automation server, and some extensions of them: for example, in the case of the migration server there are ORPC services, which are an extension of classic Java RMI services, and on the slide you can see the list of these services.

The security issues of the automation server based on an industrial PC are presented on the slide. Firstly, as you can see, there is the possibility to spoof the files downloaded from the application server: the files are downloaded over HTTP and there are no security mechanisms during the process. Secondly, it's about default credentials: you can get access over SSH to the server with user name admin and password the same. Next, it's vulnerabilities in the ORPC services; these allow sensitive data exposure and remote code execution. And finally, the last group is vulnerabilities found in the software used to fulfil the migration role, for communication with SPPA-T2000, also known as the TXP system, with a number of issues; if your migration server is old XP, you are in a magic position.

A few words about our ORPC vulnerabilities. They are in the runtime engineering service: this service contains the request runtime container method, where the first argument defines the action to be executed. Using the action read file it's possible to get the content of any file from the system; using write config file it's possible to write any information to the server, and for example it can be a JAR file which executes a shell command from the command line, and using some SPPA-specific functions you can execute this JAR file later.

That's all about the automation server. To sum up, the automation server can be based on a PLC or an industrial PC. In case of a PLC it's the usual PLC with known security issues; in case of an industrial PC it's just a Linux box which tries to download some additional files from the application server, and some of them are executed with the Java virtual machine.

So far we haven't mentioned any network equipment used in distributed control systems. During the research we saw a wide variety of network devices and network infrastructure, including switches, firewalls and more rare devices such as data diodes, for example. We tried to summarize all this information and got a common SPPA network topology scheme; we have shown in purple the usual places where the same devices can be found in other vendors' distributed control systems. Network devices in industrial networks usually have a lot of security issues. The reason for this is that most of them don't require any configuration before start and can be run out of the box, and that's why things like guessable SNMP community strings, credentials for different services, firmware with publicly available exploits and just a lack of security configuration, all these things are usual for network devices, and they are usual issues for industrial networks. I think that's all.

Now, so the topic of power plants is
huge, the system is huge, and we tried to cover this and that, a lot of small things in the talk, and everything can be summed up on this slide. Those are just the vulnerabilities; as you can see, problems in Java, in web applications, in different simple mechanisms that you can exploit to directly, without even going into the PLCs or the field level, impact the process itself.

What we don't cover in this talk is what havoc or disaster could be caused by attacking such systems, because it's actually not that bad. I mean, if we are talking about things like blackouts of cities or things like this, this is not what you can do with such a system, because the distribution of power in the grid is, according to the threat model, not the problem of power generation; there should be another regulator who watches for enough capacity in the network to deliver the electricity to the customers. So what we're really speaking about here is how we can impact, for example, the turbine itself. We had no access to a real turbine, they are expensive and we haven't found anyone willing to provide us one so we could destroy it, but the point is we have an educated guess: PLCs control a lot of parameters of this turbine, and the turbine is a big mechanical monster that is actually self-degrading by working, and putting it into different uncomfortable operating modes will degrade it even faster or will break it, and it's not easy: you can have a spare PLC or some other device, you won't have a spare turbine. So the impact is there, but it's not very huge.

So what we tried to do with this research mostly is to understand how we can help the power plant operators out there, and having found all the issues and analyzed these infrastructures on customer sites, we understood that all of the installations are actually the same, and we can write a very simple do-it-yourself assessment, and hopefully even engineers on the power plants can test themselves. It is a very easy set of steps on two or three pages: you connect to the application network, you connect to the automation network, you run the tests, you get the results, and afterwards you talk with Siemens or you can fix something by yourselves. Basically you don't have to hire expensive consultants to do the job; you should be able to do it by yourself, and we hope that you will be able to do it.

Of course, to summarize the whole situation around DCSs: if you have seen other industrial solutions, like SCADAs, like substations, anything actually, you would find a lot of similarities, and they have the same pain points as all other solutions. There is a good document from IEC 62443 which describes how a power plant operator or asset owner should talk to the system integrator and the vendor in terms of what security they should require and how they should control it. We urge any power plant operator to read this standard and to require security from their vendors and system integrators, because nowadays it depends from vendor to vendor: maybe the vendor is more interested in the security of the plant, or some regulator, and nobody knows how to act. This is the document which describes how you should talk with all the other entities.

Of course, read the slides, or read the white paper in January, call Siemens, update systems, change your passwords and configurations; this is actually very easy, at least to shrink the attack surface. A lot of things inside the SPPA-T3000 network are modern Windows boxes, and it's kind of easy to set up some form of monitoring, so you should talk to a security operations center; they would be able to look for some logs. Most of the impact that we showed was through the input from the Java applications, and you won't be able to monitor this with Windows security events, but at least it's still some form of detection process inside your network.

And again, finally, to summarize: it is not a problem of one DCS from Siemens, there are exactly the same issues for other vendors not mentioned here. We will release a lot of things today, tomorrow and in January, basically the big white paper about everything that we found out, with the recommendations what to do, with the word lists, with the do-it-yourself security assessments, with a lot of tools: some of the tools would help you to do the research, and other tools would help you, for example if you are using intrusion detection systems, IDSs, to parse the protocols and maybe write some signatures for them.

We worked closely with Siemens, and we want to say thank you to Siemens ProductCERT; they did a great job in communications between us and the product team that develops the SPPA-T3000 product itself. The main outlines from the vendor response are that if you are a power plant operator you should hurry and install the new version 8.2 SP2; Siemens is trying to educate and raise awareness among their customers that, first of all, they should change passwords, that there are critical vulnerabilities and they should do something about it, and that not all the problems are fixable by Siemens themselves; the operator is liable for some of the activities to do for security by themselves. So that's actually it, thank you, thank you
very much. Thank you.

Thank you for this excellent talk. We have a short three minutes for questions; if you have questions, please line up at the microphones, and if you're using hearing aids there is an induction loop at microphone number three. Do we have questions from the Internet? Yes.

A question from our signal angel, please. So we've got a question: with the vulnerabilities found, could you take over those plants from the World Wide Web without further man-in-the-middle attacks?

Can you please repeat a little bit louder, please, sorry?

With the vulnerabilities found, could you take control over those plants from the public internet, without further man-in-the-middle attacks?

Actually no, and this is some form of good news: as those systems are exclusively supported by one system integrator, by Siemens, they are more or less protected from external access. Of course there would be external access, but it's not that easy to reach it, and of course we're not talking about the internet, we're talking about some corporate networks or things like this.

Next question, microphone 3, please.

Yes, hello. I also have a power plant on my planet, and it's kind of bad for the atmosphere, I figured, so my question is, can you skip back to where the red button is to switch it off? And I'm asking for a friend.

When I thought about that, this material can be used in this way, but yeah, specifically if you have operators, engineers, friends on the power plants, you can talk to them.

Do we have any more questions from the Internet? No questions. Any question from the hall? I guess not. Well then, thank you very much for this talk, and