SlideShare a Scribd company logo

Master Serial Killer - DEF CON 22 - ICS Village

Download as PPTX, PDF
Chris Sistrunk
Chris Sistrunk

Updated slides on Master Serial Killer from Adam Crain and Chris Sistrunk's research on ICS Protocol Vulnerabilities called Project Robus, the Aegis Fuzzer, and mitigations of these vulnerabilities.

Software
1 of 56
Master Serial Killer Chris Sistrunk PE, Mandiant Adam Crain, Automatak
About Us Chris Sistrunk, PE • Electrical Engineer • SCADA Expert • Loves Security • DNP3 Member • Button Pusher Adam Crain • Software Engineer • OSS Advocate • openDNP3 Author • DNP3 Member • Code Monkey
How I Audit SCADA systems http://securityreactions.tumblr.com/post/30866100673/how-i-audit-scada-systems
ICS/SCADA Security • ICS/SCADA lags IT by 10-15 years • 708 SCADA-related vulns on OSVDB.org since 2011. “Like kicking a puppy” • Positive vs. Negative Testing: The front yard is mowed, but the back yard is overgrown.
Software Testing
When you scan ICS with nmap
SCADA Protocol Vuln Research We chose to focus on popular SCADA protocols Fuzzers did exist, but only tested server side Serial had not been fuzzed before (that we know of) We chose to use Responsible Disclosure • Inform the vendor, then ICS-CERT, DNP3 UG • Worked with the vendor to help them replicate and begin further negative testing
Project Robus • Latin for “bulwark” • Started in April 2013 • 24 advisories / 30 tickets • 22 DNP3, 1 Modbus, 1 Telegyr 8979 www.automatak.com/robus www.automatak.com/aegis
Fuzzing Master Stations • Referenced in Nat’l SCADA Test Bed reports but no data available • Wurldtech & Spirent (Mu Dynamics) don’t fuzz the master side of ICS protocols…………..yet Master Slave
Fuzzing Master Stations DNP3 Application Function Code 0x82 • If the Master Station has Unsol enabled, it must accept messages from its RTUs at any time • Design of System must be fine tuned...or else DNP3 Outstation Unsolicited Response Storm • If the Master parser has problem with one message, you can imagine the problems with many many messages
Serial Fuzzing All the security focus has been on ethernet networks, but many ICS, especially SCADA, still utilize serial networks. • DNP3 is same! (unlike Modbus) • Impact to NERC/CIP v3 & v5 Physical Security (discuss later) • Pole-mounted RTUs • PQ Meters, etc
DNP3 (IEEE 1815-2012) Primer DNP3 is a SCADA protocol used by almost all of the electric utilities and some water in North America, Australia, and the UK. Created in 1990s and turned over to DNP3 UG in 1993. One of the few ICS protocols that has secure auth. SCADA Master RTU with I/O
Breaking Down DNP3 TCP 20000 TCP 19999 (TLS) UDP 20000 Ref from IEEE Std 1815-2012
Courtesy of
Vendor Response Matrix ICS-CERT Adv Company Protocol Bug Fix Days Advisory ICSA-13-161-01 IOServer DNP3 4/24 5/24 30 6/10/2013 ICSA-13-213-03 IOServer DNP3 5/1 7/20 80 8/1/2013 ICSA-13-219-01 SEL DNP3 5/1 5/30 29 8/7/2013 ICSA-13-226-01 Kepware DNP3 4/24 6/18 55 8/14/2013 ICSA-13-234-02 TOP Server DNP3 4/24 6/18 55 8/22/2013 ICSA-13-240-01 TMW DNP3 4/24 6/17 54 8/28/2013 ICSA-13-213-04A Matrikon DNP3 4/24 6/17 54 8/29/2013 ICSA-13-252-01 Subnet DNP3 4/24 8/30 128 9/9/2013 ICSA-13-282-01 Alstom DNP3 4/24 6/4 41 10/21/2013 ICSA-13-297-01 Catapult DNP3 4/24 10/1 160 11/22/2013 ICSA-13-297-02 GE IP DNP3 Self Report 10/1 n/a 11/22/2013 ICSA-13-337-01 Elecsys DNP3 9/12 11/4 53 12/3/2013 ICSA-13-346-02 Cooper OPC DNP3 7/31 None ∞day™ 12/12/2013 ICSA-13-346-01 Cooper/Cybectec DNP3 5/1 12/12 225 12/12/2013 ICSA-13-352-01 Novatech DNP3 5/1 9/5 127 12/18/2013 ICSA-14-014-01 Schneider DNP3 8/6 8/23 17 1/14/2014 ICSA-14-100-01 IOServer Modbus 2/6 3/4 26 4/10/2014 ICSA-14-154-01 COPA-DATA DNP3 Self Report using Aegis! n/a 6/3/2014 ICSA-14-196-01 Subnet TG8979 4/18 6/18 61 7/31/2014
