Digital Bond

For Secure & Robust ICS

S4 Video: Attacking The Plant Through WirelessHART

by Leave a Comment

There are two weeks left to submit your session proposal for the S4x17 Main Stage or Stage 2: Technical Deep Dives. Take a look at the Call For Presentations and submit this month.

Subscribe to The S4 Events YouTube Channel

This S4xVideo is a great example of what we try to do on Stage 2. Jalal Bouhdada and Erwin Paternotte are two researchers the most of the ICS security had not heard of that came in and gave an important, highly technical presentation with new information for people who are experts in this field.

The researchers dig into the protocol and implementation of WirelessHART to identify security strengths and weaknesses as well as areas that deserve future research.

The main findings are:

1) the most important crypto key, the Join Key, is often left as the vendor default. This default is often in the documentation, and even if not will be available with a reasonable Internet search. Many if not most deployments are not changing the default Join Key.

Asset owners are getting a false sense of security and not properly managing risk. They hear that WirelessHART is secure, but the deployment team, and often the sales team, neglects to mention that some level of key management is required to achieve this security.

2) The firmware could be extracted via JTAG on all 5 vendor systems the researchers looked at. They were able to identify where the Join Key was in the firmware. While it was encrypted or encoded, unknown at the time, they could copy this into their own WirelessHART device and join the network.

Really great work by these researchers that we hope to see more from in the future.

Why Invest In Complexity (Toecker)

by 3 Comments

This guest post is by Michael Toecker of Context Industrial Security and a Digital Bond Alumnus. It first appeared on the SCADASEC list. I thought it was great, and Michael kindly allowed us to post it here.

The world isn’t about just the process anymore, it’s not just about moving water from A to B, or just producing X MW 24/7, or just cracking long hydrocarbons into short hydrocarbons.

It’s about moving water from A to B, while using as little electricity as possible, while monitoring proactively for failures, while watching for leaks in the pipes, while maintaining a balance between too much and too little chlorine, while maintaining an adequate reserve based on historical
trending and real-time analysis.

It’s about producing X MW, while minimizing fuel cost, while reducing unexpected failures, while minimizing emissions, while matching renewable output, while ensuring grid events don’t take you out, while also bidding into a real-time market, while….

You get the picture.

It’s not the operations piece that has gotten more complicated, it’s the business needs that have changed. The control system is the best place to get the data for all this, which means it gets the all the add-ons. This also means that we should be buying control systems with the ‘capacity’ to handle stuff like that, assuming a much steeper rate of change.

The process of listening to other business units is an engineering process, no less than any other.  The business may want to increase production, which to an engineer might mean increasing flow through a certain set of pipes. If you want to increase flow through those pipes, you have to pull out small aperture valves and put in new bigger ones. Those bigger ones might require better motor/air drives, which might mean beefing up the electrical cabinet, and probably a different scheme for stroking the valve.

More flow means you need better pumps so you have to replace the old ones. The new pumps happen to be VFDs to comply, so you need a motor control center along with better power conditioning equipment. The new pumps require liquid cooling, so there is another subsystem. And since there’s an increase in the input via the pipes, all the calculations for the reaction and the eventual output all have to be redone, tested, and implemented. And all this means you’re operators will need new training on the new parameters, and new displays, alarms, conditions, set points… And at the end, you’ll have a system which (i hope) saves enough time, money and produces enough product to be worth the trouble. Or not, maybe you’ll have a design that costs more than the value of the increased product,
which means it DOESN’T get ok’d.

How is this mechanical/electrical/hydraulic process any different from the computer one?

Upgrades cost money, get complicated, and require thought and expertise, but that’s not a reason to NOT do them. It’s a reason to bring in folks who can do the planning well, and come up with a good design and cost estimate so that the business can make the determination. If engineers don’t identify that the add-ons being requested might need new switches, vlans, rejiggering of logic, replacement HMIs, better controllers, etc, then they aren’t doing the full engineering of the job.

Why invest in some complexity? Because your competitors might be making these decisions, doing these designs, and reaping any benefits.

