Let's start a warm applause for the presenters. Hi, I'm Tiffany Rad and this is Teague Newman. We're really glad to be back in Berlin, Germany. We were here last year. Last year I was here in this room presenting about data havens and jurisdiction hopping. And after that I had a different kind of project I wanted to work on. We had a bit of an inspiration looking at... Everyone knows what Stuxnet is and this isn't a presentation about Stuxnet. A lot's been said about that already. But this Stuxnet was an inspiration, so to speak, for the work that we did. And we apologize that the slides don't seem to be working, but we hope it is because we really would like to show you the demo with our programmable logic controller we have. So when we get to that, maybe the slides will be working. It's toward the end anyway. What we're going to do is talk about SCADA systems and PLC vulnerabilities and correctional facilities. Now, we kind of focus this research amongst correctional facilities. However, we'll talk about at the end how this is really any type of facility that has programmable logic controllers or SCADA, and if that's connected to the internet, that kind of work that we've done. It applies to that as well. We're going to discuss modern prison design. And my father, John Strauchs, has designed hundreds of security designs for federal prisons and jails. He couldn't be here in Germany today, but he's on Skype. So we might lift up the laptop and turn it on so you can see all of you just briefly. But we're looking at him right now. He's in Washington, DC right now. We're trying to get audio from him. Yeah, we're going to try to get some audio so you can ask him some questions. We're going to theorize possible attack vectors, explain ladder logic. So if you're going to be doing any research with programmable logic controllers, we're going to tell you how cheap it was for us to do this.
We got our equipment off eBay, and ladder logic is a pretty easy programming language to learn. And we're going to recommend some solutions because that's really the reason that we did this type of research. I am so glad to be back here at CCC. This has been an awesome experience being here. We just kind of got off the plane from DC, but that's where our research was based pretty much in his basement. And I am also a computer science professor at the University of Southern Maine, and I teach information security, ethics, and law. So I teach my students about how to do stuff and then really the ramifications of how we do it and why we do it. I've studied a lot of different places. I spread out my educational background amongst universities in Europe as well, so I had a really good time doing that, and that's why I love coming back here. We've done this presentation at DEFCON this year, and that's my demo. Well, that's really about me. I'm going to introduce my father because you're not going to be able to see or hear him at the moment. He's the senior principal of Strauchs LLC. He has been doing this type of work where he gets paid to break into places so other people can't break into places. He's been doing that for a long time, like 30 years, I think, or longer. He's probably going to say it's longer, but if any of you have seen the movie Sneakers that came out in 1992, that movie was based on my father and his company, and we still continue to do that. I mean, I grew up in a household really where we had like lockpicks and different kinds of fun stuff. We'd learn how things were vulnerable to breaking and then try to engineer better solutions. So that's how I got into what I do now. So let me let Teague introduce himself, and eventually I hope the slides come up so you get to have more visuals. Is this mic working? Can everybody hear me? All right. So I am Teague Newman. I'm just a professional pen tester.
I also do some instructing for Core Security Technologies, but really, I just like to break stuff. So that's what I do. All right. Another person who's on our team who couldn't be here today because no one knows who he is. He is Dora the SCADA Explorer. He's a really good exploit writer, and he lives in Columbia, Maryland. Works for a private company there. And when we came in with our idea, he's like, yeah, I can do that in a really short period of time. And we'll tell you at the end how easy it was to really write this exploit. This is not a trade or what a lot of things you've heard in the media from programmable logic controller manufacturers. This is not a difficult type of project to do. And it's the type of thing that we're hoping gets their attention. This is about getting the attention of manufacturers. Hey. While the PLC we had was Siemens, the type of exploit we wrote is not; it could work on any type of programmable logic controller. It doesn't have to do particularly with Siemens. So we came into this with the idea that the red team always wins. So blue team, they have to safeguard against half a million different things. We just have to find one. So we decided to present about this so that wardens in these correctional facilities would know about the problem because you can't really fix it unless you know about it. And also to kind of help these places get some funding to fix it if necessary as well. And once people understand what exactly is possible rather than telling them, hey, don't touch that computer. When you tell them, hey, don't touch that computer because all the inmates might walk out, then they understand. And when we're talking about fixes and funding, this is not an expensive fix to at least get the remedial measures in place. It's about training. When we did our tour, and we'll show you some pictures of what we did, what we saw.
