Monday, September 26, 2016

Project APT: How to Build an ICS Network and Have fun at the Same Time

The Industrial Control System (ICS) security team at Talos frequently sees requests from peers and from students on how to build an ICS test lab. After all, the best way to learn is to get some equipment and learn with good old-fashioned hands-on tinkering. Unfortunately, many frame their test lab inquiries based on more traditional IT standards and network topologies. This is an easy error to make. After all, we can all generally name the components of a modern IT network - workstations, servers, switches, routers and firewalls, for example. It’s easy to fall back on the things with which we are most familiar. It’s only natural. It would be easy to assume that building an ICS network is just a matter of assembling the usual suspects of ICS equipment, and that soon you will have an ICS test lab.

The truth is, there is no such thing as a typical industrial control system network. Understanding industrial control systems and how they work together to deliver a process is not an easy thing. An electrical utility and an oil refinery may make use of the exact same ICS equipment in completely different environments and configurations, which makes understanding any given implementation difficult. With such a diversity of industries and verticals, it can be difficult even to find a starting point, much less procure the (often expensive) equipment needed to start a proper ICS test lab.

Members of the ICS team (Joe Marshal, Patrick DeSantis II & Carlos Pacho) were challenged with this problem by Talos senior leadership, and were told to find a way to build an ICS test lab. No easy task! As it turns out, the answer was easy, but the road to get there would not be.


Project Advanced Persistent Thirst


After much deliberation and research, the team decided to build a test lab that combines our love of hacking and libations. Thus, Project APT was born. We would create an ICS-actuated fluid dispersal system (read: kegerator), capable of dispensing fluid either automatically or manually as determined by the process. And ‘process’ is the key word here! As you look upon our work, understand that we knew what process we wanted to create before we started to purchase equipment. As you build your own test labs, understand what the end goal is before you obtain equipment, as the process will define what you equip your test lab with. In our case, our process was the automated pouring of beer out of a kegerator. Insofar as we can tell, we’re the first to ever attempt a pure ICS automated keg pouring for refreshing SCADA beer.

This is our test lab, Advanced Persistent Thirst.



The Guts of APT




At the heart of our process control network (PCN) is an Allen-Bradley MicroLogix 1400 Programmable Logic Controller (PLC). The PLC processes the logic which is executed for beer pouring. This in turn connects to our industrial unmanaged switch, which creates a simple but effective PCN. Controlling external access, we have a Moxa wireless access point configured to allow remote connectivity to the PCN.

Up Top




Our Human Machine Interface (HMI) is an Allen-Bradley PanelView 800. It runs a custom GUI that allows our custom-designed nozzles to dispense beer at a touch. Notice that we have two nozzles, ideal for multiple container support and fluid dispersal. After several design iterations and many engineering challenges, we had a custom tap tower designed in CAD and then 3D-printed it. It allows for both beer shanks/nozzles, and for our linear solenoids to actuate the beer taps to the open position. The ‘muscle’ pushing our taps open are linear 68 oz. push solenoids, which are connected to a unique assembly that allows for lateral connection to a ball joint on the tap handle, which in turn allows for smooth operation and optimal beer flow. The taps are self-retracting, as linear solenoids typically only actuate in one direction (in this case, pushing taps open).

The PCN



As process control networks go, Project APT is simple and effective. Only one process is executing, and the logic it requires to operate is uncomplicated - and was intended to be so. The open secret of Project APT is that our PCN is hackable. Vulnerable conditions exist on all devices within our PCN that, if an attacker were to exploit them, would stop our process. These vulnerable conditions aren’t necessarily 0-days or even deliberately designed exploits - an attack could range from something as devastating as overwriting firmware to something as simple as creating a denial of service condition on the HMI or PLC. And this is the dirty secret of ICS - while designed to be robust for process-driven reliability, ICS devices can be very fragile against many cyber attacks (or even benign IT processes). Compounding the fragility of ICS devices, many operational technology (OT) networks are very ‘flat’ and unsegmented, and are usually connected to more modern information technology networks to support business processes. Project APT mimics that, and painfully demonstrates what happens when your ICS devices are attacked - your process is stopped, and in our case, the pint glasses stay empty.
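To make the ‘flat versus segmented’ point concrete, here is an added example (not code from Talos or from the Project APT build) that audits constructed flow records against the kind of allowlist a PCN firewall would enforce: only the HMI may reach the PLC, and only on the protocol the process needs. The addresses, the flow-log format and the assumption that the PLC is spoken to over EtherNet/IP on TCP port 44818 are all assumptions made for the example; the page does not state them. The same records are run through a ‘flat’ policy that allows everything, which is the unsegmented OT network the paragraph describes.

```python
"""Segmentation audit for a small process control network (PCN).

Added example; not code from the original post or from Talos. Every
address, subnet and flow record below is constructed for illustration.
Assumption: the PLC is addressed over EtherNet/IP explicit messaging,
which uses TCP port 44818.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed lab addressing (assumption, not from the page).
PCN = ip_network("10.10.0.0/24")   # PLC, HMI and unmanaged switch live here
PLC = ip_address("10.10.0.10")     # MicroLogix-style controller
HMI = ip_address("10.10.0.20")     # PanelView-style operator panel
ENIP_TCP = 44818                   # EtherNet/IP explicit messaging port

# The only conversation the process needs: HMI -> PLC over EtherNet/IP.
# A flat, unsegmented network has no such list at all.
ALLOWED = {(HMI, PLC, "tcp", ENIP_TCP)}

# Constructed flow records: "<timestamp> <src> <dst> <proto> <dport>".
SAMPLE_FLOWS = [
    "2016-09-26T10:00:01 10.10.0.20 10.10.0.10 tcp 44818",    # HMI -> PLC
    "2016-09-26T10:00:05 10.20.0.7 10.10.0.10 tcp 44818",     # wireless client -> PLC
    "2016-09-26T10:00:09 192.168.1.50 10.10.0.10 tcp 80",     # IT host -> PLC web UI
    "2016-09-26T10:00:12 10.20.0.7 10.10.0.20 tcp 80",        # wireless client -> HMI
    "2016-09-26T10:00:15 192.168.1.50 192.168.1.60 tcp 443",  # IT-only traffic
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ip_address(src), ip_address(dst), proto.lower(), int(dport))


def flat_verdict(flow: Flow) -> str:
    """The unsegmented OT network: every host can reach every device."""
    return "allow"


def segmented_verdict(flow: Flow) -> str:
    """Allowlist policy at the PCN boundary: deny anything into the PCN
    that is not an explicitly permitted (src, dst, proto, port) tuple."""
    if flow.dst not in PCN:
        return "allow"  # traffic that never enters the PCN is not our concern
    if (flow.src, flow.dst, flow.proto, flow.dport) in ALLOWED:
        return "allow"
    return "deny"


def audit(lines, policy=segmented_verdict):
    """Return (flow, verdict, reason) for each record under the given policy.
    The reason singles out the case defenders care about most: a PLC
    reachable from outside its own PCN."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        verdict = policy(flow)
        reason = ""
        if verdict == "deny":
            if flow.dst == PLC and flow.src not in PCN:
                reason = "PLC reachable from outside the PCN"
            else:
                reason = "not on PCN allowlist"
        results.append((flow, verdict, reason))
    return results


def denied_count(lines, policy=segmented_verdict) -> int:
    """Number of records the policy would block."""
    return sum(1 for _, verdict, _ in audit(lines, policy) if verdict == "deny")


if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} "
              f"{verdict} {reason}")
    print("flat policy denies:", denied_count(SAMPLE_FLOWS, flat_verdict))
    print("segmented policy denies:", denied_count(SAMPLE_FLOWS))
```

Run against the constructed records, the flat policy denies nothing, so a wireless client or an IT workstation can reach the PLC and HMI directly, while the segmented policy blocks three of the five flows and passes only the HMI-to-PLC conversation the process actually needs. The same allowlist shape is what a firewall placed between the access point and the PCN would enforce.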






On The Road



Once we created APT, we realized we could make a great ICS challenge for others to try - we bolted on a Moxa Wireless AP and a Rockwell Stratix 5950 Industrial Firewall to provide protection and segmentation. This allowed us to create a great ICS hacking challenge - could someone figure out ICS protocols and actuate a beer tap without touching the HMI? To find out, we took Project APT on the road! We recently presented our kegerator in Louisville, Kentucky, at DerbyCon 6.0.


The convention was a fantastic success for Advanced Persistent Thirst - our presentation was well received. Over the course of the weekend we let conference attendees hack our kegerator - and it was a tough challenge!

Conference goers busy hacking APT!

To hack an ICS network, you really need to do your homework! Understanding process control networks and manipulating PLCs requires dedication and time. We had many attendees try, and four successful conference goers hacked APT to wirelessly actuate our kegerator! A big congrats to Andrew, Jonathan, Nick, and Jared for being the first to crack the tough challenge of hacking Advanced Persistent Thirst! For their efforts they earned a well-deserved congrats, and the much coveted Talos challenge coins.



If we bring Advanced Persistent Thirst to a conference near you, we hope you’ll hack it and maybe pour yourself a beer. Thank you to everyone who came to us and complimented us on our project, and showed an interest in learning about ICS and how we put our project together. We appreciated all the kind words and interest, and hope we inspired others to learn about ICS.

