SCADA and ICS for Security Experts:
How to Avoid Cyberdouchery

James Arlen, CISA
Notacon 7 - Cleveland - 2010

...
Disclaimer

I am employed in the Infosec industry, but not authorized to speak on behalf of my employer or clients.

Everything I say can be blamed on great food, mind-control and jet lag.

Credentials
15+ years information security specialist
staff operations, consultant, auditor, researcher
utilities vertical...
1/ Stop Sounding Stupid

Scada got sexy
Follow the money
Who's an expert now?
One time at security camp
Gotta get me a piece of that

2/ Big Things and Little Things

Not all ‘scada’ is SCADA
Big things: power grid
Big things: pipeline
Interconnected sensors and controls under central
Supervisory control and data acquisition
Little Things: chemical plant, power plant, manufacturing facility
Lots of individual capabilities with some orchestration
Programmable logic controllers
Industrial control systems/Distributed

3/ Part of a Bigger Picture

So if you break the computer, you break everything
What happens when Edna falls into the reactant vessel
This is the data
This is the process
I know you can grok the protocol, can you break the controls?
Oh, you forgot about safety
Oh, you forgot about testing
Oh, you forgot about people
What if it really is SCADA?
Stuff breaks
All the &*^$ing time
And it gets fixed
And you never noticed
But... WAIT! What about the Aurora Explosion Demo Awesome

4/ Practical Positive Things

You can understand this stuff
You can help
They need you
You need to suck it up
It's time to learn before teaching

5/ You Wouldn't Believe Me If I Told You

The Organization is against you
Your prima donna attitude is against you
Your age is against you
It's time to start hacking
First you hack the org
Then you own their asses

6/ Movies Would Have You Believe

It's a mad mad graphical awesome world
What an afternoon at the console really feels like

7/ The Media Hypes It As If...

CYBER CYBER CYBER CYBER CYBER CYBER CYBER CYBER...
There's a hacker behind the bush
A 14yo in Mom's basement
L337 cadre of soldiers
L337 cadre of supersoldiers
L337 cadre of genetically engineered supersoldiers
Killer Tubes

8/ Bad Shit That Actually Happened

Not necessarily public news.

9/ What Could Have Saved It

Superheroes
Superheroes, Ninjas
Superheroes, Ninjas and Pirates
Following Instructions
Or, not sucking at implementation
Or, doing what you're told
Or, stuff that has nothing at all to do with computers

10/ What You Can Do - Little Picture

Learn
Stop listening to "experts"
Modest changes, massive results

11/ What You Can Do - Big Picture

Stop feeding the trolls
Avoid being ‘that person’
Press for sane acquisitions
Study past success

Q&A
@myrcurial
myrcurial@myrcurial.com

Credits, Links and Notices
Me: http://myrcurial.com and http://cyberdouchery.com
...
Notacon 7 - SCADA and ICS for Security Experts

The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure powergrids, pipelines, chemical plants, and cookie factories. Suddenly, every consultant is an expert and every product fixes SCADA. And because they don't know what the hell they're talking about -- 'fake it till ya make it' doesn't work -- they're making all of us look stupid.

Attendees will gain a practical level of knowledge sufficient to keep them from appearing foolish should they choose to opine on any of the various real issues stemming from Industrial Control or SCADA systems. Attendees will also feel embarrassed for something they've said, empowered to call out charlatans, and much less worried about cyberhackers unleashing cyberattacks which cybercause cyberpipelines and cybermanufacturing plants to cybergonuts and cybertakeovertheplanet using cybercookiesofdeath.

