Tweet
Jimmy Wylie - Analyzing PIPEDREAM: Challenges in testing an ICS attack toolkit.
Jimmy Wylie, Principal Malware Analyst II , Dragos, Inc., He/Him
Presentation Title: Analyzing PIPEDREAM: Challenges in testing an ICS attack toolkit.
Length of presentation: 45 minutes
Demo
Identified early in 2022, PIPEDREAM is the seventh-known ICS-specific
malware and the fifth malware specifically developed to disrupt
industrial processes. PIPEDREAM demonstrates significant adversary
research and development focused on the disruption, degradation, and
potentially, the destruction of industrial environments and physical
processes. PIPEDREAM can impact a wide variety of PLCs including Omron
and Schneider Electric controllers. PIPEDREAM can also execute attacks
that take advantage of ubiquitous industrial protocols, including
CODESYS, Modbus, FINS, and OPC-UA.
This presentation will summarize the malware, and detail the
difficulties encountered during the reverse engineering and analysis
of the malware to include acquiring equipment and setting up our
lab. This talk will also release the latest results from Drago's lab
including an assessment of the breadth of impact of PIPEDREAM's
CODESYS modules on equipment beyond Schneider Electric's PLCs, testing
Omron servo manipulation, as well as OPC-UA server manipulation.
While a background in ICS is helpful to understand this talk, it is
not required. The audience will learn about what challenges they can
expect to encounter when testing ICS malware and how to overcome them.
SPEAKER BIO
Jimmy Wylie is a Principal Malware Analyst at Dragos, Inc. who spends
his days (and nights) searching for and analyzing threats to critical
infrastructure. He was the lead analyst on PIPEDREAM, the first ICS
attack "utility belt", TRISIS, the first malware to target a safety
instrumented system, and analysis of historical artifacts of the
CRASHOVERRIDE attack, the first attack featuring malware specifically
tailored to disrupt breakers and switchgear in an electric
transmission substation.
Jimmy has worked for various DoD contractors, leveraging a variety of
skills against national level adversaries, including network analysis,
dead disk and memory forensics, and software development for detection
and analysis of malware. After leaving the DoD contracting world, he
joined Focal Point Academy, where he developed and taught malware
analysis courses to civilian and military professionals across the
country. In his off-time, Jimmy enjoys learning about operating
systems internals, playing pool, cheap beer, and good whiskey. He can be found on Twitter @mayahustle.
REFERENCES:
Security Research: CODESYS Runtime, a PLC control framework by Alexander Nochvay, Kaspersky ICS-Cert:
https://ics-cert.kaspersky.com/media...Codesys-En.pdf
CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations by Dragos, Inc:
https://www.dragos.com/wp-content/up...verride-01.pdf
TRISIS Malware: Analysis of Safety System Targeted Malware by Dragos, Inc:
https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf
Analyzing TRISIS:
https://www.dragos.com/resource/analyzing-trisis/
Omron 1S-series with Built-in EtherCat Communications User's Manual:
https://assets.omron.eu/downloads/ma..._manual_en.pdf
Cybersecurity Guidelines for EcoStruxure, Machine Expert, Modicon and
PacDrive Controllers and associated Equipment. User Guide, by Schneider Electric
https://download.schneider-electric....Name=EIO000000 4242.00.pdf&p_Doc_Ref=EIO0000004242
The fall of CODESYS, Alexander Nochvay: https://www.youtube.com/watch?v=CISXXFfhU08
Broken Rungs: A look at popular ladder logic runtime privileges, Reid Wightman and Jimmy Wylie:
https://www.youtube.com/watch?v=TcQzqIUaahw
[]
Jimmy Wylie, Principal Malware Analyst II , Dragos, Inc., He/Him
Presentation Title: Analyzing PIPEDREAM: Challenges in testing an ICS attack toolkit.
Length of presentation: 45 minutes
Demo
Identified early in 2022, PIPEDREAM is the seventh-known ICS-specific
malware and the fifth malware specifically developed to disrupt
industrial processes. PIPEDREAM demonstrates significant adversary
research and development focused on the disruption, degradation, and
potentially, the destruction of industrial environments and physical
processes. PIPEDREAM can impact a wide variety of PLCs including Omron
and Schneider Electric controllers. PIPEDREAM can also execute attacks
that take advantage of ubiquitous industrial protocols, including
CODESYS, Modbus, FINS, and OPC-UA.
This presentation will summarize the malware, and detail the
difficulties encountered during the reverse engineering and analysis
of the malware to include acquiring equipment and setting up our
lab. This talk will also release the latest results from Drago's lab
including an assessment of the breadth of impact of PIPEDREAM's
CODESYS modules on equipment beyond Schneider Electric's PLCs, testing
Omron servo manipulation, as well as OPC-UA server manipulation.
While a background in ICS is helpful to understand this talk, it is
not required. The audience will learn about what challenges they can
expect to encounter when testing ICS malware and how to overcome them.
SPEAKER BIO
Jimmy Wylie is a Principal Malware Analyst at Dragos, Inc. who spends
his days (and nights) searching for and analyzing threats to critical
infrastructure. He was the lead analyst on PIPEDREAM, the first ICS
attack "utility belt", TRISIS, the first malware to target a safety
instrumented system, and analysis of historical artifacts of the
CRASHOVERRIDE attack, the first attack featuring malware specifically
tailored to disrupt breakers and switchgear in an electric
transmission substation.
Jimmy has worked for various DoD contractors, leveraging a variety of
skills against national level adversaries, including network analysis,
dead disk and memory forensics, and software development for detection
and analysis of malware. After leaving the DoD contracting world, he
joined Focal Point Academy, where he developed and taught malware
analysis courses to civilian and military professionals across the
country. In his off-time, Jimmy enjoys learning about operating
systems internals, playing pool, cheap beer, and good whiskey. He can be found on Twitter @mayahustle.
REFERENCES:
Security Research: CODESYS Runtime, a PLC control framework by Alexander Nochvay, Kaspersky ICS-Cert:
https://ics-cert.kaspersky.com/media...Codesys-En.pdf
CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations by Dragos, Inc:
https://www.dragos.com/wp-content/up...verride-01.pdf
TRISIS Malware: Analysis of Safety System Targeted Malware by Dragos, Inc:
https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf
Analyzing TRISIS:
https://www.dragos.com/resource/analyzing-trisis/
Omron 1S-series with Built-in EtherCat Communications User's Manual:
https://assets.omron.eu/downloads/ma..._manual_en.pdf
Cybersecurity Guidelines for EcoStruxure, Machine Expert, Modicon and
PacDrive Controllers and associated Equipment. User Guide, by Schneider Electric
https://download.schneider-electric....Name=EIO000000 4242.00.pdf&p_Doc_Ref=EIO0000004242
The fall of CODESYS, Alexander Nochvay: https://www.youtube.com/watch?v=CISXXFfhU08
Broken Rungs: A look at popular ladder logic runtime privileges, Reid Wightman and Jimmy Wylie:
https://www.youtube.com/watch?v=TcQzqIUaahw
[]