How TRITON Disrupted Safety Systems & Changed the Threat Landscape of Industrial Control Systems

Captions
Good morning to everyone, and thank you for coming. Before starting, let me ask you a question: how many of you have ever heard about Triton? My assumption is that everyone has, because they're here for the presentation. So most of you, most of you; this is good. What we're going to try to do today is show you our deep analysis of the Triton malware: not only how to reverse engineer the malware, but we're also going to show a detailed demo. But before going deep, let me introduce myself and also the other speakers here with me.

My name is Andrea Carcano. Actually I started to do ICS cybersecurity a long time ago. I did a PhD focused on industrial control system cybersecurity, at the beginning on the offensive side, and then I moved from the offensive side to the defensive side, and that was before Stuxnet, just to give you a little bit of timeline. I was three years in a big oil and gas organization in the security operation center, and then I founded Nozomi Networks, the company where I work for now, and I'm there as a founder and CEO.

I work as a security researcher at Nozomi Networks. I studied computer security in Italy, and I'm also a member of the Global Shapers community. Thanks for joining us.

Hi, my name is Marina Krotofil. I started doing industrial control system security together with Andrea, long before Stuxnet and before it became cool. My specialization is physical damage, mostly offensive, but because I also come from an academic background, you can't be offensive before you research a defensive solution, so I also designed a lot of defensive solutions. I previously worked as principal analyst at FireEye on ICS security, and as lead researcher at Honeywell.

Yep, so thank you. So now let's start to talk about what we're going to present today. This is the agenda for today. We will go through a general introduction, explaining to you what Triton was and what Triton really did. The second part of the presentation will be focused on basically trying to understand how an actor could be, how complicated, or how many resources are necessary to build an attack like Triton. That's important, right? We see many presentations by other researchers trying to analyze how Triton was built, so today we're going to show that you don't need to be a government unit, you don't need to have tons of resources, to build an attack like Triton. In the third part of the presentation we will go to a real demo, so we're going to show the attack really working. As you know, the attack was missing the payload; we created a payload, we injected the payload in a real environment, and we show how the attack was working. In the last stage we do an analysis about what the real consequences were and why the Triton attack didn't really work in this specific incident. But now let me turn the microphone to Marina for the first part.

Of course, we cannot proceed to Triton without introducing what industrial control systems and safety instrumented systems are, so that we all work on the same terminology and the same understanding of what those systems are. Industrial control system, as you likely already know, is an umbrella term for specialized-purpose computing systems and networks for monitoring and controlling applications in the physical world, and those applications could range from power generation, manufacturing and assembly lines, to building automation and agriculture. Similarly, when the attacker for example penetrates a financial network, his goal is stealing money; similarly, when the attacker penetrates an industrial control network, his interest is in disrupting a physical application. Typically industrial control systems have a corporate network, they have a SCADA network; they look the same, but we already consider those computing devices, which are more related to the control of physical processes, as what is typically called operational technology. Nevertheless, they both are still computational devices, and the people who deal with them come from a computer science background. As soon as we move to the physical damage, into the physical application as such, we already deal completely with the engineering side. So the lower, the closer we come to the physical, the devices become more specialized computing devices, and we typically know them as embedded systems, and those are cyber assets which are actually embedded into the physical applications. That is why the systems are called cyber-physical systems, and subsequently this type of attack is called a cyber-physical attack.

So the goal of the attack is the disruption. We know that in the mass media this scenario will typically be represented as a big explosion. It looks very, very impressive, and actually this is a photoshopped image of one of the real incidents. The reason why these explosions are possible is because cyber-physical systems are inherently hazardous: you have moving parts of the machinery, electrical hazards, flammable and toxic materials, fires and explosions. Therefore all of these industrial physical applications have layers of protection, first of all to protect humans from these hazardous situations; but in general we try to protect humans, the environment and the machinery as such, because losing the machinery is also a huge financial cost and also just part of the damage.

