Project RunAway · Orlando, Florida · February 2020


Page 2

OTORIO – INDUSTRIAL-NATIVE CYBER SECURITY SOLUTIONS PROVIDER

Daniel Bren, CEO, Brig. Gen. (Res.)

Yair Attar, CTO, Maj. (Res.)

The Team: 70+ experts

Partners: 168 years of industrial engineering

Automotive – 1 of the top 3 global OEMs

Maritime – 1 of the top 3 global maritime companies

Pulp & Paper – 1 of the top 5 global paper manufacturers

Machinery – A leading global industrial engineering group

Energy – A global leading F500 sustainable energy company

Page 3

Even industrial companies can be hacked

You don’t need to be a nation state in order to have sustainable offensive capability

Page 4

Even industrial companies can be hacked

No more need for zero days

No more need for nation state reconnaissance and knowledge

Page 5

But wait, how can we predict this?

Page 6

Companies expose themselves more and more…

• Shodan

• Leaks

• Industry 4.0

• OT security – still in its infancy

• Connectivity between IT/OT – OT information flows upwards more than before

• Vendor and supplier interaction and involvement is on the rise

Page 7

It all started when…

• We started a thought experiment: what is out there that can compromise our industrial clients?

• We started looking for data that can be used to harm our customers:
  • Malicious software libraries (open source)
  • Downloadable infected OT software (Havex scenario)
  • OT data exposure
  • … Malicious project files? (Stuxnet)

Page 8

What are we talking about?

Project Files · Cloud · Malicious

Page 9

What are project files?

Page 10

Overview

• Project files are the saved files produced by the automation software used by industrial engineers to configure and program the different automation components

• Most of the global automation vendors combined all their different programs into one platform (TIA Portal, Automation Studio …)

Page 11

Hardware configurations

• Different services – SNMP, OPC, WEB, industrial protocols

• IP address, firmware, additional configurations

Page 12

Network topology

Page 13

Automation logic source code

Page 14

Project files deep dive

• Tags – I/O references

• Memory variables

• Global data locations

Page 15

HMI screens

Page 16

What are we talking about?

Cloud · Malicious

Page 17

We started to search for them online

• And found them on VT

• And on additional research sites

Page 18

What is VT?

Page 19

What is VT in a few words

• VirusTotal is an online service that analyzes files and URLs, enabling the detection of viruses, worms, trojans and other kinds of malicious content using antivirus engines and website scanners

Page 20

What is VT in a few words

• Scanning reports produced are shared with the public VirusTotal community

• The contents of submitted files or pages may also be shared with premium VirusTotal customers

• Provides qualified customers and anti-virus partners with tools to perform complex criteria-based searches to identify and access harmful file samples for further study

Page 21

We found so much data in VT

• Thousands of project files (and counting)

• PLC projects / HMI / DCS / SCADA

• Manuals, emails, CAD, remote connection

• Configurations & asset management sheets

• Variety of sectors

• Dozens of automation vendors

• 100+ new files each month

Page 22

What are we talking about?

Malicious

Page 23

What can an attacker do with a project file?

Page 24

Basic Attack Flow – A true story

External Internet → IT Layer → OT Layer

• Reconnaissance & initial access to the network

• Propagation and enumeration, gaining high privileges in the IT layer

• Usage of gathered credentials and footholds to reach and communicate with PLCs on the production floor

• Exploitation – attackers are able to influence production in any way they wish, damaging operations or stealing data

Impact: Disrupting Operations, Physical Damage, IP Theft, Monetary Damage, Reputation Damage, Competitive Damage

Page 25

Now that the attacker has a project file

• He can determine which company is more interesting to try and attack

• When he is already in the network, he can understand which IPs and assets are interesting to attack

• He can create a tailored payload for the assets he discovered

Page 26

Using these files – technical perspective

• Use the automation software and investigate the project
  • License
  • Big projects – a lot of work to understand

• Parse & analyze them somehow
  • Proprietary formats
  • Undocumented + very little work has been done in the past

Page 27

But all this seems hard…

Can we automate this process?

Page 28

Framework overview

• Interactive Python framework

• Input – parsed “project file”

• Tag & code analysis

• Automatic industrial payload based on it

Page 29

Framework overview

Original Project File (TIA project / Step7 project) → “2 XML” → XML Representation → Tag Analysis + Code Analysis → Malicious Payload (e.g. SP_Tank_Level = BAD_VALUE as an S7Comm packet)

Page 30

Tag analysis – which tag to change?

• HMI tags
  • All HMI tags may be cool
  • Configurable values that appear in HMI screens may be important (because they affect something)
  • Tags with limitations are more interesting

• Dictionary analysis
  • Tags with predefined names
  • Purpose-specific dictionary

• Code analysis
  • Statistical
  • Symbolic execution
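As an added example (not code from the talk or the OTORIO framework), the following Python takes the defender's side of the same analysis: given an XML representation of a project, it lists what a leaked file reveals, the device addresses and services from the hardware configuration, and the HMI-visible, range-limited and setpoint-named tags that the tag analysis above ranks as most interesting, so a team can review that list before a project is shared. The XML layout, element names and the SETPOINT_HINTS dictionary are assumptions, not the framework's format.

```python
# Added defender-side example; the XML schema below is an assumption standing
# in for the talk's "XML representation" of a TIA Portal / Step 7 project.
import xml.etree.ElementTree as ET

# Constructed sample: two devices and four tags, covering the data classes the
# talk lists (IP/firmware/services, I/O tags, HMI tags, tags with limits).
SAMPLE_PROJECT_XML = """
<Project name="Tank farm line 2">
  <Devices>
    <Device name="PLC_1" type="S7-1500" ip="192.0.2.10" firmware="V2.8">
      <Service>S7Comm</Service><Service>WEB</Service><Service>SNMP</Service>
    </Device>
    <Device name="HMI_1" type="Comfort Panel" ip="192.0.2.11" firmware="V15.1"/>
  </Devices>
  <Tags>
    <Tag name="SP_Tank_Level" address="DB1.DBD0" hmi="true" min="10" max="80"/>
    <Tag name="Pump_Run"      address="Q0.0"     hmi="true"/>
    <Tag name="Level_Raw"     address="IW64"     hmi="false"/>
    <Tag name="Aux_Timer"     address="MD20"     hmi="false"/>
  </Tags>
</Project>
"""

# Assumed purpose-specific dictionary: name fragments that usually mark a
# setpoint or limit, the kind of tag the talk singles out as most interesting.
SETPOINT_HINTS = ("SP_", "SETPOINT", "_MIN", "_MAX", "LIMIT", "THRESHOLD")


def exposure_report(xml_text):
    """Summarise what a leaked project reveals: addressed devices, exposed
    services, and the HMI-visible, limited and setpoint-like tags."""
    root = ET.fromstring(xml_text)
    devices = list(root.iter("Device"))
    services = sorted({s.text for s in root.iter("Service")})
    tags = list(root.iter("Tag"))
    hmi_tags = [t.get("name") for t in tags if t.get("hmi") == "true"]
    limited = [t.get("name") for t in tags if t.get("min") or t.get("max")]
    setpoints = [t.get("name") for t in tags
                 if any(h in t.get("name").upper() for h in SETPOINT_HINTS)]
    # A tag in all three sets is a writable value with a known operating range:
    # the first thing a reviewer should protect, and the last thing to share.
    critical = sorted(set(hmi_tags) & set(limited) & set(setpoints))
    return {
        "device_ips": {d.get("name"): d.get("ip") for d in devices},
        "services": services,
        "hmi_tags": hmi_tags,
        "limited_tags": limited,
        "critical_tags": critical,
    }


if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE_PROJECT_XML).items():
        print(f"{key}: {value}")
```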

Page 31

Payload generation

• S7Comm – change I/O, memory and DB
  • Over TCP/IP, can be attacked remotely
  • More possibilities to affect the process
  • Limitations: password protection, PUT/GET not enabled, optimized DBs

• PROFINET I/O – change I/O
  • Layer 2 protocol
  • Limitations: must be in the controller’s LAN

Page 32

Demo Time

Page 33

Demo time

• POC version
  • Only supports Siemens projects
  • Limited analysis
  • Limited payload generation

• Factory I/O instead of a real process
  • Looks good
  • Connects to our physical S7-1500 (+ET200S) PLC
  • Really simulates a physical process
  • https://factoryio.com/

Page 34

What are we talking about?

Page 35

So how big is this event?

Page 36

How did the files end up in VT?

• Intentional/unintentional
  • Amount of data
  • Geographical/sector spread
  • Sensitive files

• Automatic/manual + what?
  • AV
  • EDR
  • Intrusion detection systems
  • Email gateway filters

[Diagram: IT Network / OT Network split across Level 4 – IT Network, Level 3 – Operations, Level 2 – Process Network, Level 1 – Control Network; labels: Corporate, Engineers, Process 1, Process 2, Backups/File Servers, EWS, Email gateway, VT]

Page 37

How did the files end up in VT? – example

Company X International – well-known European automotive supplier

• Employees – 1000+

• Dozens of the largest global OEMs + Tier 1s as customers

• 500MB+ of files

• Dozens of project files – various types of machines

• Along with the projects themselves – PDFs, manuals, network architectures, CADs…

• In most cases the data was attached to e-mail correspondence

Page 38

How did the files end up in VT? – example

[Diagram: OEM, Tier 1 and Supplier connected through a mail service, with the mail service's path to VT]

Page 39

Page 40

Sectors

Page 41

Types

Page 42

Page 43

What have we done?

• Contacted VT

VT has a lot of warnings on the site about it, like "you further agree that you will only upload samples that you wish to publicly share and that in any case, you will not knowingly submit any sample to the service that contains confidential or commercially sensitive data or personal data of any individual without lawful permission"

You can find an "I have accidentally uploaded something private" topic in VT’s contact form to take care of unintentional upload cases

Page 44

What have we done?

• Contacted Siemens CERT

It is a user’s responsibility not to use an AV solution that uploads all his/her data to a third party. Especially if that third party then in turn forwards the data to other unknown entities that pay for this service. This is not only true for ICS related data (such as TIA project files), but also for other data that is exchanged via email

Page 45

What have we done?

• Notified the different CERTs from the areas that got hurt

Page 46

This is some crazy sh*t, what can we do to protect ourselves?

Page 47

Protect!

• Use the software’s access management when available

• Protect files at rest
  • Access protection using file system rights

• Encrypt files in transit
  • Encrypted ZIP archives

• Storage in an encrypted drive container

https://support.industry.siemens.com/cs/document/85237682/how-can-you-protect-step-7-(tia-portal)-projects-against-unauthorized-access-and-modifications-?dti=0&lc=en-WW

Page 48

Project protection

Page 49

Prevent unintentional upload to VT

• Define EDR/DLP to stop uploading to VT

• Define mail scanner to stop uploading to VT

• Carbon Black example

https://www.carbonblack.com/2017/08/09/directdefense-incorrectly-asserts-architectural-flaw-in-cb-response/
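An added example, not from the talk: a pre-share check a mail scanner or DLP hook could run on outgoing attachments, combining the encrypted-archive advice of the Protect slide with the stop-the-upload idea of this slide. It blocks bare automation project files and archives that contain them unless every archive member carries the ZIP encryption flag. The extension list (TIA Portal .apNN/.zapNN, Step 7 .s7p) is an assumption to adapt to the software in use, and build_demo_archive is a constructed test fixture.

```python
# Added defender-side example; not part of the talk or the OTORIO framework.
import io
import zipfile

# Assumed extension list: TIA Portal projects/archives and classic Step 7.
PROJECT_EXTENSIONS = (".ap13", ".ap14", ".ap15", ".ap16", ".ap17",
                      ".zap13", ".zap14", ".zap15", ".zap16", ".zap17", ".s7p")


def is_project_file(name):
    return name.lower().endswith(PROJECT_EXTENSIONS)


def check_attachment(name, data):
    """Return ('block', reason) or ('allow', reason) for one attachment.
    Only the ZIP encryption flag (general purpose bit 0) is checked: member
    names stay readable in an encrypted ZIP, and the flag says nothing about
    cipher strength, so pair this with a policy on the archiver used."""
    if is_project_file(name):
        return "block", "bare automation project file"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()          # central directory only, no decrypt
        if any(is_project_file(i.filename) for i in infos):
            if all(i.flag_bits & 0x1 for i in infos):
                return "allow", "project files in encrypted archive"
            return "block", "project files in unencrypted archive"
    return "allow", "no automation project content found"


def build_demo_archive(member, payload, mark_encrypted=False):
    """Constructed fixture. The stdlib cannot write encrypted ZIPs, so
    mark_encrypted only sets the flag bit in the local and central headers,
    which is exactly what check_attachment looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        local = raw.find(b"PK\x03\x04")
        central = raw.find(b"PK\x01\x02")
        raw[local + 6] |= 0x1      # general purpose bit flag, local header
        raw[central + 8] |= 0x1    # general purpose bit flag, central directory
    return bytes(raw)


if __name__ == "__main__":
    print(check_attachment("Line2.ap15", b""))
    print(check_attachment("Line2.zip", build_demo_archive("Line2/Line2.ap15", b"x")))
    print(check_attachment("Line2.zip", build_demo_archive("Line2/Line2.ap15", b"x", True)))
```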

Page 50

STAY SAFE

Matan [email protected] @matan_dobr

Yoav [email protected] @YoavfFlint

Special thanks go to: Itamar Shiryan, Omri Bavly, Anton Dvorkin and all the rest of the team @OTORIO