Air Force Institute of Technology
The AFIT of Today is the Air Force of Tomorrow.

PLC Code Protection
Center for Cyberspace Research
Stephen Dunlap
Jonathan Butts, PhD

CCR - The Center for Cyberspace Research
What’s the Story?

Tactical Questions

Resources

•  Requirements

•  Helpful:

Static Analysis

Device? We don’t need no stinkin device…

Hardware Analysis

But I’ll take it if I can get it…

Dynamic Analysis

I don’t always do dynamic analysis, but when I do, I use JTAG…

Let’s Do This

Attacks Need:
•  Triggers
•  Payloads
•  Deployment

Time Bomb

•  Hook regularly executed function
•  Count executions

[Figure: jump instruction before modification and after modification]

Time Bomb Cont.

Store a counter in memory
Load counter and subtract
Test for zero
Continue operation if greater

Logic Bomb

•  Hook jump table for CPU mode change
•  Keep track of changes for specific sequence

[Figure: CPU mode diagram labelled RUN, REM PROG, PROG, REM RUN]
Remote Commands

•  Hook CIP command handler jump table

Remote Commands Cont.

•  Check for custom service and instance


Soft DoS

•  Endless loop causes recoverable fault
•  Fault shutdown routine

Persistent DoS

•  Write value to flash
•  Fault if value exists
•  Exploit Flash Writing Function
    •  R0 – Destination address
    •  R1 – Source Address
    •  R1 – Data Length

[Figure label: Flash end address]

Where to From Here?

•  Traffic Modification
•  Modify CIP values
•  Propagation

•  Persistence
•  Implant in bootloader
•  Ignore firmware updates
•  Modify version number


Pivoting Through Firewall

Pivoting Through Router

Pivoting Through Router

Implications

•  Vendor agnostic
•  Expensive devices not needed
•  Supply chain
•  Cost of entry
    •  Team composition: Two guys
    •  Time: Approx 3 months
    •  Money: $3,500

NATION STATE NOT REQUIRED

Protection Mechanisms

•  Vendor
    •  Digital Signatures
    •  Trusted Platform Module

•  Integrator
    •  Source Verification
    •  Access Control
    •  Configuration Management

•  Asset Owner
    •  Deep Packet Inspection
    •  Data Diodes
    •  Configuration Management
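
An added example, not part of the original slides: a sketch of the Deep Packet Inspection item above, aimed at the custom service and instance check described on the Remote Commands slides. It assumes CIP carried over EtherNet/IP as unconnected SendRRData requests; the baseline entries, the `build_frame` helper and all sample values are constructed for illustration.

```python
import struct

SEND_RR_DATA = 0x006F           # EtherNet/IP encapsulation command for unconnected messages
UNCONNECTED_DATA_ITEM = 0x00B2  # common packet format item that carries the CIP request

# Constructed baseline of (service, class, instance) tuples seen in normal operation.
# 0x01 = Get_Attributes_All, 0x0E = Get_Attribute_Single, class 0x01 = Identity object.
BASELINE = {(0x01, 0x01, 1), (0x0E, 0x01, 1)}

def parse_epath(path):
    """Decode 8- and 16-bit logical segments of a padded EPATH."""
    fields, i = {}, 0
    kinds = {0: "class", 1: "instance", 4: "attribute"}
    while i < len(path):
        seg = path[i]
        if (seg & 0xE0) != 0x20:
            raise ValueError(f"unsupported path segment 0x{seg:02x}")
        fmt = seg & 0x03
        if fmt == 0 and i + 2 <= len(path):
            value, step = path[i + 1], 2
        elif fmt == 1 and i + 4 <= len(path):
            value, step = struct.unpack_from("<H", path, i + 2)[0], 4
        else:
            raise ValueError("truncated or unsupported logical segment")
        kind = kinds.get((seg >> 2) & 0x07)
        if kind:
            fields[kind] = value
        i += step
    return fields

def parse_cip_request(frame):
    """Return (service, class, instance) for an unconnected CIP request, else None."""
    if len(frame) < 24:
        raise ValueError("short encapsulation header")
    command, length = struct.unpack_from("<HH", frame, 0)
    if command != SEND_RR_DATA:
        return None
    body = frame[24:]
    if len(body) != length or length < 8:
        raise ValueError("encapsulation length mismatch")
    item_count = struct.unpack_from("<H", body, 6)[0]
    off = 8  # skip interface handle (4) + timeout (2) + item count (2)
    for _ in range(item_count):
        if off + 4 > len(body):
            raise ValueError("truncated item header")
        type_id, item_len = struct.unpack_from("<HH", body, off)
        data = body[off + 4:off + 4 + item_len]
        if len(data) != item_len:
            raise ValueError("truncated item data")
        off += 4 + item_len
        if type_id != UNCONNECTED_DATA_ITEM:
            continue
        if len(data) < 2 or len(data) < 2 + data[1] * 2:
            raise ValueError("truncated CIP message")
        service, path_len = data[0], data[1] * 2
        if service & 0x80:
            return None  # high bit set marks a response, not a request
        fields = parse_epath(data[2:2 + path_len])
        return service, fields.get("class"), fields.get("instance")
    return None

def inspect(frame, allowlist=BASELINE):
    """Verdict for one frame: pass, alert (outside baseline) or drop (malformed)."""
    try:
        request = parse_cip_request(frame)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if request is None or request in allowlist:
        return "pass", "no unconnected request, or request in baseline"
    service, cls, inst = request
    return "alert", f"service 0x{service:02x} class {cls} instance {inst} not in baseline"

def build_frame(service, cls, inst):
    """Construct a sample SendRRData frame (test input only)."""
    cip = bytes([service, 2, 0x20, cls, 0x24, inst])
    items = struct.pack("<HHHH", 0x0000, 0, UNCONNECTED_DATA_ITEM, len(cip)) + cip
    body = struct.pack("<IHH", 0, 10, 2) + items
    return struct.pack("<HHII8sI", SEND_RR_DATA, len(body), 1, 0, b"\0" * 8, 0) + body
```

Calling `inspect(build_frame(0x55, 0x70, 9))` returns an alert because that constructed tuple is not in the baseline. Connected (SendUnitData) traffic and requests wrapped in Unconnected_Send are outside what this sketch parses.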
Thank You