So this is how the levels, what you know as defense-in-depth in security, is the same in safety; these are the levels of protection in safety. In general, if you start from the bottom, you try to design the process to be as stable as possible, as such, the process design. But clearly the process will always deviate; that's why we have control loops, the second line. We have sensors and actuators which measure the state of the process, and then control algorithms which try to bring the process back within the normal operational envelope. But the control loops also cannot continuously keep the process stable, and therefore there will always be alarms, and therefore we have the third layer: human operators, which will intervene and basically issue manual commands to bring the process back into the stable state. When the human operators already cannot cope anymore, then there is the layer of safety systems. They could be of different types: they could be safety interlocks, could be a safety system integrated together with the control logic, or it could be an independent system like a safety instrumented system. Typically safety instrumented systems you will be using in those environments where you could have this big explosion from the previous slide. This is an independent, standalone system with sensors and actuators which acts upon detecting a hazardous situation and tries to prevent it from happening. So this is the last line of defense. After that, if safety systems were not able to prevent the incident, we already have an incident; the last hope, but we already have an incident, we can still have rupture discs in the design of mechanical vessels for example, and some release valves, mechanical valves which just open on their own, but we already have an incident.

Therefore safety instrumented systems are important, and modern safety instrumented systems are software-based systems. It means they can be exploited. Therefore, since they are so critical to preventing casualties for example, best practices suggest, and now especially since we know that there are threat actors targeting industrial control systems, there is a strong recommendation to keep them either on an isolated network or in a well segregated network. However, safety instrumented systems are frequently connected to the main control system, basically the process control system, for data exchange and comparing data, for ease of maintenance, for convenience, low cost. For example, in one of the previous years there was an incident where the operators lost entirely the DCS and they could quickly switch to their SIS, and they were still controlling the process from the SIS, because they lost the DCS network and access to the DCS. Also, whenever you have a multi-vendor situation, so you have a main process control system and safety systems from different vendors, then it is more difficult to segregate them, and they typically have some connections between each other.

So, as you could understand by now, an attack on the safety system will cause the most damaging outcome possible, and this is what happened with Triton: the attackers tried to install a remote backdoor on the safety instrumented system, on the controller. We consider it a milestone in ICS security, clearly because such an attack endangers the lives of the civilians working in the industrial facilities. So every large mass media outlet of course publicly highlighted this case, starting from The Wall Street Journal, Washington Post and whatnot. This is something which takes, let's say, the cyber war, and this blurring edge between cyber warfare and kinetic warfare, to the next level, because cyber is becoming kinetic.

In a nutshell, what happened: the attacker obtained remote access to the safety instrumented engineering station; with that they obtained the ability to communicate with the industrial controllers, and they tried to implant the controller. What does it mean? The attacker tried to inject a passive backdoor. Some people refer to this implant as a remote access trojan, but in a nutshell it's a program which sits in the controller memory and it allows the attacker to read arbitrary memory, to write into the memory, for example your shellcode, and then execute it. Basically what's happening is the controller is becoming your slave: your wish is my command, whatever you tell me I'll do it for you. Even though the implant lives entirely in the memory, because safety controllers typically are never rebooted, the only persistence the attacker actually needed to achieve is to move it into the part of the firmware which will not be overwritten by the overwrite of the control logic. We will go through the steps through the presentation, so I will not detail it right now. I'll now turn it to Andrea.

Now, I think some of you recognized this logo out there, right? So when I started to do research on ICS cybersecurity I didn't have all these amazing tools, honestly. And you know, I know I look young, but I started a long time ago; that was before Stuxnet, before ICS cybersecurity was fashionable, let me say. Let me ask: how many of you really did research before Stuxnet, like 2005, 2006? One, two, three, four, probably 1%, 2% of the room. In my experience, when I started to do that, I remember I was working for the European Commission and the goal was to build a malware to attack industrial control systems, and of course I started to study, I started looking for information online, and it was very, very hard to find any type of information related to these attacks. I don't know for you, Marina, or Younes, if it was the same. At that time there were not so many attacks happening on ICS systems, and the only document which was available was one standard, which I read like ten times, and there was absolutely no documentation, no information, no YouTube videos, and Google just didn't index those files; they probably were there, but Google was not indexing them. So for example, to learn to program a PLC I had to give a lot of calls to Siemens asking for free classes, so I was going into the class together with teachers on how to program a PLC. And right now, for example, if you go to VirusTotal you can download the engineering projects, which are confidential; you can download every single manual, all the training; from Scribd, or Script, whatever you call it, you get all the trainings from all major companies on industrial equipment. So you now have so much learning material which was not available before.

