Hey everyone, I'm Ganesh Devarajan. I work for TippingPoint, as part of DVLabs, and I'm currently researching SCADA. So, first of all, welcome, all. Is there still anybody here for Dan Kaminsky's talk? I think they should be; it's in track three, so go there.

Alright, here's the agenda for today's talk. I'll be talking about a general overview of SCADA first, then give you some ideas about the protocols, why we need security in SCADA protocols and how we can secure them a little bit, and then about the fuzzer, which is not being released. The fuzzer framework has been released, but the SCADA part is not being released. Some people were pretty upset about me releasing it, so I'm holding it back. I don't know; there are lots of talks. And then some basic future work and everything.

Firstly, I know everybody here knows what SCADA is; everybody's got an idea about SCADA. If not, here's the definition, and I'm just going to read it out for you. SCADA is supervisory control and data acquisition. It's defined as the common process control application that collects data from sensors on the shop floor or in remote locations and sends them to a central computer for management and control. SCADA has different definitions in the United States and North America versus the rest of the world, and as you can see, those are the two.

Where is SCADA mainly used? It's used in all the critical infrastructures and all the utility companies. These are all the places where you find SCADA most regularly, and some of them are really not secure, and you will see why.

What is the basic infrastructure of a SCADA network? I'm going to go top-down, starting from the operator, the human who looks at the fancy GUI provided by the different vendors and then makes the decision. And he gets to make a decision only when there are cases where flags have been raised by the RTUs or the MTUs. Then the human-machine interface, which is the fancy GUI provided by the vendors. This one interacts with the MTUs, the master terminal units, which are one step above: they collect information from all the remote terminal units, process the information and then raise a flag if it needs to be raised.

Then the communication channel. Suppose you have a SCADA network with two plants, one on the east coast and one on the west coast; it goes through the internet, and some of them are open channels, clear text, so good luck with that too. There are other SCADA networks too, smaller ones like manufacturing units, where it's all local and you have wireless and those kinds of things used there.

And the remote terminal units: these are the units that send out instructions to all the end nodes and query the sensors, asking things like "what's the temperature you're reading?" or "what's the number of units you still have?" That data is sent to the MTUs, the MTUs send it to the HMI, and the HMI processes it and then puts it out to the human operator.
This is how the traditional SCADA network used to be, where the blue line on top is where the internet, or Ethernet, is used, and below is the device-level network, proprietary kinds of networks. Initially they all used to be RS-232 and those kinds of networks; later on it's become a bit more internet-like, and you see more blue lines all over the place. There are still plants following this kind of network, with a device-level network still going on in most places and the internet on the upper level. This is how some of our current ones look, I think it's the gas industry; most of the gas industry has already taken up Ethernet even for the RTUs. In the future you will find almost every single SCADA network being this way, with the internet all over the place, so you can communicate to every single node and request information: what's the temperature, what are your current readings, or just shut down and listen to whatever the server has to say. You can send in all sorts of details to them.

Why do we need security in SCADA? Initially Modbus was created in the 1970s, and it's still widely used, and vendors are still coming out with new Modbus software and releasing it. You can imagine how it was in the 1970s, and there isn't much improvement done since. Initially they had Modbus RTU, then Modbus ASCII, which I'll be discussing in more detail in later slides, and then they just decided, okay, let's put it on TCP/IP and communicate through the internet. They just put it up without giving a dime about security, and it all goes in clear text, and you can just communicate to any single node over there.

So the whole problem with having a SCADA network over the internet is that it's easily exposed. I'm sure that if it's really important infrastructure, there are all sorts of defense mechanisms around it so that hackers don't get into it and do anything to it. But what about cases like small manufacturing units, small companies? Can they spend tons of money on security and putting in all those defense mechanisms? So they are much more vulnerable to this. And there are cases where, even though they have all the defense perimeters set up, one or two nodes just happen to be dangling out, because it's such a widespread network. Or somebody from inside the network could take control of these nodes and then use them to attack the servers too.

The funny thing about SCADA networks is that with protocols like Modbus, you just send an instruction and it sends back a response. It's not going to verify whether you are the legitimate server, or a legitimate client sending this instruction. You just send a reboot command to the server and the server blindly reboots. You don't have to authenticate or do anything of that sort.

There's one example I'd like to give. You have company A and company B doing the same thing, say Dell and HP, and HP wants to take over Dell. One easy way is to take control of the SCADA system and burn down all their servers by saying the temperature reading for the server rooms is, say, 68; just provide false data over there saying
it's 68 while all the servers are burning down, and with that the entire structure of the company is gone, all the data is lost, without even having to hack into every single computer and take it down. So it's much simpler to take it down if there isn't a proper defense mechanism around it.

The current security scenario: poor authentication and verification of the client nodes. Like I told you before, you can send instructions to the server, or you can pretend to be the server and send instructions to the client saying "do this," and it's just going to blindly do it, with protocols like Modbus and DNP3. Whereas with ICCP we have to do a little more jazz: the entire authentication portion, then the connection, the three-way connection, and then go about doing the hacking over there. I will explain all three of them, how those connections work, and you can see those things too.

Most of them are running on really old Windows or Linux platforms, and there are so many platform-based vulnerabilities that can still be exploited too. There are cases where you go and exploit known vulnerabilities, zero-days, or even old ones, because half the systems are not able to be patched; they need maximum uptime, because the moment the server goes down they have to do all sorts of maintenance, which takes a lot of time, and they are a little hesitant about it. Most of them believe, "ah, nobody's going to hack into these small manufacturing things," and it depends: if you're really small, nobody gives a damn about it, but as you
use the fuzzer to find those things and help the vendors patch those vulnerabilities and fix them too.

Here are some past news articles about SCADA attacks. One was in the Washington Post about Al Qaeda having control over one of the power plants; it was reported in the Washington Post, right there. The second one is Boden, from I think New Zealand or Australia, one of those two countries. He got fired as a contractor, and he knew exactly how those control systems worked, and he basically took over one control system and said, "If you don't give me my job back, or pay me a ransom, I'm going to introduce pollutants into your drinking water," and cause a countrywide thing, which is serious. I think they gave him his job back or something, or they took him down; I don't know what happened with that. There was the Slammer worm, which affected one of the nuclear power plants, and the security defenses were down for a while. And there's this gas pipeline thing, where again a particular dude got hold of the gas plant's systems and they took him down within 24 hours.

So there are attacks going on, and some people are aware of security and the need for security in these places, and they work on it, and I think everybody else should consider the same thing. It's been around for a really long time; it's not like SCADA networks came in just yesterday or today. They have been there for a few decades now, so it's high time we consider security in these networks.

These are a few of the protocols that are standards people can use. There are so many other protocols that are very proprietary, and companies think, "If I have a proprietary protocol, people won't know my protocol details, so they won't hack into my network." There are a few companies with that kind of belief. It's really just about the time frame required and the interest of that particular hacker: how much time it's going to take him to hack into those things. Of these protocols, I'm just going to discuss Modbus, DNP3 and ICCP. I am working on OPC now and some of the IEC standards too, so probably that's future work.

Stepping into the first protocol, Modbus. It's one of the simplest protocols, very easy to implement, and open source code for the Modbus protocol is already out there. That's how most of the companies are developing: there's Java code for Modbus, I think it's called jamod, and you can just go download it and start your new company, saying "I'm a SCADA software provider," and start selling the product. All you've got to do is create a fancy GUI for that particular protocol and start selling your product. It's pretty easy. Modbus was developed in the late 1970s, and it's been sticking around. Initially it was developed for the RTUs, and now it's used widely on the internet too.
If you look at the protocol detail, the first two bytes are the transaction ID; these are on every single transaction with a unique client node. The second two bytes are the protocol identifier, which is always null. If you look at the highlighted portion down there, the first two bytes I've just kept as nulls, which is the transaction ID; the second two nulls are the Modbus protocol identifier, which is 00 00. The next two bytes are the length, which is six here. Even though you have two bytes for the length, the maximum allowed length for a Modbus protocol is only 254, so if you see any length greater than 254 bytes, right there you can notice that there's an attack, or somebody's trying to fudge around with your data. I'll show you how many queries there are; almost all the queries have a length of only 06, so that's an easy way, if you're writing an IDS filter or something, to just say the length has to be 06 and not more than 06. The next byte is 0A, the unit identifier, which uniquely identifies every single node. Like I told you, there can be a maximum of 254 nodes; that's the maximum connection each RTU can handle. The next bytes: 08 is the diagnostic mode, which I will explain again in the next slides; the next two bytes are the sub-function code, and the last two bytes are the data bytes.

Here's the function code list. These are all the things your server is going to do. If you send 01, it's going to ask the server to read the coil status and send you back the response. If you look at the hex 11 value, which is report slave ID: if you're trying to do an enumeration of your network, all you've got to do is send report slave ID, report slave ID, and get all their IDs and the details about those particular nodes. That's kind of a mapping, enumerating your network right there. There are some instructions, hex 09, hex 08, which are more of a proprietary kind of thing, and even the hex 12 value, and there's other stuff that can be really bad too. Suppose you have ongoing communication: one particular easy way to stop the communication from happening is to reset the communication every time, which is the hex value 13. So you can do those kinds of simple things, which are very easy to do but can cause a lot more damage in the longer run.

If you saw the previous slide, I didn't have 08 there, because 08 is the diagnostic mode, and it takes a sub-function code as well. These are all the sub-function codes, and one interesting one is the second one, the restart communication option, so you can just keep on sending restart communication. Is there a reboot command here? No, that's in DNP3; yeah, there's a reboot command there. And you don't want to be seeing any instruction above 16 over there; clearly it's not meant to happen there, at least at this point in time.

Going on to the next protocol, DNP3, the distributed network protocol 3. It's mainly and widely used in all the utility companies. Here's the architecture: the first two bytes are always the sync bytes, 64; the next byte is the length byte, and again the data packet cannot be more than... actually the length here counts the entire data, which can be a maximum of 250. But a funny thing happens in the DNP3 protocol: after every 16 bytes of data, there's a 2-byte CRC added, and they have a different kind of CRC, called CRC
DNP3, and I have that one implemented too if someone requires it; it's available outside too. The next one is the link control, which ensures that your communication is going fine, then the destination address, source address, and the CRC, and then the data.

Here are some of the internal indication flags that DNP3 follows, which can be used against or in favor. It's a 2-byte thing, and I'm just going bit by bit; you can find out all the information about the server, the time it was started, and everything. As I was explaining, the transport layer byte lives in the data portion: the first byte of the data portion is always the transport layer byte. If the first bit is set it means it's the first packet of the communication; if the second bit is set, it's the last packet; if both are set then it's the only packet; and the next 6 bits are used for the sequence number. Then these are all the application layer, and DNP3, like I was telling you, has 2 CRC bytes after every 16 bytes.

The other interesting thing about DNP3 is that it was formed not exactly out of urgency, but they wanted to have a protocol for all the utility companies while IEC, while ICCP, was being formulated. So it was a quick thing they wanted to pull out: they took all the readily available things from the IEC 60870 standards and used them for the DNP3 protocol, and that's how DNP3 was formed. It was initially developed for the US, and then I think it just spread around.

Going on to the next one, ICCP. ICCP was developed mainly so it can be used in WAN networks, and if you look at it, they take into account many of the security issues. They have their own layers: after the entire TCP/IP communication is done, they have the connection request, then the transport, and I'll explain those in the coming slides. There's the bilateral communication table: every time you make a request to a particular server, it checks whether this client is authenticated enough to have this kind of data, whether it's read, write or execute privilege only, or no access at all, and based on those privileges, access is provided or denied to the particular client. Then the application control session service element is used to associate more connections; since ICCP is used at the higher level of the control systems, it's going to have more connections, and it's built for use in the WAN.

Here's the protocol summary of how ICCP looks, the different layers. The second one is the connection, and I'll just go into it. This is TPKT, and if you look at this protocol, it's just got four bytes: the first byte is the version byte, always 03; the second byte has to be null; the next two bytes have to be the length bytes. How could someone mess this up? Well, there's a big vulnerability in it that has been disclosed. One company's implementation was used by so many other companies, and they're all vulnerable to it, but it's been patched and it's all secure by now; I hope all the clients have also updated. So here's the simple structure, and following these four bytes is COTP, the connection-oriented transport protocol. The initial connections are like this; by the way, they are all connected together, I just didn't have space, so I had to break it up this way.
So the first byte is the total length of the COTP header, then the PDU type, which says it's a connection request or connection confirm; those are the two hex values it has to take. Then the destination reference, source reference, and the class options. For the next three things you see, the value C1 in the first one makes it a source T-SAP that it's requesting; the parameter length, say 12, means you have 12 bytes of data over there in the source T-SAP, so that's how the length varies; C2 and C0 are for the destination and the total size of the TPDU.

Then this is the data transfer portion of COTP. Initially, after the TPKT is done, we have the COTP connection request and the connection confirm; once those two are done, we have the data transfer portion, which is pretty lightweight again, just three bytes: the length of the data that is going to follow, then the TPDU type for data transfer, which is one byte and has to take the value F0, and then one byte that just says if it's the last data unit or the initial one. If you look at the highlighted portion again, it's 02, which is the length, F0 for data transfer, and 80, which says if it's the first or the last packet, sorry.

Then this is the disconnect request, at the end, when you want to terminate the connection. Again we have the length, the disconnect request, which is one byte with the value 80, then the destination reference, source reference, and the cause. So here's the other thing: if you are taking down an ICCP server, you might want to make sure that the cause is a value that is not suspicious. The last byte in that one is 81, which means it's due to congestion on the other end, that the server is going down right now; if it is 80, then it's the normal cause, so the server is going down for a normal cause. These are all the things people need to look into, and not expose these kinds of details.

Now moving on to the fuzzer. It's named Sulley, named after that guy from Monsters, Inc. I've never seen it; it was Aaron's idea to name it Sulley, and I thought it was a really good thing, because he is fuzzy. So what does the SCADA fuzzer detect? It detects all the protocol anomalies, if they are not implemented to the RFC standards; then, if there is unauthorized communication going on, some byte values that you're not supposed to see going through the wire, those are all determined by this; and then the possible denial of service attacks, which can be created by crashing the server or sending in false status. These are all the protocols I'll be discussing, and again I'm telling you, I'm not releasing the tool right now because of a few requests.

These are the fuzzer's main components. The initialize function just initializes the blocks; Sulley is basically a block-based fuzzer, so it takes in values in blocks. Like I told you, if you look at the PDU over here, it all has the length byte, which is just one byte, and then the PDU type, which is one byte, those kinds of things, so you just put in blocks over there and add your own fuzzes. pedrpc is used for the communication between the VMware image and your base host. Then the primitives: suppose it's an integer value, then we mention it's an s_int and go on with those
things; or if it is a character, a word, or a short word, all those kinds of blocks are already predefined, with all the fuzzing test cases built in. Then sex.py is Sulley's exception handler. The different agents over here: the agents are one of the neatest things about this particular fuzzer, and I'm sure Pedram and Aaron worked their asses off building this. There's the network monitor, which makes sure all the connections are fine and logs all the pcaps and everything, so if one particular thing crashed the server, you don't have to redo the entire thing; you can just collect the pcap and see what particular value it was, and you can keep running that one. Then there's a process monitor, which sees if the process got killed or the CPU usage of the process shot up. And the most elegant thing about the Sulley fuzzer is the VM control. If you're running your entire test case, the software application, on a VMware image, and you're sending out all your test cases from your base host, and at one particular time it crashes: there were cases, some software that we tested, not the SCADA software but other software, where when it crashed, even a reboot of the image didn't give us back a good working condition, so we had to go all the way back to the known good state. With a VMware image it's really amazing how they can do it: it just reverts back to the last known good state and then keeps running the test cases again.

Here's the general architecture of the Sulley framework. There's the data generation portion, the big gray box over there, and then the session controls, and it does all the blocks, basically, and the graphing of it. The other good thing about it is that, since it's all graph based, we can see at which point the decision was made to go into different places and what other options can be given to it, what other options can be given to go into different code paths. It covers more; it covers the entire code base of the software, which makes it much more useful for finding out if there are any bugs in different portions of the software, rather than a traditional one where you just say, okay, this is the software implemented for Modbus, so you just check for these controls and aren't bothered about the other operations, which might be an added advantage.

The first one is the web page of the Sulley fuzzer, how it looks, and the side one is the book that Pedram has written on this, not just Sulley but all of fuzzing and everything, if you want more information on Sulley.

Here are the code snippets for all the protocols I've just discussed. The first one is basically the initialize; all of them have to have an initialize. Then there's the static portion, which over here is the transaction ID; sorry, I'm just keeping it static because I don't care if the transaction ID changes. If you want to change it, you can use a string or a char or a short word and fuzz that transaction ID as well. Then there's the length byte and the protocol identifier, and then the length byte again. Since it's a block-based fuzzer, if you're adding more data in the in-between portion, the size will automatically increase, and it will fuzz on that basis too. This is just an easy reference against the protocol over there. The DNP3 code snippet is something like this, where you have the first two bytes, which are the sync bytes, then
the static length. This one I've done with a static length, so I haven't included any of the values below. Then DNP3 uses a special CRC, like I told you, so you have to follow that particular thing. And this is TPKT, which again is just a simple thing, just a four-byte value, and you can fuzz every single thing. And COTP, and more.

Okay, I can show you the demo. This software, I just downloaded the demo version, the first software that I found, installed it and just ran the fuzzer. Yeah, sorry, I can't disclose that; sorry, I'm holding on to it, I'm really working on this one.

The response: no, Sulley is released. Yeah, Sulley is released; just the SCADA portion of the Sulley fuzzer, all the test cases and everything, those are not being released. Sulley has been mainly developed by Pedram, so it's his tool and he is releasing it; the SCADA fuzzer portion of it is not being released. You don't have to reverse engineer it; you can build your own if you can read the architecture, how the protocol works. So whatever work I did cannot be released, because I don't want to fall into anything.

So I attached the debugger to it, and I hope it works. Okay, I think the internet connection is not there... yeah, I've turned off my wireless, so I was hoping my VM network was connected, and it is. There you go. Oh yeah, no, I'm sorry, I opened up the port here; this port is open, I can just show you that. If you look at the port fire tool, the Modbus port is open right now. So these are all the fuzzing test cases that are going over there, right there. If you saw in the background, it just crashed, and I'm not disclosing anything else about that, sorry. And these are all the different fields, as I explained before. If you look clearly, the first two bytes are the transaction ID, the second two bytes are the protocol identifier, which is null, the next two bytes are the length, which has to do with the particular length of the protocol, and then 0D is the unit identifier. Then the next one is the diagnostic mode, 08, and the following is the sub-function code, which is the reserved one under the sub portion, and then the other data portion, which is all there. So there's a huge bunch of things, so you don't know which one crashed it. Sorry, so that was it.

And if you do find bugs in... let me just finish with my slides, sir. I would recommend being responsible in your disclosures; please don't go and hack into anybody's SCADA systems and please don't cause them a lot of trouble. And we, as part of TippingPoint, buy vulnerabilities, and you get paid for it too. We do a lot of responsible disclosure, where we talk to the clients and make sure the vendor is not being exploited in the meantime, and since we're an IPS company, we can write the signatures for it, at least for our own clients.

Sorry, I have no clue, sir. I have no clue, sir. Conclusions, isn't it? Everybody wants to make money, right? And I was releasing it for free, and now even I'm not doing that. The tool: okay, you can try talking to the ZDI program and see what it's like.

The conclusion is basically the basic SCADA network architecture that I discussed with you guys, why we need security over there, and the SCADA protocol details that I gave you, so if you want to build something up, not just for SCADA but for any reason, you can do it. The Black Hat slides for the Sulley fuzzer are also out there, so you can use those as a better guide too. Future work will be to have more SCADA protocols and two-way fuzzing: suppose in the case of ICCP, you send the connection request and then send in all the first data and then pretend to be the guy who sends back the
connection response and then like yes and we do have ASN1 decoder in Sully too let me just and these are all the references that I have and those architecture slides I got from someone I don't know who so that's why I don't know and acknowledgments for these guys yes sir it's I am not from that community so it's like it's like mostly like the literal thing and like I know like there's so many companies who just go out and like build softwares release it right there they just want to get into the market as soon as possible rather than like wait for like all the entire testing of their own products yes sir well what if there are cases where like say there are people who do patch their systems right there are people who patch their systems regularly patch too we can do it the vendors have to do it so if you do find some yeah they will say like the vendor was not safe or something like the place where it was implemented they didn't do a proper job it's always going to be like one person kicking the other person's back that kind of a thing so just let me finish yes I'm like that's how it is there are people but the good thing is like at least now the skater vendors there are many people who go about patch their system like more than us I think US cert has been like hitting the hammer I think they got like a steel hammer a little bit no I don't know at least like they seem to have more advisories out there I'm like I'm sure like all the smaller skater vendors they don't even give a damn because they say like we don't have such a big customer base like we are just going to like sell our products to like these small manufacturing units those kind of things it's like those small manufacturing units in the later years when they big become big and they're still using these softwares that's when they're like much more exposed like when you're small nobody cares once you start growing that's when people start noticing you and start trying to attack you that's true but like most 
of the cases is like they want to say like we support this protocol we support this protocol so like their data sheet becomes bigger and like they can like sell their product that's how they try to do money so the first thing will be much more useful like in the case like where like the vendor wants to test his protocol before releasing it out to the you know like I don't think they're going to raise their hand over here and say like I'm a vendor over here of skater to respond to the other one some of the skater networks don't even have a firewall in it so yeah there's a guy who's interested in that right now yes sir yes yeah I know like I really appreciate like some of the vendors they like they've been notified about the vulnerability they go about patching it and sending out new updates right there and ICCP was one of them take a bushy is another one like they all do this kind of work and like it's like people the people are taking interest like it's just like the rest I'm like they're like so many small vendors who don't give a damn about it I'm like and those small vendors are like the cheaper ones which are being used in like all the smaller networks maybe like all the major critical infrastructures they pay big money for like the big vendors and like just because they have this brand name over there they use that kind of thing but even they are wonderful but like but there are like protocols which have been implemented which are allowed to travel through wireless too so no I haven't I'm just looking at the protocol stack right now and I haven't had chance to like go inside like the real thing and like do it and like I don't intend to do it either like into like a real control system and like screw up somebody's network I don't want to do that I don't want to be part of it yes sir so the Sully was like the base framework so the framework is built and like I used my scripts for all the SCADA protocols so yes we are they are already out do you want to buy us 
yes sir buy new ones it's going to be freaking exciting
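The Modbus/TCP field walk-through in the demo (transaction ID, protocol identifier, length, unit identifier, function code 0x08 and its sub-function) is easier to follow with a decoder that also checks the header against the payload, which is what a monitor watching a Modbus port would want when frames like the crashing test cases arrive. The following is an added example, not code from the talk or from the Sulley fuzzer. The sample frames are constructed; the 260-byte ADU ceiling and the sub-function 0x0000 (Return Query Data) come from the Modbus/TCP specification rather than from the talk.

```python
"""Modbus/TCP (MBAP) frame parser with defensive sanity checks.

Added example, not code from the talk or from the Sulley fuzzer. The field
layout is the one the talk walks through: transaction ID (2 bytes), protocol
identifier (2 bytes), length (2 bytes), unit identifier (1 byte), function
code (1 byte, 0x08 = diagnostics), then a 2-byte sub-function for diagnostics
and the remaining data. Frames whose header contradicts their payload are the
kind of input a fuzzer emits and a monitor should flag.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

MBAP_HEADER_LEN = 7      # transaction(2) + protocol(2) + length(2) + unit(1)
MAX_ADU_LEN = 260        # Modbus/TCP ADU ceiling: MBAP header + 253-byte PDU
FC_DIAGNOSTICS = 0x08    # function code shown in the demo traffic


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int                   # MBAP length field exactly as sent
    unit_id: int
    function_code: int
    sub_function: Optional[int]   # only present for diagnostics (0x08)
    data: bytes
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_mbap(frame: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP ADU and record every header inconsistency."""
    if len(frame) < MBAP_HEADER_LEN + 1:
        # Not even a full header plus function code: nothing can be trusted.
        return ModbusFrame(0, 0, 0, 0, 0, None, b"",
                           [f"truncated frame ({len(frame)} bytes)"])
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_HEADER_LEN])
    fc = frame[MBAP_HEADER_LEN]
    pdu = frame[MBAP_HEADER_LEN + 1:]
    problems: List[str] = []

    if pid != 0:
        problems.append(f"protocol identifier {pid:#06x}, expected 0 (Modbus)")
    # The length field counts unit id + function code + data, i.e. everything
    # after the first six header bytes.
    actual = len(frame) - 6
    if length != actual:
        problems.append(f"length field {length} does not match payload {actual}")
    if len(frame) > MAX_ADU_LEN:
        problems.append(f"frame of {len(frame)} bytes exceeds {MAX_ADU_LEN}")

    sub: Optional[int] = None
    if fc == FC_DIAGNOSTICS:
        if len(pdu) < 2:
            problems.append("diagnostics request lacks a sub-function code")
        else:
            sub = struct.unpack(">H", pdu[:2])[0]
            pdu = pdu[2:]
    return ModbusFrame(tid, pid, length, uid, fc, sub, pdu, problems)


def audit(frames: Iterable[bytes]) -> int:
    """Return how many frames fail at least one check."""
    return sum(1 for f in frames if not parse_mbap(f).ok)


def _adu(tid: int, pid: int, length: int, uid: int, pdu: bytes) -> bytes:
    return struct.pack(">HHHB", tid, pid, length, uid) + pdu


# Constructed sample frames (not captured traffic). The diagnostics PDU is
# function 0x08, sub-function 0x0000 (Return Query Data) echoing 0x1234.
DIAG_PDU = bytes([FC_DIAGNOSTICS]) + b"\x00\x00" + b"\x12\x34"
SAMPLE_FRAMES: Dict[str, bytes] = {
    "good_diag":    _adu(1, 0, 6, 1, DIAG_PDU),          # consistent header
    "bad_length":   _adu(2, 0, 100, 1, DIAG_PDU),        # claims 100 bytes
    "bad_protocol": _adu(3, 1, 6, 1, DIAG_PDU),          # protocol id != 0
    "oversized":    _adu(4, 0, 294, 1, b"\x10" + b"\x00" * 292),  # 300 bytes
    "truncated":    b"\x00\x05\x00\x00",                 # header cut short
}

if __name__ == "__main__":
    for name, raw in SAMPLE_FRAMES.items():
        parsed = parse_mbap(raw)
        print(f"{name:13s} ok={parsed.ok} fc={parsed.function_code:#04x} "
              f"problems={parsed.problems}")
```

The parser never trusts the length field: it compares it against the bytes actually received, so a frame that advertises more data than it carries, or a 300-byte ADU past the protocol's ceiling, is reported rather than silently consumed. That is the check a device under fuzzing would need in order to reject the malformed cases before they reach the function handlers.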