Vendor Response • Most of the vendors were very pleased • A few were not >> head in the sand • Some had never done negative testing • Nearly all devices and hosts with DNP3 were affected, so it was an industry-wide wakeup call.
White Noise Fuzzing #1 random == really “dumb”
Template (mutational) Fuzzing
Generational “Smart” Fuzzing
Multi-field Anomalies
Generational == most vulns!
The Aegis ICS Fuzzing Framework • We decided that we needed to release our fuzzing framework tool as open source. • Open source security tools have a proven track record of raising security (hello MSF!) • We do encourage people to join our efforts to add more protocols to Aegis
Aegis Specifics • Version 0.1.x in Scala www.scala-lang.org • Current version (private release) in C# • Protocol boundary conditions • Abstracts physical layer • Combines aspects of generation and mutation • Repeatable random seeds • ~500,000 test cases with one seed
Test DNP3 Message (DL, TL, or AL) Request Link States Link Status x Num Test Cases Request Response x Num Retry (10) Fuzzer Test Flow
I 0x0564 U... Y U NO 0x0564 ME BAK ?!
Combinatorics val nums = List(1, 3) val colors = List(“red”,”green”) // repeat the reversed string num times def combine(i: Int, s: String) = List.fill(i)(s.reverse).mkString val result = Cartesian.Transform(colors,nums)(combine) What is result?
Lazy Generator // val nums = List(1, 3) // val colors = List(“red”,”green”) > result.foreach(println) der derderder neerg neergneergneerg
{ frames } = f (byte,Type) {byte} = f (bool, bool, int) {Type} = f (.....) { true, false } { true, false } { 0, 1, 63 } ........................... Fuzzing is O(2n)
Generators can get large! { test cases } ● Many function codes ● Many objects ● Header types ● Many field values
Types of Vulnerabilities
FA 82 00 00 01 00 02 00 00 00 00 FF FF FF FF Unsolicited Response Group 1 Variation 0 Sizeless?! 4 byte start/stop 0 4294967295 ● infinite loop ● missing data ● integer overflow? ● accepts broadcast Vuln #1
DD 82 00 00 0A 02 01 00 00 FF FF UNSOL Group 10 Variation 2 Binary Output Status 2 byte start/stop 0 65535 ● infinite loop ● missing data ● unexpected data ● integer overflow? Vuln #2
05 64 06 44 64 00 64 00 FF F2 C0 1D 0A 1 byte payload 100 100 ● transport header only ● unhandled exception unconfirmed user data CRC CRC FIR / FIN SEQ = 0 Vuln #3
Recorded Demos Video 1: a DNP3 outstation -application layer object fuzzing Video 2: a DNP3 master -unsolicited application layer fuzzing
Vuln #4 (TMW integration) DD 82 00 00 0C 01 00 00 01 rnd(11) rnd(11) Unsolicited Response Control Relay Output Block 1 byte start/stop CROB #1 CROB #2 ● buffer overrun ● not malformed! ● unexpected objects ● accepts broadcast
Vuln #5 (TMW integration) FA 82 00 00 02 02 01 01 00 FF FF Unsolicited Response Group 2 Var 2 (event) 2 byte start/stop 1 65535 ● stable infinite loop ● max range - 1 and no data ● accepts broadcast
Using Aegis
So easy…Twitter can do it
Examples Run 10 link layer test cases starting at #123 $ aegis-console -mid dnp3 -pid lfuzz -start 123 -count 10 Unsolicited response fuzzing of a master listening on default port 20000 with master address of 0 and an outstation address of 1 $ aegis-console -mid dnp3 -pid aufuzz -dest 0 -src 1 -master -listen Outstation link layer fuzzing test case #100 only $ aegis-console -mid dnp3 -pid lfuzz -start 100 -count 1 Outstation application object fuzzing against 192.168.1.55:20001 with default addressing $ aegis-console -mid dnp3 -id aofuzz -host 192.168.1.55 -port 20001