But one thing we did see the jealousy, a picture of is that one of the prison guards was there checking email and on Twitter and stuff like that from the control room on the computer that controls the PLC. So that takes training. I mean, that's not expensive fix to try to fix that up. So why don't you tell me the story of Christmas Eve? Hi. So basically at one point, John was called by the warden of a prison and it was on Christmas Eve and there existed a problem. All the doors had come open on death row. So this was interesting. Clearly it was not supposed to happen. It's theorized that maybe because of Christmas time, there was different power draws. Well, what it really came down to is there were a couple of different parts that were out of spec and something was leaking voltage that it shouldn't have and all the doors flew open on death row. The thing to remember about this is people on death row, they don't really have anything to lose. So it's extremely dangerous. So it started with Stuxnet and actually it started the conversation with a Stuxnet researcher here in Germany and another in the United States who actually they've taken apart the code, figured out how it works. So when I talk with them, I said, you know, what would happen if we could have something like Stuxnet on something else? You know, everyone knew it was possible. So we're like, well, let's see if we can do a proof of concept for that. So Stuxnet for correctional facilities. What if someone wrote a virus or worms similar to that as we mentioned, pop all the doors open on death row. And actually, since we've done this presentation, we did this at DEF CON. 
People have come up to us and said, I can't tell you who I am or where I work, but I just want to say this is really a problem and I'm glad you're talking about it because this guy was saying, and many have said I have clearance, I can't really go public with this, but I'm glad someone is because this is the type of vulnerability that people have known about for like 20 years. Finally, there's some other independent security researchers who are getting this out in the open and telling people if you work at these facilities, if you do this type of research, get the word out that this needs to be corrected. So introduction to correctional facilities and security designs. My father usually does this part, but we're going to split this up. Understanding really what a vulnerability is, you got to understand not just the technology like how to do ladder logic for the PLC. It's about the design of the prison. So we're going to talk to you about some modern prison design. And he, as I mentioned, his movie and the work he did was inspiration for the movie Sneakers. He contributed a lot to the writing of that, how the sneaks, the break-ins occurred, and he does this for a living, which is quite fun. I'm sure many of you do, too. So that's excellent. So... All right, so with Stuxnet, it was directed against the SIMATIC software. Supposedly Microsoft released some patches that would have covered this. It was the computer was compromised, and then because of that compromise, the SIMATIC software was taken advantage of. So now it's all about the PLCs, and at the end we're going to discuss more about this, too. It's not just correctional facilities. We're talking about power grid, pipelines, water systems, both for the dirty water and the clean water. And also a new kind of research discovery vulnerability we found is with HVAC systems, heating and air conditioning. Well, it might be like, oh yeah, what's the big deal again? You just crank up the heat on some building.
But if you think about it, where the servers are for companies and stuff like that, when it has SCADA or PLCs controlling the type of the temperature, you could do a lot of damage. Yeah, so this encompasses a lot of stuff. A lot more than when we first started the project. It was really eye-opening when we started talking about this, how many people have said, hey, there's this other thing. So we're learning a lot more about it as well. So one of the initial things is most people didn't really realize that PLCs were in correctional facilities because the average person doesn't really know how a correctional facility is designed. So we're going to put out some definitions here. So a prison is a state or federal facility. This is like long-term confinement, typically over a year. A jail is typically a confinement of under a year, like leading up to trial, potentially or for smaller crimes. Just because it's a jail does not mean that you may not have big criminals in there. You may have murderers in jail awaiting a trial to then be transferred to prison. All right, so in the United States, there's about 117 correctional facilities federal. There's about 1,700 prisons and 3,000 jails. About 160 of those are operated by private companies. So most will actually use PLCs as well, except for the smaller facilities that it's not necessary. Just some pictures of John in correctional facilities. Doing the design, and he gets to actually sit in. There was one night tour that was a high-security prison with, it was quite interesting. But here he talks about, this is what it looks like. And so when we did our tour, the central hub, really the brain of the jail is in the control room. You can get into the control room, like a physical access or electronic access from the outside isn't controlled. This is the type of work that we can do. This is typically how prisons are laid out though. 
