no need to marry to change your name
play

No Need to Marry to Change your Name! Attacking Profinet IO - PowerPoint PPT Presentation

Sep 30, 2023 •475 likes •675 views

20.06.2019 No Need to Marry to Change your Name! Attacking Profinet IO Automation Networks Using DCP S tefan Mehner, Hartmut Knig Brandenburg University of Technology Cottbus - S enftenberg Evolution in Industrial Control Systems

  1. 20.06.2019 No Need to Marry to Change your Name! Attacking Profinet IO Automation Networks Using DCP S tefan Mehner, Hartmut König Brandenburg University of Technology Cottbus - S enftenberg

  2. Evolution in Industrial Control Systems Fieldbus Industrial Ethernet https:/ / www.indu-sol.com/ produkte/ profibus/ ueberwachung/ profibus-inspektorr-nt/ http:/ / wiki.hmkdirect.com/ mediawiki/ index.php/ File:ProfinetIOTopology.j pg 2

  3. Profinet IO - Overview ethernet-based fieldbus protocol specified in IEC 61784-2 real-time capable Profinet Application HTTP device roles: SNMP DHCP NRT Real-time data … • IO Supervisor TCP/UDP • IO Controller IP • IO Device RT IRT Ethernet 3

  4. Profinet IO - Project Configuration IO Supervisor IO Controller IO Device 1) Engineering of Profinet system 2) Assignment of IP address 3) Assignment of device name 4) Engineering 5) Checking the device name 6) Assignment of IP address 7) Connection establishment 8) Data exchange 4

  5. Profinet IO - Project Configuration Engineering of Profinet system Assignment of IP address Name Assignment IP Assignment Assignment of device name Engineering Checking the device name Assignment of IP address IO Device IO Controller IO Device IO Supervisor Connection establishment Data exchange name="device1"? name="device1"? DCP Timeout name="device1" who has "192.168.0.10"? ARP Timeout set name="device1" set ip="192.168.0.10" 5

  6. Attack - Goal IO Supervisor IO Controller IO Device 1) Engineering of Profinet system 2) Assignment of IP address 3) Assignment of device name 4) Engineering 5) Checking the device name 6) Assignment of IP address 7) Connection establishment 8) Data exchange 6

  7. Attack - Steps Engineering of Profinet system Assignment of IP address Assignment of device name Attacker IO Controller IO Device Engineering Checking the device name Assignment of IP address Connection establishment Data exchange 1) Topology Discovery name= “controller“ name= “device 1 “ 2) Port Stealing name= “device 1 “ ? 3) Reconfiguration of IO Device name= “mallory“ 7

  8. Results Topology Controller Device Reconfiguration Sequence Port Stealing PS + R (PS) (R) !! ! !! Star CPU1516 ET200SP !! ! ET200S x !! ! !! Pepperl+Fuchs !! ! !! ifm !! ! CPU315 ET200S x ( ! ) !! !! Line CPU1516 ET200SP ( !! ) ( ! ) ET200S x ( ! ) !! !! Pepperl+Fuchs !! ( ! ) !! ifm CPU315 ET200S NA NA NA !! (. . . ) = attacker connected to CPU x = not successful ! = successful; AR restored after attack NA = not applicable !! = successful; AR permanently broken 8

  9. Results - Behavior of ET200S DCP behavior specified in DIN EN 61158-6-10:2015-09 • 9

  10. Extended Attack - Goal IO Supervisor IO Controller IO Device 1) Engineering of Profinet system 2) Assignment of IP address 3) Assignment of device name 4) Engineering 5) Checking the device name 6) Assignment of IP address 7) Connection establishment 8) Data exchange Paul, A., Schuster, F., König, H.: Towards the Protection of Industrial Control Systems – Conclusions of a 10 Vulnerability Analysis of Profinet IO. (DIMVA 2013) 