Further Aegis Development • In addition to DNP3 protocol, we’ve added Modbus and Telegyr 8979 (serial only) protocol modules to the framework. • Migrated from scala to C#. • Added a GUI • Working with vendors and other trusted researchers.
New Aegis Demo --- module: dnp3 - Test routines for the DNP3 protocol --- Procedure ids: link Fuzzing of the link layer (masters or outstations) transport Fuzzing of the transport function (masters or outstations) requests Fuzzes the application layer with malformed and unexpected requests (outstation) unsol Fuzzes the application layer with malformed and unexpected unsolicited responses (master) octetunsol Reports large numbers of 0-length octet string headers via unsolicited mode (master) octetwrite Writes large numbers of 0-length octet string headers (outstation) randrequest Fuzzes the application layer with semi-random requests (outstation) randunsol Fuzzes the application layer with semi-random unsolicited responses (master) -dest <arg>(1024)[0, 65535] link layer address of the target -src <arg>(1)[0, 65535] link layer address of the fuzzer -master <arg>(False) set the link-layer master bit for master fuzzing -retries <arg>(10)[1, none] Number of link status retries -timeout <arg>(1000)[10, none] Read timeout in milliseconds -health <arg>(LinkStatus) Type of health check to use [linkstatus, resetlink] --- module: modbus - Test routines for the Modbus protocol --- Procedure ids: request Sends malformed or unexpected requests at a Modbus slave
ICS/SCADA Defense
ICS/SCADA Defense Network Security Monitoring (do it now!) • Bro, SNORT, Wireshark can parse DNP3 & Modbus! • Deep packet inspection firewalls • Full packet capture (even serial) – 1TB y’all • Use Security Onion to monitor ICS networks http://www.liquidmatrix.org/blog/2014/07/01/is-there-a-cuckoo-in-your-control-system/ tl;dr ≥1 person, Security Onion, and an ICS Honeypot
ICS/SCADA Defense • Install patches – not quite like IT • Robust device & network configuration • Disable unused ports, protocol function codes • Whitelist apps and even traffic • DNP3 Secure Authentication v5 & TLS • Signed software/firmware
Physical Security 3/8” Mesh ASTM Grade 6 Buys extra time
What’s different about Robus? SCADA Vulns reported for a while now Adam and I aren’t security researchers • He’s a software geek…I’m an engineer • Our skills complemented each other • Both experts in DNP3 protocol, but from different angles
Some theories Why did the industry move instead of ignore? • I was an end user and we really cared! • Not just a wham-bam researcher • Respectful, tactful, responsible • We released our tool …………we weren’t going away
I’m still more worried about…
SHODAN Probably default configs • Many similar responses • Same DNP Addresses python shell >>> " ".join("%02x" % ord(i) for i in "DNP3 paste from shodan”) Unsolicited Response with Binary and Analog Data Class 1/2/3/0 Poll!!! https://ics-radar.shodan.io/ https://maps.shodan.io/
Conclusions • DNP3 is not a special case, other protocols same fate Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP… • Early testing both slave/server AND master/client sides of protocols are important! • Compliance != Security, but the culture is important • Don’t have to be a nation/state or large firm to do this • A few good folks can make a difference in the industry
Questions? @jadamcrain @chrissistrunk

