Compromising Industrial Facilities From 40 Miles Away

Lucas Apa
Carlos Mario Penagos
About Us

Vulnerability Research, Exploitation, Cryptography, Reverse Engineering, ICS/SCADA

Lucas Apa (Argentina) and Carlos Penagos (Colombia): Security Consultants and Researchers
Agenda

§  Motivation
§  Industries and Applications
§  Wireless Standards
§  Journey of Radio Encryption Keys
§  Vendor1 Wireless Devices
§  Vendor2 Wireless Devices
§  Vendor3 Wireless Devices
Motivation

§  Critical infrastructures becoming targets
§  Insider attacks (lately)
§  Devices connected to the Internet
§  0days to reach the PLC, RTU, HMI...
§  Stealth and precise attacks
§  Incident response at hazardous sites
§  Attack families of devices (+ reliable)
Industrial Wireless Automation

§  Copper wires are used to monitor and control
§  Corrosion, ductility, thermal conductivity
§  Cost of wires, trenching, mounting and installation
§  Industrial Wireless Solutions
§  Eliminate cost of hardwiring, logistics, installation
§  Heavy machinery involved
§  Remote control and administration (geography)
§  Minimize safety risk & dangerous boxes
§  Adds durability
Industries and Applications

Oil & Gas / Refined Petroleum / Petrochemicals

§  Plunger lift/artificial lift optimization
§  Well-head automation
§  RTU/EFM I/O extensions
§  Cathodic protection monitoring
§  Hydrogen sulfide (H2S) monitoring
§  Tank level monitoring
§  Pipeline cathodic protection
§  Rectifier voltage monitoring
§  Gas/liquid flow measurement
§  Pipeline pressure and valve monitoring
Industries and Applications (2)

Energy - Utilities

§  Transformer temperature
§  Natural gas flow
§  Power outage reporting
§  Capacitor bank control
§  kV, Amp, MW, MVAR reading

Waste & Waste Water

§  Remote pumping stations
§  Water treatment plants
§  Water distribution systems
§  Wastewater/sewer collection systems
§  Water irrigation systems/agriculture
Industrial Wireless Challenges

§  Defeat electromagnetic interference (EMI)
§  Handle signal attenuation and reflections
§  Reliability is far more important than speed
§  Higher transmitter power levels
§  Site surveys to assess the consistency and reliability of the plant
§  Mainly using 2.4 GHz or 900 MHz (ISM band)
§  No "business" protocols
Cryptographic Key Distribution (WSN)

§  Distribute secrets on a large number of nodes
§  Base stations with clusters surrounding them
§  Limitations:
   §  Deployment in public or hostile locations
   §  Post-deployment knowledge
   §  Limited bandwidth and transmission power
§  Methods for crypto key distribution:
   §  Out-of-band
   §  In-band
   §  Factory pre-loaded
IEEE 802.15.4 Standard

§  Wireless radios (low power/speed)
§  Set the encryption algorithm and AES key
§  Upper layer responsibility
§  Each node can have an ACL
§  MAC for upper layers:
   §  ZigBee
   §  WirelessHART
   §  ISA SP100
   §  IETF IPv6 over LoWPAN (6LoWPAN)
ZigBee 2007 (Standard Security Mode)

§  Goal: understand key schemes
§  Suite of high level communication protocols
§  Based on IEEE 802.15.4 (low level layers)
§  ISM radio bands
§  Trust Center introduced in 2007

Two key distribution mechanisms:

1.  Pre-installation
2.  Over the air

§  Network Key (AES 128-bit)
   §  Pre-installed (factory installed)
   §  Individually commissioned (commissioning tool)
   §  Managed by the Trust Center

[Diagram: nodes A and B joined through the Trust Center]
ZigBee Pro 2007 (High Security Mode)

§  Many enhancements
§  More memory requirements
§  New keys introduced

[Diagram: node A holds MasterKey_TA / LinkKey TA (shared with the Trust Center), MasterKey_AB / LinkKey AB (shared with B) and the NetworkKey; node B holds MasterKey_TB / LinkKey TB, MasterKey_AB / LinkKey AB and the NetworkKey; the Trust Center holds MasterKey_TA / LinkKey TA, MasterKey_TB / LinkKey TB and the NetworkKey]

①  Master Key
   §  Unsecured transport (bad)
   §  Out-of-band technique (good)
   §  Secures the other keys
②  Link Key
   §  Unicast
   §  Unique between nodes
③  Network Key
   •  Regenerated at intervals
   •  Needed to join the NWK
The Journey of Radio Encryption Keys

[Diagram: the path of the radio key from the device vendor (DeviceVendorID) to the End User Device. Branches shown: Key in Firmware -> Device Company Encryption Key (optionally Change Encryption Key); Per-Client Encryption Key (optionally Change Encryption Key); No Encryption Key -> Set Encryption Key, or stay with No Encryption Key. Vertical axes: End User Device, Radio.]
Reusing Radio Keys

§  Device Company Key attack
   1.  Buy the same device (buy the same key)
   2.  Remove the radio module
   3.  Connect it to a USB interface
   4.  Interact: API & AT command mode
   5.  Send frames using the unknown key

Warning: not possible if a Per-Client Encryption Key exists

§  End-user node key storage
§  Shared secret
§  Same firmware or same radio key
Exploiting Vendor1 Devices

§  Company profile (+1990)
§  Frequency hopping wireless devices
§  Great for long or short range wireless SCADA applications
§  Secure proprietary FHSS with 128 bit AES encryption
§  Hazardous location approvals, perfect for outdoor Ethernet SCADA or indoor PLC messaging
§  30+ miles point to point with high gain antennas
Vendor1 Key Distribution

"<Vendor1 Tool> is easy to use and intuitive. Default values built into the software work well for initial installation and testing making it easy for first-time users. <Vendor1 Tool> manages all important settings to ensure that the network performs correctly." (User Guide)

§  RF Encryption: a 128-bit encryption level key is suggested for the user.
§  Blank: no encrypted packets
§  5-7 chars: field is translated into a 40-bit encryption level.
§  15-24 chars: field is translated into a 128-bit encryption level.
Reversing Passphrase Generation

Compiled C++ binary:

§  srand seeds the PRNG
§  time returns the epoch
§  srand(time(NULL))
§  Low entropy seed
§  Same algorithm
§  rand()
§  Bad ANSI C function
Attacking Weak PRNG

C:\>passgen.exe
2013-04-04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0

The oldest passphrase (found in the help file):

C:\>passgen.exe
2013-04-04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0
2013-04-04 21:39:07 => 1365136747 => nir3f1a0dm2sdt41q91c06nt
...
2008-04-17 15:20:47 => 1208470847 => re84q92vssgd671pd2smj8ig
Commissioning Tool Audit

§  Easily breakable by an outsider
§  Further research with the devices
§  Commissioning tools need deep testing
Bruteforce Passphrase vs Weak PRNG Attack

Bruteforce Passphrase:
§  2570 passphrases: mixed lower case alphabet plus numbers and common symbols
§  Impossible to calculate all passphrases
§  Need to derive the AES 128-bit key in real time

Weak PRNG Attack:
§  ~156 million passphrases
§  Every second passed, one more key
§  Only a few seconds to calculate all passphrases
§  Calculate once and create a database with all possible AES 128-bit key derivations
Vendor2 Wireless Devices

§  Market leadership: Oil & Gas
§  Wireless and wired solutions for digital oil field automation
§  Trusted by top companies in different industries
§  Family System (point to multipoint):
   §  Wireless Gateways
   §  Wireless Transmitters
   §  I/O Expansion Modules
   §  Hardwire Sensors
An Extended Family of Devices

§  Applications
   §  Oil & Gas
   §  Refining / Petrochemicals
   §  Water & Waste Water
   §  Utilities
   §  Industrial Process Monitoring
§  Transmitters
   §  RTD Temperature Transmitter
   §  Analog/Discrete Transmitter
   §  Flow Totalizer Transmitter
   §  Pressure Transmitter
   §  Hydrostatic Level Transmitter
   §  Many more...

[Diagram: RF modem feeding SCADA, PLC, RTU, EFM, HMI, DCS]
Secure Communications

§  How do the devices access the wireless information?
§  "Enhanced Site Security Key"
§  Security Key == Encryption Key???
§  Legacy devices without encryption???

"The Enhanced Site Security feature is designed to provide an additional level of protection for RF packets sent and received between <Vendor2> devices and minimizes the possibility of interference from other devices in this area. This feature is not available on some older versions of legacy devices."
Key Generation and Distribution

§  Commissioning tool
§  Create a "Project File" and update all nodes
§  From the documentation:

"If the project file name is changed, a new Site Security Key will be assigned"

This key MUST be somewhere in the Project File

Possible scheme: Per-Site Encryption

File name change => new key
Project File Binary Diffing

ProjectA: \x17\x58\x4f\x51 => 1364154391 => Sun, 24 Mar 2013 19:46:31 GMT
ProjectB: \x51\x58\x4f\x51 => 1364154449 => Sun, 24 Mar 2013 19:47:29 GMT
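The binary-diffing step above, as an added example that is not the vendor's tool or the authors' code: it diffs two project-file images byte by byte and decodes the region that changed as a little-endian 32-bit Unix timestamp, which is what the slide's diff turned out to hold. The two 16-byte images are constructed; only the four timestamp bytes (17 58 4f 51 vs 51 58 4f 51) come from the slide, the filler bytes around them and the offset are assumptions.

```c
/* Added example, not the vendor tool: binary-diff two project-file
 * images and decode the region that changed as a little-endian 32-bit
 * Unix timestamp, which is what the slide's diff turned out to be. The
 * two 16-byte images are constructed; only the four timestamp bytes
 * (17 58 4f 51 vs 51 58 4f 51) come from the slide, the rest is filler. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define IMG_LEN 16
static const uint8_t project_a[IMG_LEN] = {
    0x50,0x52,0x4a,0x00, 0x01,0x00,0x00,0x00, 0x17,0x58,0x4f,0x51, 0x00,0x00,0x00,0x00 };
static const uint8_t project_b[IMG_LEN] = {
    0x50,0x52,0x4a,0x00, 0x01,0x00,0x00,0x00, 0x51,0x58,0x4f,0x51, 0x00,0x00,0x00,0x00 };

/* Number of byte positions at which the two images differ. */
size_t count_diffs(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) count++;
    return count;
}

/* Offset of the first differing byte, or SIZE_MAX if the images match. */
size_t first_diff(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return i;
    return SIZE_MAX;
}

/* Little-endian 32-bit read, the byte order an x86 tool writes natively. */
uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Calendar fields of a Unix timestamp in UTC, packed for easy checking:
 * gmt_ymd -> YYYYMMDD, gmt_hms -> HHMMSS. */
uint32_t gmt_ymd(uint32_t epoch) {
    time_t t = (time_t)epoch;
    struct tm *g = gmtime(&t);
    return (uint32_t)(g->tm_year + 1900) * 10000u
         + (uint32_t)(g->tm_mon + 1) * 100u + (uint32_t)g->tm_mday;
}
uint32_t gmt_hms(uint32_t epoch) {
    time_t t = (time_t)epoch;
    struct tm *g = gmtime(&t);
    return (uint32_t)g->tm_hour * 10000u + (uint32_t)g->tm_min * 100u
         + (uint32_t)g->tm_sec;
}

int main(void) {
    size_t n = count_diffs(project_a, project_b, IMG_LEN);
    size_t off = first_diff(project_a, project_b, IMG_LEN);
    printf("%zu differing byte(s), first at offset %zu\n", n, off);

    /* A lone changed byte inside an otherwise identical file is the
     * signature of a counter or timestamp; align to the 4-byte field. */
    size_t field = off & ~(size_t)3;
    uint32_t ta = read_le32(project_a + field), tb = read_le32(project_b + field);
    printf("ProjectA field @%zu: %u => %08u %06u GMT\n", field, ta, gmt_ymd(ta), gmt_hms(ta));
    printf("ProjectB field @%zu: %u => %08u %06u GMT\n", field, tb, gmt_ymd(tb), gmt_hms(tb));
    printf("delta: %u s; the only thing that changed between the projects is a timestamp\n",
           tb - ta);
    return 0;
}
```

A 58-second delta between two otherwise identical files, decoding to plausible wall-clock dates, is the check that turns "the key must be somewhere in the project file" into "the key material is a creation timestamp", which is the same low-entropy seed problem as the Vendor1 passphrase.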
  
§  Support	
  Center	
  
§  Firmware	
  Images	
  &	
  Documenta<on	
  
§  Radio	
  Modules,	
  Architectures	
  &	
  Processors	
  
	
  
Component	
  IdenSficaSon	
  
RISC	
  
Understanding	
  Firmware	
  Image	
  (RISC)	
  
CrossWorks for MSP430
§  Industry	
  Standard	
  Format	
  
§  @Address	
  and	
  content	
  
§  Incomplete	
  Image	
  (Update)	
  
§  Only	
  compiler	
  strings	
  
	
  
Component	
  IdenSficaSon	
  (MSP430)	
  
430F149	
  
32	
  
YouTube (XT09 and 802.15.4)

No Per-Client Key

Dear <<Reseller Sales Eng>>,

We are going to borrow a used "Analog Transmitter" from one of our partners. We are going to test it for a few weeks and let you know if we decide to buy a new one.

Are there any specific concerns we might take into account when deploying this device to connect it with our <Device>? Or just upgrade all project configuration files?

Thank you

Lucas,

You just need to upgrade the configuration files.

Thanks.
Finding Embedded Keys

§  Two kinds of firmware (ARM and MSP430)
§  One possible hardcoded key in both firmwares
§  "Binary Equaling"
Acquiring the Devices

§  Wireless Gateway
   §  Gateways are responsible for receiving/collecting data from wireless end nodes
   §  The collected data can be communicated to a third-party Modbus device such as an RTU, PLC, EFM, HMI, or DCS
§  RTD Temperature Transmitter
   §  Integrates a Platinum 100 ohm RTD sensor
   §  Ideal for use in various mission-critical industrial applications
   §  Ideal for monitoring air, gas, water, or liquid temperatures

§  Steal and extract
   §  Site Security Key
   §  Project File
Resilience and Node Capture

[Diagram: a stolen node (Tx) next to the Gateway and the remaining transmitters (Tx, Tx)]

Serial capture:

FF 41 06 00 0A 00 00 00 33 2E 1D CC
FF 41 0A 00 0A 00 00 00 04 00 AB D0 9A 51 B0 ...
A crypto attack disappointment

§  Protocol reverse engineering
§  Device has a debug interface
§  Developed a custom tool to receive and send 802.15.4 data
   §  2.4 GHz transceiver (modified firmware and reflashed by JTAG)
   §  PyUSB, IPython
   §  Scapy dissectors, etc.
§  Against the perfect scheme: Per-Site Encryption Key

A crypto attack

§  Key not really used for data encryption
§  Key only used to "authenticate" devices (capture SiteSecurityKey)
§  No integrity and confidentiality
§  No protection for RF packets (bad) (vendor lied)
§  Predict IEEE 802.15.4 next seqnums to inject
Temperature Injection Live Demo

§  Designed an HMI project
§  Developed an OPC based driver for the HMI
§  Developed an exploitation framework (Map/Inject)
§  Chemical Safety Board (US) background video
§  Cost of the attack: $40 USD
§  Live Demo

KEEP CALM AND GET TO THE CHOPPA!
Remote Memory Corruption

§  Identify all the protocol fields
§  Memory corruption bug using unhandled values in a parsing function
§  Remotely exploitable over the air
§  Plant Killer =>
§  We recorded a demo (no leak today)

[Diagram: RF modem feeding SCADA, PLC, RTU, EFM, HMI, DCS]
Vendor3 Devices

§  Company profile
   §  Self-proclaimed leader in process and industrial automation, "Undisputed leader in sensors"
   §  Clients: nearly all manufacturing companies from the Fortune 500
   §  22,000 different products across 40 industries
§  Wireless System (family)
   §  Wireless Gateway: master device used to control network timing and comm traffic
   §  Nodes: collect data -> TX Gateway
Research

§  Wireless Family Technical Note: "Multi-layer security protocol protects your data"
   §  Network Security
   §  Data Security
   §  Data Integrity and Control Reliability

"The wireless I/O systems provide a level of security, data integrity, and reliability far exceeding most wireless systems on the market today"
Quotes (Network Security)

"This family is designed to completely eliminate all Internet Protocol (IP) based security threats. Wi-Fi access points have the potential to route any and all data packets, which is why these systems use encryption"

Route packets => use encryption

§  One model => Ethernet Data Radio
   §  Uses AES-256 key (good)
§  Other? No encryption
Quotes (Data Security)

"The protocol only carries sensor data values. Only I/O data is transmitted in the wireless layer."

"A hacker, if they managed to receive wireless data, would only see the actual sensor data, not what the sensor was reading or what role the sensor played within the wireless I/O network."

§  Insecure I/O data
§  Sensor readings
§  Binding codes
Quotes (Comm Protocols)

"Widely used open protocols such as Wi-Fi have serious security issues. Even a high degree of encryption may not protect your data. It is common for new encryption schemes to be hacked within months of implementation. Proprietary systems are more difficult to hack than an open standard."

§  Encryption is useless
§  Open standards are easier to hack
Quotes (Comm Protocols)

"Vendor achieves data security by using a proprietary protocol, pseudo-random frequency hopping, and generic data transfer. The protocol only carries I/O data, making it impossible for a malicious executable file to be transmitted."

§  FHSS to avoid sniffing
§  The family is malware safe
Quotes (Integrity)

"When the data is transmitted, a CRC algorithm ensures that the data arrives intact. If the CRC algorithm fails, the corrupt data packet is discarded and the data is automatically retransmitted using a new frequency during the next communication cycle."

§  Cyclic Redundancy Check
§  No integrity
§  No security
§  Only for network errors
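Why a CRC gives the "no integrity, no security" verdict above, as an added example that is neither the vendor's protocol nor the authors' code: a receiver that trusts a CRC rejects a bit error in flight but accepts a tampered reading whose CRC the attacker recomputed, because a CRC has no secret in it. The 6-byte frame layout, the choice of CRC-16/CCITT-FALSE and the sample reading are assumptions for the demo; the vendor's actual CRC and framing are not on the page.

```c
/* Added example, not the vendor's protocol: why a CRC is an error
 * detector, not an integrity control. The frame layout, the use of
 * CRC-16/CCITT-FALSE and the sample reading are assumptions for the
 * demo; the vendor's actual CRC and frame format are not on the page. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no xorout.
 * Reference check value: crc16_ccitt("123456789") == 0x29B1. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)data[i] << 8;
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Assumed frame: [node id][register][value hi][value lo][crc hi][crc lo] */
#define FRAME_LEN 6

void build_frame(uint8_t node, uint8_t reg, uint16_t value, uint8_t out[FRAME_LEN]) {
    out[0] = node; out[1] = reg;
    out[2] = (uint8_t)(value >> 8); out[3] = (uint8_t)value;
    uint16_t crc = crc16_ccitt(out, 4);
    out[4] = (uint8_t)(crc >> 8); out[5] = (uint8_t)crc;
}

/* Receiver-side check: exactly what "the CRC ensures the data arrives
 * intact" buys, and nothing more. */
int frame_crc_ok(const uint8_t f[FRAME_LEN]) {
    uint16_t expect = crc16_ccitt(f, 4);
    return f[4] == (uint8_t)(expect >> 8) && f[5] == (uint8_t)expect;
}

uint16_t frame_value(const uint8_t f[FRAME_LEN]) {
    return (uint16_t)((f[2] << 8) | f[3]);
}

/* Attacker with RF access: change the reading and recompute the CRC.
 * The receiver cannot distinguish this from a legitimate frame; only a
 * keyed MAC (e.g. AES-CMAC under a per-site key) would stop it. */
void forge_value(uint8_t f[FRAME_LEN], uint16_t new_value) {
    f[2] = (uint8_t)(new_value >> 8); f[3] = (uint8_t)new_value;
    uint16_t crc = crc16_ccitt(f, 4);
    f[4] = (uint8_t)(crc >> 8); f[5] = (uint8_t)crc;
}

int main(void) {
    uint8_t frame[FRAME_LEN];
    build_frame(0x0A, 0x01, 215, frame);   /* constructed: 21.5 C in tenths */
    printf("original   value=%u crc_ok=%d\n", frame_value(frame), frame_crc_ok(frame));
    frame[3] ^= 0x40;                       /* bit error in flight: detected */
    printf("bit error  value=%u crc_ok=%d\n", frame_value(frame), frame_crc_ok(frame));
    forge_value(frame, 9000);               /* attacker: 900.0 C, accepted */
    printf("forged     value=%u crc_ok=%d\n", frame_value(frame), frame_crc_ok(frame));
    return 0;
}
```

The single-bit flip is guaranteed to be caught (a CRC-16 detects every single-bit and every burst error of up to 16 bits), which is the property the vendor's text describes; the forged frame passes the same check, which is the property the slide points out it lacks.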
  
Quotes (Comm Protocols)

"This protocol does not operate like an open protocol such as Wi-Fi and is not subject to the risks of an open protocol."
Disclosure and Coordination

§  8 vulnerabilities reported (today's vendors)
§  1 patched => PRNG vulnerability (ICSA-13-248-01)
§  Are vendors responsible?
§  Did they notify their customers?
§  Is documentation truly aligned?
§  Is firmware upgrade easy?
Conclusions (Securing the scheme)

§  Out-of-band methods
§  Pre-share a strong secret for the initial link (e.g. serial comm)
§  Also 802.15.4 AES encryption at the lower layers (MAC)
§  Secure physical access to the nodes (mainly the KDC)
§  Use hardware anti-tamper mechanisms
§  Audit source code // audit the site regularly
§  ICS-CERT hardening guides
§  Don't trust the vendor's documentation, go further.
Conclusions

§  The problem space has always been an open topic
§  The journey of keys allows practical attacks
§  WSN standards' maturity is growing
§  Vendors can fail when implementing them
§  No evidence of previous security reviews
§  Testing the field location is possible with the proper hardware and open source software

CC1111, RZUSB, TelosB, HackRF
Acknowledgements

§  ICS-CERT - US-CERT
§  References: Piotr Szczechowiak, Haowen Chan, A. Perrig, Seyit A. Camtepe, Bulent Yener, Rob Havelt, Travis Goodspeed, Joshua Wright...
§  All IOActive, Inc.

THANK YOU!

Lucas Apa (lucas.apa@ioactive.com)
Carlos Penagos (carlos.hollman@ioactive.com)

@lucasapa
@binarymantis

More Related Content

What's hot

Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Digital Bond
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended Larry Vandenaweele
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMJim Gilsinn
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Honeywell
 
From Air Gap to Air Control
From Air Gap to Air ControlFrom Air Gap to Air Control
From Air Gap to Air ControlEnergySec
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
Scada security presentation by Stephen Miller
Scada security presentation by Stephen MillerScada security presentation by Stephen Miller
Scada security presentation by Stephen MillerAVEVA
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
 
Lessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy SectorLessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy SectorEnergySec
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...Digital Bond
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Digital Bond
 
From IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity DivideFrom IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity DividePriyanka Aash
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
 
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...EnergySec
 

What's hot (20)

Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
 
From Air Gap to Air Control
From Air Gap to Air ControlFrom Air Gap to Air Control
From Air Gap to Air Control
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
Scada security presentation by Stephen Miller
Scada security presentation by Stephen MillerScada security presentation by Stephen Miller
Scada security presentation by Stephen Miller
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2
 
Lessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy SectorLessons Learned for a Behavior-Based IDS in the Energy Sector
Lessons Learned for a Behavior-Based IDS in the Energy Sector
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
 
From IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity DivideFrom IT to IoT: Bridging the Growing Cybersecurity Divide
From IT to IoT: Bridging the Growing Cybersecurity Divide
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
Essential Power Case Study: Protecting Critical Infrastructure From Cyber Att...
 

 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 

Compromising Industrial Facilities From 40 Miles Away

  • 1. COMPROMISING INDUSTRIAL FACILITIES FROM 40 MILES AWAY. Lucas Apa, Carlos Mario Penagos
  • 2. About Us: Vulnerability Research, Exploitation, Cryptography, Reverse Engineering, ICS/SCADA. Lucas Apa (Argentina) and Carlos Penagos (Colombia), Security Consultants and Researchers
  • 3. Agenda § Motivation § Industries and Applications § Wireless Standards § Journey of Radio Encryption Keys § Vendor1 Wireless Devices § Vendor2 Wireless Devices § Vendor3 Wireless Devices
  • 4. Motivation § Critical Infrastructures becoming targets § Insider attacks (Lately) § Devices connected to Internet § 0days to reach the PLC, RTU, HMI… § Stealth and precise attacks § Incident response at hazardous sites § Attack families of devices (+ reliable)
  • 5. Industrial Wireless Automation § Copper wires are used to monitor and control § Corrosion, Ductility, Thermal Conductivity § Cost of wires, trenching, mounting and installation § Industrial Wireless Solutions § Eliminate cost of hardwiring, logistics, installation § Heavy machinery involved § Remote control and administration (Geography) § Minimize Safety Risk & Dangerous Boxes § Adds durability
  • 6. Industries and Applications: Oil & Gas, Refined Petroleum, Petrochemicals § Plunger lift/artificial lift optimization § Well-head automation § RTU/EFM I/O extensions § Cathodic protection monitoring § Hydrogen sulfide (H2S) monitoring § Tank level monitoring § Pipeline cathodic protection § Rectifier voltage monitoring § Gas/liquid flow measurement § Pipeline pressure and valve monitoring
  • 7. Industries and Applications (2): Energy - Utilities; Waste & Waste Water § Transformer temperature § Natural gas flow § Power outage reporting § Capacitor bank control § kV, Amp, MW, MVAR reading § Remote pumping stations § Water treatment plants § Water distribution systems § Wastewater/sewer collection systems § Water irrigation systems/agriculture
  • 8. Industrial Wireless Challenges § Defeat electromagnetic interference (EMI) § Handle signal attenuation and reflections § Reliability is far more important than Speed § Higher transmitter power levels § Site surveys to assess the consistency and reliability of the plant § Mainly using 2.4GHz or 900MHz (ISM Band) § No "business" protocols
  • 9. Cryptographic Key Distribution (WSN) § Distribute secrets on a large number of nodes § Base stations with clusters surrounding § Limitations: Deployment in public or hostile locations; Post-deployment knowledge; Limited bandwidth and transmission power § Methods for crypto key distribution: Out-of-band; In-band; Factory pre-loaded
  • 10. IEEE 802.15.4 Standard § Wireless Radios (Low Power/Speed) § Set the encryption algorithm and AES Key § Upper Layer Responsibility § Each node can have an ACL § MAC for upper layers: ZigBee; WirelessHART; ISA SP100; IETF IPv6 - LoWPAN
  • 11. ZigBee 2007 (Standard Security Mode) § Goal: Understand Key Schemes § Suite of high level communication protocols § Based on IEEE 802.15.4 (Low level layers) § ISM radio bands § Trust Center introduced in 2007. Two Key Distribution Mechanisms: 1. Pre-Installation 2. Over the air § Network Key (AES 128-bit) § Pre-installed (Factory Installed) § Individually Commissioned (Commissioning tool) § Managed by the Trust Center [Diagram: node A, Trust Center, node B]
  • 12. ZigBee Pro 2007 (High Security Mode) § Many enhancements § More memory requirements § New keys introduced. [Diagram: A holds MasterKey_TA, LinkKey TA, NetworkKey, MasterKey_AB, LinkKey AB; B holds MasterKey_TB, LinkKey TB, NetworkKey, MasterKey_AB, LinkKey AB; the Trust Center holds MasterKey_TA, LinkKey TA, NetworkKey, MasterKey_TB, LinkKey TB] ① Master Key § Unsecured Transport :( § Out-of-band Technique :) § Secure other keys ② Link Key § Unicast § Unique between nodes ③ Network Key • Regenerated at Intervals • Needed to join the NWK
  • 13. The Journey of Radio Encryption Keys [Flowchart across Radio, Device Vendor and End User columns: a radio ships with either a Key in Firmware or No Encryption Key; the device vendor keeps it, sets a Device Company Encryption Key, sets a Per-Client Encryption Key, or sets none; the end user either changes the key or keeps it, ending with a Per-Client Encryption Key, a Device Company Encryption Key, or No Encryption Key]
  • 14. Reusing Radio Keys § Device Company Key attack: 1. Buy same Device (Buy same Key) 2. Remove Radio Module 3. Connect to USB Interface 4. Interact: API & AT Command Mode 5. Send frames using the unknown key. Warning: Not possible if a Per-Client Encryption Key exists § End-User Node Key Storage § Shared Secret § Same Firmware or Same Radio Key
  • 15. Exploiting Vendor1 Devices § Company Profile (+1990) § Frequency Hopping Wireless Devices § Great for long or short range wireless SCADA applications § Secure proprietary FHSS with 128 bit AES encryption § Hazardous location approvals, Perfect for outdoor Ethernet SCADA or indoor PLC messaging § 30+ miles point to point with high gain antennas
  • 16. Vendor1 Key Distribution. "<Vendor1 Tool> is easy to use and intuitive. Default values built into the software work well for initial installation and testing making it easy for first-time users. <Vendor1 Tool> manages all important settings to ensure that the network performs correctly." (User Guide) § RF Encryption: A 128-bit encryption level key is suggested for the user. § Blank: No encrypted packets § 5-7 Chars: Field is translated into a 40-bit encryption level. § 15-24 Chars: Field is translated into a 128-bit encryption level.
  • 17. Reversing Passphrase Generation. Compiled C++ Binary: § srand seeds PRNG § time returns epoch § srand(time(NULL)) § Low Entropy Seed § Same algorithm § rand() § Bad ANSI C function
  • 18. Attacking Weak PRNG. C:\>passgen.exe 2013-04-04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0
  • 19. The Oldest Passphrase: Help File. C:\>passgen.exe 2013-04-04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0 / 2013-04-04 21:39:07 => 1365136747 => nir3f1a0dm2sdt41q91c06nt / … / 2008-04-17 15:20:47 => 1208470847 => re84q92vssgd671pd2smj8ig
  • 20. Commissioning Tool Audit § Easily breakable by an outsider § Further Research with the Devices § Commissioning Tools need deep testing. Bruteforce Passphrase: 2570 Passphrases; Mixed lower case alphabet plus numbers and common symbols; Impossible to calculate all passphrases; Need to derive AES 128-bit key in realtime. vs Weak PRNG Attack: ~156 Million Passphrases; Every second passed, one more key; Only a few seconds to calculate all passphrases; Calculate once and create a database with all possible AES 128-bit key derivations
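Worked example for slides 17 to 20, added here and not part of the talk or of the vendor's tool: a time-seeded passphrase generator of the srand(time(NULL)) pattern beside a CSPRNG-based one, with the key-space accounting behind the "~156 million passphrases" figure. The generator is the Microsoft CRT rand() recurrence used as a stand-in (the page does not say which C runtime the binary links against), the character set is lower-case letters plus digits, and the mapping from rand() output to characters is an assumption, so its passphrases will not match those on slide 18; the counting and the audit check are what carry over.

```python
import math
import secrets
import string

# Character set and length from slides 16 and 20 (lower-case letters plus
# digits; the "common symbols" the slide also mentions are omitted here,
# an assumption that only makes the full key space smaller than it is).
ALPHABET = string.ascii_lowercase + string.digits
PASSPHRASE_LEN = 24  # longest input that maps to the 128-bit level

# Taken from the slides: the oldest passphrase shipped in the help file
# (slide 19) and the clock reading of the audit run (slide 18).
OLDEST_SEED = 1208470847   # 2008-04-17 15:20:47
AUDIT_SEED = 1365136748    # 2013-04-04 21:39:08


def lcg_rand(state):
    """One step of the Microsoft CRT rand() generator (seed*214013+2531011,
    top 15 bits returned). Hypothetical stand-in for the tool's rand()."""
    state = (state * 214013 + 2531011) & 0xFFFFFFFF
    return state, (state >> 16) & 0x7FFF


def weak_passphrase(epoch_seconds, length=PASSPHRASE_LEN):
    """The srand(time(NULL)) pattern from slide 17: the clock reading is the
    only entropy, so the output is a pure function of one 32-bit integer."""
    state = epoch_seconds & 0xFFFFFFFF
    chars = []
    for _ in range(length):
        state, r = lcg_rand(state)
        chars.append(ALPHABET[r % len(ALPHABET)])
    return "".join(chars)


def strong_passphrase(length=PASSPHRASE_LEN):
    """Hardened form: every character comes from the OS CSPRNG, so the
    candidate space really is len(ALPHABET) ** length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seed_space(first_epoch, last_epoch):
    """Distinct passphrases a time-seeded generator can have produced between
    two clock readings, inclusive: exactly one per second."""
    return last_epoch - first_epoch + 1


def entropy_bits(candidates):
    """Effective strength of a uniformly chosen candidate, in bits."""
    return math.log2(candidates)


def find_seed(passphrase, first_epoch, last_epoch):
    """Audit check: is the passphrase reproducible from some clock reading in
    the window? Returns the matching second or None. Cost is linear in the
    window, which is the whole point: five years is only ~1.6e8 trials."""
    for seed in range(first_epoch, last_epoch + 1):
        if weak_passphrase(seed, len(passphrase)) == passphrase:
            return seed
    return None


def keyspace_report(first_epoch=OLDEST_SEED, last_epoch=AUDIT_SEED):
    """Compare the advertised 128-bit level with what a time seed delivers."""
    weak = seed_space(first_epoch, last_epoch)
    full = len(ALPHABET) ** PASSPHRASE_LEN
    return {
        "weak_candidates": weak,
        "weak_bits": round(entropy_bits(weak), 1),
        "full_candidates": full,
        "full_bits": round(entropy_bits(full), 1),
    }


if __name__ == "__main__":
    report = keyspace_report()
    print(f"time-seeded: {report['weak_candidates']:,} candidates "
          f"({report['weak_bits']} bits) vs {report['full_bits']} bits "
          f"for a random {PASSPHRASE_LEN}-character passphrase")
    sample = weak_passphrase(AUDIT_SEED)
    print("seed recovered:", find_seed(sample, AUDIT_SEED - 60, AUDIT_SEED + 60))
    print("CSPRNG passphrase:", strong_passphrase())
```

The help-file date and the audit date bound the window to 156,665,902 seconds, about 27 bits, against roughly 124 bits for a uniformly random 24-character string over the same alphabet. `find_seed` is the check an auditor runs on a commissioning tool: if a freshly generated passphrase can be regenerated from the clock, the configured key is only as strong as the attacker's guess of when it was made, and a pre-computed table of all derived AES keys is feasible exactly as slide 20 states.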
  • 21. Vendor2 Wireless Devices § Market leadership: Oil & Gas § Wireless and wired solutions for the digital oil field automation § Trusted by top companies in different industries § Family System (Point to Multipoint): Wireless Gateways; Wireless Transmitters; I/O Expansion Modules; Hardwire Sensors
  • 22. [image only]
  • 23. An Extended Family of Devices § Applications: Oil & Gas; Refining / Petro Chemicals; Water & Waste Water; Utilities; Industrial Process Monitoring § Transmitters: RTD Temperature Transmitter; Analog/Discrete Transmitter; Flow Totalizer Transmitter; Pressure Transmitter; Hydrostatic Level Transmitter; Many more..
  • 24. [Architecture diagram: SCADA, PLC, RTU, EFM, HMI and DCS behind an RF Modem]
  • 25. Secure Communications § How do the devices access the wireless information? § "Enhanced Site Security Key" § Security Key == Encryption Key ??? § Legacy Devices Without Encryption??? "The Enhanced Site Security feature designed to provide an additional level of protection for RF packets sent and received between <Vendor2> devices and minimizes the possibility of interference from other devices in this area. This feature is not available on some older versions of legacy devices."
  • 26. Key Generation and Distribution § Commissioning Tool § Create a "Project File" and update all Nodes § From documentation: "If the project file name is changed, a new Site Security Key will be assigned". This Key MUST be somewhere on the Project File. Possible Scheme: Per-Site Encryption
  • 27. File Name Change => New Key
  • 28. Project File Binary Diffing. ProjectA: \x17\x58\x4f\x51 => 1364154391 => Sun, 24 Mar 2013 19:46:31 GMT. ProjectB: \x51\x58\x4f\x51 => 1364154449 => Sun, 24 Mar 2013 19:47:29 GMT
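The diff on slide 28 decodes as a little-endian 32-bit UNIX timestamp, and the example below, added here and not code from the talk, reproduces that reading over two constructed stand-in files (a dummy header, the four bytes the slide shows, padding; the vendor's real project-file layout is not on the page). It also puts a number on what a creation time is worth as a key.

```python
import math
import struct
from datetime import datetime, timezone

# Constructed stand-ins for the two project files: same dummy header, the
# four bytes slide 28 shows changing, then padding. Not the vendor's format.
HEADER = b"PROJECT\x00" + b"\x00" * 8          # 16 bytes
PROJECT_A = HEADER + bytes.fromhex("17584f51") + b"\x00" * 16
PROJECT_B = HEADER + bytes.fromhex("51584f51") + b"\x00" * 16


def diff_offsets(a, b):
    """Offsets at which two equal-length blobs differ."""
    if len(a) != len(b):
        raise ValueError("blobs differ in length; align them first")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def read_le_u32(blob, offset):
    """Little-endian unsigned 32-bit integer at offset; the byte order on
    the slide only yields the value shown when read this way."""
    return struct.unpack_from("<I", blob, offset)[0]


def epoch_to_gmt(ts):
    """Render a UNIX timestamp the way slide 28 prints it."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(
        "%a, %d %b %Y %H:%M:%S GMT")


def extract_site_key(this, other):
    """Find the one field that changed between two project files and decode
    it. Assumes a 4-byte, 4-byte-aligned field (true for the constructed
    inputs; confirm on real files). Returns (offset, value, gmt_string)."""
    offs = diff_offsets(this, other)
    if not offs:
        raise ValueError("files are identical")
    field = offs[0] - offs[0] % 4
    if any(o < field or o >= field + 4 for o in offs):
        raise ValueError("more than one field changed; not a single key")
    value = read_le_u32(this, field)
    return field, value, epoch_to_gmt(value)


def compare_projects(a=PROJECT_A, b=PROJECT_B):
    """Decode the changed field in both files and the gap between them."""
    off_a, key_a, when_a = extract_site_key(a, b)
    _, key_b, when_b = extract_site_key(b, a)
    return {"offset": off_a, "key_a": key_a, "when_a": when_a,
            "key_b": key_b, "when_b": when_b,
            "delta_seconds": key_b - key_a}


def timestamp_key_bits(window_seconds):
    """Effective strength of a 32-bit key that is really a creation time:
    whoever can bound the commissioning date to this window faces that
    many candidates, not 2**32."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    r = compare_projects()
    print(f"field @ {r['offset']}: {r['key_a']} ({r['when_a']}) -> "
          f"{r['key_b']} ({r['when_b']}), {r['delta_seconds']} s apart")
    print(f"one-year creation window: {timestamp_key_bits(365 * 86400):.1f} bits")
```

The two keys are 58 seconds apart, matching the two timestamps on the slide, which is what a renamed project file getting "a new Site Security Key" looks like once the bytes are decoded. A key that is a creation time within a known year has about 25 bits of entropy, consistent with the per-site scheme the slides go on to test.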
  • 29. Component Identification § Support Center § Firmware Images & Documentation § Radio Modules, Architectures & Processors (RISC)
  • 30. Understanding Firmware Image (RISC): CrossWorks for MSP430 § Industry Standard Format § @Address and content § Incomplete Image (Update) § Only compiler strings
  • 32. YouTube (XT09 and 802.15.4)
  • 33. No Per-Client Key. "Dear <<Reseller Sales Eng>>, We are going to borrow a used "Analog Transmitter" from one of our partners. We are going to test it for a few weeks and let you know if we decide to buy a new one. Are there any specific concerns we might take into account when deploying this device to connect it with our <Device>? Or just upgrade all project configuration files? Thank you" Reply: "Lucas, You just need to upgrade the configuration files. Thanks."
  • 34. Finding Embedded Keys § Two kinds of Firmware (ARM and MSP430) § One possible hardcoded key in both firmwares § "Binary Equaling"
  • 35. Acquiring the Devices § Wireless Gateway: Gateways are responsible for receiving/collecting data from wireless end nodes; The collected data can be communicated with a third-party Modbus device such as an RTU, PLC, EFM, HMI, or DCS § RTD Temperature Transmitter: Integrates Platinum 100 ohm RTD Sensor; Ideal for use in various mission-critical industrial applications; Ideal for Monitoring Air, Gas, Water, or Liquid Temperatures
  • 36. Resilience and Node Capture § Steal and extract: Site Security Key; Project File [Diagram: Stolen Node, Gateway, Tx, Tx, Tx] Serial Capture: FF 41 06 00 0A 00 00 00 33 2E 1D CC / FF 41 0A 00 0A 00 00 00 04 00 AB D0 9A 51 B0 ...
  • 37. A crypto attack § Protocol Reverse Engineering § Device has a debug interface § Developed a custom tool to receive and send 802.15.4 data § 2.4GHz Transceiver (Modified Firmware and Reflashed by JTAG) § PyUSB, IPython § Scapy Dissectors, etc. § Against the perfect scheme: Per-Site Encryption Key. A crypto attack disappointment § Key not really used for data encryption § Key only used to "authenticate" devices (capture SiteSecurityKey) § No integrity and confidentiality § No protection for RF Packets :( (vendor lied) § Predict IEEE 802.15.4 next seqnums to inject
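Slide 37 ends with the two facts a monitor can act on: the MAC layer carries no security, and injected frames have to fit the 802.15.4 sequence-number stream. The example below is added here, not the authors' custom tool or their Scapy dissectors: a minimal 802.15.4 MAC header parser and a passive per-source sequence-number check run over a constructed capture. Addresses, PAN ID and payload bytes are made up; the frame-control layout is the standard's.

```python
import struct

# IEEE 802.15.4 MAC frame-control field layout (2006 revision)
FRAME_TYPE_DATA = 0x1
FCF_SECURITY_ENABLED = 1 << 3
FCF_PAN_ID_COMPRESSION = 1 << 6
ADDR_NONE, ADDR_SHORT, ADDR_EXTENDED = 0, 2, 3


def build_data_frame(seq, pan_id, dst, src, payload, security=False):
    """Constructed data frame with 16-bit addresses and PAN ID compression
    (FCF 0x8841, or 0x8849 with the security bit set). FCS omitted."""
    fcf = (FRAME_TYPE_DATA | FCF_PAN_ID_COMPRESSION
           | (ADDR_SHORT << 10) | (ADDR_SHORT << 14))
    if security:
        fcf |= FCF_SECURITY_ENABLED
    return struct.pack("<HBHHH", fcf, seq, pan_id, dst, src) + payload


def _read_addr(frame, pos, mode):
    if mode == ADDR_SHORT:
        return struct.unpack_from("<H", frame, pos)[0], pos + 2
    if mode == ADDR_EXTENDED:
        return struct.unpack_from("<Q", frame, pos)[0], pos + 8
    raise ValueError("reserved addressing mode")


def parse_mac_header(frame):
    """Decode the MAC header of a raw 802.15.4 frame (no PHY header, no FCS)."""
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    pos = 3
    dst_mode = (fcf >> 10) & 0x3
    src_mode = (fcf >> 14) & 0x3
    pan_id = dst = src = None
    if dst_mode != ADDR_NONE:
        pan_id = struct.unpack_from("<H", frame, pos)[0]
        pos += 2
        dst, pos = _read_addr(frame, pos, dst_mode)
    if src_mode != ADDR_NONE:
        if not fcf & FCF_PAN_ID_COMPRESSION:
            pos += 2  # separate source PAN ID present; not needed here
        src, pos = _read_addr(frame, pos, src_mode)
    return {"frame_type": fcf & 0x7,
            "security": bool(fcf & FCF_SECURITY_ENABLED),
            "seq": seq, "pan_id": pan_id, "dst": dst, "src": src,
            "payload": frame[pos:]}


class SeqMonitor:
    """Passive check over captured frames: per source address the 8-bit
    data sequence number should advance by one. A repeat or a jump from a
    source the monitor already tracks deserves an alert when, as on slide
    37, the radio layer carries no MAC-level security at all."""

    def __init__(self):
        self.last_seq = {}

    def check(self, hdr):
        findings = []
        if hdr["frame_type"] == FRAME_TYPE_DATA and not hdr["security"]:
            findings.append("mac-security-disabled")
        prev = self.last_seq.get(hdr["src"])
        if prev is not None:
            if hdr["seq"] == prev:
                # A retransmission after a lost ACK also reuses the DSN, so
                # correlate with ACK traffic before calling this a replay.
                findings.append("duplicate-seqnum")
            elif hdr["seq"] != (prev + 1) & 0xFF:
                findings.append("seqnum-gap")
        self.last_seq[hdr["src"]] = hdr["seq"]
        return findings


# Constructed capture: a transmitter (0x0001) reporting to the gateway
# (0x0000) on PAN 0x1234. Frames 4 and 5 are the anomalies to detect.
CAPTURE = [
    build_data_frame(10, 0x1234, 0x0000, 0x0001, b"\x00\xd7"),
    build_data_frame(11, 0x1234, 0x0000, 0x0001, b"\x00\xd8"),
    build_data_frame(12, 0x1234, 0x0000, 0x0001, b"\x00\xd8"),
    build_data_frame(12, 0x1234, 0x0000, 0x0001, b"\x03\xe8"),   # repeated DSN, new value
    build_data_frame(200, 0x1234, 0x0000, 0x0001, b"\x00\xd9"),  # jump
]


def scan_capture(frames=CAPTURE):
    """Run the monitor over a capture; returns [(seq, findings), ...]."""
    mon = SeqMonitor()
    return [(h["seq"], mon.check(h)) for h in map(parse_mac_header, frames)]


if __name__ == "__main__":
    for seq, findings in scan_capture():
        print(f"seq={seq:3d} {', '.join(findings) or 'ok'}")
```

The security bit is the cheapest thing to check first: when it is clear on every data frame, nothing below the application protocol authenticates the sender, and the sequence number is the only state an injected frame has to match, which is the condition slide 37 describes and the conclusions slide answers with MAC-layer AES.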
  • 38. Temperature Injection Live Demo § Designed an HMI Project § Developed an OPC based driver for the HMI § Developed an exploitation framework (Map/Inject) § Chemical Safety Board (US) background video § Cost of the attack: $40 USD § Live Demo
  • 40. Remote Memory Corruption § Identify all the protocol fields § Memory corruption bug using unhandled values on a parsing function § Remotely exploitable over the air § Plant Killer => § We recorded a demo (no leak today)
  • 41. [Architecture diagram: SCADA, PLC, RTU, EFM, HMI and DCS behind an RF Modem]
  • 42. Vendor3 Devices § Company Profile § Self-proclaimed leader in process and industrial automation, "Undisputed leader in sensors" § Clients: Nearly all manufacturing companies from Fortune 500 § 22,000 different products across 40 industries § Wireless System (Family) § Wireless Gateway: Master device used to control network timing and comm traffic § Nodes: Collect data -> TX Gateway
  • 44. Research § Wireless Family Technical Note: "Multi-layer security protocol protects your data" § Network Security § Data Security § Data Integrity and Control Reliability. "The wireless I/O systems provide a level of security, data integrity, and reliability far exceeding most wireless systems on the market today"
  • 45. Quotes (Network Security) "This family is designed to completely eliminate all Internet Protocol (IP) based security threats. Wi-Fi access points have the potential to route any and all data packets, which is why these systems use encryption" Route packets => Use encryption § One model => Ethernet Data Radio § Uses AES-256 key :) § Other? No encryption
  • 46. Quotes (Data Security) "The protocol only carries sensor data values. Only I/O data is transmitted in the wireless layer." "A hacker, if they managed to receive wireless data, would only see the actual sensor data, not what the sensor was reading or what role the sensor played within the wireless I/O network." § Insecure I/O data § Sensor Readings § Binding codes
  • 47. Quotes (Comm Protocols) "Widely used open protocols such as Wi-Fi have serious security issues. Even a high degree of encryption may not protect your data. It is common for new encryption schemes to be hacked within months of implementation. Proprietary systems are more difficult to hack than an open standard." § Encryption is useless § Open standards are easier to hack
  • 48. Quotes (Comm Protocols) "Vendor achieves data security by using a proprietary protocol, pseudo-random frequency hopping, and generic data transfer. The protocol only carries I/O data, making it impossible for a malicious executable file to be transmitted." § FHSS to avoid sniffing § The family is malware safe
  • 49. Quotes (Integrity) "When the data is transmitted, a CRC algorithm ensures that the data arrives intact. If the CRC algorithm fails, the corrupt data packet is discarded and the data is automatically retransmitted using a new frequency during the next communication cycle." § Cyclic Redundancy Check § No integrity § No security § Only for network errors
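Slide 49 makes the distinction between a CRC and integrity protection; the example below, added here and not from the talk or the vendor, shows it on a constructed sensor record (node id, reading in tenths of a degree, check field; the vendor's real wire format is not on the page). A CRC-16/CCITT stand-in catches a flipped bit but accepts any record whose check was recomputed, while a keyed HMAC tag rejects both a flipped bit and a rewritten value made without the key.

```python
import hashlib
import hmac
import struct

# Constructed wire format (not the vendor's): node id uint16, reading int16
# in tenths of a degree, then either a CRC-16 or a truncated HMAC tag.
RECORD = struct.Struct("<Hh")
MAC_LEN = 8  # 64-bit truncated HMAC-SHA256 tag; ample for short telemetry


def crc16_ccitt(data, crc=0xFFFF):
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), a typical radio CRC."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def encode_crc(node, tenths):
    body = RECORD.pack(node, tenths)
    return body + struct.pack("<H", crc16_ccitt(body))


def decode_crc(pkt):
    """Returns (node, tenths) or raises when the CRC does not match."""
    body = pkt[:RECORD.size]
    check = struct.unpack("<H", pkt[RECORD.size:])[0]
    if crc16_ccitt(body) != check:
        raise ValueError("CRC mismatch: corrupted in transit")
    return RECORD.unpack(body)


def encode_mac(node, tenths, key):
    """Keyed form: the tag depends on a secret the sender and receiver share.
    A deployment also needs a counter or nonce in the body against replay."""
    body = RECORD.pack(node, tenths)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


def decode_mac(pkt, key):
    """Returns (node, tenths) or raises when the tag does not verify."""
    body, tag = pkt[:RECORD.size], pkt[RECORD.size:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC mismatch: modified or not from a key holder")
    return RECORD.unpack(body)


def accepts_crc(pkt):
    try:
        decode_crc(pkt)
        return True
    except ValueError:
        return False


def accepts_mac(pkt, key):
    try:
        decode_mac(pkt, key)
        return True
    except ValueError:
        return False


def flip_bit(pkt, bit):
    """Simulate a channel error on one bit: what a CRC exists to catch."""
    b = bytearray(pkt)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def rewrite_value(pkt, new_tenths):
    """Replace the reading and keep the original check field unchanged:
    the change a CRC receiver only catches if the sender's format is
    unknown, and a MAC receiver catches without needing to know anything."""
    node, _ = RECORD.unpack(pkt[:RECORD.size])
    return RECORD.pack(node, new_tenths) + pkt[RECORD.size:]


if __name__ == "__main__":
    key = b"constructed-site-key"
    p, m = encode_crc(7, 215), encode_mac(7, 215, key)
    print("CRC, bit flip accepted:", accepts_crc(flip_bit(p, 13)))
    print("CRC, value rewritten and CRC recomputed accepted:",
          accepts_crc(encode_crc(7, 999)))
    print("MAC, bit flip accepted:", accepts_mac(flip_bit(m, 13), key))
    print("MAC, value rewritten without key accepted:",
          accepts_mac(rewrite_value(m, 999), key))
```

The CRC path answers "did the radio deliver these bytes intact", which is what the quoted technical note describes; the HMAC path answers "did a key holder send these bytes", which is the integrity property the slide says is missing. The key itself has to be provisioned per site or per node, which is where the key-distribution discussion earlier in the deck comes back in.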
  • 50. Quotes (Comm Protocols) "This protocol does not operate like an open protocol such as Wi-Fi and is not subject to the risks of an open protocol."
  • 51. Disclosure and Coordination § 8 vulnerabilities reported (today's vendors) § 1 patched => PRNG Vulnerability (ICSA-13-248-01) § Are vendors responsible? § Did they notify their customers? § Is documentation truly aligned? § Is firmware upgrade easy?
  • 52. Conclusions (Securing the scheme) § Out-of-band methods § Pre-share a strong secret for the initial link (eg: serial comm) § Also 802.15.4 AES Encryption at lower layers (MAC) § Secure the Node Physical Access (Mainly KDC) § Use hardware Anti-tamper mechanisms § Audit Source Code // Audit Site regularly § ICS-CERT Hardening Guides § Don't trust vendor's documentation, go further.
  • 53. Conclusions § Problem space has always been an open topic § The journey of keys allows practical attacks § WSN standards' maturity is growing § Vendors can fail when implementing them § No evidence of previous security reviews § Testing the field location is possible with the proper Hardware and open source Software: CC1111, RZUSB, TelosB, HackRF
  • 54. Acknowledgements § ICS-CERT, US-CERT § References: Piotr Szczechowiak, Haowen Chan, A. Perrig, Seyit A. Camtepe, Bulent Yener, Rob Havelt, Travis Goodspeed, Joshua Wright… § All IOActive, Inc.
  • 55. THANK YOU ! Lucas Apa (lucas.apa@ioactive.com) Carlos Penagos (carlos.hollman@ioactive.com) @lucasapa @binarymantis