
Industrial Control System Simulation

Thomas Roccia
February 10, 2020


Industrial Control Systems are at the heart of our factories; they are essentially the way the digital and physical worlds interact, crossing the border between data and physical actions. For a decade, industrial threats have continued to become more violent and more impactful. Getting access to an ICS device is not always affordable, yet many researchers, students and cybersecurity professionals need this kind of hands-on knowledge to understand the ICS threat.

In this presentation, we will talk about the Modbus protocol, one of the most widely used industrial protocols, and see how we can build our own low-cost ICS platform for learning and awareness purposes.



Transcript

  1. Do It Yourself ICS Platform: Industrial Control System Simulation. Thomas Roccia | @fr0gger_ | Security Researcher, Advanced Threat Research Team
  2. Agenda
     ▪ Introduction
     ▪ Attack On ICS
     ▪ Build Your Own ICS Simulation
     ▪ Overview of Modbus Protocol
     ▪ Hardware Details
     ▪ Software Details
     ▪ Use Cases
     ▪ Demo
     ▪ Take Away
     @fr0gger_ | @OWASPCork
  3. Why Study Industrial Control Systems?
     ▪ Industrial systems are used everywhere in the world.
     ▪ Attacks on industrial systems have an impact on the physical world.
     ▪ Attackers have geopolitical and economic interests.
  4. ICS Malware over the past
     STUXNET (2010)
     • First ICS malware
     • Targeted Iranian centrifuges
     • Changed rotation speed
     HAVEX (2013)
     • Target: energy grids…
     • Detects ICS devices via OPC
     • Remote access
     BLACKENERGY (2015)
     • Target: Ukraine's power grids
     • Destroys the system
     • Remote access to SCADA systems
     INDUSTROYER (2016)
     • Target: Ukraine's power grids
     • Data wiper
     • Shut down the power grid for the second time
     TRITON (2017)
     • Target: Middle Eastern oil and gas facility
     • Interacts with Schneider Triconex
     • Attack detected before impact
  5. ICS Simulation Overview
     ▪ The goal of this project is to provide a functional industrial model that can simulate process monitoring based on the Modbus protocol.
  6. Overview of Modbus Protocol
     “Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). Modbus has become a de facto standard communication protocol and is now a commonly available means of connecting industrial electronic devices.”
  7. Overview of Modbus Protocol
     ▪ Millions of automated devices across the world use Modbus.
     ▪ It allows the monitoring of industrial processes and devices such as valves, motors and thermometers, among many others.
     ▪ It follows the client/server model.
     ▪ For communication over TCP/IP, Modbus has been assigned the reserved port 502.
  8. Overview of Modbus Protocol
     ▪ To store data, Modbus uses the following tables within the protocol implementation.
     ▪ Coils and discrete inputs store 1-bit values (a Boolean that is either on or off); registers store numerical 16-bit values. For each type of data there is one read/write table and one read-only table.

     Table            | Access     | Object size
     -----------------|------------|------------
     Coil             | Read-write | 1 bit
     Discrete input   | Read-only  | 1 bit
     Input register   | Read-only  | 16 bits
     Holding register | Read-write | 16 bits
  9. Overview of Modbus Protocol
     ▪ Modbus uses numerical function codes that tell the controller (PLC) whether to read from or write to a specific table. Each function code relates to a specific data table and address range.

     Function                      | Code        | Description
     ------------------------------|-------------|------------
     Read Coils                    | 0x01        | Reads from 1 to 2000 contiguous coil statuses in a remote device.
     Read Discrete Inputs          | 0x02        | Reads from 1 to 2000 contiguous discrete input statuses in a remote device.
     Read Holding Registers        | 0x03        | Reads the contents of a contiguous block of holding registers in a remote device.
     Read Input Registers          | 0x04        | Reads from 1 to 125 contiguous input registers in a remote device.
     Write Single Coil             | 0x05        | Writes a single output to either ON or OFF in a remote device.
     Write Single Register         | 0x06        | Writes a single holding register in a remote device.
     Read Exception Status         | 0x07        | Reads the contents of eight exception status outputs in a remote device.
     Diagnostics                   | 0x08        | Provides a series of tests for checking the communication system between a client device and a server, or for checking various internal error conditions within a server.
     Write Multiple Coils          | 0x0F        | Forces each coil in a sequence of coils to either ON or OFF in a remote device.
     Write Multiple Registers      | 0x10        | Writes a block of contiguous registers (1 to 123 registers) in a remote device.
     Read/Write Multiple Registers | 0x17        | Performs one read operation and one write operation in a single Modbus transaction. The write operation is performed before the read.
     Read Device Information       | 0x2B / 0x0E | Reads the identification and additional information relative to the physical and functional description of a remote device (read-only).
  10. Hardware Details: ICS Simulation
     ▪ Arduino Mega: the core module that runs Modbus (https://store.arduino.cc/mega-2560-r3)
     ▪ Ethernet shield: for the TCP/IP connection and monitoring (https://www.arduino.cc/en/Main/ArduinoEthernetShieldV1)
     ▪ Motor shield: to control the motors (https://www.velleman.eu/products/view/?id=412538)
     ▪ An OLED screen: to show the speed of the motor (https://www.amazon.com/Diymall-Yellow-Arduino-Display-Raspberry/dp/B00O2LLT30)
     ▪ LEDs: to monitor the status (green if OK, red if something is wrong)
     ▪ A buzzer: for the siren
     ▪ A steam generator: to simulate overheating (https://www.graupner.com/Super-steam-generator-6-V/2324/)
  11. Software Details: ICS Simulation
     ▪ The data monitored with Modbus in this model includes:
     ▪ Device information: retrieved with function code 0x2B (43).
     ▪ Motor speed: speed of the motor, stored in register 6.
     ▪ Gauge value: the speed represented as a percentage, stored in register 7.
     ▪ Temperature: an arbitrary value derived from the motor speed. The faster the motor runs, the higher the temperature. Stored in register 10.
     ▪ LED status: two LEDs, a green one to indicate that everything is working fine and a red one to indicate that something is going wrong. The green LED status is stored in coil 0, the red LED in coil 1.
  12. ICS Simulation - Use Cases
     ▪ Modbus is a clear-text protocol without any authentication.
     ▪ The TCP frame is composed of the following fields:

     Field                  | Meaning
     -----------------------|------------------------------
     Transaction identifier | Synchronizes communication (pairs requests with responses)
     Protocol identifier    | 0 for Modbus TCP
     Length                 | Length of the packet
     Unit identifier        | Identifier of the slave
     Function code          | Function to execute
  13. ICS Simulation - Use Cases
     ▪ In the screenshot below we requested the PLC to give us the device information, using function code 0x2B (43):
  14. ICS Simulation - Use Cases
     ▪ It is also possible to retrieve the register contents with function code 0x03 (Read Holding Registers):
     • Register 6: speed value
     • Register 7: gauge value
     • Register 8: temperature
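The frame fields from slide 12 and the Read Holding Registers request above, as an added example that is not code from the deck or its project: a small standard-library Python encoder/decoder for Modbus TCP that builds a 0x03 request for registers 6 to 8, checks and decodes a constructed response, and tags each frame as a read or a write by function code (useful when watching traffic to the model, since the protocol itself carries no authentication). The sample response bytes are constructed here, not captured from the real model.

```python
import struct

# Function codes from the deck's table; the write codes change process state.
READ_CODES = {0x01, 0x02, 0x03, 0x04, 0x07, 0x2B}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x17}

def build_read_holding_registers(transaction_id, unit_id, start, count):
    """Frame for function 0x03: MBAP header (transaction id, protocol id 0,
    length of what follows the length field, unit id) followed by the PDU."""
    pdu = struct.pack(">BHH", 0x03, start, count)          # fc, start addr, quantity
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_frame(frame):
    """Split a Modbus TCP frame into MBAP fields and PDU, checking the header."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus TCP")
    if length != len(frame) - 6:
        raise ValueError("length field does not match the frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": frame[7], "pdu": frame[7:]}

def parse_read_registers_response(frame, start):
    """Decode a 0x03 response into {register_address: value}."""
    info = parse_frame(frame)
    pdu = info["pdu"]
    if info["function_code"] & 0x80:      # bit 7 set marks an exception response
        raise ValueError("exception code 0x%02x" % pdu[1])
    byte_count = pdu[1]
    values = struct.unpack(">%dH" % (byte_count // 2), pdu[2:2 + byte_count])
    return {start + i: v for i, v in enumerate(values)}

def classify(frame):
    """Tag a frame as read or write by function code, for traffic monitoring."""
    fc = parse_frame(frame)["function_code"]
    if fc in WRITE_CODES:
        return "write"
    return "read" if fc in READ_CODES else "unknown"

# Constructed sample response (tid 1, unit 1) to a read of registers 6..8:
# speed 1200, gauge 60, temperature 45. Not captured from the real model.
SAMPLE_RESPONSE = bytes.fromhex("0001 0000 0009 01 03 06 04b0 003c 002d")

if __name__ == "__main__":
    print(build_read_holding_registers(1, 1, 6, 3).hex())     # 000100000006010300060003
    print(parse_read_registers_response(SAMPLE_RESPONSE, 6))  # {6: 1200, 7: 60, 8: 45}
    print(classify(SAMPLE_RESPONSE))                          # read
```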
  15. ICS Simulation – Basic Modbus Attack
     ▪ With Pymodbus it is possible to interact directly with the PLC. We wrote a simple tool that grabs information about the PLC such as:
     ▪ Device info
     ▪ Register values
     ▪ Coil values
  16. Conclusion
     ▪ Attacks on ICS are critical.
     ▪ As defenders, it is valuable to practice on a simulation.
     ▪ Practicing on real ICS systems can be expensive.
     ▪ 3D printing a model can be an affordable way to practice on an ICS system.