Growing Up: PLC Security Sessions at S4x19

The PLC / Level 1 device has taken a beating at S4, most notably at S4x12 with Project Basecamp. In fact, after the huge number of vulns presented at S4x13, we started turning away the poor code quality and insecure-by-design sessions as old news.

At S4x17 and S4x18, the tide began to turn with the introduction of signed firmware, secure ICS protocols and some evidence that vendors' efforts to implement a security development lifecycle (SDL) were making a difference. And now we are pleased that S4x19 will show next-level work on both offensive and defensive PLC security.

PLC Endpoint Protection

Anti-virus, application whitelisting and other host-based protection are used to protect ICS PCs, but endpoint protection on PLCs is almost nonexistent. Perhaps this will soon change. We scheduled two sessions back-to-back Tuesday (Day 1) afternoon on Stage 2 that are certain to be favorites amongst the uber-technical S4 attendees. Both sessions, inspired by what was seen in Triton, pull apart and inspect ladder logic to detect malicious logic payloads so that, in theory, the logic is rejected before it is loaded into the PLC, but they do it in different ways. First up is David Atch, who will be applying a symbolic execution approach. This will be followed by Reid Wightman and Jimmy Wylie, who will look at it with a program analysis and decompilation approach.

Persisting In Level 1

Because there is little endpoint protection, minimal security monitoring and minimal forensic evidence at Level 1, it can be a great place for attack code to live and persist during an attack on an ICS. Elisa Costante will be on Stage 2 on Day 1 with Persisting in Level 1: The Building Is Alive. This session looks at and demonstrates an attack on a building automation system, with emphasis on hiding evidence of the attack and persisting, potentially even during and after incident response. Of course, new vulns will be identified and exploits demonstrated in this session as well.

Roee Stark will present PLC's: Backdoors in Disguise on Wednesday (Day 2). Roee looked at the PLC's ability to attack other cyber assets rather than the process it monitors and controls. And he did this using the built-in capabilities of a very popular PLC, not new attack code loaded onto the PLC. Of course, there will be vulns.

Designing the PLC

Almost all of the major ICS vendors now support and actively encourage deploying workstations and servers in a virtualized environment. So the logical next step would be to virtualize the PLC or controller. Yet I've been chasing this session for the last two S4 events without success. We found it for S4x19, with Austin Scott presenting The Virtualized PLC on Stage 2 on Thursday (Day 3). He will highlight the benefits and challenges of virtualizing PLCs. Importantly, he will go over the actual use of virtualized PLCs at a large North American refinery.

Also on Day 3 on Stage 2 will be Jon Taylor on Hardware-Based Integrity capabilities and their use in Level 1 devices. His focus is on implementing very simple and minimal Trusted Execution Environments (TEEs) on ARM processors.


We will be highlighting groupings of S4x19 sessions in a weekly blog post on this site. There are many more Level 1 sessions on the agenda that fit in other categories.

Make sure you check out the full S4x19 agenda and register ASAP to get the best price, and get a Full Ticket if you want to see these technical talks on Stage 2.