Vulnerability Analysis of 2013 SCADA issues
Amol Sarwate
Director of Vulnerability Labs, Qualys Inc.

Hosted by OWASP & the NYC Chapter
  1. Vulnerability Analysis of 2013 SCADA issues. Amol Sarwate, Director of Vulnerability Labs, Qualys Inc. Hosted by OWASP & the NYC Chapter.
  2. Agenda
     – SCADA components
     – 2013 Vulnerability Analysis
     – Recommendations and Proposals
  3. SCADA, DCS, ICS
  4. (image slide, no text)
  5. Accidents
     – liquid pipeline failures: http://www.ntsb.gov/doclib/safetystudies/SS0502.pdf
     – power failures: http://www.nerc.com/docs/docs/blackout/Status_Report_081104.pdf
     – other accidents: http://en.wikipedia.org/wiki/List_of_industrial_disasters
  6. Vandalism
     – vandals destroy insulators: http://www.bpa.gov/corporate/BPAnews/archive/2002/NewsRelease.cfm?ReleaseNo=297
  7. Insider
     – disgruntled employee: http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/
  8. APT
     – terrorism or espionage: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
  9. 2009 - 2013 SCADA Vulnerabilities (estimate) [chart; the per-year figures are not recoverable from the transcript]
 10. Components: Field; Control Center
 11. Acquisition: Convert parameters like light, temperature, pressure or flow to analog signals
 12. Conversion: Converts analog and discrete measurements to digital information
 13. Communication: Front end processors (FEP) and protocols; wired or wireless communication. Protocols listed: OPC, ICCP, ControlNet, BBC 7200, DCP 1, Gedac 7020, DeviceNet, DH+, ProfiBus, Tejas, DNP 3, ANSI X3.28, Modbus, TRE, UCA
 14. Presentation & Control: Control, monitor and alarming using the human machine interface (HMI)
 15. 2013 Vulnerabilities by category [chart with categories Acquisition, Conversion, Communication, Presentation & Control; the values shown are 66%, 22%, 11% and 0%, and the same chart is repeated as a sidebar on the following slides]
 16. Acquisition
     – Requires physical access
     – Field equipment does not contain process information
     – Information like "valve 16" or "breaker 9B"
     – Without process knowledge, tampering leads to nuisance disruption
 17. Emerson ROC800 Vulnerabilities
     – CVE-2013-0693: Network beacon broadcasts allow detection
     – CVE-2013-0692: OSE Debug port service
     – CVE-2013-0694: Hardcoded accounts with passwords
     – Access (CVSS v2): AV:N, AC:L, Au:N
     – Impact (CVSS v2): C:C, I:C, A:C
     – Patch available from Emerson
 18. Siemens CP 1604 / 1616 Interface Card Vulnerability
     – Siemens security advisory: SSA-628113
     – CVE-2013-0659: Open Debugging Port in CP 1604/1616, UDP port 17185
     – Access (CVSS v2): AV:N, AC:L, Au:N
     – Impact (CVSS v2): C:C, I:C, A:C
     – Patch available from Siemens
 19. Communication [chart with categories General, ModBus, DNP, C37.118, IGMP, SNMP, FTP/TFTP, SSH/SSL; the values shown, in the order they appear on the slide, are 24%, 16%, 12%, 16%, 12%, 12%, 4%, 4%]
 20. ModBus Vulnerabilities
     – CVE-2013-2784: Triangle Research Nano-10 PLC Crafted Packet Handling Remote DoS
     – CVE-2013-0699: Galil RIO-47100 PLC Crafted Modbus Packet Handling Remote DoS
     – RBS-2013-003: Schneider Electric Multiple Modbus MBAP DoS and RCE
     (pictured: Nano-10 PLC, RIO-47100 PLC)
 21. DNP Vulnerabilities
     – CVE-2013-2791: MatrikonOPC Server DNP3 Packet Handling buffer overflow
     – CVE-2013-2798: Schweitzer Real-Time Automation Controllers (RTAC) Local DoS
     – CVE-2013-2788: SUBNET SubSTATION Server DNP3 Outstation Slave Remote DoS
     – CVE-2013-2783: IOServer DNP3 Packet Handling Infinite Loop
     (pictured: Schweitzer RTAC, Matrikon OPC Server, IOServer)
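The DNP3 packet-handling bugs on this slide (a buffer overflow and an infinite loop among them) are failures to bound what a frame claims against what actually arrived. The following Python is an added example and is not the presentation's or ScadaScan's code: it implements DNP3 link-layer framing with CRC-16/DNP, builds the Reset Link request a scanner can send to confirm a DNP3 outstation is listening, and parses incoming frames with the length and CRC checks a safe receiver needs. All frame bytes are constructed for the example; the master address 1024 is an assumed illustrative value.

```python
"""DNP3 link-layer framing with CRC-16/DNP and a bounded frame parser.

Added example, not code from the presentation or from ScadaScan. Frames are
constructed here; nothing is captured from a real outstation.
"""

CRC_POLY_REFLECTED = 0xA6BC   # CRC-16/DNP polynomial 0x3D65, bit-reversed for LSB-first processing
DNP3_START = b"\x05\x64"
MAX_LINK_LENGTH = 255         # LEN field: CTRL + DEST + SRC + user data, CRCs excluded
USER_DATA_BLOCK = 16          # user data is sent in 16-byte blocks, each followed by its own CRC


def crc_dnp(data):
    """CRC-16/DNP: poly 0x3D65 reflected, init 0, final XOR 0xFFFF; check('123456789') == 0xEA82."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def _with_crc(block):
    """Append the block's CRC, transmitted least-significant byte first."""
    return block + crc_dnp(block).to_bytes(2, "little")


def build_link_frame(control, dest, src, user_data=b""):
    """Header 05 64 LEN CTRL DEST(le16) SRC(le16) CRC, then user data in CRC-protected 16-byte blocks."""
    length = 5 + len(user_data)
    if length > MAX_LINK_LENGTH:
        raise ValueError("user data too long for one link frame")
    header = DNP3_START + bytes([length, control]) + dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = _with_crc(header)
    for i in range(0, len(user_data), USER_DATA_BLOCK):
        frame += _with_crc(user_data[i:i + USER_DATA_BLOCK])
    return frame


def parse_link_frame(frame):
    """Return {control, dest, src, user_data} or raise ValueError.

    The byte count implied by LEN is checked against the buffer before any block
    is touched, so a crafted LEN can neither drive an over-read nor keep the
    block loop running past the end of the data.
    """
    if len(frame) < 10 or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 link frame")
    if crc_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("header CRC mismatch")
    length, control = frame[2], frame[3]
    if length < 5:
        raise ValueError("LEN %d below the minimum of 5" % length)
    data_len = length - 5
    full_blocks, rem = divmod(data_len, USER_DATA_BLOCK)
    expected = 10 + full_blocks * (USER_DATA_BLOCK + 2) + (rem + 2 if rem else 0)
    if len(frame) != expected:
        raise ValueError("LEN %d implies %d bytes, frame has %d" % (length, expected, len(frame)))
    dest = int.from_bytes(frame[4:6], "little")
    src = int.from_bytes(frame[6:8], "little")
    user_data = bytearray()
    pos = 10
    while pos < len(frame):
        n = min(USER_DATA_BLOCK, data_len - len(user_data))
        block = frame[pos:pos + n]
        if crc_dnp(block) != int.from_bytes(frame[pos + n:pos + n + 2], "little"):
            raise ValueError("user data CRC mismatch at offset %d" % pos)
        user_data += block
        pos += n + 2
    return {"control": control, "dest": dest, "src": src, "user_data": bytes(user_data)}


def reset_link_request(dest, src=1024):
    """Primary-to-secondary RESET_LINK: CTRL 0xC0 = DIR 1, PRM 1, function code 0. No user data."""
    return build_link_frame(0xC0, dest, src)


def is_valid_frame(frame):
    """True if parse_link_frame accepts the frame."""
    try:
        parse_link_frame(frame)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    probe = reset_link_request(1)
    print("reset link probe:", probe.hex())
    print("parsed:", parse_link_frame(probe))
    tampered = probe[:2] + b"\xff" + probe[3:]   # inflated LEN with a stale header CRC
    print("tampered frame accepted:", is_valid_frame(tampered))
```

Two things make the parser safe against the crafted-packet class on this slide: the header CRC is verified before LEN is trusted, and the frame size LEN implies is compared with the bytes present before the block loop starts, so the loop bound never depends on attacker-controlled data alone.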
 22. Security Analysis of SCADA protocols: Modbus and DNP free tool: http://code.google.com/p/scadascan/
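The Modbus advisories on slide 20 are crafted-packet DoS and MBAP-handling bugs, and ScadaScan's stated job is to identify Modbus TCP slaves. The following Python is an added example, not the presentation's or ScadaScan's code: it builds the Read Device Identification request (function 0x2B, MEI type 0x0E) a scanner would send, and parses the reply while rejecting the malformed MBAP length fields and object lengths behind crafted-packet crashes. The reply bytes, including the vendor "ExampleCo" and product "PLC-1", are constructed for the example and do not come from any real device.

```python
"""Modbus TCP identification probe and hardened response parsing.

Added example, not ScadaScan's code. The sample response is constructed for
illustration; nothing here was captured from a real PLC.
"""
import struct

MBAP_LEN = 7            # transaction id (2), protocol id (2), length (2), unit id (1)
MODBUS_PROTOCOL_ID = 0
MAX_ADU_LENGTH = 254    # largest legal length field: 253-byte PDU plus the unit id
FC_ENCAPSULATED = 0x2B
MEI_READ_DEVICE_ID = 0x0E
DEVICE_ID_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id_request(transaction_id, unit_id=1, read_code=0x01, object_id=0x00):
    """Modbus TCP ADU for Read Device Identification (basic objects, starting at object 0)."""
    pdu = bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, read_code, object_id])
    mbap = struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_mbap(adu):
    """Split an ADU into (transaction_id, unit_id, pdu), validating the MBAP header first.

    The length field must describe exactly the bytes that follow it; a value
    larger than the buffer, below the minimum, or above the protocol maximum is
    rejected instead of being used as a read length.
    """
    if len(adu) < MBAP_LEN + 1:
        raise ValueError("ADU shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if protocol_id != MODBUS_PROTOCOL_ID:
        raise ValueError("not Modbus: protocol id %d" % protocol_id)
    if not 2 <= length <= MAX_ADU_LENGTH:
        raise ValueError("MBAP length %d outside 2..%d" % (length, MAX_ADU_LENGTH))
    if length != len(adu) - 6:
        raise ValueError("MBAP length %d does not match the %d bytes present" % (length, len(adu) - 6))
    return transaction_id, unit_id, adu[MBAP_LEN:]


def parse_device_id_response(pdu):
    """Decode a Read Device Identification reply into {object name: value}.

    Returns ("exception", code) for a Modbus exception response. Each object
    length is checked against the remaining buffer before any bytes are read.
    """
    if not pdu:
        raise ValueError("empty PDU")
    fc = pdu[0]
    if fc == (FC_ENCAPSULATED | 0x80):
        if len(pdu) < 2:
            raise ValueError("truncated exception response")
        return "exception", pdu[1]
    if fc != FC_ENCAPSULATED or len(pdu) < 7 or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    count = pdu[6]          # header: FC, MEI, read code, conformity, more-follows, next id, count
    objects = {}
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("object header runs past the end of the PDU")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        pos += 2
        if pos + obj_len > len(pdu):
            raise ValueError("object %#x declares %d bytes, only %d remain" % (obj_id, obj_len, len(pdu) - pos))
        name = DEVICE_ID_OBJECTS.get(obj_id, "object_%#x" % obj_id)
        objects[name] = pdu[pos:pos + obj_len].decode("ascii", "replace")
        pos += obj_len
    if pos != len(pdu):
        raise ValueError("%d trailing bytes after the last object" % (len(pdu) - pos))
    return objects


def identify(adu):
    """MBAP validation followed by device-id decoding; returns (unit_id, result)."""
    _, unit_id, pdu = parse_mbap(adu)
    return unit_id, parse_device_id_response(pdu)


def build_sample_response(transaction_id=1, unit_id=1):
    """Constructed reply (not from a real PLC): vendor ExampleCo, product PLC-1, revision 1.0."""
    objects = [(0x00, b"ExampleCo"), (0x01, b"PLC-1"), (0x02, b"1.0")]
    body = b"".join(bytes([oid, len(val)]) + val for oid, val in objects)
    pdu = bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    return struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


def is_rejected(parser, data):
    """True if the parser raises ValueError on data; used to show the crafted-packet checks firing."""
    try:
        parser(data)
    except ValueError:
        return True
    return False


def crafted_length_rejected(adu):
    """True if a copy of adu whose MBAP length field is inflated to 0xFFFF is rejected."""
    return is_rejected(parse_mbap, adu[:4] + struct.pack(">H", 0xFFFF) + adu[6:])


if __name__ == "__main__":
    print("request:", build_read_device_id_request(0x1234).hex())
    print("reply:", identify(build_sample_response()))
    print("inflated MBAP length rejected:", crafted_length_rejected(build_sample_response()))
```

A scanner that sends this request to TCP port 502 and gets a well-formed 0x2B/0x0E reply (or even a Modbus exception with function code 0xAB) has found a Modbus TCP slave; the parser's job on the receiving side is to make sure that a reply, or a request to a PLC, whose declared lengths disagree with the bytes on the wire is dropped rather than processed.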
 23. SSH, FTP, TFTP, IGMP, SNMP
     – CVE-2013-0137: Monroe Electronics Default root SSH Key Remote Access
     – CVE-2012-4697: TURCK BL20 / BL67 FTP Service Hardcoded Admin Credentials
     – CVE-2013-2800: OSIsoft PI Interface for IEEE C37.118 Memory Corruption
     – CVE-2013-0689: Emerson RTU TFTP Server File Upload Arbitrary Code Execution
     – CVE-2013-3634: Siemens Scalance X200 IRT SNMP Command Execution
     – Korenix Multiple JetNet Switches TFTP Server Arbitrary File Creation
     – RuggedCom ROX-II IGMP Packet Saturation RSTP BPDU Prioritization Weakness
     – Korenix Multiple JetNet Switches SSL / SSH Hardcoded Private Keys
 24. Presentation & Control [chart with categories Generic, XSS, SQL Injection, Database, Generic Web, Directory & File Disclosure, CSRF, ActiveX, Crypto; the values shown, in the order they appear on the slide, are 31%, 26%, 13%, 9%, 5%, 3%, 5%, 5%, 4%]
 25. Presentation & Control
     – CVE-2013-2299: Advantech WebAccess /broadWeb/include/gAddNew.asp XSS
     – CVE-2013-0684: Invensys Wonderware Information Server (WIS) SQL Injection
     – CVE-2013-3927: Siemens COMOS Client Library Local Database Object Manipulation
     – CVE-2013-0680: Cogent DataHub Crafted HTTP Request Header Parameter Stack Overflow
     – CVE-2013-0652: General Electric (GE) Intelligent Proficy Java Remote Method Invocation
     – CVE-2008-0760: SafeNet Sentinel Protection Server HTTP Request Directory Traversal and Arbitrary File Access
     – CVE-2012-3039: Moxa OnCell Gateway Predictable SSH / SSL Connection Key Generation
     – Weidmüller WaveLine Router Web Interface config.cgi Configuration Manipulation CSRF
 26. Real world issues: Control system network connected to the corporate network or the internet
 27. Real world issues: No authentication; no per-user authentication
 28. Real world issues: Delayed patching, if any
 29. Real world issues: Default passwords; shared passwords; no password change policy
 30. Real world issues: Systems not restarted in years
 31. Real world issues: Off-the-shelf software (operating system, database, browser, web server)
 32. Real world issues: Unnecessary services
 33. Real world issues: Internal differences between IT and SCADA engineers
 34. System Wide Challenges: SCADA system long life cycle
 35. System Wide Challenges: SCADA system long life cycle; cost and difficulty of an upgrade
 36. Proposals: SCADA network auditing
 37. Proposals: Is your SCADA system exposed on the internet?
 38. Proposals: Password policy, access control and access roles
 39. Proposals: Are all services necessary?
 40. Proposals: Use secure protocols
 41. Proposals: Strategy for software update and patching
 42. Proposals: SCADA test environment
 43. Proposals: Keep up-to-date with vulnerabilities
 44. Proposals: Apply experience from IT network management
 45. ScadaScan
     – Current version: scan a network range; works with TCP/IP; identifies Modbus TCP slaves; identifies DNP 3 TCP slaves
     – Beta version: SCADA master vulnerability scanning; SNMP support; HTTP support
     – 1.0 release: user-configurable signature files; authenticated support for Windows and *nix; code cleanup
 46. Thank You. Twitter: @amolsarwate; http://code.google.com/p/scadascan/; https://community.qualys.com
