Digital Bond

For Secure & Robust ICS


Serial Killers: Ethernet/Serial Gateways Exposed

October 25, 2016 by Dale Peterson

One of the nastiest aspects of the attack on the Ukrainian electric distribution system was the bricking of the Moxa Ethernet-to-serial gateways. Industry insiders have known these little devices were a security problem. Reid goes over the timeline: when the issue was disclosed to Moxa prior to Ukraine, their public promise to fix it by August 2016, and the fix that is still awaited.

As you can tell by the thumbnail picture, Ethernet-to-Serial gateways commonly used in SCADA and other ICS are easily compromised in a variety of ways. Reid Wightman dives into the details in models from Moxa, Digi, Lantronix and GridConnect. It’s likely most other models are just as bad.

The technical aspects of this session, while detailed, hardly taxed Reid’s skills and are in no way showing off elite ICS offensive techniques. Rather, it’s the typical insecure by design, insecure proprietary protocols, and poor coding and design practices across a class of ICS equipment. We actually would not include a session like this in Stage 2: Technical Deep Dives in Miami Beach. It’s too basic.

The main reasons to watch this video are:

  1. The classic vendor responses to researcher-disclosed vulnerabilities. Everything from no response, to unmet promises, to the classic “the device was never meant to be secure … live with it … we won’t tell people it is insecure and will continue to sell it.”
  2. To think about how this quite simple, widely deployed device is so perfectly positioned for attackers. It is required for monitoring and control communications to serial PLCs, RTUs and controllers. And it is like the printer on the corporate network: a great place to hide attack code and achieve persistence even after the computers in the ICS are cleaned. From the attacker’s perspective, an insecure device that has no cyber maintenance or monitoring is very appealing.

Filed Under: PLC Security, S4, SCADA Hacking, SCADASEC 101 Tagged With: Gateways, Reid Wightman, S4xJapan, SCADA hacking

Reid Wightman Starts New Company: RevICS

September 12, 2016 by Dale Peterson

After two years establishing and running Digital Bond Labs, Reid and I have decided that it makes more sense to run this as a stand-alone business. So I have the honor to be the first to announce and congratulate Reid on his new company: RevICS.

In all candor I’ve been surprised that the synergies we expected between ICS security consulting and detailed third party assessment / penetration tests for ICS vendors as part of their security development lifecycle (SDL) were not there. The sales and marketing to potential customers are different, and the teams that do the work are different. They both are good and growing business areas, but for a small company like Digital Bond it is hard to focus on and pursue both, along with our growing S4 Events.

It has been and continues to be a pleasure working with Reid. He is among the best (there is no Olympic competition so I can’t definitively say the best) at ICS penetration tests / assessments to identify new vulnerabilities / 0days, particularly in embedded systems. We will continue working with him and actually issued RevICS three POs, so we are RevICS’s first customer.

One of those POs is for Reid to run the CTF at S4x17 this January in Miami South Beach. I’m excited about the approach and all of the flags that he and the CTF team have already created. It is going to be very ICS focused and have flags for all different skills and skill sets.

Filed Under: Digital Bond

The Ghost of S4 CTF Past

August 19, 2016 by Reid W

We have been preparing some new and interesting challenges for the S4 CTF this year, and I think that players will have a lot of fun with what we have in the works. We have a number of nice challenges that involve breaking and entering into our ‘Killer Robot Factory’ (players from last year’s CTF may remember a few flags associated with the poor Killer Robots — for all of the pain that they cause humanity, they don’t secure their network very well).

One of last year’s challenges was to find the product order code for a feeder management relay.  This relay was used to control a breaker that could disconnect the poor Killer Robots from their electric mains.

While we have a few SEL-751As in our test lab, we thought that putting one in harm’s way for the CTF might be a bit of a stretch. Even ‘good’ industrial equipment such as that made by SEL tends not to deal very well with many simultaneous users. That, and if people messed with the equipment, it could be a pain to restore to working condition.

Instead, we built a SEL emulator (or honeypot) in Python using the cmd2 library.  The emulator is kind-of-sort-of good, and provides a sort-of-realistic simulation of an SEL relay — enough to trick CTF players, anyway.
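As an added illustration of the idea (this is not the S4 emulator and not Digital Bond’s code), here is a relay-style command shell built on Python’s standard-library cmd module rather than cmd2. The command names ACC, ID and QUI are assumed examples of a relay-style ASCII command set; the identity strings, the order code and the password are constructed placeholders. Every command and login attempt is kept in an event list, which is what makes such an emulator worth running as a honeypot: the record of what was tried is the product.

```python
"""Relay-style ASCII shell emulator (a small honeypot) on the stdlib cmd module.

Added example, not Digital Bond's S4 emulator. ACC/ID/QUI are assumed command
names; identity strings, order code and password are constructed placeholders.
"""
import cmd
import datetime
import io

# Constructed identity block: a real relay reports its firmware ID and product
# order code here, which is the kind of value a CTF flag hides in.
IDENTITY = {
    "FID": "EXAMPLE-RELAY-R100-V0-Z000000-D20160101",  # constructed
    "PARTNO": "EXAMPLE-0000-PLACEHOLDER",               # constructed order code
}


class RelayShell(cmd.Cmd):
    """Level-gated shell: ID needs access level 1, QUI drops back to level 0."""

    prompt = "=>"

    def __init__(self, password="example-password", lockout=3, stdout=None):
        super().__init__(stdout=stdout)
        self.password = password  # constructed; never reuse a real device password
        self.lockout = lockout    # failed attempts before the emulated session drops
        self.level = 0
        self.failures = 0
        self.awaiting_password = False
        self.events = []          # (utc_timestamp, description) honeypot log

    def record(self, description):
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.events.append((stamp, description))

    def reply(self, text):
        self.stdout.write(text + "\r\n")  # relay CLIs use CRLF line endings

    def onecmd(self, line):
        line = line.strip()
        if self.awaiting_password:          # the line after ACC is the password
            self.awaiting_password = False
            return self.check_password(line)
        self.record(f"cmd level={self.level} {line.upper()}")
        return super().onecmd(line.upper())

    def check_password(self, candidate):
        if candidate == self.password:
            self.level, self.failures = 1, 0
            self.record("login ok level=1")
            self.reply("Level 1")
            return False
        self.failures += 1
        self.record(f"login failed attempts={self.failures}")
        self.reply("Invalid Password")
        if self.failures >= self.lockout:
            self.record("lockout")
            return True  # True stops cmdloop: emulate the device dropping the session
        return False

    def emptyline(self):
        return False  # cmd.Cmd would otherwise repeat the previous command

    def default(self, line):
        self.reply("Invalid Command")
        return False

    def do_ACC(self, arg):
        """Request access level 1; the next line is read as the password."""
        self.awaiting_password = True
        self.reply("Password: ?")
        return False

    def do_ID(self, arg):
        """Identity report (firmware ID and order code), level 1 only."""
        if self.level < 1:
            self.reply("Invalid Access Level")
            return False
        for key, value in IDENTITY.items():
            self.reply(f'"{key}={value}"')
        return False

    def do_QUI(self, arg):
        """Quit back to access level 0."""
        self.level = 0
        self.reply("Access Level 0")
        return False


def run_session(lines, password="example-password"):
    """Feed `lines` to a fresh emulator; return (transcript, events, final_level)."""
    out = io.StringIO()
    shell = RelayShell(password=password, stdout=out)
    for line in lines:
        if shell.onecmd(line):
            break
    return out.getvalue(), shell.events, shell.level


if __name__ == "__main__":
    RelayShell().cmdloop()  # interactive prompt on the terminal
```

Run it directly for an interactive prompt, or drive it with run_session() for scripted sessions. The lockout counter is not decoration: a real device drops the session after repeated bad passwords, and an emulator that never does is easy to tell apart from the hardware.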


Filed Under: S4 Tagged With: CTF, S4

S4 Video: Attacking The Plant Through WirelessHART

August 17, 2016 by Dale Peterson

There are two weeks left to submit your session proposal for the S4x17 Main Stage or Stage 2: Technical Deep Dives. Take a look at the Call For Presentations and submit this month.


This S4xVideo is a great example of what we try to do on Stage 2. Jalal Bouhdada and Erwin Paternotte are two researchers most of the ICS security community had not heard of, who came in and gave an important, highly technical presentation with new information for people who are experts in this field.

The researchers dig into the protocol and implementation of WirelessHART to identify security strengths and weaknesses as well as areas that deserve future research.

The main findings are:

1) The most important crypto key, the Join Key, is often left as the vendor default. This default is often in the documentation, and even if not it will be available with a reasonable Internet search. Many if not most deployments are not changing the default Join Key.

Asset owners are getting a false sense of security and not properly managing risk. They hear that WirelessHART is secure, but the deployment team, and often the sales team, neglects to mention that some level of key management is required to achieve this security.

2) The firmware could be extracted via JTAG on all 5 vendor systems the researchers looked at. They were able to identify where the Join Key was in the firmware. While it was encrypted or encoded (which one was unknown at the time), they could copy it into their own WirelessHART device and join the network.

Really great work by these researchers that we hope to see more from in the future.

Filed Under: Emerson Process Management, Honeywell, ICS Security Technologies, S4 Tagged With: S4x16, Wireless, WirelessHART

Why Invest In Complexity (Toecker)

July 11, 2016 by Dale Peterson

This guest post is by Michael Toecker of Context Industrial Security and a Digital Bond Alumnus. It first appeared on the SCADASEC list. I thought it was great, and Michael kindly allowed us to post it here.

The world isn’t about just the process anymore, it’s not just about moving water from A to B, or just producing X MW 24/7, or just cracking long hydrocarbons into short hydrocarbons.

It’s about moving water from A to B, while using as little electricity as possible, while monitoring proactively for failures, while watching for leaks in the pipes, while maintaining a balance between too much and too little chlorine, while maintaining an adequate reserve based on historical trending and real-time analysis.

It’s about producing X MW, while minimizing fuel cost, while reducing unexpected failures, while minimizing emissions, while matching renewable output, while ensuring grid events don’t take you out, while also bidding into a real-time market, while….

You get the picture.

It’s not the operations piece that has gotten more complicated, it’s the business needs that have changed. The control system is the best place to get the data for all this, which means it gets all the add-ons. This also means that we should be buying control systems with the ‘capacity’ to handle stuff like that, assuming a much steeper rate of change.

The process of listening to other business units is an engineering process, no less than any other.  The business may want to increase production, which to an engineer might mean increasing flow through a certain set of pipes. If you want to increase flow through those pipes, you have to pull out small aperture valves and put in new bigger ones. Those bigger ones might require better motor/air drives, which might mean beefing up the electrical cabinet, and probably a different scheme for stroking the valve.

More flow means you need better pumps so you have to replace the old ones. The new pumps happen to be VFDs to comply, so you need a motor control center along with better power conditioning equipment. The new pumps require liquid cooling, so there is another subsystem. And since there’s an increase in the input via the pipes, all the calculations for the reaction and the eventual output all have to be redone, tested, and implemented. And all this means your operators will need new training on the new parameters, and new displays, alarms, conditions, set points… And at the end, you’ll have a system which (I hope) saves enough time, money and produces enough product to be worth the trouble. Or not, maybe you’ll have a design that costs more than the value of the increased product, which means it DOESN’T get ok’d.

How is this mechanical/electrical/hydraulic process any different from the computer one?

Upgrades cost money, get complicated, and require thought and expertise, but that’s not a reason to NOT do them. It’s a reason to bring in folks who can do the planning well, and come up with a good design and cost estimate so that the business can make the determination. If engineers don’t identify that the add-ons being requested might need new switches, VLANs, rejiggering of logic, replacement HMIs, better controllers, etc., then they aren’t doing the full engineering of the job.

Why invest in some complexity? Because your competitors might be making these decisions, doing these designs, and reaping any benefits.

Image by Newtown Grafitti

Filed Under: SCADASEC 101, Security Economics Tagged With: Michael Toecker

DNS Slides and Tools Release

June 27, 2016 by Reid W


Way back at S4xJapan, 2015, Labs did a small research project on DNS domain squatting. We never thought that it would amount to much in terms of press, but did think that it would be a useful talk to spur vendors into action before it was too late. Already we have discovered some very popular ICS vendors where these squat domains are hosting malware; as Dale says, it is only a matter of time before someone gets smart (and nasty), and clones a legitimate vendor website onto a squat domain. The evildoer could host malicious software updates, bad security advice, and possibly even harvest end user credentials.

We revamped the talk slightly for S4xEurope, focusing on a few European vendors who were victims of domain squatting behavior.  We are happy to publish the slides to the talk, which covers not only domain squatting but some old topics of DNS tunneling and zone transfer issues that we’ve seen with some frequency.

We would also like to point out that EnergySec published a paper on one of these issues — DNS tunneling — some time ago.  It is worth reading if you are in the energy sector, as it is a not-uncommon mistake to see on such networks.

In Japan, we hit upon the idea of scouring websites for potentially malicious links. For example, if you are an ICS vendor, perhaps you should look through your support forums for links to homoglyphs of your domain name — it could be evildoers trying to trick your users into downloading some malicious software or firmware.  While our tool is nowhere near perfect, we did write a basic version of such a webcrawler under the unimaginative name TypoScraper.  You can snag a copy from our github ‘scripts’ repository, and do with it as you will.
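As an added example of the check Reid describes (this is not TypoScraper and not Digital Bond’s code), the following Python scans a page of HTML for links whose host is a typo or homoglyph twin of a trusted vendor domain, or buries the trusted name inside an unrelated domain. The homoglyph table, the TLD list and the forum snippet are constructed, and example-ics-vendor.com is a placeholder domain.

```python
"""Flag links whose host is a look-alike of a trusted vendor domain.

Added example, not Digital Bond's TypoScraper. The homoglyph table, the TLD list
and the forum snippet are constructed; example-ics-vendor.com is a placeholder.
"""
import functools
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed look-alike table: swaps that read the same at a glance.
HOMOGLYPHS = {
    "o": ("0",), "l": ("1", "i"), "i": ("1", "l"), "e": ("3",),
    "a": ("4",), "s": ("5",), "m": ("rn",), "w": ("vv",), "d": ("cl",),
}
TLD_SWAPS = ("com", "co", "net", "org")  # constructed: same name, neighbouring TLD


@functools.lru_cache(maxsize=None)
def squat_variants(domain):
    """Return the set of single-edit look-alike spellings of `domain` ("name.tld")."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])              # omission
        names.add(name[:i] + ch + name[i:])             # repetition
        for sub in HOMOGLYPHS.get(ch, ()):
            names.add(name[:i] + sub + name[i + 1:])    # homoglyph substitution
        if i + 1 < len(name):
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition
            names.add(name[:i + 1] + "-" + name[i + 1:])           # hyphen insertion
    names.discard(name)
    variants = {f"{n}.{tld}" for n in names}
    variants |= {f"{name}.{t}" for t in TLD_SWAPS if t != tld}
    return variants


def registrable(host):
    """Approximate the registrable domain as the last two labels.

    Assumption: no public-suffix list, so two-part suffixes such as co.uk are misread.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host, trusted):
    """Return 'trusted', 'lookalike' or 'unrelated' for the host of one link."""
    host, trusted = host.lower(), trusted.lower()
    base = registrable(host)
    if base == trusted:
        return "trusted"
    if trusted in host or base in squat_variants(trusted):
        return "lookalike"  # trusted name buried in another domain, or a typo/homoglyph twin
    return "unrelated"


class LinkExtractor(HTMLParser):
    """Collect href attributes from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def scan_links(html, trusted):
    """Return [(url, verdict)] for each http(s) link whose host is a look-alike of `trusted`."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for url in parser.links:
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname:
            verdict = classify_host(parts.hostname, trusted)
            if verdict == "lookalike":
                findings.append((url, verdict))
    return findings


# Constructed support-forum fragment: one legitimate link, three look-alikes, two others.
SAMPLE_FORUM_HTML = """
<p>Firmware is on the <a href="https://support.example-ics-vendor.com/fw/v2.bin">vendor site</a>.</p>
<p>Mirror: <a href="http://example-ics-vend0r.com/fw/v2.bin">faster download</a></p>
<p>Also <a href="https://downloads.example-ics-vendor.com.cdn-mirror.net/v2.bin">here</a></p>
<p>Docs: <a href="https://exarnple-ics-vendor.com/manual.pdf">manual</a></p>
<p>See <a href="https://example.org/">example.org</a> or <a href="mailto:help@example-ics-vendor.com">mail</a></p>
"""
TRUSTED_DOMAIN = "example-ics-vendor.com"

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_FORUM_HTML, TRUSTED_DOMAIN):
        print(verdict, url)
```

Two assumptions are worth knowing before pointing this at a real forum: the registrable domain is taken to be the last two labels (no public-suffix list, so co.uk-style suffixes are misread), and the variant generator covers single edits only, so a squat built from two independent typos will slip through. Both are deliberate simplifications so the matching logic stays readable.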

Image by jenniferboyer

Filed Under: Control System IT, Digital Bond Labs Tagged With: dns, Malware, squatting, tunneling

S4x17 Call For Presentations

June 21, 2016 by Dale Peterson

Today through August 31st the S4x17 Call For Presentations is open. It is the place to present advanced topics in ICS and related fields to an audience that will get it.

The process is real simple. Send an email with 2 or 3 paragraphs on your session idea to s4@digitalbond.com. We evaluate session proposals as they come in, so early submission improves your chances of acceptance.

We are expecting 500 attendees for the 3-Stage Event, and we will again focus on creating fun social events for you to spend time with your fellow attendees in Miami Beach in January.

So send us your best now.

Filed Under: S4 Tagged With: S4 Events

S4 Classic Video: Langner’s Stuxnet Deep Dive

June 20, 2016 by Dale Peterson

Tomorrow we will be officially opening the S4x17 Call For Presentations (CFP), so I thought it would be the perfect time to highlight one of the S4 Classics to show what an S4 Technical Deep Dive looks like. Watch how Ralph goes through the code/logic in detail so you can see the key features of Stuxnet, and yet the key points are understandable without technical expertise and everything is large enough for the audience to see.

I started a new S4 Classics playlist on the S4 YouTube Channel, and this is the first video in that playlist. It received 38K views on Vimeo before we moved it to this new channel.

This video is from S4x12 when we were still in the 60 person case study rooms. The event has grown in many ways since then, but the technical meat has always been a key part of S4.

Filed Under: S4, Stuxnet Tagged With: Ralph Langner, S4 Events, Stuxnet

S4x16 Video: Langner’s Critical Penetration Analysis in Nuclear Power

June 16, 2016 by Dale Peterson

A great 22 minute presentation by Ralph Langner of The Langner Group at S4x16. He provides some very specific examples of a cyber / physical attack on nuclear power plants. For example, a cyber attack on all of the feedwater systems.

What is the key to this type of attack? Studying the design plans, particularly around the last line of defense … the safety systems. Safety systems have not considered malicious cyber attacks, which makes much of the analysis and protection ineffective. He shows how the safety analysis is faulty in the feedwater system example.

Ralph then goes through a three step process that both an attacker and defender should use.

Filed Under: S4

S4xEurope Video: IRONGATE – Technical Deep Dive

June 13, 2016 by Dale Peterson

We decided to put the IRONGATE video from last week’s S4xEurope out first. There is no new big reveal over the information put out in the FireEye article, but Rob provides a lot of context that makes it easier to understand. He also focuses on unanswered questions and a comparison to Stuxnet.

If this is really a Grad Student Research Project, I would think we would hear who did it in the next couple of weeks. Some of the S4xEurope attendees were going to try to help make contact with the author of PLCSIM.

Here are some highlights of the video:

3:56 Why IRONGATE is interesting from a technical perspective.
6:08 Is the industry numb to this type of release due to naming, hype, process?
8:20 A flow chart showing the major steps of IRONGATE.
14:20 The actual DLL replacement code.
16:20 Record and replay code.
19:25 Comparison and contrast with Stuxnet.

The last ten minutes is Q&A.

Filed Under: S4, SCADA Hacking, Siemens, Stuxnet Tagged With: ICS Malware, IRONGATE, S4xEurope



About Us

Digital Bond was founded in 1998 and performed our first control system security assessment in the year 2000. Over the last sixteen years we have helped many asset owners and vendors improve the security and reliability of their ICS, and our S4 events are an opportunity for technical experts and thought leaders to connect and move the ICS community forward.


Copyright © 2018 Digital Bond. - All Rights Reserved ·