I'm Andrew. I used to work at sea; that's me in the Suez Canal on a container ship 13 years ago. So I know the ins and outs of boats, vessels, machinery, things like that. I also do pen testing. And this... Chris?

This is me on my stag do. I come from an industrial control system background and I also do pen testing.

So, what were we doing? Well, we were trying to prevent this from happening. This is Deepwater Horizon, which was a really quite serious event that happened when an oil rig had an issue down at the bottom of the sea, where oil and gas started leaking back up towards the rig and it exploded. Now our customer was concerned about something called a drive away. Now a semi-submersible rig isn't actually attached to the seabed. It holds its position using thrusters. So there are big propellers that can turn around on the bottom of the vessel that hold it in position. The riser drops all the way down to the bottom to a thing called a BOP, a blowout preventer, which can shut off the oil well if it needs to. Now what they're worried about is the oil rig driving off to the side. So if we can take it off position, that riser will snap and you might get a Deepwater Horizon situation. So this is obviously quite a bad thing.

So, the rigs. These were the rigs we were looking at. They were actually docked at the time; it's called warm stack. So they're still operating, but not drilling at that moment in time. This did present some problems, though. This is what we were presented with when we first got to the rig.
Now you might notice something there: 172 steps. No lift, every fucking day. Two weeks? Two weeks of this as well. It's pretty tiring. I was also there not only with Chris but our other colleague Marsh, who was absolutely terrified of heights. Now it's really quite a long way up. He's walking across a mesh catwalk there; there's a big drop down. We had to go back down every day as well. So I was going back down. Also, Marsh likes a smoke. Now to smoke you have to go outside onto the rear deck with the lifeboats. The problem is the view down there. You can see how far it is down to the sea.

Now this rig is huge. Normally to get to the rig you'd land on a helipad. So there's a helipad on the top of it. You go down and you can get down into the accommodation and explore the entire vessel. I'm not going to tell you everything about the machinery on it, just some of it. So this is a cross section of a rig. The bridge: it's got a bridge like a ship. You can steer it. You can literally drive it from one place to another like any ship. It's also got generators, so it produces electrical power to power the thrusters. On the bottom there you can see two at each one of those legs. They can rotate; they're called Azipods. They spin round and move it in any direction. You've also got big switchboards that control those thrusters and all the different motors. Then you've got the actual drilling rig in the middle there. Now there's a thing called a top drive. This is a kind of two megawatt motor that drives the drilling rig down from the top all the way to the seabed. And you've also got a very, very, very big hoist that lifts it all back up and down. That bit in the middle there is called the drilling package, and it's made by a different company to the rest of the rig. It's just dropped onto it and then fitted.

So the bridge. It looks like this. It really does look like a large container ship bridge; there's not much different there. This is one of the engine rooms.
It had eight generators. So on the left you've got a big generator, on the right a slightly smaller generator, and loads of other ancillary equipment around it. That's one of the switchboard rooms. It's a water-cooled switchboard, which didn't seem like a great idea to me. That's the actual drilling derrick, so the big tower that goes up with the top drive at the top. You can see cranes; there's pipework everywhere. Massively complex thing.

Now I love these. These are the chairs where the people command the drilling platform. So they turn the top drive on, they stack and move pipes and things like that. These are called cyberchairs. I absolutely love that. I'd like one in my house, actually. It's joysticks. They look really good fun.

This is one of the massive control panels that monitors the BOP on the seabed. Huge complexity. This is the BOP itself. So the BOP sits on the seabed where the drill's going into the rock and it has massive hydraulic rams. So if the drill riser snaps, if the thing goes off station, it will shut it with big rams. Huge rams that close over and shut that pipe off. It was this that went wrong in Deepwater Horizon. Now to control this you've got this hydraulic equipment up on the main deck. This area was off limits to nearly all crew. Since Deepwater Horizon you're not allowed into this area. It's a high security area. Or was I allowed? Maybe I wasn't. Did we ask? I think we just walked in. We just walked in.

Now the BOP is controlled with this little cabinet here, so it's a Windows XP machine, as you'd expect. A few buttons and a keyboard, normal kind of stuff. There's some quite amusing stuff on this rig. It's been about for quite a long time. I think the BOP was fucked, to be honest. There's a load of third-party stuff on the same vessel, though. When you're drilling you've got to pump something called mud down that drill chain that takes all the bits of rock and brings it back up again.
So there's another company on the vessel that deals with all of this, and this is called the Cement Lab and the Mud Lab, where they analyse stuff that comes back up from the seabed. So we've got all these different things on the ship. We've got propulsion, the ship bits. Again, the drilling control network, which is the drilling bits. You've got the BOP, the blowout preventer. Corporate: so it's just got a normal network like anything else. You've got crew: Netflix, dodgy file sharing and pornography. Third party, for those labs. And the core network, all of the networking equipment that goes in between it. Now this was complicated. We were expecting it to be quite complicated, but not quite as much.

So we did this work in a certain way. We did some onshore prep first. So they gave us as much documentation as they could give us, and we could work out what we needed to take with us. It wasn't in London, surprisingly. So we had to travel there. Once we'd done that, we went offshore. We went there to the rig and we spent a week investigating what was going on. It was really good fun, actually. I just spent the whole week in a boiler suit crawling around in little bits of spaces. You spent most of the time in the accommodation in the air-conditioned bit. There was food there, and Marsh didn't leave a single little room. After we'd done that, we'd gathered a load of information about what was on the vessel. We saw it was different, so we came back to the office. We bought a load of equipment that we'd found on the vessel to rip apart and find vulnerabilities in, and we tried cracking passwords, things like that. Then we went back to completely hack the oil rig. It was really good fun, this.

So the way the networks were connected: you've got the propulsion systems, the things that actually steer and drive the ship. It's completely air-gapped on this oil rig. You've also got the other side of things, so you've got a satellite connection coming in.
So that's the way the internet comes into the ship. You've got the core networking that goes to the DCN, so that's the drilling network. You've got the corporate, the third party, all of those labs. You've got the crew, or smut network, as we'd probably more likely call it. To just give an idea of the complexity of the drilling control network, this is what it looks like. You've got your three cyberchairs at the top there. You've got probably four or five different protocols here, such as TCP/IP, different fibre, serial. It's really quite crazy. A lot of stuff to take in. The problem was, when we got on the vessel, we found that the documentation didn't line up at all with what was on there. Not only was the documentation wrong, but lots of it had been amended, and this was only on the vessel. This hadn't gone back shore-side.

So what tricks did we use? One thing we found really useful on ships was whole-ship, or whole-vessel, traffic interception. So we take the main VSAT connection going in and out of the ship, and we unplug it, and then we intercept all of that traffic. So we use one of these little passive network taps. Now you probably recognise the top there, a Riverbed. It's an accelerator. When you've got a slow satellite connection, you want to condense that information down to use less bandwidth. I've just sat there in line with that, taking all of the traffic from the ship. I log it onto an Intel NUC, and there's a lot of pornography there most of the time, to be honest, but there's also other interesting things. So we just sit in the network in that position. Really helpful.

Another trick we use: another Intel NUC, and this time we're using three USB Ethernet adapters to passively monitor control networks. So again, we're seeing if there's traffic on those networks that's really, really interesting. If someone says a network's air-gapped, it's actually quite hard to determine that on something that's big.
If I suddenly see someone pinging Google on this network, I know that's not air-gapped any more. The other thing, and I'm sure some of you have probably used one of these in the past, especially if you've ever worked in IT, is a network tracer. So you plug Ethernet into the little box there and then you wave it about in network cabinets to find where that cable goes. A huge amount of the work we did was tracing cables about the vessel. It worked for Ethernet, it worked for wired Ethernet, but it wasn't so great for this stuff: fibre. There was fibre everywhere. You've got to bear in mind this thing is huge. You can't run an Ethernet cable through an industrial environment over 150 metres and expect it to work. So there's a lot of fibre. We couldn't trace it. It was something we really struggled with, but we could intercept it. So what we've got here, at the top there, we've got two media converters taking fibre through to Ethernet, and then we're intercepting it again. So it's a really simple way of doing things. It uses those little pluggable modules so we can actually change the different protocols that we're using, get back to Ethernet, intercept it and mess about with it if we want as well.

The other thing we were doing: Cisco switches, Juniper switches, they've all got console ports on them. So these are USB or serial ports. If you plug into one of those, you'll get a serial console come up. If you pull the power out of the back of the switch and reboot it while holding the mode button down, you can get it into this mode where you can just type flash in it and it will boot, and then you can get the config of the switch out. So what we were relying on there was the password from one switch being the same as the password on other switches. So we decrypted the passwords from these and we had access to the entire core network.

Another thing we did, and I think this is something that maybe was a bit different to traditional ICS testing: this thing is called an Uplogix.
It's an out-of-band management device, and the idea is, if you're dialing into the main router on the ship and you change the config and you lock yourself out, to allow you back in, it uses the serial console. Now an interesting thing is it stores the passwords on it. So you don't have to know the password for that router. You don't have to know the password for the power distribution units it's connected to. So you're coming in out of band into this Uplogix and then you've got all these different switches and routers that you can connect to. It's like a back door. Now what we did was we ripped it out, fixed it because it wasn't working properly (so we fixed the power supply), ripped it out, pulled the hard drive out, read the data off the hard drive, reverse engineered the way it encrypts the passwords stored on that hard drive, and then we had the passwords for all of the core networking equipment connected to it. Now it's quite funny, actually. Do any of you like Bob the Builder? Do any of you know what Bob the Builder is? Hannah likes Bob the Builder, and Lee, awesome! The password used to encrypt all of the passwords on the Uplogix was Builder, Muck, Dizzy. Now Bob the Builder has two companions called Muck and Dizzy.

Now, passwords. If you've ever been at sea you'll realise that people write passwords down everywhere. Nearly every monitor will have a password stuck to the bottom of it. So obviously that laptop had the password Q2W3E. The admin password for a console. I really like the font there; it brings a certain something to it. This one's good. We found another PC. Password hint: who do you work for? Do you know what's really embarrassing? I typed about 30 passwords before I typed in the name of the company, because I didn't read the password hint. There you go. Four character password. Awesome. The problem with this is that all of these different parts of that network are operated by different people.
It's not one entity, and when that happens you tend to get password reuse. So the drilling control network, given a password, it will be reused on another vessel. The core network, the ones they're using on those switches, will be used on other switches and other vessels, not just oil rigs, but other ships.

Now this one was probably the most interesting finding, the one that shocked our customer the most. There was a jump box. Now I found this PC. It was in a machine room buried underneath the drilling platform. It was turned on. So ipconfig, as you normally would do, and I saw that it said media disconnected on the main Ethernet adapter, but you could see the domain there, corp.local. Now Windows preserves the domain that you were previously connected to on the network adapter, so I knew that this had been connected to a domain network in the past. So I had a look around and I saw there was a cable about 2 cm away from a network socket on the wall. Now I thought, maybe, maybe if I plug that in I'll get an IP address and I'll be straight onto the domain. Now what's happened here? We've now got a bridge between the corporate network and the drilling control network. Now the reason we think this was put in was the electrician didn't like walking out to the middle of the rig to get access to the drilling control network. He preferred to do it from his office, so he added this little jump box. It got better, though. There was TeamViewer running on the jump box, so when it was connected to the corporate network there was a four-digit PIN protecting access from the open internet to the drilling control network. So now we've got anyone on the internet able to access the drilling control network.
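The talk says the switch configs pulled over the console port were "decrypted" and the passwords reused across the core network. The example below is added here and is not the speakers' code; it assumes the recovered configs held Cisco IOS "password 7" lines, which are reversible with a fixed, publicly known XOR key (anything stored as "secret 5/8/9" is a real hash and would need cracking instead). The sample config is constructed for the demo; the two hex values in it are the well-known public test vectors for the word "cisco".

```python
"""Decode Cisco IOS 'type 7' reversible passwords pulled from a switch config.

Added example, not from the talk. It assumes the configs recovered over the
console port held 'password 7 <hex>' lines; the config below is constructed
for the demo and the two hex values are the public test vectors for 'cisco'.
Type 7 is an XOR against a fixed, publicly known key, so it is obfuscation,
not encryption; 'secret 5/8/9' lines are real hashes and need cracking instead.
"""
import re

# The fixed XOR key built into IOS for type 7 passwords (public knowledge).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Two decimal digits give the key offset; the rest is hex of XORed bytes."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])          # raises ValueError on non-hex input
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii")


def encode_type7(clear: str, seed: int = 0) -> str:
    """Inverse of decode_type7; handy for producing known-answer tests."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS only uses seeds 0..15")
    raw = clear.encode("ascii")
    body = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(raw))
    return f"{seed:02d}{body.hex().upper()}"


# Matches 'password 7 <hex>' and 'key 7 <hex>' wherever they appear on a line.
_PW7 = re.compile(r"^(?P<line>.*\b(?:password|key)\s+7\s+(?P<enc>[0-9A-Fa-f]{4,}))\s*$", re.M)


def harvest_type7(config_text: str) -> dict:
    """Return {config line: cleartext} for each well-formed type 7 value in a config dump."""
    found = {}
    for m in _PW7.finditer(config_text):
        try:
            found[m.group("line").strip()] = decode_type7(m.group("enc"))
        except (ValueError, UnicodeDecodeError):
            continue   # malformed or non-ASCII result: not a usable type 7 value
    return found


# Constructed sample running-config (hypothetical; not from the rig).
SAMPLE_CONFIG = """\
hostname core-sw-01
enable password 7 094F471A1A0A
!
username admin privilege 15 password 7 070C285F4D06
!
line vty 0 4
 password 7 094F471A1A0A
"""

if __name__ == "__main__":
    for line, clear in harvest_type7(SAMPLE_CONFIG).items():
        print(f"{line:55s} -> {clear}")
```

Once one config is decoded, the obvious follow-up on a job like this is to spray each recovered cleartext at the console or management interface of every other switch, because, as the speaker says, the finding that matters is the reuse rather than the individual password.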
Domain admin. So one of the other things that we saw earlier was this little tap that we put in, and this was just to remind ourselves that this was monitoring and capturing all the network traffic across the vessel, so all of the incoming and outgoing network traffic onto this particular oil rig. So we left that on there overnight, recorded all traffic onto an Intel NUC, and the next day we came back and we saw some credentials. Now this is an FTP credential that we've gathered here. Who knows the tool CrackMapExec? Anyone use the tool CrackMapExec? So CrackMapExec is a password spraying tool that allows you to put in a username, a password and a domain if you need it, and you give it an IP range, and it will go and test that password and report back to you, in a yellow font which we'll see in a second, whether that works. Now we were a bit suspicious and a bit like, well, it's an FTP user account, it's not going to have any permissions, surely. Unfortunately it did. It had domain admin rights. An FTP account that was transferring data to and from the corporate environment back in their head office, back to this oil rig, had domain admin rights. Okay, that's not good.

So then we explored a little bit more, and any of you who have come across the tool BloodHound, it will generate this beautiful graph for you, and this was the permissions that the FTP user account had over their network. So we explored a little bit more, and bear in mind we're sat on an oil rig, we found that from the oil rig I had domain admin permissions onto the corporate network back in their head office. But not just that: there were other head offices in other environments in different regions. And then I explored a little bit more. Now this company has 65 oil rigs. I had domain admin rights and could get from one oil rig across all 65 around the world. Now obviously the latency across the satellite communications was a little bit slow, about 150 milliseconds, but that is not good. Not good at all.
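Two things the speakers get from a passive tap are described above: on a control network that is claimed to be air-gapped, the tell is any host suddenly talking to a public address ("pinging Google"), and on the VSAT link an overnight capture gave up an FTP credential in the clear. The example below is added here, not the speakers' tooling, and shows both checks over a pcap. It assumes a standard little-endian, Ethernet link-type pcap as tcpdump writes; the subnet 10.20.0.0/16 standing in for the control network, the hosts and the frames are all constructed in memory for the demo, not captured.

```python
"""Triage a capture taken from a passive in-line tap.

Added example, not from the talk. Two checks a tester wants after leaving a
NUC on a tap overnight: (1) does a segment claimed to be air-gapped emit
traffic to public addresses (the 'someone is pinging Google' tell), and
(2) does cleartext FTP leak credentials. Everything below is constructed:
10.20.0.0/16 stands in for a control network and the frames are synthesised.
"""
import ipaddress
import struct
from dataclasses import dataclass

ETH_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: int = 0
    dport: int = 0
    payload: bytes = b""


def parse_pcap(data: bytes):
    """Yield a Packet per IPv4 frame in a little-endian, Ethernet link-type pcap."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap with microsecond timestamps is handled")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue                           # ARP, LLDP, etc.: skip
        ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
        proto = frame[23]
        src = ipaddress.IPv4Address(frame[26:30])
        dst = ipaddress.IPv4Address(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 8:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            hdr = (l4[12] >> 4) * 4 if proto == PROTO_TCP else 8
            yield Packet(src, dst, proto, sport, dport, l4[hdr:])
        else:
            yield Packet(src, dst, proto)


def audit(packets, airgapped_net: str) -> list:
    """Return (kind, detail) findings: EGRESS from the 'air-gapped' net, DNS, FTP creds."""
    net = ipaddress.IPv4Network(airgapped_net)
    findings = []
    for p in packets:
        if p.src in net and p.dst.is_global:
            findings.append(("EGRESS", f"{p.src} -> {p.dst} proto {p.proto}"))
        if p.proto == PROTO_UDP and p.dport == 53:
            findings.append(("DNS", f"{p.src} queried {p.dst}"))
        if p.proto == PROTO_TCP and p.dport == 21:
            line = p.payload.split(b"\r\n")[0].decode("ascii", "replace")
            if line.upper().startswith(("USER ", "PASS ")):
                findings.append(("FTP-CRED", f"{p.src} -> {p.dst}: {line}"))
    return findings


def _frame(src, dst, proto, sport=0, dport=0, payload=b""):
    """Build one pcap record (constructed test data; checksums left zero)."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload   # ICMP echo request
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    frame = eth + ip + l4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


# Constructed capture: a benign Modbus frame inside the segment, a ping to a
# public address, a DNS query, and an FTP login in the clear.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _frame("10.20.1.15", "10.20.1.1", PROTO_TCP, 50123, 502),
    _frame("10.20.1.15", "8.8.8.8", PROTO_ICMP),
    _frame("10.20.1.40", "10.20.0.2", PROTO_UDP, 53211, 53, b"\x00"),
    _frame("10.20.1.40", "10.10.5.5", PROTO_TCP, 40000, 21, b"USER ftpsvc\r\n"),
    _frame("10.20.1.40", "10.10.5.5", PROTO_TCP, 40000, 21, b"PASS S3cret!\r\n"),
])

if __name__ == "__main__":
    for kind, detail in audit(parse_pcap(SAMPLE_PCAP), "10.20.0.0/16"):
        print(f"[{kind:8s}] {detail}")
```

On a real capture the EGRESS check is the one that settles the air-gap question: a single ICMP echo or DNS lookup leaving the segment is proof the gap does not exist, which is exactly what the speakers were looking for with the three USB adapters on the NUC. The FTP check only sees the first line of each segment, which is enough for USER/PASS because FTP clients send them as separate commands.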
So we then noticed this as well. So this is back to that drilling control network, and we noticed a very small little thing in this diagram: DR. So think of a black box on an aircraft. A black box is a data recorder, or a data historian. It is there to record all of the things that happen on this oil rig from all of the different networks. Now if we pop back to that diagram there, this is the drilling control network, and there is a network connection going back up to this data historian. So we thought, okay, this is an interesting thing. Now this data historian, called bomb proof, you know, supposed to be as robust as a flight recorder, a black box on a flight recorder, and then we found this piece of paper, and that was on there as well, so that wasn't great either. And so now we've got this sort of nice network where we can go from the oil rig back into the core, back into the data flight recorder, and then we're back into the drilling control network from the internet. And that's not good.

So one of the things that we noticed is that because of these massive distances, so going from the top of an oil rig down to the bottom stanchions is a long way, that was those 172 steps that we saw, what they did is they had fibre networks absolutely everywhere to get the communications from the top of the oil rig down to the very, very bottom where the thrusters were. Now these are all Siemens Scalance switches, and as you can see they've all got fibre connections in and they've got the Ethernet connections in. Now there's a well-known auth bypass written by a guy called Black Swan Burst. Look it up, it's really, really interesting. But we bought one of these, and what we noticed is that when you change the password it got longer. That's pretty interesting. And literally these things were everywhere, absolutely everywhere. And one of our colleagues, Chris Wade, who you may have seen on track 1 talking about NFC, and if you haven't seen it go and watch it on the playback videos, absolutely awesome research, he went what we call "full Wade", and I'm going to do a little demonstration for you here. One second.

So the auth bypass generates a script file for you. And you're not on the screen. Chris, I'm not on the screen. Okay, not that way. So the config file that you can download looks like this. There's loads of rubbish in there, but what was really, really interesting is this encrypted password for the admin account and the standard user account. So what we did is we bought loads, and Chris attached a JTAG connector to it and debugged it using IDA on the ARM processor and went through the entire firmware to work out how to reverse engineer this password, which was absolutely awesome. Roll it all, and excuse my poor typing. Now we've hashed a little bit out here; this has been disclosed through Siemens already, because we don't want to give away the key, but basically those passwords are hashed with a key, and that is not good. So now we've got full access to everywhere on this, and we can decrypt any password for any Siemens Scalance switch, and they were absolutely everywhere on this oil rig. Now the thing was, that password that was decrypted wasn't just for the switches on that vessel; it was common across the drilling packages that have been installed on all vessels. So by reverse engineering that encrypted password, when we got access to other ones we found loads of other interesting stuff there.

I was wandering around the vessel and I walked into what's called the oily zone, which is where they do work on hydraulic parts, and there was this little room, and when I was in that little room I could see on my laptop a WiFi network called oily zone. Now that turned out to have the password oily oily. That was just plugged directly into the corporate network. Again, we didn't really find out why, but what we suspect is someone, like, messing about on their phone instead of working put their own access point in, and again you've got this situation where a WiFi network has just been attached to the corporate network. Again, shoreside had no idea.

Now the concept of an air gap. A lot of industrial control networks should be air-gapped. A lot of people say they're air-gapped. What they quite often mean is they think they're air-gapped. Come back to the BOP here. So this is a cabinet; there's a PC, a load of PLCs, fibre networks, but it's the core of the BOP controls. So when something really bad happens, there were literally big emergency buttons all over the vessel that you could hit, so if you were going off station it drops the riser down and fires the BOP. This was the thing that did that. Now what we found: that little area down the bottom there is where that area was, and it was essentially sealed off when at sea. We had a look, and what we saw: we found this office, and this was kind of buried in the accommodation, and there were these two screens there. They were turned off, but we turned them on and we found that one of them was an HMI, so an interface to the BOP, in the accommodation. It was a slightly dodgy looking connection on the wall, so on the left was the normal network, on the right was the really dodgy network that probably shouldn't have ended up in the accommodation. It should have had strict controls, but it has been brought to the other side of the vessel.

Air-gapping again. Now the propulsion network on this vessel was isolated from everything else, so there was no way onto it from outside the vessel. But when we looked at the switches we found that they hadn't changed the password. So these were Allied Telesis switches with the standard password on them. So they hadn't changed them; they'd made that assumption that no one would ever get on that network. Now the propulsion control system, I think it had about 700 of these PLCs, so quite a large number of them all over the place. They don't even have the facility to have a password set on them, so you can just turn up to them and reconfigure them once you're in that network. So if this ever did end up connected to the internet, it's a game over situation.

Now an interesting thing was that there wasn't just the rig we were on there; there was one next to it that was in something called cold stack. So that's where they've turned everything off, so that was the power; they've removed parts. It's probably not going to work again. So the other rig was there. Now oddly this guy didn't volunteer to come with me. First off you have to go down 172 steps, along, up 172 steps, back down and around again. There were no toilets, there was no electricity and there was no air conditioning. That's a lot of steps if you need a poo. We found again one of these Uplogix devices, so these back doors into all of the equipment. Now this one was powered down, so we couldn't really do anything with it. It was a bit awkward to work with. We also found this. So everywhere, on the drives on this there were quite a lot of interesting files, but this one was called company.exe.jpeg, and that strongly suggests that some kind of malware controls failed along the line. Now you remember I said on the other ship propulsion was air-gapped; that grey box represents the air gap. Again we looked on this vessel and I saw that little Cisco router. I mean, it's gaffer-taped to the top of that PC; the oil and gas industry is well known for its very robust engineering. It's got a cable coming out of it, and that cable led to a 3G antenna, and essentially what this was was a remote access mechanism into the propulsion system. So it's mandated, it's made by the manufacturer of the propulsion systems, but now what we've got is the situation where that isn't air-gapped any more. There was a handy laminated piece of paper that had the username and password for that little Cisco box right there. So now I've got the situation where there's remote access onto the propulsion network. So it's quite crazy, this, really. There's a lot of different ways we saw bad things happening.

Now in conclusion, really, I think this is one of the most interesting jobs we've done. There was a lot of stuff to find. I don't think we scratched the surface, really, to be honest. It was fascinating that the two oil rigs next to each other were actually supposed to be the same; they were supposed to be almost identical. They'd come out of the same yard, they had the same equipment on them, but there were all these differences between the two of them. The complexity, I mean, it was unprecedented. If we hadn't had that tracing tool to trace out Ethernet cables we'd have been screwed; it would have been impossible to have found what was going on. Sometimes they'd go down a deck, sometimes they'd just go through walls. It was really difficult. The documentation was completely different to reality; it was a hindrance rather than a help. What we found really interesting was the crew were actually really receptive to us being on board. We were maybe expecting them to be a bit reticent, you know, with the geeky guys there, they're just trying to get their job done, but they were actually really, really helpful. I think they learnt a lot as well, and yeah, we certainly learnt some things from them as well. The other thing I found that worked really well was that we combined Chris's ICS knowledge, so he knows the industrial control systems, with my hardware knowledge. He can pull hard drives out and then read memory, get JTAG going off things, so it allowed us to find vulnerabilities that took us deeper into the rig. I also found out that bananas in other parts of the world are really, really weird. But yeah, that's our talk on oil rigs. I hope you enjoyed it, and if anyone's got any questions, fire away.

Are we hiring? Not right at this second, but we quite often do; we're a growing company. So I'm going to say not everything's as fun as that, but I have to say some of it is. Ships are good fun. Sorry, the two of you at the back? So some of them have been mitigated. They've been mitigated rather than fixed. Sorry. I've seen NT4. XP was the oldest we found on this one, but there was probably embedded stuff that was running from before XP. Any more questions from anyone? Follow us on Twitter. We start fights on the, I start fights on the internet. He's quite nice, really. So give us a follow and you'll see interesting stuff like that. Thank you very much. Thank you.