Bricks-in-the-Loop – Scott M Thompson, CACI, Inc. – PowerPoint PPT Presentation



SLIDE 1

Bricks-in-the-Loop

SLIDE 2

Scott M Thompson, CACI, Inc.

• Started programming in BASIC at 13.
• Helped stand up Cyber National Mission Force (CNMF). Worked with NSA, US CYBERCOM, and Air Force Cyber.
• MS in Cyber Forensics.
• 26 years of Navy experience as a Systems Engineer. Gas Turbines, Diesel Engines, Fuel and Water Systems, Power Distribution.
• Hacked in 300 Baud … Phone Phreak.

Scott M. Thompson – ICS / SCADA Systems Engineer, CACI, Inc. scott.thompson@caci.com 832-570-5758

SLIDE 3

90th Cyber Operations Squadron (90th COS)

The 90th Cyber Operations Squadron at Joint Base San Antonio accelerates global vigilance, reach, and power by rapidly developing cyber capabilities to achieve military objectives across all domains. Our vision is to rapidly weaponize cyberspace in support of Air Force, joint, and inter-agency partners to further U.S. interests. We employ more than 250 active duty, civilian, and contract personnel to meet engineering challenges. Our BIL model is under the modeling and simulation flight, which provides synthetic environments for mission rehearsal, concept exploration, and capability assessments. We are also known as the Distributed Mission Operations Center-Cyber (DMOC-C), supporting major exercises with modeling and simulation tools for realistic training.

SLIDE 4

Operational Technology vs Information Technology

Operational Technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events in the enterprise.

Information Technology (IT) is the use of computers to store, retrieve, transmit, and manipulate data, or information, often in the context of a business or other enterprise. IT is considered to be a subset of information and communications technology (ICT).

SLIDE 5

Cyber Threat to Operational Technology (OT)

According to Symantec, Internet of Things (IoT) attacks increased 600% between 2016 and 2017.

DHS / US-CERT reported in March 2018 that Russia has compromised computer systems containing ICS/SCADA data in an effort to be able to cripple the energy sector in Europe and North America.

Hacker methodologies now include using OT as a means of gaining access to IT, as OT is normally an easier target:

• A city irrigation system was attacked in Orange County, California. This allowed access to a town government's IT network, where the attacker installed ransomware on critical municipal file servers.
• An aquarium thermometer was used as an entry point into a casino IT network. The casino's high-rollers list was stolen.

SLIDE 6

BIL Objectives

• Provide a cyber-physical interface for exposure, orientation, and familiarization of Operational Technology (OT) defense to Air Force Cyber Protection Teams in a rich, vivid, and lucid environment.
• Build ICS and SCADA technologies at a low cost by maximizing the use of open-source technologies and protocols and commercial-off-the-shelf hardware.
• Deliver an environment that is portable and easily integrated into the 90 COS slice environment.
• Provide OT scenarios that are relevant to the ICS / SCADA challenges that are faced by the Air Force.
• Develop the environment as needed to orient operators to an ever-expanding Internet of Things (IoT).

Brick Model of Blue AFB
Bricks-in-the-Loop at DEFCON 27

SLIDE 7

TERMINOLOGY and ICS BASICS

SLIDE 8

Terminology

An Industrial Control System (ICS) is a generic term used to describe any system that gathers information on an industrial process and modifies, regulates, or manages the process to achieve a desired result.

• Distributed Control Systems (DCS)
• Supervisory Control and Data Acquisition Systems (SCADA)
• Process Control Systems (PCS)
• Emergency Management Systems (EMS)
• Automation Systems (AS)
• Safety Instrumented Systems (SIS)

All of these systems are considered Industrial Control Systems.

SLIDE 9

Programmable Logic Controller (PLC)

• Brick Type PLC
• Modular PLC
• Remote Telemetry Unit (RTU) with GSM Communications

SLIDE 10

Human Machine Interface (HMI)

SLIDE 11

The Story of an HMI

We have done research on different HMI software and hardware during the last year. One device, in particular, stood out:

• Hard-coded HTTP authentication credentials.
• Arbitrary JavaScript execution via HTTP upload.
• Hard-coded user credentials.
• Privilege escalation via misconfigured /usr/sbin/useradd binary.

Lesson Learned: Carefully research your ICS / SCADA devices in a test bed before they are installed in your production network. Sometimes the security misconfigurations can be astounding.

SLIDE 12

AFRL Project

• ACDC Trailer (From DARPA Project)
• DIN Cabinet
• Terminal Blocks
• DIN Rail
• Modular PLC
• Power Supplies (24, 36, 48V)

SLIDE 13

AFRL Project

SLIDE 14

Typical Control System –Purdue Model

SLIDE 15

SCADA Network Communications

SLIDE 16

SCADA Server Polls Data from RTUs / PLCs

"Hey dudes, let me know what's going on out there. I want to know: Valve Position (O:0), Pump Status (O:8), Pressure (Rn:0), Level (Rn:1), Flow (Rn:2)."

SLIDE 17

RTUs and PLCs Respond

"Ok, here's my status: O:0 = True (Valve is Open), O:8 = True (Pump is On), Rn:0 = 45 (Pressure Sensor), Rn:1 = 17 (Level Sensor), Rn:2 = 60 (Flow Sensor)."

SLIDE 18

SCADA Server Updates HMI Status

"Larry… here's your updated display of what's going on out there. RTU reports .... And PLC reports …. I'm going to record those readings for posterity! I'm cool like that."

SLIDE 19

… and the polling repeats at a regular interval

"Hey dudes, let me know what's going on out there. I want to know: Valve Position (O:0), Pump Status (O:8), Pressure (Rn:0), Level (Rn:1), Flow (Rn:2)."

SLIDE 20

Same Old … Same Old …

"Ok, here's my status: O:0 = True (Valve is Open), O:8 = True (Pump is On), Rn:0 = 45 (Pressure Sensor), Rn:1 = 17 (Level Sensor), Rn:2 = 60 (Flow Sensor)."

SLIDE 21

Yadda Yadda Yadda …

"Larry… here's your updated display of what's going on out there. RTU reports .... And PLC reports …. I'm going to record those readings for posterity! I'm cool like that."

SLIDE 22

We Institute Change

"ROGER THAT, LARRY! I'll have the RTU shut the valve!!"

..Larry sips coffee and hits a button… "Have the RTU shut the valve!"

"I SAW THAT AND I'M RECORDING THAT! At time 0605, valve on RTU was ordered closed by Larry."

SLIDE 23

We Institute Change

"RTU, shut the valve! O:0 = FALSE!"

"…no one ever prints around here... And I do color and everything! I'm entering sleep mode."

"Sure… whatever you want. …I'm running MODBUS, I don't care. I'll do anything that anyone wants… OK, made that change."
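The poll-and-command exchange from slides 16 to 23, as an added example that is not part of the original deck: a constructed, in-memory Modbus/TCP RTU that answers the SCADA server's reads of O:0, O:8 and Rn:0..Rn:2 and then its Write Single Coil on O:0, with a historian list capturing the readings and the operator's command, which is the record a defender falls back on because the RTU itself authenticates nobody. The mapping of O:n to Modbus coils and Rn:n to input registers, and the names SimRTU, poll and command_valve, are assumptions.

```python
import struct
# Constructed model of the deck's poll/command exchange (added example, not BIL code).
# Assumption: O:n are Modbus coils and Rn:n are Modbus input registers (FC 0x04).
READ_COILS, READ_INPUT_REGS, WRITE_SINGLE_COIL = 0x01, 0x04, 0x05

def build_request(tid, unit, fc, addr, value):
    """MBAP header (transaction id, protocol 0, length, unit id) + 5-byte PDU."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

class SimRTU:
    """Stand-in RTU: answers any well-formed request; no authentication, as the slides say."""
    def __init__(self):
        self.coils = {0: True, 8: True}           # O:0 valve open, O:8 pump on
        self.input_regs = {0: 45, 1: 17, 2: 60}   # Rn:0 pressure, Rn:1 level, Rn:2 flow
    def handle(self, adu):
        tid, _, _, unit, fc, addr, value = struct.unpack(">HHHBBHH", adu[:12])
        if fc == READ_COILS:                      # value = number of coils requested
            bits = sum(1 << i for i in range(value) if self.coils.get(addr + i))
            n = (value + 7) // 8
            pdu = struct.pack(">BB", fc, n) + bits.to_bytes(n, "little")
        elif fc == READ_INPUT_REGS:               # value = number of registers requested
            regs = [self.input_regs.get(addr + i, 0) for i in range(value)]
            pdu = struct.pack(">BB%dH" % value, fc, 2 * value, *regs)
        elif fc == WRITE_SINGLE_COIL:             # 0xFF00 = ON, 0x0000 = OFF, echoed back
            self.coils[addr] = value == 0xFF00
            pdu = struct.pack(">BHH", fc, addr, value)
        else:                                     # exception response: illegal function
            pdu = struct.pack(">BB", fc | 0x80, 0x01)
        return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def poll(rtu, historian, unit=1):
    """SCADA server poll: read O:0..O:8 and Rn:0..Rn:2 and record the readings."""
    resp = rtu.handle(build_request(1, unit, READ_COILS, 0, 9))
    bits = int.from_bytes(resp[9:9 + resp[8]], "little")   # resp[8] = byte count
    resp = rtu.handle(build_request(2, unit, READ_INPUT_REGS, 0, 3))
    regs = struct.unpack(">3H", resp[9:15])
    status = {"O:0": bool(bits & 1), "O:8": bool(bits >> 8 & 1),
              "Rn:0": regs[0], "Rn:1": regs[1], "Rn:2": regs[2]}
    historian.append(("poll", dict(status)))
    return status

def command_valve(rtu, historian, operator, at, close=True, unit=1):
    """Operator writes O:0; the historian records who ordered it and when."""
    resp = rtu.handle(build_request(3, unit, WRITE_SINGLE_COIL, 0, 0x0000 if close else 0xFF00))
    ok = resp[7] == WRITE_SINGLE_COIL             # function byte echoed, no exception bit
    action = "closed" if close else "open"
    historian.append(("command", f"At time {at}, valve O:0 ordered {action} by {operator}"))
    return ok
```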

SLIDE 24

The Bricks-in-the-Loop Prototype (Version 1.0)

4 vital 480V buses supplied by commercial power that supply the:

1. Runway, Taxi, and Approach Lights
2. Combined Air Operations Center / Comm Squadron
3. Tower and Air Traffic Control
4. Airfield Operations

A commercial power bus (12.75KV) and a UPS on each power bus.

Supervisory control that automatically starts emergency generators when commercial power is lost.

Traffic lights

Fuel Farm

CAOC / Comms Squadron; Airfield Operations; Tower / Air Traffic Control; Runway, Taxi, Approach Lights; Headquarters Bldg

SLIDE 25

• PLC Logic using Raspberry Pi
• myBOX provides HMI service over the WWW. Scenarios are built using myDesigner software. The HMI (Master) speaks with the PLCs (Slaves) using the MODBUS / TCP protocol.
• DC Power Supply
• UniPi PLC controls the traffic light simulation.
• BitScope Blade Rack allows deployment of 20 Raspberry Pi computers using a common DC source. Serves additional traffic lights and the fuel farm.
• Desktop server provides the IT network, the Air Force's SLICE virtual environment.
• 4 PLCs (Raspberry Pi computers) for Supervisory Control of the base's electrical distribution.
• myBOX by mySCADA technologies.

SLIDE 26

Future of BIL

BIL provides a cyber-physical interface that helps cyber defense forces with Exposure, Orientation, and Training in Industrial Control Systems (ICS).

BIL Base Functionality: Electrical Distribution

ICS/SCADA Petting Zoo: We go beyond the Raspberry Pi and bring in PLCs from leading manufacturers (Siemens, Allen Bradley, Honeywell, etc.) to both control the environment and allow teams to explore the nuances of industrial control devices from different companies.

• Security Cameras and Systems
• Low Power RF / Building Automation
• Weather, Water, and Irrigation
• Fire Alarms and Suppression
• Fuel Operations

SLIDE 27

Build Your Own SCADA for FUN and PROFIT

SLIDE 28

General Rules

• Start simple and build complexity as you go.
• Fall in love with Open Source again.
• Do deep dives on the protocols. There's TONS of information out there. Pass on what you learn.
• GET CREATIVE! Engage the imagination of your target audience. Look for ways to get them invested with your project.
• This is a GREAT project for a hard-charging group of young students or employees.
• BEST WAY to learn ICS / SCADA is to build it yourself.

SLIDE 29

Step 1: Find OpenPLCProject

www.openplcproject.com

SLIDE 30

Step 2: Learn Ladder Logic

• Not as hard as it looks. There's plenty of documentation out there.
• OpenPLCProject hosts PLCOpenEditor, which works great for programming ladder logic.
• Understanding Ladder Logic assists in understanding how PLCs work. Also assists you in understanding SCADA and interfacing with your customer.
• Programming ladder logic is the ultimate tool in creating your own unique ICS / SCADA environments.

SLIDE 31

Step 3: Let's Get CYBER-PHYSICAL!

Breadboards and small electrical components are the ultimate development tools for connecting your Raspberry Pi or other device with the physical world.

PLENTY of GREAT documentation using the Google or searching the YouTube.

Design projects that are simple at first; increase complexity as you become more proficient.

Someone on your team already does this stuff.

SLIDE 32

Step 4: Choose your Hardware

Raspberry Pis are only $35 a piece and require a $10 MicroSD Card. This essentially amounts to a $45 PLC.

OpenPLC also supports the PiXtend, UniPi Industrial Platform, and Arduino.

Virtualize to fill in the pieces! OpenPLC will run as a "softPLC" on Linux and Windows. My softPLCs run great on Ubuntu 16.04 using only 512MB of RAM and 1 Core.

SLIDE 33

Step 5: Find a Cheap (or Free) HMI

At 90 COS, we chose myBOX and myPRO by mySCADA.

Using their myDESIGNER software, we can spin up HMIs very quickly.

Historian services are wrapped into the myPRO product.

About $2000 (non-recurring).

Full video tutorials and online support.

SLIDE 34

Step 6: Bring it all together – Create SCADA

Network it all together. Our environment does well with older CISCO 3750 and 3550 switches.

Learn the protocols!! Modbus and DNP3 are both supported by OpenPLCProject. Those are two of the most common and two of the easiest to learn.

BREAK IT! After you break it, find new ways to break it.

Hook in your weapons system and tune it to ICS / SCADA protocols. Find ways to detect/stop your attacks.

SLIDE 35

Other Great Open Source Resources

• pymodbus – https://pypi.org/project/pymodbus: Python library for building Modbus clients and servers. GREAT for learning the protocol and conducting attacks on Modbus.
• BACpypes – https://github.com/JoelBender/bacpypes: A BACnet application and network layer written in Python for daemons, scripting, and graphical interfaces. WELL DOCUMENTED!
• Contact me if you need help or additional resources.

SLIDE 36

Bricks-in-the-Loop