SCADA & PLCs in Correctional Facilities: The Nightmare Before Christmas

Video thumbnail (Frame 0) Video thumbnail (Frame 1358) Video thumbnail (Frame 2341) Video thumbnail (Frame 4974) Video thumbnail (Frame 7271) Video thumbnail (Frame 9707) Video thumbnail (Frame 10958) Video thumbnail (Frame 17009) Video thumbnail (Frame 18010) Video thumbnail (Frame 20427) Video thumbnail (Frame 27705) Video thumbnail (Frame 28666) Video thumbnail (Frame 31630) Video thumbnail (Frame 34179) Video thumbnail (Frame 36487) Video thumbnail (Frame 38520) Video thumbnail (Frame 40701) Video thumbnail (Frame 44738) Video thumbnail (Frame 48087) Video thumbnail (Frame 51709) Video thumbnail (Frame 53145) Video thumbnail (Frame 57228) Video thumbnail (Frame 58239) Video thumbnail (Frame 59386) Video thumbnail (Frame 61083) Video thumbnail (Frame 62605) Video thumbnail (Frame 67034) Video thumbnail (Frame 68851) Video thumbnail (Frame 71353) Video thumbnail (Frame 72870) Video thumbnail (Frame 74637) Video thumbnail (Frame 75618)
Video in TIB AV-Portal: SCADA & PLCs in Correctional Facilities: The Nightmare Before Christmas

Formal Metadata

Title
SCADA & PLCs in Correctional Facilities: The Nightmare Before Christmas
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2013
Language
English

Content Metadata

Subject Area
Abstract
On Christmas Eve, a call was made from a prison warden: all of the cells on death row popped open. Many prisons and jails use SCADA systems with PLCs to open and close doors. Not sure why or if it would happen, the warden called physical security design engineer, John Strauchs, to investigate. As a result of their Stuxnet research, Rad and Newman have discovered significant vulnerabilities in PLCs used in correctional facilities by being able to remotely flip the switches to "open" or "locked closed" on cell doors and gates. Using original and publicly available exploits along with evaluating vulnerabilities in electronic and physical security designs, this talk will evaluate and demo SCADA systems and PLC vulnerabilities in correctional and government secured facilities while recommending solutions. John J. Strauchs, M.A., C.P.P., conducted the security engineering or consulting for more than 114 justice design (police, courts, and corrections) projects in his career, which included 14 federal prisons, 23 state prisons, and 27 city or county jails. He owned and operated a professional engineering firm, Systech Group, Inc., for 23 years and is President of Strauchs, LLC. He was an equity principal in charge of security engineering for Gage-Babcock & Associates and an operations officer with the U.S. Central Intelligence Agency (CIA). His company and work was an inspiration for the 1993 movie, "Sneakers" for which he was the Technical Advisor. He was a presenter at Hackers On Planet Earth (HOPE) in 2008 and DojoCon in 2010 and is a consultant for Recursion Ventures. Tiffany Strauchs Rad, BS, MBA, JD, is the President of ELCnetworks, LLC., a technology development, law and business consulting firm with offices in Portland, Maine and Washington, D.C. Her consulting projects have included business and technology development for start-ups and security consulting for U.S. government agencies. She is also a part-time Adjunct Professor in the computer science department at the University of Southern Maine teaching computer law, ethics and information security. Her academic background includes studies at Carnegie Mellon University, Oxford University, and Tsinghua University (Beijing, China). She has presented at Black Hat USA, Black Hat Abu Dhabi, Defcon 17 & 18, SecTor, Hackers on Planet Earth, Chaos Communication Congress and regional information security conferences. Tiffany also researches car computers and is fond of virus research (both biological and digital). Teague Newman is an independent information security consultant based in the Washington, D.C. area with extensive penetration testing experience. In 2009, he competed in the Netwars segment of the US Cyber Challenge and ranked within the Top 10 in the US in all rounds in which he participated. He is also an instructor for Core Security Technologies and has instructed professionals on the topics of information security and penetration testing at places like NASA, DHS, US Army, US Marine Corps (Red Team), DOE, various nuclear facilities as well as for large corporate enterprises. His projects include GPU-based password auditing and liquid nitrogen overclocking. Dora The SCADA Explorer: Exploit writer.
