Project RunAway
Orlando, Florida
February 2020
Yair Attar, CTO, Maj. (Res.)
The Team: 70+ experts
Automotive
1 of the top 3 global OEMs
Maritime
1 of the top 3 global maritime
companies
Pulp & Paper
1 of the top 5 global paper
manufacturers
Machinery
A leading global industrial
engineering group
Energy
A global leading F500 sustainable energy company
Daniel Bren, CEO, Brig. Gen. (Res.)
OTORIO – INDUSTRIAL-NATIVE CYBER SECURITY SOLUTIONS PROVIDER
Partners: 168 years of industrial engineering
Even industrial companies can be hacked
You don’t need to be a nation state in order to have sustainable offensive capability
Even industrial companies can be hacked: no more need for zero days
No more need for nation state reconnaissance and knowledge
But wait, how can we predict this?
Companies expose themselves more and more…
• Shodan
• Leaks
• Industry 4.0
• OT security – Still in infant stages
• Connectivity between IT/OT – OT information flows upwards more than before
• Vendor and supplier interaction and involvement is on the rise
It all started when
• We started a thought experiment: what is out there that could compromise our industrial clients?
• We started looking for data that can be used to harm our customers
• Malicious Software libraries (Open-source)
• Downloadable infected OT software (Havex scenario)
• OT data exposure
• …Malicious Project files? (Stuxnet)
What are we talking about? Project Files / Cloud / Malicious
What are project files?
Overview
• Project files are the saved files produced by the automation software used by industrial engineers to configure and program the different automation components
• Most of the global automation vendors combined all their different programs into one platform (TIA portal, Automation Studio …)
Project files deep dive
• Hardware configurations
  • Different services – SNMP, OPC, web, industrial protocols
  • IP address, firmware, additional configurations
• Network topology
• Automation logic source code
• Tags – I/O references, memory variables, global data locations
• HMI screens
What are we talking about? Cloud / Malicious
We started to search for them online
• And found them on VT
• And on additional research sites
What is VT?
What is VT in a few words
• VirusTotal is an online service that analyzes files and URLs, enabling the detection of viruses, worms, trojans and other kinds of malicious content using antivirus engines and website scanners
• Scanning reports produced are shared with the public VirusTotal community
• The contents of submitted files or pages may also be shared with premium VirusTotal customers
• Provides qualified customers and anti-virus partners with tools to perform complex criteria-based searches to identify and access harmful file samples for further study
We found so much data in VT
• Thousands of project files (and counting)
• PLC projects / HMI / DCS / SCADA
• Manuals, emails, CAD drawings, remote connection details
• Configurations & asset management sheets
• Variety of sectors
• Dozens of automation vendors
• 100+ new files each month
What are we talking about? Malicious
What can an attacker do with a project file?
Basic Attack Flow – A true story
(Diagram: External Internet → IT Layer → OT Layer; impact labels: Exploitation, Disrupting Operations, Physical Damage, IP Theft, Monetary Damage, Reputation Damage, Competitive Damage)
• Reconnaissance & initial access to the network
• Propagation and enumeration, gaining high privileges in the IT layer
• Usage of gathered credentials and footholds to reach and communicate with PLCs on the production floor
• Attackers are able to influence production in any way they wish – damaging operations or stealing data
Now that the attacker has a project file
• He can determine which company is more interesting to try and attack
• When he is already in the network, he can understand which IPs and assets are interesting to attack
• He can create a tailored payload for the assets he discovered
Using these files – technical perspective
• Use the automation software and investigate the project
  • Requires a license
  • Big projects – a lot of work to understand
• Parse & analyze them somehow
  • Proprietary formats
  • Undocumented, and very little prior work exists
But all this seems hard…
Can we automate this process?
Framework overview
• Interactive Python framework
• Input – parsed “project file”
• Tag & code analysis
• Automatic industrial payload based on it
Framework overview
(Diagram: Original project file (TIA project / Step7 project) → XML representation → Tag analysis + Code analysis → Malicious payload, e.g. SP_Tank_Level = BAD_VALUE → S7Comm packet)
Tag analysis – which tag to change?
• HMI tags
  • All HMI tags may be interesting
  • Configurable values that appear in HMI screens may be important (because they affect something)
  • Tags with limitations are more interesting
• Dictionary analysis
  • Tags with predefined names
  • Purpose-specific dictionary
• Code analysis
  • Statistical
  • Symbolic execution
Payload generation
• S7Comm – change I/O, memory and DB
  • Over TCP/IP, can be attacked remotely
  • More possibilities to affect the process
  • Limitations: password protection, PUT/GET not enabled, optimized DBs
• PROFINET I/O – change I/O
  • Layer 2 protocol
  • Limitations: must be in the controller’s LAN
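The S7Comm write path described above is also what a defender can watch for on the control network, alongside the PUT/GET and password protections the slide lists as limitations. The detection logic below is an example added here, not the presentation's framework; it assumes an allowlist of engineering-workstation IPs and uses constructed sample PDUs.

```python
"""Flag S7Comm write requests seen on the control network. Example added
here, not the presentation's framework. The layout (TPKT | COTP DT | S7
header | Read/Write Var parameters) follows the public S7Comm description
used by Wireshark's dissector; the sample PDUs below are constructed."""
import struct

S7_JOB = 0x01
FUNC_NAMES = {0x04: "ReadVar", 0x05: "WriteVar"}
AREA_NAMES = {0x81: "PI", 0x82: "PQ", 0x83: "M", 0x84: "DB"}
# Assumed allowlist: only the engineering workstation is expected to write.
ENGINEERING_STATIONS = {"10.0.2.10"}

# Constructed Job PDUs: write 2 bytes into DB5 at offset 0, and the matching read.
WRITE_DB5 = bytes.fromhex("03000025" "02f080" "320100000001000e0006"
                          "0501" "120a10020002000584000000" "000400101234")
READ_DB5 = bytes.fromhex("0300001f" "02f080" "320100000001000e0000"
                         "0401" "120a10020002000584000000")

def parse_s7(pkt: bytes):
    """Return (function, [(area, db_number, count), ...]) for a Read/Write Var
    Job, or None for anything else (acks, user data, other function codes)."""
    if len(pkt) < 7 or pkt[0] != 0x03:              # TPKT version byte
        return None
    s7 = pkt[5 + pkt[4]:]                           # skip length-prefixed COTP
    if len(s7) < 10 or s7[0] != 0x32 or s7[1] != S7_JOB:
        return None
    param_len = struct.unpack(">H", s7[6:8])[0]
    params = s7[10:10 + param_len]
    if len(params) < 2 or params[0] not in FUNC_NAMES:
        return None
    items, off = [], 2                              # past function code + item count
    for _ in range(params[1]):
        if len(params) < off + 12:                  # truncated item: stop decoding
            break
        # item: var spec, spec length, syntax id, transport size (skipped),
        # then count, DB number, area code, 3-byte address
        count, db, area = struct.unpack(">4xHHB", params[off:off + 9])
        items.append((AREA_NAMES.get(area, hex(area)), db, count))
        off += 12
    return FUNC_NAMES[params[0]], items

def should_alert(src_ip: str, pkt: bytes):
    """Alert on any WriteVar Job from a host that is not an engineering station;
    reads and engineering-station writes are expected and return None."""
    parsed = parse_s7(pkt)
    if parsed is None or parsed[0] != "WriteVar" or src_ip in ENGINEERING_STATIONS:
        return None
    targets = ", ".join(f"{a}{db if a == 'DB' else ''} x{n}" for a, db, n in parsed[1])
    return f"S7 WriteVar from {src_ip} to {targets}"
```

Feed it the TCP/102 payloads from a span port or Zeek; a write from anything other than the engineering workstation is the event worth paging on.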
Demo time
• POC version
  • Only supports Siemens projects
  • Limited analysis
  • Limited payload generation
• Factory I/O instead of a real process
  • Looks good
  • Connects to our physical S7-1500 (+ET200S) PLC
  • Really simulates a physical process
  • https://factoryio.com/
What are we talking about?
So how big is this event?
How did the files end up in VT?
• Intentional/unintentional
• Amount of data
• Geographical/sector spread
• Sensitive files
• Automatic/manual + what?
  • AV
  • EDR
  • Intrusion detection systems
  • Email gateway filters
(Diagram: IT Network / OT Network with Level 4 IT Network, Level 3 Operations, Level 2 Process Network, Level 1 Control Network; labels: Corporate, Engineers, Process 1, Process 2, Backups/File servers, EWS, Email gateway, VT)
How did the files end up in VT? – example
Company X International – a well-known European automotive supplier
Employees – 1000+
Dozens of the largest global OEMs and Tier 1s as customers
• 500MB+ of files
• Dozens of project files – various types of machines
• Along with the projects themselves – PDFs, manuals, network architectures, CAD drawings…
• In most cases the data was attached to e-mail correspondence
How did the files end up in VT? – example
(Diagram labels: OEM, Supplier, Mail service, VT, Tier 1; charts: Sectors, Types)
What have we done?
• Contacted VT
  VT has a lot of warnings on the site about it, like "you further agree that you will only upload samples that you wish to publicly share and that in any case, you will not knowingly submit any sample to the service that contains confidential or commercially sensitive data or personal data of any individual without lawful permission"
  You can find an "I have accidentally uploaded something private" topic in VT’s contact form to take care of unintentional upload cases
• Contacted Siemens CERT
  "It is a user’s responsibility not to use an AV solution that uploads all his/her data to a third party. Especially if that third party then in turn forwards the data to other unknown entities that pay for this service. This is not only true for ICS related data (such as TIA project files), but also for other data that is exchanged via email"
• Notified the different CERTs from the areas that were affected
This is some crazy sh*t, what can we do to protect ourselves?
Protect!
• Use the software’s access management when available
• Protect files at rest
  • Access protection using file system rights
• Encrypt files in transit
  • Encrypted ZIP archives
  • Storage in an encrypted drive container
• Project protection (Siemens): https://support.industry.siemens.com/cs/document/85237682/how-can-you-protect-step-7-(tia-portal)-projects-against-unauthorized-access-and-modifications-?dti=0&lc=en-WW
Prevent unintentional upload to VT
• Define EDR/DLP rules to stop uploading to VT
• Define the mail scanner to stop uploading to VT
• Carbon Black example: https://www.carbonblack.com/2017/08/09/directdefense-incorrectly-asserts-architectural-flaw-in-cb-response/
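The EDR/DLP and mail-scanner rules above need a way to recognise a project file before an attachment is handed to any cloud scanning service, including when it is buried in a ZIP next to manuals and CAD drawings. The gateway check below is an example added here, not OTORIO's or any vendor's code; the extension list and the policy outcomes are assumptions to adapt per site.

```python
"""DLP-style check for OT project files in outbound mail attachments.
Example added here, not OTORIO's tooling. The extension list is an
assumption based on the vendors named in the talk (TIA Portal, Step 7,
Automation Studio) and must be tuned per site."""
import io
import re
import zipfile

# Assumed extensions: TIA Portal projects (.ap1x) and archives (.zap1x),
# Step 7 classic (.s7p), B&R Automation Studio (.apj).
PROJECT_FILE_RE = re.compile(r"\.(?:z?ap1[0-9]|s7p|apj)$", re.IGNORECASE)
MAX_MEMBER_BYTES = 50_000_000      # do not inflate huge nested members

def project_files_in(name: str, payload: bytes, depth: int = 0) -> list:
    """Return paths of project files in one attachment, descending into ZIP
    archives (at most two levels), since projects usually travel zipped
    together with PDFs, manuals and CAD drawings."""
    if PROJECT_FILE_RE.search(name):
        return [name]
    if depth > 2 or not zipfile.is_zipfile(io.BytesIO(payload)):
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            inner = zf.read(member) if member.file_size <= MAX_MEMBER_BYTES else b""
            found += [f"{name}/{hit}" for hit in
                      project_files_in(member.filename, inner, depth + 1)]
    return found

def gateway_verdict(attachments: dict, external_recipient: bool) -> dict:
    """Gateway policy: mail carrying project files is never handed to an
    external scanning/sandbox service, and is held when leaving the company."""
    hits = [p for n, b in attachments.items() for p in project_files_in(n, b)]
    if not hits:
        return {"action": "deliver", "cloud_scan": True, "hits": []}
    action = "hold_for_review" if external_recipient else "deliver"
    return {"action": action, "cloud_scan": False, "hits": hits}

def make_zip(members: dict) -> bytes:
    """Build a constructed ZIP attachment (file name -> bytes) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, data in members.items():
            zf.writestr(fname, data)
    return buf.getvalue()
```

The same `project_files_in` check can be wired into an EDR or endpoint DLP rule so that an AV product's automatic sample submission is suppressed for matching files.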
STAY SAFE
Matan [email protected] @matan_dobr
Yoav [email protected] @YoavfFlint
Special thanks go to: Itamar Shiryan, Omri Bavly, Anton Dvorkin and all the rest of the team @OTORIO