saf safeguar arding ng civilizat ation
play

SAF SAFEGUAR ARDING NG CIVILIZAT ATION RIPPLE20: WHAT YOU NEED - PowerPoint PPT Presentation

Mar 24, 2024 •174 likes •615 views

I N I N D U S T R I A I A L C O N T R O L S Y S T E M E M S C Y B E R E R S E C E C U R I T I T Y SAF SAFEGUAR ARDING NG CIVILIZAT ATION RIPPLE20: WHAT YOU NEED TO KNOW REID WIGHTMAN & KATE VAJDA Vulnerability Researchers Reid

  1. I N I N D U S T R I A I A L C O N T R O L S Y S T E M E M S C Y B E R E R S E C E C U R I T I T Y SAF SAFEGUAR ARDING NG CIVILIZAT ATION RIPPLE20: WHAT YOU NEED TO KNOW REID WIGHTMAN & KATE VAJDA

  2. Vulnerability Researchers Reid Wightman Kate Vajda • Principal Vulnerability Analyst • Senior Vulnerability Analyst • Embedded systems • Sys & network admin • Lead exploitation • Penetration tester & Does the hard work • • Tags along Fancy home lab Growing home lab • • 2

  3. What you need d to know Devices Impacted Devices that rely on the Treck TCP/IP stack JSOF’ JS F’s Fi Findings gs: Prevention Strategy ht https://www. www.jso sof-te tech.c .com om/ri /ripple2 e20/ Strategies for blocking malicious targeting Key takeaways for the following: Mitigation Tactics Strategies for mitigating the risks associated Research Implications What this means for the community 3

  4. Vulnerabilities identified in Treck TCP/IP Stack JSOF Research Team White Paper Vendor Coordination Device identification § Released with demo § Several vendors list which § Embedded systems with § Focused on 2/19 vulns devices are affected, more no native IP stack § Not so easy to detect all identified importantly; § JSOF talk tomorrow (8/5) § How they are affected vulns (see ‘fixed dates’ in § DoS or RCE? at BlackHat JSOF advisory) § Many CPU and even ‘overall device’ architectures

  5. Th The Bugs gs • “Treck TCP/IP” stack is really an IP stack • The ‘big’ bugs (3) include memory corruption as outcome • The ‘more minor’ (16) bugs result in out-of-bound reads/memory leaks • Impacts vary by devices, some bugs fixed/semi-fixed years ago according to JSOF

  6. De Devices wi with Tre Treck TC TCP/IP IP stack Each device needs to Storage Devices be investigated Medical Printers Devices Switches Devices and Power Supplies systems include: Wireless Sensors Modules Control RTOS Servers Relays Remote Terminal Units 6 6

  7. De Device ices Tested APC SmartUPS Network-controlled uninterruptable power supply A s A subset o of d device ces a affect cted; t these a are cu currently part of our research ch for Digi Connect Wi ME 9210 Ripple2 Ri e20 vulner erabilities es. Embedded wireless network interface SCADAPACK 32P RTU These devices live in our home labs Programmable remote terminal unit ABB REF615 Feeder protection and control device 7

  8. Ge Generic c PL PLC Archit itec ecture Sensors/Sensor Data Actuators Input Module Processing Unit Output Module (with CPU) (Control Logic / Protection Logic) (with CPU) Network Card [Optional] (with CPU) Serial/Direct Connection Ripple20 bugs live here Data Collection Programming Systems PC

  9. Ge Generally, Et Ethernet processors

  10. De Deep d dive i int nto AP APC S SmartUPS • Devices inspected: Smart-UPS with 963X-series Ethernet cards • Cards run uC/OS-II operating system with Treck stack on an ASIC (x86-ish – possibly RDC C62xx-series DSP) • Cards communicate with UPS board, including ‘lights out’ type management (more later)

  11. De Deep d dive i int nto AP APC Sm Smar artU tUPS 11

  12. De Deep d dive i int nto AP APC S SmartUPS • 963X cards support: • SNMP • BACnet • Modbus/TCP • BACnet allows ‘shutting the UPS off’ by design • Modbus/TCP allows poweroff on SOME UPS models (not SmartUPS though)

  13. De Deep d dive i int nto AP APC S SmartUPS

  14. De Deep d dive i int nto AP APC S SmartUPS

  15. De Deep d dive i int nto AP APC S SmartUPS

  16. De Deep d dive i int nto AP APC Sm Smar artU tUPS

  17. De Deep d dive i int nto AP APC Sm Smar artU tUPS AP963X Network Card Smart-UPS Ethernet CAN CAN relays BACnet Modbus/TCP SNMP RMS 17