Recommended

Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 

Recommended

Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA SecurityNarinrit Prem-apiwathanokul
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?EnergySec
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!EnergySec
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended Larry Vandenaweele
 
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2David Spinks
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systemsPeter Wood
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Digital Bond
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]qqlan
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Manuel Santander
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Industrial Control System Security Overview
Industrial Control System Security OverviewIndustrial Control System Security Overview
Industrial Control System Security Overviewpgmaynard
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
 
DHS ICS Security Presentation
DHS ICS Security PresentationDHS ICS Security Presentation
DHS ICS Security Presentationguest85a34f
 
Painting a Company Red and Blue
Painting a Company Red and BluePainting a Company Red and Blue
Painting a Company Red and BlueIftach Ian Amit
 
Mental Relaxation
Mental RelaxationMental Relaxation
Mental RelaxationBOL Advisory Group
 

More Related Content

What's hot

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?EnergySec
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!EnergySec
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended Larry Vandenaweele
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systemsPeter Wood
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Digital Bond
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]qqlan
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Manuel Santander
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Industrial Control System Security Overview
Industrial Control System Security OverviewIndustrial Control System Security Overview
Industrial Control System Security Overviewpgmaynard
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
 
DHS ICS Security Presentation
DHS ICS Security PresentationDHS ICS Security Presentation
DHS ICS Security Presentationguest85a34f
 

What's hot (20)

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA Security
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
 
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systems
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
Industrial Control System Security Overview
Industrial Control System Security OverviewIndustrial Control System Security Overview
Industrial Control System Security Overview
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
 
DHS ICS Security Presentation
DHS ICS Security PresentationDHS ICS Security Presentation
DHS ICS Security Presentation
 

Viewers also liked

Painting a Company Red and Blue
Painting a Company Red and BluePainting a Company Red and Blue
Painting a Company Red and BlueIftach Ian Amit
 
Are You a Serial Killer?
Are You a Serial Killer?Are You a Serial Killer?
Are You a Serial Killer?slrevare
 
Le pentest face au droit - Cyber@Hack 2015
Le pentest face au droit - Cyber@Hack 2015Le pentest face au droit - Cyber@Hack 2015
Le pentest face au droit - Cyber@Hack 2015Benjamin Benifei
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testingecmee
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
Serial Killers Psychology Presentation
Serial Killers Psychology PresentationSerial Killers Psychology Presentation
Serial Killers Psychology PresentationPietro Solda
 

Viewers also liked (8)

Painting a Company Red and Blue
Painting a Company Red and BluePainting a Company Red and Blue
Painting a Company Red and Blue
 
Mental Relaxation
Mental RelaxationMental Relaxation
Mental Relaxation
 
Are You a Serial Killer?
Are You a Serial Killer?Are You a Serial Killer?
Are You a Serial Killer?
 
Le pentest face au droit - Cyber@Hack 2015
Le pentest face au droit - Cyber@Hack 2015Le pentest face au droit - Cyber@Hack 2015
Le pentest face au droit - Cyber@Hack 2015
 
What is pentest
What is pentestWhat is pentest
What is pentest
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
Serial Killers Psychology Presentation
Serial Killers Psychology PresentationSerial Killers Psychology Presentation
Serial Killers Psychology Presentation
 

Similar to Master Serial Killer - DEF CON 22 - ICS Village

BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...aaajjj4
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayEnergySec
 
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdf
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdfBRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdf
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdfssusercbaa33
 
FPGA based 10G Performance Tester for HW OpenFlow Switch
FPGA based 10G Performance Tester for HW OpenFlow SwitchFPGA based 10G Performance Tester for HW OpenFlow Switch
FPGA based 10G Performance Tester for HW OpenFlow SwitchYutaka Yasuda
 
Pipeline hazards in computer Architecture ppt
Pipeline hazards in computer Architecture pptPipeline hazards in computer Architecture ppt
Pipeline hazards in computer Architecture pptmali yogesh kumar
 
UGM 2015: X1149 workshop
UGM 2015: X1149 workshopUGM 2015: X1149 workshop
UGM 2015: X1149 workshopInterlatin
 
Adam_Mcconnell_Revision3
Adam_Mcconnell_Revision3Adam_Mcconnell_Revision3
Adam_Mcconnell_Revision3Adam McConnell
 