Yeah, Younes, was it for you also the same? I was the last one between you, because when I started we had a lot of stuff to do, we had to play with tools, and for example Shodan or other frameworks; there was really lots of stuff to have, let's say, a good starting point in this field. So this is great.

And why do I like this line, why do I like this topic? Well, I think it's important because, as you can imagine, the attacks on industrial control systems have become more sophisticated, but the skills that you really need to build an attack are, at the end, lower, because now you can find tons of information online; even the Triton malware that we're here to analyze today, you can find it online now, maybe not on the most common websites, but it is there. So mainly the skills that you require are less. In these slides we will see the number of vulnerabilities discovered in the last period, in the last ten years, and as you can see in the last years the number of vulnerabilities discovered is growing exponentially, and that is not because the systems are becoming less secure in the last few years, but just because now the community is very active. Now you can feel that everyone, so probably some of you are working for industrial control system organizations, some of you are researchers, some of you are working for vendors, but now the topic is very hot and is growing, and actually because the systems, of course we know, have never been designed with security in mind.

So all low-skill researchers who just start vulnerability research, they start with ICS because it's easier. For example, one of our dearest friends, Eireann Leverett, when he wanted to learn web exploitation, he started with industrial switches, exploiting their embedded web servers, because, well, that's where all the vulnerabilities are. So that was his first.

So now, as we talked about at the beginning, one of the goals of this presentation was to show you what an actor really has to do if they want to build an attack like Triton, what are the steps that you need to follow. First step: you need to gather intelligence, you need to gather information. That's the first step. I don't know how many of you, but usually I never read a manual in the past, I never read the manual of every single product; I started to read manuals when I started to be focused on cybersecurity, because inside the manual you can find tons of information. So that's the first starting point if you want to attack any type of system. The second thing is to build a shopping list. If you really want to attack an industrial control system, you need to know exactly an industrial control system from all the different points of view, so build a shopping list with all the things that you need. The third is reverse engineering: as soon as you have all the components, of course reverse engineering is very important, not only about the software and the hardware but also about the protocols, because you need to understand how to communicate with the controller. As many of you know, there are dedicated protocols for industrial control systems; some of them are proprietary, some of them are open, but the most important thing is that you need to understand that protocol.

So now let's start from the first point, gathering information. As I mentioned at the beginning, reading the manual is very, very important, right? Inside the manual you can find tons of information. And how will you find the manual of such a system? It is a system that in theory is not easy to find; you cannot run to your shop and basically buy, with one click, a system like that. So how can you find it? If you ever look online at any kind of website, like a marketplace, you cannot imagine how much information and how many manuals you can find related to ICS controllers. That's just an example: you need the Triconex manual, and you don't know anyone from Schneider, you don't know how to get it; you can get it online with a small investment. And why is it important? I don't want to deep dive on all the documentation that you can read and download, but for example an important piece: if you ever need to reverse engineer a malware, you need to understand for which microprocessor that specific piece of software was compiled. So where do you find that information? Do you need to open up the physical hardware and try to identify which microcontroller or which CPU they have? No, you just find it in the manual, so it's pretty easy.

The third point is which other resources you can use in order to find, for example, the engineering toolset. As you know, every single device like a controller needs to have an engineering toolset, the engineering station, and in general the engineering toolset is very useful because you usually need to build a program and download the program inside the controller; that program basically explains to the controller how to act in the field. And where can you find those tools? You can start with basic channels, LinkedIn, maybe you have friends that have that engineering toolset, you can ask an asset owner, if you know an asset owner that has that software, or you can look online, and again you will find a lot of interesting resources that give you that software. For example, in this case, the full complete engineering toolset to talk with the Triconex system: if you go on this Chinese website, I don't know how many of you recognize it, but it is very famous in China, it's Alibaba, for three dollars. And we tried it, right, just curious; we tried it for $3, and they send you the complete toolset to basically talk with the Triconex station, and it was not that complicated, and they even have more than one, they have many. So that is how you basically can obtain the software necessary to talk with the Triconex system.