Computer program Presentation of a group Prisoner's dilemma Coroutine Feldrechner Mereology Packet Loss Concealment Malware Malware Feldrechner Logic System programming Object (grammar) Information security Physical system Vulnerability (computing)
Point (geometry) Multiplication sign Principal ideal Projective plane Computer Information technology consulting Student's t-test Local Group Type theory Computer science Musical ensemble Speech synthesis Information Information security Information security
Cybersex Area Rounding Enterprise architecture Group action Enterprise architecture Multiplication sign Independence (probability theory) Computer network Core dump Mereology Exploit (computer security) Area Wave packet Coding theory Roundness (object) Password Software testing Software testing Information Information security Information security Design of experiments
Module (mathematics) Presentation of a group Game controller Context awareness Dependent and independent variables Demo (music) Prisoner's dilemma System administrator Bit Computer Packet Loss Concealment Mereology Exploit (computer security) Computer Proof theory Type theory Personal digital assistant Feldrechner Codec Office suite Table (information) Information security Vulnerability (computing)
Slide rule Presentation of a group Code State of matter Connectivity (graph theory) Multiplication sign Voltmeter Mereology Likelihood function Computer Theory Packet Loss Concealment Product (business) Term (mathematics) Logic Software testing Process (computing) Design of experiments Information security Vulnerability (computing) Game controller Weight Uniqueness quantification Prisoner's dilemma Moment (mathematics) Projective plane Computer program Basis <Mathematik> Maxima and minima Bit Line (geometry) Electric power transmission Packet Loss Concealment Computer System call Substitute good Component-based software engineering Computer hardware Codec Row (database)
Computer virus Operations research Wave Computer virus Computer file Prisoner's dilemma Sheaf (mathematics) Computer worm Right angle Data structure Information security
Color confinement Color confinement Patch (Unix) State of matter Prisoner's dilemma Multiplication sign Cybersex Maxima and minima Water vapor Bit Electric power transmission Software Term (mathematics) Software System programming Video game Hacker (term) Information security Vulnerability (computing) Physical system
Point (geometry) Computer program Game controller Existential quantification State of matter System administrator Multiplication sign 1 (number) Similarity (geometry) Solid geometry Machine vision Packet Loss Concealment Number Centralizer and normalizer Office suite Position operator Vulnerability (computing) Physical system Block (periodic table) Prisoner's dilemma Shared memory Computer Hecke operator Line (geometry) Control flow Packet Loss Concealment Computer Data management Process (computing) Software Visualization (computer graphics) Logic
Word Game controller Line (geometry) Rule of inference Machine vision Thumbnail
Point (geometry) Computer virus Cybersex Game controller MUD State of matter Logarithm Prisoner's dilemma Multiplication sign Constructor (object-oriented programming) Boom (sailing) Computer Rule of inference Graphical user interface Frequency Centralizer and normalizer Intrusion detection system Information security Information security Physical system Perimeter Perimeter Physical system
Point (geometry) Game controller Trail Functional (mathematics) Simultaneous localization and mapping Computer program Computer Block diagram Function (mathematics) output Right angle Office suite Form (programming)
Point (geometry) Programming language Presentation of a group Mathematical singularity Constructor (object-oriented programming) 1 (number) Boom (sailing) Packet Loss Concealment 10 (number) Formal language Arithmetic mean Different (Kate Ryan album) Term (mathematics) Logic Object (grammar) Communications protocol
Point (geometry) Algebraic closure Point (geometry) Algebraic closure Packet Loss Concealment Packet Loss Concealment
Point (geometry) Game controller State of matter Multiplication sign Direction (geometry) Letterpress printing Valuation (algebra) Function (mathematics) Open set Number Latent heat Centralizer and normalizer Causality Feldrechner Internetworking Office suite Logic gate Information security Vulnerability (computing) Simultaneous localization and mapping Key (cryptography) Prisoner's dilemma GUI widget Knot Control flow Performance appraisal Process (computing) Software Universal product code Right angle Procedural programming
Torus Presentation of a group Game controller Patch (Unix) Time zone Mereology Entire function Computer Packet Loss Concealment Centralizer and normalizer Causality Bit rate Feldrechner Internetworking Intrusion detection system Software Local ring Information security Perimeter Physical system Vulnerability (computing) Patch (Unix) Block (periodic table) Prisoner's dilemma Bit Control flow Computer Entire function Performance appraisal Internetworking Software Intrusion detection system Personal digital assistant Order (biology) System programming Block (periodic table) Exception handling Perimeter Physical system
Point (geometry) Game controller Computer file Execution unit Range (statistics) Virtual machine Mereology Computer IP address Packet Loss Concealment Number Workstation Twitter Wave packet Facebook Internetworking Feldrechner Videoconferencing Office suite Information security YouTube Wireless LAN Prisoner's dilemma Data storage device Computer Computer network Instance (computer science) Storage area network Digital video recorder Type theory Internetworking Personal digital assistant System programming Website Summierbarkeit Information security Perimeter Physical system
Point (geometry) Computer program Email Game controller Divisor Prisoner's dilemma Multiplication sign Interface (computing) Time zone Control flow Computer Social engineering (security) Number Product (business) Internetworking Causality Software Internetworking Feldrechner Software System programming Videoconferencing Gamma function
Type theory Internetworking Demo (music) Internetworking Building Prisoner's dilemma Control flow Computer Buffer overflow Computer Physical system
Internetworking Prisoner's dilemma Multiplication sign Chaos (cosmogony) Information Process (computing) Escape character Control flow Information security Vector potential Event horizon Computer
Torus Code Prisoner's dilemma Execution unit Virtual machine Exploit (computer security) Database Line (geometry) LAD <Programmiersprache> Packet Loss Concealment Computer programming Exploit (computer security) Computer Product (business) Type theory Software Logic Right angle Endliche Modelltheorie Table (information) Simulation Buffer overflow
Computer program Greatest element Functional (mathematics) Game controller Venn diagram Virtual machine Exploit (computer security) Open set LAD <Programmiersprache> Computer Packet Loss Concealment Formal language Number Feldrechner Computer hardware Logic gate Social class Area Demo (music) Computer Cartesian coordinate system Packet Loss Concealment Exploit (computer security) Process (computing) Software Personal digital assistant Function (mathematics) Computer science Library (computing)
Scripting language Mechanism design Game controller Digital electronics Software State of matter Telecommunication Interpreter (computing) Mereology Packet Loss Concealment
Game controller Touchscreen Information State of matter Variable (mathematics) Packet Loss Concealment Demoscene Expected value Centralizer and normalizer Process (computing) Software Function (mathematics) Telecommunication Videoconferencing Computer worm