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua CiscoGiai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua CiscoTran Thanh Song
 
Wireless Troubleshooting Tips using AirPcaps DFS Module Debugging
Wireless Troubleshooting Tips using AirPcaps DFS Module DebuggingWireless Troubleshooting Tips using AirPcaps DFS Module Debugging
Wireless Troubleshooting Tips using AirPcaps DFS Module DebuggingMegumi Takeshita
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadBrain IoT Project
 
DPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDSDPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDSVipin Varghese
 
HYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection WebinarHYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection WebinarEtienne Leduc
 
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 29Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2Lori Head
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 

Similar to Master Serial Killer - DEF CON 22 - ICS Village (20)

BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles Away
 
Ethernet basics
Ethernet basicsEthernet basics
Ethernet basics
 
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdf
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdfBRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdf
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdf
 
FPGA based 10G Performance Tester for HW OpenFlow Switch
FPGA based 10G Performance Tester for HW OpenFlow SwitchFPGA based 10G Performance Tester for HW OpenFlow Switch
FPGA based 10G Performance Tester for HW OpenFlow Switch
 
Pipeline hazards in computer Architecture ppt
Pipeline hazards in computer Architecture pptPipeline hazards in computer Architecture ppt
Pipeline hazards in computer Architecture ppt
 
UGM 2015: X1149 workshop
UGM 2015: X1149 workshopUGM 2015: X1149 workshop
UGM 2015: X1149 workshop
 
Adam_Mcconnell_Revision3
Adam_Mcconnell_Revision3Adam_Mcconnell_Revision3
Adam_Mcconnell_Revision3
 
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua CiscoGiai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
 
Wireless Troubleshooting Tips using AirPcaps DFS Module Debugging
Wireless Troubleshooting Tips using AirPcaps DFS Module DebuggingWireless Troubleshooting Tips using AirPcaps DFS Module Debugging
Wireless Troubleshooting Tips using AirPcaps DFS Module Debugging
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges Ahead
 
DPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDSDPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDS
 
HYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection WebinarHYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection Webinar
 
Thesis
ThesisThesis
Thesis
 
Thesis
ThesisThesis
Thesis
 
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 29Tuts.Com New CCNA 200-120 New CCNA New Questions 2
9Tuts.Com New CCNA 200-120 New CCNA New Questions 2
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
200-301-demo.pdf
200-301-demo.pdf200-301-demo.pdf
200-301-demo.pdf
 
Cisco 200-301 Exam Dumps
Cisco 200-301 Exam DumpsCisco 200-301 Exam Dumps
Cisco 200-301 Exam Dumps
 

More from Chris Sistrunk

Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Chris Sistrunk
 
BSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookBSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookChris Sistrunk
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueChris Sistrunk
 
BSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next DecadeBSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next DecadeChris Sistrunk
 
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachS4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachChris Sistrunk
 
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridDerbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridChris Sistrunk
 
BSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - KeynoteBSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - KeynoteChris Sistrunk
 
Advanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat AnalysisAdvanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat AnalysisChris Sistrunk
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
 
BSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS securityBSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS securityChris Sistrunk
 

More from Chris Sistrunk (11)

Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023
 
BSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security PlaybookBSidesAugusta 2022 - The Power of the OT Security Playbook
BSidesAugusta 2022 - The Power of the OT Security Playbook
 
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs BlueBlack Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue
 
BSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next DecadeBSidesHSV 2020 - Keynote - 2030: The Next Decade
BSidesHSV 2020 - Keynote - 2030: The Next Decade
 
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management ApproachS4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
S4x20 - Tuning ICS Security Alerts: An Alarm Management Approach
 
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the GridDerbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
Derbycon 8 - We Are the Artillery: Using Google Fu to Take Down the Grid
 
BSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - KeynoteBSidesJackson 2017 - Chris Sistrunk - Keynote
BSidesJackson 2017 - Chris Sistrunk - Keynote
 
Advanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat AnalysisAdvanced Persistent Dads - Threat Analysis
Advanced Persistent Dads - Threat Analysis
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
BSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS securityBSidesAugusta 2015 - How to get into ICS security
BSidesAugusta 2015 - How to get into ICS security
 
