Chaos Computer Club (CCC) SCADA Presentation Report
Ralph Langner, one of the bright lights in the European SCADA Security community, attended the CCC annual meeting in Berlin right before the new year. There was a Hacking SCADA presentation.
Begin Ralph’s Report
The Chaos Computer Club’s annual meeting is the place to go when looking for black hat hackers, at least from their European Chapter. A presentation titled “Hacking SCADA. How to own critical infrastructure” for this audience would certainly give an impression about the black hats’ state of the art, so I reasoned. The presentation was done by two fellows from Italy, Raoul “Nobody” Chiesa and “Mayhem” Alessio Pennasilico. More than the cool nicknames indicated that the presenters put some effort on being recognized as members of the hacker community.
Most of the one-hour presentation consisted of stuff that all of us learned in elementary school. Exhibit D was a reference to “The Register” about trusty old Vitek (where would our profession be without him). The audience was also educated about the Siberian gas pipeline explosion, Davis-Besse, etc. pp. All these nice references flipped by, topped with AIC vs. CIA, raising so many memories. Now one of the two occasions when the presentation went about hitting its subject (“Hacking SCADA”) was a short video by Eric Byres, showing Eric explain how a hacker would go about manipulating a Modicon PLC by searching the required information on the Internet. The second (and last) time that the presenters briefly touched the subject of their presentation was a reference to a “case study” they had done in a small Italian manufacturing company, where they managed to DoS what appeared to be an Allen-Bradley CompactLogix L32E. All in all, the little technical detail that could remotely be associated with “hacking” boiled down to less than ten minutes, with half of it consisting of Eric’s video, and the other half of an occasional blind-shot DoS of one specific PLC that doesn’t have much of a record in critical infrastructure.
So how does all this relate to “owning critical infrastructure”, one might reasonably ask. Here’s how. You need to drink enough Italian grappa, which the presenters passed along generously before and after the presentation, and which they enjoyed themselves throughout the presentation (no kidding). If you try hard enough, you might end up in some kind of Die Hard 4.0 fantasy with yourself as the hacker mastermind. After all, if you managed to DoS one lousy compact PLC (sorry, Rockwell), you might as well control the power grid and water utilities, which may appear to be all the same under the influence. But even if you don’t, you still have a chance convincing some asset owner to hire you as a security consultant. This was what made up the final fifteen or so minutes of the presentation when the audience was introduced to the presenters’ “Cristal project”.
Now here’s the good news: Asset owners, you don’t need to worry about hackers. When they talk about “owning critical infrastructure”, they’re just sharing their wildest dreams. In reality, they have nothing in their hands. Zero. Nada. Niente. It will take several more years until the hacker community has learned to master various flavours of PLCs with their different protocols and vulnerabilities. It will take further years until they get to things like OPC and furnish advanced attack methods against it. And by the time they come up with decent exploits for the various SCADA applications that we use today, most CxOs will already be retired. We have heard over and over again that the IT folks aren’t particularly good at securing SCADA environments. Guess what, they aren’t good at attacking them either. However, our hackers do think nobody will notice because the stuff is all so complex. That’s what I call “insecurity by obscurity”.
End Ralph’s Report
Interesting report. Thanks Ralph. I’m not as optimistic that the hacker community will progress as slowly as Ralph predicts.
Author: Dale Peterson
Posted: January 3rd, 2008 under Conferences.
Comments: 14
Comments
Comment from Ron Southworth
Time: January 3, 2008, 9:13 am
Hi Dale, that is sad to hear about the video.
I am still trying to persuade my employer to purchase a copy and now it sounds as if it is in the underground.
I hope BCIT or Eric can track them down for copyright infringements if they did not obtain the tape legally of course.
This sort of thing is inevitable as the naughty people start to look at other ways to gain income or notoriety.
All the best for S4 I hope it is a success for you.
Comment from stephan beirer
Time: January 3, 2008, 10:07 am
I also attended that talk and I can confirm Ralph Langner’s report 100%. That presentation was definitely the worst talk of the whole conference (probably the worst talk I ever saw) - 90 % of the information was taken from Google, the presenters were drunk and I guess the Allen-Bradley was the only piece of automation equipment they ever saw - probably that’s the reason why they called that a “critical infrastructure”.