Proper map Information Transport Layer Security Prisoner's dilemma Computer network Tendon Proper map Subset Internetworking Hypermedia Software Hypermedia Blog
Point (geometry) Key (cryptography) Patch (Unix) Patch (Unix) State of matter Computer Online help Packet Loss Concealment Packet Loss Concealment Computer Type theory Software Telecommunication Operator (mathematics) Software Procedural programming Information security Information security
Core dump Core dump Information security Information security
hi everyone thank you very much for for coming to our presentation we're going to be talking about some research we did with plcs and prisons correctional facilities and I'll give you an introduction of my my co-presenters sorry I hope that's not too loud the
objectives we're going to talk about today or we're going to analyze the SCADA systems and PLC vulnerabilities we're going to discuss modern prison design we have a specialist here who is designed over hundreds of prisons and correctional facilities in his career and we're going to theorize some possible attack vectors and routines of malicious code introduction I'm going to talk to you about ladder logic and while it's very easy to learn in a program in this it's part of the the devil in that the details of why some of the plcs are vulnerable to some of the tax that we've created we're also going to recommend some solutions some are technical and as with a lot with security they're also managerial this is me I do a lot of
stuff actually right now this put this project I've been doing a lot more technical work when I'm an attorney as well I work in Washington DC most of the time but I'm also in Portland Maine I'm a part-time agile computer science professor at the University of Southern Maine and I'm so glad i have like every year a bunch of students from that University come to DEFCON I have a bunch of academic backgrounds have studied in China was interesting and did a lot of work overseas I presented to other black hats def cons so you may have seen me presenting about more like freedom of speech First Amendment issues but this is the other type of research that I do and let me turn this over in my father
John Strauss introduced himself well not nothing to introduce y'all can read at the only point I want to make is my specialty really is physical security now that's what y'all call me even though 99% of why I do is electronic systems and so I did the engineering or the specs and drawings of and I've done a lot of what's called just a design which is mostly Corrections also courthouses
all right I am Teague Newman I'm an independent security researcher and penetration tester I'm based out of Northern Nevada up here and also Washington DC in 2009 I competed in the net Wars challenge it was part of the US cyber challenge in all the rounds that I competed in I place it on top down the nation I also do training and penetration testing for course security I've taught people all over in all different facets from you know enterprise to government as you can see for places like NASA with US Marine Corps red team so I'm all over the place some of the stuff that I do on my own time is gpu-based password auditing like somebody up here and liquid nitrogen overclocking us so that's me we also have a other special number of
our team dora the scada explorer is here in the audience but Dora did not want to appear on stage he's an exploit writer he has great backpack while kinds of tricks inside with the great exploits he's good at coding he lives in the tropical area of columbia maryland and dora has done a lot of great work for our group so we're very glad that dora is is here with us today in the audience all right so one thing that we're going
to describe here is we're not talking about any vendors per se well we did do our research as you can see our PLC that we we purchased on ebay and everything it's up here on the table we'll have close-ups of the picture if you can't see it it's a big room the red team always wins so what we're here to discuss is really about we did a lot of research and some of our attack vectors and exploits for the control computers this is not a talk about Siemens per se but as the picture suggests i mean this this jail facility is Alcatraz it was designed to be no one could break out of prison there right well we did our research you know suggests otherwise you know this case to be true as well but the red team always wins so we're not here to to discuss particular vulnerabilities because what's clear and what we've releasing in this presentation today is that with plcs it doesn't matter what vendor it is so while Siemens is our research a module there is up it's not just about siemens about any plc because we will discuss and we'll show you a demo of what we've done with the control computer alright
so well why present about prison vulnerabilities one of the big things that we were talking about here is not our exploits per se we're not releasing our exploits we've used it for a proof of demonstration all of you about the work that we've done but it's really to kind of hit home the idea if you work in a facility in which plc's exist these are the types of things that you should know now all of us most of us in this room will know what we know what plc's are a lot of us have looked at Stuxnet but if you work in a Correctional Facility or you work in other types of facilities that have plc's and even water treatment plants those employees may not know what that is this part of the problem that we have seen in the correctional facilities is wardens guards or officers that work there their responsibility is actually it's pretty high some of the vulnerabilities we saw Siemens or GE whatever the essence of they can't fix them what needs to be done is these people working these facilities need to know that there are devices that can be vulnerable to attacks so the u.s. puts a lot of money in funding into securing some of our you know what we call you know the USS assets of high secure facilities bank vaults things like that where you may see plcs but when it comes to the our countries shall we say worst liabilities in a sense we are encouraging some heightened security because of the discoveries that we've made so we're trying to talk to the people who do work in correctional facilities and that's why we went public with our research and we'll tell you about a little bit how we did that but a lot of law enforcement agents to we talked about who work in these prison facilities didn't really know much about this so we're bringing awareness to that issue so when we when
we did the research because this has to do with the u.s. correctional facilities that we were looking at we briefed some federal agencies you can see from the slide there they're friends they're friendly but was great is that when we said hey we found this vulnerability we want to talk to you about it it took about two months to really get together everyone from these agencies but when we did it was it was a positive experience in the sense that they were willing to listen and talk to us about what we did and they they're allowing us to present here and that's that's why we're really grateful for this because it's not we didn't talk to Siemens or GE because it's really about the correctional facilities in this presentation we're doing so we were glad and we are grateful to those agencies who allowed us to do this presentation all right so