Dolla Dolla Bump Key
Dolla Dolla Bump KeyDolla Dolla Bump Key
Dolla Dolla Bump Key
 

Recently uploaded

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 

Recently uploaded (20)

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 

Master Serial Killer - DEF CON 22 - ICS Village

  • 1. Master Serial Killer Chris Sistrunk PE, Mandiant Adam Crain, Automatak
  • 2. About Us Chris Sistrunk, PE • Electrical Engineer • SCADA Expert • Loves Security • DNP3 Member • Button Pusher Adam Crain • Software Engineer • OSS Advocate • openDNP3 Author • DNP3 Member • Code Monkey
  • 3.
  • 4. How I Audit SCADA systems http://securityreactions.tumblr.com/post/30866100673/how-i-audit-scada-systems
  • 5. ICS/SCADA Security • ICS/SCADA lags IT by 10-15 years • 708 SCADA-related vulns on OSVDB.org since 2011. “Like kicking a puppy” • Positive vs. Negative Testing: The front yard is mowed, but the back yard is overgrown.
  • 7. When you scan ICS with nmap
  • 8. SCADA Protocol Vuln Research We chose to focus on popular SCADA protocols Fuzzers did exist, but only tested server side Serial had not been fuzzed before (that we know of) We chose to use Responsible Disclosure • Inform the vendor, then ICS-CERT, DNP3 UG • Worked with the vendor to help them replicate and begin further negative testing
  • 9. Project Robus • Latin for “bulwark” • Started in April 2013 • 24 advisories / 30 tickets • 22 DNP3, 1 Modbus, 1 Telegyr 8979 www.automatak.com/robus www.automatak.com/aegis
  • 10.
  • 11. Fuzzing Master Stations • Referenced in Nat’l SCADA Test Bed reports but no data available • Wurldtech & Spirent (Mu Dynamics) don’t fuzz the master side of ICS protocols…………..yet Master Slave
  • 12. Fuzzing Master Stations DNP3 Application Function Code 0x82 • If the Master Station has Unsol enabled, it must accept messages from its RTUs at any time • Design of System must be fine tuned...or else DNP3 Outstation Unsolicited Response Storm • If the Master parser has problem with one message, you can imagine the problems with many many messages
  • 13. Serial Fuzzing All the security focus has been on ethernet networks, but many ICS, especially SCADA, still utilize serial networks. • DNP3 is same! (unlike Modbus) • Impact to NERC/CIP v3 & v5 Physical Security (discuss later) • Pole-mounted RTUs • PQ Meters, etc
  • 14. DNP3 (IEEE 1815-2012) Primer DNP3 is a SCADA protocol used by almost all of the electric utilities and some water in North America, Australia, and the UK. Created in 1990s and turned over to DNP3 UG in 1993. One of the few ICS protocols that has secure auth. SCADA Master RTU with I/O
  • 15. Breaking Down DNP3 TCP 20000 TCP 19999 (TLS) UDP 20000 Ref from IEEE Std 1815-2012
  • 17. Vendor Response Matrix ICS-CERT Adv Company Protocol Bug Fix Days Advisory ICSA-13-161-01 IOServer DNP3 4/24 5/24 30 6/10/2013 ICSA-13-213-03 IOServer DNP3 5/1 7/20 80 8/1/2013 ICSA-13-219-01 SEL DNP3 5/1 5/30 29 8/7/2013 ICSA-13-226-01 Kepware DNP3 4/24 6/18 55 8/14/2013 ICSA-13-234-02 TOP Server DNP3 4/24 6/18 55 8/22/2013 ICSA-13-240-01 TMW DNP3 4/24 6/17 54 8/28/2013 ICSA-13-213-04A Matrikon DNP3 4/24 6/17 54 8/29/2013 ICSA-13-252-01 Subnet DNP3 4/24 8/30 128 9/9/2013 ICSA-13-282-01 Alstom DNP3 4/24 6/4 41 10/21/2013 ICSA-13-297-01 Catapult DNP3 4/24 10/1 160 11/22/2013 ICSA-13-297-02 GE IP DNP3 Self Report 10/1 n/a 11/22/2013 ICSA-13-337-01 Elecsys DNP3 9/12 11/4 53 12/3/2013 ICSA-13-346-02 Cooper OPC DNP3 7/31 None ∞day™ 12/12/2013 ICSA-13-346-01 Cooper/Cybectec DNP3 5/1 12/12 225 12/12/2013 ICSA-13-352-01 Novatech DNP3 5/1 9/5 127 12/18/2013 ICSA-14-014-01 Schneider DNP3 8/6 8/23 17 1/14/2014 ICSA-14-100-01 IOServer Modbus 2/6 3/4 26 4/10/2014 ICSA-14-154-01 COPA-DATA DNP3 Self Report using Aegis! n/a 6/3/2014 ICSA-14-196-01 Subnet TG8979 4/18 6/18 61 7/31/2014
