Through the Eyes of the Attacker: Designing Embedded Systems Exploits for Industrial Control Systems

Presented at DEF CON 26 (2018), Aug. 11, 2018, 10 a.m. (45 minutes)

In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting a petrochemical plant in Saudi Arabia. TRITON was designed to compromise the Schneider Electric Triconex line of Safety Instrumented Systems (SIS), potentially in order to cause physical damage. TRITON is the most complex publicly known ICS attack framework to date and the first publicly known one to target safety controllers. While the functionality of the malware is understood, little is known about the complexity of developing such an implant.

The goal of this talk is to provide the audience with a "through the eyes of the attacker" experience in designing advanced embedded systems exploits and implants for Industrial Control Systems (ICS). Attendees will learn about the background of the TRITON incident, the process of reverse-engineering and exploiting ICS devices, and the development of implants and OT payloads as part of a cyber-physical attack, and will be provided with details on real-world ICS vulnerabilities and implant strategies.

In the first part of the talk we will provide an introduction to ICS attacks in general and the TRITON incident in particular. We will outline the danger of TRITON being repurposed by copycats and estimate the complexity and development cost of such offensive ICS capabilities. In the second and third parts of the talk we will discuss the process of exploiting ICS devices to achieve code execution and developing ICS implants and OT payloads. We will discuss real-world ICS vulnerabilities and present several implant scenarios such as arbitrary code execution backdoors (as used in TRITON), pin configuration attacks, protocol handler hooking to spoof monitored signal values, suppressing interrupts and alarm functionality, preventing implant removal and control logic restoration, and achieving cross-boot persistence.

We will discuss several possible OT payload scenarios and how these could be implemented on ICS devices such as the Triconex safety controllers. In the final part of the talk we will wrap up our assessment of the complexity and cost of developing offensive ICS capabilities such as the TRITON attack and offer recommendations to defenders and ICS vendors.

Presenters:

  • Marina Krotofil - ICS/SCADA Security Professional
    Marina Krotofil is an experienced ICS/SCADA professional. She previously worked as a Principal Analyst in the Cyber-Physical group at FireEye (USA), as Lead Cyber Security Researcher at Honeywell (USA), and as a Senior Security Consultant at the European Network for Cyber Security (Netherlands). She spent seven years researching offensive Industrial Control Systems (ICS) security: discovering and weaponizing unique attack vectors, engineering damage scenarios, and understanding attacker techniques when exploiting ICS. Marina's offensive security skills serve her well during incident response, ICS malware analysis, and when engineering defenses. She has authored more than 20 academic and white papers on ICS security and is a frequent speaker at leading security events around the world. She holds an MBA in Technology Management, an MSc in Telecommunication, and an MSc in Information and Communication Systems. @marmusha
  • Jos Wetzels - Security Researcher, Midnight Blue Labs
    Jos Wetzels is an independent security researcher with Midnight Blue specializing in embedded systems security across various domains, ranging from industrial and automotive systems to IoT and networking equipment. He previously worked as a researcher at the Distributed and Embedded Security group (DIES) at the University of Twente (UT), where he developed exploit mitigation solutions for constrained Industrial Control Systems (ICS) used in critical infrastructure, performed various security analyses of state-of-the-art network and host-based intrusion detection systems, and was involved in the AVATAR research project on on-the-fly detection and containment of unknown malware and Advanced Persistent Threats. He has assisted in teaching hands-on offensive security classes for graduate students at the Dutch Kerckhoffs Institute for several years. @s4mvartaka