the story of Christmas Eve as you may see in the bio or another bio the abstract of our presentation all the doors on death row popped open a little while ago and I'm gonna have Jon strokes here my dad tell you about the story of Christmas Eve because he was called in to figure out why death row all the doors popped open and it's also kind of the basis of this whole entire presentation and that is that quite some time ago I designed an electronic security system that is all the electronics for a State Penitentiary that included a death-row is a maximum security facility we were done it was occupied inmates were brought in thing was running everything seemed to be going fine and then Christmas Eve I'm at home and I get a call from the warden all the doors and death row had popped open spontaneously that concerned him now it turned out nothing really bad happened David got everybody in but it concerned me a little bit in terms of what could have happened and why building things like that so we'd immediately went out there and try to track down what caused it what it turned out to be it was the contractor had not used the manufacturers and model numbers of the equipment weight exactly specified they had made some substitutions now in hindsight it's in all likelihood I would have proved two substitutions but it the problem was the two components that is a PLC and a relay had never been used at a correctional facility before and some kind of voltage surge occurred and there was a printed circuit board that had a one-way diode on it as we found out and it was leaking voltage and it was leaking just enough not very much just enough to trip the relays which then open up all the doors easily fixed now go forward in time and I'm sitting there watching news about Stuxnet in Iran and how they attacked the PLC's and got two centrifuges moving fast and I had a Eureka moment I said wait a minute we had that happen at a high-security prison accidentally what could you do if you did something deliberately and the other thing occurred to me was wait a minute nobody knows that plc's are used in prisons they really don't most large security systems don't use plcs we'll get into this again later why use plc is in prisons but if most people don't know that plc's are used in prisons then all the skater talk about skater attacks is focused on power grids and nuclear facilities and all kinds of other things but not prisons and it's a vulnerability that that if you know about it you can protect yourself because ninety-eight ninety-nine percent of the solution to the problem is procedural not technically so this research ideas started a lot with looking at the Stuxnet and those of us that were interested in following that the code is very well designed well engineered I mean it took a lot of professionals perhaps a nation-state I'm sure you all hear those theories but I got this idea to start looking at where else PLC's that are vulnerable and FX they're not a part of this research project per se but they have really fantastic analyses they've done of Stuxnet I mean going through line by line with the code and then black hat Abu Dhabi last year we all got to sit down and really talk about some of the essence of what makes stuck student unique and so after these presentations I came back to the US and I sat down with my my father who as it has a lot of design experience and with Teague who's a fantastic penetration tester and that's when we said well this is a this could be interesting so what if someone
wrote a warm or a virus that could affect correctional facilities that was our big question all right so I'm going to turn over my dad's going to do a big section now on the design of Prisons the reason this is important if you understand the structure and why things are designed in prisons you understand why some of the PLC's and where their mul neural is is a problem so Culinary Institute of America
and I also work we actually had a really neat wave file we're going to play but apparently we can't do that right now so that does nothing to do with anything it
started with Stuxnet attack was and this is what i read not personal knowledge against step 7 of the siemens software and apparently just some microsoft patches he can do that that minimize this vulnerability but it goes back to
the fact that it's all about the programmable logic controller the PLC it's not just as SCADA systems for like power lines pipelines water systems prisons use plcs now let's go back to nomenclature just for a minute what is the prison or a penitentiary a prisoner penitentiary is something that's probably run by the federal government or the state government its confinement for a year to life I mean it's serious confinement when people talk about a jail and a lot of times they used the terms improperly a jail is usually county city or town facility and confinement is usually less than a year the only thing about a jail that makes them a little bit interesting is some jails could be really huge as pointed out Orange County Jail in California is 2500 inmates and the other thing about a jail that makes it an important to look at is that jail is often used for pretrial confinement that is while you're waiting trial they put you in jail so you could be a pickpocket here could be a terrorist it could be a serial killer so anybody could be in a jail even though the confinements very low in the United States they're about I
think exactly right now 117 Federal Correctional Facility 1700 prisons that is State Penitentiary's 3,000 jails throughout the United States and of these correctional facilities about 160 are operated privately and most possibly all I haven't surveyed them all so i can't speak definitively use plc's and air
that's me in jail now we're going to
this because if you if you understand what the vulnerability really is you got to understand how a prison operates or a jail at large jail operates and what the electronics are and how they how it works this is the contemporary design of the jail it involves a central control and in housing pods or housing controls in the whole idea is ergonomic sand that is it's no longer the way Hollywood portrayed large prisons where their long cell blocks with bars fact most new modern facilities don't even have bars they have solid doors with vision palace but these long cell blocks don't exist the idea is economics is central control can see down those alleys into every housing pod the control in every housing pod ideally can see every single cell so it is visual contact with everybody you're managing and that minimizes the number of people that you need to operate the facility going back to a point I made earlier is i have heard two misconceptions one is that some people think that plcs are used in all security systems and as i said they're not most large security systems for example use some kind of operating system that's specifically written and designed for security systems the two probably most common once people know our Linnell internationals on guard or software house secure 9000 and there are a bunch of others but those are two really big ones that have big share of the market they'd only as plc's now are the similarities between what they use in a PLC of course there are the only thing is their controllers are dirt data gathering whatever you want to call our smarter more multifunctional multitasking much more state-of-the-art now no one's ever tested those systems so I can't really speak to it but you wouldn't put a PLC now why do you use a PLC in a prison the reason is it's very simple it's very basic it's easy to program and more importantly it's easy to track because nine times out of ten after you do your programming say you're doing to 300 cells there's five six hundred cells that could equate to twenty thirty thousand points in a system if you did conventional programming that's one heck of a lot of tracking you have to do somethings not working you know