PT-DTS SCADA Security using MaxPatrol
Published in: Technology

  1. Securing ICS/SCADA systems
  2. Agenda
      • Positive Technologies company overview
      • ICS/SCADA security myths
      • Positive Research on SCADA security
      • MaxPatrol for SCADA
      • Positive Services for SCADA
      • Questions?
  3. Positive Technologies company overview
  4. About Positive Technologies
      • 10+ years of experience
      • 300+ employees
      • Offices: London, UK; Moscow, Russia; Seoul, Korea; Tunis, Tunisia; Rome, Italy
      • 1000+ customers and partners globally
      • Partnerships with major software vendors
  5. Positive Technologies focus
      • MaxPatrol: vulnerability and compliance management system
      • Positive Services: a unique team of experts in practical security
      • Positive Research: one of the biggest research centers in Europe
      • Positive Hack Days: the annual international information security forum
  6. Positive Services
      • We conduct more than 20 large-scale penetration tests each year
      • We perform a consistently high volume of web application security assessments
      • Security assessment: penetration testing; infrastructure analysis; custom application assessment
      • Security management processes: KPI development; technical standards and compliance; audit of IT security risks in business processes
  7. Positive Research Center
      • One of the biggest security research labs in Europe: 100+ new 0-day vulnerabilities discovered per year; our research is used by key industry bodies
      • We help global IT players secure their products
      • We are involved in the development of industry standards
      • Our portal is a leading Eastern European security portal
  8. Positive Hack Days Forum 2012
      • 1,500 participants, 6 tracks, 10 workshops, 8 challenges
      • Hacking CTF contest
      • Keynote by Bruce Schneier
  9. Our customers: telecoms and hi-tech, government agencies, banking and finance
  10. Our customers: industrial enterprises
      • Energia Space Corporation
      • Tactical Missiles Corporation
      • Sukhoi (aircraft building enterprise)
      • Magnitogorsk Iron & Steel
      • Nizhnekamsk (petrochemicals)
      • AEP (nuclear technologies)
  11. ICS/SCADA security myths
  12. Why should we care about SCADA security? The myths:
      • The SCADA network is isolated and not connected to other networks, let alone the Internet
      • MES/SCADA/PLC systems are based on custom platforms, so attackers cannot hack them
      • The HMI has limited functionality and does not let an attacker mount an attack
      • …
  13. PT security assessment experience
      • 100% of tested SCADA networks are exposed to the Internet or the corporate network, through: network equipment/firewall misconfiguration; MES/OPC/ERP integration gateways; abuse of HMI external devices (phones, modems, USB flash drives); VPN/dial-up remote access
      • 90% of tested SCADA systems can be hacked with Metasploit, because they run: standard platforms (Windows, Linux, QNX, BusyBox, Solaris…); standard protocols (RPC, CIFS/SMB, Telnet, HTTP…); standard bugs (patch management, passwords, firewalling, application vulnerabilities)
  14. PT security assessment experience
      • 70% of HMI/engineering stations are also used as desktops: kiosk mode bypass; (secret) Internet access; games, "keygens", trojans and other "useful" software
      • Overall SCADA security level = Internet security at the beginning of the 21st century
  15. Positive Research on ICS/SCADA security
  16. Activities in 2012
      • SCADA Security in Numbers: research on the ICS/SCADA attack surface
      • SCADA application security assessment: deep analysis of different automation systems
      • Security hardening guide development: security configuration guides and benchmark checklists for SCADA
      • Community collaboration
  17. SCADA Security in Numbers: deep technical analysis of the ICS/SCADA attack surface (2005 – August 2012)
      • Statistics of vulnerabilities and exploits: vulnerabilities in PLC/SCADA/MES systems; risks and exploits; vulnerability management effectiveness; attack vectors and impact
      • SCADA on the Internet: analysis of SCADA systems exposed to the Internet; distribution by vendor; security level
  18. N of vulnerabilities/year (chart)
  19. Risk level by vendor (chart)
  20. Risk level (%) (chart)
  21. N of exploits/year (chart)
  22. % of exploits (chart)
  23. SCADA application security assessment: deep technical analysis of different automation systems
      • Siemens automation solutions: SIMATIC WinCC, S7 PLCs, TIA Portal
      • Wonderware InTouch
      • …
      • Methodologies: black-box penetration testing/fuzzing; web application code review; firmware reversing and static analysis; forensic analysis
  24. SCADA application security assessment: results
      • >50 vulnerabilities detected: client-side (XSS, CSRF etc.); SQL/XPath injections; arbitrary file reading; username/password disclosure; weak encryption; hardcoded crypto keys; …
      • Results: partially fixed by vendors; assessment and fixing roadmap with Siemens ProductCERT
      • 50 is a quarter of currently known SCADA vulnerabilities!
  25. Security hardening guide development
      • Technical guides for built-in and external security features
      • Useful for configuration management and security assessment
      • First public release: Siemens SIMATIC WinCC
      • To come: TIA Portal, HMI kiosk mode, InTouch
  26. Community collaboration
      • Collaboration with Siemens ProductCERT and other vendors
      • Reports at security conferences
  27. MaxPatrol for SCADA
  28. MaxPatrol in figures
      • 30,000+ checks of known vulnerabilities
      • 1,000+ systems to work across
      • 5,000+ configuration parameters
      • 100+ new 0-day vulnerabilities per year
  29. MaxPatrol: an all-in-one solution
  30. MaxPatrol highlights
      • Password policy audit
      • Malware detection
      • Integrity monitoring
      • Sensitive data detection
      • Agentless and low-privileged assessment
      • Web application security
  31. Our approach: a defense-in-depth strategy
      • Network layer
      • OS and DBMS
      • SCADA/HMI/PLCs
      • MES/ERP
      • Compliance management support
  32. Network layer
      • Vulnerability checks for different platforms: Cisco, Juniper, Check Point, Arbor, Huawei, Nortel, Alcatel
      • Configuration analysis: authentication checks; ACL analysis; special checks of industrial protocol configuration (Cisco Connected Grid, etc.)
  33. OS and DBMS: exhaustive vulnerability and configuration analysis
      • Operating systems: Windows, Mac OS X, Linux, IBM AIX, HP-UX and Oracle Solaris
      • Databases: Microsoft SQL Server, Oracle, IBM DB2, PostgreSQL, MySQL and Sybase
      • Offline USB/CD scanner: useful for HMI/SCADA audits; requires no network connection; full-featured reporting with MaxPatrol Server
  34. SCADA/HMI/PLC
      • Support for automation protocols: Modbus/S7/DNP3/OPC
      • Vulnerability checks for PLC/SCADA/MES
      • Predefined (safe mode) assessment for SCADA
      • Configuration checks for SCADA
      • HMI kiosk mode checks
      • Mobile/wireless/Internet access
      • Software whitelist/blacklist
      • Antivirus/HIPS checks
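The findings on slide 13 (SCADA hosts reachable from the corporate network, running standard protocols with standard bugs) and the safe-mode, configuration-driven SCADA checks on slide 34 can be illustrated with a small inventory-driven checker. The Python below is an added example written for this page; it is not MaxPatrol code or any other Positive Technologies tool. The host inventory, the risky-service list, the default-password list and the severity ratings are all constructed for illustration. Its one design point worth copying is the safe-mode rule: checks that only read inventory or configuration data run everywhere, while checks that would require logging in to the target are skipped for PLCs, which can stall or crash when probed.

```python
"""Safe-mode configuration assessment over a constructed ICS host inventory.

Added example, not MaxPatrol code. Passive checks read inventory data only;
the credential check counts as active (a real scanner would have to log in)
and is skipped for PLCs when safe_mode is on.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Services the deck reports as routinely found on SCADA hosts ("standard protocols").
RISKY_SERVICES: Dict[str, str] = {
    "telnet": "cleartext remote administration",
    "smb": "CIFS/SMB file sharing",
    "rpc": "RPC endpoint",
    "http": "web-based HMI or management interface",
}
# Zones that should never have a direct path into the control network.
UNTRUSTED_ZONES: Set[str] = {"corporate", "internet"}
# Constructed sample of default passwords; a real checklist is vendor specific.
DEFAULT_PASSWORDS: Set[str] = {"", "admin", "password", "1234"}


@dataclass
class Host:
    name: str
    role: str                          # "plc", "hmi", "scada_server", "engineering"
    reachable_from: Set[str]           # network zones with a path to this host
    services: Dict[str, int]           # service name -> TCP port
    missing_patches: int = 0
    kiosk_mode: Optional[bool] = None  # HMI stations only
    admin_password: Optional[str] = None
    antivirus: Optional[bool] = None


@dataclass
class Finding:
    host: str
    severity: str   # "high", "medium" or "info"
    check: str
    detail: str


def assess_host(host: Host, safe_mode: bool = True) -> List[Finding]:
    """Run the checks against one host description and return the findings."""
    found: List[Finding] = []
    # Exposure: the "isolated network" myth from slide 12, checked against the inventory.
    exposed = host.reachable_from & UNTRUSTED_ZONES
    if exposed:
        found.append(Finding(host.name, "high", "exposure",
                             "reachable from " + ", ".join(sorted(exposed))))
    # Standard protocols that enlarge the attack surface of a control host.
    for svc in sorted(host.services):
        if svc in RISKY_SERVICES:
            found.append(Finding(host.name, "medium", "service",
                                 f"{svc}/{host.services[svc]}: {RISKY_SERVICES[svc]}"))
    if host.missing_patches:
        found.append(Finding(host.name, "medium", "patching",
                             f"{host.missing_patches} missing security patches"))
    # HMI-specific configuration checks (kiosk mode, antivirus/HIPS).
    if host.role == "hmi":
        if host.kiosk_mode is False:
            found.append(Finding(host.name, "high", "kiosk", "HMI kiosk mode disabled"))
        if host.antivirus is False:
            found.append(Finding(host.name, "medium", "antivirus", "no antivirus/HIPS"))
    # Safe mode: never run active (login-based) checks against a PLC.
    if safe_mode and host.role == "plc":
        found.append(Finding(host.name, "info", "safe-mode",
                             "active credential checks skipped"))
    elif host.admin_password is not None and host.admin_password in DEFAULT_PASSWORDS:
        found.append(Finding(host.name, "high", "password", "default or empty admin password"))
    return found


def assess_inventory(hosts: List[Host], safe_mode: bool = True) -> List[Finding]:
    return [f for h in hosts for f in assess_host(h, safe_mode)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory; none of these are real assets.
SAMPLE: List[Host] = [
    Host("plc-01", "plc", {"control"}, {"modbus": 502, "http": 80}, admin_password=""),
    Host("hmi-01", "hmi", {"control", "corporate"}, {"smb": 445, "telnet": 23},
         missing_patches=12, kiosk_mode=False, antivirus=False, admin_password="admin"),
    Host("eng-01", "engineering", {"control"}, {"smb": 445}, missing_patches=3,
         admin_password="Xk9!v-long-random"),
]

if __name__ == "__main__":
    results = assess_inventory(SAMPLE)
    for f in results:
        print(f"{f.host:8} {f.severity:6} {f.check:10} {f.detail}")
    print(summarize(results))
```

Running it in the default safe mode reports the PLC's web interface but records only an informational note in place of the credential check; rerunning with `safe_mode=False` turns that note into a high-severity default-password finding, which is the trade-off the "predefined (safe mode) assessment" on slide 34 is making.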
  35. MES/ERP: the best in vulnerability and compliance assessment of ERP systems
      • Support for SAP NetWeaver and Oracle EBS
      • Complete analysis at the OS/DBMS/application levels
      • Black-box and white-box vulnerability checks
      • SAP Notes and OEBS patch checks
      • Configuration analysis
      • SAP Security Guide compliance
  36. NERC Critical Infrastructure Protection compliance
      • CIP-002-1 Critical Cyber Asset Identification: hardware and software discovery, network and system asset inventory
      • CIP-003-1 Security Management Controls: built-in configuration compliance checklists, automated vulnerability assessment
      • CIP-005-1 Electronic Security Perimeter(s): control of network security via network scans and configuration checks
  37. NERC Critical Infrastructure Protection compliance (continued)
      • CIP-007-1 Systems Security Management: automated assessment of security controls (antivirus, SIEM, firewall, etc.)
      • CIP-008-1 Incident Reporting and Response Planning: control of risky configurations and compromise detection
  38. Key features: flexibility and integration with asset management, help desk ticketing, risk management, patch management, SIM/SIEM, IPS and WAF, penetration testing, NAC/NAP
  39. Positive Services for SCADA
  40. Positive Services
      • ICS infrastructure security audit: complex assessment of technical and organizational security means. From PLC to ERP. From pentest to checklists.
      • SCADA application security assessment: deep technical inspection of SCADA security at the network, OS, database and application levels
      • Security policy and configuration checklist development
      • Vulnerability and compliance management process implementation
  41. Summary: the Positive Technologies approach
      • Research: to understand vulnerabilities and find new ones
      • Audit: to discover risks and select countermeasures
      • Automate: vulnerability and compliance management with MaxPatrol
      • Control: security process efficiency
      • Consolidate: vendors, researchers and customers to create safe ICS/SCADA infrastructure and solutions
  42. Thanks! Questions?