  11. Attack - DoS on Name Assignment Engineering of Profinet system Assignment of IP address Assignment of device name Attacker IO Supervisor IO Device Engineering Checking the device name Assignment of IP address Connection establishment Data exchange name="device1"? name="device1"? DCP Timeout DCP Timeout name="device1"? 11

  12. Attack - DoS on IP Assignment Engineering of Profinet system Assignment of IP address Assignment of device name Attacker IO Controller IO Device Engineering Checking the device name Assignment of IP address Connection establishment Data exchange name="device1"? name="device1"? DCP Timeout DCP Timeout name="device1" name="device1" name="device1" Ip=" " who has who has "192.168.0.10"? "192.168.0.10"? ARP Timeout ARP Timeout Is at "de:fe:07:20:ab:cd" set ip="192.168.0.10" 12

  13. Results 13

  14. Status of Disclosure Process reported attack to German BSI PNO informed by BSI feedback: • attack scenario is known • Profinet systems should be protected by cell security concept • only applicable for inside attacker • next version of Profinet with improved security features 14

  15. Conclusion and Future Work novel attack on Profinet IO automation systems • topology discovery • port-stealing • reconfiguration attack • Denial of Service attack from [Paul2013] comprehensive evaluation of the applicability next step: SDN-based firewall to detect and prevent such attacks 15

  16. Hardware 16

  17. Topologies 17

  18. Status of Disclosure Process 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OF M OF MARR ARRIA IAGE GE Eph Ephesia esians ns 5 HOW DO YOU DECIDE WHO TO MARRY? No

OF M OF MARR ARRIA IAGE GE Eph Ephesia esians ns 5 HOW DO YOU DECIDE WHO TO MARRY? No

THE THE M MYSTER TERY OF M OF MARR ARRIA IAGE GE Eph Ephesia esians ns 5 HOW DO YOU DECIDE WHO TO MARRY? No person really decides before they grow up who they're going to marry. God decides it all way before, and you get to find

600 views • 27 slides
Step By Step System To Get The Man You Want To Marry You If you prefer to watch the video

Step By Step System To Get The Man You Want To Marry You If you prefer to watch the video

Step By Step System To Get The Man You Want To Marry You If you prefer to watch the video presentation, Click Here Page 1 http://datinginstructor.com/ggr-video Step By Step System To Get The Man You Want To Marry You Im T -Dub and what we are

475 views • 28 slides
Better To Marry Than Burn A Little Review 1 Corinthians 7:1-9 Doesnt verse 9 trump all

Better To Marry Than Burn A Little Review 1 Corinthians 7:1-9 Doesnt verse 9 trump all

Better To Marry Than Burn A Little Review 1 Corinthians 7:1-9 Doesnt verse 9 trump all other considerations? Didnt Paul tell his readers to remain in their present condition? The spouse of an unbeliever is not bound,

358 views • 9 slides
Whom to Marry? Agile experiments for tough technology decisions Thijmen de Gooijer, IT Architect

Whom to Marry? Agile experiments for tough technology decisions Thijmen de Gooijer, IT Architect

Whom to Marry? Agile experiments for tough technology decisions Thijmen de Gooijer, IT Architect My talk in Numbers 100 employees 10 year BizTalk lifecycle 6 months to delivery 2 relationship tests 2 Swedish Local Government Debt Office

563 views • 22 slides
copier copy marry marrying baby babies happy happiest cry cries Look at each sentence to

copier copy marry marrying baby babies happy happiest cry cries Look at each sentence to

A root word is the basic form of a word before any parts are changed or added on. We have seen how root words can be changed by adding different suffixes (endings) copier copy marry marrying baby babies happy happiest cry cries Look

333 views • 10 slides
Object-oriented Programming Objects: marry data with related methods Specifying a class

Object-oriented Programming Objects: marry data with related methods Specifying a class

Object-oriented Programming Objects: marry data with related methods Specifying a class does not create any objects No memory allocation (or almost none) An object is an instance of a particular class There can be many

298 views • 11 slides
Second-Cousin Marriages Meena Boppana, Anibha Singh, Ashley Cho June 23, 2010 Axioms of a