this button is supposed to do this we use ladder logic it simplifies it because when you print it out particularly in a long sheet of paper it looks like a ladder and you could follow the lines trace them with your fingers you'll go from this point down to this point down to this point it ends up where you want to go but it's that simplicity and vulnerability that make it vulnerable I also want to make one correction is that we've been doing some news interviews and one of the news interviews seem to imply that I said that corrections officers weren't smart or or should have known this stuff how many people here drive a car how many you know what a PCV valve is or if you do most don't just because you drive a car doesn't mean you're required to know what a positive crankcase ventilation valve is it's a very important valve particularly in older cars and that's the point is why should a corrections officer or a warden or administrator know what a what a PLC is or how its programmed there especially their skills or to operate the facility as efficiently and probably with not enough people and not enough money and try to make it work well that's their job so I don't mean to anything I've said or whatever maybe in the press and I'm not criticizing the corrections industry or corrections officers this is the same
kind of design now it doesn't look like a spoke of a wheel it's the same concept its ergonomics that is vision lines for control you can see in other words we are rule of thumb was when we designed was if you could directly see the door then you didn't need a video camera there or anything else you couldn't see the door you put a camera there and not only that you put a camera on both sides of the door not just one side so that you can see if somebody for examples under duress or being compelled to do something many have hundreds of cells
but all but the smallest jails or prisons have some kind of central control so what does it look like starts
out with the central control this is the hub of the wheel this is the brain of the entire facility and it runs everything virtually everything you know even things like showers and lights you know depending on what state and jurisdiction your and they have different rules but the whole purpose of
the entire facility is obviously about door control to keep people in and monitor wats selling wits and motives and to monitor sensors reward limit switches they also monitor many other kinds of systems like closed-circuit video surveillance duress alarms that is someone's being held at knife point or shank point I guess binocular intercoms and some facilities not all of them have some kind of perimeter a lot of times there's a perimeter patrol that is there's a fence intrusion detection system concertina wire barbed wire and so forth those Saints attendant nuisance of false alarm had higher and they sometimes have patrol vehicles out there they have a graphic interface sometimes their graphic interface between the patrol vehicle and central control is radio frequency which you got to remember the big boom in prison and jail construction was about 15 20 years ago and backed in nobody talked about cyber security or viruses or any of that stuff it just wasn't important back then and these facilities are still operating and they haven't changed Harley at all
they all go back all these activities go back to a programmable logic controller usually it's a self-standing racks on place in an equipment room not it not in a control room in some place in there will be a big relay bank because the PLC's themselves don't have the ability or the power to do things what they did again it's basically a very dumb form of multiplexing basically and they
controlled many functions now this is a very simple up five block diagram of what works and Teague and Tiffany will be going back to this shortly yeah basically have inputs and the inputs or panel switches lock sensors door sensors you want to do it know that the door is closed and you know that the door is locked in the early days for example when electronics were first introduced inmates found that they could put pencils in a track on a sliding door why are sliding doors preferred over swing doors the biggest reason is safety of the corrections officer swing doors often end up putting corrections officers in the hospital because some of these inmates have nothing to lose either that or have no sense of consequences and they'll slam that iron door shut so sliders are preferred even though it was slightly more expensive they'll put pencils in there sometimes it'll Jam up the door right up to the point where that before the limit switch trips so you think the doors locked but it really is because it limits which hasn't tripped yet there are by most accounts 40 to 50
manufacturers of plcs throughout the world these are the most common ones using correctional facilities and of these I'd say that the top ones are Alan Bradley GE and square d now here are
some very basic plc facts two points here in terms of protocols lon works is real popular I don't know again this is a different industry famille so you may not be familiar with lon works but the objective of lon works is is primarily one thing it's to minimize by as much as forty percent the amount of wiring conduit you use in wire conduit and correct facility could end up being tens of thousands of dollars in cost savings or much more never thing is programming language the most common programming language for plc's was then is still true today maybe after our presentation they might change his ladder logic simply because it's easy to follow easy to track easy to review it doesn't mean you couldn't use any of the other languages to program your PLC it's just simply that they don't and again back 15 20 years ago at the boom of correction facility design and construction it was the most common sense saying to do make it as simple as possible
in large facilities PLC's monitor thousands of points contact closures that then control hundreds of devices mostly motives and solenoids here's one
schematic design but a better one to look at it would be this one and the
point I want to make here is that no you probably are not going to monitor 34 points but if you want it to be a purist about it and know the exact status of this one door you could monitor 34 points just on its one schematic and that's another reason why that the PLC is ideal is so easy to review and teen by bringing this up a little bit later but look littless no doubt there under the note speed control we were playing around with well if you did it maliciously what could you do well I remember a demonstration using a pneumatic sliding doors that basically our air driven pistons and I saw that when when we turned off the speed control switch we could actually crack a two by four and a half using the door so if you want it to for example hurt somebody that'd be one way of doing it and then all the way out not just inside
of silly even the offense sally port gates ultimately our control back into central control now during the day for example they'll be direct control right at the sally port gate but say two o'clock in the morning again they're short-staffed don't have enough people a lot of times they'll switch control back to central control and that point you would have a vulnerability going from inside a correct facility all the way out to the gate during the day you probably would not because they'll have what's called direct control and the only way central control would take it over to an override which you would rarely do and we're going to harp on this a number of times and i will repeat it again one more time right now because it's so important ninety-eight ninety-nine percent of the solution to fix to this vulnerable not technical and in fact there's probably no technical way to giving a hundred percent fix for the PLC vulnerability book if you air gap it make everybody follow strict procedures have no unauthorized connections you probably don't have a problem at this point I will turn it over to Teague and Tiffany and they're going to look at specific vulnerabilities and infection vectors
