{"id":8738,"date":"2021-05-06T01:49:56","date_gmt":"2021-05-05T23:49:56","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?post_type=session&#038;p=8738"},"modified":"2023-05-11T03:04:37","modified_gmt":"2023-05-11T03:04:37","slug":"nakatomi-space-lateral-movement-as-l1-post-exploitation-in-ot","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/nakatomi-space-lateral-movement-as-l1-post-exploitation-in-ot\/","title":{"rendered":"Nakatomi Space: Lateral Movement as L1 Post-Exploitation in OT"},"content":{"rendered":"<p><iframe title=\"#HITB2023AMS D1T1 - Nakatomi Space: Lateral Movement As L1 Post-Exploitation In OT - Jos Wetzels\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/0b87g3tY6bY?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/materials\/D1T1%20-%20Nakatomi%20Space%20-%20Lateral%20Movement%20as%20L1%20Post-Exploitation%20in%20OT%20-%20Jos%20Wetzels.pdf\">PRESENTATION SLIDES (PDF)<\/a><\/p>\n<hr \/>\n<p style=\"text-align: justify;\">In OT networks, it is common knowledge that Purdue Reference Model Level 1 (L1) devices such as PLCs and DCS controllers are notoriously insecure. 
Regardless, L1 devices that sit at the intersection of multiple, mixed networks are often still treated as security perimeters without the corresponding hardening and risk profiles that would be accorded to workstations in a similar position.<\/p>\n<p style=\"text-align: justify;\">Low-level RCE capabilities on such L1 devices can give attackers the ability to cross security perimeters in interfaced Basic Process Control System (BPCS)\/Safety Instrumented System (SIS) architectures or perform detailed manipulation of equipment in fieldbus networks nested behind PLCs in order to bypass interlocks and safety constraints that would otherwise mitigate attacks restricted to manipulation of the L1 device itself.<\/p>\n<p style=\"text-align: justify;\">In this talk, we will present an overview of different real-world BPCS\/SIS architectures and 3rd party package unit setups and enumerate relevant lateral movement options at the lowest Purdue levels. <strong>We will illustrate some of these TTPs with an in-depth discussion and demonstration of a multi-stage exploit chain incorporating previously undisclosed authentication bypass and RCE vulnerabilities against a fully patched, widely used PLC in a realistic setup<\/strong>.<\/p>\n<p style=\"text-align: justify;\">Finally, we will provide hardening suggestions to restrict attacker lateral movement at the lowest Purdue levels.<\/p>\n","protected":false},"template":"","class_list":["post-8738","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Nakatomi Space: Lateral Movement as L1 Post-Exploitation in OT - HITBSecConf2023 - Amsterdam<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/nakatomi-space-lateral-movement-as-l1-post-exploitation-in-ot\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Nakatomi Space: Lateral Movement as L1 Post-Exploitation in OT - HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"og:description\" content=\"PRESENTATION SLIDES (PDF) In OT networks, it is common knowledge that Purdue Reference Model Level 1 (L1) devices such as PLCs and DCS controllers are notoriously insecure. Regardless, L1 devices that sit at the intersection of multiple, mixed networks are often still treated as security perimeters without the corresponding hardening and risk profiles that would [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/nakatomi-space-lateral-movement-as-l1-post-exploitation-in-ot\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-11T03:04:37+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/nakatomi-space-lateral-movement-as-l1-post-exploitation-in-ot\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/nakatomi-space-lateral-movement-as-l1-post-exploitation-in-ot\/\",\"name\":\"Nakatomi Space: Lateral Movement as L1 Post-Exploitation in OT - HITBSecConf2023 - Amsterdam\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\"},\"datePublished\":\"2021-05-05T23:49:56+00:00\",\"dateModified\":\"2023-05-11T03:04:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/nakatomi-space-lateral-movement-as-l1-post-exploitation-in-ot\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/nakatomi-space-lateral-movement-as-l1-post-exploitation-in-ot\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/nakatomi-space-lateral-movement-as-l1-post-exploitation-in-ot\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Nakatomi Space: Lateral Movement as L1 Post-Exploitation in OT\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\",\"name\":\"HITBSecConf2023 - 
Amsterdam\",\"description\":\"#HITB2021AMS\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session\/8738"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/media?parent=8738"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}