No announcement yet.

Jimmy Wylie - Analyzing PIPEDREAM: Challenges in testing an ICS attack toolkit.

  • Filter
  • Time
  • Show
Clear All
new posts

  • Jimmy Wylie - Analyzing PIPEDREAM: Challenges in testing an ICS attack toolkit.

    Jimmy Wylie - Analyzing PIPEDREAM: Challenges in testing an ICS attack toolkit.

    Jimmy Wylie, Principal Malware Analyst II , Dragos, Inc., He/Him

    Presentation Title: Analyzing PIPEDREAM: Challenges in testing an ICS attack toolkit.
    Length of presentation: 45 minutes

    Identified early in 2022, PIPEDREAM is the seventh-known ICS-specific
    malware and the fifth malware specifically developed to disrupt
    industrial processes. PIPEDREAM demonstrates significant adversary
    research and development focused on the disruption, degradation, and
    potentially, the destruction of industrial environments and physical
    processes. PIPEDREAM can impact a wide variety of PLCs including Omron
    and Schneider Electric controllers. PIPEDREAM can also execute attacks
    that take advantage of ubiquitous industrial protocols, including
    CODESYS, Modbus, FINS, and OPC-UA.

    This presentation will summarize the malware, and detail the
    difficulties encountered during the reverse engineering and analysis
    of the malware to include acquiring equipment and setting up our
    lab. This talk will also release the latest results from Drago's lab
    including an assessment of the breadth of impact of PIPEDREAM's
    CODESYS modules on equipment beyond Schneider Electric's PLCs, testing
    Omron servo manipulation, as well as OPC-UA server manipulation.
    While a background in ICS is helpful to understand this talk, it is
    not required. The audience will learn about what challenges they can
    expect to encounter when testing ICS malware and how to overcome them.

    Jimmy Wylie is a Principal Malware Analyst at Dragos, Inc. who spends
    his days (and nights) searching for and analyzing threats to critical
    infrastructure. He was the lead analyst on PIPEDREAM, the first ICS
    attack "utility belt", TRISIS, the first malware to target a safety
    instrumented system, and analysis of historical artifacts of the
    CRASHOVERRIDE attack, the first attack featuring malware specifically
    tailored to disrupt breakers and switchgear in an electric
    transmission substation.

    Jimmy has worked for various DoD contractors, leveraging a variety of
    skills against national level adversaries, including network analysis,
    dead disk and memory forensics, and software development for detection
    and analysis of malware. After leaving the DoD contracting world, he
    joined Focal Point Academy, where he developed and taught malware
    analysis courses to civilian and military professionals across the
    country. In his off-time, Jimmy enjoys learning about operating
    systems internals, playing pool, cheap beer, and good whiskey. He can be found on Twitter @mayahustle.


    Security Research: CODESYS Runtime, a PLC control framework by Alexander Nochvay, Kaspersky ICS-Cert:

    CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations by Dragos, Inc:

    TRISIS Malware: Analysis of Safety System Targeted Malware by Dragos, Inc:

    Analyzing TRISIS:

    Omron 1S-series with Built-in EtherCat Communications User's Manual:

    Cybersecurity Guidelines for EcoStruxure, Machine Expert, Modicon and
    PacDrive Controllers and associated Equipment. User Guide, by Schneider Electric
    https://download.schneider-electric....Name=EIO000000 4242.00.pdf&p_Doc_Ref=EIO0000004242

    The fall of CODESYS, Alexander Nochvay:

    Broken Rungs: A look at popular ladder logic runtime privileges, Reid Wightman and Jimmy Wylie:

    Last edited by number6; June 20, 2022, 18:07.