Image by Newtown Grafitti

DNS Slides and Tools Release

by Leave a Comment

 

Way back at S4xJapan, 2015, Labs did a small research project on DNS domain squatting.  We never thought that it would amount to much in terms of press, but did think that would be a useful talk to spur vendors into action before it was too late. Already we have discovered some very popular ICS vendors where these squat domains are hosting malware; as Dale says, it is only a matter of time before someone gets smart (and nasty), and clones a legitimate vendor website onto a squat domains. The evildoer could host malicious software updates, bad security advice, and possibly even harvest end user credentials.

We revamped the talk slightly for S4xEurope, focusing on a few European vendors who were victims of domain squatting behavior.  We are happy to publish the slides to the talk, which covers not only domain squatting but some old topics of DNS tunneling and zone transfer issues that we’ve seen with some frequency.

We would also like to point out that EnergySec published a paper on one of these issues — DNS tunneling — some time ago.  It is worth reading if you are in the energy sector, as it is a not-uncommon mistake to see on such networks.

In Japan, we hit upon the idea of scouring websites for potentially malicious links. For example, if you are an ICS vendor, perhaps you should look through your support forums for links to homoglyphs of your domain name — it could be evildoers trying to trick your users into downloading some malicious software or firmware.  While our tool is nowhere near perfect, we did write a basic version of such a webcrawler under the unimaginative name TypoScraper.  You can snag a copy from our github ‘scripts’ repository, and do with it as you will.

Image by jenniferboyer

S4x17 Call For Presentations

by Leave a Comment

Today through August 31st the S4x17 Call For Presentations is open. It is the place to present advanced topics in ICS and related fields to an audience will get it.

The process is real simple. Send an email with 2 or 3 paragraphs on your session idea to s4@digitalbond.com. We evaluate session proposals as they come in, so early submission improves your chances of acceptance.

We are expecting 500 attendees for the 3-Stage Event, and we will again focus on creating fun social events for you to spend time with your fellow attendees in Miami Beach in January.

So send us your best now.

S4 Classic Video: Langner’s Stuxnet Deep Dive

by Leave a Comment

Tomorrow we will be officially opening the S4x17 Call For Presentations (CFP), so I thought it would be the perfect time to highlight one of the S4 Classics to show what a S4 Technical Deep Dive looks like. Watch how Ralph goes through the code/logic in detail so you can see the key features of Stuxnet, and yet the key points are understandable without technical expertise and everything is large enough for the audience to see.

I started a new S4 Classics playlist on the S4 YouTube Channel, and this is the first video in that playlist. It received 38K views on Vimeo before we moved it to this new channel.

This video is from S4x12 when we were still in the 60 person case study rooms. The event has grown in many ways since then, but the technical meat has always been a key part of S4.

S4x16 Video: Langner’s Critical Penetration Analysis in Nuclear Power

by 2 Comments

A great 22 minute presentation by Ralph Langner of The Langner Group at S4x16. He provides some very specific examples of a cyber / physical attack on nuclear power plants. For example, a cyber attack on all of the feedwater systems.

What is the key to this type of attack? Studying the design plans, particularly around the last line of defense … the safety systems. Safety systems have not considered malicious cyber attacks, which makes much of the analysis and protection ineffective. He shows how the safety analysis is faulty in the feedwater system example.

Ralph then goes through a three step process that both an attacker and defender should use.

Filed Under: S4

S4xEurope Video: IRONGATE – Technical Deep Dive

by Leave a Comment

We decided to put the IRONGATE video from last week’s S4xEurope out first. There is no new big reveal over the information put out in the FireEye article, but Rob provides a lot of context that makes it easier to understand. He also focuses on unanswered questions and a comparison to Stuxnet.

If this is really a Grad Student Research Project, I would think we would hear who did it in the next couple of weeks. Some of the S4xEurope attendees were going to try to help make contact with the author of PLCSIM.

