Hello, okay. Everybody here? How would you know? So my real name is Éireann Leverett. Most people know me as BlackSwanBurst or BSB. I'm going to do a talk about industrial control system security. I don't expect many of you work in this space; if you do, then this will be very abstract and you can get more technical detail later. We can hang out after the talk if you would like. This is going to be a rambling, crazy talk because I'm a rambling, crazy person. But the main thing is a good talk should be like a comet, right? It should be dazzling and brilliant and over in a flash, and I can't really manage the first two, so I'll aim for the latter, so it's gonna move really quickly.

Okay, so before I begin I'd like to have some idea of who is in the audience. Who was here at EMF Camp last time? All right, cool. Who's here at EMF Camp this time? Good, just making sure you're awake. Are there any other hackers in the audience, in the security sense? Yes, okay. Any white hats? Any black hats? Any intelligence agents? They never raise their hand. Oh, there's one, excellent, fantastic.

Okay, we'll get on with industrial control system security. So I don't usually like to talk too much about myself, but since many of you don't know me you probably want to have some idea of my credentials. Instead of giving you a giant CV of all the places I've worked and the hundreds of engagements that I've done testing industrial systems, I'll just give you this picture to give you a sense. I've been doing this for about two and a half years as an industrial person, if you like. What I mean by that is I've been a penetration tester and researcher for IOActive for the last two and a half years. Before that I was doing my master's at Cambridge, where I rescued 10,000 industrial systems from the internet for a laugh. And before that I worked at GE Energy in quality assurance, testing various domain systems, so, you know, distribution management systems for the electric grid primarily, but also other systems used in the electric sector. Before that I was doing other stuff that's not terribly interesting.

So I think people should care more about infrastructure in general, particularly geeks, particularly EMF Camp. I think infrastructure is really interesting. I think we all depend on it, and I could make a big hand-wavy argument about things blowing up and what would happen if we didn't have water or power, but I think that's all kind of a bit boring. Instead what I'd rather do is encourage you to think about infrastructure, care about infrastructure, go and visit it. Find out in your local neighborhood what's going on. And one of the things that's really exciting about EMF Camp is you actually have that opportunity. My favorite talk at the last EMF Camp was how we rolled out power, sanitation, showers to you guys for three days, along with internet, and then tore it all down and drove it away. And so if you're interested in some of these things, go and find out how some of it works here.

When I was about 14 my mother, who is loosely analogous to Sarah Connor, made me build a water filter to teach me about water filtration. And as much as it was like a really irritating thing to have to do as a 14-year-old, like "oh, Mom, I don't want to build a water filter", I did it, right? And at the end I learned a lot about how to clear sand out of the water filter and how to dry it out in the sun and make sure it didn't, you know, get an algae infection or anything else. And so I encourage you to do these same sort of things and embrace some little project on infrastructure and find out more about it. Even if you're not a programmer or a hacker in a security sense, you know, just get interested in this stuff, right?

So this is a brief tour of my kind of hell and why industrial system security is so difficult, but also where it can be really exciting and maybe some research opportunities for you. So everyone likes a good joke: an optimist would say the glass is, you know, half full, a pessimist half empty, but the engineer believes it's over-provisioned for this particular task. And I use this to illustrate the kind of people that I work with, right? I do have a Bachelor's of Engineering, but I'm also a computer scientist now. I studied artificial intelligence and I find myself lumped into the Chomsky camp by all of the engineers. And that's okay, but when we sit down and have conversations they have a very different attitude, and I'm trying to use this to illustrate that part of what this talk is going to illustrate today is a false dichotomy that I see in the space between safety and security. So what do we mean by that, right?
Everyone understands that safety in an industrial system is incredibly important, right? You're dealing with inert gases that might fill a confined space; you're dealing with flammable materials, right, if you're working in oil and gas; with electricity, you know, there's a danger of being shocked, or of providing too much electricity or a bad frequency of power to a device and burning it out in some way, right; with water you're dealing with large pressures and you can have a burst because of that. So, but what do we mean by safety on the sort of computational level? It means that we don't want change on these devices without knowing about it. So you don't want a firmware upgrade in the middle of pumping water into a giant tank, right, because that upgrade could leave the messages that are passing along that network in a state that it continues to pump and builds up too much pressure and either burns out the pump or blows the tank in some way. So we're focused on no change without permission, loosely speaking. Now that can be change of values, but it can also be change of firmware or change of devices. And there is some redundancy in these systems, but from a security perspective redundancy doesn't do very much for us, right, because if I can compromise one switch I can compromise the other. And since some of you don't work in this space, that is what I do lately: I've been focusing on compromising industrial Ethernet switches, changing their firmware, writing malicious firmwares and abusing the firmwares to alter the traffic that's flowing across those networks.

Okay, so the important thing here is that safety people have an assumption, and the assumption is that the code of the firmware has not been changed without going through proper channels, because they have these processes in place and they say "don't touch this device, don't change this device". And if no one's come to them and said "okay, I changed that device", then they believe it's still in the same state it was when they started. In a physical world, that's a relatively good assumption. You can keep your eyes on things. But in the digital world, that's not always true, right? In particular, I find that the hardware and the firmware don't support these features, right? So I can do, say, an MD5 or SHA-256 check on a firmware, but the device itself in an industrial system doesn't always do those checks on its own, right?

Okay, so what about the security culture? We run around like our heads are on fire and we panic and we tell everybody to patch stuff because they're using telnet. And that's sometimes a little bit unfair, especially in a working operational environment. We make safety people crazy because we're asking them to change things that are already functionally safe, and the fact that they've had to go through months of proving to some auditor that this is functionally safe means that when they update it they have to go through that whole process of six months of proving it again. And that can be deeply, deeply frustrating for them. So the assumption on the security person's part is that it has been changed unless you prove it hasn't been changed, right? Someone has altered the firmware when you weren't looking or you weren't paying attention, and you need to consistently verify that the firmware of some device has not been changed. Now you could also talk about this in terms of protocols; it doesn't have to be the firmware, right? The traffic on the wire can be altered as well, and you want some sort of cryptographic assurance that it hasn't been altered.

Now, because I've worn this preposterous moustache today, I'm going to demonstrate this in the most ridiculous way I possibly could, with a card trick. So to prepare for this trick we'll need to set, you know, the deck in advance, get some people to inspect it, get some people to help me out in verifying the condition of this particular deck.
I know you guys. I should probably not start at this end because I know these guys, so I'm gonna go over here. And at the end of the talk I'm gonna need 11 people to help me out for this, so hopefully you're gonna be willing to volunteer and come forward, because if you all just stand back there it's gonna be very, very awkward. So anyways, let's make sure this is a real deck of cards and it's shuffled and it's different. So we're gonna use this as a demonstration of, you know, firmware being altered, which, I don't know, like I say at the bottom, is a terribly shoehorned metaphor, but it gives me an excuse to be strange in the middle of my talk. So I'm gonna set this aside right here on this top, and it's your job to watch this deck of cards and be sure that it doesn't change order somehow during the rest of the talk. Can everyone see that? Okay.

Okay, so this photograph I took while I was on holiday, and I think it demonstrates pretty much one of the conflicts between safety and security. Now I realize that you probably can't see this very well, so I'll point out some of the details, but take a look carefully, right? This is a medical device for helping restart a heart: first aid, right, safety first. But it does have an access code down the side. I don't know if you can see these buttons along the side here, and written on top of that device is the access code, 2888 I guess, so that people can get hold of this device whenever something is happening. Now this is by the side of a port up in Scotland, so presumably the access code is there to keep people from stealing it, right? But it's like the security people and the safety people haven't worked together. They haven't thought about this in advance, and so you just have to post up the access code on the top. And I find that really frustrating, because safety people are intelligent, interesting people, right? Security people: intelligent, interesting people. But they're kind of at odds with each other all the time because of this culture clash. And I don't think the culture clash actually exists. It's just that the technologies that have been put in place have been put in place without communication between the two sides of the equation, and they've been encouraged to think about it this way because the features of these devices don't support safety the way it needs to be.

So as a good example of this: do we need an access code on this at all? An access code is actually completely ridiculous. The whole point of this device is that it's available to you in an emergency, so the access code is getting in the way of being used quickly, right? So maybe what we should be focusing on in this particular case is logging, detection, incident response and maybe even some sort of tracking device, so if someone does steal it you can try and recover it. Or even just CCTV: putting a CCTV camera over this, so if someone uses it for the wrong purposes you can record the event and report it to the police or do something. And this is my point: like, this false dichotomy of safety versus security needs to stop, and we need to kind of collaborate in this sense.

So one of my favorite concepts is passive safety. Now I know everyone in here has spent hundreds of hours working with liquid fluoride thorium reactors. I myself have also logged zero hours on one of these reactors, but I was given this as an example; like, I was told to read up on these by a mentor of mine, and he said to me that, you know, one of the interesting things in these reactors is this sense of passive safety, right?
So the reacting vessel and the salts that are reacting with each other decay naturally and stop reacting on their own, which is very useful because you have to maintain the reaction to keep things going. But the main thing is that it has a freeze plug in the bottom of this reactor, and you have to apply energy to this freeze plug. You have to continually cool this freeze plug, and if you don't apply energy then it sort of melts away and everything drains into a heat sink and drainage tank underneath the reactor, and the reaction sort of slows all on its own and everything decays to a safe state, right? And I find this a really, really interesting, fascinating principle: if you apply energy, or apply X continually, to this thing, then when it does fail it fails into a safe state. And I'm kind of curious: would it be possible to use this passive safety concept in a security sense? Can we continually apply some cryptographic principle, and when the system fails it fails safely and it fails securely? I'm not sure, but that's why I'm talking to you people. You're filled with ideas and you're here for EMF Camp for exactly that reason. So, kernel attestation, right?
This is one of the things we could use in industrial systems, where the kernel continually attests to the fact that it hasn't been altered and that certain properties are maintained. One of the big problems with this in practice is the massive overhead of messages in the constant sending of messages back and forth across a network. Sometimes that would violate our real-time constraints, for example. But it's still an interesting idea, and I feel it's just pushing on to the edge of that passive safety, passive security kind of concept.

We have a big problem with patching because of the safety problems that we discussed earlier in the industrial systems world. I know for a fact, having studied a bunch of these systems and reading other people's white papers on the subject, that it can take 18 months before they even want to apply a security patch to some of these devices, including Windows NT and Windows XP machines. Not only that, it's 18 months before they start the process, and then sometimes six months to get the paperwork in order to actually be able to apply the patches. I've found a number of, you know, zero-day vulnerabilities in industrial Ethernet devices, mainly switches; like I say, that's my passion at the moment, mostly because PLCs and RTUs and so on are already done. But my point is, whenever I find those I go through a coordinated disclosure process, which is very painful, I can assure you. And even once I've got the patch in place with the vendor, which, you know, takes three to six months, I can be pretty certain that when I go to do pen tests on these devices I'll still be able to use the vulnerabilities that I found for another two years, right? Because it takes that long to roll the patches out.

So I'd like to move towards a model of continual patching. You know, certainly with a Linux machine, on most occasions you can update, you know, all of your sources, bring in all the new code and the security updates, and you don't have to reboot your machine every time you do it, right? So I find it a little bit ridiculous that if we can do that with a Linux machine, that, you know, these other devices are using embedded Linux most of the time and somehow they need to reboot every time you apply some patches. So maybe we could move past that, right?

Firmware checking, cryptographic checking of firmwares: it's okay when you find it. I very rarely find it, but when you do find it, it's typically a cryptographic check on essentially a hash, right? And so that hash is checked when the device boots up, if you're lucky, or when the update is rolled out, but it's not necessarily checked the rest of the time. So all you have to do is play with the time-of-check, time-of-use, the TOCTOU up there. So I make sure that when the firmware is booted up it hashes correctly, and then afterwards I switch the firmware and it runs, you know, whatever I want, right? So we'd like to move away from that sort of model of firmware integrity. Detection and response, I think, is more useful in some ways than focusing on the firmwares, and the idea of sensor fusion with trust levels. Okay, I'll come back to that a little bit later.

Okay, so if any of you study in this field, I advise you to take a picture of this now. These are the protocols you'll get to have a chance to look at. These are mostly unauthenticated protocols and mostly protocols without any integrity, which is really disturbing because this is controlling your industrial infrastructure. Go and look them up, find out for yourself.
You don't need to be a hacker to check that all on your own. We have real-time constraints in these systems. What I mean by that is a message might need to get from one device to another in milliseconds or microseconds to guarantee some safety condition. This makes the cryptography in this environment very, very difficult, because we have to do the cryptographic computations within that time scale. And also we usually have some, you know, resource constraints: memory, processing, entropy and random number generation, these kinds of problems. Key management is also a nightmare. The thing I find most often these days is hard-coded cryptographic credentials, whether they're used for SSH or SSL. There's a big movement to wrap TLS or SSL around every industrial system protocol, which means all of these different devices need to have different keys and we need to manage them. How do you do that in a real-time sense? It's quite a challenging problem. If you're interested in cryptography you can go that direction and study some of that.

Okay, I think threshold cryptography is far more interesting. Does anyone here know what a zero-knowledge proof is? Excellent, one. Okay, two. Zero-knowledge proof? No. Three, okay. So, zero-knowledge proof. I think they're really interesting. The basic idea is: let's say I know something and I want to prove to you that I know this thing, but I don't want to reveal to you the thing that I'm proving. This is the simplest example I could find; my favorite personal example involves the graph three-coloring problem and proving the isomorphism of the graph or the solution for the graph, but let's just stick to this simple one for the moment. Let's say Alice has two cups and wants to claim that they both contain the same amount of marbles, and then Bob wants to verify this. Then Alice can offer two buckets that also contain a number of marbles, and Bob can choose which cup gets poured into which bucket, right? And then Bob can count both buckets and make sure that they both match. And in the process of choosing which cup goes into which bucket, if we assume that they were different and not actually the same, that Alice is lying to us, and that Alice had sort of rigged the buckets down below so that they would match up, then there's a 50% chance of him having chosen the wrong buckets and that coming out. All right, so I don't know if you can see this down here at the bottom of step three, but you can have a 50% confidence for the first game, 75% confidence for the second game and 95% confidence after the fifth game that they do indeed contain the same marbles. So this is, loosely speaking, how interactive zero-knowledge proof systems work. And my argument is that you can embed this into some of the industrial systems protocols, because the first five messages that are exchanged in an industrial system protocol are not usually that important, and some of the sessions are maintained for years at a time. So you would slowly be building confidence, and you would only perform sensitive operations once you had built confidence to a level that you're comfortable with. So far I haven't seen many people explore this idea, so I'm encouraging you to think about it.

In a presentation about six months ago I asked the vendors of these systems if they would commit to a six-month average patch time, and I specify average because some bugs are really thorny and really difficult. And I asked them: if I come to you as an outsider and I produce, you know, something I consider to be a failure in security terms or an exploit for one of your products, will you patch within six months? And this is the response I got. In fact, I didn't even make this picture; this is a fan picture sent to me after that presentation. If you want to see the video, there's a nice awkward two-minute silence after I ask that question to six or seven of the big companies who build these systems.

Okay, so this is about what you can do, and I'm gonna speed very quickly through it because I'm running out of time. What could you do on the host scale? You can do better firmware verification, if you're interested in that sort of thing; you can focus on that. Non-disruptive patching technologies and techniques, in-memory patching for example. Safe and secure defaults. In fact, I haven't put formal methods analysis in here, but one of the interesting things you can do with OCaml these days is draw the model from the implementation and then do formal methods verification of the code in a sort of backwards way, to make sure that it's not going to violate your safety constraints, right? Build for internet security, even though theoretically these are always deployed on private networks. I always find that a little bit funny because, like I said earlier, I rescued 10,000 from the internet as part of my master's thesis. Focus on forensics and supporting detection technologies, incident response and detection technology.
So on the network scale there's a lot of protocol work that could be done. We could be adding cryptography to these protocols, adding integrity to these protocols. Non-replay is another important cryptographic property that we want in this place. And also another thing that I think is very interesting is there's some people doing sanity checking of the process values to make sure they obey the physics. You know, a vessel can't heat up faster than the convection rate of the material that it's made from; if it is, you've probably got, you know, a sensor error. So you can do a lot of interesting work verifying the process data itself without doing any cryptography at all.

At the system scale, I would say we could do with some experiments with engineers' understanding of trust. Remember earlier I was talking about threshold cryptography and fusion of sensor values and their trust relationship. What happens if you have some sensor values coming from this field over here that have no cryptographic integrity, and you have some others from over here that do? How do you display those on a screen to a user to let them make decisions and know these might be false, these are probably accurate? I think there's some interesting psychological research that could be done there without even necessarily building an industrial system, right? Use alarms and anomaly detection in concert with safety people. Develop real-time key management strategies.

At the site scale: stop dividing safety and security people. Put them together in a room and let them actually get requirements from the vendor to build the system differently. So avoid this false dichotomy and really ask the people present: why not, you know, what are the safety properties you need to be sure have not been altered, and what are the security properties that you need to be sure are in place? Build an incident response plan. Test security during factory acceptance testing and site acceptance testing. Write security requirements for the vendors and get them to stick to them. And then another thing I think that would be interesting for any of you, just as citizens of the world who depend on infrastructure, is to learn about five industrial system security incidents. I do another talk about ten industrial system incidents that occurred before Stuxnet. Everyone talks about Stuxnet, but no one talks about the really boring attacks that occurred before that, and there's over 200 of them in a database. So these things do happen and we should prepare as a society for them.

At the nation scale, examine Shodan results for vulnerable critical national infrastructure. Like I said, that was my thesis; very effective people are continuing that work to this day, which is great for me because I can go and do other things. Study the falling cost of finding these vulnerable systems and participate with some of these other organizations such as ENISA. And here in the rest of the world, if you're kind of a post-nationalist like myself, you know, respond to the reports of other countries about attackers coming from your country. Run honeypots and catch badness, and just generally do research and try and help us out. It's your infrastructure, regardless of whether you're interested in cryptography or industrial systems or anything else. Agitate, agitate, agitate. Ask the boards what they're doing about security. Reduce your own infrastructure debts. Consider, you know, there's people talking about making 300 watt wind generators, which isn't very much; it's like a couple laptops and your phone and some other stuff. But, you know, they're gonna build them from 3D printers and you can fit them in your backpack. Why not experiment with some of these tools and reduce your own infrastructure debts? The main thing here at EMF: invent some decentralized microgrid, micro-infrastructure tools and disruptive technologies.

And I guess it's about time we get back to this, so I'm gonna need 11 people. Could I have 11 volunteers? Okay. Now, was this deck of cards altered during the talk? Did anyone walk up and change the deck of cards? It might have been, which is my proof entirely, right? Let's see if I can actually do this. Everyone hold your cards to your chest, think about your card. Let me see if I can get all of these and then go have a beer. I have to admit, at this point in the performance I sometimes wonder what would happen if I didn't get these, but just a thought. If I name your card, please set the card back on the deck and walk back into the audience. Let's see here: the ten of clubs. Oh, this is interesting, we've got some sevens. We've got the seven of hearts, seven of spades, seven of diamonds, two of clubs, ace of hearts. Let's see, the five of spades, the three of diamonds, the six of clubs, three of hearts and the eight of spades. Thank you. I hope you enjoyed this talk. I know it was a little bit random. If you're interested in these subjects and you want to get down into the deep technical details, I have some firmware files, I have some pcaps; come find me and some of the other hackers and we can talk about industrial control system security. And I hope you enjoyed the moustache. I certainly do.
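The cups-and-buckets game the talk uses to explain interactive zero-knowledge proofs, as an added simulation that is not part of the talk or the speaker's material: Alice and Bob are modelled as functions, a cheating Alice can only rig the buckets for one pour order, and rounds_needed shows how many cheap early rounds a session would need before unlocking sensitive operations at a chosen confidence, as the talk proposes for long-lived industrial protocol sessions. The marble counts, the 0.95 threshold and the seeds are constructed for the example.

```python
"""Cups-and-buckets interactive proof: the marbles game from the talk, simulated.

Alice (prover) claims two cups hold the same number of marbles. Each round she
sets out two buckets, Bob (verifier) chooses which cup pours into which bucket,
then counts both buckets and checks they match. A cheating Alice with unequal
cups can rig the buckets for only one of the two pour orders, so every round
exposes her with probability 1/2 and Bob's confidence after n passed rounds
is 1 - 2^-n. Added example; all counts and thresholds are constructed.
"""
import random
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Alice:
    """Prover. cup_a == cup_b means the claim is true (honest Alice)."""
    cup_a: int
    cup_b: int

    def offer_buckets(self, rng: random.Random) -> Tuple[int, int]:
        """Marble counts Alice pre-loads into bucket 0 and bucket 1.

        Honest Alice: equal buckets make the totals match for either order.
        Cheating Alice: she guesses Bob's pour order and pre-loads the bucket
        difference to cancel the cup difference for that order only.
        """
        base = rng.randint(20, 30)      # large enough to absorb any rigging (cups < 20)
        diff = self.cup_a - self.cup_b
        if diff == 0:
            return base, base
        guess = rng.randint(0, 1)       # 0: cup A into bucket 0; 1: cup B into bucket 0
        return (base, base + diff) if guess == 0 else (base + diff, base)


def bob_round(alice: Alice, rng: random.Random) -> bool:
    """One round: Bob picks the pour order only after the buckets are set."""
    bucket0, bucket1 = alice.offer_buckets(rng)
    swap = rng.randint(0, 1)            # Bob's challenge, unknown to Alice in advance
    first, second = (alice.cup_a, alice.cup_b) if swap == 0 else (alice.cup_b, alice.cup_a)
    return bucket0 + first == bucket1 + second


def confidence(rounds: int) -> float:
    """Bob's confidence that the cups match after `rounds` passed rounds."""
    return 1.0 - 0.5 ** rounds


def rounds_needed(threshold: float) -> int:
    """Smallest number of passed rounds giving confidence >= threshold."""
    n = 0
    while confidence(n) < threshold:
        n += 1
    return n


def run_session(alice: Alice, rounds: int, seed: int, threshold: float = 0.95):
    """Run up to `rounds` rounds; a single mismatch rejects the claim outright.

    Returns (accepted, rounds_passed, sensitive_ops_unlocked). The last flag
    models only allowing sensitive operations once the cheap early exchanges
    have pushed confidence past `threshold`.
    """
    rng = random.Random(seed)
    passed = 0
    for _ in range(rounds):
        if not bob_round(alice, rng):
            return False, passed, False
        passed += 1
    return True, passed, confidence(passed) >= threshold


def detection_rate(cup_a: int, cup_b: int, rounds: int, trials: int, seed: int) -> float:
    """Fraction of independent sessions in which a prover with these cups is rejected."""
    caught = 0
    for t in range(trials):
        accepted, _, _ = run_session(Alice(cup_a, cup_b), rounds, seed + t)
        if not accepted:
            caught += 1
    return caught / trials


if __name__ == "__main__":
    print("rounds for 95% confidence:", rounds_needed(0.95))
    print("honest session:", run_session(Alice(4, 4), 5, seed=1))
    print("cheating session:", run_session(Alice(4, 6), 20, seed=1))
    print("one-round detection rate for a cheater:", detection_rate(4, 6, 1, 2000, 7))
```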