Positive Hack Days. Gurkin. Zero Day for SCADA (0-day)

SCADA security Positive Hack Days. Industrial systems. Threats GLEG ltd - SCADA+ Pack for CANVAS developer [email_address] http:// www.gleg.net

SCADA security Plan
Attacks against SCADA: how could it look like ?
Intro — are SCADAs accessible from Internet...
Exploration — Searching the vulnerable systems available from the web
Exploitation
Post exploitation
Summary

SCADA security SCADA — events timeline
< June 2010 — seems like there were NO (?) real world examples of SCADA targeted attacks (just worm infections ...)
June 2010 — Stuxnet! The milestone in SCADA security...
> June 2010 — Hackers realized that there are accessible SCADA systems with vulns …
Dozens of new vulnerabilities uncovered
Potential risk has greatly increased

SCADA security SCADA ON THE WEB THERE ARE HUNDREDS OF SCADA SYSTEMS ALREADY EXPOSED TO INTERNET! Let us show «banners» for two SCADA systems, And SHODAN search results for them....

SCADa SCX SCADa e.g. SCX SCADA: SCX ADVANCED INDUSTRIAL AUTOMATION SOFTWARE ...the integrated SCX Web server is a standard component of the SCX product. Web Clients have access to all SCADA system functions...

SCADA SCX SCADA banner 1) “SCXWebServer” **************************** HTTP/1.1 200 OK Content-Encoding: deflate Date: Tue, 14 Dec 2010 19:09:52 GMT Expires: Tue, 14 Dec 2010 19:09:52 GMT Cache-Control: no-cache Server: SCXWebServer/6.0 — here is banner Content-Type: text/xml Content-Length: 1504 *********************** Search results for this:

SCADA security Codesys ENI server exploit CoDeSys Eni server: In this case the banner looks like: «ENIServer» (though there are many same kind servers available from different SCADA developers... all seems to be based on codesys...?) Again, let's search it on the web ...and show how it could be exploited using SCADA+ Pack 0day exploit for CoDeSys Eni Server.

SCADA SCADA Video of exploitation: http://pentesting.ru/eniserver.rar

SCADA security Postexploitation:
Typical postexploitation:
Troyan
Keylogger
Hiding activities... and waiting
for login+pwd...

SCADA security SCADA vulns
Of course there could be other vulns types... other explore and exploitation tools and techniques...
Example 2:
Some common situation for SCADA is … that local access is granted without auth by def.
e.g. in IGSS scada we have the following default project settings.... ( disable access control is checked !)

SCADA SCADA attack This could be helpfull for hacker... you could exloit some buffer overfow, enable Rdesktop and have fun with SCADA devices

SCADA security SCADA Current tools has limited Functionality for SCADA... e.g. Shodan — searches only 80, 21, 22, 161, 5060 ports... But, e.g. Realwin has vuln services on 910, 912 port In that case you will need to search yourself... but as long as there are dozens of scanners — this is not a problem. Also you could write your own.

Безопасность АСУ Measures:
What you should know and do:
SCADA systems are already on the Internet...
One should be ready for situation when SCADA «suddenly» becomes accessible ( e.g. it is very convenient for engineers to have remote access )
Should minimize internal threats - end-point security + IDS
Keep an eye on news for scada vulns, especially those leading to possible remote access to scada functions (eg login pwd steal)!
For scada it is not good to rely on local auth, database auth, has unauth local access!

SCADA security CounterMeasures:
Of course SCADA should be properly designed (hope it is so :) with redundancy , possibly involving different manufacturers equipment etc...
Some typical measures could also be helpfull:
Security policies and culture of personel (resistance to social eng.),
good pwds,
Penetration tests

SCADA security Resume: We have shown that SCADA systems ARE ALREADY AVAILABLE FROM THE INTERNET... and some could be exploited right now...

SCADA Positive Hack Days. Thanks for your attention [email_address] http:// www.gleg.net

http://phdays.com	393
http://2011.phdays.com	227
http://www.phdays.com	53
http://phday.com	13
http://www.phday.com	2
http://twitter.com	1
http://webcache.googleusercontent.com	1

Positive Hack Days. Gurkin. Zero Day for SCADA (0-day)

by Positive Hack Days on Aug 18, 2011

Accessibility

Categories

Upload Details

Usage Rights

7 Embeds 690

Statistics

Positive Hack Days. Gurkin. Zero Day for SCADA (0-day) Presentation Transcript