Second-Cousin Marriages Meena Boppana, Anibha Singh, Ashley Cho June 23, 2010 Axioms of a

Second-Cousin Marriages Meena Boppana, Anibha Singh, Ashley Cho June 23, 2010 Axioms of a Marriage Society Only people with the same marriage type are allowed to marry. Brothers and sisters cannot marry. Marriage type for a child is

238 views • 21 slides
2019 Citrus Tree Census Will future production marry with expected demand? Mara Milner Market

2019 Citrus Tree Census Will future production marry with expected demand? Mara Milner Market

2020 Citrus Australia Market Outlook Forum - Melbourne 2019 Citrus Tree Census Will future production marry with expected demand? Mara Milner Market Information & Quality Project Officer, Citrus Australia Presentation - overview 2019

157 views • 14 slides
ART OF CHANGE 21 PRSENTATION 2 ART OF CHANGE 21 ABOUT US Art of Change 21 works in the field

ART OF CHANGE 21 PRSENTATION 2 ART OF CHANGE 21 ABOUT US Art of Change 21 works in the field

ART OF CHANGE 21 PRSENTATION 2 ART OF CHANGE 21 ABOUT US Art of Change 21 works in the field of sustainable development and art and the interlinkages between art, social entrepreneurs and the youth. Art of Change 21 started its activities

302 views • 13 slides
Change Management Change Management Change Management Appreciate the balance within Change

Change Management Change Management Change Management Appreciate the balance within Change

Slide 2 Purpose of this Session Objectives Understanding of Change Management principles within RBS Understand why CM is important / necessary Change Management Change Management Change Management Appreciate the balance within

249 views • 4 slides
Communicating Change The journey Change is when things What is change move from a current to

Communicating Change The journey Change is when things What is change move from a current to

Communicating Change The journey Change is when things What is change move from a current to future state Know your vision, your How do end goal, and get clear on you drive what needs to change to change reach it Sometimes the best

550 views • 23 slides
Changing Times, Emerging Generations: A snapshot of the megatrends affecting higher education.

Changing Times, Emerging Generations: A snapshot of the megatrends affecting higher education.

Changing Times, Emerging Generations: A snapshot of the megatrends affecting higher education. Mark McCrindle THETA Conference Monday 11 May 2015 Change. Change. Change. Change. Change. Change. Change. Change. Chang Change. Change.

2.25k views • 87 slides
sUpPORt c O n S T a N t cHAnGe cHAnGe cHAnGe nealford.com @neal4d to make di ff erent in some

sUpPORt c O n S T a N t cHAnGe cHAnGe cHAnGe nealford.com @neal4d to make di ff erent in some

cHAnGe sUpPORt c O n S T a N t cHAnGe cHAnGe cHAnGe nealford.com @neal4d to make di ff erent in some particular to undergo a modi fi cation of to give a di ff erent position, course, or direction to cHAnGe to replace with another to make a

750 views • 71 slides
2/27/2015 2015 PROFESSIONAL ETHICS & CONDUCT Is Change Inevitable? 1 2/27/2015 2

2/27/2015 2015 PROFESSIONAL ETHICS & CONDUCT Is Change Inevitable? 1 2/27/2015 2

2/27/2015 2015 PROFESSIONAL ETHICS & CONDUCT Is Change Inevitable? 1 2/27/2015 2 2/27/2015 3 2/27/2015 The Handwriting on the Wall Change Happens Anticipate Change Monitor Change Adapt To Change Quickly Change Enjoy Change! Be

580 views • 25 slides
If the rate of change on the outside exceeds the rate of change on the inside the end is

If the rate of change on the outside exceeds the rate of change on the inside the end is

If the rate of change on the outside exceeds the rate of change on the inside the end is near -Jack Welch Change brings exceptional opportunities for those ready to take action -John Burke Motels els Man anuf ufacturi acturing

530 views • 29 slides
Effectively Engaging in Should change Have been thinking about changing Change but

