was the stupid idea of switching to emulated PLCs, and everyone was like, why would you use a PC? That's stupid. You got a whole new class of bugs that you didn't have before. Well, it was a question of time. Now we have a whole new class of bugs right on the PLC. And our next two speakers will be presenting a worm that is living on such Siemens PLCs. It doesn't need any PC or x86 architecture to spread. It just, well, numbs away on your infrastructure while you're watching. Please give a warm welcome and applause to Mike Bruggemann and Ralf Spannenberg.
Yes, hello. Sorry for the technical problems. We all had to fight with different aspect ratio screens. The laptop has the wrong aspect ratio. The slides are a bit smaller that way. I hope everybody can see everything. First, I'll do the introduction. My name is Ralf Spannenberg. Next to me is Mike Bruggemann. Hendrik, the third speaker, unfortunately couldn't come because he was ill. So he'll probably watch us from home during the live stream. We are a small company. One or the other might know us. I've written books earlier. In the last years, we changed from the classical training, and nowadays we do a lot of helping, especially about the security, classic Linux security, but also resistance analyzing or pen testing around embedded systems and industrial communication and RFID transponders, where a different employee will talk about that tomorrow with me. And that's about us.
What are we going to talk about? We are talking about industrial controlling. One and a half years ago, we chose a family, and because it was interesting to us, Mike wrote a bachelor thesis about that two years ago now. It was a small and cheap control system. It was the S7500. You can buy these devices for 150 euros. Nothing great. I think too expensive. The systems have, depending on the model, a bit of RAM, a bit of ROM or persistent storage, flash.
All have an Ethernet connection port, and we chose the module with the firmware version 3. Siemens fairly publishes new firmware versions, and they will be programmed with TIA Portal in the version 11, which is, for those who have programmed, the latest version of the STEP 7 software. And we looked at that and we tried to find loopholes and weak points and write programs that allow to show design problems, especially about the networks, with which the networks are built. And to understand that, I want to give you some background information about the PLC, because it's completely different than what you know from a modern computer. The PLC comes with a firmware from the manufacturer, and all manufacturers are the same in that view, and the user writes a piece of software that controls the system and takes over the system controlling. Maybe a traffic light control or the control of a centrifuge or a climate control or anything. And how does that work internally? The systems always work cyclic, so in circles. The firmware reads the inputs and outputs, we'll see how a PLC looks like, we've seen them here, it will read the inputs and outputs, it will run one circle of the program, and then it will do some cleanup steps, communicates with the outside world, with the user, and then the next program cycle starts. It's running cyclic. We don't have an object oriented programming, we have no great control to stop these cycles, to change how these cycles are going. As always, one cycle that is used. The maximum cycle time is around 150 milliseconds. Once this cycle works longer, they assume it's an error and behave differently, and sometimes they stop; that depends on how they are programmed. To understand how the programming works: that will be programmed in blocks. It's a language that is usual from those programming systems. They are programming blocks, which are entrances to the program that is run.
Maybe like the main function of C where you start the program. Then there are function blocks, which is probably like a class with exactly one method. There are also functions. The difference between functions and function blocks is that a function block has some semi-persistent storage. If a function is called in one cycle, everything is deleted for the next cycle, whereas a function block does have some local storage, for example, how many cycles it has been run in. It's the difference between a function and a function block. Functions and function blocks are written by the user. The manufacturer usually brings some of his own functions, probably similar to a library, a programming interface, and there are system function blocks and system functions. Additionally, you can also use a database, sort of a binary block, this memory that you can access where you can store arbitrary data, and that's comparable to global memory, and that's called a data block. It's programmed using a variety of languages. There's a variety of languages available for programming a PLC; that depends on the origin. For example, people who use electronics will use a diagram, and then you have like a graphic representation of the program, and that results in the software that you can directly flash to the PLC. So you have like a diagram that says if there's one on this input and one on this input, then the output will also be one. And you can also do it in a classical programming language. It's called Structured Text. This is what we did, because the other, it was kind of weird for us, so we don't have any experience with that, but there's really good reasons to use the other approach, and all the different vendors seem to use a similar approach here.
So what did we want to do, or what did we do? We created a worm, and what's the special thing about a worm? We know worms from the PC world.
The special thing about this worm is that, after we infected a PLC, we can disconnect the computer and the worm will, without further interaction, spread to the other PLCs. It will find the PLCs, attack them and then copy itself to the PLC, and as soon as it's written to the other PLC, it will activate itself and then start attacking other PLCs from there. And we're going to make a demonstration and we're going to show that the worm keeps spreading, and that's obvious if you think about it, because they're just computers, they're just PCs where your program is running. So it's probable that this is going to work with any PLCs. It of course depends on the vendor, if there are any defense mechanisms. For example, Siemens does have a defense mechanism that can prevent this. But the default setting, especially when you look at these older devices, those are two years old, and so you have to enable those. And if you don't enable the setting, then you have the problem we're going to show. So what kind of worm do I need to write? It needs to discover its targets. It needs to spread. So it needs some kind of mechanism to spread, and it needs to be able to activate itself on the target system, and then we maybe want to do something with the worm. So there needs to be some payload, some malware. I'm not going to tell you what we did. We're going to look at it later. So this is the background, and now I'm going to give the mic to Mike and he's going to continue.