  18. De Deep d dive i int nto AP APC S SmartUPS • Summary: • Crashing the 963x != disabling UPS protection • Remotely powering off/on UPS is a design feature of BACnet (all models) and Modbus (some models) • Actually exploiting the bug to poweroff device requires RE, learning CAN commands (or, calling the firmware funcs) • Before freaking out, keep these things in mind

  19. Sh Shal allow di dive ve into to Di Digi C Conne nnect W Wi M ME 9 9210 Serial converter requires device maker to modify firmware • Device has an ARM processor running “NET+OS” • Default firmware provides access to UDP/2362 (Digi Discovery Protocol) • Only device (so far) reported to be vulnerable to CVE-2020-11896 for RCE • h/t to Finite State for walking us through device firmware •

  20. De Deep d dive i int nto Di Digi C Conne nnect W Wi M ME 9 9210 Wi-Me 9210 Industrial Product Ethernet Serial Serial I/O (more likely): User-written ICS Direct serial Protocols protocol access

  21. De Deep d dive i int nto Sc Schneide der El Electr tric SCA SCADAPac ack RT RTU • All SCADAPack 32 RTUs affected • Device inspected: SCADAPack 32 P4 • Runs on SH-3 CPU/Unknown OS • Logic and Ethernet on one set of firmware

  22. De Deep d dive i int nto Sc Schneide der El Electr tric SCA SCADAPac ack RT RTU

  23. De Deep d dive i int nto Sc Schneide der El Electric SCA SCADAPac ack RT RTU SH-3 (Main Processor) IO Boards Ethernet Unknown Unknown I/O (ISA) Other protocols. Modbus/TCP Really, who cares, Project access because <——

  24. De Deep d dive i int nto Sc Schneide der El Electr tric SCA SCADAPac ack RT RTU Logic transfer done using Modbus/TCP (proprietary function code) No security on project transfer Check out our device à

  25. De Deep d dive i int nto Sc Schneide der El Electr tric SCA SCADAPac ack RT RTU Modbus TCP (TCP/502) Modbus RTU (UDP/49152) Modbus ASCII (UDP/49153) DNP requires activation (TCP/20000 and UDP/20000)

  26. De Deep d dive i int nto AB ABB R REF61 615 - Odd hybrid network architecture - CPU looks like a PowerQUICC (haven’t got the main board out yet though!) - Ethernet appears to be a separate board, but…

  27. De Deep d dive i int nto AB ABB R REF61 615

  28. De Deep d dive i int nto AB ABB R REF61 615 PTP Chip REF615 Network Card REF615 Controller Board REF615 Controller Board Ethernet Passthrough Passthrough Serial Serial Raw I/O Modbus/TCP DNP3 61850 PTP

  29. De Deep d dive i int nto AB ABB R REF61 615 - One of the more worrisome vulnerable products, strangely - Protection logic is updated via FTP - Crashing device may impact ability to protect against electrical issues, memory leaks actually useful - No immediate impact from this loss, but as part of a coordinated effort…could be bad

  30. De Deep d dive i int nto Opt Opto22 SNA NAP-PA PAC-S1 S1 Opto22 SNAP-PAC-S1: all versions Coldfire / Motorola CPU Also same processing

  31. De Deep d dive i int nto Opt Opto22 SNA NAP-PA PAC-S1 S1

  32. De Deep d dive i int nto Opt Opto22 SNA NAP-PA PAC-S1 S1 Opto-22 IO Module Ethernet Serial? Serial? I/O Direct memory Other protocols. access Really, who cares, (IEEE-1394 over because TCP) <—— 32

  33. De Deep d dive i int nto Opt Opto22 SNA NAP-PA PAC-S1 S1 Direct memory access, the software even gives you the addresses!

  34. De Deep d dive i int nto Opt Opto22 SNA NAP-PA PAC-S1 S1 Device can be restarted through OptoMMP protocol, no authentication necessary.

