Everything is Awesome! Or is it?
Anatomy of a Converged OT/IoT Attack
(aka a cautionary tale when IoT’ifying industrial control systems)
Dr Barney Craggs & Dr Brittany Davidson
Cyber Attacks (sophisticated?)
@BristolCyberSec Bristol Cyber Security Group
Cyber Attacks on Infrastructure
“Will NOT harm common people”
“Our National Infrastructure and Construction Pipeline is worth around £600 billion and public infrastructure investment will have doubled in a decade by 2022/23”.
UK Industrial Strategy
Attacks on Infrastructure are At-Scale
Complexity
Connectivity
Attacks (frequency & velocity)
Impact
But it’s okay…
“will not harm common people!”
Operational Technology is Just… Different
Designed with a lifespan of decades
Prioritises safety over security
Places availability over integrity
Managed by different frameworks and teams: IEC 61511 / IEC 62443 vs ISO 27001, OT vs IT
And this is not new…
“Information Technologies (IT) and Operational Technologies (OT) have long, isolated histories with many examples of failed attempts to integrate them or even use tools from one environment in the other.”
NexDefense (ics.sans.org)
ICS into the 21st Century
Convergence of OT & IT
Integration of IoT through IIoT
Industry 4.0
OTaaS
Improved automation, sensing and visibility.
Increased control over distributed operations.
Better compliance with regulatory requirements and tracking.
More responsive systems and improved organisational performance.
More effective workforce working with improved information.
Better strategic decisions based on more timely and accurate information.
NexDefense (ics.sans.org)
OT into the Cloud? Industry 4.0
In essence, Industry 4.0 is the trend towards automation and data exchange in manufacturing technologies and processes, which include cyber-physical systems (CPS), the Internet of Things (IoT), the Industrial Internet of Things (IIoT), cloud computing, cognitive computing and artificial intelligence.
Wikipedia
Do Cloud Platforms have Integrity & Availability?
Four 9’s
AWS commit to a minimum monthly uptime of 99.99%.
That still means
4 minutes of random downtime a month!
Lag (latency) is a function of distance
And so to the cautionary tale…
Typical Converged ICS/IIOT Environment
(architecture diagram on the slide; its components are listed here)
ICS/IIoT Operational Network(s):
PLCs [S7]
RTUs [Modbus | DNP3]
HMIs [S7]
IIoT [WirelessHART | LoRa]: fluid, gas, thermometer, pressure and flow sensors
IoT [Zigbee | Z-Wave | BLE | WiFi]
ICS/IIoT Supervision Network:
Telemetry (ClearSCADA)
Data Aggregation (Kepware), OPC and HTTP
Data Analysis (Wonderware)
Data Historian
IIoT Cloud Platform:
Data Analysis (ThingWorx), MQTT
IoT devices: Smart Sockets, Smart Locks, Temperature Sensors, Smart Lighting
Real World ICS with HMI & IIoT Baked In
Process control provided by commercially available control equipment from Siemens, Schneider, Westermo and Emerson. Built to Reference Architecture for ICS & IoT Security Testbeds (2019).
Simple Conveyor Process
Basic pneumo-electric conveyor sorter. Will sort three sized counters into respective containers under normal “auto” operations.
Realistic Top-End
Field site operations monitored in ClearSCADA, with Kepware middleware and ThingWorx providing IIoT platform. Segregated networks and ability to integrate whole field site into broader BCSG CNI testbed via secure datacomms.
Demonstrator Environment
(the same converged architecture as on the Typical Converged ICS/IIoT Environment slide)
Attack Objectives
1. Compromise IIoT cloud platform (ThingWorx)
2. Create network environment for staging attack
3. Undertake network & ICS reconnaissance
4. Mask attack
5. Manipulate process
Compromise Cloud Platform (objective 1)
Our position is that ThingWorx has already been compromised due to its reliance upon Tomcat 8.5.
Tomcat 8.5 CVEs shown on the slide, rated Critical, High and Medium (first page of two):
CVE-2018-8014, CVE-2018-1136, CVE-2017-5651, CVE-2018-8034, CVE-2017-12617, CVE-2017-7675, CVE-2016-6796, CVE-2018-11784, CVE-2017-7674, CVE-2018-8037, CVE-2016-6794, CVE-2018-1304, CVE-2016-0762, CVE-2018-1305, CVE-2017-15706, CVE-2016-8745, CVE-2016-6817, CVE-2016-6797, CVE-2016-5018, CVE-2017-5664
Create Network Environment (objective 2)
1 – Terminate ThingWorx
2 – Setup HTTP listener
3 – Engineer opens Kepware manual .pdf
4 – Embedded exploit opens HTTP outbound request
5 – HTTP session established
6 – Autoroute identifies available remote subnets
7 – Proxy setup via HTTP session
Generic Network / Specific ICS Recon (objective 3)
1 – Network port scans
2 – PLC enumerations
3 – Logic upload
Note: Whilst tags in PLC logic may contain descriptions, reverse engineering logic is time consuming, and complex processes are hard to comprehend.
Verbose tags in ThingWorx can provide additional recon.
Mask Attack / Manipulate Process (objectives 4 & 5)
1 – “Reconfigure” RTU taking it offline
2 – Freeze HMI values in PLC
3 – Force maintenance mode
4 – Overrun conveyor with no sorting
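The masking step above freezes the values the PLC presents to the HMI while the conveyor is overrun. As an added defensive example that is not from the talk, the check below cross-references a PLC-reported tag against an independent IIoT sensor path over a sample window, flagging a flat PLC series that diverges from the sensor; tag names, thresholds and both sample windows are constructed for illustration.

```python
# Added example (not from the talk): a stale-value / cross-source check that a
# supervisory layer could run to spot a PLC whose HMI-facing values have been
# frozen while an independent sensor path (e.g. an IIoT flow sensor reporting
# over MQTT) still shows the process moving. Thresholds and samples are
# constructed for illustration.
from dataclasses import dataclass
from statistics import pstdev


@dataclass
class Sample:
    t: int          # seconds since the start of the window
    plc: float      # value the PLC reports to the HMI/SCADA for the tag
    iiot: float     # same quantity seen by an independent IIoT sensor


def is_frozen(values, eps=1e-6):
    """True when a series shows no variation at all (suspicious for a live process)."""
    return len(values) > 1 and pstdev(values) < eps


def check_tag(samples, max_divergence):
    """Return the findings raised for one tag over a window of samples."""
    plc = [s.plc for s in samples]
    iiot = [s.iiot for s in samples]
    findings = []
    # A flat PLC series while the independent sensor varies is the masking signature.
    if is_frozen(plc) and not is_frozen(iiot):
        findings.append("plc_value_frozen_while_independent_sensor_varies")
    # Independently of freezing, the two views of the process should agree within noise.
    worst = max(abs(p - i) for p, i in zip(plc, iiot))
    if worst > max_divergence:
        findings.append(f"plc_iiot_divergence_exceeds_{max_divergence}")
    return findings


# Constructed window: the PLC keeps reporting a flat 12.0 while the IIoT flow
# sensor climbs as the conveyor is overrun.
FROZEN_WINDOW = [Sample(t, 12.0, 12.0 + 0.5 * t) for t in range(10)]
# Constructed healthy window: both sources drift together within sensor noise.
HEALTHY_WINDOW = [Sample(t, 12.0 + 0.1 * t, 12.05 + 0.1 * t) for t in range(10)]

if __name__ == "__main__":
    for name, window in (("frozen", FROZEN_WINDOW), ("healthy", HEALTHY_WINDOW)):
        print(name, check_tag(window, max_divergence=1.0))
```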
Takeaways / Carry outs
OT kit hasn’t always been designed to be converged with IT, so you need to maintain both mindsets and use appropriate frameworks, as one size doesn’t fit all
Maintaining IT patching is more critical, as it provides the pivot
Defence in depth – secondary/tertiary controls to detect & mitigate threats, especially in a converged OT/IT environment
Make recon harder; be wary of the desire for semantic tagging
Human factors play a critical role in both the attack and the defence – you cannot engineer out the human-in-the-loop
@BristolCyberSec