us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-T

ICSCorsair:HowIwillPWNyourERPthrough4-20mAcurrentloopAlexanderBolshevaka@dark_k3yGlebCherbovaka@cherboffAlexanderBolshev(@dark_key)ISauditor@Ph.D.DistributedSystemsresearcherYetanothermanwearing“some-color-hat”whoami:dark_k3yGlebCherbov(@cherboff)ISauditor@InformationSecurityResearcherwhoami:cherboffDEMOTheanswerissimple:modernICSarchitectures!Q:Howthe#@$%isitpossible?!LET’STRYTOEXPLAIN•ICSstandsforIndustrialControlSystem•Today,ICSinfrastructuresarecommonlyusedineveryfactoryandeveninyourhouse,too!•ICScollectsdatafromremotestations(alsocalledfielddevices),processesthemandusesautomatedalgorithmsoroperator-drivensupervisorytocreatecommandstobesentbackAfewwordsaboutICSTypicalICSarchitectureCorporatenetworkERPMESPLC2,3…PLC1PLC7,8…FielddevicesRouters/FirewallsOPCSCADA/DCSHMIIndustrialbusLook@anymodernICSandyouwillsee:–Windows–Linux–Ethernet–HTTP–XML–DCOM–.NET–SOAP–SQLICStechnologies:looksfamiliar?Theanswerisalsosimple:deepintegrationAnddeepintegrationalwaysleadstodeeptrustQ:Howcouldthismesswork?•Low-levelprotocolsconnectintelligentfielddeviceswithPLCs,SCADAs,etc.•Mostindustriallow-levelprotocolsweredevelopedin1970-1990s•Noauthentication,Noauthorization,NocryptographyTheuppersystemdoesn’texpectanything“bad”fromafielddeviceWeakpoint:low-levelprotocolsFielddevices•HART(currentloop,4-20mA)•ProfibusDP(RS-485)•ProfibusPA(MBP)•Modbus(RS-485)•FoundationFieldbusH1(MBP)•…Fieldprotocols•HighwayAddressableRemoteTransducerProtocol•DevelopedbyRosemountinmid-1980s•Mostlyusedonpowerplants,chemicalfactories,oil&gasindustry•Physicallayer:FSK(copperwiring,4-20mAcurrentloop)•Currentlooplinelengthcanreach3km=possiblephysicalsecurityproblem•Master-slave,half-duplex,2200Hz,1200bps•NoAuthentication/Authorization/Cryptography(*wired)HARTHARTFSKExampleofFSKtransmission•Developedattheendof1970s•WidespreadstandardforICSdevicecommunication•Onlowerlevels,worksoverRS-485•Upto240devicesonthesamenetwork•Inmostcases,noAuthentication/Authorization/CryptographyModbus•TIA-485-A–“standarddefiningtheelectricalcharacteristicsofdriversandreceiversforuseinbalanceddigitalmultipointsystems”•Upto35Mbpsona10mline,upto100Kbpsona1200m(maximumlinelength),usuallyhalf-duplexRS-485•SupportedbySiemens,replacementforoldfieldprotocols•ProfibusDP(overRS-485,upto12Mbps)•ProfibusPA(MPB)•Hybridmediumaccessmethod,usingtokenandmaster-slaveschemeProfibus•Industrialmodemsareexpensiveand,ingeneral,requirespecificsoftware•Mostdevicesarenoisyandboundbystandards(“nomorethan2mastersonline!”)•WouldbecooltohaveanautonomousdevicethatcanbepoweredfromthedatalineitselfandremotelycontrolledWhydoweneedyetanothertool?Firsttry:HRTShield•ArduinoshieldforHART•Pros:–Arduino–Easeofuse•Cons:–Arduino–Power–Noisy–Protocolspecific–Exposedtovoltageburstsindataline–Hardtoextend•Supportforthemostusedlow-levelindustrialprotocols,likeModbus,Profibus,HART•PowerfulmicrocontrollerwithsupportforDSPextensions•USB•On-boardpowercircuitthatcanbeconnectedtousualindustrialpowerlinevoltages•Datalineisolation(opto-,electromagnetic-,…)•Extensionsforremotecontrolviawireless(Bt,Wi-Fi,…)•AbilitytoextendboardtosupportotherindustrialprotocolsWhatdoweneed?ICSCORSAIRFirstprototype•DS8500asHARTmodem•Powersupplywith78xx•Dual-channeloptoisolatorsforRS-485Prototypev.0.02•PassiveBPFforHART,modemembeddedintoMCU•PowersupplycircuitrebuiltwithTSR-1•ADM2486asRS-485isolatedtransceiverPrototypev.0.03•MCUupgradedtoCY8C34*•ActiveBPFinsideMCU•MurataPowerNMR100CaspowerisolatorPrototypev.0.03.1•CY8C38*compatible•HARToutOpAmpmovedintoMCU•TME0505S1351aspowerisolatorF4UCorsair–WWIIUSAF&RAFfighter,scout,fighter-bomber,417mph,armedwithguns,rocketsandbombs.Inservicetillthe1980sWhydidwecallitICSCorsair?ICSCorsairboardHARTmodeminsideMCU(a)demodulator(b)modulatorChoosingMCU:PSoC3•USB•ADC,DAC,OpAmps,Comparators,Integratorsinside•PLDs(ProgrammableLogicalBlocks)tocreatecustomdigitalperipherals•ChoicebetweenCY8C3446PVI-076(cheaper,50Mhzfrequency)andCY8C3866PVI-021(67MHzfrequencyandinternalDigitalFilterBlock)•Binaryconfigurationmode•Textconfigurationmode•HARTFSKmode•RS-485mode(Modbus/Profibus)•Changemodewith0x1B0x6B0x43modenumberinASCII(Alt+MShift+CMode)OperationmodesBinarycommandsCommandsyntaxDescription0xFEmodeSetsdefaultstartmode:0x00–binary,0x01–text,etc.0xFDUSBEnableUSBatstartup:0x00–disable,0x01–enable0xFBXBEEinitstringslist0xFCInitializationstringslistforXBEEslot.Eachstringinlistsstartswith0xBE,thenstringtype;the‘s’(0x73)isacommandforsendingstringtothecard,itstarts1-bytestringlengthandthen255-maxbytesstring;the‘d’(0x64)isadelaycommand,thefollowingbyteisthenumberofsecondsfordelay0xFAmodeSwitchtomode:0x00–binary,0x01–text,e.t.c.0x85speedconstantPresetsthespeedofRS-485port.Speedconstantisthenumberofspeedpreset0x8Eon/offSetstheRS-485terminationresistoron(0x01)oroff(0x00)•YoucancontrolICSCorsairremotely,viatheXbeeexpansionslot•Bluetooth,Wi-FiandRF(UART)cardssupportedRemoteaccessviaXBeeslotBluetoothWi-FiRFExpansionslotforICSCorsairPins:I2C,SIO,4GPIO,IDAC/VDAC,ADC,3.3V,5V,Isolated5VandGND,GND•ICSCorsairmayworkasstandaloneHART/RS-485mod