
Langner Awareness Demonstration Tool

Ralph Langner, who is on our top ten list, always has some interesting tools or information when we talk. Recently he showed me an application Langner Communications uses when having difficulty convincing asset owners they should worry about security.

It is a simple demo:

1. Press “PowerScan” to obtain a detailed listing of all networked PLCs, along with model information, configuration information, and reverse DNS names.

2. Select victim PLCs by checking the box to the left of the list entry.

3. Select if you want to switch all outputs of all selected PLCs on, off, or randomly. Then press the “Set Outputs” button.

4. Watch the skeptical asset owner’s face drop.

Langner Communications Awareness Tool

The tool was originally written for one specific vendor's products, but it has since been generalized and is now effective against a few vendors' PLCs.

Comments

Comment from Mike T
Time: February 10, 2009, 1:55 pm

That’s the most frightening application I’ve ever seen.

The worst part is, there is no current defense against something like this once a malicious individual is on the process network. Once they are on the same network as those PLCs, they have full capability to disrupt your process with little recourse. You’re left with putting in the strongest controls you can stand at the perimeter, and possibly segmenting your traffic to reduce the impact of such a tool.

Mike T.

Comment from Jake Brodsky
Time: February 10, 2009, 2:18 pm

This should be a significant eye opener to those who think they’re isolated. Show them this tool, and then ask them “ARE YOU SURE?”

Comment from Ralph Langner
Time: February 12, 2009, 1:28 pm

Mike, the “I’ve ever seen” part really is the problem. Funny enough, even experienced process engineers still don’t connect the dots when it comes to security.

One could say that the frightening application to start with is the engineering tool that you buy from the vendor. Look at the rich feature set with ladder logic reloading on the fly (aka code injection) and stuff. How convenient, all this works via the network with zero configuration and no authentication! Now if you have ever seen something like Wireshark, it’s time to do the math — and get frightened.

Let me carry this forward to make my point. So people do get frightened when they see the iOpener. But still, very few connect the dots a little bit further, to understand: All of this can be automated. It could operate as well with no user interface and no user interaction, as a Trojan Horse or worm. This is what I call ZCADA, or Zero Control Automated Destructive Attack software.

We won’t do a proof of concept on that as we know anyway that it works, and as I don’t want to turn our lab into a high security environment. Let’s hope nobody with too much time and bad intent will do the real thing until asset owners are prepared, and let’s try to educate people where the most critical vulnerabilities are. Our mission is not accomplished.