  • This ISN’T a talk about SCADA so much as it is a talk about TALKING ABOUT SCADA.
  • Around 2005, and almost all of a sudden, the infosec industry noticed SCADA. And immediately started identifying it as a market.
  • Of course, the simplest explanation is always the most likely. In this case, it was all about the money - there were regulators starting to breathe heavily (NERC 1200, ISA99).
  • And because a packet is a packet is a packet, there were suddenly a million security experts who were also scada experts. Let’s not even get started on the four letter security religion people and how they jumped on this one.
  • At this point, I was working in control systems security -- electricity in particular -- and as much as I could, I spent as much free time as possible pointing out these flawed responses to a very real problem.
  • And then the swarm of consultants and infosec dudes and even a few dudettes showed up and started telling me everything they “knew” about control systems security.
  • They tied a nice little bow on my problems, and told me they could fix it - just a few blinky lights and a few more shiny things and I was going to be fine.
  • I told you we were going to talk ABOUT SCADA systems. Here’s the short form. LANGUAGE is important - specificity is something that engineers really enjoy. They’re kind of like car people -- and our industry has been using words like “synchro-mesh transmission” to describe “derailleur”.
  • Between the experts pontificating and the media eating it up, well.
  • Highly distributed systems used to control geographically dispersed assets (water supply systems, oil and gas pipelines, electrical power grids, railways, etc.)
  • Used where centralized data acquisition and control are critical or practical to overall system operation.
  • When you’re talking about LARGE systems that are GEOGRAPHICALLY distributed and used for huge control undertakings like this... that’s SCADA.
  • Control Systems (CS) are used to control manufacturing processes such as electric power generation, oil and gas refineries, and chemical, food, and automotive production.
  • CS are integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated sub-systems that are responsible for controlling the details of a localized manufacturing process.
  • Usually found in a designated critical infrastructure sector, a control system is a collection of devices or components working together for a common process, controlled by a master entity that can direct, regulate, and refine the behavior of those devices or components through observations and commands.
  • These smaller and “contained” entities are the control systems -- they are generally PROCESS oriented. And we need to talk about them as separate entities. THERE ARE WAY MORE OF THESE THAN THERE ARE SCADA SYSTEMS.
  • This is the problem -- more than anything -- this incredible lack of understanding.
  • It doesn’t matter here whether we’re talking about SCADA or Control Systems... The computers are NOT that which is controlled -- and just like in so many other aspects of infosec - they are NOT the reason that YOU are involved.
  • “What happens when Edna falls into the reactant vessel” -- Just as you’d expect. The system STOPS. This is EXACTLY what happens when the computer breaks.
  • Protocols (partial list): E/IP, DH+, ProfiBus, ANSI X3.28, BBC 7200, CDC Types 1 and 2, Conitel 2020/2000/3000, DCP 1, DNP 3.0, Gedac 7020, ICCP, Landis & Gyr 8979, OPC, ControlNet, Tejas 3 and 5, Modbus, TRW 9550, UCA
  • Mapping from the data to the process is HARD. There’s hours/days/weeks/months/YEARS of programming effort there. The protocol bitstream is just that -- a bitstream.
  • How do you know which device does what?
  • You need to find or see the mapping... not just the raw protocol data. One without the other isn’t terribly useful. Oh, I’m not kidding myself - there are some SERIOUS rockstar protocol reverse engineers out there. There are even some process reverse engineers. In all likelihood, you can BREAK the computer, but can you MAKE the computer do your bidding?
  • And guess what - you’re in a position to break part of it.... can you break all of the additional controls that have been emplaced? ALL OF THEM?
  • BULL. SHIT.
  • There’s a whole additional system under local control THAT IS NOT PART OF THE SCADA OR ICS/DCS system which keeps equipment from going all Skynet/Terminator.
  • So say that you manage to screw up the process -- the batch you were messing with... it hits the garbage pretty hard.
  • Because the organization cares enough to ensure that it only sends the right product out the door.
  • The most interesting part is that NONE of these systems are actually autonomous - they are all predicated upon having a human element - an operator, a controller, an organic mental component...
  • Partly because of liability issues and partly because Bags of Mostly Water are still much better at in-situ problem solving than any of the future silicon masters currently are.
  • Alright. So you’re a super-hacker. YOU busted the SCADA system. You pwnd them good.
  • Well... here’s the thing. They plan for that to happen. Most systems can handle two simultaneous failures without skipping a beat.
  • Because we’re sorta used to it.
  • Wires come down, and they get repaired.
  • Pipelines break for all kinds of reasons - and they get repaired.
  • And nine hundred and ninety nine times out of a hundred... well, more like 99,999 out of 100,000.... you don’t feel it at all.
  • You’ve still got a cozy little house.
  • No one is wandering the streets looking for flesh to feed on.
  • Yup, under very controlled circumstances, with some modest efforts, and a known target surface (relatively turn key systems -- little to no customization) it is possible to make things go BANG. Suggesting that your garden variety NOTACON or DEFCON type hacker can achieve this in an afternoon is... well. Crap.
  • Make sure to go all kind of drifty -- notice SOMETHING in the audience and kinda “Snap” for the next slide.
  • All of you are perfectly smart. You’ve just got to pay attention and focus and HEY, SQUIRREL!!!!
  • Since you’ve solved all of your organization’s security problems, you’ve got time.
