
Laboratory environment for offensive practices in industrial networks

[Illustrative image]

At present, when programming Programmable Logic Controllers (PLCs), if the equipment is not physically available, simulation software such as PLCSim or OpenPLC can be used. These tools are capable of importing the code created in the manufacturer's IDE and emulating the behavior of the PLC. The versatility of these simulators makes it possible to exemplify most of the functions the controllers offer. But when it comes to simulating industrial networks, these tools are quite limited or lack that functionality altogether. It is true that there are solutions that come closer to reality, such as creating virtual machines with NodeRED and VirtualmakTCP, or even with TIA Portal in the case of Siemens. However, in offensive practices where we have to analyze open source and proprietary communication protocols, or even different firmware versions on the same device, it is essential to have the physical equipment.

This post describes the design and construction, at an early stage, of a low-cost educational board oriented to Siemens products and based on the standards of their exams, intended for offensive practices. The equipment built as of the publication date of this post has 12 indicator lights that can be used to show the status of the control outputs, an "industrial traffic light" style beacon, a Human Machine Interface (HMI) system, a Siemens S7-200 with its Ethernet adapter module, and a switch. A terminal block with 48 extra connectors for future upgrades is also included, and there is enough room to add more devices.

Introduction

For several years, advances in process control have led production tasks to be built on automation systems. In many cases this requires a preliminary study in which prototypes are developed before a real system is built.

[Illustrative image]

J. Figueiredo, M. Ayala Botto, “Automatic Control Strategies Implemented on a Water Canal Prototype”, IFAC Proceedings Volumes, Volume 38, Issue 1, 2005, Pages 22–27

In these prototypes, the main process parameters of interest, such as temperatures, pressures, levels, flows, concentrations, etc., are continuously monitored. These values can be adjusted so that the tasks are performed automatically, turning on valves, pumps, heaters, motors, relays, among others.

Doing this in a laboratory within an educational environment, and taking it to a security context, will allow students not only to broaden their experience in designing, building and monitoring equipment, but also to learn how to secure, upgrade and protect it.

It is also possible to connect the board to industrial simulation software to see the results in a didactic way, without having to build a prototype in our backyard or incur expenses.

Consider an example: a student, after "listening" to the communication protocol, manages to keep a session open and change the state of one of the PLC outputs. Now imagine that in a real implementation that output corresponds to a valve that pours liquid into a tank. Imagining it is easy, but "seeing" it creates a real sense of the danger of such a state change, and we can appreciate it thanks to simulators such as Factory I/O or Machine Simulator.

[Illustrative image]

On the left of the image we can see a graphical interface device (included in the physical board), intended for the student to interact with directly. Next to it is the event-based simulator. Remember that this does not simulate communication between members of the industrial network, only their events: the software inputs are physically connected to our PLC, either over the network or through a specialized adapter.

[Illustrative image]

Detail of the simulator interface. It is connected via USB to the host where the simulator runs. Its inputs (the green terminals) are connected directly to the outputs of our PLCs.

Some authors suggest that study methodologies are increasingly oriented towards confronting students with problems closer to reality, so that they can adapt better and better to the dynamics of current technological change. For this reason, several institutions around the world have opted to develop remote laboratories, where experiments can be performed at a distance, avoiding exposing the student to dangerous situations while still providing the necessary guidance. Similarly, virtual laboratories offer conditions comparable to remote ones, with the advantage that they are based entirely on software, which enables augmented reality, computational dynamics, virtual worlds, etc. On the other hand, the constant search to optimize resources has led to the construction of prototypes using low-cost components, which are increasingly efficient and reliable.

[Illustrative image]

As we can see in this image, by combining the hardware of this laboratory with the simulation software we can have several complete production lines in a single classroom.

General Equipment Characteristics

As mentioned in the first section of this post, the equipment built is based on Siemens products. The following table shows the details: the elements already assembled in the project are in blue, while the missing ones are detailed in gray. We also averaged the costs from several websites and expressed them in dollars so that this information remains useful over time.

[Illustrative image: table of components and average costs]

Many of these devices can be obtained second hand at almost 50% of their value. This is only useful for educational environments: the manufacturer guarantees correct operation of these devices only within a set period of time, and using them outside those margins in a real industrial environment would not comply with safety standards.

