Thank you. Hello everyone, this is Jan from Istanbul, Turkey, and I am with Serkan today, and we will be talking about playing with electricity and red teaming in power distribution companies, or hacking power distribution companies. Before getting started, I would like to thank the ICS Village team for having us. It's a really great opportunity to meet you all. We really like to be part of community activities all over the world. We also have some community activities in Turkey as well, so it's really great to be meeting you all over here. Basically, we have one hour with you, and our presentation has three parts. The first part is an overview: we will give brief information about the electricity architecture and the power distribution company architecture, and give you some SCADA application architecture; then we will discuss red teaming scenarios; and then we will perform some attacks on our simulation lab. Actually, thanks to Serkan, our simulation lab had some nerve-racking issues. We changed our hardware like four times in the last three days. It worked at the end of the day, and we recorded videos for this presentation to avoid any problems. We will have some videos and we will talk about them. All right, so let's do it. Serkan, please go ahead and introduce yourself, please.

Thank you, Jan. First of all, good afternoon to the spectators on the American side, and maybe good night or good evening to the spectators on the European and Asian sides. First of all, I'd like to thank you for giving us the opportunity in this beautiful organization, and I'd like to express my pleasure at being here. Now I will give some information about myself. I am Serkan Tamal. I am an electrical and electronics engineer. I have seven years of experience with industrial control systems, systems based on electric distribution, transmission, and power generation.
For the last one year of my career, I have focused on cybersecurity systems and also on industrial control system cybersecurity topics. Thank you, Jan. We can go on with the presentation now.

I am also an electronics engineer, and I have more than 80 years of cybersecurity background, and for the last five years I have mostly concentrated on critical infrastructure and, let's say, SCADA cybersecurity. At the moment, we are both working for Cyberwise on critical infrastructure cybersecurity, and today, as we mentioned, we will discuss the electricity subsector and power distribution, red teaming, and cybersecurity. All right. We want to start with why electricity matters, actually. It's not just for us, but for all the rest of the world. It's the backbone of all critical infrastructure. When it fails, it directly affects the fundamentals of daily life or modern life. For example, it affects the health sector, the transportation sector, the finance sector, and so on. Once it fails, it directly affects people and public safety, and it's really the backbone of critical infrastructure. So we wanted to take that part and build a presentation around that point. So we will be discussing red teaming in power distribution companies, but before that, we need to understand the electricity architecture process-wise. Basically, it has three parts: we have power generation, we have transmission lines, and then we have the power distribution part. Most of the time, power plants and power generation are located outside of city centers. That means we need to carry electricity a long way, kilometers off. It means we require transmission lines. And that means we need step-up and step-down operations. Once we are done with the transmission lines, we come to power distribution. Actually, it is the last line of customer touch. I mean, if something fails in the power distribution part, it directly affects the customer and our business.
To be honest, the distribution companies and the electricity distribution process are not too complicated when we compare them with power plants or the petrochemical industry. So it is easy to attack and also easy to defend. Serkan, would you like to add something?

At some point in this presentation today, we tell you about distribution. But I would like you to be aware of this point. The transmission layer is a critical part of the electricity architecture because it is a bridge between power generation and power distribution. And it is the backbone of the electricity architecture. Today's topic is electricity distribution, but transmission is very, very critical from the cybersecurity perspective.

And actually, it depends on the country or the region. Sometimes it is operated by the government. Sometimes it is operated by private companies. It really depends on the region and country perspective. But I really agree with you that the transmission line is also the core of the electricity architecture. Thank you. So let's dive into the power or electricity distribution infrastructure. First of all, it's a really great example of SCADA, because you have people, which means the supervisory element of SCADA, and you have remote locations. As you can see on the screen, there are lots of different substations connected via different types of communication media to your control center or emergency control center. So, as we said, it's a great example of a SCADA application because you get data from all the different remotely located substations, and sometimes you control the remote substations. On the other hand, you have remote offices like payment offices, headquarters, government agencies to report to, or you have direct integration. For example, in Turkey, renewable power plants have to report to the nearest power distribution company for regulation.
Basically, what we can say is that there are lots of remote locations that we need to control. And that means we need different types of communication media. In distribution companies, we really need to take care of communication media security as part of the defense mechanism. On the other hand, sometimes some companies or some governments or some countries have a smart meter application, which means the smart meters directly affect the electricity. They open and close the electricity via the metering control center through the smart meters. Why am I telling you this? Because it will affect our red teaming scenarios and our understanding of the infrastructure. What we need to understand from this slide: we have lots of high-level connectivity. There are different types of communication media, and we have lots of different types of substations and equipment. And for the rest of it, we have lots of different types of integration. All right, I'm done.

All right, I will give brief information and pass to the second stage. We discussed the electricity architecture, and then we discussed the power distribution architecture. Now we will discuss the SCADA architecture. It's also distributed on the server side. But before jumping into it, we need to understand that there's a need for a high level of connectivity in such a power distribution company. Sometimes we need to connect the outage management system, the ERP application, the call center, and so on. Maybe Serkan can give some examples about that.

Yes, we mentioned in the previous part of the presentation that distribution touches the customers. This means that the distribution company works with so many customers, on things like customer management, outage management, VFM, and other stuff, so many things for the customers. Because of that, the distribution systems must be and have to be integrated with IT software applications, like Jan mentioned, that's OMS.
OMS, VFM, other companies' third-party software. Because of that, the distribution system is a little different from the transmission and power generation systems. And also the distribution network has so many substations. This means so much data, so many connection stations. So we need powerful systems. We have to split this load across separate servers, like an application server, a communication server, a data server, a backup server, and so on, like an HMI server. So distribution systems have a little bit of a distributed and separated structure.

It's very similar to an IT environment, actually. You have some types of application servers, communication servers. It does some kind of load balancing, and it requires really good integration with IT applications or business applications. Sometimes it's part of the SCADA applications, like what we call the outage management system, or call centers. They are directly talking with or integrating with our SCADA application. Because once you have a blackout, or some kind of blackout or shock on the electricity, you will get some calls, you need to reach out to customers, you need to get some data from SCADA. So it's really integrated with IT applications, sometimes cloud applications. And on the other hand, you have entrusted parties like vendors, remote offices, other types of control centers, or government agencies. Sometimes it's done via a firewall, sometimes directly connected to your industrial equipment. It really depends on the customer strategy, or sometimes they are not really aware of what kind of communication channels they have. But what we need to remember here: our SCADA architecture is distributed in its server roles, it's like an IT application, and it has integration with the business side. And also it talks with the substations through our communication media. So I will leave the comments about substations to Serkan, because he has expertise from lots of years.
We have talked about the substation architecture. The substation architecture is a distribution substation process. We have some main devices for the process. The first one is the RTU. The RTU is a telecontroller which connects field devices to SCADA systems. We think of it as a data concentrator or data transfer device, too. The energy analyzer is an energy meter which gets information from the CT and VT transformers, the electrical-side information, translates it to the digital side, and directly sends this information to SCADA systems. The protection relay is a critical piece of equipment in distribution, and also transmission, and also generation, as you know. The protection relay is the first IED, the first electronic device connected to the physical electric system. It is a bridge between the cyber and physical worlds. Because of that, protection is the most critical part and the most critical device in distribution systems. From the cybersecurity perspective, if you want to shut down the electricity, you have to control the protection relay. Maybe you can attack the RTU, maybe attack the SCADA systems; that just blocks our monitoring of the field side. But if you want to control electricity, shut down electricity, or re-energize electricity, you have to control the protection relay. The fourth device is the smart meter. The smart meter, as you know, is for billing purposes, and maybe on the low-voltage side, the customer side, for shutting down electricity or re-energizing electricity. The last two devices are physical devices. The first one is the low-voltage circuit breaker. It controls the electricity line. And the last one is the medium-voltage cubicle, meaning the circuit breaker is also inside this cubicle. It controls the electricity lines, the networks. Next slide, please. I think, yeah, yes. Yes, we have the IED device, the protection relay device. I would like to say it again because it is very critical. The protection device has two parts: one is the hardware, the other is the software.
On the hardware side, they have analog inputs, analog outputs, digital inputs, digital outputs, and also a serial or Ethernet interface. Voltage and current information is taken through the analog input modules, and also to control analog things like set points, power, say, setting the frequency or setting the voltage, you have to set analog outputs. And the digital inputs and digital outputs are the most critical, because the digital inputs come basically from the circuit breaker position, the isolator position, and other information about the physical systems. And the digital output controls the circuit breakers, which means that you control the electricity. Because of that, in SCADA systems and most communication protocols, and from an anomaly detection or cybersecurity perspective, we focus on the digital output signal. In the beginning, these devices had a serial interface because at that time the Ethernet/IP world had not arrived. Today most devices have an Ethernet interface, and they gain the advantages of the Ethernet/IP world. But there are some side effects, from a cybersecurity perspective, of gaining these advantages. I will tell you about it later. On the software side: communication protocols. Communication protocols means industrial communication protocols like Modbus, like Profibus, like IEC 104, DNP3, and others. This helps to communicate with the RTU or with the SCADA systems to send information to the upper level. Logic functions control things like the circuit breaker or other blocking functions, interlocking functions, logic functions, and the configuration interface. This is the critical part of the IED device. As I mentioned, they have an Ethernet interface. Most IED devices nowadays use a web service interface for the configuration software or configuration interface. This is the vulnerable point of these systems, the big point about IED devices nowadays.

Thank you, Serkan. Actually, we always get afraid or freaked out about touching such intelligent electronic devices.
Because, as you mentioned, one part is physical, which controls the electricity, and one part is cyber: it's the RTU or the SCADA applications. It's like the last line of the physical and cyber breach. Once you control it, you control the electricity; you can control it through the RTU, or you can directly send commands to the IED, or you can trigger some SCADA application set points and it will directly affect the intelligent electronic devices. But once you're planning a red teaming or pentesting activity, you need to be aware that such devices can affect the electricity, and you need to be really careful what you are playing with. All right, so now we can discuss the red teaming approach and red teaming scenarios. Before jumping into the details, I wanted to discuss how red it is, because since it's critical infrastructure, since it's the last line of customer touch, can we really be free to do real red teaming? In that case, most asset owners and most cybersecurity companies get afraid, to avoid the consequences of something happening. I may say that nobody does direct red teaming; maybe it's like light pink teaming, let's say, because we really need to be aware that public safety and process safety are much more important than your color activity. So you really need to take care of the process, you really need to take care of public safety, because we always think in that way: what if we shut down electricity for a hospital and we kill someone in that hospital because of no electricity? So it really sets a great boundary for us to do our tests, pentesting activities, or red teaming activities in a controlled way. So it's not really red, light pink maybe, but to understand each other in a better way, I wanted to express that part as well. So I would like to mention the core steps. We divided it into five main steps; actually, we discussed the first two of them: understand the process, understand the architecture.
Once you do any red teaming activity in any kind of ICS infrastructure, in this case we are talking about power distribution. We gave brief information about the electricity architecture, distribution architecture, SCADA architecture, and substation architecture. And we thought that the power distribution companies' process is not too complicated. We have very limited types of signals compared to power plants and petrochemicals. So it's a really easy process, which eases the attack and the defense. Now we need to define our landscape, and then we will try to create some kind of scenarios to develop directly for red teaming activity usage. And then finally we will perform some kind of attacks in our simulation lab. I don't want to talk about IT-based red teaming, or getting into the IT and then jumping into OT, that kind of red teaming activities or landscape, but once you are talking about power distribution red teaming, we wanted to give you brief landscape information: what you need to know, what you are going to face, and how it will affect your planning. So basically we have eight categories that we will discuss today. The first one is protocols. There are different types of protocols you will see in the field, in the distribution companies. Basically in the SCADA part, I mean the wide area network, you will see IEC 104 and DNP3, and at the substation level you will see different types of protocols, sometimes GOOSE, MMS, and so on. And at the upper level, the supervisory level, you will see soft pass, and at the control level you will see Modbus TCP, Modbus RTU, even sometimes serial protocols. And then if you have smart meters, and even in the SCADA application, you may have power line communication. It's still PLC, but it's a different term. We will discuss it today as well. And then we said that communication media is very important.
If you get into the communication media somehow, let's say you get into the APN network based on GSM, or you get into the RF signals, you then directly interact with substations, interact with RTUs, and interact with control center equipment and emergency control center equipment. So communication media is also very important for us in red teaming planning. On the other hand, you need to be aware of third-party integration. There are different types of integration. It depends on the country and region and the regulation. You see some of them in our list. And also as an asset owner, you have some kinds of remote locations or local locations, like the control center, emergency control center, metering control center, headquarters, payment offices, or communication centers for things like RF towers. So asset owner locations also matter to us. On the other hand, the substation is very important for us because it is remotely located, and physical and cyber control is very limited compared to the control center, emergency control center, or headquarters. In that case, you will be facing industrial protocols on industrial devices, and you may apply some kind of hopping attacks. What I mean by that: once you get into a specific remote substation, you can jump over to another substation. You can jump over to the control center or emergency control center. You may create some fake signals, as if they are coming from the other remote substation, and so on. So it's a very great endpoint and a great defense point for us. But I should stress that in the substation we have some physical controls. For example, if someone opens the door, or if someone opens the cabinet, or if someone is moving in the substation, it creates some alerts and sends signals over 104 to the control center. So we still have some types of controls that we need to be aware of when we plan such activities or when we plan red teaming activities.
On the other hand, technology. I'm sure that all the villagers have proper knowledge of that. I don't want to go through each of them because it's like IT-wise pentesting or red teaming, because it's servers, network devices, and some kinds of field devices. So I don't want to go through each of them. And on the other hand, we have people. For example, in Turkey, we have a specific regulation for assessment in power generation and distribution companies. And it requires social engineering activities for the energy people, let's say the asset owner's people. Sometimes we see that some red teaming activities hit the vendor engineers or the OT partner engineering company's engineers. So the people segment also has really very different types of mechanisms. For example, in Turkey, we need to do physical pentesting. We need to do phone calling. We need to do email-based social engineering. It's all written down in the regulation. And also yet another landscape for us is the industrial process, and we will discuss it at yet another conference, because since there are fewer signals and it's less complicated in power distribution and the power industry, industrial process vulnerabilities may affect public safety directly. So we avoid mentioning the entry points of process vulnerabilities, but we can discuss it later for other industries on the following days. All right. So I hope we understood the process. We understood the architecture and defined some kind of landscape. Again, it may change by region, country, and regulation, but we need to understand the basics of distribution. So we need to create some kind of scenarios. In this presentation, we created three types of scenarios. We have created a specific table for that. I will go through them. It's again not IT-based red teaming or pentesting. We try to create scenarios that directly affect the electricity.
So for the scenario, we had a chance to work with our IoT team leader and hardware security leader, Fatih Kairan. Actually, he developed this scenario and applied it in the field. Once upon a time, we were in a distribution company and came up with the idea: we figured out somehow that the smart meters were controlling the city's electricity, which means if we could find a way to send a proper command to the smart meters, it would directly shut down the electricity. In that case, the smart meters were talking through power line communication, so we created our scenario based on this. So, for the team members to understand each other in a better way, we create such a table to define our success criteria, difficulty factors, and to decide if switching is required or not. I will work through one table, and I will pass through the rest of it because we will perform a real-time simulation for the rest of it. In this scenario, we targeted shutting down the electricity, but before jumping into that, we classified our tactics and techniques based on monitoring, manipulation of control, and manipulation of view, and our entry points were smart meters and power line communication. Complexity in this scenario was high; difficulty was high because unknown protocols were there, a specific hardware design was required, and the high-voltage work environment can be dangerous, because we lost one of our laptops and one of our team members got injured during this test, because you work with high voltage directly through the plugs. For better understanding: you plug the smart meter into the city network, so you turn that specific smart meter into a weapon to target the electricity. I will discuss it through this presentation.
So the dependency was the communication interface reverse engineering or protocol reverse engineering; the required time was high for us; and also, what were our success criteria: understand the protocol, send and receive packets on the power line, send a command to cut off electricity for a defined area. Sometimes we create some SOC success criteria for our customers to better detect the next attacks. In that case, it could be hardware or smart meter log management, OMS log management, call center log management, or smart meter application log management that could be a success criterion. We defined log sources for red teaming activities, and then we defined a proposed method and a chain of activity. In that case, our proposal was: shut down the electricity via an unexpected point of entry through unexpected communication media, turning plug-in meters into industrial attack equipment. So our idea was simple. Power line communication works through the power signals. You modulate it and put your data into the electricity signals. So it directly talks through the electricity. I think yesterday there was a specific session about that. In that case, we will look into how it's used in distribution companies. In that case, we have a data concentrator, which is directly connected to different types of customers, almost tightening, and there are smart meters and there are some power line communication interfaces, and it connects to the backend system through the APN, in that case over the internet. So guess what? Broadcast messages were going through the specific power line. If you have specific hardware, you can develop it, or you can turn a smart meter into your tool. In that case, we made it, and we were able to understand the reading data and the shut-down-the-electricity commands. So since it's broadcast, each of the smart meters gets the data, and once you give an order, everyone gets the order, but only one of them applies it and reports back to the center.
So once you see the data, you see the smart meter ID, and in that case the power line communication was using the DLMS/COSEM protocol. In that case, that specific number defines the shut-down-the-electricity command; it's very similar to a double command in 104. And also in that case, we were able to get readout data. In this case, this is the readout code for the DLMS/COSEM protocol. What we are trying to say is that you don't directly attack the SCADA application, RTUs, or IEDs. The best and easiest way is to find yet another proper line to the end of your goal. So in that case, power line communication and smart meters gave us a chance to shut down the electricity, but you need to deal with high-voltage electricity, you need to deal with power line communication, new types of protocols, modulation, demodulation, and encryption, and these require much more time. But most of the time, the asset owners and the pentesters don't pay attention to that channel. So you really create value for your customer and for people's safety in that case. As far as I know, the European countries also have a great implementation of smart meters. We don't need to take care of these standards as well. Okay. So our last two scenarios are based on RTUs and industrial protocols; we will show how to do industrial red teaming in a real lab environment, which took Serkan days, and all of us, during these sessions. Basically, we have two different scenarios for this presentation: one of them is extracting data from config files without further reverse engineering or further implementation of anything. Think about that: you have some type of configuration files, you don't have any access to the OT environment or substation yet, but you will figure out some type of data to plan your next session of red teaming activities. We have a specific example of that. Since I discussed the last table deeply and in great detail, I don't want to lose any time discussing it.
So I will jump into the next one because we will discuss a real scenario. Yet another scenario for this session is the remote substation protocol attack. In that case, the attacker needs to interact with the substation equipment. It can be done via a Raspberry Pi implementation, connecting through Wi-Fi and so on, like we did in our lab environment. And we will shut down the electricity using the protocol commands. Once we understand what kind of protocols are used, and once we understand the protocols, we will figure out where to send the data and finally send the data to shut down the electricity. To have a better understanding of each other, what we are trying to say is: if you are planning a red teaming activity or assessment in a power distribution company, you need to understand the process, you need to understand the architecture, you need to understand the landscape. Once you have the three elements, then you can create your scenarios. You need to think outside the box, but that doesn't mean you can go outside public safety rules or process safety rules. So it's really hard to balance. And we want to give you some simple ideas to reach your end goal, rather than implementing some IT-based or IT-related red teaming activities. I think I can be free from now on and put Serkan into the fire.

As is tradition, we came face to face with Murphy's law. But finally we succeeded with the lab setup. Now I will give information about the lab setup. It's a very simple part of a substation process. We have one RTU, an ABB 1 for 0, and one IED device, one SCADA server, SCADA PCs, and also one switch. We use the Kepware KEPServer software as the SCADA master. And also we use the Modbus TCP protocol and also the IEC 104 protocol. Modbus TCP is used between the IED device and the RTU, and IEC 104 is used between the RTU and the SCADA, i.e., the Kepware device. The tricky part is the hardware implanted in the substation as an attacker. We assume that we have some Raspberry Pi device or another device as the attacker machine.
Before jumping into details, I would like to mention that this setup doesn't indicate any weakness in ABB RTUs. It's just a simple RTU that we could get on the market, and we know how to configure it. So we will do some protocol-based simulation, but it doesn't just affect ABB. It's based on leveraging the protocol usage, actually, to avoid any misunderstanding. And also it is a very common RTU used in Europe and Asia. And also this is the second reason we chose this RTU. Now we can jump into the lab videos.

All right. So we will start with interfaces and signals. The first video is about configuring the RTU. I'll jump into that in just a second. Yes, we use the RTUtil 500 software for programming the RTU, configuring the RTU. We created it before, and we open the existing project. This part takes a little bit of time. It may be boring. They hide the project file deep inside my file system. Yes. And a Turkish character error now. This is the RTUtil 500 software interface. This is the network tree. We have three communication lines. One is IEC 104 for SCADA communication. The other one is Modbus TCP for the IED device's Modbus communication line. You can easily see some parameters of the communication protocol. Yes, it is the 104 communication protocol setup. As you see: ASDU address, ASDU address structure, information object structure, maximum length of idle. And then this is the Modbus TCP side configuration. This is the network tree. Now we are in the hardware tree. On the hardware side we choose our RTU main CPU model, and also we add the field-level signal information on that side, the hardware side. And also, as you see, the Modbus TCP communication configuration zone. This is the IP address of the IED device. And also again the 104 configuration section. Now these are the RTU interfaces. It has two Ethernet interfaces. As you see, the IP addresses of the interfaces. And on this side we configured our field-level signals, like active power.
That is the Modbus side, with holding register index number 13. And this is the SCADA IEC 104 side: ASDU address 1, information object address 103. And the other signals like phase A current, phase B current. We recorded all of it and show all the parameters of the signals, because you may want the Modbus signal in your own lab and maybe you want to replay it in your own lab. So we wanted to give you brief info in this section. The other sections will be much, much faster, let's say. But once you understand that configuration part, it's much easier to understand the rest of the simulation. This is the type of the Modbus signal. As you see, there are force coil commands, single coil commands. And register read, coil status, with coils used for single point information. Digital input, like the position of the circuit breaker. And switch control means that it sends a control command to the circuit breaker. Power limit set point. And the other metering information: phase A current, phase B current, phase C current. It's a very simple model of a substation. So we can jump into the second one.

Second video. In this video we directly connect to the RTU web interface. As you see, this is the IP address of the first Ethernet interface. Use username and password. On that site you can easily see the configuration management page. You'll see the configuration file, which configuration is now active, when you updated this configuration file, and also you can get the configuration file from the device, and also delete this configuration, etc. And also directly on site you can easily monitor the signals, system log, system event status, and client session log. And also the hardware tree. The hardware tree is live monitoring of the RTU. Especially on this page you see that the RTU is active. RTU operable means that it's connected to the IED device. As you see, the CB switch position is on. And also metering information about the systems. It is live data, real-time data.
Now I can talk a little bit about the configuration file, if you wish. Our third video is related to the configuration file and extracting some data. Again, it doesn't indicate any vulnerabilities on the RTU. But somehow, if you reach the backup systems, or if you reach the file server in the IT system... Once we have a configuration file, we will download it and extract some data from it. It's really easy, actually, before any further reverse engineering work. In that case we are not in the remote substation. We are not in the control room. Somehow we get the configuration file. It can be an engineering workstation, a file server again, or a backup system. Maybe an engineering partner's workstation. Once I get the configuration file, I am directly able to see what kind of RTU is used, what version and what purpose they are using it for, what kind of interfaces and what kind of IP addresses they have, and also what kind of protocols they have. It will affect my further planning, actually, in the red teaming activity: what kind of devices are connected to that RTU in the substation, and what kind of signal parameters they are looking at. So once I have that information, without any probing, any scanning activity or any physical attachment, it really leverages your efforts once you have that kind of specific knowledge. We also have some specific projects that reverse engineer it to read all the data that is not in a human-readable format at the moment. You have much better information and knowledge about the targeted system. So in that case we want to show you that you don't need to go to the control center or the remote substation. Somehow, if you are able to get config files, you may read them directly with Notepad++, read some data, understand the process, understand the protocols and interfaces, and plan a better red teaming activity or targeted attack on the targeted system. So I will jump to your part, sir.
Yes. Before we do that, this is about the normal, traditional application and communication between SCADA systems and the RTU. First of all, I would like to show my IP address; it is in the same subnet as RTU interface one. And then we use the KEPServer we set up before as the SCADA software, the SCADA master program. This is the configuration of the master side, the KEPServer side, the KEPServer configuration file. As we see: communication address, common address, advanced settings, network interface. We have the same subnet, the same address, more advanced parameters for IEC 104, like originator address, and also the network interface. Network interface means the IP of the RTU and the port of IEC 104. And on this side we also configure our signals. This means that it is an analog short float value, ASDU address 1, IOA 103, and so on. This is the breaker control command; command, single command. Actually it will directly affect the opening and closing of breakers; later on we will apply some scenarios. It's really important to understand what type of parameters and what type of commands they take.
Now we are connected to the RTU. As you see, this is the real-time data: as you see, active power 2400, and also breaker control is zero, breaker pulse is one, which means closed. Now we send the breaker control command; control command is one. Yes, it takes the command in real time, and in real-time operation when we send this command we re-energize the circuit breaker or shut down the circuit breaker with this command. And also I would like to show some Wireshark traffic between KEPServer and the RTU. This is the Ethernet. We apply our display filter for IEC 104. Yes, as you see, this is the test frame in the protocol. Now we resend the command again and show the traffic. Yes, this is the command, single command, ASDU address 1, IOA 107. As you see, this is in Wireshark: single command, ASDU address is 1, IO address is 107, and also the set command value is zero. As you see, you can easily get this information from Wireshark, because IEC 104 is an open-text protocol, not encrypted or hashed; you can easily get information from the traffic. In that case you see that the single or double command takes place in IEC 104. In that case we sent the specific shutdown or open command to a targeted area; in case it was zero, it means we shut down the electricity through legitimate traffic. I mean, it was traffic generated by the control center. Now we will try to apply the attacker's point of view, someone who is in the remote substation via implanted hardware. This is our fifth video. Yes, we have information about the second interface of the RTU. Now, on the attacker machine, I configure my IP address for the second interface of the RTU, as you see. Now I use Nmap for some research and some searching for vulnerabilities or open ports. In that case we are looking for who has IEC 104. That protocol uses specific ports, if nobody changes them, so we are looking in the same subnet for someone who has that specific protocol. Please be aware, it's the attacker's point of view: we got into the substation, looking for some
IEC 104 endpoints, and we found two devices. This is the RTU device, as you see from the IP address, and also the IEC 104 port is open and the service is up. But now we only have information about the RTU's protocols and the RTU's IP address; we don't have any information about the signals and signal addresses. Now we use KEPServer again. We configure KEPServer again, as you see. We tried it once; now it's connected to the RTU. Now, in the protocol structure we have the general interrogation command. When we send this command, the RTU gets it and responds, and sends all the information inside this RTU. We send the GI command to the RTU. I don't have any information about the object addresses, but when we send this command the RTU responds to it, and now we can easily observe which address and which type of information is inside it. As you see, this is one: IO address is 100 and the value, as you see, is 332, etc., etc. So basically the protocol gives us an opportunity to pull all kinds of signals and data from the RTU for a specific protocol line. As an attacker we use the exact same tool, but it's a simulation environment again; you can use that specific tool in your lab environment. Yet another tool we have was developed by, I think, a master's degree student in Germany; they call it ISE test. And to make sure for all of you, we will send the same command through that specific tool. Connect again to the RTU. Now we send the command again, get information from the traffic, and also we send commands to 107. As you see from the Wireshark traffic, we send commands, and also on-off-on commands, and also, as you see from the traffic, it is the activation confirmation from the RTU in packet numbers 18 and 37. This means that the RTU accepts this command. Once you get into the substation, you pull data through the protocol and you send the command through the protocol again. In that case, single command and double command are supported by 104, and then you are able to shut down the electricity, in that case, if it's your end goal. You may apply very different types of scenarios and red teaming activities,
but we want to show you that it can be done. There are some safety mechanisms or configuration mechanisms to avoid it. Sometimes you implement IP-based solutions or anomaly detection solutions to counter that kind of activity. So with that we are at the end of our presentation, with the takeaways. We would like to stress that during red teaming activities we need to think out of the box, but we still need to take care of public and process safety. It's really a rule of thumb for us. The power distribution environment is not as complicated process-wise when compared to power plants or petrochemicals, but it has a direct effect on the other critical infrastructures and on customers directly. Power distribution companies have lots of different interdependencies; therefore information gathering carries a key role for red teaming activities. And power distribution companies are easy to target and easy to defend compared to other ICS infrastructure. So we have two minutes left. If you have any questions, please feel free to ask. We will go on Discord as well, as much as we can. So Sarkand, if you have any comment, please do, or we can take questions. If you have any questions, we will be in Discord; we will be happy to answer your questions. John and Sarkand, thank you for your talk. I noted in the Discord speaker Q&A that I consider this a mandatory talk to watch, for both learning about one-on-one and assessments, so really, really appreciate y'all dialing in and supporting us. Thank you very much for having us. I hope you enjoyed it.
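The talk shows three things on the wire that are worth seeing in code: the IEC 104 single command to ASDU address 1 / IOA 107 that Wireshark decodes in plaintext, the general interrogation that makes the RTU list every point it has, and the closing remark that anomaly detection can catch a command that does not come from the control center. The block below is an added example written for this page; it is not the speakers' code, not KEPServer, and not any ABB tool. It builds and decodes IEC 60870-5-104 APDUs with the standard library only, then runs a simple source-based check over a constructed session. The IP addresses, the assumption that the RTU still listens on the default port 2404, and the sample packets are all made up for illustration.

```python
"""Added example (not from the talk): build and decode IEC 60870-5-104 APDUs
and flag control commands that did not come from the known SCADA master.
All addresses and the session below are constructed for illustration."""
import struct

IEC104_PORT = 2404                     # default TCP port; assumption: not changed on site
START_BYTE = 0x68
# U-format control field values used for link management
U_FRAMES = {0x07: "STARTDT act", 0x0B: "STARTDT con",
            0x13: "STOPDT act", 0x23: "STOPDT con",
            0x43: "TESTFR act", 0x83: "TESTFR con"}
# ASDU type identifiers seen in the talk
C_SC_NA_1 = 45     # single command (circuit breaker open/close)
C_IC_NA_1 = 100    # general interrogation
CONTROL_TYPES = {45, 46, 47, 48, 49, 50, 51}   # command types that act on the process
COT_ACT, COT_ACTCON = 6, 7           # cause of transmission: activation / confirmation
STARTDT_ACT = bytes([START_BYTE, 0x04, 0x07, 0x00, 0x00, 0x00])


def build_i_frame(type_id, cot, ca, ioa, element, tx=0, rx=0, originator=0):
    """I-format APDU carrying one information object (SQ=0, number of objects=1)."""
    asdu = struct.pack("<BBBBH", type_id, 1, cot, originator, ca)
    asdu += ioa.to_bytes(3, "little") + element
    apci = struct.pack("<BBHH", START_BYTE, 4 + len(asdu), tx << 1, rx << 1)
    return apci + asdu


def general_interrogation(ca, tx=0, rx=0):
    """C_IC_NA_1 with QOI=20 (station interrogation): asks the RTU for all its points."""
    return build_i_frame(C_IC_NA_1, COT_ACT, ca, 0, bytes([20]), tx, rx)


def single_command(ca, ioa, on, select=False, tx=0, rx=0):
    """C_SC_NA_1; SCO byte = S/E (bit 7) | QU (bits 2..6, 0 here) | SCS (bit 0)."""
    sco = (0x80 if select else 0) | (1 if on else 0)
    return build_i_frame(C_SC_NA_1, COT_ACT, ca, ioa, bytes([sco]), tx, rx)


def parse_apdu(data):
    """Decode one APDU. Nothing is encrypted, so every field is directly readable."""
    if len(data) < 6 or data[0] != START_BYTE or data[1] != len(data) - 2:
        raise ValueError("malformed APDU")
    cf1 = data[2]
    if cf1 & 0x01 == 0:
        fmt = "I"
    elif cf1 & 0x03 == 0x01:
        return {"format": "S", "rx": struct.unpack("<H", data[4:6])[0] >> 1}
    else:
        return {"format": "U", "function": U_FRAMES.get(cf1, f"unknown 0x{cf1:02x}")}
    tx = struct.unpack("<H", data[2:4])[0] >> 1
    rx = struct.unpack("<H", data[4:6])[0] >> 1
    type_id, vsq, cot_byte, originator, ca = struct.unpack("<BBBBH", data[6:12])
    ioa = int.from_bytes(data[12:15], "little")
    info = {"format": fmt, "tx": tx, "rx": rx, "type_id": type_id,
            "cot": cot_byte & 0x3F, "negative": bool(cot_byte & 0x40),
            "originator": originator, "ca": ca, "ioa": ioa, "element": data[15:]}
    if type_id == C_SC_NA_1:               # expose the breaker state being commanded
        info["scs"] = data[15] & 0x01
        info["select"] = bool(data[15] & 0x80)
    return info


def flag_rogue_commands(packets, allowed_masters):
    """Return (src, dst, type_id, ioa) for each control ASDU not sent by a known master.
    packets: iterable of (src_ip, dst_ip, apdu_bytes) as a capture tool would hand them over."""
    hits = []
    for src, dst, apdu in packets:
        try:
            p = parse_apdu(apdu)
        except ValueError:
            continue
        if (p["format"] == "I" and p["type_id"] in CONTROL_TYPES
                and p["cot"] == COT_ACT and src not in allowed_masters):
            hits.append((src, dst, p["type_id"], p["ioa"]))
    return hits


# Constructed session: legitimate master 10.0.0.10, RTU 10.0.0.20, implant 10.0.0.99.
MASTER, RTU, ATTACKER = "10.0.0.10", "10.0.0.20", "10.0.0.99"
SAMPLE_PACKETS = [
    (MASTER, RTU, STARTDT_ACT),
    (MASTER, RTU, general_interrogation(ca=1, tx=0, rx=0)),
    (MASTER, RTU, single_command(ca=1, ioa=107, on=False, tx=1, rx=1)),    # operator opens breaker
    (ATTACKER, RTU, single_command(ca=1, ioa=107, on=False, tx=0, rx=0)),  # same bytes, wrong source
    (RTU, ATTACKER, build_i_frame(C_SC_NA_1, COT_ACTCON, 1, 107, b"\x00")),  # RTU confirmed it
]

if __name__ == "__main__":
    for src, dst, apdu in SAMPLE_PACKETS:
        print(f"{src} -> {dst}: {apdu.hex()} {parse_apdu(apdu)}")
    print("rogue commands:", flag_rogue_commands(SAMPLE_PACKETS, {MASTER}))
```

The attacker's single command and the operator's are byte-for-byte the same apart from the sequence numbers, which is exactly why the RTU accepts both; the only thing that separates them in this model is the source address, so the detector keys on that and on COT=6 (activation), ignoring the RTU's own COT=7 confirmations. A real deployment would also want to watch for a STARTDT from a new host and for general interrogations outside the master's polling cycle, since those are the reconnaissance steps the talk walks through before the command is sent.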