Thank you very much, Ralf. If we want to find targets, we have to have a sign by which we discover other PLCs, and with Siemens that's the port 102. It's always open. The user cannot lock it down, and if we find somewhere an open port 102, it's highly likely to be a Siemens PLC. And the idea we had was to implement a port scanner in the language, the Structured Text language, and there are two functions about that. One opens, peels TCP connections and the other one closes it back down, and here is a documentation.
You can see up here in the interchase function that creates everything where we have parameters and we can ask whether the connection was successful, and down here we have the target destination and the port. So from IT, you would expect that we call the function and once it's ready, it returns with a... I was successful in creating this connection, or there's an error message: it did not work. But with PLCs, it's a bit different. You remember we have a cycle time of 150 milliseconds which we mustn't overstep. So this method is asynchronous. So with every cycle, we run over this complete construct, start at the top, call this function, and with every cycle we ask, did you manage it? Did you manage it now? And if it has, we change to a different place in the program code where it will continue to run the virus of the code. A problem that we have is that there is no timeout in this function. So we will never know if there is maybe no target at all. So we have to implement that ourselves. It's quite easy. We just count the circle. How often did this method run? And at a certain stage, in this case 200, that won't work, we'll stop the connection. Important is to understand that even if the connection was not created and the function that stopped the connection will return with an error message, I wasn't able to create one, but we'd still have to close it down, because otherwise, in the background, it will always try to create this connection. So after having found a target or not, we can count up the IP address, just the last byte to the top. We always scan a /24 network for PLCs. We can also have something different, like a list of targets or complete subnets or several subnets. You can scan that. What about the target finding algorithm? So you can find a target with these two methods. And the next thing we would have to look at: how can we put the worm onto a PLC? How do we download the program?
And for that, one has to understand that the program download usually happens via TCP with these PLCs. And if it's their functions to create a connection, there is a connection to read or to receive. And so we decided, why don't we implement in this program that protocol we usually put updates or update the PLCs with? The challenge was to understand the protocol which runs the download. We have a protocol stack, and at the bottom there is TCP/IP. Above that, there are two more protocols, which I'm not going to talk about. It's documented on the internet. If you're interested, you can read it there. And at the top, S7CommPlus, we call it, that's the interesting one, that's the one that runs the download. It's a binary program, it's proprietary, so we don't know anything about that. There is no official documentation by Siemens. It differentiates a lot from the previous protocol, like the S7-300 or 400. And the latest version, it has already been changed. And at the moment, the virus will not work on the latest firmware versions. However, there are the same features. The program transfer, we have to start and stop the transfer. And there are also other features, like the change of inputs and outputs over the network connection.
I will talk about the protocol. So here's just a Wireshark recording of the first messages from the TIA Portal, from the development environment. And it basically just says, hi, I'm the TIA Portal and I just want to talk to you. And you see how it's structured. You have two protocols I'm not going to talk about. And then there's always 72. And then there's a version number marked in green. And then depending on the version of the PLC, it's one, two, or three. Then there's a length field that you know from other network protocols. And afterwards, there's a boundary marker that says here's the end of the frame. If the end frame is missing, then we know there's more data. And there's a type, for example, the request or an answer.
There's a few zero bytes. And then there's a subtype that describes the further structure of the message. And there's also a sequence number. And if you look at the message, there are a lot of bytes missing. And if you look at those, then you find A3. They're sometimes grouped. And we thought those are kind of suspicious. So we looked at it. And the A3 always starts a so-called attribute block, which itself has this structure. So you see there's an ID that describes which kind of value it represents. And then there's a zero, which we don't really know what it means. And then there's a data type. In this example, it's a string. And then the length and then the actual value that's supposed to be transmitted. The numbers are somewhat strange. If you look at the protocol and try to understand it, then the lengths don't match, because the numbers are represented in a weird way. The 81, for example. And then you look at it. The first bit is set, which means there will be another byte following. So the number of the lengths is variable. And once you understood this, then you can understand the protocol pretty well. And that's important for the basic understanding, so you can change information later.
And now we look at the second message. And we just sent a message: I want to talk to you. And now the PLC responds and says, yes, I want to talk to you too. And the only thing we're interested in is the 25th byte, which is a random byte. And on every connection, this is chosen randomly. And this is probably a simple replay protection, so we can't just record and then replay it to the PLC. So what we had to do is we look at the byte and then flip the first bit. So we add 80 hex. And then we have to put this on the 23rd byte position in every message that we sent. So we can just record the communication between the TIA Portal and the PLC, and just remember to do this step. And then we can just replay the communication and see how it reacts.