when we did a valuation of a facility it was here in the US and we were we were able to go in and take a look at both the internet access some of the security there and really talked to some of the people who work there the guards to get an idea of how much knowledge they had about IT and for information security and what they had in the facility so one of the things that the vulnerabilities we found were open doors and gates there times when we were talking to the officers prison guards there where there have shorter staff and in the morning hours when controls are shifted to central control because of staffing shortages there if you were a malicious attacker these are some of the things that you would you would look at and if you're inside a prison you'll be able to you know you would theoretically be able to see the movement of some of the guards so this is something that we thought would be a one of the vulnerabilities as my father said cause phase lock sliders to go out of phase printing permitting doors from opening and closing this was interesting too because uh we my father's done some research and some work in a fire fire protection fire evaluation and do you want to mention something with the slam dunk slam doors the mic should be working yeah oh there's a knot on all do it there's one feature called you have to specify when you request the lock manufacture it's called a remote latch hold back I usually use the initials for that and the purpose of that is that if there's an evacuation most of these a lot of these doors are called slam locks as soon as it slammed the door shut it's locked it stays locked and only way you can open it is with a mechanical key someone has to be there and then depending on a state some states for example won't allow any Corrections offset open more than a certain a number of doors because this assumption is it might be a smoke-filled corridor and you have to be able to identify the keys by feel so it's a complicated process now if you wanted to for example if you heard the Bloods and the Crips and he wanted to get somebody on the other side what you would do is start at mattress fire some place which happens every year and in fact every couple years inmates of Diana particularly from smoke inhalation would be to get an evacuation started and if you knew if you could suppress this the remote latch hold back in the PLC software and he didn't like the guy behind you all he had to do is slam the door and that door will be locked and whoever's going either side of door is not going to get out
emergency release of entire cell blocks or the entire facility we are going to be discussing and T's going to mention it to a cascading release where you if you release all of the doors at once it actually can break it can break the locks and cause pretty severe damage so we discussed I think T is going to mention a little bit more that in his part that he's doing and perimeter fence
intrusion detection systems have high rates of false alarms so that's another
vulnerability we looked at and one of the things that a lot of people have asked asked about this presentation is well this is not possible because the prison system is not on the internet you know it's it's supposed to because the highest secure facility including maximum security they should be off the internet when we did some research and we actually looked at a facility it's not as the IT and the the way that they set up the networks in some cases was an afterthought they designed the prison and the security in it and then the networks and all that came in later after after it had been designed and some of the IT contractors maybe didn't have backgrounds in security so what we found is that the systems are not as air-gapped as you may think there's not as much network segmentation as you may think and we were able to see some some problems with that one of the problems we found is that the plcs and the control computers those things need some patching and updates things like that so inside the house of control of the central control center that you remember from the picture we had up there there's an electronic not electronic but there's like a computer room equipment room that's where a lot of the computers are and when Teague and I did our evaluation we were able to go and take a look at this stuff and some of the stuff we found was surprising also if there's a commissary or sometimes some of the lower security prisons stuff like that they have like vendors fast food vendors and stuff that sell food in the facility those have a lot of internet connections to order food or supplies things like that we are we were able in one circumstance to trace that network back to the control room so if that is an attack back vector that we looked at that you shouldn't be able to get from the commissary to the control room but we did see that that was in some of it something that we did see so we are
dismissing the myth that the PLC's are they're invulnerable because they're not connected to the Internet this is another thing that we saw that if people are in the control room just like the Stuxnet attack if you have a USB Drive something like that that's how you can create the infection can take place also when we were at this facility on site we saw IT was there doing some fixes on something they were in the equipment room unsupervised and maybe at this particular facility the guards knew who these guys were but what we found is when we follow them down in there you know it's we didn't say anything back going on with them but we it's a type of attack vector when we're thinking about it that's a way that you could get that in there so another thing we found is that there was an interesting story and it's in our way about when patrol vehicles when they get close to the for instance like police stations small jails things connected to courthouses when they're bringing in inmates for people that are standing trial if they had a video camera the video is actually transferred like via Wi-Fi to the control computer inside of the prison and t can you mention more about that so this is working right so what occurs is some of these DVRs now when they get within range they're actually just start uploading video files to essentially the jail land to a storage machine on there well it's been proven at this point that the sum of the DVRs in the police cars had public IP addresses and they actually have been hacked remotely compromised and they were able to upload whatever type of file they wanted instead of a video file to whatever the storage unit you know the San or nas or whatever would be at that particular facility number of other things were also it will be done such as watch the video live but the most interesting thing is is that the DVR in fact was on a public IP address it was compromised and they were able to upload a file to within the jail that was not a video and from a story we read that some of those some people have figured out that if they live near a jail they can pick this up it was not an encrypted signal and the videos went up on youtube so that was a unfortunate so they definitely need some guidance or assistance from the infosec community so though we're here to me this part of that reason so something we saw that was
