Internet-facing PLCs - A New Back...

SCADACS

Internet-facing PLCs - A New Back Orifice

Johannes Klick, Stephan Lau, Daniel Marzin, Jan-OleMalchow, Prof. Volker Roth

AG Sichere Identitat

Fachbereich Mathematik und Informatik

Freie Universitat Berlin www.scadacs.org

SCADACS

Opening

SCADACS

Talk Bytes

◮ Understand the workflow of a PLC.

◮ Basic PLC programming knowlegde

◮ Download / Upload PLC code

◮ Inject own code with PLCinject

◮ Compromise a production network via one internet facingPLC

◮ PLC SNMP Scanner in STL

◮ PLC SOCKS Proxy in STL

SCADACS

Volker Roth Jan-Ole Malchow Johannes KlickDaniel Marzin Sascha Zinke Mateusz KhalilStephan Lau Stephan Arndt Mathias SekulMarvin Jacob Bode Marvin2

https://www.scadacs.org

SCADACS

PLC availability and

vulnerability

ICS Distribution - Europe

Vulnerable ICS distribution - Europe

ICS distribution - USA

SCADACS

Statistics

Categorys Devices CVEs/Exploits

BMS 31.411 9%PLCND 23.873 14%PDU 10.381 0%PLC 7.254 26%SCADA 2.254 28%HMI 1.741 41%ERP 1.400 0%TM 788 0%UPS 167 0%

SCADACS

Internet-facing PLCs

◮ What is behind an Internet facing PLC?

◮ Are there more indirect internet facing PLCs?

◮ May be a whole production network?

SCADACS

Traditional attack vectors of

SCADACS

Traditional attack vectors of PLCs

Stuxnet

◮ Compromising an off-line site through the suply chain

◮ Compromised Siemens IDE downloaded malicous code tothe PLC.

German steelwork

◮ Compromising an on-line site through the business IT

◮ Manipulation of the steel works control system damagedthe furnace

SCADACS

What we are talking about?

SCADACS

Introduction to Siemens PLCs

SCADACS

Introduction to Siemens PLCs

1. Architecture and execution model

2. Program structure and organization

3. Cyclic execution model, I/O

4. STL programs and their MC7 representation

SCADACS

Program structure

Introduction to Siemens PLCsProgram structure andorganization

◮ Organization Block (OB)

◮ Data Block (DB)

◮ Function Call (FC)

◮ Function Blocks (FB)

◮ System Function (SFC)

◮ System Data Block (SDB)

◮ System Function Block (SFB)

SCADACS

Introduction to Siemens PLCsCyclic execution model, I/O

Time slices (1 ms each)

Time slice (1 ms)

SCADACS

Programming Siemens PLC in STL

Mathematical term:

◮ Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Statement List (STL):

STL programs and their MC7 representationDescription Bytes Offset

Block signature 2 0Block version 1 2Block attribute 1 3Block language 1 4Block type 1 5Block number 2 6Block length 4 8Block password 4 12Block last modified date 6 16Block interface last modified date 6 22Block interface length 2 28Block Segment table length 2 30Block local data length 2 32Block data length 2 34Data (MC 7 / DB) x 36Block signature 1 36+x

STL programs and their MC7 representation

OB 1 with

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

is compiled to

00: 7070 0101 0108 0001 0000 0074 0000 0000 pp.........t....

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 ..’5-...c.!.....

20: 0014 000a c000 c100 ca00 d880 6500 0100 ............e...

30: 0014 0000 0002 0502 0502 0502 0502 0502 ................

40: 0505 0505 0505 050e 0520 0100 0800 0000 ......... ......

50: 0000 0000 0000 0000 0000 0000 0000 0000 ................

60: 0000 0000 0000 0000 0100 a691 0000 0000 ................

70: 0000 0000 ....

