A while back there was this stupid idea of switching to emulated PLCs, and everyone was like, why would you use a PC? That's stupid. You get a whole new class of bugs that you didn't have before. Well, it was a question of time. Now we have a whole new class of bugs right on the PLC. And our next two speakers will be presenting a worm that lives on such Siemens PLCs. It doesn't need any PC or x86 architecture to spread. It just, well, nibbles away at your infrastructure while you're watching. Please give a warm welcome and applause to Maik Brüggemann and Ralf Spenneberg.

Yeah, hello. Sorry for the technical problems. You may already see it in the photo. We fought here with 16:9 versus 4:3. The presentation is in 16:9; the laptop currently outputs 4:3. So the photos will be a little smaller. I hope we can all see what we want to see. In the meantime, I'll just make a short introduction. My name is Ralf Spenneberg. Next to me is Maik Brüggemann. Hendrik, the third speaker, couldn't make it because he's sick, and he is probably watching the live stream from home. We are a small company. One or the other of you may know me. I wrote a few books in the past. I gave a lot of classes. In the last 5 to 10 years, our business model has moved away from classical training, and we do a lot of consulting. A lot of consulting in the security sector, Linux security. But in the meantime there is a lot of resistance analysis. I actually don't like the word pentesting. Resistance analysis in the area of embedded systems, in the area of industrial control. We'll talk about that today. And also RFID systems, so transponders. Another employee will be up here with me tomorrow on that. And that's it for today. We'll talk about industrial control today. We just picked out a family about 1.5 years ago that we wanted to get a little closer to, because it simply interested us. Maik did his bachelor's thesis with me on the subject. It's been two years now.
And that was a fairly small, fairly inexpensive industrial controller. It's an S7, so a current series from Siemens, a 1200 model. You get these devices for 120 euros. That's not a very expensive thing. The devices then have the ability to save a little bit of work for the model, a little bit of long-term saving, so persistent storage, flash storage. They all have a built-in easy action point. And we looked at the module with firmware version 3. So Siemens regularly brings out new software for these devices. And they are programmed with a software called TIA Portal in version 11. That's, for those who might already have programmed Siemens, the modern version of the Step 7 software. And on that basis we just dealt with it. We tried to find weaknesses there. We tried to write programs there that allow us to show design weaknesses. Especially that: design weaknesses in the networks or in the industrial systems that are built with it. And to understand that a little bit, I would like to give some background knowledge on these PLCs, because they work very differently from what you know from a normal computer. Such a PLC, or such an SPS, such a memory-programmable controller as it is called in Germany, comes with a firmware that is delivered by the manufacturer. And all manufacturers are the same there. Whether it is Schneider or Siemens, it doesn't matter at all. And the user then programs a piece of software that controls the machine, that actually takes over the control of the machine. So, for example, maybe a traffic light control, a loom control, a centrifuge, air conditioning or something like that. And how does that work internally? The systems always work cyclically. That means that the controller, the PLC or the SPS, reads its inputs and outputs. We will see again how such an SPS looks. We brought four with us. Let's take a look at the camera. They read their inputs and outputs. Then they run one cycle of the program.
And at the end, they then run some cleanup work, maybe communicate with the outside world via Ethernet or something like that. And then the next cycle begins. That means the whole thing is processed cyclically. So we don't have an object-oriented program there. We can't take any great influence and stop this cycle in a different way, or something like that. Just one cycle will run through. The maximum cycle time for the devices we looked at is 150 milliseconds. That means that as soon as a cycle takes longer, these devices recognize an error, react a little differently, keep themselves under control, etc. It all comes down to the programming and the settings. To understand how the programming works in the background: the whole thing is programmed in blocks. This is a language that has become established in industrial control. You talk about organization blocks. These are the entry points into the program that I want to run cyclically. Maybe compare it with a main function in C, if you want to. The entry points into the program. Then we have function blocks that are comparable to a class that has a particular method. There are also functions; the fundamental difference between a function block and a function is that the function block has semi-persistent storage. With a function, when it is called in a cycle, all the information that it has processed there is no longer available in the next cycle. Within a function block, I can store things in my own local storage. For example, I can count the number of cycles. That is one of the differences between a function block and a function. Functions and function blocks are written by the programmer, the user, with their own functions; comparable to a library that a manufacturer provides, an API, there are also system function blocks and system functions.
On top of that, there is the possibility to store a data block, or simply use a global binary blob. There is storage that I can access where I can store arbitrary data. Maybe compare it with global memory. That is called a data block. We program the whole thing in different languages. There are a number of different languages with which I can program an SPS. That is partly the manufacturer's doing. That is, there are electricians who program an SPS. They program it as a process diagram or as an electrical circuit. In the TIA Portal, you compile it, and then the software that I can write directly onto the SPS falls out. I then drew a switch and said, if there is a single light at this input, then there is a single light at the third input. You can program it in a programming language as we know it. It is called Structured Text. That is what we did, because the other one was a little bit abstruse. We simply lack the experience. But there are good reasons to use it. That is also the same with all manufacturers. Each manufacturer supports programming in their own way. What do we want to do now? What did we do? We wrote a worm. What is special about a worm? We know worms from the PC world. The special thing about this worm is that this worm, which we created on one SPS, we brought four of them with us, after we infected the first SPS, we can remove the computer and it constantly spreads to the other SPSs. So it finds the other SPS, attacks it, infects it and then writes itself onto it, and as soon as it is written on it, it activates itself and then attacks another SPS again. We will demonstrate that in a moment. We will demonstrate that the worm which has spread itself has spread even further. That is basically completely clear if you think about it. Because actually they are just computers, PCs, on which the program runs. That means that it is likely that almost all industrial systems one could look at work like this.
It always depends on how far the manufacturer has built in hardware mechanisms that prevent something like that. With the S7, for example, I can take that away, it has a measure that can prevent that and with which I can actually ensure that this is not possible. It is only that per default, especially with these older devices, these devices are now about two years old, it is not active per default. That means that the user then has to switch it on, and if that doesn't happen, there is this problem. Well, very briefly. What do I need for a worm? I have to find my target. The worm has to spread itself. I need a transfer mechanism that has to be used there. Then it has to activate itself on the target system. And then of course we also want to do something with the worm. The worm should bring a payload, maybe a bit of shellcode or something. What we have done is a function that we... I won't take it away, let's see at the end. That would be too much to tell. Okay, that's the background on the PLCs, etc. And now I'll hand it over to Maik, and Maik will talk a little bit more.

Yes, thank you very much. Exactly. So if we want to find a target, of course we'll come up with a feature that we can see on other PLCs. And with Siemens systems, port 102 is always open. The user can't turn it off. And if we find an open port 102 somewhere in the network, it's probably a Siemens PLC. And the idea that we had is simply to implement a port scanner in what we just saw, Structured Text. There are two functions for that. One builds up a TCP connection and the other tears it down. And we can simply look at how we want to implement something like this. We can see up here in the turkeys this function which builds up a connection. We have different transfer parameters here. We can ask if the function was successful or not. And essentially down here we give the target IP address and the port. As computer scientists we would now expect that we call the function.
And as soon as it's done, it comes back and tells us: I successfully built up a connection, or there is an error message, it didn't work. With the PLCs it works a little differently. We just said we have a cycle time of 150 milliseconds. Of course we can't skip them, and that's why this function is asynchronous. So we run this whole structure in every cycle. We come in from above. We call this function, and with every cycle we ask: have you done it? If yes, we have found the target and we switch to another place in our program code where it can carry out the virus or the worm. The problem we still have is that there is no timeout with this function. So we don't notice that there is no target that we want to attack. To do that we have to implement it ourselves. It's relatively simple. We just go and count the cycles, how often we have already passed this function. And at the highest value we say okay, in this case it's 200, we say that it won't work. But we have to understand that even if the connection wasn't built up and this function builds up the connection, it will even come back with an error message and say I couldn't build up a connection, I didn't build it up. We still have to do something. We just have to release the resources, because the function is always trying to build up a connection in the background. So if we don't have a connection, we can just count up an IP address down here. We just count up one byte of the IP address, the last byte. We scan, for example, a 24-bit network for PLCs. Here you can of course think of something completely different. A list of targets or a whole subnet or many subnets to scan. We can implement it with the two functions that I just explained. The next thing we have to think about is how do we get the worm onto the PLC, the program download. And you have to know that the program download usually works via TCP with these PLCs.
If there is a function to build up a connection, and there are also two functions, why don't we implement in the programming language of the PLCs simply the protocol with which we normally download the PLC program? The challenge is to understand the protocol, what this download does. We see the protocol stack on the right: TCP/IP, that should be relatively clear. There are two more transport protocols that I won't go into. They are documented on the Internet. If you are interested, you can read up on it there. The protocol S7CommPlus, I call it that, does the actual download of the program to the PLC. It is binary and proprietary. That means you know very little about it. There is no official documentation from Siemens. It also differs greatly from the old protocol that PLCs like the S7-300 or S7-400 have. In the latest version it was changed a little bit. That means the virus doesn't work on the latest version. But it has exactly these features that we want: to transfer the program. We have to start and stop the CPU to do that. And it also offers other things such as changing the inputs or outputs or the network interface. I would like to say a little bit about the protocol. What we see here is a Wireshark capture of the first message that is sent to the PLC from the TIA Portal, the development environment. It simply says something like: Hello, I am the TIA Portal, I would like to talk to you. We see the structure. First we have the two protocols that I won't say much about now. Then comes the green version number. Depending on the four versions of the PLC we see one, two or three. Then follows a length. You know, it has to be in such a network protocol. But it doesn't go until the end. Then follows a delimiter that tells us this frame is at the end. If that is missing, this end frame, then we know that there will be a type. Then we know if it is a request or a response. There are a few zero bytes.
There is a subtype that describes the further structure of the message, and a sequence number. If you look at it this way, there are still a lot of bytes missing. If you look at the bytes long enough, then you realize that there are always three bytes. They often group up and were suspicious. Then we looked at them a little more, and an A3 always leads to a so-called attribute block. Every attribute block also has a structure. We see here as a second argument an ID that describes what value it is. Then we don't know exactly; there is usually zero. That is probably a format. Then follows the data type. In this case it is a string. The string also needs a length, and afterwards the actual value that is to be transferred here with the protocol. A little bit strange are the numbers. If you first sit in front of the protocol and try to understand the whole thing, then all the lengths don't fit, because the numbers are coded a little strangely in this protocol. So we see here for example this number 81 69. If we look at the bottom, the first bit is set, and that tells us there is another byte for this number. That means the number has a variable length in bytes. If you understand that, then you understand a lot of the protocol, and it is important for the basic understanding so that you can change information later. Now we see the second message. We just sent the message that we would like to talk to you. Now the PLC will answer and say: I would also like to talk to you. And the only thing that interests us about this message is the 25th byte. This is a random byte. With every connection it is randomly selected, and it is probably a simple replay protection so that we cannot simply record something with Wireshark and then play it again. We flip the first bit, 80 hexadecimal, on it, and the result is in all the other messages that we want to send, as the 23rd byte.
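As an added example that is not part of the talk (not the speakers' code and nothing from Siemens): a small passive decoder for the two encoding details just described, the 7-bit variable-length integers and the A3 attribute blocks, plus the session-byte check a network monitor could use to tell a live session from a replayed capture. It assumes 1-based byte positions as spoken, most-significant 7-bit group first, and placeholder data-type codes, since the talk names the types but not their numeric values.

```python
from typing import Dict, List, Tuple

ATTR_MARKER = 0xA3  # from the talk: A3 introduces an attribute block

# Placeholder type codes: the talk names the types but not their numeric codes,
# so these values are assumptions used only in this example.
TYPE_STRING = 0x15
TYPE_UINT = 0x04


def decode_varuint(buf: bytes, pos: int = 0) -> Tuple[int, int]:
    """Decode one variable-length unsigned integer at buf[pos].

    Each byte contributes 7 bits; a set high bit (0x80) says another byte
    follows (the talk's example 81 69). Assumed: most-significant group first.
    Returns (value, position after the integer).
    """
    value = 0
    for _ in range(5):  # 5 * 7 = 35 bits covers any 32-bit value
        if pos >= len(buf):
            raise ValueError("truncated variable-length integer")
        b = buf[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos
    raise ValueError("variable-length integer longer than 5 bytes")


def encode_varuint(value: int) -> bytes:
    """Inverse of decode_varuint; used here only to build the sample frame."""
    groups = []
    while True:
        groups.append(value & 0x7F)
        value >>= 7
        if value == 0:
            break
    out = bytearray(g | 0x80 for g in reversed(groups))
    out[-1] &= 0x7F  # last group carries no continuation bit
    return bytes(out)


def parse_attribute_block(buf: bytes, pos: int) -> Tuple[Dict, int]:
    """Parse one attribute block as described in the talk:
    A3, variable-length ID, one (probably format) byte, data type, value;
    strings carry a variable-length length before the bytes."""
    if pos >= len(buf) or buf[pos] != ATTR_MARKER:
        raise ValueError("expected attribute block marker A3")
    pos += 1
    attr_id, pos = decode_varuint(buf, pos)
    fmt = buf[pos]
    dtype = buf[pos + 1]
    pos += 2
    if dtype == TYPE_STRING:
        length, pos = decode_varuint(buf, pos)
        if pos + length > len(buf):
            raise ValueError("string runs past end of frame")
        value = buf[pos:pos + length].decode("ascii")
        pos += length
    elif dtype == TYPE_UINT:
        value, pos = decode_varuint(buf, pos)
    else:
        raise ValueError(f"unsupported data type 0x{dtype:02x}")
    return {"id": attr_id, "format": fmt, "type": dtype, "value": value}, pos


def parse_attribute_blocks(buf: bytes) -> List[Dict]:
    """Parse back-to-back attribute blocks until the buffer is consumed."""
    blocks, pos = [], 0
    while pos < len(buf):
        block, pos = parse_attribute_block(buf, pos)
        blocks.append(block)
    return blocks


def expected_session_byte(server_hello: bytes) -> int:
    """25th byte of the PLC's hello with its high bit flipped; the talk says
    this value must appear as the 23rd byte of every later request."""
    return server_hello[24] ^ 0x80


def request_matches_session(server_hello: bytes, request: bytes) -> bool:
    """Monitor-side check: a request whose 23rd byte does not match the
    live session byte is a candidate for a replayed or forged frame."""
    return request[22] == expected_session_byte(server_hello)


# Constructed sample data (not captured traffic): two attribute blocks, a
# string with ID 233 (encoded 81 69, the talk's example) and a number 537.
SAMPLE_BLOCKS = (
    bytes([ATTR_MARKER]) + encode_varuint(233) + b"\x00" + bytes([TYPE_STRING])
    + encode_varuint(5) + b"hello"
    + bytes([ATTR_MARKER]) + encode_varuint(7) + b"\x00" + bytes([TYPE_UINT])
    + encode_varuint(537)
)
SAMPLE_HELLO = bytes(range(24)) + b"\x2A" + bytes(8)   # 25th byte is 0x2A
SAMPLE_REQUEST = bytes(22) + b"\xAA" + bytes(10)       # 23rd byte is 0x2A ^ 0x80

if __name__ == "__main__":
    for block in parse_attribute_blocks(SAMPLE_BLOCKS):
        print(block)
    print("session ok:", request_matches_session(SAMPLE_HELLO, SAMPLE_REQUEST))
```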
Now we can go back and record everything: what the communication is, for example, between the TIA Portal and the PLC. If we just pay attention to this step, we can just replay everything, and we can see how the PLC reacts, or what we want to upload or what we want to do. Then certainly our most important message, that is the download block message. The same structure that I just described; there are only two important pieces of information in it. One is the block type. We just saw them in this list, there were five or six different ones, and the block number. The block number is just a kind of storage slot. You say storage slot 1, 2, 3, depending on how many blocks you want to download. What follows there are a lot of attribute blocks; these messages are pretty long, and we just see a few of the attribute blocks that are in the download message. This is something like when the program was changed the last time. We see in which programming language it is programmed. We see the code that the PLC really executes. Exactly, and a part of these attribute blocks is really important for the PLC, because it needs the bytecode so that it can execute the program. Others are only saved on the PLC for the TIA Portal, so that you can simply get the program back even if you don't have it on your computer anymore. That means that as an engineer I can always connect to the PLC and have it tell me what programs are on it, a list with everything that is on it, including source text and everything that I would like. Exactly. Now you can think about a few things that can help us, what an attacker can do. The first is that we have data redundancy. I said here is this storage slot, place 1; the block number will also be transferred as an attribute in another place later in this message. This information is there two times, and the question is which of these two values do we see in the PLC or in the TIA Portal. You can say: both.
On the one hand, the PLC takes it as a storage slot, and I can say: save this block in slot 537 instead. Then it will do it; it will also execute this program block. At this point I don't change this number, for example to 1. 1 is likely to be taken, because the TIA Portal just starts numbering from 1, 2, 3. This allows me to hide code on this PLC, because in this moment, for example, an engineer says there is something strange on this PLC, let's look at it. What does it actually do? What are the programs on it? Then she will go there and get all the programs, but two times this block 1. In reality it is not; in reality it is saved at another place inside the PLC, but the TIA Portal doesn't know what it should do and just draws one. And so we can just hide parts of the code on the PLC. Another thing, also data redundancy: the code is saved in two variants. Once we have a zipped XML, as you can see here, there are comments; that means if the engineer goes there, he will get the original source text out of the PLC if he wants to. And we have bytecode that the PLC will execute. Now, if I know how to download this XML text, I can exchange something: something that looks harmless, something that looks like it should be, and in reality for the PLC just some other code. The engineer will never see what is really being done. That is of course a nice feature for such a worm. Then what you also have to know: you can just leave these blocks out, for example this XML source text; you don't necessarily have to include it, and that is also very good. You don't even have to think about it; what helps us is that it just reduces the amount of data that we have to download.
At this point we understood so much: we know how a message looks, we can calculate length fields, so we can create our own messages, we understood this anti-replay mechanism, and what you have to do now is download the program with the help of the TIA Portal. Just to implement it, there is just a little bit of work to do; you just have to do that. And what you do then is: you download the virus now, all the messages, and the finished program is downloaded, and we take this now and save these messages that we just downloaded in these data blocks that we have available, and then we just load it with our own tool. Of course we can't do this with the TIA Portal. And then we infect the first PLC; the first PLC we have to infect. What we have done is we have written the worm completely. We have the worm in the TIA Portal, we have written it onto it, we have let Wireshark run with it, we have just snipped the data and put it into the worm that we have built, and we will see about that. Then we have finished the first two functions. What is still missing are the last two. The question is, how do we activate the program? We have downloaded it, but how do we execute it? And there a function of the PLC comes to help us. We had said that an OB is a kind of main function. With this PLC it is so that there can be several main functions: you just load a second OB, the PLC then sees that it is there and just executes it afterwards. The good thing about it is that the original program that was on the PLC before is just carried out as well; that's it, we don't have to do much. Then we have the payloads at the end. Think about what you want: Denial of Service is a possibility, that means we can stop the PLC, we can manipulate the outputs, we still have the DCP function available, that means we can build up a connection to the command and control server, you can implement a proxy, you can actually do what you want, you have the whole programming language available. And with that we have worked on all four points of the virus, and for that
we have prepared a demo. I will be, with my laptop, the attacker. We will infect the first PLC, then I will remove my laptop, and the virus will spread among these four S7 controllers, and afterwards they will all build up a connection to the command and control server. That's it, let's take a look.

As soon as we have the picture: there are four PLCs. These are the PLCs that we can see here, or here. That's how they look: you have the Ethernet interface, then there are inputs and outputs, and up here there are the 22 volts; there are more inputs and outputs. We have assembled four of them, and I will now remove the Ethernet interface so that they are not connected. So now I have removed three; the fourth is connected to the switch that we see up here with the laptop, and Maik will now inject the worm.

So the first thing I will do is I start the command and control server, so they can connect directly. So it runs now, connection. In the next step, I have just written a script that will now initiate the virus, inject the first PLC. Now I have to give the IP address of the PLC. You have to know, now it runs, the PLC is already switched off, the virus is just being loaded. Now the PLC is running again. We do not see any difference in the program; the original program is running even though the virus is active. You have to see that the command and control server already has a connection; the first PLC has already connected to us. What we are doing now is we pull the laptop off. The laptop is off, and I put a second PLC on. I hope I did not wait too long. Now this PLC will attack, so we will see the same thing: it will be switched off. It is already on the scan, it will be switched off, and from now on it is switched off. We see that it is running now, the virus is being loaded, we see that it is running again. Now that was the one that we used to know, so we can see that it does not do everything; it is switched off, it does not have a network connection, and I put the other one on. That means the worm that has spread in
here, it is running again, and now it has to come down. We have it in an IP address in such a space that we have a little time; it will work. We know where it is scanned. That means, I hope that it will work. 2 ms, it is out, 2 ms per IP address. I think we have it in a distance of 50 IP addresses. It is running again. That means now all 4 should be switched off. That means I put the one on, I put the laptop on, and after a short time all 4 PLCs should be connected. There comes the first, there is the second, there, I have 4. We see now 4 pieces, so now we have a complete connection to the command and control server. In the background, if the running light is still running, you can stop one running light. Maybe put it off? Here it is: turn off the light, make it dark, turn on some light. Or everyone, can you use it as a bag? What else can we do? Can you put it on again? Exactly, we can choose one; the command and control server can do something. There is a filter M, that is the excitement when it is up here, the one up here, the one, that means it is working again, that we don't want to hear, that the one that has a digital connection, the other one has read it. That's why we made this a lesson. We actually have 3 different models; I think there are 2 different company units; all of them are 1 to 3 of these Siemens-based systems. We will talk about 4 later. Can we show something else? Do you have something else in petto?
A proxy. I don't know who of you last year, or this year, I don't know, there are some researchers that have implemented a proxy on the older systems. We also have a SOCKS proxy. If we can do that, we can scan, for example, an nmap scan. We see that the ports are scanned. That makes the PLC scan; on the PLC there is a SOCKS proxy and it runs the network scan. Since the PLC has connected to us, it would also work through a NAT firewall. That means we could then scan the network behind this firewall accordingly over these proxy scans. So that is also realized. The special thing, I don't know if it is clear: the protocol that has been used by Siemens has not been documented yet. There is an open source solution or a software solution with which we can perform these functions. Maik, in the first line, has tried to get out of the packets what the purpose of the packet is, especially the numbers that he mentioned. There is still a long way to go; the number itself is only 7 bits; it took a very long time until we understood it.

Now you want to switch it off. Now you are out of the box, now you are out of the box. The power supply is not enough. We have a power supply; it takes a moment because they have a bit of a buffer. Now you are out of the box, and now we will see that here just the ... are switched off, not by itself. The power supply is not enough; it is not enough to pull around. It is a feature, no safety hatches next to it. We have not used any weak spot; that is all by design. The protocol gives us these possibilities. The protocol offers not the possibility; with default settings there is no protection. But with default settings, what has to happen here: someone has to come with the TIA Portal, with a programming PC, with a PG as it is called by Siemens, or if the system has a web server, you can switch it on and activate it. I think that is enough. Back to the portfolio. Now it is interesting to see how the virus or the worm affects the PLC. We have seen that the program lasted about 10 seconds; that is because
we download a new main block, we have to stop the program. That also creates a lock; depending on what the machine controls, it is very noticeable if the engine stops for 10 seconds; a lot of alarms can start. But maybe with a rail, if it does not arrive in 10 seconds, then you would probably not notice it. But you can also improve it: if you do not download a new main block but just extend an existing one, that is also a feature of the Siemens PLC, that you can change it at runtime without stopping. You have to implement something like download the program, load it up, change it. That makes the worm more complicated; that is why it is not implemented. It is technically possible. We also need a bit of storage: 38 KB RAM, then we have 220 KB persistent storage. That is a relatively small model, with 77%, but of course also because we have a command and control server, a lot of features. If I know exactly what I may have for a bad function, I can reduce it again. Effect on the cycle time: of course we have to pay attention, otherwise we will immediately generate an error. We only need 7 milliseconds, and that corresponds to what we would expect, because all functions are written asynchronously, which is what I just explained, and we have as good as no cycle time. That is why we need it. Then also: how do you get the worm out? There is a possibility to do a factory reset; after that the entire user program is deleted, also the virus. Or you simply write the worm OB, then the virus is also gone. Then we have one more thing: does the TIA Portal see the virus? How does it look? We see here on the right just different blocks; that is an original program that was downloaded onto the PLC by some engineer, and he can now go there and say: please tell me what is on the PLC right now. Then here on the right, everything green, that means that's the same thing you did, that is up to date, and down here we see the circle: changes, there is something new. We can try, with what I just told you, to hide it. It would be another possibility if you
play around with these attribute blocks. If you enter a few strange values, then the TIA Portal will crash, and the engineer doesn't have a real possibility to understand what actually happens on the device.

Protection: how do you protect yourself from the whole thing? That's a big question, and there are different possibilities for protection, how to achieve something like that. Of course, the device doesn't connect to the network; so Internet of Things with the old industrial control is a bad idea, also Industry 4.0 with the old industrial control, and that's already too old although it's only two years old. That's a bad idea, that's just per se. Besides this worm that we just presented, we also found real weak spots in the systems that actually allowed us to bring the system to a crash or do other things with it. And that's not just Siemens; it's across the board, and especially the older systems. And the way some manufacturers deal with it is sometimes really scary. With Siemens, for example, we have a very good contact; we report the weak spots and they react relatively quickly, try to fix and patch, and see the problems are also better in the current models. But we have another manufacturer, Mitsubishi; that was a contact manufacturer for the first half of the year. Then we somehow made it to the USA; we sent everything, the complete description and a curl call. Then we got the answer back that we should describe exactly with which tools, with which software we had done it. I wrote back: just read our advisory. Then it took four months until the information came: yes, we patched it, and no, there is no update for the old systems; it only gets patched in the new systems that we are now selling. That means also that in industrial control like this one with built-in Ethernet, the way something in house automation control, climate control, flight control or something else, which are problematic... Different manufacturers try to secure their systems a little, and with these
devices here, with this firmware version, there is the possibility to switch on an access protection. The access protection is off by default. When I switch it on, I can switch it on in two variants: I can switch it on as write or as read/write protection. Then it protects, because I am not able to load the program onto the PLC; I am not able to switch on the write protection; I am not able to transfer a program onto the PLC. I can read the program. I am also able to manipulate the access protection from the outside, but I can't play a program onto it. What should we do to secure the system? Something like this should be switched on by default. The users should be aware of it. There has to be more awareness with the users who implement these devices, that they know that such things are possible, that they basically have a real PC, because that is what we have: we have a real PC with all the problems that we have been trying to fight in the PC world for 20, 25, 30 years. Of course you can do it with firewalls; the PLC opens up the connection; there is no connection to the internet. Then we have to think what other manufacturers look like. Is there a possibility that other manufacturers are just as affected? That is probably not a very specific problem; there are also other manufacturers that build such devices. What do we need for the worm? We need an internet connection; we have to have the possibility that the user program is loaded via TCP; we need programmable TCP functions in the programming language of the PLC. These are a few leading manufacturers: Siemens, Mitsubishi, Schneider, Rockwell. Those who are still out are the ones who actually bring in their models from themselves or offer them as an additional module, and who then also have TCP functions in their PLC language. That is basically just this Modicon Easy; this is probably something like a Siemens Logo, something very small. And these are the ones who actually have TCP functions in their programming language. The other
one was that the program was played by TCP and they offer TCP IP functions in their programming language basically it would be possible for all these variants to plant something like a WURM because the PLC just has these functions if this is the case we don't know what we currently know is that on the S7 300 and 400 it would probably be relatively easy because these protocols are well known and well understood when the Access Protection they also don't have the Access Protection what we know is that on the 1500 and on the 1200 V4 it doesn't work that way the protocols have changed they look different the big problem is now that you don't just if you would go there and say I have here the 1200 I will play the V4 version 4 then it won't work this is Hardware version 3 I can only play it until 4 version 3 that means I have to buy new ones is now a business model maybe this manufacturer I don't know but it has to be clear that you can't make any update on a new version if you don't buy the new Hardware that's about it well that means what we will do in the future maybe we will look at some other manufacturers we have one or two devices for Mitsubishi and we also have one or two devices for Schneider Electric and what would be very interesting we have only looked at Ethernet those of you who really know that the SPS communicates a lot about fieldbus and it would be and then I often have only one a slightly stronger one that works as a gateway between the fieldbus system and the Ethernet and then it would be very tricky if I could infect the gateway and then it would spread to the fieldbus I don't know I don't know those are things we will continue to do we will look at them and with that I am done and we will open for questions and maybe we will answer them thank you very much for the great talk and the demo god was with you if you have any questions please ask behind the four speakers that we have from the internet yes, the signal feature please we have a lot of 
questions many are about these protection things can you switch them on and off can I control the whole thing about the worm from the device itself and do all the manufacturers that deactivate the default yes, the manufacturers I don't know if that is the case with everyone it is not activated and yes, I can deactivate the protocol but of course I need the password and then I can use the password directly the whole thing is protected and the programmer has to have the option to switch it off so this protocol can also be switched off microphone to the left please we have looked at whether it is exploitable whether you come from PLC to the PLC of the engineers so far not yet you can only do one thing do we have more questions our signal engine how do you get into the network of the PLC do I have to take my laptop or do you have one thought I sell a new machine I have a tool with textile there are several web chairs and I just sell another web chair and the chair comes with the worm on the PLC in this company that means I don't really need physical access to the network I just have to make sure that one official SPS actually comes into the company in this industrial network and that can also be a component of a machine, something from the manufacturer or during the transport you know you are infected microphone to the left I have a question about the program is there any SPS that has a kind of privilege isolation between individual functions blocks what is the standard technology for correct calculations and I know that this automation technology is 20 years behind so if you are on it as a program you can perform everything you want you don't even need to access the other blocks I am the program I am carried out and do what I want that would be interesting to find out how the system is built to read out the other programs the best is also in the source text that is also part of the understanding of this system so what is possible we are in a system where the software 
is written with the complete code of the PLC to read out we did that to understand how the protocols work how they work and then we looked at the behavior of the animal portal what the animal portal does basically it is also possible to read out the other blocks via the network to read out other PLCs to send this information and also a little note about the infection of the field buses as I have taken this corner the first thing you write is a bootloader for the field bus no one wants to run with the JTEC adapter and tell them microphone in the back right is carried out by an infection control so check if you have infected the SPS because otherwise you boot them all always new and that happens when some further bands go out to refresh so it is a good question yes we do I have said that we simply download another main OB block and what the virus does before it is loaded for itself that he asks once is this block already there either he gets a error message or the answer comes yes the block is there we have also seen that when once all the PLCs were infected he did not go out again further PLC the whole thing is only a proof of concept we are quite sure how far we the code and part of this code will be published because we are aware of the problem but it is only about having that as a proof of concept that to to be able to present sensibilisation because I think that is the biggest problem so we here in the room when we come from a PC environment we are probably here at this event very clear how important it is to take care of the security of operating systems and computers in this industrial environment especially with this person who implement these systems the creators of the appropriate machines they are not aware what an excess protection means what the other protective mechanisms that exist what you should be able to do we were once at a manufacturer from the automotive sector and we talked to him about his industrial control and how he is going to deal with it 
from the aspect of security and he said yes of course it is the workshop network the manufacturing network is afraid of the manufacturing network so the thought was you wanted the office network to be separated from the industrial network because you were afraid that the industrial network would get into the office network you can also understand that in this industrial network there are a lot of remote accesses so every manufacturer who brings you a new machine in your company like a welding robot wants to close the maintenance contract with it to have the same remote access that is normal they don't know that as a manufacturer of their industrial network as a small and medium-sized company who is currently operating in their industrial network which of the remote accesses is actively used because pulling it out with the plug when no remote access is needed is also something that you know I have a acquaintance who got a new hall that leads light to the ceiling he can control it with his smartphone for that he connects the smartphone with a server somewhere on the internet the ceiling light connects with the server somewhere on the internet and that is then transmitted and then he can lie on the beach in Mallorca and turn on the light in a workshop I don't know, the light system cost 50,000, 60,000 euros and that is the current state there is no security sensitivity and that is why it has to go it has to go in this area to build up a certain sensitivity but I would like to ask another question we have a question from the IRC and then another one from the hall so several people want to know whether you can calculate or build a gate with it somehow how do you calculate how do you calculate it maybe you can buy cheap raspberry pies or something like that otherwise you can implement a proxy server so you can surf over it if you want to with corresponding restrictions in the speed then we have another question from Saan Mikro, left, right I had heard last time that the 
Honeyhead project also built Honeyheads that deal with industrial systems do you deal with it too? can you reproduce it on this emulated no, we have our knowledge there are no free available emulation there are emulators but we have not tested it on emulation another question we have another one from the hall and then another one from Signal Angel and then the time is around just one question do you have any tendencies in the industry to go over the short-signature to support the short-signature we don't have that in the PC area so I hope I hope that what we are doing actually leads to it as I said, we have a very good advice to Siemens and if this may sound a little bit rice-like or something like that we don't want to make Siemens a prank Siemens actually does a lot to make the security of these systems better maybe they are a burnt child via Stuxnet etc but short-signature with many of these industrial disorders it is currently when they are out in the field that the performance of the emulation wouldn't be enough to test the short-signature or to build broken connections that means it will probably come in the new systems in the next versions and yes, a lot has happened as I said, our worm doesn't work on the newest systems at the moment and as Siemens has secured it is also connected with security functionalities that they would have implemented there and therefore yes, a lot has happened but the big problem is that the Internet of Things is coming now the Industry 4.0 is coming now and outside there are a lot of industrial systems that are still 20, 30 years old that means it has to go to make it clear that you can't just put them on Industry 4.0 that simply doesn't work I can't have a complete network from customers to industrial control the danger is way too big that then such measures can be taken by some attackers one last short question from our Signal Angel the question is, will this feature be used actively? 
do you have any information if someone is doing it? we don't know I hope not thank you for the lecture Mike Brüggemann and Ralf Spennenberg