PLC Code Protection

Page 1: PLC Code Protection

The AFIT of Today is the Air Force of Tomorrow.

CCR - The Center for Cyberspace Research

Air Force Institute of Technology

Center for Cyberspace Research

Stephen Dunlap

Jonathan Butts, PhD

PLC Code Protection

Page 2: PLC Code Protection

What’s the Story?

Page 3: PLC Code Protection

Tactical Questions

Page 4: PLC Code Protection

Resources

•  Requirements

•  Helpful:

Page 5: PLC Code Protection

Static Analysis

Device? We don’t need no stinkin device…

Page 6: PLC Code Protection

Hardware Analysis

But I’ll take it if I can get it…

Page 7: PLC Code Protection

Dynamic Analysis

I don’t always do dynamic analysis, but when I do, I use JTAG…

Page 8: PLC Code Protection

Let’s Do This

Attacks Need:

•  Triggers
•  Payloads
•  Deployment

Page 10: PLC Code Protection

Time Bomb

•  Hook regularly executed function
•  Count executions

Jump Instruction before modification

After modification

Page 11: PLC Code Protection

Time Bomb Cont.

Store a counter in memory

Load counter and subtract

Test for zero

Continue operation if greater

Page 12: PLC Code Protection

Logic Bomb

•  Hook jump table for CPU mode change
•  Keep track of changes for specific sequence

RUN

REM RUN

REM PROG

PROG

Page 13: PLC Code Protection

Remote Commands

•  Hook CIP command handler jump table

Page 14: PLC Code Protection

Remote Commands Cont.

•  Check for custom service and instance

Page 16: PLC Code Protection

Soft DoS

•  Endless loop causes recoverable fault
•  Fault shutdown routine

Page 17: PLC Code Protection

Persistent DoS

•  Write value to flash
•  Fault if value exists

•  Exploit Flash Writing Function
    •  R0 – Destination address
    •  R1 – Source Address
    •  R1 – Data Length

Flash end address

Page 18: PLC Code Protection

Where to From Here?

•  Traffic Modification
•  Modify CIP values
•  Propagation

•  Persistence
    •  Implant in bootloader
    •  Ignore firmware updates
    •  Modify version number

Page 20: PLC Code Protection

Pivoting Through Firewall

Page 21: PLC Code Protection

Pivoting Through Router

Page 22: PLC Code Protection

Pivoting Through Router

Page 23: PLC Code Protection

Implications

•  Vendor agnostic
•  Expensive devices not needed
•  Supply chain
•  Cost of entry

•  Team composition: Two guys
•  Time: Approx 3 months
•  Money: $3,500

NATION STATE NOT REQUIRED

Page 24: PLC Code Protection

Protection Mechanisms

•  Vendor
    •  Digital Signatures
    •  Trusted Platform Module

•  Integrator
    •  Source Verification
    •  Access Control
    •  Configuration Management

•  Asset Owner
    •  Deep Packet Inspection
    •  Data Diodes
    •  Configuration Management

Page 25: PLC Code Protection

Thank You