So we can use this to upload software. For us, important, the download block message has the same structure that I just described. There's just two more important pieces of information. One is the block type. We just saw the list earlier. There's five or six different ones. And the block number, which is just some sort of memory slot. So just to memory slot one or two, whatever you want to download. And afterwards, there's lots of attribute blocks. They're pretty long. And here are some examples of the attribute blocks in one of these download block messages. For example, the last modified date of the program, which language it was programmed in, the code, which is what the PLC actually executes. Part of these attribute blocks are very important. For example, the code: you need the code to actually run the program. But others are just stored on the PLC so the TIA program can recover it later, even if you don't have it on your computer. So as an engineer, you can always connect to the PLC and ask it which programs are stored, and you get a list including source code and everything you might want to know about it.
So you can look at a few things which might help an attacker. One of the things is the data is redundant. I already told you there's the memory slot, block number one. But it's also transmitted via an attribute of its own. And this information is redundant. So the interesting question is, which one of these are actually used in the PLC or in the TIA Portal? And the interesting thing is that both of them are used. The PLC uses the memory block. For example, 537. And then the PLC will store it to 537. But maybe I don't change the other location. For example, I just let the value one persist, and then the TIA Portal is going to use that. So now I can hide code on the PLC, because once an engineer will have some suspicion, it will connect to the PLC, it will want to know what it does and what's stored on it.
And it will get all the program blocks but has the block one twice, which of course isn't the same block, because in reality it's stored somewhere else on the PLC. But the TIA Portal doesn't really know what to do with that and only displays one. So we can hide parts of our program on the PLC. And another thing is there's also redundancy in the code. It's stored in two variants, zipped XML on the left. And we can also see it contains comments as well. So it results in the original source code if you want to. But it also stores byte code that the PLC actually executes. And if I know how to download this, I can exchange the XML text to something random that maybe looks unsuspicious. But the reality is that the PLC executes some other code that the engineer never sees. So that's a nice feature for a worm. There's another thing: you can just leave out some of the blocks. For example, the XML source code. You don't have to include it and you don't have to return that. The main thing is it reduces the amount of data that we have to download.
At that point, we have understood how a message looks, how length fields work, and how we forge messages. We've managed to understand the anti-replay feature. And what we have to do is now implement the program download using the TIA protocol. And that's just a bit of work we have to do. And then you download the virus. And now all the messages and the finished program is being downloaded. And we take it and store it in one of the data blocks that we have available. And afterwards, we upload it using our own tool. We can't do it with the TIA Portal, obviously. And then we infect the PLC, the first PLC. So it's about how to infect the first PLC. So we wrote the worm using the TIA Portal, wrote it to a PLC, sniffed using Wireshark, and then with the knowledge we had, adapted it and then built that into our worm. And we're going to see how that works in a moment. So we have finished the first few features.
So the last two are still missing. How do we activate it? We've downloaded it. But how do we actually run it? And there's a function of the PLC which helps. One of those OBs is comparable, of course, to a main function, but we can have more than one of these main functions. So the idea is to download an additional OB, and the PLC sees there's another one and it executes it just after the first one. So the original software on the PLC is still running. So activation is built in. We don't have to do much. So we also have to create a payload. So we can think about what we want to do. Denial of service is a possibility. So we can stop the PLC. We can change the outputs. We have always the TCP function available, so we can create a new connection to a C&C server. We have created a proxy. We can do whatever we want. We have the complete language available. So we have all four points and the virus should work.
So we have created a demo. I will play the attacker with my laptop. We'll infect the first PLC that I'll attach to my laptop, and the virus will connect itself among these PLCs. And in the end, they will all connect back to my laptop as a C&C, a command-and-control server. So once we have the image, here we have the four PLCs. These are the PLCs we can see here. We can filter it. This is how they look. We have the Ethernet port here. Here are inputs and outputs. And here we have 220 volts and some more inputs and outputs. We have four of those connected together. And I'll disconnect the Ethernet port of three of those. So they are not connected anymore. So I disconnected three. The fourth one is connected to the switch up here with the laptop, and Mike will now inject the worm.
So the first thing I'll do is I'll start the command-and-control server which they connect themselves to. So it's now running and waiting for connections. The next step: I've written a small script which initiates the infection of the first PLC.
