# On the Significance of Process Comprehension for Conducting Targeted ICS Attacks

_CPS-SPC’17, November 3, 2017, Dallas, TX, USA_

## ABSTRACT

## KEYWORDS

## 1 INTRODUCTION

## 1.1 Experimental testbed

**Figure 1: Network diagram of the testbed**

## 2 PRELIMINARIES

**Figure 2: Constituents of cyber-physical attack**

## 2.1 Points and Tags

be soft or hard. A hard point denotes a physical input or output

## 3 DATA SOURCES

## 3.1 PLC Configuration

- Core design of the operational process
- Operator ability to control (manual vs. automated process
- Use of sensors and actuators
- Addressing schemes and data point structures
- Controller-integrated safety and alert functions
- Network-related information (protocols, interfaces, addresses/IDs

**Figure 3: Commented PLC logic**

**Figure 4: Un-commented PLC logic**

## 3.2 HMI/Workstation Configuration

- Operator view into the core operational process
- Operator ability to control (manual vs. automated process
- Operator view of sensors and actuators (including added
- Addressing schemes and data point structures
- HMI/controller-integrated safety and alert functions
- Network-related information (including protocols, interfaces,

**Figure 5: HMI GUI**

**Figure 6: View of the control logic tags on the HMI**

**Figure 7: View of HMI configuration file in HEX editor**

## 3.3 Historian Configuration

- Addressing scheme and data point structure
- Data points of importance to decision makers
- Network-related information (including protocols, interfaces,

**Figure 8: Historian GUI**

**Figure 9: Historian configuration file open in text editor**

## 3.4 Network Traffic

**Figure 10: Traffic between HMI and PLC**

- High-level data flows (e.g. networked systems interactions)
- Granular system-system data requirements (e.g. functional
- Operational process behaviour (e.g. which process data passed
- Numerical process data, status of equipment, alarms, etc.
## 3.5 Piping and Instrumentation Diagram

**Figure 11: P&ID of the testbed**

- Complete design of the operational process
- Detailed list of the operational equipment, its type and sizes
- Mechanical equipment (which is often not included in con

## 3.6 Other (Policies, Procedures, Reporting Functions, System/Component Constraints, etc.)

## 3.7 Attacker Goal

## 4 NETWORK BASED MITM ATTACK

## 4.1 Network/Device Enumeration

## 4.2 MITM Attack on the HMI

**Figure 12: Example of the static EtterCap filter**

## 4.3 Replay Attack on the RTU

## 4.4 Control Request Injection

**Figure 13: Example of the replay script in Python**

**Figure 14: Example of the command injection script in Python**

## 5 HOST BASED MITM ATTACK

## 5.1 Pin Control Attack

**Pin Multiplexing.** System on Chips (SoCs) usually employ hun-

**Pin Configuration.** Embedded SoC I/Os (e.g. ARM, MIPS, or

configure pins that are to be used for reading values into input mode, and pins that are to be used for controlling/writing values to output mode. The PLC usually configures its pins by first mapping

**Figure 15: Pin multiplexing on SoC**

**Figure 16: Mapping of a physical I/O memory to a virtually mapped I/O**

## 5.2 MITM using Pin Control

**PLC runtime privilege.** In recent years multiple works have

**Knowledge of the physical process.** Based on our previously

**Knowledge of the PLC and mapping between I/O pins and the logic.** The PLC type will allow an attacker to understand where

**Figure 17: Request to provide virtual addresses of all digital I/O interfaces**

**Figure 18: List of all virtually mapped I/O interfaces and their ranges**

## 5.3 Process Manipulation using Pin Control Attack

**Multiplexing the ultrasonic pin.** We first start by multiplex-

writing a zero value to the analogue pin multiplex pin (system wide

**Sending command to open Valve 3 and Start Pump 1.** After

## 6 SUMMARY AND CONCLUSIONS