Positive Hack Days. Gurkin. Zero Day for SCADA (0-day)

Since the mass propagation of the Stuxnet worm, vulnerabilities in SCADA systems have become journalists' favorite bugbear and a nightmare for everyone who has anything to do with industry and national security.

How difficult is it to detect a vulnerability in SCADA systems? Which attack vectors are the most dangerous for such systems? How many unfixed vulnerabilities in SCADA are known so far?

The speaker will give a practical demonstration of 0-day vulnerabilities in some popular production process management systems.

Published in: Technology, Business
Transcript of "Positive Hack Days. Gurkin. Zero Day for SCADA (0-day)"

  1. Slide 1: SCADA security. Positive Hack Days. Industrial systems. Threats. GLEG ltd - SCADA+ Pack for CANVAS developer. [email_address] http://www.gleg.net
  2. Slide 2: SCADA security. Plan:
       • Attacks against SCADA: what could they look like?
       • Intro: are SCADAs accessible from the Internet...
       • Exploration: searching for vulnerable systems available from the web
       • Exploitation
       • Post-exploitation
       • Summary
  3. Slide 3: SCADA security. SCADA events timeline:
       • Before June 2010: it seems there were NO (?) real-world examples of SCADA-targeted attacks (just worm infections...)
       • June 2010: Stuxnet! The milestone in SCADA security...
       • After June 2010: hackers realized that there are accessible SCADA systems with vulns...
           • Dozens of new vulnerabilities uncovered
           • Potential risk has greatly increased
  4. Slide 4: SCADA security. SCADA ON THE WEB. THERE ARE HUNDREDS OF SCADA SYSTEMS ALREADY EXPOSED TO THE INTERNET! Let us show «banners» for two SCADA systems, and SHODAN search results for them...
  5. Slide 5: SCX SCADA. E.g. SCX SCADA: SCX ADVANCED INDUSTRIAL AUTOMATION SOFTWARE. "...the integrated SCX Web server is a standard component of the SCX product. Web Clients have access to all SCADA system functions..."
  6. Slide 6: SCX SCADA banner. 1) “SCXWebServer”
       ****************************
       HTTP/1.1 200 OK
       Content-Encoding: deflate
       Date: Tue, 14 Dec 2010 19:09:52 GMT
       Expires: Tue, 14 Dec 2010 19:09:52 GMT
       Cache-Control: no-cache
       Server: SCXWebServer/6.0      (here is the banner)
       Content-Type: text/xml
       Content-Length: 1504
       ***********************
     Search results for this:
  7. Slide 8: SCADA security. CoDeSys ENI server exploit. CoDeSys ENI server: in this case the banner looks like «ENIServer» (though there are many servers of the same kind available from different SCADA developers... all seem to be based on CoDeSys...?). Again, let's search for it on the web... and show how it could be exploited using the SCADA+ Pack 0-day exploit for CoDeSys ENI Server.
  8. Slide 10: SCADA. Video of exploitation: http://pentesting.ru/eniserver.rar
  9. Slide 11: SCADA security. Post-exploitation. Typical post-exploitation:
       • Trojan
       • Keylogger
       • Hiding activities... and waiting for login+pwd...
  10. Slide 12: SCADA security. SCADA vulns:
       • Of course there could be other vuln types... other exploration and exploitation tools and techniques...
       • Example 2:
       • A common situation for SCADA is that local access is granted without auth by default.
       • E.g. in IGSS SCADA we have the following default project settings... ("disable access control" is checked!)
  11. Slide 14: SCADA attack. This could be helpful for a hacker... you could exploit some buffer overflow, enable Rdesktop and have fun with SCADA devices.
  12. Slide 15: SCADA security. Current tools have limited functionality for SCADA... e.g. Shodan searches only ports 80, 21, 22, 161, 5060... But e.g. Realwin has vuln services on ports 910, 912. In that case you will need to search yourself... but as long as there are dozens of scanners, this is not a problem. Also you could write your own.
  13. Slide 16: ICS security. Measures. What you should know and do:
       • SCADA systems are already on the Internet...
       • One should be ready for the situation when SCADA «suddenly» becomes accessible (e.g. it is very convenient for engineers to have remote access)
       • Should minimize internal threats: end-point security + IDS
       • Keep an eye on news about SCADA vulns, especially those leading to possible remote access to SCADA functions (e.g. login/pwd theft)!
       • For SCADA it is not good to rely on local auth or database auth, or to have unauthenticated local access!
  14. Slide 17: SCADA security. Countermeasures:
       • Of course SCADA should be properly designed (hope it is so :) with redundancy, possibly involving equipment from different manufacturers, etc...
       • Some typical measures could also be helpful:
       • Security policies and personnel culture (resistance to social engineering),
       • good pwds,
       • Penetration tests
  15. Slide 18: SCADA security. Summary: We have shown that SCADA systems ARE ALREADY AVAILABLE FROM THE INTERNET... and some could be exploited right now...
  16. Slide 19: SCADA. Positive Hack Days. Thanks for your attention. [email_address] http://www.gleg.net
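
The exposure signs named in the slides (the SCXWebServer and ENIServer banners, and the Realwin ports 910 and 912) can be checked against an organization's own perimeter inventory, in line with the "be ready for SCADA suddenly becoming accessible" measure. This is an added example, not code from the presentation; the record format, the sample hosts, and treating ENIServer as an HTTP `Server` header value are assumptions.

```python
from email.parser import Parser

# Banner substrings shown in the slides (slides 6 and 8). Matching ENIServer
# in an HTTP Server header is an assumption; the slides only name the string.
SCADA_BANNERS = ("SCXWebServer", "ENIServer")
# Ports the slides name for Realwin services outside Shodan's coverage (slide 15).
WATCH_PORTS = {910, 912}

def server_banner(raw):
    """Extract the Server header from a raw HTTP response ('' if absent)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status, _, headers = head.partition("\n")
    return Parser().parsestr(headers, headersonly=True).get("Server", "").strip()

def audit(records):
    """Return (host, port, reason) for internet-facing SCADA exposure signs."""
    findings = []
    for rec in records:
        if not rec["internet_facing"]:
            continue  # internal-only services are out of scope for this check
        banner = server_banner(rec.get("response", ""))
        if any(b.lower() in banner.lower() for b in SCADA_BANNERS):
            findings.append((rec["host"], rec["port"], "SCADA banner: " + banner))
        elif rec["port"] in WATCH_PORTS:
            findings.append((rec["host"], rec["port"], "watch-list port reachable"))
    return findings

# Constructed inventory records (hypothetical format; 192.0.2.0/24 is a
# documentation address range, not a real network).
SAMPLE = [
    {"host": "192.0.2.10", "port": 80, "internet_facing": True,
     "response": "HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\n"
                 "Server: SCXWebServer/6.0\r\nContent-Type: text/xml\r\n\r\n<x/>"},
    {"host": "192.0.2.11", "port": 912, "internet_facing": True, "response": ""},
    {"host": "192.0.2.12", "port": 80, "internet_facing": True,
     "response": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},
    {"host": "192.0.2.13", "port": 80, "internet_facing": False,
     "response": "HTTP/1.1 200 OK\r\nServer: ENIServer\r\n\r\n"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
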