So I enter the IP address of the first PLC. You have to know that one. So it runs now. The PLC has already switched down. The virus is updated now and the PLC is running again now. We see no difference from the program. This lights. So the original program is continuing to run although the virus is active by now. So the command-and-control server should have a connection now. Yes, the first PLC has connected back to it. Now we disconnect the laptop. The laptop is disconnected, and reconnect the second PLC. I hope we didn't wait too long. So we'll see the first one to connect the second. It will be switched off. The second PLC. It's just a matter of time. I will see it turn off. The lights have stopped blinking and the virus is uploaded and it's running again. So the one we have infected initially, to see that that's not the one that's doing all the following infection, I'll disconnect it. It doesn't have any network connection anymore, and I'll connect the other two. So the one that has already spread to the second of the first one is already off. It's running again. So the one on the bottom right has to come. We have spaced the IP address so that we have some time between them. It just worked. So we know how long the worm is scanning. So I hope it'll just work. There it's off. 100 milliseconds and they're spaced 50 milliseconds, and it's running again. So now all four of them are infected. So I'll connect these and the laptop, and in a few seconds they should all connect to our command and control server. The first one. The second one. The others may have already been there. There we are. There are all four of them. Now we have a connection to the command and control server in the background while the light is running. So maybe let's just stop all of the lights. Was it zero or one? Let's try out. They are stopped. Let's turn off the light. Turn and make it dark. Let's turn on one light. Oh, that's it. Then we could use that as a flashlight.
Yes, what else can we do? So the command and control server can do some things. Mistyped. There is an M missing. That's the excitement when you're in front of here. So the one at the top is running. So that one's working again. I think that's the one that has digital inputs and outputs. The others have relays. So we have two different models, different firmware versions. So all versions one, two, three. The version four we'll talk about in a second. Can we show anything else? Ah, yes, the proxy. So I don't know who was at Black Hat last year or watched the show. Some have shown that you can implement a proxy, a SOCKS proxy, on one of the older machines. So we have developed the same. If someone else can do it, we can do so too. So we can also run an Nmap scan and see that the ports are scanned. So the PLC is running the scan. There's the SOCKS proxy, and it will run the network scan because the connection is connected back to us. So you can also run through a firewall, so we can get it out of the network behind through the proxy. That's also working great.
Another thing here: the protocol that's running here by Siemens is to this point not documented, nor is there any open source solution we know of or any software we know of where we can create these functions. So Mike mostly just tried to figure out how it works, which bytes and which bits in the system will switch, and especially the number. There is another byte and the number itself is only seven bits. It has needed a lot of time to really understand that.
So you want to turn it off now, and now they're really off, and they're turned off in a way that pulling the plug is not going to work. It's not going to be enough. So now they're all turned off and I turn the power back on, but we see the LEDs are still off, so it's not enough to just remove the power. It's a feature. Note that we did not have to use any vulnerability. Everything is by design.
The protocol enables us to in the default setting. It doesn't give us any opportunity or doesn't have any protection. You can turn it on, but in the default setting it's off, so someone has to use its TIA Portal on a programming PC, or if they have a web server enabled, then you can use that to re-enable them. Okay, so this is enough for our demonstration. So we go back to the slides.
Of course it's interesting to see what the worm did to influence the PLC. So it uploaded another main block, which means you have to stop the program, which of course is also locked, and depending how this machine is controlled, then of course this is going to be very noticeable. So an alarm might go off. You can improve that by not uploading a new main block but extending an existing block, which is also a feature of the Siemens PLC. You can manipulate running programs during runtime without stopping them, so you have to implement in the virus, of course, download the running program, download it and then manipulate it and then upload it back, but it's technically possible. Of course it needs a bit of RAM: 38 kilobytes of RAM and 220 kilobytes of persistent memory that we needed, which is a lot, because it's 77 percent of the smallest model, but that's of course because we have a lot of features in the control server. If we know exactly which malware we want to execute, then we can reduce that by a noticeable amount, and of course we have to keep remembering the cycle time. Right now we need about seven milliseconds, which is about what we expect. All of the functions that I explained are asynchronous.
And how do you remove the worm? The easiest way is to do a factory reset. All the user's applied program is being deleted. Or you just override the block, the OB that the worm is stored in; this is not going to be enough to remove the worm. And of course the TIA Portal sees the virus. We see different blocks right here.
It's the original program from the engineer, and then he can ask what is currently stored in the PLC, and currently now everything is green, but down here we see the circle has changed, something has been added. So we can use that to hide it using the techniques I already explained, but another way would be to change the attribute blocks, so if you have some strange values in there, then the TIA Portal is going to crash, and the engineer doesn't have any ability to check what program, what the device is actually doing.
So let's talk about protection now, how to protect yourself from that. So that's a big question. There's different possibilities how you could implement this. One of them would be not to connect them to network in the first place, but other than that, the Internet of Things with the old version of those PLCs, that's just not a good idea, and those that are just two years old I'm counting as old here. So it's just a bad idea. And in addition to the worm that we've shown you, we did find real vulnerabilities for several of the vendors, so that allowed us to crash the system or do other things. That's not just Siemens, it's all the vendors have those problems, and especially the older systems. And the vendor response is really terrible. So we had really good contact with Siemens: we tell them there's a vulnerability and they react in a reasonable amount of time and try to fix it and patch it, and then they also see the problems, and they actually have improved in their newer models. But other vendors, such as Mitsubishi: it took half an hour, half a year, just to contact Mitsubishi, and then we contacted them using the ICS-CERT in the USA, and we sent them a curl call that could be used to just do the attack, and then we were asked to send them all the information, which tools we used and how we can replicate it, and we said, well, there's the curl call, that's all you need to know. And then it took another four months until they said, yeah, we're