There are a hub and spoke design where central control is in the middle and then all the housing units will spawn off of that. In central control, it's also worth taking note of that the equipment room, where the PLCs, the servers, et cetera, that's usually attached to central control in the facility that we went to. It was actually underneath it. You had to go down a hatch through the floor to get down to the rack room. So this is what it would look like, just an overhead satellite view. There could be hundreds of cells. This is basically showing you what some of the control panels will look like. This is pretty much like the one we saw in our, and you'll see later in our photos. But this is a photo my father took of a prison he designed a long time ago. What does an electronic security system for a prison look like? As we went through, it has a control center, which is the brain for the system. Their servers are there, obviously. It also monitors and controls other things within the prison like video. So if you can get access to the control computer, you can see some stuff that's going on with the video as well. Note that the duress alarms, some of those things are also going to be included in there. Yeah, and in our demo, we were able to open up, simulate, open up all the prison doors, but yet still suppressing the alarm, suggesting that the doors have been opened. So the guard would see the doors are still closed, but actually they're open. And we'll show that in the demo. And the fences as well. For some of these facilities we theorized, we could open up the doors all the way out to the gate. I mean, all the way. This is interesting, though, there. You see the car and the RF link. So some of these cars that patrol the perimeter of these facilities will actually have on board a type of computer that's monitoring, typically the intrusion detection system on the fence line. 
And they will have the ability sometimes to actually, you know, send information back to central control via RF, not always encrypted. So that's another attack vector. And these are all controlled by the PLCs. So, and there's the PLC rack. You probably can't see that from back there, but these slides we're going to give to the conference so you all can look at them later too. So the other things that we found out that ways of getting into the control center, if you can't physically get in, like we were thinking of attack vectors similar to what we'd seen, potentially with Stuxnet with USB drive. But we found that, for instance, some facilities have like a McDonald's in the prison, and that's connected to the internet. And we found that it was called a commissary so that people that are there can get there. But they would order food and stuff like that. And so if that had an outside link, to get into the prison, we found out that the commissary was also connected to the control computer so you could just kind of hop through. It shouldn't have been designed like that, but it is. So this is just showing you what other things could be controlled in there, you know, showers, phones, etc. So this is basically just a diagram of how the PLC works. You know, it's basic in and out. It's basically multiplexing. All right, so there are a ton of manufacturers of PLCs. So these are just some of the common ones. PLC FACs, they can communicate via different methods. So you can have serial connections, you know, so Modbus, LonWorks, BACnet, DF1, others. Also clearly Ethernet, you know, they're sticking these on the LAN as well. So there's different ways to program them. Ladder logic is probably the most common because it's easiest. It's just, you know, it's designed for someone who's not a computer programmer to be able to use. It's just linear, straight through. If this, then that, just like a ladder.
All right, so within a large facility, these PLCs, they may monitor thousands of points. Because remember, it's not always so like with a prison door. It can be controlling the solenoid that controls the lock state. So is it locked or unlocked? But then it's also going to monitor the door so like with the sliding door. How far open or closed is that door? Things like that. This is schematic. On this particular one, you can monitor up to 34 points on that door. So this is kind of where we get into how PLCs were implemented as well. A lot of times they were implemented to cut down on hardware costs, i.e., you know, conduit and actual wiring. So you can run all these wires back to central control from every single point. Or you can, you know, run them to a PLC and run one wire from a PLC back to central control. That's the 34 points that he spoke of. With a schematic, we'll look for that. Also note here, the thing that we're pointing out is... You can't read it so well, we'll read it. Yeah, it says speed reducing. But the motors on the doors, you can control those and control the speed of it. So you could crank it up and turn it on and essentially blow out the motors on the doors so the doors are no longer functional at all. So it's called a cascade program. So the doors don't all open up or slam at once. Yeah, it's... So what we're showing here is the perimeter fences. They have intrusion detection systems on the fences. All right, so now we'll look at some of the vulnerabilities. We can open doors and gates, cause phase lock sliders to go out of phase. And so as Teague mentioned, if you can remove the program for the cascade, the speed of the door, you can break the door. So when you open it and slam it, those locks, they're done for the whole prison. And one of the things we could do that we theorized in an attack is say there's a witness in another cell block that someone wouldn't want to testify in a criminal case.