Ron, the BCIT video was taken from YouTube, but it seems to be removed already.
Happy new year, all the best, s
Comment from Eyal Udassin
Time: January 3, 2008, 10:16 am
Hi Ralph & Stephan,
Sorry to hear about the waste of time, unfortunately there are a lot of people who don’t perform real research yet try to pass their work as such.
Our presentation at S4 was specifically designed to correct these impressions of how the hacker community approaches and studies the SCADA environment and its vulnerabilities.
Hope to see you there,
Eyal.
Comment from stephan beirer
Time: January 3, 2008, 10:58 am
btw: here are the slides:
http://conference.hitb.org/hitbsecconf2007kl/materials/D1T2 - Raoul Chiesa and Mayhem - Hacking SCADA - How to 0wn Critical National Infrastructure.pdf
and if you have enough bandwidth and time to waste, here is the official video recording of the presentation:
http://dewy.fem.tu-ilmenau.de/CCC/24C3/matroska/24c3-2227-en-hacking_scada.mkv
Eyal: unfortunately I won’t be at S4, but I look forward to reading about your work in the proceedings.
Comment from Jake Brodsky
Time: January 3, 2008, 3:38 pm
The key point is whether this is representative of what is going on in the community. I made this point earlier on the SCADA Gospel list: Kids will happily hack a soda machine because they understand it, and because the down-side isn’t that serious. However, they won’t hack a substation because they don’t understand it, and the downside if they’re caught is pretty serious.
I think we have some time. I’m not sure how long things will stay that way, however.
Comment from Ralph Langner
Time: January 3, 2008, 4:04 pm
Well, Eyal… depends… do you bring booze??
Comment from stephan beirer
Time: January 4, 2008, 5:50 am
Jake, these kids were in their late 30s, early 40s ;)
Comment from Jake Brodsky
Time: January 4, 2008, 7:42 am
Stephan, I use the term “kids” because the combination of creativity and social immaturity needed to commit these kinds of crimes is usually found in those under the age of 25.
Comment from Joe Weiss
Time: January 4, 2008, 11:14 am
I wasn’t at the conference and just looked at their September 2007 presentation. Unfortunately, I have to disagree about the bashing of the presentation - it seems reasonable. This almost looks like the same lynching party that started after the release of the Aurora tape. Forget about trying to find weaknesses and recognize there is credible information given at a black hat conference. SAIC gave even more credible technical details several years ago at a black hat conference.
Joe Weiss
Comment from Ralph Langner
Time: January 5, 2008, 6:27 am
Joe, with all due respect — the title of the presentation was not “SCADA (in)security for beginners”, it was “How to own critical infrastructure”. While I would agree that our proud hackers have put together a nice intro to SCADA security in general, I deny that they have anything to say about the subject of their presentation. BTW, it looks different when I’m going to lynch somebody. There would have been several things about the presentation worthy of lynching them for, such as making fun of Eric, but around Christmas time I am usually not in the lynching mood.
Comment from stephan beirer
Time: January 5, 2008, 9:43 am
Joe, just have a look at the 1-hour video linked above and you’ll see that Ralph is absolutely right…
Comment from Ron Southworth
Time: January 5, 2008, 9:17 pm
Hi guys, thanks for the link to the video. Something to add to my archives.
I would consider the video a good glimpse at the black hat community; for those who have not been exposed to an event of that type before, it would be an excellent example. I have sat in the back corner at a few of these types of sessions before (complete with long hair, clip-on earrings and beard). The language, accuracy of information, drinking on stage, etc. is nothing startlingly new from my perspective. I hope the community publishes more of their meeting material in “public places”.
Comment from Alessio L.R. Pennasilico
Time: January 9, 2008, 9:16 am
Dear Dale, dear Ralph,
We read the report about our lecture at the CCC congress: it is an honor for us to be cited by Digitalbond, whose work is very important for us. But it’s very dramatic to read the impression that you had at the conference: we think that you completely forgot the spirit of the event and the aim of the lecture.
We are so sorry because, maybe, talking together in Berlin would have been better than exchanging e-mails after your post.