  • 18. Vendor Response • Most of the vendors were very pleased • A few were not >> head in the sand • Some had never done negative testing • Nearly all devices and hosts with DNP3 were affected, so it was an industry-wide wakeup call.
  • 19. White Noise Fuzzing #1 random == really “dumb”
  • 24.
  • 25. The Aegis ICS Fuzzing Framework • We decided that we needed to release our fuzzing framework tool as open source. • Open source security tools have a proven track record of raising security (hello MSF!) • We do encourage people to join our efforts to add more protocols to Aegis
  • 26. Aegis Specifics • Version 0.1.x in Scala www.scala-lang.org • Current version (private release) in C# • Protocol boundary conditions • Abstracts physical layer • Combines aspects of generation and mutation • Repeatable random seeds • ~500,000 test cases with one seed
  • 27. Test DNP3 Message (DL, TL, or AL) Request Link States Link Status x Num Test Cases Request Response x Num Retry (10) Fuzzer Test Flow
  • 28. I 0x0564 U... Y U NO 0x0564 ME BAK ?!
  • 29. Combinatorics val nums = List(1, 3) val colors = List(“red”,”green”) // repeat the reversed string num times def combine(i: Int, s: String) = List.fill(i)(s.reverse).mkString val result = Cartesian.Transform(colors,nums)(combine) What is result?
  • 30. Lazy Generator // val nums = List(1, 3) // val colors = List(“red”,”green”) > result.foreach(println) der derderder neerg neergneergneerg
  • 31. { frames } = f (byte,Type) {byte} = f (bool, bool, int) {Type} = f (.....) { true, false } { true, false } { 0, 1, 63 } ........................... Fuzzing is O(2n)
  • 32. Generators can get large! { test cases } ● Many function codes ● Many objects ● Header types ● Many field values
  • 34. FA 82 00 00 01 00 02 00 00 00 00 FF FF FF FF Unsolicited Response Group 1 Variation 0 Sizeless?! 4 byte start/stop 0 4294967295 ● infinite loop ● missing data ● integer overflow? ● accepts broadcast Vuln #1
  • 35. DD 82 00 00 0A 02 01 00 00 FF FF UNSOL Group 10 Variation 2 Binary Output Status 2 byte start/stop 0 65535 ● infinite loop ● missing data ● unexpected data ● integer overflow? Vuln #2
  • 36. 05 64 06 44 64 00 64 00 FF F2 C0 1D 0A 1 byte payload 100 100 ● transport header only ● unhandled exception unconfirmed user data CRC CRC FIR / FIN SEQ = 0 Vuln #3
  • 37. Recorded Demos Video 1: a DNP3 outstation -application layer object fuzzing Video 2: a DNP3 master -unsolicited application layer fuzzing
  • 38. Vuln #4 (TMW integration) DD 82 00 00 0C 01 00 00 01 rnd(11) rnd(11) Unsolicited Response Control Relay Output Block 1 byte start/stop CROB #1 CROB #2 ● buffer overrun ● not malformed! ● unexpected objects ● accepts broadcast
  • 39. Vuln #5 (TMW integration) FA 82 00 00 02 02 01 01 00 FF FF Unsolicited Response Group 2 Var 2 (event) 2 byte start/stop 1 65535 ● stable infinite loop ● max range - 1 and no data ● accepts broadcast
  • 42. Examples Run 10 link layer test cases starting at #123 $ aegis-console -mid dnp3 -pid lfuzz -start 123 -count 10 Unsolicited response fuzzing of a master listening on default port 20000 with master address of 0 and an outstation address of 1 $ aegis-console -mid dnp3 -pid aufuzz -dest 0 -src 1 -master -listen Outstation link layer fuzzing test case #100 only $ aegis-console -mid dnp3 -pid lfuzz -start 100 -count 1 Outstation application object fuzzing against 192.168.1.55:20001 with default addressing $ aegis-console -mid dnp3 -id aofuzz -host 192.168.1.55 -port 20001
