SCADA hacking industrial-scale fun

Slides for the presentation about SCADA hacking given at the 10th edition of the Hackers 2 Hackers Conference in São Paulo, Brazil.

Demo videos:
- Wago 0day DOS: https://www.youtube.com/watch?v=ACMJmXy4hSg
- Modbus Replay: https://www.youtube.com/watch?v=1pfZDiUUQHQ

Presentation Video (pt_BR)
- https://www.youtube.com/watch?v=R1snsQ_WS9Y

SCADA hacking industrial-scale fun

  1. SCADA Hacking – Industrial Scale Fun. Jan Seidl
  2. $ whoami: About
     - Full Name: Jan Seidl
     - Origin: Rio de Janeiro, RJ – Brazil
     - Work:
       - CTO @ TI Safe
       - OpenSource contributor for: PEV, Logstash
       - Codes and snippets @ github.com/jseidl
     - Features:
       - UNIX Evangelist/Addict/Freak (but no fanboy!)
       - Python and C lover
       - Coffee dependent
       - Hates printers and social networks
       - Proud DC Labs Researcher
     SCADA Hacking – Industrial Scale Fun. SEIDL, Jan. Hackers 2 Hackers Conference/2013 – São Paulo, Brazil
  3. Agenda
     - 0x0 What is SCADA?
     - 0x1 Where is SCADA?
     - 0x2 Why SCADA?
     - 0x3 Misconceptions and Reality
     - 0x4 Industrial Protocols
     - 0x5 Pentesting Scada systems
     - 0x6 Industrial Malwares, the cyberweapons
     - 0x7 Solutions for Industrial Control Systems Security
     - 0x8 Researching SCADA
     - 0x9 Modbus Attacks Demonstration
     - 0xA Questions?
  4. What is SCADA?
  5. What is NOT SCADA? Programmable-Logic Controllers (PLCs)
  6. What is NOT SCADA? Remote Terminal Units (RTUs)
  7. What is NOT SCADA? Supervisory Control and Data Acquisition
     - Control devices, safety devices, electric/electronic devices
     - Single-box solution/application
     - Not just a user interface
  8. What is SCADA? Supervisory Control and Data Acquisition
  9. What is SCADA? Supervisory Control and Data Acquisition
     - Collects data and controls field equipment
     - Saves historical data
     - Forwards data to other devices or systems
     - Provides seconds-precision measurements
  10. Where is SCADA?
  11. Where is SCADA? What kind of cool stuff do they control?
  12. Where is SCADA? What kind of cool stuff do they control?
  13. Where is SCADA? What kind of cool stuff do they control?
  14. Where is SCADA? What kind of cool stuff do they control?
  15. Where is SCADA? What kind of cool stuff do they control?
  16. Where is SCADA? What kind of cool stuff do they control?
  17. Why SCADA?
  18. Why SCADA? Do we really need computers for this?
     - Equipment relies on very quick response times
     - Huge amount of data needs to be collected
     - Hundreds, thousands of devices need to be controlled at the same time
     - Operation is almost never interrupted
  19. Why SCADA? Can you imagine if something goes... wrong?
     - Russian hydro plant accident kills 12
  20. Why SCADA? Can you imagine if something goes... wrong?
     - Chemical plant explosion leaves 5 missing, 15 injured in China
  21. Why SCADA? Can you imagine if something goes... wrong?
     - Hundreds of tons of toxic waste were dumped into one of the German rivers after the serious accident at a local chemical plant.
  22. Misconceptions and Reality
  23. Misconceptions and Reality: Do automation guys think they are in danger?
  24. Misconceptions and Reality: First, the misconceptions...
     - “SCADA networks are isolated and cannot be accessed over the Internet”
  25. Misconceptions and Reality: First, the misconceptions...
     - “We use proprietary/custom systems, protocols and equipment, thus we cannot be hacked”
  26. Misconceptions and Reality: First, the misconceptions...
     - “HMI/some-control-software has limited functionality and/or restrictions so it cannot be abused”
  27. Misconceptions and Reality: And my opinion on this...
  28. Misconceptions and Reality: And now comes reality...
     - All industrial networks are connected somehow to the Internet or corporate network
     - Integration software (ERP/MES), Phone/Modem/3G abuse, Equipment misconfiguration (switches, routers, firewalls), removable media abuse, remote access (VPN, RDP, VNC)
  29. Misconceptions and Reality: And now comes reality...
     - Most networks are operated by automation staff with no or low IT knowledge
     - Commit security abuses/incidents, unsafe computer operation posture [games, internet browsing, downloading stuff], careless about infosec, just want the job done
  30. Misconceptions and Reality: And now comes reality...
     - Most networks and servers are managed by IT staff
     - Low to no knowledge about industrial protocols, attack impacts, software operation, overall ICS security, commit several mistakes configuring equipment
  31. Misconceptions and Reality: And now comes reality...
     - 99.9% of plants can be easily hacked
     - Common OS (Windows, Linux...)
     - Common/open protocols (HTTP, Telnet, Modbus)
     - All the same common bugs from IT: weak/hardcoded passwords, silly application vulns, unpatched stuff
  32. Misconceptions and Reality: And now comes reality...
  33. Industrial Protocols
  34. Industrial Protocols: Current common market protocols
     - CIP – Common Industrial Protocol, Ethernet/IP
     - Profinet, S3/5/7
     - CC-Link
     - Modbus
  35. Industrial Protocols: Modbus
     - Very simple plaintext protocol
     - Created in the 70s by Modicon
     - Used by many vendors
  36. Industrial Protocols: Modbus
     - No authentication + No encryption + No validation = HA-HA security level
  37. Industrial Protocols: Modbus, common architecture
  38. Industrial Protocols: Modbus, protocol structure
     - Standard port tcp/502
  39. Industrial Protocols: Modbus, protocol structure
  40. Industrial Protocols: Modbus, function codes
  41. Industrial Protocols: Modbus, function codes (the ones we care about)
     - Read/Write Coils and Registers (Mess up stuff) [lots]
     - Read/Write File records [20, 21]
     - Device Fingerprinting & Diagnostics [43, 17, 8]
     - + modbus supports user-defined functions!
  42. Pentesting SCADA systems
  43. Pentesting SCADA systems: Important Note
     - When you run tests against an industrial control system unexpected things may happen. And they happen almost every time.
  44. Pentesting SCADA systems
  45. Pentesting SCADA systems: Important Note
     - Do not test LIVE systems. Never. Ever.
  46. Pentesting SCADA systems: Scanning / Discovery. Some tools available:
     - plcscan – Scans s7comm & modbus devices https://code.google.com/p/plcscan/
     - modscan – Scans modbus devices https://code.google.com/p/modscan/
     - Nmap – Famous network scanner http://nmap.org/
  47. Pentesting SCADA systems: Scanning / Discovery (cont.). Metasploit Modules
     - auxiliary/scanner/modbus/modbus_findunitid
     - auxiliary/scanner/modbus/modbusdetect
  48. Pentesting SCADA systems: Scanning / Discovery. PLCscan
  49. Pentesting SCADA systems: Scanning / Discovery. Nmap – modbus-discover.nse
  50. Pentesting SCADA systems: Scanning / Discovery. Modbus Diagnostic Function code (0x2B, 43)
     - VendorName, ProductName, ModelName, ProductCode, MajorMinorRevision
  51. Pentesting SCADA systems: Data Manipulation. Opensource ICS protocol libraries
     - Modlib – Scapy Extension [python] https://www.scadaforce.com/modbus
     - Pymodbus – Module [python] https://github.com/bashwork/pymodbus
     - Modbus-cli – Gem [ruby] https://rubygems.org/gems/modbus-cli
     - S7comm – Library [C,C++,C#,Delphi,Pascal,Perl,VB(A)] http://libnodave.sourceforge.net/
     - OpenDNP3 – Library [C++] https://code.google.com/p/dnp3/
  52. Pentesting SCADA systems: Data Manipulation (cont.). Metasploit Modules
     - auxiliary/scanner/modbus/modbusclient
     - auxiliary/admin/scada/modicon_command
     - auxiliary/admin/scada/igss_exec_17
     - auxiliary/admin/scada/multi_cip_command
  53. Pentesting SCADA systems: Data Manipulation. Reading and Writing data (Modbus)
     - modbus-cli <https://rubygems.org/gems/modbus-cli>
       R: modbus read <IP> <ADDR> <QTY>
       W: modbus write <IP> <ADDR> [<VAL1>,<VAL2>,<VAL3>]
     - pymodclient <https://github.com/jseidl/pymodbuscli>
       R: pymodbuscli -f read_register -h <IP> <ADDR> <QTY>
       W: pymodbuscli -f write_register -h <IP> <ADDR> [<VAL1>,<VAL2>,<VAL3>]
  54. Pentesting SCADA systems: Data Manipulation. Metasploit Modules (not on official tree yet) (S7Comm)
     - simatic_s7_300_command.rb / simatic_s7_300_memory_view.rb / simatic_s7_1200_command.rb
     - https://github.com/d1n/s7-metasploit-modules
  55. Pentesting SCADA systems: Sniffing Traffic (Modbus)
     - Native Wireshark dissector
  56. Pentesting SCADA systems: Sniffing Traffic (SIEMENS S7comm)
     - Opensource Wireshark dissector plugin <http://sourceforge.net/projects/s7commwireshark/>
  57. Industrial Malwares
  58. Industrial Malwares: Stuxnet – Industrial Sabotage
  59. Industrial Malwares: Stuxnet – Industrial Sabotage
      • Discovered July 2010
      • Targets Siemens WinCC systems
      • Targets specific PLC models
      • 100 KLOC (thousands of lines of code)
  60. Industrial Malwares: Stuxnet – Industrial Sabotage
      • Sabotages centrifuges, causing malfunction or destruction
      • Allegedly a sabotage plan from USA and Israel against Iran's nuclear program
  61. Industrial Malwares: Stuxnet – Industrial Sabotage
      • http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=2
  62. Industrial Malwares: Stuxnet – Industrial Sabotage
      • http://www.cbsnews.com/8301-205_162-57592862/nsa-leaker-snowden-claimed-u.s-and-israel-co-wrote-stuxnet-virus/
  63. Industrial Malwares: Stuxnet – Industrial Sabotage
      • http://www.symantec.com/connect/blogs/w32stuxnet-dossier
  64. Industrial Malwares: Stuxnet – Industrial Sabotage
      Exploits five vulnerabilities (of which four are 0-day)...
      • LNK File Bug – Initial infection via USB drives/removable media: http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx
      • Printer Spooler – Spreading: http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx
      • Server Service (SMB) – Spreading: http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
      • Keyboard layout file – Privilege escalation
      • Task Scheduler – Privilege escalation
      … and then installs a rootkit :)
  65. Industrial Malwares: Stuxnet – Industrial Sabotage
      Which can only be installed because Stuxnet has stolen valid digital certificates, from Realtek and JMicron.
  66. Industrial Malwares: Stuxnet – Industrial Sabotage
      As if this weren't enough, it creates a peer-to-peer network of infected hosts, steals intelligence, and rootkits the PLC + project files so engineers and operators won't notice.
  67. Industrial Malwares: DuQu – Industrial Espionage
  68. Industrial Malwares: DuQu – Industrial Espionage
      • Discovered September 2011
      • Possibly derived from Stuxnet
      • Objective: backdooring and data collection
      • Targets ICS software and hardware vendors
  69. Industrial Malwares: DuQu – Industrial Espionage
      • Uses one Microsoft vulnerability: Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (BID 50462)
      • Does not replicate on its own
      • Has also stolen signed certificates
  70. Industrial Malwares: Flame / Skywiper – Industrial Espionage
  71. Industrial Malwares: Flame – Industrial Espionage
      • Discovered ~May 2012
      • Mostly seen in the Middle East
      • About 20 MB in size
      • Has Lua plugin support
      • Around 20 extension modules
  72. Industrial Malwares: Flame – Industrial Espionage
      • Fingerprints countermeasure software and adapts to evade it
      • Multiple encryption levels
      • SQLite databases for storing collected data
      • Propagates similarly to Stuxnet (LNK + Spooler)
  73. Industrial Malwares: Flame – Industrial Espionage
      • Records Skype conversations
      • Keylogging + screenlogging
      • Network sniffer
      • Bluetooth scanning and compromise
      • Most affected countries: Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
  74. Industrial Malwares: Gauss – Industrial Espionage
  75. Industrial Malwares: Gauss – Industrial Espionage
      • Discovered ~August 2012
      • Flame + Banking + Nasty Stuff
      • Same infection schemes as Stuxnet & Flame
      • Has an encrypted payload that is only run under certain circumstances
  76. Industrial Malwares: Gauss – Industrial Espionage
      • Steals passwords and cookies from the browser
      • Collects and reports system configuration
      • Infects other removable media
      • Enumerates files and directories
  77. Industrial Malwares: Gauss – Industrial Espionage
      • Steals banking credentials from Middle East banking systems
      • Steals information from social networks, instant messaging and email accounts
  78. Solutions for ICS Security
  79. Solutions for ICS Security: First of All
      There is no single-box solution. Sorry :(
  80. Solutions for ICS Security: First of All
      Security is not only on your hosts but also on your networks and personnel
  81. Solutions for ICS Security: First of All
      You need the best solution for each area. Each vendor has expertise in its own area and probably won't master all of them at the same time.
  82. Solutions for ICS Security: so...
      Embrace the good old defense-in-depth model (Photo credit: Sentrillion)
  83. Solutions for ICS Security: so...
      Embrace the good old defense-in-depth model (Photo credit: Sentrillion)
      • Locks, cameras etc.
      • Firewalls, IDPS, Data diodes
      • Segmentation, VLANs, port-mirrored IDS
      • WAFs, strong architecture
      • Encryption and access control
      • Whitelisting software, HIDPS, central logging
  84. Solutions for ICS Security: Network Segmentation
      • ISA/99 Zones and Conduits Model
  85. Solutions for ICS Security: Network Segmentation
      • Proper DMZ Model
  86. Solutions for ICS Security: Industrial Control Systems Firewalls/IDSs
      Commercial Solutions
      • Tofino Security Appliance
      • SIEMENS Scalance S
  87. Solutions for ICS Security: Industrial Control Systems Firewalls/IDSs
      Commercial Solutions
      • Firewall
      • Industrial Protocol Enforcer
      • VPN
      • Centralized Management
  88. Solutions for ICS Security: Industrial Control Systems Firewalls/IDSs
      OpenSource Solutions
  89. Solutions for ICS Security: SNORT SCADA IDS Rules
      • http://www.digitalbond.com/tools/quickdraw/
      • http://blog.snort.org/2012/01/snort-292-scada-preprocessors.html
      • Initially compiled by Digital Bond
      • Many rules already in the SNORT main repository
      • Additional rules are easy to write
  90. Solutions for ICS Security: Modbus
      • Snort IDS rules
  91. Solutions for ICS Security: Ether/IP
      • Snort IDS rules
  92. Solutions for ICS Security: DNP3
      • Snort IDS rules
  93. Solutions for ICS Security: Data Diodes
      • Allow traffic to flow only in one direction
      • Enforced by hardware
      • Photo-resistor on one end, photo-transmitter on the other
      • As it depends on hardware, no open-source solution yet :(
      • Can be enforced via firewall, but not with the same efficiency
  94. Solutions for ICS Security: Data Diodes
      • Commercial Solution
  95. Solutions for ICS Security: White-listing Software
      • Anti-virus, seriously?
      • CEBIT 2013 Workshop: Anti-virus are an efficient solution for industrial network protection? (short answer: no) http://slidesha.re/17AwTEd
  96. Solutions for ICS Security: Monitoring
      • ICS networks and hosts generally operate in a regular and predictable manner.
      • Simple monitoring and plotting can help detect anomalies when they happen.
      • [White paper] Detecting problems in industrial networks through continuous monitoring: http://slidesha.re/17JyVSu
  97. Solutions for ICS Security: Monitoring
      • $ nmap -sV 192.168.1.1
      • Communications interception (ARP Poisoning)
  98. Solutions for ICS Security: Monitoring
      • Denial of Service
      • Malware infection
  99. Solutions for ICS Security: Monitoring
      • Unauthorized Modbus traffic
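One way to turn the "regular and predictable" observation into a check for unauthorized Modbus traffic, as an added example that is not from the original slides: learn which (master, slave, unit, function code) combinations occur during a known-good window, then flag everything else and mark write functions. Addresses and frames are constructed sample data, and each record is assumed to hold exactly one Modbus/TCP frame.

```python
import struct
from collections import namedtuple

# Function codes that change process state: write single coil / single register,
# write multiple coils / multiple registers (Modbus application protocol spec).
WRITE_FUNCTIONS = {5, 6, 15, 16}

Request = namedtuple("Request", "src dst unit function")


def build_frame(tid, unit, pdu):
    """Wrap a PDU in an MBAP header (only used to construct sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def decode_request(src, dst, frame):
    """Return a Request for a well-formed Modbus/TCP frame, else None."""
    if len(frame) < 8:  # 7-byte MBAP header + function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return Request(src, dst, unit, frame[7])


def learn_baseline(packets):
    """Set of Request tuples seen during a known-good observation window."""
    decoded = (decode_request(*p) for p in packets)
    return {r for r in decoded if r is not None}


def detect(packets, baseline):
    """Return (src, dst, function, reason) for every request outside the baseline."""
    known_pairs = {(r.src, r.dst) for r in baseline}
    alerts = []
    for src, dst, frame in packets:
        req = decode_request(src, dst, frame)
        if req is None:
            alerts.append((src, dst, None, "malformed"))
        elif req not in baseline:
            reason = "new-function" if (src, dst) in known_pairs else "unknown-master"
            if req.function in WRITE_FUNCTIONS:
                reason += "+write"
            alerts.append((src, dst, req.function, reason))
    return alerts


# Constructed sample traffic: an HMI polling a PLC, then three deviations.
HMI, PLC, ROGUE = "10.0.0.10", "10.0.0.20", "10.0.0.99"
READ_HR = struct.pack(">BHH", 3, 0, 10)            # read 10 holding registers
READ_COILS = struct.pack(">BHH", 1, 0, 8)          # read 8 coils
WRITE_REG = struct.pack(">BHH", 6, 4, 9999)        # write single register
WRITE_REGS = struct.pack(">BHHBH", 16, 0, 1, 2, 1)  # write multiple registers

TRAINING = [(HMI, PLC, build_frame(i, 1, pdu))
            for i, pdu in enumerate([READ_HR, READ_COILS, READ_HR])]
LIVE = [
    (HMI, PLC, build_frame(10, 1, READ_HR)),        # matches the baseline
    (ROGUE, PLC, build_frame(11, 1, WRITE_REG)),    # never-seen master, write
    (HMI, PLC, build_frame(12, 1, WRITE_REGS)),     # known master, new write
    (HMI, PLC, build_frame(13, 1, READ_HR)[:9]),    # truncated frame
]

if __name__ == "__main__":
    for alert in detect(LIVE, learn_baseline(TRAINING)):
        print(alert)
```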
  100. Solutions for ICS Security: Educate your users
      • Your users don't really know the impact of using a 3G modem to check their personal email or Facebook wall
      • Even less that they can ruin the plant's processes by clicking on a link sent by that hot girl they've been chatting with for weeks
  101. Solutions for ICS Security: Never forget what your users mean to your security
  102. Researching SCADA
  103. Researching SCADA: ALWAYS REMEMBER!!!!
      Do not test LIVE systems. Never. Ever.
  104. Researching SCADA: Gather documentation
      • Most protocols (even proprietary ones) have documentation available online
      • Get it from the manufacturer's website or just freaking google it.
  105. Researching SCADA: Gather documentation
      • DNP3 Primer: http://www.dnp.org/AboutUs/DNP3%20Primer%20Rev%20A.pdf
      • Modbus Specification: http://www.modbus.org/specs.php
  106. Researching SCADA: Sniff master-slave communication with Wireshark
  107. Researching SCADA: Get a test-bed (real, hardware-based)
      • Buy from manufacturer (expensive, sometimes prohibitive)
      • Buy from eBay (quite easy)
  108. Researching SCADA: Get a test-bed (real, hardware-based)
      • http://www.ebay.com/sch/i.html?_trksid=p2050601.m570.l1313.TR0.TRC0.Xs7-300&_nkw=s7-300&_sacat=0&_from=R40
  109. Researching SCADA: Get a test-bed (real, hardware-based)
      • http://www.ebay.com/sch/i.html?_odkw=s7-300&_osacat=0&_from=R40&_trksid=p2045573.m570.l1313.TR3.TRC1.A0.Xwago+750&_nkw=wago+750&_sacat=0
  110. Researching SCADA: Get a test-bed (emulated, software-based)
      • Fully programmable
      • Available in many programming languages
      • Self-contained solutions available
  111. Researching SCADA: Get a test-bed (emulated, software-based)
      Pymodbus library: https://github.com/bashwork/pymodbus/blob/master/examples/common/synchronous-server.py

          # imports this excerpt needs (pymodbus 1.x/2.x module layout)
          from pymodbus.server.sync import StartTcpServer
          from pymodbus.device import ModbusDeviceIdentification
          from pymodbus.datastore import ModbusSequentialDataBlock
          from pymodbus.datastore import ModbusSlaveContext, ModbusServerContext

          # initialize data store: 100 entries of value 17 in each table
          store = ModbusSlaveContext(
              di = ModbusSequentialDataBlock(0, [17]*100),
              co = ModbusSequentialDataBlock(0, [17]*100),
              hr = ModbusSequentialDataBlock(0, [17]*100),
              ir = ModbusSequentialDataBlock(0, [17]*100))
          context = ModbusServerContext(slaves=store, single=True)

          # initialize the server information
          identity = ModbusDeviceIdentification()
          identity.VendorName = 'Pymodbus'
          identity.ProductCode = 'PM'
          identity.VendorUrl = 'http://github.com/bashwork/pymodbus/'
          identity.ProductName = 'Pymodbus Server'
          identity.ModelName = 'Pymodbus Server'
          identity.MajorMinorRevision = '1.0'

          # run the server you want
          # (bound to loopback on port 5020, so it is only reachable locally)
          StartTcpServer(context, identity=identity, address=("localhost", 5020))
  112. Researching SCADA: Get a test-bed (emulated, software-based)
      • ModSak (commercial with free trial): http://wingpath.co.uk/modbus/modsak.php
  113. Researching SCADA: Get some ICS software from vendors
      • Vendors often have trial versions on their sites
      • You might have to ask them for a copy
      • They might not like what you'll be using it for
      • Be brave. Don't give up.
  114. Researching SCADA: Scan the crap out of it
      • Use network and software vulnerability scanners heavily; don't mind if devices sometimes go crazy, but do one at a time or you may DoS your device
      • For both equipment and software
  115. Researching SCADA: Fuzz'em until smoke comes out
      • Create fuzz model files based on documentation
      • See how they handle malformed data
      • For both equipment and software
  116. Researching SCADA: Fuzz'em until smoke comes out
      • Peach fuzzer: http://peachfuzzer.com/
      • For both equipment and software
  117. Researching SCADA: Fuzz'em until smoke comes out
      • Modbus PIT file for Peach Fuzzer (WIP): https://github.com/jseidl/peach-pit/blob/master/modbus/modbus.xml
      • For both equipment and software
  118. Researching SCADA: Fuzz'em until smoke comes out
      • ROBUS & AEGIS Project: http://www.automatak.com/aegis/ & http://www.automatak.com/robus/
      • For both equipment and software
  119. Researching SCADA: Set up a honeypot
      • Expose it to the internet and learn from other attackers (caution! risky!)
  120. Researching SCADA: Set up a honeypot
      • Conpot – SCADA/ICS Honeypot: https://github.com/glastopf/conpot
      • “The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module and a CP 443-1 which would be needed in a real setup to provide network connectivity.”
  121. Attack Demonstration
  122. Questions?
      Please, don't be shy!
  123. Thanks for your time!
      Hope you enjoyed it!
      @jseidl | jseidl@wroot.org | http://wroot.org | https://github.com/jseidl | http://www.slideshare.net/jseidl | http://www.linkedin.com/in/janseidl