  • Between the warring factions of business/asset owners, traditional IT departments and control systems IT departments...
  • But. Remember, you’re not the expert. Suck it the heck up. Buy some people some coffee.
  • EVEN though it feels disingenuous, become the student first, the teacher later.
  • Show a willingness to be the friend, the person who UNDERSTANDS that everyone is a unique and special person.
  • Ok. Here’s some things that I’ve discovered in my time as a control systems security dude.
  • Unions. Really. Woodshed talks down on the loading dock.
  • Hey, we’re in infosec, we all think we’re rock stars... right?
  • The VAST majority of the people that I’ve met in the control systems world would be perfectly happy with good ole 8-bit computers that knew their place in the world. You ARE the age of their kids, and therefore, you are a kid.
  • Yeah, you know you wanna.
  • UNDERSTAND the organization -- what the moving pieces are... look outside the IT department... shadow a few of the “workers” -- it’s a system like any other. Get all “Mitnick-y”.
  • The doors begin to open... you’re starting to get things done.
  • Because hey... you can learn anything fast -- you’re an infosec rockstar. Make THEM change to suit the needs of the almighty altruism -- KTLO, hold the Zombies at bay.
  • Just for review... because, believe it or not... you need to TEAR DOWN each of these preconceptions before you can build up what the glory of a real console feels like.
  • And actually, that’s the problem -- infosec people are fixated on the protocol and ignore the user interface.
  • Of course, you can have all different kinds of user interfaces...
  • And since you’ve got nothing but time... you’ve reviewed all of the log files...
  • And you’re just tired of doing the same ole same ole.... AND YOU’RE LOOKING IN THE WRONG PLACE FOR THE WEIRDNESS. Your effectiveness is in the toilet. Get your shit together.
  • Everyone sing along... CYBER CYBER CYBER CYBER CYBER CYBER CYBER CYBER
  • Because there’s hackers everywhere.
  • And they buy things from Jinx - official shwag dealer at defcon.
  • And every few months, the same stories pop up.
  • And they just love trotting out these stories... kinda like the local news stations... “EXCESS DI-HYDROGEN OXIDE CAN KILL YOU... AND IT’S EVERYWHERE!!!!!!! MORE NEWS TONIGHT AT ELEVEN ON ACTION ONE NEWS!!!!!!!!”
  • Of course none of the 14 year olds I know (or was) are interested in world domination. They’re hormonally driven.
  • The conservatives want you to think of evil brown people.
  • But really, it’s middle aged white guys that are the hackers --- so easy a white guy can do it.
  • This story in the news Wednesday -- Booz Allen Hamilton has now landed the contract to build the Air Force’s cyberwar control center. For a measly $14.4 million in taxpayer money, the outfit will help build a new cyberwar bunker for the U.S. Cyber Command, a wing of the Air Force.
    Additionally, Booz Allen Hamilton won another contract for $20 million to “foster collaboration among telecommunications researchers, University of Maryland faculty members and other academic institutions to improve secure networking and telecommunications and boost information assurance,” Washington Technology reports. While that might sound like a lot of money to set up a mailing list and a wiki, please don’t be cynical. Undoubtedly, McConnell’s crack team of consultants are providing the researchers with around-the-clock bodyguards and state-of-the-art bullet-proof monitors.
  • Of course, this is what we’re all APT fraid of.
  • And it’s right up near this as likely.
  • And well... you know the internet is out to get you.
  • Lack of security policy specific for control domain
    • SCADA network separated only by VLANs and rudimentary ACLs
    • No change management policy
    • Physical security policy richly enforced (but OPSEC does not accommodate for access past defences)
    • No Security Agreement (SA) with vendor, no SA with contractors
  • Vendor default accounts and passwords have not been changed
    • Guest accounts still available
    • No mechanism or schedule in place for updates/upgrades
  • Primary HMIs do not require username/password to get control
    • HMIs may be secured physically but not electronically
    • VNC enabled EWS
  • LOTS of “shared” networks... internet access from HMI stations
  • Internet access TO HMI stations
  • “Run your process from your blackberry!”
  • Absence of testing of core OS
    – Standard SCADA builds are rare (unused SW remains on systems)
    – No testing in place for remaining applications
    • Many insecure applications within key control servers
      – To aid in operator boredom
      – To aid in operator net access
      – To aid in data manipulation
    • Assessments discovered rogue applications trying to call home
      – Hostile ICMP payloads
      – Covert channel over DNS
  • Vendor access (direct via VPN) into control network
    • Access to main switch is by unsecured telnet, and main switch gives all access to all comms
      – Switches use default access credentials
      – Traffic is not filtered by port (i.e. port filtering is not enabled)
    • No encryption or authentication on the control network
    • Dynamic ARP is used with no ARP monitoring
    • Firewalls have some interesting rules, sometimes very simple:
      # $fwadd-rule "allow udp from _any_ to _any_ 0-65535"
      # $fwadd-rule "allow tcp from _any_ to _any_ 0-65535"
  • Vendor provides turnkey solution in each customer location
    • Commonality among deployments
      – Same remote access mechanism
      – Same username/password
      – Same technology (brand, device, etc.)
      – Same addressing schema
      – Same vulnerabilities
  • PLCs unknowingly have embedded web servers
    • PLCs have embedded webserver enabled
    • Data used as a significant step in enumeration
    • Compromised embedded servers allow attacker to gain highest trust level
  • Basic flaws in programming can be discovered and leveraged
    • Vendors (proprietary) are very vulnerable
    • Least privilege; buffer overflows (stack and heap); setuid errors; race conditions; poor cryptography; hard coded IP space; RPC/DCOM; telnet; GUI; password use/storage; file access; X-windows; rsh (instead of ssh); sprintf / strcpy; accept all multicast


