CompTIA Pentest+ PT0-002 – Section 15: Attacks on Specialized Systems Part 2
March 7, 2023

144. Embedded Systems (OBJ 3.5)

In this lesson, we’re going to start talking about some embedded system vulnerabilities, because many of the devices we connect to the internet as part of the internet of things at large have embedded operating systems, like Linux or Android. Now, when we talk about an embedded system, this is a computer system that is designed to perform a specific and dedicated function. Oftentimes when we talk about an embedded system, we’re talking about things in the manufacturing or automation space. So we might have a microcontroller in a medical drip system that has one job: to measure the volume of fluid that goes through that machine and into the IV, so the patient gets what they need. You might have another one in a control system at a water treatment plant, and its responsibility is to make sure that water is flowing through at a certain rate, so it’s going to open or close valves to maintain that amount of flow through the system. This is the idea of an embedded system. It can be a very, very simple device, or it can be quite complex and run a full operating system like Linux or Android. It just depends.

Now, in this particular lesson, I’m going to focus more on the specific embedded systems that have a single function, and that have their own dedicated operating system or microprocessor to do that function. For instance, at my house, I have a smart meter. So if I go out to the side of my house, I can look at the electric meter and it’ll tell me how many kilowatt-hours I am using and how much I’ve used over time. Now this information is connected to the internet, so that the power company doesn’t have to send somebody to my house to read this meter once a month. Instead, it’s all done electronically now. They do this by using cellular modems: the meter connects to the cellular network, back over the internet, to their headquarters and into their servers, to feed in the data on what we’ve used for power consumption. If you look at your meter at your house, you probably have something that looks pretty similar. Now these types of embedded systems are considered static environments, where frequent changes are not made or allowed. So when’s the last time you upgraded the software on your electric meter, for instance? You probably never have. And the power company probably doesn’t do it very frequently either. That’s the idea of these embedded systems.

They are a very stripped down system that is made to do one purpose and one purpose only. And by doing that, that helps them become more secure, because they don’t have a lot of extra code. But if the original code shipped with flaws, it is hard to fix them, because these devices aren’t built to receive frequent software updates. Because of this, embedded systems often have very little support for identifying and correcting security issues. You can’t call up the power company and tell them to come secure your meter. That’s just not part of what they’re going to do for you. They’re going to do it the way they want to do it, because it’s their device. And often if you have an embedded system inside your factory or inside your plant, if you are in a manufacturing area, you’re going to have limited support from that manufacturer. And so this is an area where you really want to get all these devices onto a separate, segmented network and not have them connected back to the internet at large, or this could be a big area of vulnerability for you. Now, when we talk about embedded systems, there’s a term called PLC, which is a programmable logic controller. This is a type of computer that’s designed for deployment in an industrial or outdoor setting. And it can automate and monitor mechanical systems. Now, when you think about a PLC, I want you to think of something like manufacturing, that’s going to open or shut a valve to let more or less water come in. That’s the idea of a PLC. It is a programmable logic controller. Now these PLCs run on firmware, because, again, these are embedded systems. So the firmware, which is the software stored on the chip itself, can be patched and reprogrammed to fix vulnerabilities when they occur. But again, there’s a very specific process and there’s usually limited support from the manufacturer. It’s not like Microsoft, where they’re going to give you a patch every Tuesday. With these PLCs, you might get a patch every six months or a year or two years.
There’s usually a very long time in between patches. Now, another way we can do this is using what’s called a system-on-chip. This is another form of embedded system. This is where a processor integrates the platform functionality of multiple logic controllers onto a single chip. So instead of having all these big PLCs all over the place, we can get all that down to one single chip. Now this system-on-chip can be very power efficient and therefore they’re often used with smaller devices that need to have an embedded system.

So if I need to create something that’s going to have an embedded system and be very small so that it can fit in my pocket, that would usually use something like a system-on-chip. If you’re using something like a Roomba or robot vacuum cleaner, those use a system-on-chip design, because they try to get all that functionality onto a single chip. ‘Cause again, it takes up less space and therefore you can leave more room for the functioning parts you need, such as the vacuum. Now, the other thing we want to talk about is some of the operating systems these devices use. So there’s this thing known as an RTOS, which is a real-time operating system. Now this is a type of operating system that prioritizes deterministic execution of operations, and this helps us ensure a consistent response for time-critical tasks. Now think about this. If you’re running something that has to open or shut a valve inside of a nuclear plant, can you tolerate that being offline at any time? Probably not, right? Well, that’s the idea of where we would use an RTOS, a real-time operating system. This is because a lot of our embedded systems typically can’t tolerate reboots or crashes.

And they have to have response times that are predictable within milliseconds. So if I’m building something that’s going to run parts of an airplane, that’s going to help my autopilot fly, and the autopilot needs to make adjustments to the wings every couple of milliseconds, well, that is something that we would want to use a real-time operating system for. We can’t use a standard Windows system for that. It’s just not fast enough or predictable enough, and it’s subject to rebooting or crashing and security patches and all that other stuff. So RTOS, when you hear that term, think about this as the type of operating system that’s often used with embedded systems, especially in critical applications. Now, the last thing I want to talk about is an FPGA, which is a field-programmable gate array. This is a type of integrated circuit whose logic can be programmed by the customer after manufacture to perform a specific function, rather than having that function fixed at the time of manufacture. So if I’m going to use something like a system on a chip built as an application-specific integrated circuit, that logic was fixed by the manufacturer, and whatever it was built to do is what it’s going to do. But with a field-programmable gate array, I as the customer can actually program what I want it to do. This is really useful if I have a more generic function like opening and shutting a valve, but I need to tell it what time I want it to do it. Or if I want to tell it how many seconds it should be open for and how many seconds it should be closed for. Those are things I can program in using a field-programmable gate array. Now the end customer here has the ability to program these things by configuring the programmable logic blocks and the routing between them. And we can do this to run a specific application instead of using an application-specific integrated circuit, like a system-on-chip design would. When you fabricate an ASIC, that is the logic you’re going to have. When you’re dealing with a field-programmable gate array, you have the ability to change that, which is also why protecting the configuration that gets loaded into it matters: whoever can rewrite that configuration changes what the hardware does.

145. ICS and SCADA Devices (OBJ 3.5)

In this lesson, we’re going to discuss industrial control systems and supervisory control and data acquisition systems, known as ICS and SCADA. In general, most of us work in IT, which is information technology. Now, information technology includes our standard Windows computers, our servers, our networks, our cloud platforms and things like that. When we start talking about ICS and SCADA, though, we’re moving into the world of OT, operational technology. Now operational technology is a communications network that is designed to implement an industrial control system rather than our traditional business and data networking systems. When we’re dealing with ICS and SCADA, we’re not going to be focused on end user machines or a Windows 11 workstation, for example, sitting on our networks. Instead, with OT, we’re going to be using technology and computers to do something in the physical world, like open or shut a valve as you might do in a manufacturing plant, generate power in an electrical power plant, or turn lights on or off and things like that. Now, when you look at operational technology, it does look different from our other typical information technology networks. For example, here’s what OT looks like: a big cabinet with dials and gauges and buttons that reference what is happening in the real world. If I want to open or shut a different valve or turn on or turn off a different pump, I would push the buttons on the panel in front of the cabinet instead of using a Windows machine and typing a command like start open valve and pressing Enter.

Now, this isn’t to say you can’t connect a Windows machine and use it as a digital interface into the world of OT, because you can. But in general, when you think of OT, I want you to be thinking about technology that interacts with the real world. A lot of operational technology can be run in a manufacturing plant using systems like this, and you don’t even need to have a regular computer. But if you want to use a Windows computer to control these operational technology networks, you can do that, and you can integrate IT with OT. But again, you don’t have to. Now, in the world of operational technology, we have two main types of systems. We have industrial control systems and supervisory control and data acquisition systems. First, we have industrial control systems.

Now, an industrial control system, also known as ICS, provides the mechanisms for workflow and process automation by controlling machinery using embedded devices that are designed to perform a specific and dedicated function. ICS is heavily used to control real world devices and critical infrastructure, things like power supply, water supply, healthcare services, telecommunications and national security services. If you interconnect multiple ICSs together, you can actually create a distributed control system, or DCS. Now, when you’re dealing with industrial control systems, you have to prioritize availability and integrity over confidentiality. In the IT world, we usually focus on the CIA triad, and we tend to treat all three as really important, with confidentiality being a strong contender for first place. But in the world of operational technology, confidentiality is actually the least important of the three components. Availability is paramount, and it’s that way for a good reason. Let’s think about the purpose of operational technology and what it was originally designed to do in manufacturing. It was all about maximizing the efficiency of our manufacturing plants. After all, any time that plant was down, the organization was not making money. So for them, availability is everything. Also, back then, the manufacturing plants didn’t connect to the internet, and the entire network was located within the walls of the factory.

So we had that physical boundary to provide us some level of confidentiality. This meant that confidentiality wasn’t a big deal, and we didn’t have to think about building it into our networks. This is because we trusted the people who were working in our factories. Now let’s take a look at another good example of ICS that’s used on a daily basis all over the world. Here we have a US Navy warship. This is a great example, because it contains multiple ICSs that are focused on different things. Essentially, that ship is a city at sea. Now, remember, when you hear ICS, this is essentially just a network of embedded devices that measure and control physical processes. On that ship, there’s a power plant that creates the electricity. There’s the equivalent of a factory with all the machines needed to create thrust, turn the propeller and move the ship through the water. There’s a telecommunications backbone for voice and video that runs throughout the entire ship. There are waste and water treatment facilities on board. Everything those sailors need to survive for months at a time is on that ship, and it’s all being controlled by ICS and embedded devices. Now, to interconnect all these industrial control systems, ICS uses a communication technology known as fieldbus.

Now, fieldbus is a digital serial data communication technology that is used in operational technology networks to link different programmable logic controllers, or PLCs, together. A programmable logic controller is a type of digital computer that’s used in industrial settings to enable automation in assembly lines, autonomous field operations, robotics and other applications. PLCs are interconnected using fieldbus with sensors and input and output devices to connect the real world with the digital world. These PLCs can be programmed to conduct an action based on the input they receive from a given sensor. Now, to operate and monitor these PLCs, we’re going to use an HMI, or human-machine interface. A human-machine interface can be a local control panel or a piece of software running on a regular computer. The human-machine interface acts as the operator’s input to the PLCs and as the output display for the entire system. This way, a human can quickly see and monitor what that system is doing at any given time. After all, as a human operator, I need to be able to see what the machine is doing by reading gauges or other screens, as well as to be able to give input to that machine for what I want it to do. And I do this by pushing buttons, turning knobs, entering keystrokes or even using a touch screen. For example, if I worked in a hospital as a radiography technician, I might need to take some x-rays. I can have a human-machine interface that’s a flat panel screen, and I can touch it and tell the machine what I want it to do.

This way, the panel can take that information from me, send it to the machine, and then take the x-ray in the case of this radiography machine. This allows the ICS and the PLCs connected to it to form a control loop, and the whole process of automation is governed by some kind of control server. To program and control the PLCs, you’re going to use a special sequential control language known as ladder logic. Ladder logic is essentially a programming language that’s entered into the system through the creation of a graphical diagram that mirrors the circuit diagrams and relay logic that used to be wired by hand, and it is typically written on an engineering workstation and then downloaded to the PLC. By creating a series of ANDs, NOTs, ORs and START/STOP conditions inside the ladder logic language, the operator can effectively program the PLCs to provide the needed functionality. The end result looks a lot like a flow chart, but it allows for the full automation of that PLC and its interconnections to perform the work needed by those devices. As a security practitioner, you also need to be able to go back and see what has happened in these ICSs, these PLCs and these HMI devices in the event that you have some kind of data breach or incident, because these devices are prone to being attacked just like a regular computer can be.
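Here is an added example, not code from the course, of how a PLC’s scan cycle evaluates ladder logic. The first rung is the classic start/stop seal-in circuit built from exactly the AND, OR, NOT and START/STOP conditions described above: a momentary START press latches the pump on through the pump’s own contact, and STOP drops it out. A second rung opens a valve only while the pump runs and the tank is not full. The tag names, the tuple representation of rungs, and the operator input sequence are all assumptions made for this illustration.

```python
"""Ladder-logic scan-cycle simulator (added example; tag names and rungs are assumptions).

A PLC repeats the same scan forever: read inputs, evaluate every rung top to
bottom, write the coils. A rung here is a tiny expression tree over tag names:

    ("tag", "START")                     normally-open contact: true when the tag is on
    ("not", cond)                        normally-closed contact: true when cond is off
    ("and", c1, c2, ...) / ("or", ...)   contacts in series / contacts in parallel

Rung 1 is the start/stop seal-in circuit:

    |--[ START ]--+--[/STOP ]--( PUMP )--|
    |             |
    |--[ PUMP  ]--+        (the PUMP contact "seals in" the momentary START press)
"""
from dataclasses import dataclass, field


def evaluate(cond, tags):
    """Evaluate one rung condition against the current tag table."""
    kind = cond[0]
    if kind == "tag":
        return bool(tags.get(cond[1], False))  # unknown tags read as de-energized
    if kind == "not":
        return not evaluate(cond[1], tags)
    if kind == "and":
        return all(evaluate(c, tags) for c in cond[1:])
    if kind == "or":
        return any(evaluate(c, tags) for c in cond[1:])
    raise ValueError(f"unknown condition type {kind!r}")


@dataclass
class Rung:
    condition: tuple
    coil: str  # output tag energized when the condition is true


@dataclass
class PLC:
    rungs: list
    tags: dict = field(default_factory=dict)  # persists between scans, like PLC memory

    def scan(self, inputs):
        """One scan: copy inputs into the tag table, evaluate rungs in order, return coil states."""
        self.tags.update(inputs)
        for rung in self.rungs:
            # Later rungs see coils written by earlier rungs in the same scan.
            self.tags[rung.coil] = evaluate(rung.condition, self.tags)
        return {rung.coil: self.tags[rung.coil] for rung in self.rungs}


# Rung 1: PUMP = (START OR PUMP) AND NOT STOP   -- momentary START latches the pump on
SEAL_IN = Rung(("and", ("or", ("tag", "START"), ("tag", "PUMP")), ("not", ("tag", "STOP"))), "PUMP")
# Rung 2: VALVE = PUMP AND NOT TANK_FULL         -- only feed the tank while it has room
VALVE_RUNG = Rung(("and", ("tag", "PUMP"), ("not", ("tag", "TANK_FULL"))), "VALVE")


def run_sequence(plc, input_steps):
    """Feed one input snapshot per scan and return the coil states after each scan."""
    return [plc.scan(step) for step in input_steps]


def demo():
    """Constructed operator sequence: press START, release it, tank fills, press STOP."""
    plc = PLC(rungs=[SEAL_IN, VALVE_RUNG])
    steps = [
        {"START": False, "STOP": False, "TANK_FULL": False},  # idle
        {"START": True,  "STOP": False, "TANK_FULL": False},  # operator presses START
        {"START": False, "STOP": False, "TANK_FULL": False},  # START released: pump stays sealed in
        {"START": False, "STOP": False, "TANK_FULL": True},   # tank full: valve closes, pump still runs
        {"START": False, "STOP": True,  "TANK_FULL": False},  # STOP pressed: pump drops out
    ]
    return run_sequence(plc, steps)


if __name__ == "__main__":
    for i, coils in enumerate(demo()):
        print(f"scan {i}: {coils}")
```

The point for a pentester is that the rungs and the tag table are the whole of what the PLC does in the physical world: anyone who can download modified logic or force a tag value on the PLC changes the process directly, which is why the original ladder diagram and the PLC’s current program are the things you compare during an engagement or an investigation.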

To do this, we’re going to first look to the data historian. A data historian is a piece of software that aggregates and catalogs data from all the multiple sources within your industrial control system by collecting all the events generated from that control loop. As a cybersecurity practitioner, it is important that you know where the data historian is and how you can use it in your organization, because it’s going to be very valuable information for you during an incident if your organization maintains its own operational technology networks for ICS and SCADA devices. Now, the second type of OT we need to talk about is supervisory control and data acquisition systems, which is known as SCADA. Now, technically, SCADA is a type of industrial control system, and it’s used to manage large-scale, multi-site devices and equipment spread over a geographic region from a central host computer.

Now, this may be a bit confusing at first, so I want you to remember it this way. If you hear the term ICS, we’re talking about a single plant or system. If we’re talking about a DCS, this is a small collection of ICS systems, but still normally in one building or one facility. When you start moving into the world of SCADA, we’re talking about many different ICS and DCS plants that are all interconnected through a wide area network. Because of the wide reach of SCADA, it is normally operated with a piece of software that runs on an ordinary system like Windows or Linux. This SCADA system can then gather data and manage it across all the different plant devices and all the different equipment that has embedded PLCs in those plants. To interconnect these plants in the SCADA network, you’re going to need a wide area network connection, which can be cellular, microwave, satellite, fiber or even a VPN over a public network.

You can really use whatever you want just like when you’re designing your connections for your other networks. But you need to make sure you’re linking back all those field devices to the central SCADA server. A good example of a large-scale SCADA network is a smart meter system used by many electric companies around the world. At my home, for example, we have a smart meter that was installed by the electric company. Each month, instead of them having to come out and read my meter, that meter sends them the information over a cellular connection, and they now know how much they need to bill me.

Additionally, they can connect to my meter and monitor not just my usage, but also my up and down status, because all the houses in my area are part of this SCADA network. So by having this SCADA network, they no longer have to pay meter readers to go out and manually check the meters at every house in the city every single month. Instead, they simply use the cellular chip that’s in there to take a reading once a month and send it back over the cellular network as a text message or other data format to their SCADA server. It collates that information, passes it on to the billing system, and then I get a bill with the amount due for the electricity that I used that month.