STL programs and their MC7 representationSignature

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationVersion

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationAttribute

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationLanguage

STL 01, LAD 02, FBD 03, SCL 04, DB 05, GRAPH 06,SDB 07

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationType

OB 08, DB 0A, SDB 0B, FC 0C, SFC 0D, FB 0E, SFB 0F

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationNumber

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationLength

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationPassword

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationLast modified date

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationLast modified date

44771125 milliseconds and 11523 days since 1/1/84=⇒ 7/20/15 12:26:11.125 pm

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationInterface last modified date

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationInterface length

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationSegment table length

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationLocal data length

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationData/Code length

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

STL programs and their MC7 representationOpcodes

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

S7comm

S7commS7comm Protocol Structure

S7commDownload Procedure

SCADACS

S7commprotocol details

Wireshark can dissect S7comm with the dissector available at

http://sourceforge.net/projects/s7commwireshark/

S7commCommunication setup

S7commList all blocks

S7commList all OBs

S7commDownload OB 1 to PLC

S7commInsert OB 1 into filesystem

SCADACS

Attack Overview

SCADACS

Attack OverviewInstrumenting live PLC programs with own malware

◮ Upload original PLC code to your machine

◮ Prepend your own code to the original code (also used byStuxnet)

◮ Download the modified code to the PLC again

◮ Next cycle executes new code, without service disruption

SCADACS

Attack OverviewPLC Code Injection

◮ Example PLC code which calls FB 1

SCADACS

Attack OverviewPLC Code Injection

◮ OB1 with prepended malicous function call to FC 666

SCADACS

Attack

SCADACS

Attack

1. Instrumenting live PLC programs with scanning malware

2. SNMP scanning

3. Collecting the scan results

4. Instrumenting live PLC programs with proxy malware

5. Connecting to PLCs through the proxy malware

Attack IOverview

PLC 1 is connected to the Internet

Attack IIOverview

Attacker downloads the main program block. . .

Attack IIIOverview

. . . patches it and uploads a SMNP scanner

Attack IVOverview

The local network is scanned

Attack VOverview

Attacker downloads the scanning results

Attack VIOverview

A SOCKS proxy enables him to reach the net behind the PLC

Attack ISNMP Scanner - Details

◮ Get the PLC’s IP

Attack IISNMP Scanner - Details

◮ Calculate the subnet mask

Attack IIISNMP Scanner - Details

◮ Configure UDP connection

Attack IVSNMP Scanner - Details

◮ Send UDP packets (SNMP get request)

SOCKS5 Proxy - Details

SOCKS5 Proxy - Details I

◮ SOCKS5 protocol (RFC 1928)

◮ without authentication or encryption

SOCKS5 Proxy - Details II

Jump list for state machine

SOCKS5 Proxy - Details III

Bind and listen for incoming connections

SOCKS5 Proxy - Details IV

Receive clients authentication negotiation

SOCKS5 Proxy - Details V

Reply with no authentication

SOCKS5 Proxy - Details VI

Receive clients connect request. . .

SOCKS5 Proxy - Details VII

. . . and store IP and port

SOCKS5 Proxy - Details VIII

Connect to destination host. . .

SOCKS5 Proxy - Details IX

. . . and prepare a confirmation message. . .

SOCKS5 Proxy - Details X

. . . and send it to the client

SOCKS5 Proxy - Details XI

◮ connection to client and destination host are established

◮ now we can proxy

◮ send client’s messages to destination and vice versa

◮ an error while receiving means one partner disconnected

◮ send remaining data then disconnect and wait for nextclient

SOCKS5 Proxy - Details XII

◮ The SOCKS implementation on the PLC is able totransfer up to 730 KB/s if it is running alone.

◮ In combination with a memory intensive benchmark PLCprogramm the proxy was able to transfer up to 40KB/s.

Attack VideoSOCKS5 Proxy - Details

Connecting to PLCs through the proxy malware

...Video Presentation...

Evaluation

EvaluationQuestions

◮ Can such attack detected by timing?

◮ Can the attack exceed the default cycle time of 150ms?

Measurements I

How to measure

◮ Pull data from OB1 PREV CYCLE variable

◮ Store the result in a DB

◮ Upload DB from PLC

◮ Compare values for the baseline programm and theSOCKS Proxy (idle / under load)

Measurements II

Measurements III

Baseline Proxy idle Proxy under loadMean 85.32 85.40 86.67Std. Deviation 0.4927 0.5003 0.5239Std. Error 0.01089 0.01106 0.01158

Result:

◮ There exists a significant but not relevant timingdifference between the baseline program and its malicousSOCKS proxy version regarding the default cycle time of150 ms.