So we figured out you could also lock down entire housing units for the whole prison and prison fires happen quite often. A lot of prisoners light their mattresses on fire. Mattress fires. Yeah, and it's pretty common. So they need to get all the prisoners out. And one of the things they do with that is that some of the doors used to slam shut behind people. But now the slam door locks is something that can only be manually unlocked with a key. So we talked about that. You can release all the cell blocks, lock them all down. Let me just go through that part. Go ahead. All right. So a lot of the ideas that we were met with with this are that, yeah, this isn't that big of a problem because these are not connected to the internet. And actually that was one of the things that we thought of as well. Initially going into this, our assumption was that when we saw these in place, they wouldn't be connected to the internet. They would be air gapped. And that actually wasn't the case. And so we actually validated that ourselves. But after we did this talk at DEF CON, Idaho National Laboratories back in the U.S., went and validated not only our research, but in fact that approximately three or 400 facilities that they looked at, every single one of them was connected to the internet. And these are not just correctional facilities that they looked at, all types of facilities. Other than that, someone else also, when we first were doing our research, said, well, it's not really possible. This is very unlikely. Sure, when you get out of the cell, you still got to get past the guys with the guns, whether you cause mayhem or not by opening up all the doors. But there have been a lot of prison breaks recently, like Charles Manson got cell phones smuggled in twice. So a lot of these people have had helicopter escapes. So there are a lot of unlikely scenarios. We thought that this actually is quite likely compared to the helicopter escapes that have been successful.
What was the statistic was? I think it was like within the last 20 or 30 years, John will correct me at the end here, whatever it was. So I mean, this is unlikely, but flying a helicopter into a prison and taking somebody out is also unlikely. Well, in the past 20 or 30 years, it's actually been attempted eight times. Six out of eight, it was initially successful. They got away with the person they went to get. Now, they ended up getting caught later. But I mean, that's highly unlikely that someone will get a helicopter and fly it into a prison. So this is unlikely, but we still think it's probably more probable than a helicopter escape. So I mentioned what the exploit can do. I'm going to be going through some of these slides quickly to make up for some time that we lost at the beginning. So infection vectors from within without, like I mentioned, getting a USB drive into the control room might be harder. We were able to go right into the control room with someone we knew who was correctional. Actually, he was just a law enforcement officer who got us in. So he gave us the tour. We were able to take pictures. That was very good for the research. It was nice that he was telling us, we're glad you're doing some stuff. We need some help here. So law enforcement officers in the guards who work in these prisons, a lot of them recognize there are some holes in the security. So they were glad that someone could do presentations about it. So they helped us a lot. You know, it's interesting too. So like we said, we assumed to find these not connected to the Internet, but they were. In the event that they are not connected to the Internet, say maybe in another country, you know, over here, Stuxnet still proved to us that even if a device is not connected to the Internet, you still can breach it. There is the human factor, right, via your USB keys or whatever. 
So an example is when we took a look at the security equipment room, we went down the hatch to go look at this stuff and we were escorted. Well, when we walked down there, there were two unattended contractors working on the video over IP with no escort. And there was a third guy that was with them coming and going as he pleased. So, I mean, it clearly is still possible. If that was an air gap system, there was still people in there unattended with access to it that, you know, you supposedly trust. And I mentioned the commissary. That's one of the few weaknesses that we found that the commissary wasn't really supposed to be connected to the control room, but it was. So what kind of badness is possible that we were able to do? Open all the doors, cause chaos, murder could occur inside. So that was the one we just suggested that open all the doors. We've gotten a lot of interesting requests since we did these presentations. I mean, really, everything from Git mode, like we had some guy in prison in California and we said we can't just, you know, we didn't, one of the things about the exploit that if anyone has any questions we can talk to you about, we didn't release the exploit to anyone, not to the US government, not to any independent researchers. We held onto this because we figured this was one that was rather risky. And it was, but it was pretty easy to create. So that's why we're doing this presentation is for awareness, but not to release this exploit because of the opening door potential released from prison. Unlikely yes, but this is where the, this is the helicopter statistics for that. But close all the doors. Like I said, this happens often where there are people from different cases, trials, competing witnesses, or this is the type of thing where, yeah, you could lock down an entire housing unit and during a fire and that would mean the guards and the prisoners would perish. So the prisoners would be locked in. 