most alarming though that really got us to say we want to talk to the government soon because we'd really like some prison wardens guards and the Federal Bureau of Prisons to start training people working in these facilities why you need to not access gmail not access Twitter from the control computer we did see that so we're in the control room and cheek was down in the equipment room looking at the PLC's things like that and and I'm up there and we're watching someone on the control computer pulling up Gmail and that was a that's one of the concerns we found is it's if they knew why this is very risky both for their lives and those of the public at large I'm sure they wouldn't do that but sometimes and we've my father and I've talked a lot of law enforcement officers you know it gets really late at night people get bored they're going to they're going to start checking Facebook things like that they need to know why they should not do that inside the control room particularly and this is this is why we were glad to be
talking about this because we did see that so you can cause widespread panic pandemonium either by locking all the cell doors down opening them up so the cascade program we talked about you can destroy all the locks Oh in one go so there are a lot of reasons why if you work in these facilities know that Stuxnet is not just something in a round it's not just something that affects nuclear power plants it can affect your facilities here the prison in which you work so taking are going to discuss some
infection vectors we talked about so I'm going to talk about from some of the infection vectors from without so we talked about the software updates straightforward wishes tags from outside the facility there been other research that have shown that some plcs are connected to the internet and it's something that if you know the model number and all that make the attack vector a lot easier malicious attacks from outside the sanitized point connections to the outside we saw that I mean we've seen connections to the commissary connections to the outside on the control computer via checking gmail so there are a lot of ways that if we want to do a malicious attack we could do it so also from without clearly at this point we have seen that someone was checking their gmail from the control computer so a client-side attack factor is completely within scope at that point in time because we know that it has you know they are checking email of course from out again there is potential via these DVRs if they're uploading wirelessly from the police cars and now this would be within a jail not a prison but you also have to look well if they're uploading wirelessly there's wireless there as well now how does the network segmentation look in that situation clearly it'll probably be different everywhere but it's probably not always going to be done correctly it's is rare to see it done perfect all the time from within obviously we have the typical social engineering attack factors we've seen people technicians working alone in the equipment room who says they're really technicians right stucks pretty well proved that even if stuff is air-gapped it doesn't particularly matter you can still compromise it so obviously the other thing to think about as well is its people say that stucks was via USB drive now think about all the stuff we have now with the teen sees and everything else it doesn't just have to be a USB Drive it can be you know any particular hid interface so obviously there's clearly all the social engineering vectors and there are a number of external vectors as well alright so we
talked about we don't believe that in all facilities internet access is isolated there's some maximum-security facilities we saw that the prisoners had some access to a computer that they we read this at an article in the next article said well the prisoners are finding all these flaws in it so they're essentially red teaming it in a way and then the prisons fixing all the holes they found including buffer overflows they saw the prisoners were doing so this is the internet access isolated we don't know from that system but it's a type of thing that they need to be very cautious about this so what kind of
badness is possible this is where we're going to talk about I'm just going to briefly say this is how we set up our basement lab we're going to Teague's going to give you some pictures of that and we're gonna have a demo of our PLC what we're working but ok so the worst
day is scenario one of them is open all the doors mayhem open some of the doors release from prison is this unlikely but
maybe you still have to get past the guys with the guns so that's this little difficult as well but past 30 years helicopters have been used for prison escapes eight times six of which were initially successful they were picked up later for other things but which event is more unlikely so when we hear that oh this is really unlikely this might happen there have been some very unlikely things with helicopters but we think that because of the Stuxnet the copycats things like that it actually may become a lot more likely we can
close all the doors during a fire let's say you don't want to witness to testify against you and trial lock all the doors and if there's a fire everyone parishes in that side so prisoners are locked in
and locked down a housing unit so how much did this research costs us and when some people say that to do this type of plc research it's going to cost you know it's going to take a big lab and if research facility a lot of money to do it it did not for us at all it caused a twenty-five hundred dollars most of those were legit licenses we made it clear that we saw the license as elsewhere but because we're doing this well and also we we wanted to get the legit license so we could do a lot of research on it as well but we bought this from the vendor and the Siemens model that you see here is the s7 300 the same one exploited by Stuxnet it's the same one that we do see in some prisons and there are a lot of exploits that are available that we found a exploit database calm or exploit DB calm there a lot that are free they're out there so our exploits by the way they're unique to some others that have been done out there but they're pretty simple to write I've seen some buffer overflows on a stack 30 lines of code I mean that's not difficult at all to do so we had a lot of fun doing this type of research and T's going to now talk to you about like our basement lab what we had set up so for the lab it's a
computer with that plugged into it it could literally be this right here there's nothing spectacular about it all you need is a machine that will run the software and a way to connect plc to that machine it's nothing fancy we set it up in about 10 minutes so definitely not advanced persistent threat especially yeah so anyhow that's what the lab looks like that is the machine with the PLC on the table that's it that's all that's what we use to research this and this is the
programming language this is just an example of it it's as easy as if you have taken some basic computer science engineering classes of really understanding just a lot watchable gates vs this is an end this is an or and what you see below is what it's going to look like in the program so you it is pretty simple to I get this work if you understand these the logical diagrams they're all right so for these attacks