Another important piece is the firmware. As we know, these specific controllers are not running Linux or Windows, but they have their own firmware, and it's very important to get that firmware because you need to understand how the firmware is built; if you need to find a zero-day vulnerability it is very important to know that firmware. Some of the other researchers in the community published very interesting research on how to get the firmware by opening up the hardware: they basically opened physically the Triconex controller and extracted the firmware. That's very interesting; the skills required for doing that are very high, and the risk is also high, because if you make any mistake you risk destroying the hardware. So that's one option to get the firmware, but as an actor you always want to try to be smart, so a way to find it, as an actor, for example is inside, in this case, the Triconex software: there was basically already inside a set, here you can see a set of all the different firmware versions, so there are probably ten different versions, and that's perfect. No hardware hacking was necessary; it was easily downloaded and for us it was easy to analyze.

The third part of the shopping list is related to buying the physical equipment. If you really want to build an attack like that, you need to get familiar with your physical system. So how can you buy a real Triconex station, where do you find a real Triconex station? Again, if you look at the marketplaces, it doesn't matter if you don't have direct contact with the vendor; if you look at eBay you can find lots of interesting material online. Here is just an example of all the pieces that you need to build your own basic Triconex station for tests, all this type of equipment, and as you see the investment is not that crazy; even if you ask for approval of that budget to build your laboratory in your company, it's not crazy, probably your CIO or your CISO will approve something like that. So that's just an example. For sure, I saw so many articles saying that to build a malware like that you need a high investment in terms of time, in terms of resources, and also economic resources, but I don't think that is the case. So that is an example.

The third part that is very important is the reverse engineering. So, Younes.

Okay, let's have some fun, guys. First of all, how many of you have already played with this engineering software? Quite a few? No one? That's good. Okay, so we started to focus our attention on the main engineering software, that is TriStation 1131, version 4.9.0, and we started to focus on the different DLLs and files that you can find inside of it, and if you just look at the image you can see that from the description of each file you can extract lots of information, so you can, let's say, reduce the scope and analyze the necessary files that you think are more useful for your main goal. One other example: we focused our attention on these particular configuration files that, if you just parse them properly, you can obtain all the different modules that can work in a Triconex controller. Okay, so just some information that you can extract quite easily. Other information that we were able to extract from the engineering software is also based on the concept of the user credentials that are related to each project. Each project is related to specific default credentials, and obviously those credentials you can find in the manual, and you can also change these default credentials with custom ones if you have several operators working in a group; you can split the project based on their needs. As soon as you try to log inside one of those projects with the wrong username or password, obviously you will come up with this error message that you're not authorized to open this project, because the user name is not present inside the project.

But what if there's a way? Very quickly here: that's an important finding of our research that was never disclosed until today, so we are disclosing that also in coordination directly with Schneider. That's not really true, because if you start reverse engineering as we did, basically we identified that there was a user embedded inside the system. This is a super admin user that basically has the ability to show a very nice, interesting menu inside TriStation, and that is the menu; you can see how the menu is called. So you just need to know that user and that password, and basically you become a super admin of TriStation, and even if you have any type of project protected by password, with that user you will get all the information you need. You have debugging messages, as you know, with this menu called Backdoor: you can basically see, you can basically activate and, in the debug messages, any message very useful if you are an actor.

Just to be clear, there was no connection between the Triton malware and this menu. There is no connection; in all the knowledge that we have, we didn't find any connection, and it is not proved that the attacker knew about these users. But of course, as you can imagine, as an actor now you know many of the information, so we decided to not disclose the name of the user, just to not give information to eventual actors that tomorrow want to do some bad stuff on our safety systems. This is just an example, right, about how much information you can get if you are that user and if you activate a couple of the flags that you see in the Backdoor menu; you can get tons of information that is very useful for the intelligence of building that malware. So now let me say, of course, we are working in collaboration with Schneider, and it is very important to say, first of all, there was no connection between the attack and these findings that we found. This user is active and hidden until version 4.9.0 of the TriStation software; that's the official statement from Schneider Electric, they basically claim that from the point-one version it was public in the manual that this user was there, and in the latest version of the TriStation software the user is not there anymore. We didn't test it, but that is what Schneider declared about the specific user.