  • 43. Further Aegis Development • In addition to DNP3 protocol, we’ve added Modbus and Telegyr 8979 (serial only) protocol modules to the framework. • Migrated from scala to C#. • Added a GUI • Working with vendors and other trusted researchers.
  • 44. New Aegis Demo --- module: dnp3 - Test routines for the DNP3 protocol --- Procedure ids: link Fuzzing of the link layer (masters or outstations) transport Fuzzing of the transport function (masters or outstations) requests Fuzzes the application layer with malformed and unexpected requests (outstation) unsol Fuzzes the application layer with malformed and unexpected unsolicited responses (master) octetunsol Reports large numbers of 0-length octet string headers via unsolicited mode (master) octetwrite Writes large numbers of 0-length octet string headers (outstation) randrequest Fuzzes the application layer with semi-random requests (outstation) randunsol Fuzzes the application layer with semi-random unsolicited responses (master) -dest <arg>(1024)[0, 65535] link layer address of the target -src <arg>(1)[0, 65535] link layer address of the fuzzer -master <arg>(False) set the link-layer master bit for master fuzzing -retries <arg>(10)[1, none] Number of link status retries -timeout <arg>(1000)[10, none] Read timeout in milliseconds -health <arg>(LinkStatus) Type of health check to use [linkstatus, resetlink] --- module: modbus - Test routines for the Modbus protocol --- Procedure ids: request Sends malformed or unexpected requests at a Modbus slave
  • 46. ICS/SCADA Defense Network Security Monitoring (do it now!) • Bro, SNORT, Wireshark can parse DNP3 & Modbus! • Deep packet inspection firewalls • Full packet capture (even serial) – 1TB y’all • Use Security Onion to monitor ICS networks http://www.liquidmatrix.org/blog/2014/07/01/is-there-a-cuckoo-in-your-control-system/ tl;dr ≥1 person, Security Onion, and an ICS Honeypot
  • 47. ICS/SCADA Defense • Install patches – not quite like IT • Robust device & network configuration • Disable unused ports, protocol function codes • Whitelist apps and even traffic • DNP3 Secure Authentication v5 & TLS • Signed software/firmware
  • 48. Physical Security 3/8” Mesh ASTM Grade 6 Buys extra time
  • 49. What’s different about Robus? SCADA Vulns reported for a while now Adam and I aren’t security researchers • He’s a software geek…I’m an engineer • Our skills complemented each other • Both experts in DNP3 protocol, but from different angles
  • 50. Some theories Why did the industry move instead of ignore? • I was an end user and we really cared! • Not just a wham-bam researcher • Respectful, tactful, responsible • We released our tool …………we weren’t going away
  • 51.
  • 52. I’m still more worried about…
  • 53.
  • 54. SHODAN Probably default configs • Many similar responses • Same DNP Addresses python shell >>> " ".join("%02x" % ord(i) for i in "DNP3 paste from shodan”) Unsolicited Response with Binary and Analog Data Class 1/2/3/0 Poll!!! https://ics-radar.shodan.io/ https://maps.shodan.io/
  • 55. Conclusions • DNP3 is not a special case, other protocols same fate Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP… • Early testing both slave/server AND master/client sides of protocols are important! • Compliance != Security, but the culture is important • Don’t have to be a nation/state or large firm to do this • A few good folks can make a difference in the industry