Effectively Engaging in Should change Have been thinking about changing Change but

4/27/2014 Discussion Topic Something about yourself that you: Want to change Need to change Effectively Engaging in Should change Have been thinking about changing Change but havent changed yet Something you have

249 views • 5 slides
Open Programmable Architecture for Java-enabled Network Devices Tal Lavian Technology Center

Open Programmable Architecture for Java-enabled Network Devices Tal Lavian Technology Center

Open Programmable Architecture for Java-enabled Network Devices Tal Lavian Technology Center Nortel Networks tlavian@NortelNetworks.com Santa Clara University 9/29/99 1 Programmable Network Devices Openly Programmable devices

1k views • 44 slides
A Knowledge Proxy bridging between SNMP and ACMP Formatvorlage des Untertitelmasters durch

A Knowledge Proxy bridging between SNMP and ACMP Formatvorlage des Untertitelmasters durch

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen A Knowledge Proxy bridging between SNMP and ACMP Formatvorlage des Untertitelmasters durch Klicken Final Presentation: bearbeiten Bachelor

390 views • 9 slides
Meeting 20/01/2010 - Outcome PVSS servers (PVSS project + Linux System) + create a

Meeting 20/01/2010 - Outcome PVSS servers (PVSS project + Linux System) + create a

Meeting 20/01/2010 - Outcome PVSS servers (PVSS project + Linux System) + create a fwSystemOverview project on TN + configure several UNICOS production machines to be monitored Central PLC agent + update code to be

100 views • 7 slides
Robust Traffic Matrix Estimation with Imperfect Information: Making Use of Multiple Data Sources

Robust Traffic Matrix Estimation with Imperfect Information: Making Use of Multiple Data Sources

Robust Traffic Matrix Estimation with Imperfect Information: Making Use of Multiple Data Sources Qi Zhao, Georgia Institute of Technology Zihui Ge, AT&T Labs-Research Jia Wang, AT&T Labs-Research Jun (Jim) Xu, Georgia Institute of

261 views • 24 slides
System Administration with pkgsrc <seb@ssr.univ-paris7.fr> a.k.a <seb@NetBSD.org>

System Administration with pkgsrc <seb@ssr.univ-paris7.fr> a.k.a <seb@NetBSD.org>

System Administration with pkgsrc <seb@ssr.univ-paris7.fr> a.k.a <seb@NetBSD.org> PkgsrcCon 2006 Who ? What ? Networks (data & voice) department of Paris 7 University About 20 supporting servers All running NetBSD,

228 views • 19 slides
Lost Silence: An emergency response early detection service through continuous processing of

Lost Silence: An emergency response early detection service through continuous processing of

Lost Silence: An emergency response early detection service through continuous processing of telecommunication data streams Qianru Zhou Heriot-Watt University, Edinburgh, U.K. October 2017 1 Motivation At 21:30 on 1st June, 2015, on the

475 views • 19 slides
Securing HTCondor Flocking Kevin Hrpcek UW-Madison Space Science and Engineering Center SSEC

Securing HTCondor Flocking Kevin Hrpcek UW-Madison Space Science and Engineering Center SSEC

Securing HTCondor Flocking Kevin Hrpcek UW-Madison Space Science and Engineering Center SSEC Earth Atmospheric Research Weather, climate, numerical weather prediction CIMSS, SIPS, SDS, McIDAS Collaboration with

697 views • 25 slides
The Simpsons: Best. TV Show. Ever.* Speaker: Sam Creed UDLS Jan 16 2015 *focus on Season 1-8

The Simpsons: Best. TV Show. Ever.* Speaker: Sam Creed UDLS Jan 16 2015 *focus on Season 1-8

The Simpsons: Best. TV Show. Ever.* Speaker: Sam Creed UDLS Jan 16 2015 *focus on Season 1-8 Quick Facts animated sitcom created by Matt Groening premiered Dec 17, 1989 - over 25 years ago! over 560+ episodes aired longest running scripted

598 views • 24 slides

More recommend