Series of articles：
0x00 Industrial hacker level definition
Due to the particularity of the production environment, equipment application scenarios, and object-oriented in the industrial environment, the peripheral equipment surrounding it also has a basic form that is completely different from traditional networks. Therefore, while studying industrial security, we cannot use traditional Thinking to understand it in the network environment, we need to understand it from a higher dimension. Industrial hackers can be divided into three levels, as follows:
Junior industrial hackers: I don’t know what industrial environment and equipment are, but they have network knowledge and traditional network security attack capabilities. Such hackers can also cause serious consequences.
Intermediate industrial hackers: Have a certain understanding and study of industrial equipment and industrial protocols, and can use the vulnerabilities of industrial protocols to launch targeted network attacks. Such as controlling PLC start and stop, industrial blackmail, etc.
Advanced industrial hackers: understand industrial protocols, understand the processes in specific industrial environments, and be able to implement highly concealed attack methods for specific businesses, such as Stuxnet in Iran.
Introduction of 0x01 Experiment Box
As shown in the figure above, the experiment box provides demonstrations of three attack methods, denial of service, command attack, and data tampering. The three attack methods actually correspond to the three levels of industrial hackers: elementary, intermediate, and advanced. These three levels of attack are from shallow to deep. In.
Denial of service, like traditional Internet attacks, is essentially caused by the flaws of the TCP/IP protocol itself. As long as the standard TCP/IP protocol is used, it will face such attacks. This attack does not require industrial background and knowledge. Traditional hackers can do it. Therefore, when industrial equipment needs to access the Internet, its safety protection measures need to be further considered.
0x02 actual combat demonstration
In the previous articles, we talked about the use of a set of industrial control attack framework (ISF) developed by ourselves, and how to add attack scripts to this set of attack frameworks, and demonstrated the process of ISF cracking Siemens S7-300 password by way of example. There are many rich functions for the ISF industrial control attack framework, such as PLC program injection, PLC proxy, etc. You can study by yourself.
Today we will modularize cyber attacks and integrate them into our attack framework ISF, use ISF plus cyber attack modules to attack the target device, observe the changes of the target device, and finally analyze the harm caused by this attack. , We have to learn from it, what methods should be adopted to better protect industrial equipment.
In this example, the HMI is the display screen (operation screen) of the experiment box, which has some simple industrial simulation environments built-in, such as marquee, traffic lights, power plants, water storage tanks, etc. When operating the “start” or “stop” operation on the relevant interface of the HMI, the HMI will send the relevant instructions to the PLC, and then the PLC will execute the program instructions according to the instructions and return the instructions to the HMI for display execution.
If the equipment in the industrial environment (including but not limited to HMI, PLC, etc.) is subjected to a denial of service attack, the communication between them cannot be normal, then it will lead to unimaginable consequences, such as not receiving control commands, receiving errors Instructions, received malicious instructions, etc. Any incorrect instruction in the industrial environment may lead to serious consequences, which should be paid attention to. Below we use a simple example to show the impact of denial of service attacks on the communication between HMI and PLC.
0x03 attack principle analysis
As mentioned above, there are many forms of denial-of-service attacks. Bandwidth usage and server resources are full, resulting in failure to respond to normal network requests. In order to make the experiment simple and clear, we can send a large amount of garbage data to the target network, block the normal communication between HMI and PLC, and make the “traffic information light” invalid.
The method used is the same as before. We integrate the written script into the ISF framework and load the denial-of-service attack script through the ISF to achieve the demonstration effect of suspending the “traffic information number”.
HMI: Human-computer interaction interface, which is the small screen in the experiment box mentioned in the previous articles. It is used to simulate the operation screen in the industrial environment and industrial operation equipment (such as traffic lights, water storage tanks, etc.).
PLC: Logic controller. Programs are written in PLC to control traffic lights and water tanks in HMI.
A network attack is a malicious attacker sending a large amount of malicious data to the target PLC and HMI, making the normal communication between the PLC and HMI impossible, causing the HMI to fail to receive, or receiving wrong instructions, and causing serious consequences.
0x04 defense plan
Network attacks are divided into many types, including network bandwidth occupation, resource occupation, insecure protocol occupation, etc. In the face of many different network attack behaviors, we first need a capability that can effectively detect it, and secondly, we can reject malicious traffic. attack.
At present, I have a complete solution. Collect full traffic data through a collector + factory-level platform + big data platform, and then use big data + artificial intelligence to correlate and analyze the logs generated by the target. Unearth abnormal traffic. In the end, feedback will be given in a variety of ways, such as email, SMS, or automatic handling. Give industrial control security a pair of visible eyes, and make industrial control security visible.