All right, here's the part that I know a lot of you are waiting to hear. How much did this cost us to do and how long did it take? $2,500, mostly in legit licenses, which was for the software. We bought the SIMATIC software, but it was also available on Pirate Bay. But we just didn't go that route because I'm also an intellectual property attorney and we wanted to just purchase the software so we could, so I could do this presentation. All right, so just a couple of notes on that. So the first thing we did is we kind of researched widely used PLCs. That's in particular why we decided to go with Siemens. We're not picking on Siemens. We just know that they were widely used in our talk. You know, it can be interpreted that is, you know, more viable not just in prison facilities but wherever else these Siemens are used. It's not a particular attack on Siemens. Our attack vector, it's basically would work on anything that was set up the same way. So one note is we went to eBay. We looked it up and we bought a kit for $500 US. We could have got it cheaper if we wanted to spend an extra day or two to order each piece individually. Then after that immediately we went, looked on the internet. I was able to find the software on the internet within about 15 minutes. So like Tiffany said, we went and bought it but the idea is we had heard initially after Stuxnet people saying, no, you need to be a country to be able to do this kind of research. You need to have an extremely fancy lab. No, you don't. We did it essentially for $500 plus the 2000 for the software. Now if somebody malicious was doing this, they could buy the hardware for $500 and then go acquire the software on the internet. So it really does not take a nation state. This is not a huge funded project. I mean, it's a few hundred dollars and some motivation people could do this.
Another researcher who has done some work in this is Dillon Beresford and he did some interesting exploits that showed about the buffer overflow. For our code it was really a buffer overflow stack and about 30 lines of code. That's not a lot. I mean, even my students in CS don't ever write buffer overflows. They're capable, the devices are capable of buffer overflows but we found that and that's the vulnerability that I believe Dillon found as well. Basically what we're looking at there in particular is we took a look at the publicly available exploits and did a code review and another presentation but essentially what they are is most of these exploits are under a hundred lines of code. That's including comments and ASCII art and shell code. So here's a picture of the super expensive lab. That's a computer on my desk and the PLC is in the bottom right corner there. That's it right there. Software box up in the top left. Spindle and CDs. This is as simple as ladder logic is. If you understand logic gates, you can program in this. We have programming experience. We have no SCADA PLC background so it was a project we didn't know would be this quick but it really only took us about two months. Once we came up with the idea to look at the vulnerability we were able to find someone who would give us a tour of a prison to kind of validate, yes, this stuff is in correctional facilities. Then we went home and we started putting together the project and our exploit writer got on this and it was about two months. Seriously, one of the hardest parts was trying to figure out what kind of software we needed. If you go look at that software, there's about 80 different versions of it. That was one of the most difficult ones. Clearly, there are a bunch of SCADA exploits public and there have been more. Actually, since these stats originally came out. Luigi, he's pretty well known for doing this. Initially, it was like last March or April.
He released 34 zero-day proof of concepts in one day and since then, I believe there's been probably close to 30 or 50 more that he's released. Then obviously, you can find some of these in Metasploit, Exploit-DB, and then there is commercial pieces of software that do have them. Core Impact Pro, Canvas, there's a SCADA pack for Canvas as well. You can find these as well. Do we talk about Shodan? Yeah, well, Shodan is kind of not exactly the same but it was interesting. One of the things that we did is we took a look at all these exploits that were out there and we started searching on Shodan for banners. For those of you that don't know, Shodan basically is an archive of banners of everything that's on the Internet. We started looking out there and looking up keywords like Citect and SIMATIC and things like this. We actually were able to find these systems live on the Internet via Shodan that were susceptible to these exploits that you could cross-reference on Exploit-DB or within Metasploit or whatever. This is not just a guess. They are out there. There has been talks about that as well. US-CERT about a week ago actually finally released an advisory saying, hey, these things are on the Internet. After people have been saying it now for years, they are there. Our attack vector, it was somewhat similar to Stuxnet. When we were in the prison facility, clearly we saw the people going in and out. We also saw a lady that was running the correctional facility checking her Gmail and Twitter on the machine that controlled the doors. We took it for granted that that machine had been compromised. This particular exploit was not a remote exploit because there were plenty of attack vectors there. We figured it was a logical assumption that we could make. We also, because of Stuxnet, it is a valid theory.