  • Really. All of that stuff is real, seen it with my own eyes.
  • Of course.
  • If we had any real “lateral thinkers” in the mix...
  • But none of this is rocket science. In many respects, the control systems industry is living in the past - following the minimums of a modern hardening guideline would be good -- even though you’d likely seriously break the thing you were trying to fix.
  • It’s just SUCK.
  • And the machines only do as well as their masters.
  • And the industry cannot seem to keep up with its own awesome. You can operate an HMI from your blackberry, and at the same time, they can’t fix the basics.
  • I cannot stress this point enough. Become an infovore - consume knowledge - RTFM.
  • Generally speaking, someone who says they are an expert REALLY isn’t. Especially if they are really REALLY proud of being an expert.
  • Project timelines are REALLY long, make little changes at the beginning.
  • People who are putting themselves ‘out there’ as the mouthpieces... even the ones with actual (albeit aged) cred... if your bullshit meter is going off, make sure other people know that. It’s on YOU to help catch and ?persecute? the charlatans out of our bidness. Call a Cyberdouche a Cyberdouche.
  • You are not Zero Cool, Neo, The Plague, QQQQ John Travolta’s character, or any other uber 733t dude-ette. Impress with persuasion and humility rather than wearing your bravado and hackerdouchery. Also, shameless self-promotion -- please see my previous talk on the subject.
  • Be the water drops. Add requirements to the procurement process -- boil the frog. Also -- get to know your procurement people -- make friends EVERYWHERE.
  • The overwhelming, vast, unbelievably dense history that we have as an industry is rich with comparable situations, problems found and solved, learn from them...
  • Once upon a time, computers did what they were supposed to do. Help us to get there again.
  • Thank you all so much for listening to me rant, I’m here for the rest of the day and tomorrow. Ask me anything and I’ll try to answer.
  • Dave Anderson, Mark Fabro, Jake Brodsky, Ron Southworth, Marcus Sachs, Chris Jager, Bob Radvanovsky and Joe Weiss