  35. Deep d De dive i int nto Opt Opto22 SNA NAP-PA PAC-S1 S1 Ports open : FTP (TCP/21) • • OptoMMP (TCP/2001) SNMP (UDP/161) • • Use IP filters Direct memory access •

  36. Impact Summary Device Loss of View Loss of Control Notes APC Smart-UPS Total ‘Soft’ loss Configurable to allow unauth control Wi-ME 9210 Total N/A (in most systems, ‘Soft’) SCADAPack Total ‘Hard’ loss Insecure by Design Opto22 Total ‘Hard’ loss Insecure by Design REF615 Total ‘Hard’ loss Device has actual security 36

  37. Current detection strategy for Ripple20 Active Reversing Passive § Scanning for vulnerable § Passive signatures (Dragos § Firmware static analysis devices (OS Platform!) for incorporated functions § Suricata: § Verify vulnerability fingerprinting) https://github.com/LubyRuffy/Finge https://github.com/CERTCC/PoC- Exploits/blob/master/vu- rPrinting-Ripple20 257161/vu-257161.rules § Nmap too § Zeek rules: https://github.com/corelight/ri pple20

  38. Prevention Strategy Block IP-over-IP Restricts the easy ‘denial of service’ vuln Three severe vulnerabilities are blocked by preventing IP-over-IP, IPv6, and DNS. Block or restrict DNS The remaining vulns are less severe, If absolutely required, configure and are blocked by restricting ICMP, control systems DNS servers to only allow forwarding of your domain 6to4, DHCP; however in most ICS these requests remaining vulns are not useful to an attacker. Restrict other services Majority of vulns are in DNS, DHCP, and ICMP processing. Most are memory leaks, which are not as useful to ICS attackers. 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SAF SAFEGUAR ARDING ING CIV IVIL ILIZ IZATIO ION FORGING A CYBERSECURITY DEFENSE FO FO

SAF SAFEGUAR ARDING ING CIV IVIL ILIZ IZATIO ION FORGING A CYBERSECURITY DEFENSE FO FO

I N I N D U S T R I A I A L C O N T R O L S Y S T E M E M S C Y B E R E R S E C E C U R I T Y SAF SAFEGUAR ARDING ING CIV IVIL ILIZ IZATIO ION FORGING A CYBERSECURITY DEFENSE FO FO FOR UTILITIES JASON D. CHRISTOPHER INDUSTRIAL

563 views • 29 slides
Tokeni z ation and Lemmati z ation FE ATU R E E N G IN E E R IN G FOR N L P IN P YTH ON Ro u

Tokeni z ation and Lemmati z ation FE ATU R E E N G IN E E R IN G FOR N L P IN P YTH ON Ro u

Tokeni z ation and Lemmati z ation FE ATU R E E N G IN E E R IN G FOR N L P IN P YTH ON Ro u nak Banik Data Scientist Te x t so u rces Ne w s articles T w eets Comments FEATURE ENGINEERING FOR NLP IN PYTHON Making te x t machine friendl y

983 views • 35 slides
TSX: FM; LSE: FQM Cautio tionar nary y Note e Regar arding ing Forwar ard-Looking Looking

TSX: FM; LSE: FQM Cautio tionar nary y Note e Regar arding ing Forwar ard-Looking Looking

TSX: FM; LSE: FQM Cautio tionar nary y Note e Regar arding ing Forwar ard-Looking Looking Stat atemen ement Some Some of of the the stat statemen ments ts con contain tained ed in in the the foll ollowing wing mat material

364 views • 33 slides
Heterogeneity in Contact Dynam ics: Helpful or Harm ful to Forw arding Algorithm s in DTNs? 7 th

Heterogeneity in Contact Dynam ics: Helpful or Harm ful to Forw arding Algorithm s in DTNs? 7 th

Heterogeneity in Contact Dynam ics: Helpful or Harm ful to Forw arding Algorithm s in DTNs? 7 th Intl. Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WiOpt09) June 24, 2009 Chul-Ho Lee and Do Young Eun Dept.

706 views • 44 slides
Saf afeguar arding t the Guest Experience wi with Director of Operations, Marigot Bay Resort

Saf afeguar arding t the Guest Experience wi with Director of Operations, Marigot Bay Resort

Presenters Jeff Aguiar , Director of Sales, Intelity Tim Butterworth , Commercial Director, Crave Interactive Perle Flavien , Saf afeguar arding t the Guest Experience wi with Director of Operations, Marigot Bay Resort &amp; Marina

462 views • 29 slides
Vis u ali z ation of Linear Models C OR R E L ATION AN D R E G R E SSION IN R Ben Ba u mer

Vis u ali z ation of Linear Models C OR R E L ATION AN D R E G R E SSION IN R Ben Ba u mer

Vis u ali z ation of Linear Models C OR R E L ATION AN D R E G R E SSION IN R Ben Ba u mer Assistant Professor at Smith College Poss u ms ggplot(data = possum, aes(y = totalL, x = tailL)) + geom_point() CORRELATION AND REGRESSION IN R Thro