She actually told us too that the guys that worked the late night shift, they have been looking at all these images and videos really late at night because they are bored. Now the computers are running really slowly and we don't really know why. Yeah, so admission of infection on the machine as well. Actually, what we did is we went in there. We took for granted that machine had been compromised. Then we migrated into the process. It was either controlling, monitoring, or programming the PLCs. Then we actually started accessing its DLLs that it had loaded up. We started issuing the commands directly across ourselves. More of an attack vector than an exploit. This is why we said it would be universal because anything that operates via that fashion, you migrate into that chunk of software and then you start accessing its libraries. At that point you are making the software do what it's supposed to do. It's issuing the calls out. Then the only thing we did is when it would send back the notifications, we'd just throw them out. So it would say unlock the door and it would usually tell the people at the control center, okay, the door is unlocked. Well, unlock the door, throw the alarms and notifications out so that the guy at the control center is sitting there. He thinks everything is locked and okay. Meanwhile, the end state of the actual device is open. Yeah, actually, so we're going to run it off this computer. We're going to attempt to do a video switch here, so let's get that over a little if you could. We have some audio with it. I'm not sure you're going to be able to hear it, so we're going to narrate what you're seeing in the demo that we did. You can hear my audio. That's good. I can hear the audio too, so check this out. All right, so this is our exploit writer talking. All right, so what we see in the middle here, this is our PLC. 
The switches on the bottom represent the actual lock control themselves, so either a physical mechanism or the software changing the state. The LEDs on the right side of this which is represent their state, so that would be if the switch is actually physically on or off. Okay, so I'm going to pause it right here and talk for a second. I'm flipping. They're hard to see in the video, but there are physical switches on this bottom side that I'm flipping, so that would be like the guard at the control center hitting a button lock or unlock, and then you see the LEDs on the top, which would indicate the end physical state, so the LEDs on the top are like the door there, so when you hit lock, the door locks. When you hit unlock, the door locks. The LEDs you see at the top represent the actual lock state, so like a secondary sensor that's telling you is this lock actually locked or what state it currently is in. As you see, switching back and forth, the LEDs update to show that status. Now on the software, you basically have all of the internal states, again, of the same things. You can see the lock controls and the lock states themselves, and in the software the LEDs are the column with the true and false are the state of the switches and the lock states where they currently are. So once again, you'll see the same things occurring there. A bank of the ones at the top will indicate if the switch is flipped or not, and then the ones at the bottom will indicate what's actually going on at the door. Alright, so once we actually start running the exploit, not exploit, the interpreter script, we're going to basically migrate into the controls and the communications part of the software that handles communications with the... Actually if you want to look at the PLC real quick, it's about to trigger and there they go. And as you can see in the software itself, the state of... 
So you can see all the switches were still physically flipped there and showed as doors were locked, but the end state, they all went off. The switches are still currently turned on. Basically, yeah. So now if you notice the software, everything still reads as we flipped the switches, and the end state is all locked as well, whereas clearly all the lights went off. They were not locked anymore. So that is the demo of it there. We'll switch back to my machine at the end so you can ask some questions to John as well, since we do have the audio and video working. All right, so other facilities at risk, as we discussed, and you may have heard in the news, a water facility, a water treatment facility in Texas that someone named the prof, the professor, Sirius prof, figured out how to get into the SCADA system, well, through SCADA, get into the systems there and potentially change some of the settings at that facility. And it's theorized one of the ways you could have done this is similar to this. Transit, as many of you, some of you may know, maybe not many of you know, but a lot with transit is also controlled with PLCs, which is one of the other reasons that we didn't want to do the proof of concept with that. We thought that this was a lot safer to do than that. So food, drug and chemical manufacturing, and I mentioned the HVAC system. This is a new kind of vulnerability that we recently found within the past couple of weeks. So we didn't talk about this at DEF CON. So, yeah, I mean, it was commonly known that, you know, this stuff affects power and water, and that's, you know, really what we'd heard after last night, but as you can see, it does affect many more areas than you'd initially think. Like, you know, I'm sure there's even areas that we haven't thought of. And there's an up-close picture of that. So that's actually what the PLC looks like. So now you can see those switches on the bottom that we're flipping. This is from the correctional facility that we toured.
I'm just going to go through these quickly because, as either of the photos that we took or the previous video shows, the remediation is clearly: use the device for its intended purpose. If that machine controls the doors in your prison facility, you probably shouldn't be using Twitter on it. Proper network segmentation as well. I mean, really, you should isolate that chunk of the network, you know, that's occurring on that LAN where all these PLCs are at. They shouldn't touch another one. Physical media, physical access: actually explain to people who are using it why that's in place. Like, you know, don't say, don't do that. Say, look, if you do this, there's the possibility that all these doors could fly open and all the prisoners could rush you. So... And one of the other things that we wanted to mention for the Federal Bureau of Prisons in the U.S. is that a lot of these designs happened before a lot of these vulnerabilities were known. So I believe that they are updating their security now and their network segmentation after our presentation and the work we did became public. But a lot of these facilities are really old. So back then, it's kind of like, now we're like, yeah, that's obvious, but back then they didn't know. So, improved communication between IT and physical security, because especially in correctional facilities, they have a lot of technology for the security systems, but you also have the prison guards who are working there for the physical security. So connecting all this together, that's one of the two. So we're suggesting that that would help improve some of the security. You know, one of the things I'd like to point out here, too, is we found out while doing research for industrial control systems in general, that availability is typically of highest priority. Security is not always the highest priority in these systems, right? So that makes sense. You know, you have a nuclear reactor. It's really a big deal.
