DESIGNING EXPLOITS & IMPLANTS FOR INDUSTRIAL CONTROL SYSTEMS
Transcript of the slide deck. ©2019 Check Point Software Technologies Ltd.

Slide 1
DESIGNING EXPLOITS & IMPLANTS FOR INDUSTRIAL CONTROL SYSTEMS
Jos Wetzels | Principal Security Consultant, Secura
Marina Krotofil | Senior Security Engineer, BASF
CPX 360 2019

Slide 2
Who are we?
• Jos Wetzels
  - Embedded Systems Security (ICS, Automotive, IoT, …)
  - Principal Security Consultant @ Secura
  - Security Researcher @ Midnight Blue
  - Security Researcher @ UTwente
• Marina Krotofil
  - ICS / SCADA Cyber-Physical Security
  - Senior Security Engineer @ BASF
  - Principal Analyst @ FireEye
  - Lead Cyber Security Researcher @ Honeywell
@s4mvartaka @marmusha

Slide 3
Agenda
• Introduction
• ICS Device Exploitation
• Developing ICS Device Implants & OT Payloads
• Conclusions

Slide 4
WARNING: FAST PACED TALK
Image: https://www.disneyclips.com/imagesnewb/alice4.html

Slide 5
INTRODUCTION
Image: http://ats-transporttechnieken.nl/wp-content/uploads/photo-gallery/Draadloze%20shuttle%20voor%20zwembaden/2H8_016.JPG

Slide 6
Industrial Control Systems (ICS)
• Information Technology (IT): computer science
• Operational Technology (OT): engineering
• Physical process: the attacker's end target

Slide 7
ICS ARE EVERYWHERE
Electric Power Oil & Gas Water
Nuclear Manufacturing

Slide 8
Threats - Motives
Geopolitics Extortion Competition

Slide 9
Threats - Means
Espionage Sabotage

Slide 10
Sabotage can come in many forms
Denial of Service Injury / Loss of Life
Damage to Equipment Damage to Production Damage to Environment

Slide 11
All of these critical systems are safely air-gapped … right?

Slide 12
“Forget the myth of the air gap – the control system that is completely isolated is history.” -- Stefan Woronka, Siemens ICS Security Director

Slide 13
IT / OT Convergence
Hardwired Electrical Relays -> PLCs -> Serial Networks -> IP Networks -> Wireless Networks -> Industrial IoT
Connectivity:
• Fieldbus
• Industrial Ethernet
• Wireless
• IIoT
• …
Drivers:
• Predictive Maintenance
• Real-Time Decisions
• COTS Integration
• ‘Big Data’
• …

Slide 14
Brief History of ICS Security
Phases: recon and weaponization of capabilities; it’s happening: publicly known cyber-physical attacks
• 2010: STUXNET. Planned operation to hinder Iran’s nuclear program
• 2013: First publicly known OT recon activities (HAVEX)
• 2015: Ukraine power grid attack (BlackEnergy)
• 2016: Ukraine power grid attack (Industroyer)
• 2017: TRITON. Watershed Moment
Image sources: https://qph.fs.quoracdn.net/main-qimg-f741c6e5db32b87f282e54448a2129ce, https://www.schneider-electric.com/ww/en/Images/tricon-IC-654x654.jpg, https://www.thedailybeast.com/cia-eyes-russian-hackers-in-blackout-attack, https://www.arabianbusiness.com

Slide 15
Example: TRITON Attack

Slide 16
Hazards and Layers of Protection

Slide 17
Safety Instrumented Systems
Image: spi-ltuf.org
• Digital, parallel to BPCS
• Sensors / Final Elements can be SIS-only or shared with BPCS
• Ideally on separate SIS network segmented from PCN

Slide 18
Schneider Electric Triconex (SIL3)
http://iom.invensys.com/EN/pdfLibrary/Datasheet_Triconex_TriconSIL3_06-11.pdf

Slide 19
Schneider Electric Triconex (SIL3)

Slide 20
Triconex is everywhere … [OSINT]
Image sources: https://www.bluewater.com/fleet-operations/our-fpso-fleet/glas-dowr/, http://software.schneider-electric.com/about-us/success-stories/listing-content/bluewater/

Slide 21
TRITON Attack Overview
https://www.cyberark.com/threat-research-blog/anatomy-triton-malware-attack/
• Improper segmentation between PCN & SIS
• Attacker obtained remote access to SIS engineering station

Slide 22
TRITON Payload Overview
• Attacker attempted to inject passive implant into safety controller
  - Read/Write/Execute Memory
Diagram: Eng. Workstation -> TriStation protocol -> imain.bin + inject.bin -> “Your wish is my command”
• trilog.exe
  - script_test.py
  - library.zip
  - inject.bin
  - imain.bin

Slide 23
What is going on here?
Increasing Attack Complexity
• TRITON used implant on Triconex SIS controller
• Process shutdown could have been achieved much more easily

Slide 24
Attacks on Industrial Systems
• Attack scenario depends on attacker goal
  - Sometimes this means explosions, sometimes it doesn’t
• Simple process shutdown can be costly for plant owners & achieved by simple means
  - Downtime, restart issues (residue in tanks/vessels/pipes, off-quality product, equipment fatigue), …
  - DoS on networking equipment, controllers, …
  - Obvious ‘Do not press’ button on HMI
• But the more precise, damaging & lasting attacks are more complicated

Slide 25
Cyber-Physical Attacks are Process-Specific
• Blackout != Spoiling Chemical Batch != Pipeline Rupture != Vessel Collapse
• Damage scenario requires good process comprehension
  - What causes the right pipeline to explode at the right moment?
  - What are the (uncontrollable) side-effects of my actions?
  - What safety mechanisms & alarms might kick in?
  - Industrial processes are designed to be robust & recoverable
• This is why espionage & reconnaissance matter
  - Obtaining P&ID diagrams, historian databases, software versions, …

Slide 26
Two Common Views of Cyber-Physical Attacks
• “Trivial! Look at the state of ICS security!”
• “Borderline impossible! These processes are extremely complex & engineered for safety!”

Slide 27
Both are wrong
• Pwning a PLC != ‘Winning’
  - If you don’t have a response to “OK, so now what?”, you don’t really control anything. There is more to CPS attacks than cyber-security.
• Safety != Security
  - Safety Controllers can be compromised too. Are you sure independent ‘dumb’ fallbacks are sufficient when SIS fails?

Slide 28
OT is about control loops
• Sensors: measure process state (Process Variable, PV)
• Control system: compares the Process Variable (PV) with the Set Point (SP) and computes control commands for actuators
• Actuators: adjusted to influence process behavior

Slide 29
Industrial Attack Components (OT Payload)
1. Manipulate the process
   - Direct: manipulation of actuators
   - Indirect: deceive controller / operator about process state (e.g. spoof sensor)
2. Obtain feedback
   - Direct or derived (e.g., via proxy sensors / calculations)
   - Often hardest to achieve
3. Prevent response
   - Operators: blind about process state, mislead
   - Control / Safety System: modify operational / safety limits

Slide 30
Likely TRITON Implant Role
(Reuses the attack-component diagram from the previous slide.)

Slide 31
Clandestine Control Loops
• Cyber-Physical Attack is a collection of ‘clandestine control loops’
  - Cycle of process observation & manipulation to achieve unsafe state
• Attack Timing & Coordination are Crucial
  - Processes aren’t vulnerable all the time. Many scenarios take time to execute.
  - Observation of state A in component B needs to trigger payloads X, Y, Z
  - Need to be able to observe states equipment might not be able to directly measure
  - Requires granular control across process
  - Manage task quantity & timing

Slide 32
Need implants to coordinate & execute attack
• MPC860, 50 MHz
  - 6 MB Flash
  - 16 MB DRAM
  - 32 KB SRAM
• ARM9, 14 MHz
  - 512 KB Boot Flash
  - 8 MB RW Flash
  - 2 MB SRAM
Will need to fit implant in there
• Signals processing?
• Malicious logic?
• Comms?
Often jam-packed with functionality already
You better enjoy programming…

Slide 33
Implant Communications
EXPECTATION VS. REALITY

Slide 34
Implant Communications & Attack Feedback Loops
• Implant 1 needs to take action X when we enter state B. Can we measure or infer?
• Communicate through process physics*, e.g. change in flow rate
  - Upside: limited electronic chatter after implanting
    - Hinders monitoring & forensics
  - Downside: can get real complex
    - Process state detection might depend on properties sensors don’t directly measure
    - Abnormal physics might propagate to places where we’re not suppressing alarms or cause other side effects ruining our attack
* Evil Bubbles: How to Deliver Attack Payload via the Physics of the Process, Black Hat USA 2017

Slide 35
Detection of process state
Non-parametric CUSUM (cumulative sum) algorithm
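A worked example of the detector named on this slide, added here and not part of the talk: a two-sided non-parametric CUSUM run over a constructed flow-rate series (the function names, reference mean, drift and threshold are assumptions). The same statistic a process-aware implant would use to recognise a state is what a monitoring system can use to flag sustained drift in a tag before a hard alarm limit trips.

```python
"""Two-sided non-parametric CUSUM change detection over process samples.

Added example, not code from the talk. Names, the reference mean, drift and
threshold are assumptions; the flow-rate series is constructed.
"""
from typing import List, Optional, Tuple


def cusum_trace(samples: List[float], ref_mean: float,
                drift: float) -> List[Tuple[float, float]]:
    """Return (S_plus, S_minus) after each sample.

    S_plus accumulates deviations above ref_mean that exceed the drift
    allowance, S_minus deviations below it. Both are clamped at zero, so
    symmetric noise never builds up; only a sustained shift does.
    No distribution is assumed for the noise (hence "non-parametric").
    """
    s_plus = s_minus = 0.0
    trace: List[Tuple[float, float]] = []
    for x in samples:
        s_plus = max(0.0, s_plus + (x - ref_mean) - drift)
        s_minus = max(0.0, s_minus + (ref_mean - x) - drift)
        trace.append((s_plus, s_minus))
    return trace


def detect_change(samples: List[float], ref_mean: float, drift: float,
                  threshold: float) -> Tuple[Optional[int], Optional[str]]:
    """Index and direction ("up" / "down") of the first sample at which a
    statistic crosses the threshold, or (None, None) if none does."""
    for i, (s_plus, s_minus) in enumerate(cusum_trace(samples, ref_mean, drift)):
        if s_plus > threshold:
            return i, "up"
        if s_minus > threshold:
            return i, "down"
    return None, None


# Constructed flow-rate readings (assumed unit: m3/h): 30 samples hovering
# around 50.0 with +/-0.4 alternating noise, then a 2.0 step up that stays
# well under a typical high alarm limit yet is a real change of state.
FLOW_SAMPLES = ([50.0 + 0.4 * (-1) ** i for i in range(30)]
                + [52.0 + 0.4 * (-1) ** i for i in range(30, 60)])

REF_MEAN = 50.0    # expected steady-state value of the tag
DRIFT = 0.5        # per-sample slack; deviations smaller than this are ignored
THRESHOLD = 5.0    # decision level; higher means fewer false alarms, later detection


def main() -> None:
    idx, direction = detect_change(FLOW_SAMPLES, REF_MEAN, DRIFT, THRESHOLD)
    if idx is None:
        print("no change detected")
    else:
        print(f"change {direction} detected at sample {idx}, "
              f"{idx - 30} samples after the step")


if __name__ == "__main__":
    main()
```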

Slide 36
Ah, so that’s why everything isn’t blowing up all the time …
• This is complicated, expensive stuff
  - Engineering know-how, RE, vuln research, exploit & implant dev, testing, …
  - High chance of messing up
• Offsets terrible IT / OT security
• Check out ‘Hacking Critical Infrastructure Like You’re Not a N00b’ @ RSAConf 2016 by Jason Larsen
• Let’s walk through the process required for developing a single exploit / implant / payload combo (e.g. TRITON)

Slide 37
ICS DEVICE EXPLOITATION
Image: http://invensyscustomersuccess.blogspot.com/2013/07/bermuda-electric-evolution-and.html

Slide 38
The Process
1. Obtaining Materials
2. Device Analysis
3. Reverse Engineering
4. Vulnerability Discovery
5. Exploit Development

Slide 39
Obtaining the Documentation

Slide 40
Obtaining the Engineering Software
• Vendor website, Direct purchase
• Steal from asset owner
• Piracy & other sketchy sources
Open webdirs & FTPs
Ebay, Alibaba

Slide 41
Obtaining the Device

Slide 42
Obtaining the Firmware
• Various Options
  - Download from Vendor Website
  - Extract from FW Update Utility, Extract from Flash
• Obtaining firmware can be complicated
  - Worst-case scenario: encrypted firmware + chip readout protection requiring bypass & invasive or side-channel attacks
• Not so much for Triconex
  - No readout protection on flash. Desolder -> adapter + universal programmer does the trick
  - Or extract from FW update util

Slide 43
The Process
1. Obtaining Materials
2. Device Analysis
3. Reverse Engineering
4. Vulnerability Discovery
5. Exploit Development

Slide 44
Device Analysis
• We need to know
  - External & internal communication interfaces (how can we enter device / move laterally?)
  - Functional domains (where does what happen in device?)
  - Architectural details (MCUs / SoCs used, HW security features, …)
• Sometimes we’re lucky
  - FCC IDs, public teardowns, block diagrams in guides (Triconex), …
• Sometimes we’re not
  - Teardown time

Slide 45
Don’t be afraid of teardowns
* Serge Bazanski, Michal Kowalczyk

Slide 46
ICS Devices aren’t magic
* Stephen A. Ridley, Senrio Inc., 2016

Slide 47
Programmable Logic Controllers (PLCs) 101
• Originally designed to replace hardwired relays
• Ruggedized, can be standalone or modular
  - Power supply, CPU, IO, external comms.
  - IO connected to field devices (sensors, valves, …)
Source: edgefx.in, plcdev.com

Slide 48
PLC CPU Firmware

Slide 49
Control Logic Execution

Slide 50
Triconex TMR Architecture
https://www.nrc.gov/docs/ML0932/ML093290420.pdf

Slide 51
Triconex 3008 MP
https://www.nrc.gov/docs/ML0932/ML093290420.pdf

Slide 52
The Process
1. Obtaining Materials
2. Device Analysis
3. Reverse Engineering
4. Vulnerability Discovery
5. Exploit Development

Slide 53
Protocol RE
• Engineering protocols are of great interest
  - Can contain sensitive functionality: PLC start/stop, file download, firmware & control logic download
  - Often legacy, proprietary protocols
  - Usually no security whatsoever
• If we can talk to PLC via this protocol, might get RCE on device!
• Want to know packet structure & semantics
https://www.gegridsolutions.com/products/manuals/energy/994-0146-D20MX-v1.5x-Product-Documentation-Set-Binder.pdf

Slide 54
Protocol RE – PCAP Only
• Compare to functionally similar older (documented) protocols
• Functionally granular packet capturing & group diffing
  - Start packet capture -> initiate action X -> stop capture
• Testing for common encodings & fields
  - TLV, sequential identifiers, checksums, entropic analysis, …
“Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns” – Rob Savoye, FOSDEM 2009
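The group-diffing and field-testing step above, as an added example that is not from the talk and models no real protocol: a batch of constructed packets captured while repeating one action is scanned per byte offset for constant, counter and 8-bit-sum checksum fields, and byte entropy is measured to tell plain payloads from compressed or encrypted ones (the packet layout and all function names are assumptions).

```python
"""Field-structure heuristics for packets captured while repeating one action.

Added example, not code from the talk; models no real protocol. The packet
layout, the 8-bit-sum checksum and all names are assumptions.
"""
import math
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniform random bytes.
    Values near 8 over a whole message hint at compression or encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _is_counter(column: List[int]) -> bool:
    """Each packet's byte is the previous one plus one (mod 256): a sequence id."""
    return len(column) > 1 and all((b - a) % 256 == 1 for a, b in zip(column, column[1:]))


def _is_sum8_checksum(packets: List[bytes], offset: int) -> bool:
    """The byte equals the 8-bit sum of everything before it, in every packet."""
    return offset > 0 and all(p[offset] == sum(p[:offset]) % 256 for p in packets)


def classify_offsets(packets: List[bytes]) -> List[str]:
    """Label every byte offset of an equal-length batch captured in send order.

    A constant column across packets is a header / function-code candidate; a
    counter column a sequence id; a column reproducible as a sum of the
    preceding bytes a checksum; anything else a variable argument field.
    """
    if not packets or len({len(p) for p in packets}) != 1:
        raise ValueError("need a non-empty batch of equal-length packets")
    labels = []
    for off in range(len(packets[0])):
        column = [p[off] for p in packets]
        if len(set(column)) == 1:
            labels.append("constant")
        elif _is_counter(column):
            labels.append("counter")
        elif _is_sum8_checksum(packets, off):
            labels.append("sum8-checksum")
        else:
            labels.append("variable")
    return labels


def build_packet(seq: int, arg: int) -> bytes:
    """Constructed message: 2 fixed header bytes, sequence id, one argument,
    3 fixed bytes, then an 8-bit sum checksum over the preceding bytes."""
    body = bytes([0x05, 0x01, seq, arg, 0x10, 0x20, 0xAA])
    return body + bytes([sum(body) % 256])


# Constructed capture: the same action issued four times with a varying argument.
CAPTURE = [build_packet(1, 0x10), build_packet(2, 0x33),
           build_packet(3, 0x10), build_packet(4, 0x7A)]


def main() -> None:
    for off, label in enumerate(classify_offsets(CAPTURE)):
        print(f"offset {off}: {label}")
    print(f"entropy of capture: {shannon_entropy(b''.join(CAPTURE)):.2f} bits/byte")


if __name__ == "__main__":
    main()
```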

Slide 55
PCAP-Only Analysis

Slide 56
• Want reconstruction to be complete & sound
• Want to write reliable exploits
• PCAP-Only can be incomplete, inaccurate or opaque
• Undocumented / rare behavior, inferred semantics, encryption / compression
• PCAP-Only can damage your sanity
Ideally we assist analysis with binary RE

Slide 57
Protocol RE – From Binary
• tr1com40.dll
  - TriStation (UDP/1502) communication DLL
  - Debug symbols present
  - RE message structure
  - Easy semantic mapping of function codes
• Don’t need full RE
  - Only interested in handful of message types
  - We want an exploit, not a protocol parser

Slide 58
The Process
1. Obtaining Materials
2. Device Analysis
3. Reverse Engineering
4. Vulnerability Discovery
5. Exploit Development
Page 59
• The next step is getting code exec
• Ideally pre-auth vulnerability but
• Pre-auth is a relative concept here…
• ICS Vulns are often simple byproduct of RE
• Shake a stick at it & vulns fall out
Vulnerability Discovery
Page 60
• Serial-to-Ethernet/WiFi Gateway
• Web Interface
• Broken auth (hashing on client side)
• CMD injection in ping test form
Example: Moxa Nport W2150A*
* Thomas Roth, 2017
Page 61
• Energy usage monitoring & control of fans, coolers, load shedders
• OptoMMP protocol (TCP/UDP 2001)
Based on IEEE 1394 (FireWire)
No authentication
Byte-addressable R/W memory map
Disable IP filter, enable FTP, fetch creds
• Upload unsigned firmware over FTP
Example: Opto 22 OPTEMU-SNR-DR2*
* David Barksdale, Jeremy Brown, 2016
Page 62
• Large PLC for process applications
• Backdoors
• FTP w. hardcoded creds: Read / Write configuration, firmware, passwords, …
• Telnet: C interpreter
• Unauthenticated Proprietary Modbus Extension
• Start / Stop PLC, Overwrite programmable logic
• Gazillion ways to get code exec
Example: Modicon Quantum PLC*
* K. Reid Wightman, Rubén Santamarta, 2011-2012
Page 63
You get the idea …
Page 64
Insecure by Design
Page 65
Legacy & Long Lifespans
Page 66
“The pros don’t bother with vulnerabilities; they use features to compromise the ICS”*
-- Ralph Langner
* Depending on your definition of vulnerability
Page 67
• Vuln is a freebie of protocol RE
Unauthenticated safety program download
‘Start Download Change’ (FC: 0x01)
‘Allocate Program’ (FC: 0x37)
‘End Download Change’ (FC: 0x0B)
• No safety program signing
• Skip directly from RE to XDEV …
TRITON: Execute My Packet Please!
Page 68
1. Obtaining Materials
2. Device Analysis
3. Reverse Engineering
4. Vulnerability Discovery
5. Exploit Development
The Process
Page 69
• After finding a suitable vulnerability / feature, we need to craft an exploit to gain code execution, e.g.
Insert implant into unsigned firmware update
Hijack control-flow with buffer overflow
…
TRITON: How to go from downloading safety program to executing code on PLC CPU?
Exploit Development
Page 70
• Developed in IEC 61131-3 and CEMPLE
Compiled for PowerPC, executed by runtime on CPU module main processor
• Another freebie: no breaking out of sandboxes, runtime exploitation or chip lateral movement
Triconex Safety & Control Applications
Page 71
• TRITON does not overwrite original logic but appends to it
‘Download Changes’ (FC: 0x01) instead of ‘Download All’ (FC: 0x00)
Adds malicious code to internal linked list of programs
Safety logic continues to run without interruption!
TRITON Code Execution
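The two slides above (the unauthenticated download sequence and the Download Changes vs. Download All distinction) are what a defender would want to spot on the wire. The following Python is an added example, not code from the talk, from TRITON, or from any Triconex tool: it walks constructed UDP/1502 records and reports any Start Download Change (0x01) … End Download Change (0x0B) session, noting whether Allocate Program (0x37) appeared, whether a Download All (0x00) was seen, and whether the sender is an expected engineering workstation. The record layout and the placement of the function code in the first payload byte are assumptions of this example; the real TriStation framing is not given on the slides, so feed it the output of a proper dissector in practice.

```python
"""Flag TriStation program-download sequences in (constructed) UDP/1502 traffic.

Added example; not from the talk and not TRITON/Triconex code. Function codes
and the UDP port are taken from the slides. ASSUMPTION: one record per datagram
and the function code is the first payload byte (not the real framing).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

TRISTATION_PORT = 1502

# Function codes named on the slides
FC_DOWNLOAD_ALL = 0x00
FC_START_DOWNLOAD_CHANGE = 0x01
FC_END_DOWNLOAD_CHANGE = 0x0B
FC_ALLOCATE_PROGRAM = 0x37

FC_NAMES = {
    FC_DOWNLOAD_ALL: "Download All",
    FC_START_DOWNLOAD_CHANGE: "Start Download Change",
    FC_END_DOWNLOAD_CHANGE: "End Download Change",
    FC_ALLOCATE_PROGRAM: "Allocate Program",
}


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def function_code(dg: Datagram) -> int:
    # ASSUMPTION for this example: first payload byte is the function code.
    return dg.payload[0]


def _finding(src: str, dst: str, seq: List[int], kind: str, allowed: set) -> Dict:
    return {
        "src": src,
        "dst": dst,
        "kind": kind,
        "sequence": [FC_NAMES.get(fc, f"FC 0x{fc:02X}") for fc in seq],
        "allocates_program": FC_ALLOCATE_PROGRAM in seq,
        # Any program download from a host that is not a known engineering
        # workstation is the interesting case: the protocol itself has no auth.
        "severity": "info" if src in allowed else "high",
    }


def find_download_sequences(datagrams: Iterable[Datagram],
                            allowed_sources: Iterable[str]) -> List[Dict]:
    """Return one finding per completed Download Change session and one per
    Download All request, in the order they complete."""
    allowed = set(allowed_sources)
    open_sessions: Dict[Tuple[str, str], List[int]] = {}
    findings: List[Dict] = []
    for dg in datagrams:
        if dg.dport != TRISTATION_PORT or not dg.payload:
            continue
        fc = function_code(dg)
        key = (dg.src, dg.dst)
        if fc == FC_DOWNLOAD_ALL:
            # The slides give no closing code for Download All; flag it at once.
            findings.append(_finding(dg.src, dg.dst, [fc], "download_all", allowed))
        elif fc == FC_START_DOWNLOAD_CHANGE:
            open_sessions[key] = [fc]          # logic will be appended, not replaced
        elif key in open_sessions:
            open_sessions[key].append(fc)
            if fc == FC_END_DOWNLOAD_CHANGE:
                seq = open_sessions.pop(key)
                findings.append(_finding(dg.src, dg.dst, seq, "download_change", allowed))
    return findings


# Constructed sample: one legitimate change download from the EWS, one from a
# host that should never talk TriStation, plus an unrelated datagram.
EWS, ROGUE, SIS = "10.10.1.5", "10.10.1.77", "10.10.1.10"
SAMPLE_TRAFFIC = [
    Datagram(EWS, SIS, 1502, bytes([0x01, 0x00])),
    Datagram(EWS, SIS, 1502, bytes([0x37, 0x01])),
    Datagram(EWS, SIS, 1502, bytes([0x0B, 0x00])),
    Datagram(ROGUE, SIS, 1502, bytes([0x01, 0x00])),
    Datagram(ROGUE, SIS, 1502, bytes([0x37, 0x02])),
    Datagram(ROGUE, SIS, 1502, bytes([0x0B, 0x00])),
    Datagram(ROGUE, SIS, 502, bytes([0x01])),    # not TriStation, ignored
]

if __name__ == "__main__":
    for f in find_download_sequences(SAMPLE_TRAFFIC, [EWS]):
        print(f["severity"], f["src"], "->", f["dst"], f["kind"], f["sequence"])
```

Because the protocol carries no authentication, the only network-side discriminator is the source host, so the allowlist is the whole detection; the keyswitch position (next slide) is not visible in traffic and has to be checked on the chassis.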
Page 72
Complication: Keyswitch
Page 73
ICS IMPLANT & OT PAYLOAD DEVELOPMENT
http://iom.invensys.com/EN/Pages/IOM_NewsDetail.aspx?NewsID=78
Page 74
• Directly implant OT payload or implant backdoor
Keeps OT payload secret until Zero Hour (‘killswitch’)
• Cross-Boot Persistence
Requires modifying flash / enough space
• Memory Residence
Requires executable RAM
Reboot = implant gone (but safety controllers typically run for years between reboots)
Also complicates forensics!
ICS Implant Strategies
Page 75
• Common Devices Throughout ICS (cross-facility)
> 18000 Triconex systems in > 80 countries
• Common Software Throughout ICS (cross-vendor)
Protocol / Connectivity Stacks
Control Runtimes / RTOSes
• Construct arsenal of exploits & implants against common devices & software stacks
One time upfront investment, no huge turnover
TRITON makes more sense as a tool in such an arsenal than as an expensive one-off
ICS Implant Scalability
Page 76
THE TRITON IMPLANT
Page 77
• Runs Enhanced Triconex System Executive (ETSX) 6236
Sparse documentation exists on NRC site
27 system calls, flat memory model w/o permissions, minimal privilege separation
Safety / Control programs stored in linked list, executed by runtime in user mode
Triconex 3008 MP Firmware
Source: United States Nuclear Regulatory Commission, Document number NTX-SER-09-10, Page 96
Page 78
• Stage 1: Argument-Setter
• Stage 2: Implant Installer (inject.bin)
• Stage 3: Backdoor Implant (imain.bin)
• Stage 4: Missing OT Payload
TRITON: Multi-Stage Payload
* ICS-CERT MAR-17-352-01 HatMan—Safety System Targeted Malware (Update A)
Page 79
• Egghunt for Control Program (CP) fstat field
• Sanity test write operation
• Use field for stage 2 FSM control
Payload Stage 1: Argument-Setter
Page 80
Payload Stage 2: Full FSM
Page 81
Payload Stage 2: Implant Installer
Requires Supervisor Privileges
Page 82
Payload Stage 3: Backdoor Implant
Page 83
Payload Stage 3: Backdoor Implant
Page 84
• Once backdoor is injected, we have god mode
• Still need OT payload to carry out ‘meat’ of the attack
• Not recovered from incident, hard to determine attack (sub) goal
• Asset owner can make educated guess, we can only speculate …
• Which we will!
Payload Stage 4: OT Payload Delivery?
Page 85
Possible TRITON OT Payloads
• Manipulate the process
Direct: manipulation of actuators
Indirect: deceive controller / operator about process state (e.g. spoof sensor)
• Prevent response (control / safety system)
Modify operational / safety limits
Blind about process state
Page 86
OT Payload: I/O Spoofing
Page 87
I/O Spoofing
(figure: measurement instrumentation and controller, with the input signal and output signal paths that can be spoofed)
Page 88
I/O Translation
Page 89
OT Payload: Alarm Suppression
Page 90
Alarm Propagation
(figure: alarms propagating up to a safety shutdown; attacker goal: catalyst deactivation)
Page 91
Hiding Alarms
Page 92
Suppressing Alarms
Page 93
• PC-based HMI
• Management & bypass of Priority 1 alarms
• Each HMI function is mapped to Triconex logic function blocks
Example: Triconex Safety View
Source: Invensys / Schneider Electric
Page 94
• Consider simple water tank level alarm
• OR of measurement DIs -> alarm DO
Example: Triconex Alarm Function Blocks
Page 95
• Safety Program resides in-memory as code
• OT payload can modify instructions to set alarm to fixed FALSE
• Stored program on flash remains untouched
• Attacker needs to know
1. Where program lives in memory
2. Which instructions of program to modify
Example: Suppressing Alarms
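To make the two slides above concrete (the OR-of-DIs alarm block and the in-memory instruction patch that pins the alarm to FALSE), here is an added Python example; it is not code from the talk, from TRITON, or from any Triconex firmware. The stack-machine opcode encoding, the RAM layout and the program base address are assumptions made for illustration only, not the ETSX instruction set. The example loads the stored program into a simulated RAM, performs the two attacker steps from the slide (locate the program, patch the instructions), and then shows the defender-side check that the page implies: because the flash copy is untouched, hashing the running image against the stored image catches the patch.

```python
"""Hot-patching an in-memory alarm function block and catching it.

Added example, not from the talk and not Triconex code. The opcode encoding,
RAM layout and base address are ASSUMPTIONS for illustration only.
"""
import hashlib
from typing import Dict, List

OP_NOP, OP_LOAD_DI, OP_OR, OP_CONST, OP_STORE_DO = 0x00, 0x01, 0x02, 0x03, 0x04

# Stored (flash) image of the water-tank level alarm block: DO0 = DI0 OR DI1
FLASH_IMAGE = bytes([
    OP_LOAD_DI, 0,      # push level-high switch
    OP_LOAD_DI, 1,      # push level-high-high switch
    OP_OR,              # either one raises the alarm
    OP_STORE_DO, 0,     # drive the alarm output
])

PROGRAM_BASE = 0x40     # ASSUMPTION: where the runtime places the program in RAM


def run(program: bytes, di: List[bool]) -> List[bool]:
    """Execute one scan of the toy program and return the DO vector."""
    stack: List[bool] = []
    do: Dict[int, bool] = {}
    pc = 0
    while pc < len(program):
        op = program[pc]
        if op == OP_NOP:
            pc += 1
        elif op == OP_LOAD_DI:
            stack.append(bool(di[program[pc + 1]]))
            pc += 2
        elif op == OP_OR:
            b, a = stack.pop(), stack.pop()
            stack.append(a or b)
            pc += 1
        elif op == OP_CONST:
            stack.append(bool(program[pc + 1]))
            pc += 2
        elif op == OP_STORE_DO:
            do[program[pc + 1]] = stack.pop()
            pc += 2
        else:
            raise ValueError(f"bad opcode 0x{op:02X} at {pc}")
    return [do[k] for k in sorted(do)]


def boot(flash_image: bytes, ram_size: int = 256) -> bytearray:
    """Simulate the runtime copying the stored program into RAM."""
    ram = bytearray(ram_size)
    ram[PROGRAM_BASE:PROGRAM_BASE + len(flash_image)] = flash_image
    return ram


def locate_program(ram: bytearray, flash_image: bytes) -> int:
    """Attacker step 1: find where the program lives (here a plain byte search)."""
    offset = ram.find(flash_image)
    if offset < 0:
        raise LookupError("program image not found in RAM")
    return offset


def suppress_alarm(ram: bytearray, base: int) -> None:
    """Attacker step 2: overwrite the two loads and the OR with CONST FALSE + NOPs.
    STORE_DO is left intact, so the output is still written every scan, just
    always FALSE. Only RAM changes; the flash image is untouched."""
    patch = bytes([OP_CONST, 0, OP_NOP, OP_NOP, OP_NOP])
    ram[base:base + len(patch)] = patch


def running_image(ram: bytearray, base: int, length: int) -> bytes:
    return bytes(ram[base:base + length])


def integrity_ok(ram: bytearray, base: int, flash_image: bytes) -> bool:
    """Defender check: the running image must hash to the stored image."""
    live = hashlib.sha256(running_image(ram, base, len(flash_image))).digest()
    return live == hashlib.sha256(flash_image).digest()


def demo() -> Dict:
    ram = boot(FLASH_IMAGE)
    base = locate_program(ram, FLASH_IMAGE)
    before = run(running_image(ram, base, len(FLASH_IMAGE)), [True, False])
    ok_before = integrity_ok(ram, base, FLASH_IMAGE)
    suppress_alarm(ram, base)
    after = run(running_image(ram, base, len(FLASH_IMAGE)), [True, True])
    return {"before": before, "after": after,
            "integrity_before": ok_before,
            "integrity_after": integrity_ok(ram, base, FLASH_IMAGE)}


if __name__ == "__main__":
    print(demo())
```

The byte search stands in for whatever the attacker actually has to do to find the program (the slides list that as the first of the two things the attacker needs to know); the point of the final check is that comparing the logic the engineering tool reads back from flash is not enough, since the patch lives only in RAM.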
Page 96
Analyzing Safety Program
Page 97
Hot-Patching Safety Program
Page 98
Example: Alarm Suppression
Page 99
More Speculation Ahead: Why Did The Attack Fail?
Page 100
• Failed Privilege Escalation / Backdoor allows for raw RWX
• You read / write / execute the wrong thing in the wrong place …
• Getting into a fight with the watchdog
• Very common embedded way to shoot yourself in the foot
• Missed diagnostics?
Option A: b0rked payload?
* https://betterembsw.blogspot.com
Page 101
Option B: TMR?
https://patentimages.storage.googleapis.com/5a/1a/88/f75a93ace8c548/US8037356.pdf
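As an illustration of the TMR mechanism this slide alludes to, here is an added Python example, not from the talk and not Triconex code: three channels run the same alarm logic, each output bit is 2-out-of-3 majority voted, and a channel that keeps disagreeing is counted as faulted until the controller drops into a fail-safe state. The voting rule, the fault counter and its threshold are assumptions of this example; the actual Triconex vote and diagnostic rules are not described on the slides. It shows why a payload that reaches only one channel gets both outvoted (the alarm still asserts) and diagnosed (the controller faults), which is the failure mode the slide speculates about.

```python
"""2-out-of-3 voting with per-channel diagnostics.

Added example, not from the talk. ASSUMPTIONS: identical logic on three
channels, per-bit majority vote, and a channel counted as faulted when it
disagrees `fault_threshold` times; these are not the real Triconex rules.
"""
from typing import Callable, Dict, List, Sequence

Channel = Callable[[List[bool]], List[bool]]


class TmrVoter:
    def __init__(self, channels: Sequence[Channel], fault_threshold: int = 3):
        if len(channels) != 3:
            raise ValueError("TMR needs exactly three channels")
        self.channels = list(channels)
        self.fault_threshold = fault_threshold
        self.faults = [0, 0, 0]
        self.state = "RUN"

    def scan(self, di: List[bool]) -> Dict:
        outputs = [ch(di) for ch in self.channels]
        n = len(outputs[0])
        # A bit is TRUE when at least two of the three channels say so.
        voted = [sum(o[i] for o in outputs) >= 2 for i in range(n)]
        disagreeing = [k for k, o in enumerate(outputs) if o != voted]
        for k in disagreeing:
            self.faults[k] += 1
        if any(f >= self.fault_threshold for f in self.faults):
            self.state = "FAULT"   # diagnostics trip: controller goes fail-safe
        return {"voted": voted, "raw": outputs,
                "disagreeing": disagreeing, "state": self.state}


def healthy_alarm(di: List[bool]) -> List[bool]:
    """DO0 = DI0 OR DI1, the alarm block from the earlier slide."""
    return [di[0] or di[1]]


def patched_alarm(di: List[bool]) -> List[bool]:
    """The same block after an implant pinned its output to FALSE."""
    return [False]


def simulate(scans: List[List[bool]], patched_channel: int = 1,
             threshold: int = 3) -> List[Dict]:
    """Run the given DI scans with one channel's alarm logic patched."""
    channels: List[Channel] = [healthy_alarm, healthy_alarm, healthy_alarm]
    channels[patched_channel] = patched_alarm
    voter = TmrVoter(channels, threshold)
    return [voter.scan(di) for di in scans]


if __name__ == "__main__":
    for r in simulate([[True, False]] * 3):
        print(r["state"], "voted", r["voted"], "disagreeing", r["disagreeing"])
```

Note the quiet case: while no level switch is active, the patched channel agrees with the healthy ones and nothing is flagged, so an implant can sit undetected until the very moment the alarm is supposed to fire, which is when the vote overrides it and the diagnostics trip.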
Page 102
Conclusions
Page 103
• Obtaining Necessary Materials – Easy
• Public documentation, no firmware protection, buy 2nd hand components
• Protocol RE / Vulnerability Discovery - Easy
• Unauthenticated engineering protocol
• Software with debug symbols
• Exploit Development - Moderate
• No program signing, no sandboxing
TRITON Cost & Complexity Assessment
Page 104
• Implant Development - Moderate
• Required a (simple) privesc exploit; required firmware RE or another way to learn the internals; must take TMR / diagnostics into account
• OT Payload Development - Hard
• Hardest part: deep firmware RE + understand position of particular SIS instance in process
• Likely doesn’t scale well beyond target facility
TRITON Cost & Complexity Assessment
Page 105
• If part of broader ICS arsenal, where’s the rest?
• In what light should TRITON dev cost be seen?
• Expensive for a one-off, cheap for a scalable one-time upfront?
• What does the attack failure tell us?
• Implant development = Software development = 99% Frustration
• Maybe stability sacrificed in R&D cost/benefit judgement? Maybe they were in a rush?
• If or when do copycats appear?
• Either of TRITON itself, or using it as a blueprint against other SIS and ICS
Open Questions
Page 106
• Ali Abbasi, Uni Bochum, Germany
• Thorsten Holz, Uni Bochum, Germany
• Felix ‘FX’ Lindner, Recurity Labs
• Various security community folks who kindly contributed to our knowledge and experience
Thank You
Page 107
Jos Wetzels | Principal Security Consultant, Secura
Marina Krotofil | Senior Security Engineer, BASF
Designing Exploits & Implants for Industrial Control Systems
THANK YOU