We, of course, admit that a better title should have been “Introduction to SCADA security problems”, but our aim was to attract as many people as we can. You know, it’s “marketing”.
Our goal was to get as many people involved as we can. We, in fact, strongly believe that critical infrastructure problems exist, and the more people take care of it, the better it would be. Many of the attendees were not aware of what SCADA is, what kind of problems it must face, and why it is important to discuss it. The names we used, instead, were not intended to make people think we belong to the underground: those are the names by which people have known and called us for many years. Also about hackers, I think we attribute different meanings to the same word: Ralph, our aim is not to teach criminals how to exploit assets. We refer to hackers as people who are able to understand, think about and modify them, creating a better solution. Our talk was not about exploiting networks, but about existing problems and their management.
We are quite sure that Ralph was disappointed about the lecture: you were not the intended audience. We wanted to talk to people used to taking care of worm propagation, SQL injection, binary exploits, and so on, and to tell them that SCADA is a different world, with different problems, rules and priorities.
The problem was to make people understand that this is a real problem, and people can really die because of your program or your sysadmin work.
It was one of our goals: to make all those pentesters present understand that a single nmap scan could be very dangerous; to make them understand that HMI, DCS, RTU, PLC cannot be managed or tested like a normal webserver.
I perfectly understand that having many years of study and research on this topic makes this lecture ridiculous, but, as we said, you were not the intended target of this talk. The CCC is full of very expert people, but IT people often do not know this topic. Our goal was to provide publicly well-documented proofs of an existing problem, of which hackers (read as security researchers) have to be aware.
The other big bullet we wanted to discuss was about disclosure. We started the talk with a disclaimer about the German law that makes many security tools illegal. Then we intentionally presented only material that can be found by anyone on the Internet, to make people understand how information is managed. Then we presented some real data deriving from an anonymous source. This was to make people understand that there is no, or little, disclosure about these technologies and that “SCADA experts” are worried about hackers and try to disclose nothing. This is, in our opinion, wrong.
For this reason we founded Cristal project: to stop writing white papers/best practices and create a real case history archive. As we said during the conference, we think that any case history is more impressive than any abstract paper.
It’s true, we were presenting a case history about some little devices, but remember that we are a little project, just born, non-profit, all based on volunteers.
Nobody paid us or the customer to test, and the involvement of more people, companies and organizations is our first aim.
As you may understand, it is very difficult to have a big company disclosing their infrastructure, their hardware and software. The project has just been born and our main goal is to disclose as many case histories as we can. We prefer to talk about a real company, a real product, although not so critical, than to preach the useless “do it in this right way”.
If you think that, in giving information about the SCADA world to those outside it, you have better contributions and more experience, I agree with you. Please join the project and help us to make it more useful!
To finish, some words about grappa… Yes, we offered grappa before and after the conference: it is a common practice of the “Italian Embassy”, the group of Italian people that usually go to Chaos Computer Club events. The “Italian Embassy”’s motto, “Italian Grappa”, represents our social purpose: to offer Italian handmade espresso and grappa to all our friends and all other people at the event. We think that these people have a lot of things in common with our point of view on life, technologies, laws… and fun.
The CCC is a very informal context; in fact, as you saw, no one was wearing a tie or a suit. So the talk was obviously thought to inform but with fun… It was in our scope to talk about important topics but without making the public bored.
We hope that this mail can give a better look at our work and presentation, and we truly hope that the next time we are in the same place we can drink a grappa all together.
mayhem & raoul
Comment from Ralph Langner
Time: January 9, 2008, 3:43 pm
Alessio, no sweat. I think the one big problem with your presentation is the title. The presentation just does not deliver what the title advertises. Which is, on the other hand, a piece of solid and valuable information: what is communicated at 24C3 does not teach hackers how to hack SCADA and how to own critical infrastructure, period. And that is, after all, a good thing — seriously.
By the way, I did approach you after the presentation and asked if you know Eric Byres personally — just because I had the feeling that you probably didn’t know about whom you were making “funny” comments during the video. Something I recommend to rethink for your upcoming presentations. Eric knows much more about all this stuff than most of us, and besides that, he is just one hell of a nice guy.