And so one of the things we came across is the patching cycle of some of these devices is out to like six years. So patching is not always the answer. Because, I mean, realistically, it is a good idea whenever possible, but what do you do? Take your nuclear reactor offline every Monday so you can patch it? I mean, it's... So, you know, that's why we're saying, pentest, see if this stuff is there, see if you are vulnerable, go along with the education, tell people how to handle this; people that are handling these devices that should be considered critical to your facility need to know the vulnerabilities. And you just enhance physical security for these rooms, like the fact that people could sometimes get tours of the control room. Glad we did for our research. But, you know, in some sense, we probably shouldn't have been in there. So until the manufacturers really get their stuff up with the patches and fix some of the vulnerabilities, physical security and training is really the way that you can remediate some of these risks. So acknowledgements, to start, to Dora the SCADA Explorer, who may be watching now. Hey, thank you, he's awesome. And a CISO of a state who let us do this type of research. So that was good foresight on his part. And now we found out a couple weeks ago the state's getting more funding to fix some of these problems. So that was great. And the LEOs who took us around on the tour. That was great because we did security research, but they really didn't know really the essence of how much of the project we were going to be doing. Thanks to Core; they sent us, they paid for our travel expenses out here and all that. But this was not Core's research, but we were glad that they published our work. So here's our contact info, and then after this slide what we're going to do is we'll actually swap over to the video here. We'll let John say a few things that he has to say and then we'll go into some questions as well.
But if you need to get a hold of us, that's how you can do it. Anybody that's interested in pen tests or stuff like that, we can do it through Core Security. But if you have any questions for my dad about the work he does and stuff, this is the time to ask it. Yeah, so we'll swap this now. While he's doing that, does anyone have any questions? Any general questions? The question was, has Siemens patched this yet? And in essence, the answer is no. But this is not because of Siemens, because of anything they've done; you can't patch this. What we did in particular, it's just we're using the software how it's supposed to be used. So that's why we really wanted to say patching isn't always the answer. We wanted to demonstrate something that didn't really have a patch so that people couldn't fall back on to that. Let me get this up here. There's my dad, John Strauss. Let me see if I can make this bigger. He's sitting in his office in the DC area. All right, so here's John. Say hi, John. Is there anything you'd like to add? Sorry, there's some latency. Can you hear us? Can you hear us, John? I expect it. I'm a Berliner. Is there anything that you'd like to say before we start with the questions? Anything you'd like to add on? Not really. I think you covered it very well. Thank you, John. All right, we'll start with questions. We'll start with questions for John specifically. He did the physical and he is aware of a lot of this stuff. So anybody that has physical questions, let's direct them to John right now. Questions? Other questions? Thank you. When you're able to bring a new law in the Congress department, what will you do about the SCADA or PLC problem? About the SCADA and PLC problems in regard to... How would it be addressed via that? Well, you have some interesting stuff on the table here about pen testing tools. This is a very extreme... I know it's never...
anyone who's been tried for it yet, but pen testing tools and exploits are, from what I understand, not legal in Germany unless you can show that you are a security researcher. I don't know how to define that. In fact, a lot of the work I've done, I don't know how anyone has yet defined this in Germany. The UK has some laws like that. And I see a new one coming through the EU. Well, part of the work that we do, doing penetration testing, we need these exploit tools. So I'm afraid that if the EU passes a law that's similar to Germany's, we're going to have a lot of problems being able to really go public with the research that we've done. So I would say I hope that that law doesn't pass in the EU. And I don't want to see anything similar to that in the US. Anybody have any other questions? You said you do education for the people who actually browse Twitter and read their mail. Do you find that this actually takes? When you go six months later, have they learned and have they stopped using it? They're not using it on the internet again? So basically, some of the things that we saw, there are cheap fixes to this. So when you tell someone, you say, hey, you shouldn't be cruising these personal websites via this computer because these specific bad things can happen, they tend to understand. And then at that point, we suggest minimal things. If you don't have money to redo your entire network, unplug the keyboard and monitor from that computer. It's very simple solutions that are effective. That's not the complete answer. But that will inhibit somebody from accidentally infecting it. So yeah, we have seen positive things come out of this. It has been about six or eight months now. We have seen good changes that are in effect. One of the things that's been interesting is when we did this type of research, water treatment facilities, for instance, came to us and said, hey, we'd like you to look at our networks. What do you think? Is this vulnerable?
