SCADACS is an organizational unit of the Secure Identity Research Group (AGSI) at Freie Universität Berlin, led by Prof. Volker Roth. It comprises research assistants and students of AGSI and student volunteers, some of which are also part-time employees of security consulting firms.
Our research is directed at measuring and visualizing the attack surface of cyber-physical systems, detecting and analyzing attacks on these systems, developing interim protection mechanisms, and designing architectures for secure cyber-physical systems.
We educate ourselves about the technology and best practices of industrial automation so that we can help securing cyber-physical systems against attacks. Through teaching courses and training we pass our experience to students and future security professionals.
All SCADACS members work on internal projects meant to expand our capability to analyze and modify industrial protocols and systems. Through collaboration and joint projects with industry and security consulting firms, we strive to transfer our experiences into practice.
Unseen and unnoticed by most, cypher-physical systems enable much of our modern society. From manufacturing to utilities to modern building management, all of these systems are combinations of computers, sensors and actuators that have a concrete impact on the world we perceive and live in. Many of these systems are accessible over the Internet and they are targets of attacks [1, 2]. The trend towards interconnecting these systems will grow as we move towards greater integration and “smart” production. In rushing towards “Industry 4.0”, there is a clear risk that, once again, technology is put into place without proper design of protection mechanisms. However, the future consequences will likely be more severe than they are already today.
Internet search engines often stumble upon cyber-physical systems not meant to be accessible to unauthorized parties. Left shows a particular flavor of industrial systems, geo-located on a map of European countries. The data was obtained from the SHODAN search engine. However, contemporary search engines miss part of the story because they do not speak industrial protocols such as modbus and s7comm.
We have developed a versatile high-speed scanner and search engine for industrial systems which is able to uncover and query industrial systems that are under the radar of contemporary public search engines. Systems found in this fashion are particularly vulnerable because industrial protocols typically do not enforce access controls. Consequently, adversaries can often obtain full control over these systems and other devices connected to them.
Equipped with the rights tools to find and access ICS, adversaries can download and analyze the code on a programmable logic controller (PLC). Adversaries can then analyze and modify the code and load it back onto the PLC in order to perform sabotage. This process can be performed online or it can be automated by means of malware that infects engineering workstations, similar to Stuxnet.
An old NSA quote says “Attacks only get better, not worse.” And so do tools that support attacks. It would be foolish to assume that sophisticated attacks will remain the privilege of a few skilled people or state actors. Criminal markets have emerged that leverage economies of scale. Where there is a demand for tools to attack cyber-pysical systems, someone will eventually provide the tools and services to monetize them.
Our Industrial Risk Assessment Map project is meant to visualize the attack surface based on the input of search engines for cyber-physical systems (CPS) and to communicate the threats of attack automation. Cyber-physical systems can be selected according to various geographic and system-specific criteria. Individual systems can be matched against vulnerability databases and if an exploit is available, it is conceptually easy to launch an attack with a single press of a button.
Companies are often oblivious to the fact that their ICS are Internet-facing. We have seen cases were ICS were reachable behind firewalls. Companies need to re-architect their networks to adapt to the risk. In order to protect TIA engineering workstations (EWS) against PLC malware, we have developed a Trusted Guard system. The Guard is plugged in between an EWS and the industrial network, and it intercepts PLC code en route from the EWS to the PLC. Using a trusted display, engineer can verify independently that the code is free of malicious modifications, by comparing it visually to a prior version. Turning a key while holding a button allows the upload to proceed whereas just turning the key aborts the upload. The Guard would have been effective against Stuxnet.
SCADACS runs a hacking lab equipped with EWS, PLCs and miniature models of industrial production systems. All members have access to the lab so that they can continuously educate and train themselves. We offer interested students a practical introductory course on SCADA/ICS systems on an annual basis. At the beginning participants learn how to program these systems from the perspective of an engineer. Then we show how ICS systems can be compromised and develop countermeasures to prevent this.