So now let's try to move very quickly to the last point, that is the reverse engineering of the protocol. We talked about how to gather information, we talked about how to buy the equipment, we talked about how to do the reverse engineering of the TriStation software needed to communicate with the Triconex system; the last point is that we need to understand the protocol, so do the reverse engineering of the protocol. Yeah, Younes.

We need to be able to speak the same language as our target. Okay, so for doing the reverse engineering of the protocol, mainly if it is a proprietary one, you can have two approaches: you can start from ground zero, with a hex editor and Wireshark and stuff like that, and try to understand each bit, the meaning of each byte; or you can also follow a smarter way, so you can focus on some of the DLLs that are present inside the workstation. I don't want to go too much into this, because FireEye and other guys already did an amazing job on understanding the similarities that you can find, for example the strings that you can find in one of the DLLs and the similarity that you can find in one of the scripts of Triton; they clearly extracted that information from this type of DLL and files in general. So you can extract lots of information, and obviously also here you have to reduce the scope, because the final goal is not to have a complete protocol parser but to have the necessary understanding for developing your malware. Based on all that information we were able to develop our own dissector; it's already available on GitHub, so feel free to improve it, to play with it, you can do whatever you want with it. Based on the knowledge that we gained so far while we were trying to understand some parts of the protocol, we also developed a Triconex honeypot that we are going to disclose after this talk, so you will find more information when you try it yourself. I don't want to spend too much time on how this script works, because I want to give you all the fun of trying to understand how it works, but mainly it can give you a lot of information; it can be quite useful for several reasons.

So before we move to the most important demo, how the attack really works and how the damaging payload could look like, very quickly, what does it consist of? The typical implant is multi-stage. At the beginning, in the first stage, which is the argument-setting shellcode, the attacker is making sure that they are in the right version of the firmware, which is a vulnerable version, and that they are able to operate in the controller memory and execute. In the second stage they actually escalate privileges so that they will be able to write the backdoor into the memory, and they actually corrupt the memory to make sure they change all the pointers to the right places. The third stage is the [unclear], and this is where the incident was uncovered. The fourth, the fourth payload, according to the public sources, is the missing payload, which was the damaging payload; it was never introduced by the attacker.

So in the first stage the attacker searches the RAM, the memory, until it finds the control program status structure, and actually in that structure the attacker is looking for the fstat field and tries to change its value, and it could be any value; if the attack is successful, they understand that they are in the right version of the firmware. This is how it looks like when you look at it at the protocol layer: the attacker is searching for that fstat field, the default value is actually zero, and then the attacker is trying to change that value into 384, and it's a random number, it could be any number; just with that the attacker declares that they are in the right memory and they can be executing in the memory. Then the second stage is injected. In this part, basically what is important to know is that inject and imain are actually injected together, in the following structures you see on the slide, and the injector specifically is also looking for the machine state register, which is specific to this PowerPC processor architecture, and with that the attacker is trying to escalate privileges by writing a specific value into a specific location. The attacker escalates privileges so that it could actually write, basically relocate, imain into the specific firmware memory where they did not have rights to write. As you can see, imain is between two values, 1234 and 56789; the attackers need these numbers to find imain in the memory during the injection and then to relocate it into the safer part of the memory. With that, the attacker's backdoor is becoming part of the firmware; it actually reacts to the get MP status function code, and so basically the attacker is modifying the handler of this function code, of this function call, so that it will be pointing to imain, to the backdoor. It also patches the memory, because there is continuous verification that the in-memory firmware and the one on the flash are the same, so it patches it so that this verification will always be successful. The attacker, obviously, so the code of Triton, the malware, contains tons of debugging messages, which shows that the attacker tried so many ways to inject that backdoor into the firmware and they were often unsuccessful, and they had a debugging message for every unsuccessful case, basically for every edge case. So this is how it looks like when you execute Triton.