going to patch it, but there's not going to be any update for the old systems, so it's just going to be patched with the ones that are going to be bought from now on. So they are very similar to those PLCs we have here, have integrated Ethernet, and they may control something in your house, maybe a climate, and that's of course problematic. And many of the vendors try to protect their systems, and the firmware version that we have here does have some sort of access protection, and we have two different versions here, write only on read write, and this is going to protect from the worm. So I'm not going to be able to replace the program on the PLC. So just by turning on the write protection, I can't copy a program to the PLC. I can still read it, and I can of course change the input outputs, but I can't change the program.
So what are we going to do to improve the security? So first of all, this of course should be enabled by default, and the users should be notified that these features exist. So we need awareness for the users of those PLCs, and so they need to be aware that what they have is really a small PC, which has the same problems that any PC has, so we're trying to solve those for the last 25, 30 years in the PC world. In this case, the firewall might be another layer. So we were connected to the PLC, so simply by disallowing this on the firewall, this would improve the situation.
Then another question would be: are other vendors also affected? So what do we need? We need of course Ethernet connection, and we need to be able to have a way to upload the program via TCP, and then we need programmable TCP function on the PLC itself. So some of the vendors, Siemens, Mitsubishi, Schneider: the gray ones are those that have an Ethernet connection or provide one as an additional accessory and that do have TCP function in their PLC language. There's only the movicon easy, which is something very small, and all the others, those are the ones that
do have TCP functions in their programming language. In essence, all those variants do have the possibility to implement one of those, a worm that attacks another PLC from the PLC. Whether it's in fact possible, we don't know, but what we do know is that the S7-300 and 400 should be really easy, because those protocols are well understood, and the access protection is available, but if it's turned off, of course. What we also know is that the 1500 and the version 4, it does not work. The protocols have changed and they just look different. And the big problem is we can't just, so I do have 1200 and I just use version 4, that just doesn't work. It's hardware version 3, so I can't install that, so I have to buy new PLCs, which is maybe part of their business model, I don't know, but it may not be possible to do a firmware upgrade if you don't buy the newer hardware.
So what we're going to do in the future is we're going to look at different vendors. We have one from Mitsubishi, we do have one or two from Schneider Electric, and what will be really interesting is, we only looked at Ethernet, and those of you who really use those machines, they know that the PLCs internally use a lot of field bus communication, so maybe one acts as a gateway between the field bus and the Ethernet system. So it would be interesting to infect the gateway, for example, with one of the software that we wrote, and the infection would propagate using field bus. I don't know if that works, but this is what we're going to look at in the future. And that's all I have to say for today, and we will be open to questions.
Thank you very much for the great talk, and the demo god was with you. If you have any questions, please stand up behind the microphones. Do we have a question from the internet?
Yes, we do. We have a number of questions from the internet. Many are about the protection things. Can you switch the security features on and off? Could you connect them from
behind the wall, from the device itself? And do all connections that have deactivated that by default?
Yes, I don't know whether that's with all of them; they see through Siemens, that's like that. The standard connection, they are not activated, and yes, I know they can be deactivated by the protocol, but I do need the password for that, so I can just directly use the password. So it's protected by a password, and the programmer has to have its own possibility to switch them off. So the protection feature can be switched off over the protocol.
So the question left: have you looked whether the crash is exploitable? Can you connect from the PLC to the laptop of the internet with the programmer?
No, we have not looked at that. You can always just look at one thing at the time.
Do we have any additional questions? Yes, signal angel.
Question from the internet: how can you connect to the network of the PLCs? Do I have to be there and connect with my laptop, or is there internet?
So one idea might be: I sell a new machine and I sell something, I connect another machine which has the worm pre-installed on the PLC, and it's connected to the network that way. So I don't have to really have physical access to it. I just have to have one infected PLC in the system, in the industrial system, and that can be a component in a machine or a device that by the manufacturer or during the transportation has been infected.
Mic at the front left.
I would have a question about the programs running on them. Are there any privilege systems between the different program blocks in any PLC, which is the standard technology in laptops or normal computers? And I know that the industry, the system is 20 years old.
We haven't noticed anything so far. So once you're there as a program, you can run anything you want to. You don't need to look at the other blocks anyway. I am the program, I'm running and I do whatever I want to.
So it might be interesting to look how the device is run, to read at the source code of the other
programs, which could help you understand the system?

