A Diet of Poisoned Fruit: Designing Implants and OT Payloads for ICS Embedded Devices

Download Slides

Watch Video

In this talk we aim to shed some light on the process, efforts and challenges of constructing implants for ICS embedded devices and operational technology (OT) payloads for carrying out cyber-physical attacks. We will present the steps required to engineer a cyber-physical attack and illustrate them with example implementations of different attack routines including I/O spoofing, attack progress measurement, alarm relaxation & suppression as well as anti-forensics, implant stability and persistence measures.

In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting Schneider Electric Triconex safety controllers at a petrochemical plant in Saudi Arabia, potentially in order to cause physical damage. The framework included a multi-stage payload consisting of an installer and a backdoor implant for execution of additional code at a later point in time. What was missing, however, is the so-called Operational Technology (OT) payload implementing the actual logic that would aid in carrying out a cyber-physical attack.

While it is well known that ICS devices and software are often insecure by design and the manners in which attackers typically penetrate control networks have also been extensively discussed, what happens after their compromise is little understood. Despite being integral to carrying out a successful cyber-physical attack, ICS device implants and OT payloads (especially those operating at levels 0 and 1) are generally understudied, which hinders estimations on the complexity and development cost of ICS offensive capabilities as well as hardening, forensics and detection efforts.

In this talk we aim to shed some light on the process, efforts and challenges of constructing such implants and OT payloads. We will present the steps required to engineer a cyber-physical attack and illustrate them with example implementations of different attack routines including I/O spoofing, attack progress measurement, alarm relaxation & suppression as well as anti-forensics, implant stability and persistence measures.

About the Speakers

Jos Wetzels

Jos Wetzels is an independent security researcher with Midnight Blue specializing in embedded systems security across various domains ranging from industrial and automotive systems to IoT and networking equipment. He previously worked as a researcher at the Distributed and Embedded Security group (DIES) at the University of Twente (UT) where he developed exploit mitigation solutions for constrained Industrial Control Systems (ICS) used in critical infrastructure, performed various security analyses of state-of-the-art network and host-based intrusion detection systems and has been involved in the AVATAR research project regarding on-the-fly detection and containment of unknown malware and Advanced Persistent Threats. He has assisted teaching hands-on offensive security classes for graduate students at the Dutch Kerckhoffs Institute for several years.

Marina Krotofil

Marina Krotofil is an experienced ICS/SCADA professional, who spent almost a decade on offensive Industrial Control Systems (ICS) security: discovering and weaponizing unique attack vectors, engineering damage scenarios and understanding attacker techniques when exploiting ICS. Marina offensive security skills serves her well during forensic investigations, ICS malware analysis and when engineering defenses. She previously worked as a Principal Analyst and Subject Matter Expert in Cyber-Physical group at FireEye (USA), Lead Cyber Security Researcher at Honeywell (USA) and as a Senior Security Consultant at the European Network for Cyber Security (Netherlands). Between her industrial positions, Marina joined academia to pursue doctoral degree and teach security courses at Hamburg University of Technology, Germany. She authored more than 20 academic papers and book chapters on ICS security and is a frequent speaker at the leading security events around the world. She holds MBA in Technology Management, MSc in Telecommunication and MSc in Information and Communication Systems.