Conference:  Defcon 31
Authors: David Pekoske Administrator, Transportation Security Administration (TSA), Jen Easterly Director, Cybersecurity and Infrastructure Security Agency, Kevin Collier NBC
2023-08-01

Just like there's more than one way to peel a banana, there’s more than one way to protect a computer network from being pwned. Cyber threats against America’s pipelines, railroads and aviation system are increasing, and the Transportation Security Administration – with support from the White House, the Cybersecurity and Infrastructure Security Agency and Congress – is hacking traditional cybersecurity policy to improve resiliency for the growing connected transportation sector. How? TSA isn’t telling regulated parties exactly the ways they should secure their own systems. Instead, the agency is asking them to produce and provide plans for ensuring they protect their critical assets. America’s adversaries are sophisticated, and TSA needs help from the hacking community to think creatively about future attacks, to identify new vulnerabilities, and to provide innovative new ways of measuring success. This talk will tell you what TSA is seeing, give you a chance to offer us advice, and show you specific ways in which you can contribute to new projects. Because always in motion the future is.
Conference:  Black Hat Asia 2023
Authors: Jos Wetzels
2023-05-11

In OT networks, it is common knowledge that Purdue Reference Model Level 1 (L1) devices such as PLCs and RTUs are notoriously insecure. Regardless, L1 devices that sit at the intersection of multiple, mixed networks (Ethernet, Industrial wireless, Fieldbus, etc.) are often still treated as security perimeters without the corresponding hardening and risk profiles that would be accorded to multi-homed workstations in a similar position. In this talk we will examine *deep lateral movement* in OT networks, looking at various TTPs attackers can deploy to move through the networks of embedded devices that exist at the lowest levels. We do so for two reasons: 1) Crossing underexamined security perimeters, 2) Achieving granular control over OT systems to enable complex attacks. After all, even full control over central SCADA systems doesn't immediately grant attackers the ability to deliver arbitrary cyber-physical impacts. Control systems are engineered to be robust and resilient and don't come with easy "blow me up" buttons on the HMI. So in order to achieve certain impacts, attackers will need to both inhibit Safety Instrumented System (SIS) response functions as well as overcome functional and safety limitations present in controllers and field devices themselves. Achieving these kinds of effects might require attackers to move *through* L1 devices and deeply into nested device networks or across restricted interfaces between the Basic Process Control System (BPCS) and SIS or 3rd party package units (PUs) - such as non-routable, point-to-point links and certain gateways. Contrary to common misconception - and some vendor and standards guidance - we will show that such restricted links do not offer sufficient segmentation by themselves. In addition, we will show that with deep lateral movement, an attacker can achieve effects - such as bypassing firmware safety limits on setpoint interfaces - that change an asset owner's view of risk and consequences. 
We will illustrate the above by means of a Proof-of-Concept multi-stage attack chain against a demo setup modeled after a real-world movable bridge control system. In the demo, achieving physical damage to the bridge requires gaining full access to both control and safety systems across a restricted gateway and point-to-point link architecture. The attack chain incorporates several N-day vulnerabilities (NUCLEUS:13 and Urgent/11) tailored against Wago and Allen-Bradley systems as well as two 0-day vulnerabilities allowing for an authentication bypass and subsequent stealthy RCE on Schneider Electric Modicon PLCs. In addition to outlining target system firmware internals and describing the implants we developed to achieve footholds for lateral movement on these systems, we will provide mitigation and DFIR practitioner advice for defensive purposes.
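One defensive check that follows from the abstract's point about setpoint interfaces: a controller's firmware normally clamps setpoints to an engineering envelope, so a write that lands outside that envelope and is not rejected is itself an indicator that the limit has been bypassed. The example below is added here and is not code from the talk or from the speaker; it passively decodes Modbus/TCP register writes (function codes 6 and 16) and flags values outside a per-register envelope. Modbus is assumed because it is the native protocol of the Modicon family named in the abstract, but the abstract does not say which protocol the demo attack used; the register map, the limits and the two frames are all constructed for this example.

```python
"""Passive check for setpoint writes outside an engineering envelope.

Added example, not from the talk. Register addresses, limits and frames are
invented; values are treated as raw 16-bit engineering units.
"""
import struct

# Hypothetical register map: protocol address -> (name, low limit, high limit).
# In a real deployment this comes from the asset owner's I/O list.
SETPOINT_LIMITS = {
    100: ("motor_speed_setpoint_rpm", 0, 1200),
    101: ("deck_angle_setpoint_deg", 0, 85),
}


def parse_modbus_tcp_writes(frame: bytes) -> list[tuple[int, int]]:
    """Return [(register_address, value), ...] for FC6/FC16 write requests.

    MBAP header: transaction id (2), protocol id (2, must be 0),
    length (2, counts unit id + PDU), unit id (1); then the PDU.
    Non-write function codes yield an empty list; malformed frames raise.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function_code = frame[7]
    pdu = frame[8:]

    if function_code == 6:  # write single register
        if len(pdu) != 4:
            raise ValueError("bad FC6 payload")
        address, value = struct.unpack(">HH", pdu)
        return [(address, value)]

    if function_code == 16:  # write multiple registers
        if len(pdu) < 5:
            raise ValueError("bad FC16 payload")
        address, quantity, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * quantity or len(pdu) != 5 + byte_count:
            raise ValueError("FC16 byte count inconsistent with quantity")
        values = struct.unpack(">%dH" % quantity, pdu[5:])
        return [(address + i, v) for i, v in enumerate(values)]

    return []


def check_setpoint_writes(frame: bytes, limits=SETPOINT_LIMITS) -> list[str]:
    """Return one alert string per monitored register written out of range."""
    alerts = []
    for address, value in parse_modbus_tcp_writes(frame):
        if address not in limits:
            continue
        name, low, high = limits[address]
        if not low <= value <= high:
            alerts.append(
                f"{name} (reg {address}) written to {value}, outside [{low}, {high}]"
            )
    return alerts


# Constructed frames (not captured traffic).
# FC6: unit 1, write register 100 := 900 (0x0384); within the envelope.
FRAME_IN_RANGE = bytes.fromhex("0001 0000 0006 01 06 0064 0384".replace(" ", ""))
# FC16: unit 1, write registers 100..101 := 1500 (0x05DC), 95 (0x5F);
# both exceed the envelope a firmware clamp would normally enforce.
FRAME_OUT_OF_RANGE = bytes.fromhex(
    "0002 0000 000b 01 10 0064 0002 04 05dc 005f".replace(" ", "")
)

if __name__ == "__main__":
    for frame in (FRAME_IN_RANGE, FRAME_OUT_OF_RANGE):
        print(parse_modbus_tcp_writes(frame), check_setpoint_writes(frame))
```

The check only sees traffic on links a sensor can tap. That is exactly the limitation the abstract describes: movement across non-routable point-to-point links or through a gateway into a nested device network leaves no trace on the BPCS Ethernet, so an envelope check like this is one layer for the observable segments, not a substitute for hardening the L1 devices themselves.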