Yeah, that's no problem. Mike has written software so that he can read the code of the PLC over the internet, and we use that to understand how the protocols are working. And we have looked at the usage of the PR project portal and looked at what it's doing, and with that we can read the other blocks and read the other PLCs and collect that information.

Another small piece of information about the infection of a fieldbus: how I understand the system, the first thing you do is write a bootloader for the fieldbus devices. Nobody wants to use the JTAG adapter.

To the microphone.

Is there an infection control? Do you look if the infection is already controlled? So otherwise they will reboot again and again. So that would be surprising if only cranes crash and the conveyor belt work.

Yeah, that's a good question. Yes, we do that. I have just another main object block we download, and what the virus does before it downloads itself is to ask: is this block already used? And either it has an error message or there's the answer yes, it's there, and then it'll just stop the infection. So if we saw it once all the PLCs have been infected, they are not disconnected. So all of that is just a proof of concept, so we aren't sure how far we want to publish some of the code. Anyway, it's a future point. So because we know that's the problem at the moment, this is the proof of concept to show others that there are these problems. So that's one of the biggest problems here. Those in the room here, if we come from the PC area, so especially here we know really well how important security of the systems and the software is. Especially in the industrial systems, those who implement these systems, the creators of these machines who write the programs, they usually don't know what access protection is, what all the other protection methods mean, that they sometimes exist, and what should be allowed and what's possible to do. And we talked with a car manufacturer and they asked him how
he works with the security, and he says: of course, the network is changed from the office, we are afraid of the fabrication network. So the idea there was: we want to protect the office network from the industrial network, because they were afraid the industrial network connects to the malware on the home network, of the office network. So every connector, every company who enters a new machine to the network wants to have access to the network to continue his maintenance program. So they know that, and as a runner of the network you don't know who is in that network at all, which of the connections are used at the moment, because plugging this off will not be used and won't work. So I know somebody who has created a new hall, and he can change the LED light on the smartphone. The smartphone is connected with the server somewhere in the internet, the network also connects it to that server, and it creates in meyaka he can turn on and off the light in a company hall. The light system probably cost 50, 60,000 euros. So the security sensibility is not available there, or hardly known. So we have to talk about the security in that area.