So what we found, though, that was quite shocking to us in the industry is we found that while we do pentesting as independent security consultants, we were competing with the FBI for projects. Now, this kind of blew my mind, how the U.S. federal government will come in when a company has a breach and they don't just do incident handling; they'll say, hey, we'll do all this consulting for free. So, that wasn't me. Oh, did someone leave their phone up here? We were just really surprised to find that the FBI will come in and do it for free. So if you're an independent security consultant in the U.S., you're competing with the U.S. government for work. And how do you compete with free? So that was an interesting revelation we had in doing this project. Any other questions? I've read news articles that mention that in some prisons, they're piloting programs where prisoners have, like, computer terminals in their cell. And, you know, they can buy, like, the right to browse the Internet sometimes. And I've heard that some of them are, like, writing their own attack vectors, like, getting by the censorship and looking at porn. Do you know anything about that? Or if those can interact with the SCADA systems? All right. So what we've seen here, like this, we've seen a similar instance. However, they actually were air-gapped. They weren't going out to the Internet. They were able to use browser circumvention features. The particular one that I'm familiar with, it was Internet Explorer. And they found out that after they opened up, essentially, hundreds of tabs, they'd be able to circumvent, you know, what was blocking them. In those instances that we've seen, the network segmentation was done correctly. So it was not an attack vector via that method. What they used the terminals for most of the time was visitation. So that family did not have to come to the actual facility to visit them.
The family would go to a remote facility and they'd set up a video conference between the remote facility and where the prisoner was at. That's how I've seen it. I haven't seen anything else. I think something that a number of us have been wondering is whether you have considered the ethical implications of improving the security of U.S. prisons where, you know, death row exists, people get killed. Have you thought of this or not? We considered the ethical implications of... I think that in some facilities, we had a guy come up to us and said that he worked in a supermax facility, which is the ones that are underground. Some people that have, I mean, it's some pretty bad stuff that they go down underground for that stuff. What we were concerned about is that someone did say that, you know, this was vulnerable, that supermax facility was vulnerable to this type of attack, and it's someone who worked with the IT networks there. So that's why we thought that this would be a good idea, to do this type of research to kind of protect some citizens from this type of stuff happening. Last three questions. So what's the best way to break out of jail? We get a lot of these email requests. The question was, what's the best way to break out of jail? I don't know. At the beginning you were saying that you also could attack, for instance, data centers with the cooling. How bad can you go? Would you really be able to shut down the data center room machines? Yeah, we think so. Yeah. Okay, so this is talking about heating and air conditioning. This PLC does, actually, interface with these systems. Yeah, if you got a hold of the PLC you could turn off the AC. The server room would heat itself up, or you could turn on the heat in there and possibly, you know, computers get too hot and shut down, and sometimes they break.
Yeah, and some other researchers have done, I think it was Dylan's work, where you can actually take control of the PLC and shut it down, and in the period of time it takes to get back up... Sometimes you have to have someone manually go there and do it. So in that period of time, if it's even 30 minutes, you could do a lot of damage to a data center with a lot of servers in there. Last question. Okay, so I understand your main solution to the problem is to educate the people on how to use the computers. This basically protects against dumb people doing dumb stuff. But what about these low-wage guards, paid basically nothing for working there and getting paid by other people for doing bad stuff? I mean, if the vulnerability exists, they can inject some code which works months or years later. So I think educating dumb people isn't the real problem for people planning helicopter-style attacks. Exactly, it is. Well, the initial thing is really your typical layered defense, right? The immediate thing is to educate to remove those accidental vectors, and then you do the typical things that you do. Isolate physical access to that machine. Restrict physical media. Proper network segmentation. You know, air-gapping. Things like that to make it extremely hard. You will always have some attack vectors there, so you can limit them through the use of all these different things implemented. You shouldn't just educate. You should do everything. But you can educate immediately and cheaply. So that's why that was the initial.