440 views • 23 slides
TSX: FM; LSE: FQM May 2014 Cautio tionar nary y Note e Regar arding ing Forwar ard-Looking

TSX: FM; LSE: FQM May 2014 Cautio tionar nary y Note e Regar arding ing Forwar ard-Looking

TSX: FM; LSE: FQM May 2014 Cautio tionar nary y Note e Regar arding ing Forwar ard-Looking Looking Stat atemen ement Some Some of of the the stat statemen ments ts con contain tained ed in in the the foll ollowing wing mat

659 views • 47 slides
e-laws EASM m member su urvey rega arding th e charter rs and by Present tation o of the

e-laws EASM m member su urvey rega arding th e charter rs and by Present tation o of the

e-laws EASM m member su urvey rega arding th e charter rs and by Present tation o of the re esults General in nformation : Al l 442 curre nt EASM me embers wer re individua ally invited o on 20 th Jan 2 2018 to pa rticipate

400 views • 24 slides
Product I nform ation 4 .0 Gebrauchsinform ation 4 .0 ( GI 4 .0 ) Digital Product

Product I nform ation 4 .0 Gebrauchsinform ation 4 .0 ( GI 4 .0 ) Digital Product

Product I nform ation 4 .0 Gebrauchsinform ation 4 .0 ( GI 4 .0 ) Digital Product Information System for Pharmaceuticals Dr. Georg Lang November 2018 I downloaded the App and tested it with my medicines. I see an additional benefit

78 views • 7 slides
F u ndamental Val u ation : Anal yz ing Projections E QU ITY VAL U ATION IN R Cli Ang

F u ndamental Val u ation : Anal yz ing Projections E QU ITY VAL U ATION IN R Cli Ang

F u ndamental Val u ation : Anal yz ing Projections E QU ITY VAL U ATION IN R Cli Ang Senior Vice President , Compass Le x econ Anal yz ing Projections Projections are critical inp u t in disco u nted cash o w anal y sis Garbage - In

261 views • 14 slides
NE T L Gasific ation Pr ogr am Ove r vie w 2019 Gasific ation Syste ms Pr oje c t Re vie w

NE T L Gasific ation Pr ogr am Ove r vie w 2019 Gasific ation Syste ms Pr oje c t Re vie w

NE T L Gasific ation Pr ogr am Ove r vie w 2019 Gasific ation Syste ms Pr oje c t Re vie w Me e ting April 9, 2019 K. David L yons, T e c hnology Manage r , Ga sific a tio n Syste ms, NE T L Solutions fo r T oday | Options fo r T

446 views • 15 slides
We ste rn Cape E duc ation De partme nt e -E duc ation Strate gy E nhanc ing L e ar ning

We ste rn Cape E duc ation De partme nt e -E duc ation Strate gy E nhanc ing L e ar ning

We ste rn Cape E duc ation De partme nt e -E duc ation Strate gy E nhanc ing L e ar ning utilizing e T e ac hing and e L e ar ning Pr e se ntation to Mille nnium@E DU Me e ting k B.K. Sc hr e ude r Ne w Yor De puty Dire c to r-Ge ne

656 views • 24 slides
USA A 2018 2018 CO CONSULT LTAT ATION P PRE RESENTAT ATION G GUIDE DE ENACTU EN TUS J

USA A 2018 2018 CO CONSULT LTAT ATION P PRE RESENTAT ATION G GUIDE DE ENACTU EN TUS J

USA A 2018 2018 CO CONSULT LTAT ATION P PRE RESENTAT ATION G GUIDE DE ENACTU EN TUS J S JUDGING ING CRITER ITERION ION Which Enactus team most effectively used entrepreneurial action to empower people to improve their livelihoods

377 views • 3 slides
Ev Eval aluat ation of of Ri Risk-base based Re Re-Au Authenticat ation Me Meth thods

Ev Eval aluat ation of of Ri Risk-base based Re Re-Au Authenticat ation Me Meth thods

Ev Eval aluat ation of of Ri Risk-base based Re Re-Au Authenticat ation Me Meth thods Stephan Wiefling* # , Tanvi Patil + , Markus Drmuth # , Luigi Lo Iacono* H-BRS University of Applied Sciences (*) Ruhr University Bochum ( # ) UNC

923 views • 38 slides
Relati v e Val u ation E QU ITY VAL U ATION IN R Cli Ang Senior Vice President , Compass Le

Relati v e Val u ation E QU ITY VAL U ATION IN R Cli Ang Senior Vice President , Compass Le

