structures we have nowadays is power generation. If there's no power, we're pretty much screwed. Our next speakers will take a very close look at common industrial control systems used in power turbines and their shortcomings. So please give a warm round of applause to Reptep, Muradak, and Kors.

Good morning, Congress. Thank you for waking up in the morning. We will talk about the security of power plants today, specifically about the automation systems that are used in power plants. You might think that this is another talk about how insecure the whole industrial world around us is, and more or less it is. For years, we and our colleagues have been speaking about problems in industrial security. We are happy to say that things are getting better, but the temper is a little bit different and feels a little bit uncomfortable. So anyway, we will speak about how power plants are built, what the automation inside is, what the vulnerabilities are, and give a high-level overview of what you can do with this.

But first, a little bit of introduction. We are security consultants. We work with a lot of industrial things like PLCs, RTUs, SCADA, DCS, whatever it is. We've been doing this for so long that we have a huge map of contacts, to the point that we have a lot of contact with the integrators and the vendors. This has allowed us, in particular, to work for people who manage power systems, for example power plants. Something that is very important to know is that everything we are going to talk about today has already been reported to the vendors concerned. We are going to talk mainly about one of the vendors, Siemens. But we will see that similar problems can be found in similar solutions by other vendors, and it applies to other vendors that we will not necessarily mention today. Apart from that, we will talk about security problems that apply to real power plants. We are kind of irresponsible guys.
It may seem irresponsible, but in reality it's the opposite. To do this kind of research with the systems that are in power plants, we have to access these systems to work on them and to know them. All these resources are limited. They are difficult to access for people like us. But for potential attackers, it's their job to invest time and research to carry out an attack. So we can assume that the bad guys already know all this, and it's important to share this knowledge so that people can act well.

Power plants are the most common means for human beings to get electricity. They are everywhere. The closest one to here is the Lippendorf Power Station. We can be surprised by the amount of information we can get from the internet. For example, on Google Maps we get a very good view of how the electricity is produced. We see what the building is doing on this page, and we also see which equipment is being used. Even if you don't have this experience, you can just look at it and see which system is being used to automate it. It's a system called SPPA-T2000 and SPPA-T3000, which are Siemens systems. So it's SPPA-T3000. It's a little confusing, so we're not sure yet, but it's exactly the system we're going to take a look at today. And again, it could be another system. It's just that we've seen this system more often than the others, so we're going to talk about it.

So you can look at all the systems and all the power plants thanks to the people who monitor coal. These are the different types of power generation, and we see them by color: we have coal, we have gas, we have hydro, we have nuclear, and that's a lot. What we're going to look at today are those that work with gas or coal. So the plant. What works there is a turbine. We unfortunately don't have a photo of a turbine, but I hope everyone has seen on a plane how it looks.
Especially in terms of size and the way it works. On the websites of the different vendors, you'll see the different types of turbines. These are the Siemens turbines, specifically those used in power plants. They're not only used in power plants; we can also do a lot of other things with them, but if you compare with the previous slide, you'll see those that were used in the power plants. This is important because of the vulnerability that we're going to look at today.

Before we talk about automation in a power plant, you need to understand a little bit how it works. It's on the right side, and it's very easy. We'll simplify a lot of things to make it more suitable; we don't really understand everything ourselves. The first thing you need is a fuel tank. So we're going to have gas or coal, and you put it in a combustion chamber where you light it; it's going to generate a lot of pressure that's going to go to the turbine, and the turbine is going to start to turn. The turbine has an axis that turns and is used with a kind of dynamo that generates electricity. The power that's generated is not only for certain buildings but for the electric grid, the local or national electric circuit. There's another point. When we generate this, we have far too much heat from the fire, and a big question is how do we cool that? The first way is with a cooling system. The second way is to use this heat to warm water; we make hot water, the hot water is turned into steam, and we put that into a second turbine, a steam turbine, to optimize. It's an optimization in a way. So what is the automation in this process? The automation system that is used is a distributed control system, DCS, and it automates everything in the cycle.
So everything I just described. The vendors of these solutions want to simplify everything for their clients, because instead of having 100 people working it's just a dozen. They want to simplify the whole process. The operators don't care how much fuel they need. They just need to launch the process, and they need to know how much power we're supposed to produce at this moment, how many megawatts of electricity. That's what you need to know. The complexity is hidden in these solutions, because there are a lot of small things happening inside. So we're not going to talk about that. This DCS system is not only for power plants but also for other things; it uses the same hardware, the same software. It's not only software that you can install; it's an interaction between software and hardware. Sometimes it starts with the construction of the buildings. So it's a lot more complex. There are a lot of vendors. As we said, we're going to talk more about Siemens, but there are several.

A short description of how things are simplified for operators. For example, if you want to answer the question of how we regulate the output in megawatts, we need to control three things. We simplify again. First, for example with a gas turbine, we need to know how much gas we're going to put in the combustion chamber. We need to control the flame temperature, and we need to control the air that's going to be in the turbine. That's simple PLC stuff. And you can change from 100 megawatts to 150 megawatts just on these three settings.

So the system itself that we're going to discuss is the SPPA-T3000. Again, like all other DCS systems from other vendors, it's a typical industrial system with PLCs, RTUs, HMIs, servers, OPC. The only thing that is different for Siemens:
They have two main things, the application server and the automation server, with the software that runs on them. It's something that will have equivalents at other vendors. If you read the manuals for Siemens, there will be a lot of different networks, a lot of different routes; it looks like there's no connection between the application network and the external network. In practice, you're going to see specific sensors for the turbine vibrations; not all power plants will have people who do maintenance on site. They're going to need to install things on the system, install the antivirus, and they're going to need to send OPC traffic, information on the production, outside, for example to regulators or to the energy market. So also to certain entities that monitor how much electricity there is for the energy market.

Our presentation is going to be structured like this. We're going to talk about the application server, then automation, and then... So we're going to start with... All of this starts with coordinated vulnerability disclosure. At the beginning of December, Siemens published an advisory about different vulnerabilities identified by us, but not only us; other entities contributed. The system is supported only by Siemens. There's no specific integrator. So they're going to install their package, they're going to install the patches on the critical infrastructure, and we hope that everything has already been patched. There's a lot to talk about, because we have a lot to say. Several of the vulnerabilities are actually the same. They also talk about the criticality of things, but it's not necessarily applicable to an industrial site, because each vulnerability can impact the process, and we're going to jump on that. So that's the attack model, and we're going to...
In January, we're going to give you a white paper, you know what I mean. The application server is the main resource that you would find in the SPPA network. If you access the system, you'll find yourself in the application. If someone wants to launch the electricity generation, or to change the values of the energy output, it's there too. There are other servers that are going to communicate with the app; they're going to download from the app at startup. So there are a lot of open ports on this server. On this machine, we can see that this is the first point: it's a huge attack surface, absolutely amazing. Even if you want to compromise Siemens software or a third-party one, you have a lot of attack surface.

All the installations of this SPPA system are different. Depending on the version, the generation, you're going to see different Windows versions, from 2003 to 2016. We hope that they're all updated in the meantime, because updating an installation like this is something very difficult. You have to put yourself in maintenance, and it's something you do once every six months or once a year. So you always have to find a window to install. There's always a trade-off between an operating window and profitability. There's a lot of additional software, for example old Siemens components that don't configure Tomcat; so we check, for example, whether the configuration of the different software is aligned with the best practices of Benchmark 6 for securing an installation. It's a lot of fun. There's a lot of software in Java, so we have to talk about it.

Surprise: one of the biggest problems in the SPPA-T3000 is the passwords. There are three things. All the installations before 2014 or 2015 have the same password, and we find it on Google. They published all their documents. After 2015, the passwords are automatically generated, but until this year it was difficult to change the password.
You had to know the process, you had to contact your integrator, and starting in December this year it's a lot easier to verify and to change that. So even if you knew you had this problem, you couldn't just change the password. Otherwise, you also have the complete diagrams and the documentation for the integrators, how the system is built, etc. It wasn't published by Siemens; it's simply a power plant that put it online by itself.

The most important thing is that the application server is a number of applications in Java. My colleague is going to talk about it.

Hello everyone. Let's see what kind of software is running on this kind of server. A thin client communicates with the server via HTTP or HTTPS, so the communication can be protected by a firewall. In the case of a thick client, we discover the services via an RMI registry. Here is an illustration of the architecture of an SPPA, organized into different categories. We have requests that come from thin clients and are redirected to the right service. We see that there are several containers that use RMI services. All the containers are represented, all the different types, and all have self-explanatory names.

Before starting to dive in, we show you some tools. The first one is a deobfuscator. The Java code is obfuscated, but we can avoid this problem simply by using a publicly available tool. It is also convenient to see how the system communicates; it helps to understand the architecture of the system and the client's workflow. For SPPA, it represents the TCP streams in a form that is readable for humans. So this method is unsafe, so they use it. So we have to go and look at SPPA. The first thing we're going to see is the Apache server. We're going to look at the Orion directory in the config.
This directory contains sensitive files, for example PCSystemConfiguration.xml or the AFC, which contains the starting configuration of the different services for the automation system. Otherwise there is a Tomcat where we can start looking at the visualizations. So this is the attack surface: we have remote diagnostics, we have the configuration of Tomcat and Apache, we see the Orion server which can be accessed via HTTPS, and in the file web.xml we have a list of all the services and applications, and this list is huge. Some have very attractive names, for example BrowseServlet, which allows an authorized user to look at the content of directories on the operating system. In the case of the operator's problem, it's even better, since there is a second one, for file upload. With system rights and the target name parameter we can completely install things; that is, without authentication we can install a web shell via Tomcat, and we install that with system rights. Some servlets also have the name "factory service" inside, so they generate HTTP requests: they pass the requests on to HTTP, we give them a service URL as a parameter, the parameters are simply put inside the request, and it builds a request.

Now we have thin clients that can use RMI, and they can also communicate directly with the registry, so if the application is missing some security, there will be vulnerabilities inside that we can use, and we can simply exploit these vulnerabilities and get code execution with system rights. The first step: we simply use the lookup service to get a list of services, except I think they implemented a general one for "Aspepar", and so what we did was simply use the lookup service, and it looks like a
collection of other RMI services; at least the public methods give the names of all the services. By looking at the names of the services, we have all the RMI services. At this moment we have the RMI service factory, so we can assume that we can also get another RMI service. So we decompile the class and find some factory methods like getService, and inside we can find the name of the created service; we can also guess. Using the public method getService and the name, we get a reference to the next RMI service, and in the end we have references to the RMI services which actually have usable methods. These services have a lot of public methods, for users authorized or not. At each step we found a lot of RMI services and a lot of public methods, so the attack surface of this system is absolutely huge.

When we list all the services available, how does the authentication fit in? We will look at this question. We have the requests to the security service. The first thing is that the client gets a reference to the security service using a client; then createSecurityService will try to get a session from the session manager. If the manager does not work, there is an exception and the client will not get anything, but if it works we get a PCServiceFactory, and so we will be able to instantiate the security service with the createInstance method; the session ID and the client will be stored as the login ID in the security service, and the client will get a reference to the security service where it will be able to invoke the methods. These methods will be able to check by checking their ID. So we have two security... but how? How do we register?
So with the security service, the client will use this ID, and it ends in a bypass of the authentication, and we will be able to call the methods exposed by RMI. These public methods are huge, and it is difficult to manage the security of these services. So now we know all the inputs on these systems, and we know their security measures.

Among the list of RMI services there is one that looks particularly interesting: the admin service. We will be able to get an anonymous session via the runScript method, so we can call it without authenticating. First, this method creates an instance, and at this stage it will involve another Java class; in fact we will create a second class that will simply implement AdminScript, and this class will be executed by runScript. So we create the class, this class is created from the arguments of runScript, we pass the parameters, and so we have execution on the system. Otherwise there is another exploitation: you can inject arbitrary classes into the code, so you can use Java reflection to patch the system and have an influence on all the technology of the SPPA.

Otherwise we also have the verification of privileges in the second class; we are in the session service. We use getLoginSession, which gives a list of login session data for all the users with their name, their IP and their client ID. Since the client ID is the user's, we can get the client ID of the users who are admins, and we can use this client ID to get a second reference to the client security service, to get a second, privileged session. An attacker will then call the security service a second time, to get all the private information of all the users of the system, with the passwords and their information.

To sum up, both of these two vulnerabilities allow access via HTTPS through the firewall, and so everything can be turned around. In general, all the RMI communications are encrypted, so the usernames and the
passwords in plaintext are not encrypted; it's much more critical. Ah, sorry: the RMI communication is not encrypted, it's in plaintext. So all the passwords... There is no session protection, so if someone can attack an SPPA user and the traffic between this user and the application server, he can recover a username and a password and reuse it to do operations on the system; he can even change the password of the user. So I talk a lot about the names and passwords; we will try to understand how they are implemented in the system. Alex, you go.

Hello everyone. I will continue the discussion here. On the previous slide we could see how the authentication works, and now I will explain how it works. When the system starts, it reads two files, users1.xml and pdata1.xml, the user store and the store of the passwords respectively. The first one is simply XML, and the content of this XML, presented on the slide, is used to calculate a hash and create a password. At the bottom you can see the verification of the password in pdata. It's typical, typical for Unix and Linux: there is a number of iterations, there is the salt, and the salt that has been added is the same for all users; it's hardcoded. So here there is something to extract the password; of course, because it was developed, you can see what comes out, and the tool can of course be used to check the passwords, and this tool is public.

So the application server: first, it's an attack surface which is absolutely huge; it includes different components. Secondly, it has remote connections, whether it's for maintenance, for OPC, or for someone else; you should check it anyway. And the last thing is that the attacker can impact the generation of electricity: he can stop it, he can change the value of the electricity generated, and
he can simply collect information on the generation, and all this can be done from the application server. That was just the application server.

Now we will continue and talk about the automation server. The purpose of the server is to automate in real time, and depending on the architecture of the power plant, the role of the server can be different. We saw three roles. The first is automation. It can be confusing, because on one side there is the function and on the other the server name, but when you look at the configuration and the information, we realized that everywhere it's almost the same hardware and the same software, so we used this classification, which is less confusing for us; at the same time it's also a little different from the vendor's classification. The role of automation: the server is responsible for interaction with the input and output modules that control equipment like, for example, the turbine, the generation of electricity and so on. The second role is communication, and the third role is connection with third-party software and third-party systems, with protocols like Modbus, IEC 104. And the last role is migration, which is to connect to older SPPA installations, legacy systems like SPPA-T2000 or so.

The role of automation will be realized on an S7 industrial PLC. We will talk a little more about each role now. So we are based on PLCs; we have security problems. We control the machines, so there is direct access; there is no security system, since it is the lowest level in the attack model. Without any changes or updates of a PLC, you have to stop a technological system, so there is always the configuration. Even on these systems there is no security, since the S7 is not super secure. There is not a lot of information about the S7 protocol on the internet, so we had to analyze it. So it is a protocol for SPPA, for the PLC,
and there is an exchange of data in this protocol. It is a pretty simple protocol, and maybe its description is available on the internet, but we could not find it, so we will show you its structure. There are some security mechanisms in this protocol, so we can do attack models on it. For the protocol analysis we developed a dissector, which is available. During the security test on the configuration, one of the main things that we checked is unauthorized write access to memory; it is defined by the position of the selector. During previous research by colleagues, the privilege matrix was determined, so it was possible to show different things on the PLC configuration. This analysis is available in our repository.

So the industrial PC is just Linux. At the beginning it downloads some files from the application server: jars, scripts, batch files and some other files to execute. They use a Java VM, the PTC Perc VM. The Perc VM is a compilation system, so to solve the problem of decompilation we wrote a PHP script which performs the reverse transformation. On the automation server we have RMI servers; in the case of the migration server there are RPC servers which are also RMI servers. The security problems on the industrial system: there is a possibility of spoofing the files downloaded from the server; on the other hand there is a problem related to the use of default credentials, which are used especially via SSH for access to the server, "cm admin" and "cm password"; then there are vulnerabilities that affect the RPC services, which allow access to files or RCE; and then there are vulnerabilities that affect the migration server. If you read about the vulnerabilities that affect the RPC: this service contains a method where the first parameter defines the action that will be executed, which allows access to the content of any file present on the system and also writing content to files on the server, so we will also be able to upload a file which can
be executed later. That's all for the automation server. To summarize a little bit: it can be based on a PLC or an industrial PC; in the PLC case we have the specific security problems of industrial systems, and in the PC case it's just a Linux box to which things can be added.

So far we haven't talked about network equipment. During our research we were able to meet a great variety: firewalls, switches, etc. We tried to summarize all this information and to map it to the network function in our SPPA. The same type of equipment can be found in equipment provided by other vendors. This equipment is often affected by many security problems; it's a bit linked to the fact that usually there is no particular configuration at the beginning, and they must be able to work as soon as you start them. So we're going to have problems such as obsolete firmware, default credentials, a lack of configuration in terms of security. All these things are quite common for network equipment, and these are common security problems for industrial systems. I think that's all.

Now we're going to discuss... The power plant systems are huge; we saw this, we saw a lot of things, and everything is summarized on this slide: we have problems in hardware, in applications, in the configurations, in the mechanisms used. We don't even need to go over it: we can impact the power generation. What kind of disaster could result? You have to arrive with an attack like this... With blackouts, this is not what you can do: the distribution of electricity is not the problem of generation; it's the problem of verifying that there is enough capacity in the network. So what we're talking about is... we're going to talk about the turbine, but we don't have access to a real turbine; we didn't find someone who wanted to lend us one to destroy. But the point is, we're going to guess. The turbine is huge; it's a mechanism which is breaking by itself, and there
are different operating modes, and in certain operating modes it's going to degrade even faster. So you can have a PLC to exchange, but a turbine maybe less so; it's not there, but it's not huge. What we tried to do was to understand how we can help the power plants to find all the problems and analyze the structures, and understand that all the installations are the same, so that we can simplify our analysis to what a simple engineer can do: do his own test of the security, connect to this place, yes, connect there and do a simple test, and then call Siemens to fix something. We don't need consultants who are too expensive; you should be able to do it yourself. Of course it's a DCS; it's like other industrial installations, there's a lot of similarity, and it's the same places that hurt. There's a good document, IEC 62443, that describes how the users should talk to the integrator and the vendor, and how the vendor should conform. We suggest to each operator to read this document and talk to your vendor, because now it's a little different between the different vendors, but it's a document that describes how to talk with the other entities. Of course, read this slide, read the whitepaper that comes out in January, call Siemens, change your passwords; very easy, at least to reduce the attack surface. And a lot in an SPPA-T3000 network is Windows, so we can also set up monitoring; talk with your admin to at least have the logs. Java applications you can't check with Windows systems, but at least you can look a little bit at what's going on in your network. Finally, it's not a problem of the Siemens DCS; it's the same problem with other vendors that we didn't mention here. We're going to make a big whitepaper with everything we found in it, with our recommendations, with our security assessment, with our tools, with other tools, with our dissector. We talked to Siemens, we say thank you, they did a great
communication work with us, and their product team who develop it themselves. What the vendor does, if you operate a power plant: they try to talk with their clients to change the passwords, to update and to sensitize everyone. So it's not just Siemens; it's also the operators who can do things that have an impact on security. So that's about it. Thank you very much. Do you have any questions?

Thank you very much for this great talk. We have 3 minutes for questions. If you have questions, tell us; if you have the problem of the ears, you go to the microphone. Microphone 3, your question from the internet.

So with the vulnerabilities identified, would it be possible to take control from the internet? I repeat: with the vulnerabilities identified, would it be possible to obtain control from the internet?

No, that's the good news. We have tried to see; they are more or less protected from the outside. There are certain access points, and we are not going to talk about the internet; we are going to talk about the network.

Next question, microphone 3.

Hello. I also have a power plant, and it's not very good for the atmosphere, as I realized, so my question is: can you tell us where the red button is to stop the power plant? I ask for a friend.

We did not think like that, but yes, specifically if you are an engineer, do not go with the internet.

Other question from the internet? No question? No question. Thank you very much, and applause. Thank you.
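The talk's password-store point (an iterated hash in pdata1.xml with one hardcoded salt shared by every user) is easiest to see with a small worked comparison. The Python below is an added illustration, not the speakers' tool and not the product's real scheme: the PBKDF2-HMAC-SHA256 derivation, the iteration count, the salt constant and the sample user list are all assumptions made for the example. It builds the same constructed user list twice, once with a global salt and once with a per-user salt, and runs an operator-style audit that flags the two properties a defender can check in their own store: whether all entries share one salt, and whether identical passwords collapse to identical stored hashes.

```python
import hashlib
import hmac
import os

# Assumed parameters for the illustration; the real product's values are not on the page.
ITERATIONS = 10_000
GLOBAL_SALT = b"illustrative-hardcoded-salt"  # stands in for a vendor-wide constant

# Constructed sample users; two of them deliberately share a password.
SAMPLE_USERS = {
    "operator1": "Plant2019!",
    "operator2": "Plant2019!",
    "admin": "Sup3rvisor#",
}


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated, salted hash (PBKDF2 here as a stand-in for the product's own function)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_store(users: dict, per_user_salt: bool) -> dict:
    """Return {name: {"salt": bytes, "iterations": int, "hash": bytes}}.

    per_user_salt=False reproduces the weakness described in the talk: one salt for
    everyone. per_user_salt=True is the corrected design: a fresh random salt per entry.
    """
    store = {}
    for name, password in users.items():
        salt = os.urandom(16) if per_user_salt else GLOBAL_SALT
        store[name] = {
            "salt": salt,
            "iterations": ITERATIONS,
            "hash": derive(password, salt),
        }
    return store


def verify(store: dict, name: str, password: str) -> bool:
    """Password check as a store would do it; constant-time compare on the digest."""
    entry = store.get(name)
    if entry is None:
        return False
    candidate = derive(password, entry["salt"], entry["iterations"])
    return hmac.compare_digest(candidate, entry["hash"])


def audit_store(store: dict) -> dict:
    """Operator-side audit of a password store.

    shared_salt: every entry uses the same salt (a hardcoded constant is the usual cause).
    duplicate_hashes: groups of users whose stored hashes are byte-identical, which with
    a shared salt reveals that those users share a password without cracking anything.
    """
    salts = {entry["salt"] for entry in store.values()}
    by_hash = {}
    for name, entry in store.items():
        by_hash.setdefault(entry["hash"], []).append(name)
    duplicates = sorted(sorted(names) for names in by_hash.values() if len(names) > 1)
    return {"shared_salt": len(store) > 1 and len(salts) == 1, "duplicate_hashes": duplicates}


if __name__ == "__main__":
    weak = build_store(SAMPLE_USERS, per_user_salt=False)
    strong = build_store(SAMPLE_USERS, per_user_salt=True)
    print("global salt :", audit_store(weak))
    print("per-user    :", audit_store(strong))
    print("login ok    :", verify(weak, "operator1", "Plant2019!"))
```

With the global salt, operator1 and operator2 end up with byte-identical hashes, so the audit reports both the shared salt and the duplicate group; with per-user salts the same two passwords produce unrelated hashes and the audit is clean. The verify function works identically for both layouts, which is the point for an operator: moving to per-user salts costs nothing in the login path.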