The unit was designed so that the different digital input and output signals are available on connection terminals inside the cabinet. In this way the student can propose different operating configurations for the equipment simply and quickly.

Design and Construction

To make the explanation of the design and construction of the equipment easier, it was divided into three fundamental blocks: door, cabinet and interior. These are described below.

Door

As mentioned above, the equipment was built in a metal cabinet. Its front has a door carrying the necessary components: 12 indicator lights of 22 mm that run on 24 volts DC, with which states or stages of a control sequence can be indicated. An 8-inch Siemens MP 277 Touch was also incorporated. In a later stage, 16 push buttons will be added to simulate actuators.

[Illustrative image]

Cabinet

The cabinet measures 50 cm x 60 cm x 20 cm. Banana terminals will be implemented in the future on its right side, where the controller's output signals are made available and where its input signals are connected. These terminals use a 24 volt level for digital signals and a 0 to 10 volt range for analog signals, and can be connected to the push buttons or pilot lights installed on the door as required.

[Illustrative image]

Reference image of a similar solution built at the Universidad Autónoma Metropolitana, Azcapotzalco.

The entire cabinet sits on a structural iron stand raised 85 cm above ground level. Underneath the equipment there is a 220 volt AC interlock power connector that feeds the whole system. A Category 5e Ethernet jack will also be installed, through which communication with external equipment takes place. Finally, an industrial "traffic light" beacon was installed on the top to simulate emergency situations.

[Illustrative image]

Interior

Inside the panel there is a thermistor, which protects all the elements of the equipment in case of an erroneous connection. In addition, as previously mentioned, a Siemens PLC model S7-226 is installed, and there is enough space to add the remaining ones. On the left side of the following image we can see the current status of the project, while on the right side is a representation of the result we expect to obtain.

[Illustrative image]

Implementations and practical exercises

The following table lists the devices, protocols and firmware versions we are seeking in order to carry out the investigations.

[Illustrative image: table of target devices, protocols and firmware versions]

A good starting point for acquiring the necessary knowledge before starting our research can be the official Siemens exams, as they offer step-by-step manuals detailing the wiring, protocols, software, etc. Part of this project was born from the idea of replicating the SITRAIN training stations.

[Illustrative image]

Both the models and the firmware versions were chosen based on a list of known vulnerabilities; for more technical details I invite you to read this post, where a real attack is addressed technically. As a reference, the following diagram shows a timeline on which product releases, exploits and firmware patches are located.

[Illustrative image: timeline of product releases, exploits and firmware patches]

Conclusion

In this post we explained the design and construction, at an early stage, of a didactic support equipment for offensive practices on Programmable Logic Controllers, their protocols and their software. It could be considered a worthwhile investment for individuals, educational environments, or complete Red Team/Blue Team teams developing solutions for their customers.

Although the construction of the equipment is still in progress, this first stage has already delivered satisfactory results. Its reduced cost compared to other solutions, and the practicality it brings together with the simulators, give a competitive advantage when undertaking an OT solution. It not only meets the need for security practices or programming, but could also help correct entire production lines, making them more efficient simply by simulating them, from the comfort of our homes.

References and Bibliography

  • L. R. Vega González, "Engineering education in the global context: proposal for engineering education in the first quarter of the 21st Century", Engineering, Research and Technology, Volume 14, Number 2, April-June 2013.

  • Veljko Potkonjak, Michael Gardner, Victor Callaghan, Pasi Mattila, Christian Guetl, Vladimir M. Petrović, Kosta Jovanović, "Virtual laboratories for education in science, technology, and engineering: A review," Computers & Education, Volume 95, April 2016.

  • A. Gómez Espinosa, P.D. Lafuente Ramón, C. Rebollar Huerta, M.A. Hernández Maldonado, E.H. Olguín Callejas, H. Jiménez Hernández, E.A. Rivas Araiza, J. Rodríguez Reséndiz, "Design and Construction of a Didactic 3-DOF Parallel Links Robot Station with a 1-DOF Gripper", Journal of Applied Research and Technology, Volume 12, Issue 3, June 2014.

  • Serna M. Edgar, Polo José Antonio, "Logic and abstraction in engineering education: a necessary relationship", Engineering, Research and Technology, Volume 15, Number 2, April-June 2014.