So now we move to the demo of Triton in action. How many of you remember that after Stuxnet a couple of companies were showing their experiments with a balloon, to explode the balloon? Anybody remembers? Yes. So just to compare with Stuxnet and, in honor of Stuxnet, we decided to go with the same experiment. This is our testbed, how it looks like: we mainly have our Triconex controller, so a low-density chassis with the necessary modules, and we also have our termination panel that is directly connected to the serial connector, and at the same time is connected to the field device, that this time is a compressor that is connected to a balloon and has to control the inflation and deflation phases. Okay, so the safety logic inside the controller is mainly created by a simple counter that has to control and check when I have to inflate the air inside the balloon and when I have to deflate. So the safety value is the one where, when the counter reaches the value 28, the inflation phase ends and it starts the deflation phase. Okay, so what if we were able to change that counter with a huge negative number, so that it never reaches, or it takes too much time to reach, the value of 28, and it will start the process? In this case, as we were saying, this is a basic example, but that actually shows you how safety systems are important and which type of information they are basically protecting, or which type of process they are protecting. And of course you need to imagine that the balloon could be any type of other critical system that can create huge damage. As Marina said at the beginning, remember, the safety system is the last barrier that you have in a critical infrastructure; if you're able to own the safety system, you're done; there is no other limitation on preventing a disaster completely.

Great, definitely. So we have our first setup. This is the engineering software, so the first thing that we are going to do is to upload this logic, this safety logic, inside the controller, and at the same time let's suppose a different attacker is sniffing your network, so it has already footprinted and studied your network and it's able to sniff the process of the upload of the program; or let's suppose an attacker has already been able to enter inside your engineering software and extract it directly from the engineering tool. Okay, so this is what we are going to do, and based for example on the dissector that we were able to develop, we can focus our attention on that specific program, so that we can extract that program and do further analysis, and find a way to corrupt the entire process. What is the lesson learned here, that is very important? The lesson learned is that if you are an attacker you need to understand the program, right, you need to find a way to get the program to understand the logic exactly.

