SCADA hacking industrial-scale fun

Slides for the presentation about SCADA hacking given on Hackers 2 Hackers Conference 10th edition at São Paulo, Brazil

Demo videos:
- Wago 0day DOS: https://www.youtube.com/watch?v=ACMJmXy4hSg
- Modbus Replay: https://www.youtube.com/watch?v=1pfZDiUUQHQ

Presentation Video (pt_BR)
- https://www.youtube.com/watch?v=R1snsQ_WS9Y

Transcript

  • 1. SCADA Hacking – Industrial Scale Fun. Jan Seidl
  • 2. $ whoami – About
    Full Name: Jan Seidl
    Origin: Rio de Janeiro, RJ – Brazil
    Work: CTO @ TI Safe; OpenSource contributor for PEV, Logstash; codes and snippets @ github.com/jseidl
    Features: UNIX evangelist/addict/freak (but no fanboy!); Python and C lover; coffee dependent; hates printers and social networks; proud DC Labs researcher
    Slide footer (repeated on every slide): SCADA Hacking – Industrial Scale Fun. SEIDL, Jan. Hackers 2 Hackers Conference/2013 – São Paulo, Brazil
  • 3. Agenda
    0x0 What is SCADA?
    0x1 Where is SCADA?
    0x2 Why SCADA?
    0x3 Misconceptions and Reality
    0x4 Industrial Protocols
    0x5 Pentesting SCADA systems
    0x6 Industrial Malwares, the cyberweapons
    0x7 Solutions for Industrial Control Systems Security
    0x8 Researching SCADA
    0x9 Modbus Attacks Demonstration
    0xA Questions?
  • 4. What is SCADA?
  • 5. What is NOT SCADA? Programmable Logic Controllers (PLCs)
  • 6. What is NOT SCADA? Remote Terminal Units (RTUs)
  • 7. What is NOT SCADA? Supervisory Control and Data Acquisition is not: control devices, safety devices, electric/electronic devices; a single-box solution/application; and it is not just a user interface
  • 8. What is SCADA? Supervisory Control and Data Acquisition
  • 9. What is SCADA? Supervisory Control and Data Acquisition
    Collects data and controls field equipment
    Saves historical data
    Forwards data to other devices or systems
    Provides seconds-precision measurements
  • 10. Where is SCADA?
  • 11-16. Where is SCADA? What kind of cool stuff do they control? (six picture slides)
  • 17. Why SCADA?
  • 18. Why SCADA? Do we really need computers for this?
    Equipment relies on very quick response times
    Huge amounts of data need to be collected
    Hundreds or thousands of devices need to be controlled at the same time
    Operation is almost never interrupted
  • 19. Why SCADA? Can you imagine if something goes... wrong? "Russian hydro plant accident kills 12"
  • 20. Why SCADA? Can you imagine if something goes... wrong? "Chemical plant explosion leaves 5 missing, 15 injured in China"
  • 21. Why SCADA? Can you imagine if something goes... wrong? "Hundreds of tons of toxic waste were dumped into one of the German rivers after the serious accident at a local chemical plant."
  • 22. Misconceptions and Reality
  • 23. Misconceptions and Reality: Do automation guys think they are in danger?
  • 24. First, the misconceptions... "SCADA networks are isolated and cannot be accessed over the Internet"
  • 25. First, the misconceptions... "We use proprietary/custom systems, protocols and equipment, thus we cannot be hacked"
  • 26. First, the misconceptions... "HMI/some-control-software has limited functionality and/or restrictions so it cannot be abused"
  • 27. And my opinion on this... (picture slide)
  • 28. And now comes reality... All industrial networks are connected somehow to the Internet or the corporate network: integration software (ERP/MES), phone/modem/3G abuse, equipment misconfiguration (switches, routers, firewalls), removable media abuse, remote access (VPN, RDP, VNC)
  • 29. And now comes reality... Most networks are operated by automation staff with no or low IT knowledge: they commit security abuses/incidents, keep an unsafe computer operation posture [games, internet browsing, downloading stuff], are careless about infosec, and just want the job done
  • 30. And now comes reality... Most networks and servers are managed by IT staff with low to no knowledge about industrial protocols, attack impacts, software operation and overall ICS security, who commit several mistakes configuring equipment
  • 31. And now comes reality... 99.9% of plants can be easily hacked: common OSs (Windows, Linux...), common/open protocols (HTTP, Telnet, Modbus), and all the same common bugs from IT: weak/hardcoded passwords, silly application vulns, unpatched stuff
  • 32. And now comes reality... (picture slide)
  • 33. Industrial Protocols
  • 34. Industrial Protocols: current common market protocols
    CIP – Common Industrial Protocol, EtherNet/IP
    Profinet, S3/5/7
    CC-Link
    Modbus
  • 35. Industrial Protocols: Modbus
    Very simple plaintext protocol
    Created in the 70s by Modicon
    Used by many vendors
  • 36. Industrial Protocols: Modbus. No authentication + no encryption + no validation = HA-HA security level
  • 37. Industrial Protocols: Modbus common architecture (figure)
  • 38. Industrial Protocols: Modbus protocol structure. Standard port tcp/502
  • 39. Industrial Protocols: Modbus protocol structure (figure)
  • 40. Industrial Protocols: Modbus function codes (figure)
  • 41. Industrial Protocols: Modbus function codes (the ones we care about)
    Read/Write Coils and Registers (mess up stuff) [lots]
    Read/Write File Records [20, 21]
    Device Fingerprinting & Diagnostics [43, 17, 8]
    + Modbus supports user-defined functions!
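The MBAP header (tcp/502) and the function codes these slides list, decoded by a small Python parser. This is an added example, not code from the talk or from any tool on the slides; the sample frames are constructed, and the read / write / diagnostic / user-defined grouping follows the public function code list in the Modbus Application Protocol specification.

```python
import struct
from dataclasses import dataclass

# Public function codes from the Modbus Application Protocol specification,
# grouped by what they let a client do to the device.
READ_FUNCS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 20: "Read File Record", 24: "Read FIFO Queue",
}
WRITE_FUNCS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    21: "Write File Record", 22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
DIAG_FUNCS = {
    7: "Read Exception Status", 8: "Diagnostics", 11: "Get Comm Event Counter",
    12: "Get Comm Event Log", 17: "Report Server ID",
    43: "Encapsulated Interface Transport (MEI 14 = Read Device Identification)",
}
# Ranges the specification reserves for user-defined functions.
USER_DEFINED = set(range(65, 73)) | set(range(100, 111))

MBAP_LEN = 7       # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU_LEN = 260  # 7-byte MBAP header + 253-byte PDU


class ModbusParseError(ValueError):
    """Raised for frames that are not well-formed Modbus/TCP."""


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int   # exception bit (0x80) cleared
    is_exception: bool   # True for an exception response
    category: str        # read / write / diagnostic / user-defined / unknown
    name: str
    data: bytes          # PDU bytes after the function code


def classify(fc):
    """Map a function code to a coarse category and its spec name."""
    if fc in READ_FUNCS:
        return "read", READ_FUNCS[fc]
    if fc in WRITE_FUNCS:
        return "write", WRITE_FUNCS[fc]
    if fc in DIAG_FUNCS:
        return "diagnostic", DIAG_FUNCS[fc]
    if fc in USER_DEFINED:
        return "user-defined", f"User-defined function {fc}"
    return "unknown", f"Function {fc}"


def parse_modbus_tcp(frame):
    """Decode one ADU, validating the MBAP header before trusting the PDU."""
    if len(frame) < MBAP_LEN + 1:
        raise ModbusParseError("frame shorter than MBAP header plus function code")
    if len(frame) > MAX_ADU_LEN:
        raise ModbusParseError(f"{len(frame)}-byte ADU exceeds the {MAX_ADU_LEN}-byte limit")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ModbusParseError(f"protocol id {pid} is not Modbus (expected 0)")
    # The MBAP length field counts unit id + function code + data.
    if length != len(frame) - 6:
        raise ModbusParseError(f"MBAP length {length} disagrees with {len(frame) - 6} bytes present")
    raw_fc = frame[MBAP_LEN]
    is_exception = bool(raw_fc & 0x80)
    fc = raw_fc & 0x7F
    if fc == 0:
        raise ModbusParseError("function code 0 is invalid")
    data = frame[MBAP_LEN + 1:]
    if is_exception and len(data) != 1:
        raise ModbusParseError("exception response must carry exactly one exception code byte")
    category, name = classify(fc)
    return ModbusFrame(tid, uid, fc, is_exception, category, name, data)


def describe(f):
    """One-line summary; decodes the address fields of the common read/write requests."""
    if f.is_exception:
        return f"exception response to {f.name}: code {f.data[0]:#04x}"
    if f.function_code in (1, 2, 3, 4) and len(f.data) == 4:
        addr, qty = struct.unpack(">HH", f.data)
        return f"{f.name} unit={f.unit_id} start={addr} quantity={qty}"
    if f.function_code in (5, 6) and len(f.data) == 4:
        addr, value = struct.unpack(">HH", f.data)
        return f"{f.name} unit={f.unit_id} address={addr} value={value:#06x}"
    return f"{f.name} unit={f.unit_id} data={f.data.hex()}"


# Constructed sample frames (not captured from any real device).
SAMPLE_FRAMES = {
    "read_holding":   bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    "write_register": bytes.fromhex("0002 0000 0006 01 06 0001 1234"),
    "exception":      bytes.fromhex("0002 0000 0003 01 86 02"),
    "device_ident":   bytes.fromhex("0003 0000 0005 01 2b 0e 01 00"),
}
```

Feeding every frame seen on tcp/502 through `parse_modbus_tcp` and looking at `category` is the whole trick behind the "unauthorized Modbus traffic" plots later in the deck: writes and diagnostics from a host that is not the HMI stand out immediately.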
  • 42. Pentesting SCADA systems
  • 43. Pentesting SCADA systems: Important Note. When you run tests against an industrial control system unexpected things may happen. And they happen almost every time.
  • 44. Pentesting SCADA systems (picture slide)
  • 45. Pentesting SCADA systems: Important Note. Do not test LIVE systems. Never. Ever.
  • 46. Scanning / Discovery: some tools available
    plcscan – Scans s7comm & modbus devices https://code.google.com/p/plcscan/
    modscan – Scans modbus devices https://code.google.com/p/modscan/
    Nmap – Famous network scanner http://nmap.org/
  • 47. Scanning / Discovery (cont.): Metasploit modules
    auxiliary/scanner/modbus/modbus_findunitid
    auxiliary/scanner/modbus/modbusdetect
  • 48. Scanning / Discovery: PLCscan (figure)
  • 49. Scanning / Discovery: Nmap – modbus-discover.nse (figure)
  • 50. Scanning / Discovery: Modbus Diagnostic function code (0x2B, 43) returns VendorName, ProductName, ModelName, ProductCode, MajorMinorRevision
  • 51. Data Manipulation: open-source ICS protocol libraries
    Modlib – Scapy extension [python] https://www.scadaforce.com/modbus
    Pymodbus – module [python] https://github.com/bashwork/pymodbus
    Modbus-cli – gem [ruby] https://rubygems.org/gems/modbus-cli
    S7comm – library [C, C++, C#, Delphi, Pascal, Perl, VB(A)] http://libnodave.sourceforge.net/
    OpenDNP3 – library [C++] https://code.google.com/p/dnp3/
  • 52. Data Manipulation (cont.): Metasploit modules
    auxiliary/scanner/modbus/modbusclient
    auxiliary/admin/scada/modicon_command
    auxiliary/admin/scada/igss_exec_17
    auxiliary/admin/scada/multi_cip_command
  • 53. Data Manipulation: reading and writing Modbus data
    modbus-cli <https://rubygems.org/gems/modbus-cli>
      R: modbus read <IP> <ADDR> <QTY>
      W: modbus write <IP> <ADDR> [<VAL1>,<VAL2>,<VAL3>]
    pymodclient <https://github.com/jseidl/pymodbuscli>
      R: pymodbuscli -f read_register -h <IP> <ADDR> <QTY>
      W: pymodbuscli -f write_register -h <IP> <ADDR> [<VAL1>,<VAL2>,<VAL3>]
  • 54. Data Manipulation: S7Comm Metasploit modules (not on the official tree yet) https://github.com/d1n/s7-metasploit-modules
    simatic_s7_300_command.rb / simatic_s7_300_memory_view.rb / simatic_s7_1200_command.rb
  • 55. Sniffing Traffic: Modbus – native Wireshark dissector (figure)
  • 56. Sniffing Traffic: SIEMENS S7comm – open-source Wireshark dissector plugin <http://sourceforge.net/projects/s7commwireshark/> (figure)
  • 57. Industrial Malwares
  • 58. Industrial Malwares: Stuxnet – Industrial Sabotage
  • 59. Stuxnet – Industrial Sabotage
    Discovered July 2010
    Targets Siemens WinCC systems
    Targets specific PLC models
    100 KLOC (thousands of lines of code)
  • 60. Stuxnet – Industrial Sabotage
    Sabotages centrifuges, causing malfunction or destruction
    Allegedly a sabotage plan from the USA and Israel against Iran's nuclear program
  • 61. Stuxnet – Industrial Sabotage. http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=2
  • 62. Stuxnet – Industrial Sabotage. http://www.cbsnews.com/8301-205_162-57592862/nsa-leaker-snowden-claimed-u.s-and-israel-co-wrote-stuxnet-virus/
  • 63. Stuxnet – Industrial Sabotage. http://www.symantec.com/connect/blogs/w32stuxnet-dossier
  • 64. Stuxnet – Industrial Sabotage. Exploits five vulnerabilities (of which four are 0-day)...
    LNK file bug – initial infection via USB drives/removable media http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx
    Printer Spooler – spreading http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx
    Server Service (SMB) – spreading http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
    Keyboard layout file – privilege escalation
    Task Scheduler – privilege escalation
    … and then installs a rootkit :)
  • 65. Stuxnet – Industrial Sabotage. Which can only be installed because Stuxnet used stolen valid digital certificates, from Realtek and JMicron.
  • 66. Stuxnet – Industrial Sabotage. As if this weren't enough, it creates a peer-to-peer network of infected hosts, steals intelligence, and rootkits the PLC + project files so engineers and operators won't notice.
  • 67. Industrial Malwares: Duqu – Industrial Espionage
  • 68. Duqu – Industrial Espionage
    Discovered September 2011
    Possibly derived from Stuxnet
    Objective: backdooring and data collection
    Targets ICS software and hardware vendors
  • 69. Duqu – Industrial Espionage
    Uses one Microsoft vulnerability: Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (BID 50462)
    Does not replicate on its own
    Has also used stolen signed certificates
  • 70. Industrial Malwares: Flame / Skywiper – Industrial Espionage
  • 71. Flame – Industrial Espionage
    Discovered ~May 2012
    Mostly seen in the Middle East
    About 20 MB in size
    Has Lua plugin support
    Around 20 extension modules
  • 72. Flame – Industrial Espionage
    Fingerprints countermeasure software and adapts to evade it
    Multiple encryption levels
    SQLite databases for storing collected data
    Propagates similarly to Stuxnet (LNK + Spooler)
  • 73. Flame – Industrial Espionage
    Records Skype conversations
    Keylogging + screenlogging
    Network sniffer
    Bluetooth scanning and compromise
    Most affected countries: Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
  • 74. Industrial Malwares: Gauss – Industrial Espionage
  • 75. Gauss – Industrial Espionage
    Discovered ~August 2012
    Flame + banking + nasty stuff
    Same infection schemes as Stuxnet & Flame
    Has an encrypted payload that is only run under certain circumstances
  • 76. Gauss – Industrial Espionage
    Steals passwords and cookies from the browser
    Collects and reports system configuration
    Infects other removable media
    Enumerates files and directories
  • 77. Gauss – Industrial Espionage
    Steals banking credentials from Middle East banking systems
    Steals information from social networks, instant messaging and email accounts
  • 78. Solutions for ICS Security
  • 79. Solutions for ICS Security: First of All. There is no single-box solution. Sorry :(
  • 80. First of All: security is not only on your hosts but also on your networks and personnel
  • 81. First of All: you need the best solution for each area. Each vendor has expertise in its own area and probably won't master all of them at the same time.
  • 82. So... embrace the good old defense-in-depth model (Photo credit: Sentrillion)
  • 83. So... embrace the good old defense-in-depth model (Photo credit: Sentrillion). Layers:
    Locks, cameras etc.
    Firewalls, IDPS, data diodes
    Segmentation, VLANs, port-mirrored IDS
    WAFs, strong architecture
    Encryption and access control
    Whitelisting software, HIDPS, central logging
  • 84. Network Segmentation: ISA/99 Zones and Conduits model (figure)
  • 85. Network Segmentation: proper DMZ model (figure)
  • 86. Industrial Control Systems Firewalls/IDSs, commercial solutions: Tofino Security Appliance; SIEMENS Scalance S
  • 87. Industrial Control Systems Firewalls/IDSs, commercial solutions: firewall, industrial protocol enforcer, VPN, centralized management
  • 88. Industrial Control Systems Firewalls/IDSs: open-source solutions
  • 89. SNORT SCADA IDS rules
    http://www.digitalbond.com/tools/quickdraw/
    http://blog.snort.org/2012/01/snort-292-scada-preprocessors.html
    Initially compiled by Digital Bond
    Many rules already in the SNORT main repository
    Additional rules are easy to write
  • 90. Modbus Snort IDS rules (figure)
  • 91. EtherNet/IP Snort IDS rules (figure)
  • 92. DNP3 Snort IDS rules (figure)
  • 93. Data Diodes
    Allow traffic to flow in one direction only
    Enforced by hardware: photo-resistor on one end, photo-transmitter on the other
    As it depends on hardware, no open-source solution yet :(
    Can be enforced via firewall, but not with the same efficiency
  • 94. Data Diodes: commercial solution (figure)
  • 95. White-listing Software: anti-virus, seriously? CeBIT 2013 workshop: Is anti-virus an efficient solution for industrial network protection? (short answer: no) http://slidesha.re/17AwTEd
  • 96. Monitoring: ICS networks and hosts generally operate in regular and predictable manners. Simple monitoring and plotting can help detect anomalies when they happen. [White paper] Detecting problems in industrial networks through continuous monitoring http://slidesha.re/17JyVSu
  • 97. Monitoring (plots): a service scan ($ nmap -sV 192.168.1.1); communications interception (ARP poisoning)
  • 98. Monitoring (plots): denial of service; malware infection
  • 99. Monitoring (plots): unauthorized Modbus traffic
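The monitoring idea on these slides (ICS traffic is regular, so deviations stand out) worked through in Python over a constructed request log. This is an added example by the editor, not code from the talk, Digital Bond or Snort; the host addresses, the clean baseline window and the thresholds are assumptions, and the unit-id sweep and flood checks go slightly beyond the slides by catching the scanners and the denial of service they list from request timing alone.

```python
from collections import defaultdict

# Function codes that change process state, and ones that fingerprint or
# reconfigure the device; both get a higher severity than a plain read.
STATE_CHANGING = {5, 6, 15, 16, 21, 22, 23}
DIAGNOSTIC = {7, 8, 11, 12, 17, 43}

def parse_log(text):
    """Parse 'ts src dst unit fc' lines; anything after '#' is a comment."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ts, src, dst, unit, fc = line.split()
            records.append((float(ts), src, dst, int(unit), int(fc)))
    return records

def learn_baseline(records):
    """All (client, server, unit, function) tuples seen in a window assumed clean."""
    return {(src, dst, unit, fc) for _, src, dst, unit, fc in records}

def baseline_alerts(records, baseline):
    """Alert once per tuple the baseline never saw; writes and diagnostics rank high."""
    known_clients = {src for src, _, _, _ in baseline}
    seen, alerts = set(), []
    for ts, src, dst, unit, fc in records:
        key = (src, dst, unit, fc)
        if key in baseline or key in seen:
            continue
        seen.add(key)
        if fc in STATE_CHANGING:
            sev, what = "high", "write"
        elif fc in DIAGNOSTIC:
            sev, what = "high", "diagnostic/fingerprint"
        else:
            sev, what = "medium", "read"
        who = "unknown client" if src not in known_clients else "known client, new target"
        alerts.append((ts, sev, f"{who}: {src} -> {dst} unit {unit} fc {fc} ({what}) not in baseline"))
    return alerts

def _burst_alerts(by_src, window, limit, measure, label):
    """Sliding window per source: alert once when measure(hits in window) >= limit."""
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end, hit in enumerate(hits):
            while hit[0] - hits[start][0] > window:
                start += 1
            n = measure(hits[start:end + 1])
            if n >= limit:
                alerts.append((hits[start][0], "high", f"{src}: {n} {label} within {window}s"))
                break
    return alerts

def sweep_alerts(records, window=2.0, min_units=8):
    """One source addressing many unit ids in a short window is a unit-id
    enumeration (what plcscan and modbus_findunitid do), not an HMI poll cycle."""
    by_src = defaultdict(list)
    for ts, src, _, unit, _ in records:
        by_src[src].append((ts, unit))
    return _burst_alerts(by_src, window, min_units,
                         lambda hits: len({u for _, u in hits}), "distinct unit ids (sweep)")

def rate_alerts(records, window=1.0, max_requests=20):
    """Request bursts far above the poll rate: a flood or an aggressive scanner."""
    by_src = defaultdict(list)
    for ts, src, *_ in records:
        by_src[src].append((ts,))
    return _burst_alerts(by_src, window, max_requests + 1, len, "requests (flood)")

def monitor(baseline_text, live_text):
    baseline = learn_baseline(parse_log(baseline_text))
    live = parse_log(live_text)
    return sorted(baseline_alerts(live, baseline) + sweep_alerts(live) + rate_alerts(live))

# Constructed logs (no real capture): 10.0.0.10 is the HMI, 10.0.0.11 the
# historian, 10.0.0.50/.51 are PLCs; 10.0.0.99 is a host nobody provisioned.
BASELINE_LOG = """
0.0 10.0.0.10 10.0.0.50 1 3     # HMI polls holding registers
0.5 10.0.0.10 10.0.0.50 1 16    # HMI writes setpoints
1.0 10.0.0.11 10.0.0.51 1 3     # historian reads
"""
LIVE_LOG = """
100.0 10.0.0.10 10.0.0.50 1 3
100.5 10.0.0.10 10.0.0.50 1 16
101.0 10.0.0.11 10.0.0.51 1 3
101.2 10.0.0.11 10.0.0.50 1 6   # historian has never written to this PLC
102.0 10.0.0.99 10.0.0.50 1 43  # unknown host reads device identification
102.1 10.0.0.99 10.0.0.50 1 17  # ... and the server id
103.0 10.0.0.99 10.0.0.50 1 3   # then walks unit ids 1..8 in under a second
103.1 10.0.0.99 10.0.0.50 2 3
103.2 10.0.0.99 10.0.0.50 3 3
103.3 10.0.0.99 10.0.0.50 4 3
103.4 10.0.0.99 10.0.0.50 5 3
103.5 10.0.0.99 10.0.0.50 6 3
103.6 10.0.0.99 10.0.0.50 7 3
103.7 10.0.0.99 10.0.0.50 8 3
"""
```

`monitor(BASELINE_LOG, LIVE_LOG)` returns the historian's unexpected write, the two fingerprinting requests and the unit-id sweep as high-severity alerts, with the eight sweep reads as medium; the poll cycle that matches the baseline produces nothing.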
  • 100. Educate your users. Your users don't really know the impact of using a 3G modem to check their personal email or Facebook wall. Even less that they can ruin the plant's processes by clicking on a link sent by that hot girl they've been chatting with for weeks.
  • 101. Never forget what your users mean to your security (picture slide)
  • 102. Researching SCADAResearching SCADA SCADA Hacking – Industrial Scale Fun. SEIDL, Jan Hackers 2 Hackers Conference/2013 – São Paulo, Brazil
  • 103. Researching SCADAResearching SCADA SCADA Hacking – Industrial Scale Fun. SEIDL, Jan Hackers 2 Hackers Conference/2013 – São Paulo, Brazil ALWAYS REMEMBER!!!!ALWAYS REMEMBER!!!! Do not test LIVE systems. Never. Ever.
  • 104. Researching SCADAResearching SCADA SCADA Hacking – Industrial Scale Fun. SEIDL, Jan Hackers 2 Hackers Conference/2013 – São Paulo, Brazil Gather documentationGather documentation Most protocols (even proprietary ones) have documentation available on-line Get it from manufacturer website or just freaking google it.
  • 105. Researching SCADAResearching SCADA SCADA Hacking – Industrial Scale Fun. SEIDL, Jan Hackers 2 Hackers Conference/2013 – São Paulo, Brazil Gather documentationGather documentation DNP3 Primer http://www.dnp.org/AboutUs/DNP3%20Primer%20Rev%20A.pdf Modbus Specification http://www.modbus.org/specs.php
  • 106. Researching SCADA. Sniff master-slave communication with Wireshark. It already ships dissectors for Modbus/TCP (display filter mbtcp, TCP port 502) and DNP3 (display filter dnp3, TCP port 20000), so the function codes and register addresses are decoded for you.
  • 107. Researching SCADA. Get a test-bed. Real, hardware-based: buy from the manufacturer (expensive, sometimes prohibitive) or buy from eBay (quite easy).
  • 108. Researching SCADA. Get a test-bed. Real, hardware-based (Siemens S7-300 on eBay): http://www.ebay.com/sch/i.html?_trksid=p2050601.m570.l1313.TR0.TRC0.Xs7-300&_nkw=s7-300&_sacat=0&_from=R40
  • 109. Researching SCADA. Get a test-bed. Real, hardware-based (WAGO 750 on eBay): http://www.ebay.com/sch/i.html?_odkw=s7-300&_osacat=0&_from=R40&_trksid=p2045573.m570.l1313.TR3.TRC1.A0.Xwago+750&_nkw=wago+750&_sacat=0
  • 110. Researching SCADA. Get a test-bed. Emulated, software-based: fully programmable, available in many programming languages, self-contained solutions available.
  • 111. Researching SCADA. Get a test-bed. Emulated, software-based: pymodbus library https://github.com/bashwork/pymodbus/blob/master/examples/common/synchronous-server.py

# pymodbus 1.x import paths, as used by the linked example
from pymodbus.server.sync import StartTcpServer
from pymodbus.device import ModbusDeviceIdentification
from pymodbus.datastore import ModbusSequentialDataBlock
from pymodbus.datastore import ModbusSlaveContext, ModbusServerContext

# initialize data store: 100 discrete inputs, coils, holding registers and
# input registers each, starting at address 0 and preset to 17, on one slave
store = ModbusSlaveContext(
    di = ModbusSequentialDataBlock(0, [17]*100),
    co = ModbusSequentialDataBlock(0, [17]*100),
    hr = ModbusSequentialDataBlock(0, [17]*100),
    ir = ModbusSequentialDataBlock(0, [17]*100))
context = ModbusServerContext(slaves=store, single=True)

# initialize the server information (what a Read Device Identification request returns)
identity = ModbusDeviceIdentification()
identity.VendorName = 'Pymodbus'
identity.ProductCode = 'PM'
identity.VendorUrl = 'http://github.com/bashwork/pymodbus/'
identity.ProductName = 'Pymodbus Server'
identity.ModelName = 'Pymodbus Server'
identity.MajorMinorRevision = '1.0'

# run the server you want (an unprivileged port here; real Modbus/TCP listens on 502)
StartTcpServer(context, identity=identity, address=("localhost", 5020))
  • 112. Researching SCADA. Get a test-bed. Emulated, software-based: ModSak (commercial with free trial) http://wingpath.co.uk/modbus/modsak.php
  • 113. Researching SCADA. Get some ICS software from vendors. Vendors often have trial versions on their sites. You might have to ask them for a copy, and they might not like what you'll be using it for. Be brave. Don't give up.
  • 114. Researching SCADA. Scan the crap out of it, for both equipment and software. Use network and software vulnerability scanners heavily; don't mind if devices sometimes go crazy, but scan one device at a time or you may DoS your own test-bed.
  • 115. Researching SCADA. Fuzz 'em until smoke comes out, for both equipment and software. Create fuzz model files based on the protocol documentation and see how the target handles malformed data.
  • 116. Researching SCADA. Fuzz 'em until smoke comes out. Peach fuzzer: http://peachfuzzer.com/
  • 117. Researching SCADA. Fuzz 'em until smoke comes out. Modbus PIT file for Peach Fuzzer (WIP): https://github.com/jseidl/peach-pit/blob/master/modbus/modbus.xml
  • 118. Researching SCADA. Fuzz 'em until smoke comes out. ROBUS & AEGIS Project: http://www.automatak.com/aegis/ & http://www.automatak.com/robus/
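What "create fuzz model files based on documentation" amounts to, as an added example that is not part of the original presentation and not the author's Peach PIT file: a hand-rolled Modbus/TCP fuzzer that derives its cases from the public spec the way a model file would (a valid MBAP layout, then one field at a time pushed outside its documented range), fires them at a target and, after each case, checks whether the target still answers a known-good read. The target host and port are assumptions (the defaults match the pymodbus test server on the slide above); the spec limits quoted in the comments are from the Modbus Application Protocol specification. Point it only at a test-bed.

```python
"""Spec-driven Modbus/TCP fuzzer with a liveness probe (added example)."""
import socket
import struct

READ_HOLDING_REGISTERS = 0x03
WRITE_MULTIPLE_REGISTERS = 0x10
MAX_READ_QUANTITY = 125        # spec limit for function 0x03
UNIT_ID = 1


def frame(tid, pdu, length=None, unit=UNIT_ID):
    """MBAP header + PDU.  `length` normally equals len(pdu)+1; passing
    another value is how the length-field cases are produced."""
    if length is None:
        length = len(pdu) + 1
    return struct.pack(">HHHB", tid, 0, length, unit) + pdu


def baseline():
    """Known-good request used as the liveness probe: read 1 holding register at 0."""
    return frame(0, struct.pack(">BHH", READ_HOLDING_REGISTERS, 0, 1))


def generate_cases():
    """Derive test cases from the documented field limits.  Returns [(name, bytes)]."""
    cases = []
    tid = 1
    # 1. Quantity field of function 0x03 around and beyond the 125-register limit.
    for qty in (0, 1, MAX_READ_QUANTITY, MAX_READ_QUANTITY + 1, 0x7D0, 0xFFFF):
        cases.append(("read_hr quantity=%d" % qty,
                      frame(tid, struct.pack(">BHH", READ_HOLDING_REGISTERS, 0, qty))))
        tid += 1
    # 2. MBAP length field that disagrees with the real PDU size.
    good_pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, 0, 1)
    for length in (0, 1, 5, 7, 0xFFFF):
        cases.append(("mbap length=%d (real %d)" % (length, len(good_pdu) + 1),
                      frame(tid, good_pdu, length=length)))
        tid += 1
    # 3. Write multiple registers whose byte count does not match the quantity.
    for qty, byte_count, payload in ((1, 2, b"\x00\x01"), (1, 0xFF, b"\x00\x01"),
                                     (123, 2, b"\x00\x01"), (0, 0, b"")):
        pdu = struct.pack(">BHHB", WRITE_MULTIPLE_REGISTERS, 0, qty, byte_count) + payload
        cases.append(("write_mr quantity=%d byte_count=%d" % (qty, byte_count),
                      frame(tid, pdu)))
        tid += 1
    # 4. Undefined, reserved and exception-range function codes.
    for fc in (0x00, 0x09, 0x41, 0x7F, 0x80, 0x83, 0xFF):
        cases.append(("function code 0x%02x" % fc, frame(tid, bytes([fc]) + b"\x00" * 4)))
        tid += 1
    # 5. Truncated frames: header only, and a PDU cut off after the function code.
    cases.append(("header only", struct.pack(">HHHB", tid, 0, 1, UNIT_ID)))
    cases.append(("truncated pdu", frame(tid + 1, bytes([READ_HOLDING_REGISTERS]))))
    return cases


def exchange(host, port, data, timeout=2.0):
    """Send one frame and return the response bytes (b"" on timeout or reset)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data)
            return s.recv(260)
    except (socket.timeout, OSError):
        return b""


def is_alive(host, port):
    """The target is alive if the baseline read is answered with transaction id 0."""
    resp = exchange(host, port, baseline())
    return len(resp) >= 8 and resp[:2] == b"\x00\x00"


def run(host, port):
    """Fire every case, re-check liveness after each; returns the names of the
    cases after which the target stopped answering, i.e. the ones worth a look."""
    suspects = []
    for name, data in generate_cases():
        exchange(host, port, data)
        if not is_alive(host, port):
            suspects.append(name)
            print("target went silent after: %s" % name)
    return suspects


if __name__ == "__main__":
    import sys
    # Assumed test-bed defaults: the pymodbus server from the slide above.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5020
    print("%d cases; suspects: %s" % (len(generate_cases()), run(host, port)))
```

The liveness probe after every case is the part that matters on real hardware: a PLC that wedges rarely tells you which frame did it, so the case list doubles as the log of what was sent, and the first name in `suspects` is where to start reproducing. Run it as `python fuzz.py <host> <port>` against the emulated or eBay-bought test-bed only.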
  • 119. Researching SCADA. Set up a honeypot. Put it facing the internet and learn from other attackers (caution! risky!).
  • 120. Researching SCADA. Set up a honeypot. Conpot – SCADA/ICS Honeypot: https://github.com/glastopf/conpot "The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module and a CP 443-1 which would be needed in a real setup to provide network connectivity."
  • 121. Attack Demonstration
  • 122. Questions? Please, don't be shy!
  • 123. Thanks for your time! Hope you enjoyed it! @jseidl jseidl@wroot.org http://wroot.org https://github.com/jseidl http://www.slideshare.net/jseidl http://www.linkedin.com/in/janseidl