No Need to Marry to Change your Name! Attacking Profinet IO (PowerPoint presentation)


SLIDE 1

No Need to Marry to Change your Name!

Attacking Profinet IO Automation Networks Using DCP

20.06.2019
Stefan Mehner, Hartmut König
Brandenburg University of Technology Cottbus - Senftenberg

SLIDE 2

Evolution in Industrial Control Systems

  • Fieldbus
  • Industrial Ethernet

Image sources:
https://www.indu-sol.com/produkte/profibus/ueberwachung/profibus-inspektorr-nt/
http://wiki.hmkdirect.com/mediawiki/index.php/File:ProfinetIOTopology.jpg

SLIDE 3

Profinet IO - Overview

  • Ethernet-based fieldbus protocol specified in IEC 61784-2
  • real-time capable
  • device roles:
    • IO Supervisor
    • IO Controller
    • IO Device

[Figure: Profinet protocol stack - Ethernet, IP, TCP/UDP with HTTP, SNMP, DHCP, ... on the NRT path; Profinet application with real-time data over RT and IRT]

SLIDE 4

Profinet IO - Project Configuration

[Figure: sequence between IO Supervisor, IO Controller and IO Device]

1) Engineering of Profinet system
2) Assignment of IP address
3) Assignment of device name
4) Engineering
5) Checking the device name
6) Assignment of IP address
7) Connection establishment
8) Data exchange

SLIDE 5

Profinet IO - Project Configuration

Name Assignment (IO Supervisor, IO Device):
  name="device1"?
  DCP Timeout
  set name="device1"

IP Assignment (IO Controller, IO Device):
  name="device1"?
  name="device1"
  who has "192.168.0.10"?
  ARP Timeout
  set ip="192.168.0.10"

SLIDE 6

Attack - Goal

[Figure: the project configuration sequence of slide 4 (steps 1-8 between IO Supervisor, IO Controller and IO Device)]

SLIDE 7

Attack - Steps

Participants: IO Controller, Attacker, IO Device

1) Topology Discovery
   name="device1", name="controller"
2) Port Stealing
   name="device1"? name="mallory"
3) Reconfiguration of IO Device

SLIDE 8

Results

Legend:
  x    = not successful
  !    = successful; AR restored after attack
  !!   = successful; AR permanently broken
  ( )  = attacker connected to CPU
  NA   = not applicable

Topology  Controller  Device         Port Stealing (PS)  Reconfiguration (R)  PS + R
Star      CPU1516     ET200SP        !                   !!                   !!
Star      CPU1516     ET200S         !                   x                    !!
Star      CPU1516     Pepperl+Fuchs  !                   !!                   !!
Star      CPU1516     ifm            !                   !!                   !!
Star      CPU315      ET200S         !                   x                    !!
Line      CPU1516     ET200SP        (!)                 !!                   !!
Line      CPU1516     ET200S         (!)                 x                    (!!)
Line      CPU1516     Pepperl+Fuchs  (!)                 !!                   !!
Line      CPU1516     ifm            (!)                 !!                   !!
Line      CPU315      ET200S         NA                  NA                   NA

SLIDE 9

Results - Behavior of ET200S

DCP behavior specified in DIN EN 61158-6-10:2015-09
SLIDE 10

Extended Attack - Goal

[Figure: the project configuration sequence of slide 4 (steps 1-8 between IO Supervisor, IO Controller and IO Device)]

Paul, A., Schuster, F., König, H.: Towards the Protection of Industrial Control Systems - Conclusions of a Vulnerability Analysis of Profinet IO. (DIMVA 2013)


SLIDE 11

Attack - DoS on Name Assignment

Participants: IO Supervisor, Attacker, IO Device

Message sequence (in reading order of the figure):
  name="device1"?
  DCP Timeout
  name="device1"?
  name="device1"?
  DCP Timeout

SLIDE 12

Attack - DoS on IP Assignment

Participants: IO Controller, Attacker, IO Device

Message sequence (in reading order of the figure):
  name="device1"?
  name="device1"
  DCP Timeout
  name="device1" Ip=" "
  who has "192.168.0.10"?
  ARP Timeout
  Is at "de:fe:07:20:ab:cd"
  name="device1"?
  name="device1"
  who has "192.168.0.10"?
  set ip="192.168.0.10"
  DCP Timeout
  ARP Timeout
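As an added example that is not part of the presentation, a passive monitor that checks DCP Identify responses, DCP Set requests and ARP replies against the engineered inventory, and flags the message patterns that the port-stealing sequence (slide 7) and the two DoS sequences (slides 11 and 12) leave on the wire. The `Event` record format, the station inventory and all MAC addresses except the one shown on slide 12 are assumptions; decoding Profinet frames from the wire is assumed to happen upstream and is not shown.

```python
# Added example, not from the presentation: a passive monitor that compares
# decoded DCP/ARP events with the engineered Profinet inventory. Decoding the
# frames (Profinet uses Ethertype 0x8892) is assumed to happen upstream.
from dataclasses import dataclass

@dataclass
class Event:
    src: str        # sender MAC
    kind: str       # identify_req | identify_resp | set_name | set_ip | arp_reply
    name: str = ""  # NameOfStation carried by the message, if any
    ip: str = ""    # IP address carried by set_ip / arp_reply, if any

@dataclass
class DcpMonitor:
    trusted: set      # MACs allowed to send DCP Set: the IO Supervisor and IO Controller
    stations: dict    # engineered station name -> MAC of the IO Device that owns it
    addresses: dict   # engineered IP address -> MAC of the IO Device that owns it

    def observe(self, ev):
        """Check one event against the inventory and return the alerts it raises."""
        new = []
        # Only the supervisor/controller may rename a station or assign an IP.
        if ev.kind in ("set_name", "set_ip") and ev.src not in self.trusted:
            new.append(f"DCP {ev.kind} from untrusted {ev.src}")
        # A second host answering Identify for an engineered name (name collision).
        if ev.kind == "identify_resp" and self.stations.get(ev.name) not in (None, ev.src):
            new.append(f"{ev.src} answers Identify for {ev.name!r}, expected {self.stations[ev.name]}")
        # A foreign host answering the controller's ARP probe for an engineered IP.
        if ev.kind == "arp_reply" and self.addresses.get(ev.ip) not in (None, ev.src):
            new.append(f"{ev.src} answers ARP for {ev.ip}, expected {self.addresses[ev.ip]}")
        return new

# Constructed MACs; the last one is the address shown in the slide 12 trace.
SUPERVISOR, CONTROLLER = "00:00:00:00:00:01", "00:00:00:00:00:02"
DEVICE, ATTACKER = "00:00:00:00:00:03", "de:fe:07:20:ab:cd"

def run_sample_trace():
    """Replay a constructed trace shaped like the IP-assignment sequence of slide 12."""
    mon = DcpMonitor({SUPERVISOR, CONTROLLER}, {"device1": DEVICE}, {"192.168.0.10": DEVICE})
    trace = [
        Event(CONTROLLER, "identify_req", name="device1"),  # controller checks the name
        Event(DEVICE, "identify_resp", name="device1"),     # engineered device answers
        Event(ATTACKER, "identify_resp", name="device1"),   # same name claimed by another host
        Event(ATTACKER, "arp_reply", ip="192.168.0.10"),    # "Is at ..." blocks IP assignment
        Event(CONTROLLER, "set_ip", ip="192.168.0.10"),     # legitimate DCP Set
        Event(ATTACKER, "set_name", name="device1"),        # DCP Set from an untrusted host
    ]
    return [alert for ev in trace for alert in mon.observe(ev)]
```

Running `run_sample_trace()` yields three alerts (the foreign Identify answer, the foreign ARP reply and the untrusted DCP Set); the controller's own messages raise none.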

SLIDE 13

Results

[Figure only]

SLIDE 14

Status of Disclosure Process

  • reported attack to German BSI
  • PNO informed by BSI
  • feedback:
    • attack scenario is known
    • Profinet systems should be protected by cell security concept
    • only applicable for inside attacker
    • next version of Profinet with improved security features

SLIDE 15

Conclusion and Future Work

novel attack on Profinet IO automation systems
  • topology discovery
  • port-stealing
  • reconfiguration attack
  • Denial of Service attack from [Paul2013]

comprehensive evaluation of the applicability

next step: SDN-based firewall to detect and prevent such attacks

SLIDE 16

Hardware

[Figure only]

SLIDE 17

Topologies

[Figure only]

SLIDE 18

Status of Disclosure Process

[Figure only]