So now let's start to speak some PowerPC. Okay, so we have the target program; we can dissect it with IDA, and based on all the information that we gained so far from the manuals etc., we can dissect and analyze the program in a, let's say, friendly way. If you remember, sorry, Younes, at the beginning we basically showed how important the manual was to identify the microcontroller; that is the key information, because now we can reverse engineer the software that was uploaded, thanks to specific software, because we know exactly for which microcontroller that program was compiled. That was a dream. So now that we were able to understand the exact offset in memory where the variable, the counter, is located, here you can see the injection phase of our malware, and we have to take into consideration the information that we were able to gain previously. Okay, so as soon as we completely inject the malware inside the controller; this is the real injection of Triton, and as you can see, you can see a lot of debugging messages that keep track of the status of the injection. Okay, so as soon as we have our malware inside the controller, we can try to disrupt the industrial process. Firstly we will run the program from our engineering software, and we first run and see how it works properly. Okay, so how it works, the normal program: here we are connecting to the controller and we are running the program inside of it, and on the other part of the screen you will see an intermittent, sorry, we are also watching that specific offset of the
of the memory so that we can we can check the value of the counter and you can see that this is the the normal process so the inflation of the year and the deflation phase and the value of the counter is normally and in the range that we specified in the project okay so from from now there's nothing not a stranger from the engineering software you can also monitor in the value of the counter directly from the software itself as you can see so all it's so normal not nothing nothing strange and as you can see as we as we watch the value is acting always so what if we start to change that value with a huge negative negative number okay so now we are ready to run our our script so use the property of the malware for changing that value and as soon as we change that value as you can see on the under on the second terminal you you will definitely see the change of the current value that is a huge negative huge negative value okay and this is for continuing the inflation phase for the last last last time okay so we if we find out that this is really a die-hard balloon so you have to we have to accelerate a little bit of process so but the meaning is simple okay so and the meaning and also the consequences are simple because at the end we will have an explosion or yet okay and the magical how hard was that balloon definitely we discover late okay so this is this is a possible consequence of an attack but we have to prevent these type of issues before being able to protect him yeah Thank you Thank You Eunice thank you for the demo so as you can see here that's was a really injection so we was like just the payload injected in a real malware and we basically we basically show demo now let me go a little bit quick here so what we did also we we try basically we realize that we gain a lots of knowledge as a researcher about this malware so we decide to inject to actually publish to some of the things that that we did so here you can find you know three main tools so one is the 
passivity sector so how to basically discover if there is a triton infection you know happening so the second the second part is is something that we developed all three nouns but also Schneider for all his users is publishing a specific tool active to identify if your tree Connect system is infected and and the third one is a non import to actually simulate an entire tree Connect system download it play with it please please feel free to you know improve it or just contact us if you want to know any other information but everything is is public on on on Gita so very quick on the detection so the detection phase basically is based on the fact that they try to Mallory is adding a specific signature I don't want to enter the indie details but you know is is adding a specific signature on the payload when when is basically uploading in cell phone on the on the tree connect system and basically we can identify we know how that tree that the center is calculated and we can identify it so but if you download Wireshark and you play with it you will see basically you know we actually publish it on how to identify it so now to summarize let me leave the stage to marina well quickly you probably notice that we just try to follow the attacker steps about like how would we build an exploit like Triton and we extensively tested it it works like magic so we had as our model we had a singular main processor in any industrial facility we'll have a triple redundancy the malware works so it's not clear why they might where has failed and then we develop a lot of tools to decide the protocols to detect the malware and so interesting was of course is also to understand why the malware could possibly like no matter well we're talking about right my attacker has failed to inject the triton and so there could be multiple reasons but one of the possible reasons is that they actually were not able to deal with the multiple with the plurality of main processors so one of the big part so try 
cone X is a very complex from where there is a lot of firmwares inside of other firmware so there are a lot of smaller parts of the firmware like one of them is LS X and it is actually patented technology this LS x firmware is actually responsible for taking the control program from the engineering station pass it to two other main processors it executes control logic and it's also responsible for for synchronization and for voting for consistency between three main processors it's a patented technology and it appears so for example the attack as you consider have been a lot of debugging messages and the attacker was able to basically they studied every single possible case what could go wrong there was not a single debugging message related to monitoring consistency between three main processors this is likely because that would require so much more additional engineering effort and maybe there was a misjudgment how much they need to reverse engineer versus fly implant stability so to conclude like while like possible attacks objectives like clearly it's just for simple sub shutdown it is too expensive exploit you would never do that physical damage most likely the attacker wanted to probably interest suppress safety actions during the actual damage attack it could be also what we call like hacking Olympics is it like tracks capabilities can I do it in a live environment is you can see things in life environments can go wrong it could be also live drill it could be like one of the possibilities extortion because like if you also introduced already as a force payload into the track one controller and even if you later lose your remote access to the controller that payload can be triggered at the rent on time and then you go to the victim and say hey something goes wrong in your facility I can fix it for you and then it's easy could be for economic or political pressure so one of the like so basically what are the most important application implications of public 
could become in pub Triton code becoming public clearly it's become the motivation for other threat actors its rise the bar this move forward this red line and so on but it also the positive size that alerts industrial and critical infrastructure organizations to include safety instrumented system into the risk assessment and the most important and this is where the message which we wanted you to take home with you if that the moment is now to start creating auditing and forensic tools for embedded systems right now as it owners have no tools to determine is my device of potentially tampered twist there is no audited tools for that there is no forensic tools like if even if I establish that my device is probably tampered with what has happened to my device and there is no third party or company which could create those tools because all the devices are so proprietary there is such a huge diversity it's really vendors who have to create those tools we know that for example it motivate try to motivate it Schneider to develop those tools now you can download them if you legitimate a user of their like owner as a tone of the Schneider devices equipment you can download those tools but if you an asset owner go to your vendor and start this conversation right now before this month way became my scale and this was the end of our message for today thank you [Applause]
Info
Channel: Black Hat
Views: 1,701
Rating: 5 out of 5
Id: Hw2HclZV2Kw
Length: 48min 23sec (2903 seconds)
Published: Tue Jan 14 2020