So, any other questions? There's another question from IRC and one from the hall.

So several people want to know whether you could do distributed connection, or your connections.

The connection, you probably could buy a Raspberry Pi cheaper than that. Otherwise, it's a proxy server. You could implement that, you could implement conserve for that, no problem, with the normal problems with the speed.

Another question from the hall.

I recently read that the ever honey project had honey nets with the industrial project. Have you asked that? Could you emulate it?

No, as far as we know there is no emulation available. There are emulations, but they are not free.

Any further questions? One more from the hall and one from the Signal Angel, and then the time's over.

Just another question about the future: are there tendencies to do code signing
maybe somewhere in the future, to protect, to implement? We don't have any, the PC area, so why?

I mean, I hope that what we do here is going to work towards that. So we know Siemens pretty well, and from time to time, maybe, we don't want to put Siemens in the stocks. Siemens does a lot to try and protect the security of these systems, but they're also a burned child because of Stuxnet. But otherwise, with code signing, many of these industrial systems, those that are in the field, the computational power is just not there to check the signature or to actually implement an encrypted connection. So that maybe will come in the future systems. A lot happens. Our worm does not work at the moment on the latest systems, and Siemens promised us that some of that is due to security implementations they have on them. But yeah, yes, something happens, it's getting better. But the large problem is the Internet of Things is arriving now, Industry 4.0 arrives now, and there are a lot of industrial systems that have 20 or 30 year old PLCs. So we have to make sure that they cannot just be used in the Industry 4.0 nowadays with those, because the danger is far too large that those functions can be used abroad.

So, another short question from the Signal Angel.

Yes, the question is: is this feature used actively? Do you know whether anybody uses it?

We don't know that. I hope not.

You have been listening to PLC Blaster. This talk was