Here are some highlights of the video:

3:56 Why IRONGATE is interesting from a technical perspective.
6:08 Is the industry numb to this type of release due to naming, hype, process?
8:20 A flow chart showing the major steps of IRONGATE.
14:20 The actual DLL replacement code.
16:20 Record and replay code.
19:25 Comparison and contrast with Stuxnet.

The last ten minutes is Q&A.

S4x16 Keynote Video – General Michael Hayden

by Leave a Comment

General Hayden gave the Day 1 Keynote at S4x16 and really brought it. He had strong and often controversial opinions that were well defended. He pointed out where he disagreed with President Obama, FBI Director Comey and most of Europe. Check it out below or on our new S4 Events YouTube Channel.

Viewing Notes:

After a bit of intro and opening comments, it really gets cooking after the first 7 minutes.

7:44 He is less worried about a “Cyber 911” than Leon Penetta and others

14:06 Disagree with President Obama’s characterization that the Sony attack was cyber vandalism, but he does not have a better description … and he sees that as a problem.

15:20 Shame on us, not shame on China for the OPM hack. If he had the same ability to do this to China as Director NSA he would, and he wouldn’t even need to ask for permission.

17:30 “The government will be permanently ‘late to need’ in providing cyber security”

24:15 A three minute self-described rant on Europe, their “Pathological Government Structure”, and regulation/legislation that goes so far beyond the US Patriot Act.

27:56 General Hayden’s views on Encryption, which are contrary to FBI Director Comey.

29:00 Government is not, and will never be, the main player in cyber security.

34:40 Americans are going to be remember for the Internet like the Romans are remembered for their roads.

Why IRONGATE Is A Big ICS Security Story

by Leave a Comment

We were thrilled to add a session by Rob Caldwell / FireEye to next week’s S4xEurope agenda when we learned in April about the ICS malware they have named IRONGATE. This is the second biggest ICSsec story of the year to date, albeit a distant second from the Ukrainian Power Utility hack.

FireEye published some technical info on IRONGATE today, and I’m really looking forward to the technical deep dive at S4xEurope.

Three reasons why this is an important story, and none of them are this exact malware’s ability to damage real world ICS.

  1. This is the first post-Stuxnet ICS example of a Stuxnet-like man-in-the-middle attack with a record / replay feature so operators do not see what is truly going on. Many predicted that attackers would learn and mimic Stuxnet techniques. They have.
  2. Fingerprinting so it only affects a specific ICS, again like Stuxnet.
  3. IronGate arrived in VirusTotal in 2014. Yes 2014. And it had clear SCADA markers, such as SCADA.exe. How much other malware attacking an ICS is sitting in repositories around the world, or even worse undetected on operational ICS.

The attackers have learned and implemented Stuxnet techniques, but the defenders haven’t really improved the ability to detect malware targeting ICS. We need significant improvement in detection capabilities for ICS integrity attacks.

There will be a lot of speculation on who created this and for what purpose, and it will be just that … speculation. There is no evidence that this is a warning of a significant attack, or that it is not. It could be as innocent as a researcher seeing if proof of concept Stuxnet-cousin malware working in his lab would be detected in VirusTotal. Or it could be a preparatory step in related malware development by a more offensive minded organization.

Step back from that speculation, and think of the implications of the three points highlighted in this article.

S4x16 Video: Billy Rios … Infusion Pump Teardown

by Leave a Comment

Billy Rios of Whitescope gives a classic S4 Technical Deep Dive on a medical device called an Infusion Pump at S4x16 in Miami South Beach. He opens them up, shows the hardware, connections between boards, attack paths, default credentials, rogue firmware upload and more.

Billy goes over three different infusion pumps.

3:00 Hospira PCA

14:40 Hospira PLUM A+

18:10 Hospira SIMBIQ

If time is limited look at Billy’s analysis of the first and third infusion pumps. The Simbiq actually has a CAN Bus.

 

About Us

Digital Bond was founded in 1998 and performed our first control system security assessment in the year 2000. Over the last sixteen years we have helped many asset owners and vendors improve the security and reliability of their ICS, and our S4 events are an opportunity for technical experts and thought leaders to connect and move the ICS community forward.

Recent Comments