PLCinject

PLCinjectRelease

◮ How to use PLC Inject

◮ example

PLCinjectLive Demo

PLCinject with example Payload (running light) and a PLC

Mitigation strategies

1. Enabling protection-level 3

2. Network-level access control

3. If all else fails, means to woo deities to lend disasterprotection

Summary

◮ An internet facing PLC can be used as a gateway withoutservice disruption

◮ This enables an attacker to reach indirect Internetconnected PLCs too

◮ Taking these indirect connected systems into account, theattack surface regarding ICS could be much bigger thanexpected

Internet-facing PLCs - A New Back...

Documents

I np ut/Output I nterface Circuits and LSI Peripheral Devices 10 textbook.pdfavailable at output lines 03 through O15 of port 1. EXAMPLE I0.2 Write a series of inskuctions that will

S7 300 PLC OB1 PLC PLC PLCSIM - dl.poweren.irdl.poweren.ir/downloads/PowerEn/Book/2019/Mar/جزوه آموزش PLC S7-300 (PowerEn... · I0.0, I0.1, I0.2 Q0.0 PLCSIM LAD/STL/FBD PLC

Elemento de Processamento de Sinais - PLCgerson.luqueta.com.br/index_arquivos/CLPbasico.pdf · PC –CLP (MPI) I0.0 I0.1 Byte 0 Byte 4 ... 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 7 6 5 4

Die Systemfamilie SIMATIC S7ftp.gongkong.com › UploadFile › datum › 2008-12 › 2008121614281900001.pdf3 simatic® 控制器 siemens simatic sf run stop q0.0 q0.1 q0.2 q0.3 q0.4

Kinco-K2SeriesPLC 1 Productintroduction - spstiger · 2018-01-04 · Q0.0 and Q 0.1 support up to 50 KHz. ( The resistor of load should be less than 1.5 KΩ), Q0.4 supports up to

Nombre del proyecto: ESTACION TOMA DE DATOS VIALESrepository.udistrital.edu.co/bitstream/11349/22508/2/Anexo-1 Sistem… · %FC0 %I0.2 NotUsed 0 %FC1 %I0.3 NotUsed 0 %FC2 %I0.4 NotUsed

35013228 K01 000 01 - · PDF filezLas operaciones numéricas están incluidas en el ... Ejemplo de escalón 2 %I0.1 %I0.3 ... continuidad al área de actividad donde se

Simatic S5 to Simatic S7 Migration - Siemensf... · 2020-06-13 · i0.0～q127.7 q0.0～q127.7 py0～ pw128～254 f0.0～f255.7 s0.0～s8191.7 py0 fy0 sy0 データ d0.0 dl0 dr0 dw0

Resultado de los ejercicios del 0 al 5SSP Juan Fra Deseamos realizar un circuito de un paro marcha prioridad paro que activan dos salidas KA0 y KA1 a la vez (Q0.0 Y Q0.1) dispone de

Manual do Keyprogram - keylogix.com.br · em 0 transfere 1 para o endereço, caso contrário transfere 0. No exemplo acima a saída (%Q0.0) será acionada somente quando a entrada

Title 社会資本と資本蓄積 - 資本蓄積の現代的特徴を …...2) Robert R. Doane， The Anato叫 I0.1 American lVl四 lth，pp. 260-261; Subcommittee on Economic Statistics

old.scemi.comold.scemi.com/jxky/JPKC/DZDQX/GYKZ/GYKZ/swf/sysxzd… · Web viewPLC地址 WinCC地址符号表数据类型变量名 I0.0 M0.0 Start BOOL 启动开关 I0.1 M0.1

EXPERIMENT N0. 2 Introduction to PLC and Ladder Logic · PDF fileEXPERIMENT N0.4 Introduction to PLC and Ladder Logic ... v Draw a ladder diagram for turning the output Q0.0 ON when

LOGIC SENSOR PROOUT Gate Driver Providing Galvanic …DISFIL 4 10 20 µs DIS Input Delay Time t DDIS 4 10 20 µs Output OUT1 ON-Resistance (Source-side) R ONH I0.2 0.55 1.3 Ω OUT