vectors as we said we do have exploits of our own but there are publicly available exploits I mean there's a handful out there you can find them at exploit DB there is some going and metasploit right now Luigi at least like 34 exploits for scada systems-- in one day these are not particularly difficult to obtain alright so now we talk about our attack vector our attack vector that we're demonstrating here is actually similar to what Stuxnet did what we're doing is we are directly calling the PLC's application functions so once you are on that machine that monitors controls or programs the PLC's it's it's open season so basically however you get on that machine we discussed the attack vectors now you're on it what do you do migrate in the process access the library's and call the application functions so it's using the library's how they are designed to be used that's why we're saying this is not particular to Siemens yes we have that but it's the software exists and it has libraries it's going to work across any vendor ok now we're going to do our demo we took demo of our exploit writer so you're going to get to hear Dora the SCADA explorers voice hopefully the audio will work on this we've been having some trouble with audio ok before i get into the demo i kind of want to explain some things here so what we have is this this plc there's a number of lights on the bottom and a number of lights on the top and i just kind of like me clear what's going on you have to use your imagination because these are just lights but what occurs is when you flip a switch on the bottom light comes up on the bottom and on the top the bottom picture it as what you would see at the monitoring computer says all right switch is flipped so in our case it would say the status of that door is locked when you see the light occurring at the top that is what the current status of the actual door in this case would be so if the lights on up top the door is locked if the lights off up top the door is unlocked so you'll also notice in the demo there's typically the cascadian release programs that we talked about that would be doors opening or closing sequentially it wouldn't be all at once the possibility was there that if everything occurred at once you could have voltage in rush and you can start frying some electronics you'll notice is pretty easy for us to not cascade things so anyway just remember the bottom is what you would see in a monitoring area and the top is what's actually occurring on the other end with the hardware all
right so what we see in the middle here this is our PLC that switches on the bottom represent the actual not control themselves so other physical mechanism or the software changing the state the LEDs on the right side of this which is represent their estate so that would be if the switch is actually physically on or off the LEDs you see at the top represents the actual lock state which should be like a secondary sensor that's telling you is this lock actually locked over what stated currently isn't as you as you see switching back and forth the LEDs update the show that status now on the software you basically have all of the internal states again are the same things you can see the lock controls in the lock States for themselves and in the software the LEDs or the column with the true and false is basically art of the state of the switches and the lock States at the lab where they currently are alright so once we actually start running the exploit or via not exploit via interpreter script we're going to basically migrate into the control circuit the communications part of the software that handles communications with
yeah actually if you want to look at the peel see you look look it's about to you trigger and then they go and as you can see in the software itself the state of the switches are still currently turned
on so basically yeah showing that false information really um so what we've done if you want to share the meterpreter if you'll play kind of what we've done is migrated into the communications process said using the Siemens actual dll was sent using railgun the communications commands to send that basically any of the information update the variables on the device itself and basically all we did all right so you'll notice there with this last shot of the software to that is basically what you would see in the control center you'll see that in fact all the doors are still locked and clearly on the plc they were not in fact let me embroider on that just for a second that is my original expectation was that we would somehow be able to control the PLC to unlock a door turns out we were able to do much more than that we can now unlock the door but tell central control it's still locked when it really isn't yeah we are in fact not only are we manipulating the physical state of the door we are also suppressing alarms and notifications as well okay can we go back to the other screen
this is what it looks like for those of you can't see it up here that was the same one in the video so there's a close-up picture of it and this is when
we toured a Correctional Facility we took some pictures of like the relays and plcs and some of the wires and networks there and we're showing you a few of those in here these are also by
the way I'm our white paper is was published by wire but also its encore securities website under what other blogs about Def Con so you can pull up our white paper and more information on this and see more pictures all right so
this is the really the summary we're gonna be talking about the remaining remediation here now on which is pretty clear for what we're going to do use a device for some tendon purposes those of us in this room we get that all right but for those of you watching you know elsewhere online prison wardens guards this is very important for you because there's some things that can't be fixed with plcs it's up to you really to those acceptable use policies have a reason why they're there proper network segmentation restrict physical media the same stuff that would prevent stuxnet this is the stuff that we're discussing here so many modern jails and prisons
were designed ten years ago before these attacks were known so what we're suggesting is evaluate some of the designs and security that you have have it take a look at the IT network I mean very carefully because if an attack did occur on a you know correctional facility is pretty big deal forcing and updating procedures and policies you know and really under having the guards understand why this is a big deal is the most important thing this is the biggest risk mitigating thing that you can do is educate your employees if you have plc's that run safety critical operations or correctional facilities know that these attacks can't exist one one point I'd like to make is you know clearly the way we're doing it you can't really patch that so education is huge how do you you know how would you do it otherwise that's why you need to everybody always says it but you know the layered defense is you got to really have it all in place especially for things like this that can be deemed you know critical infrastructure for a particular facility where it may involve lives of people so you got to determine what's important and then implement it hard
alright we also want to give a big shout out to door the skate explorer for being awesome and for any of you out there or watching online if you think that we or door hold the keys to the castle here we do not these X points are going to be public and it's nothing that was terribly terribly difficult to do so so we gotten some interesting request i'll tell you since some articles have been written about us and no we won't help you and you know it's a type of thing that that's one of the reasons that dora has vin de has been very quiet here are we going to be taking questions in this room too oh we are okay great oh ok thanks thanks for the feds invited us for a briefing and special thanks to
core security
Feedback