DeepSec 2022 Talk: Faking at Level 1 – How Digital Twins Save Your PLCs – Thomas Weber
Every year, many big and small incidents in industrial environments, like power plants, factories, or food supply, find their way into newspapers. All those affected industries are backed by highly branched and historically grown Operational Technology (OT) networks. A sizeable portion of such incidents would have been avoidable, if network segmentation was done correctly and patches for user devices (not always possible in OT) were installed.Despite such known problems, that also lead to the compromise of traditional IT networks, a bunch of unknown vulnerabilities are unfortunately also present in OT infrastructure.
OT in modern factories contains of networked (and smart) devices, especially on level 1, also called the control level, of the Purdue model. Devices, like PLCs, industrial router/switches, data diodes, and more, cannot be easily tested if they are in use by the factory. Therefore, solutions for classification and monitoring from different vendors are in use to not put the running infrastructure at risk. These non-intrusive ways for getting a picture about the running infrastructure only give a partial overview of the vulnerability landscape of the OT network but cannot detect unknown vulnerabilities.The testing of such expensive devices instead of using them is often not desired because of the price, and spare items must be available, which is the reason those devices can’t be touched too.
For this reason, digital twins – in terms of virtualization – from the devices in the factory should be created for pen-testing purposes. These twins can be built with different tools (open source/ closed source) and have been used for identifying 0-days during an ongoing research project. After the creation, the virtual appliances were connected to form a full fletched OT network, to imitate a real industrial environment. Testing these virtual appliances does not harm the real infrastructure, but provides a lot of valuable information about the systems in scope.
This was tested in practice during engagements and has been recreated and edited for a talk which also includes vulnerabilities that were discovered during such a test setup.
We asked Thomas a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- OT pen-testing can be perilous, especially on Purdue Level 1
- Scanning in such networks can cause a service disruption of the whole OT infrastructure
- Digital twins of the firmware from Level 1 devices (PLCs, RTUs,…) can be used to copy devices and infrastructure
- Pentesting such digital twins would not cause any outage
- Such technique can be beneficial for pen-testers and for OT infrastructure operators
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I’ve got a lot of experience in pen-testing embedded devices (hardware & firmware) and work with the digital twins of the firmware for over four years. A lot of these devices are in use within OT environments on all levels as infrastructural elements, but especially on Purdue Level 1. To make the most of the knowledge about the digital twin of the firmware, I used it to test critical devices like PLCs that are used in OT infrastructures – and I wanted to share this knowledge with the community as a talk.
Why do you think this is an important topic?
I think it’s important because society highly depends on critical infrastructure (Industry 4.0) and should take care of it to avoid future attacks.
Is there something you want everybody to know – some good advice for our readers, maybe?
Do have a closer look at digital twins in the future! They can help with so many applications.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
The field of embedded / IoT security will continue to grow – more Jobs, more IoT devices. The skill-set electrical/computer engineering and IT security will be in high demand.
Thomas is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT and wrote many security advisories in the past. Besides his past employment, he developed an emulation system for firmware in the course of scientific work. In the past, he spoke at conferences like HITB, BlackHat, IT-SECX, HEK.SI and OHM(international).