Relati v e Val u ation E QU ITY VAL U ATION IN R Cli Ang Senior Vice President , Compass Le x econ La w of One Price Relati v e v al u ation is based on the La w of One Price , i . e ., t w o assets that look the same m u st ha v e the price

383 views • 21 slides
I nform ation &amp; Referral I nform ation &amp; Referral - Building on our Mandate Building on

I nform ation &amp; Referral I nform ation &amp; Referral - Building on our Mandate Building on

I nform ation &amp; Referral I nform ation &amp; Referral - Building on our Mandate Building on our Mandate - Why Focus on Information and Referral? Recent studies have indicated that older adults are unable to identify services or

565 views • 21 slides
Watershed Charter School APC Meeting Agenda 1.Welcome and Call to Order 2.Head Teacher Update

Watershed Charter School APC Meeting Agenda 1.Welcome and Call to Order 2.Head Teacher Update

Watershed Charter School APC Meeting Agenda 1.Welcome and Call to Order 2.Head Teacher Update 1.Watershed School restart considerations and comparison with drafted FNSBSD plans 2.Questions 3.Testimony 4.Watershed School Restart Plan

250 views • 5 slides
An infinite family of Steiner triple systems without parallel classes Daniel Horsley (Monash

An infinite family of Steiner triple systems without parallel classes Daniel Horsley (Monash

An infinite family of Steiner triple systems without parallel classes Daniel Horsley (Monash University) Joint work with Darryn Bryant (University of Queensland) Part 1: Steiner triple systems and parallel classes Steiner triple systems

1.05k views • 94 slides
The Future of APC Management in Polymetastatic Disease William K. Oh, MD Deputy Director, Tisch

The Future of APC Management in Polymetastatic Disease William K. Oh, MD Deputy Director, Tisch

The Future of APC Management in Polymetastatic Disease William K. Oh, MD Deputy Director, Tisch Cancer Institute Chief, Hematology and Medical Oncology Icahn School of Medicine at Mount Sinai @williamohmd Disclosures Consultant/SAB: Amgen,

1.19k views • 20 slides
An Unsupervised Autoregressive Model for Speech Representation Learning Yu-An Chung Wei-Ning Hsu

An Unsupervised Autoregressive Model for Speech Representation Learning Yu-An Chung Wei-Ning Hsu

An Unsupervised Autoregressive Model for Speech Representation Learning Yu-An Chung Wei-Ning Hsu Hao Tang James Glass Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology Cambridge, Massachusetts,

1.24k views • 13 slides
Bioinformatics: Network Analysis Kinetics of Regulatory Networks: Basic Building Blocks COMP 572

Bioinformatics: Network Analysis Kinetics of Regulatory Networks: Basic Building Blocks COMP 572

Bioinformatics: Network Analysis Kinetics of Regulatory Networks: Basic Building Blocks COMP 572 (BIOS 572 / BIOE 564) - Fall 2013 Luay Nakhleh, Rice University 1 Basic Building Blocks Here we show how simple signaling pathways can be

371 views • 20 slides
EDGE IN A BOX A joint solution with APC by Schneider Electric, StorMagic and HPE MAKING THE

EDGE IN A BOX A joint solution with APC by Schneider Electric, StorMagic and HPE MAKING THE

2019 2020 EDGE IN A BOX A joint solution with APC by Schneider Electric, StorMagic and HPE MAKING THE COMPLEX SIMPLE MAKING THE COMPLEX SIMPLE PRESENTERS &amp; AGENDA 2 NEED FOR EDGE COMPUTING EXPLODING EDGE COMPUTING MARKET $47B WHAT IS

370 views • 14 slides
Auxiliary Mixture Sampling for Age-Period-Cohort Models Andrea Riebler &amp; Leonhard Held

Auxiliary Mixture Sampling for Age-Period-Cohort Models Andrea Riebler &amp; Leonhard Held

Auxiliary Mixture Sampling for Age-Period-Cohort Models Andrea Riebler &amp; Leonhard Held University of Zurich Reisensburg, September 2007 Introduction Age-Period-Cohort Models Auxiliary Mixture Sampling Summary and Outlook Outline

367 views • 33 slides
Modelling Biochemical Reaction Networks Lecture 18: Modeling the cell cycle, Part II Marc R.

Modelling Biochemical Reaction Networks Lecture 18: Modeling the cell cycle, Part II Marc R.

Modelling Biochemical Reaction Networks Lecture 18: Modeling the cell cycle, Part II Marc R. Roussel Department of Chemistry and Biochemistry Further development of the model Our model so far includes inactivation of APC by MPF, and

134 views • 11 slides

More recommend