PLC Code Protection

Stephen Dunlap
Jonathan Butts, PhD

Air Force Institute of Technology
Center for Cyberspace Research

The AFIT of Today is the Air Force of Tomorrow.
CCR - The Center for Cyberspace Research

What’s the Story?

Tactical Questions

Resources

•  Requirements
•  Helpful:

Static Analysis

Device? We don’t need no stinkin device…

Hardware Analysis

But I’ll take it if I can get it…

Dynamic Analysis

I don’t always do dynamic analysis, but when I do, I use JTAG…

Let’s Do This

Attacks Need:

Triggers

Payloads

Deployment

Time Bomb

•  Hook regularly executed function
•  Count executions

Jump instruction before modification

After modification

Time Bomb Cont.

Store a counter in memory

Load counter and subtract

Test for zero

Continue operation if greater

Logic Bomb

•  Hook jump table for CPU mode change
•  Keep track of changes for specific sequence

RUN, REM RUN, REM PROG, PROG

Remote Commands

•  Hook CIP command handler jump table

Remote Commands Cont.

•  Check for custom service and instance

Soft DoS

•  Endless loop causes recoverable fault
•  Fault shutdown routine

Page 17: PLC Code Protection

The AFIT of Today is the Air Force of Tomorrow.

CCR - The Center for Cyberspace Research

Persistent DoS

•  Write value to flash
•  Fault if value exists

•  Exploit Flash Writing Function
    •  R0 – Destination address
    •  R1 – Source Address
    •  R1 – Data Length

Flash end address

Page 18: PLC Code Protection

The AFIT of Today is the Air Force of Tomorrow.

CCR - The Center for Cyberspace Research

Where to From Here?

•  Traffic Modification
•  Modify CIP values
•  Propagation

•  Persistence
    •  Implant in bootloader
    •  Ignore firmware updates
    •  Modify version number

Pivoting Through Firewall

Page 21: PLC Code Protection

The AFIT of Today is the Air Force of Tomorrow.

CCR - The Center for Cyberspace Research

Pivoting Through Router

Page 22: PLC Code Protection

The AFIT of Today is the Air Force of Tomorrow.

CCR - The Center for Cyberspace Research

Pivoting Through Router

Page 23: PLC Code Protection

The AFIT of Today is the Air Force of Tomorrow.

CCR - The Center for Cyberspace Research

Implications

•  Vendor agnostic
•  Expensive devices not needed
•  Supply chain
•  Cost of entry

•  Team composition: Two guys
•  Time: Approx 3 months
•  Money: $3,500

NATION STATE NOT REQUIRED

Page 24: PLC Code Protection

The AFIT of Today is the Air Force of Tomorrow.

CCR - The Center for Cyberspace Research

Protection Mechanisms

•  Vendor
    •  Digital Signatures
    •  Trusted Platform Module

•  Integrator
    •  Source Verification
    •  Access Control
    •  Configuration Management

•  Asset Owner
    •  Deep Packet Inspection
    •  Data Diodes
    •  Configuration Management

Page 25: PLC Code Protection

The AFIT of Today is the Air Force of Tomorrow.

CCR - The Center for Cyberspace Research

Thank You