Techniques of attacking ICS systems
Published in Technology, Business
Transcript

  • 1. All pictures are taken from the Dr. Strangelove movie. Alexander Timorin, Ilya Karpov, Yuri Goltsev, Sergey Gordeychik
  • 2. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence: Sergey Gordeychik, Ilya Karpov, Artem Chaykin, Dmitry Efanov, Andrey Medov, Alexander Zaitsev, Dmitry Sklyarov, Gleb Gritsai, Sergey Bobrov, Yuriy Dyachenko, Yuri Goltsev, Sergey Scherbel, Dmitry Serebryannikov, Alexander Tlyapov, Denis Baranov, Alexander Timorin, Sergey Drozdov, Vladimir Kochetkov, Timur Yunusov, Dmitry Nagibin
  • 3. Goals: to automate security assessment of ICS platforms and environment. Objectives: to understand the system; to assess built-in security features; to create security audit/hardening guides; to automate the process. Vulnerabilities – waste production
  • 4. Tilting at windmills: ICS pentest project management; Playing with networks; Rooting the PLC: don't even try; OS/DB/Application; I'm the Lord of the SCADA; Hunting the operator: ICS network "forensic"
  • 5. Industrial Team; Security Department; The One Vendor; IT Team; SI
  • 6. ICS NETWORK: absolutely unbreakable
  • 7. Typical network devices with default/crappy settings; Unpatched, old as dirt, full of junk software [malware] engineering workstations; Wireless AP with WEP (if the best happened); Low physical security; … and Industrial protocols
  • 9. Full expanse; Not blocked by firewalls/switches; Accessible between LAN segments; Works from data link to application layers; Easy to detect; Easy to intercept and analyze (but not all!). And what do we know about the protocols?
  • 10. Modbus; Profinet family; DNP3; IEC 61850-8-1 (MMS); IEC 60870-5-104 (IEC 104); Siemens S7; … and much more. And most of them are INSECURE BY DESIGN
  • 11. http://www.modbus.org/ Diagnostic functions; Read/Write data/registers/tags; Read/Write files. Toolkit: PLCSCAN by Dmitry Efanov, http://code.google.com/p/plcscan/
  • 12. IEC 61158, IEC 61784
  • 13. Profinet CBA/IO/PTCP/DCP; Ethernet type 0x8892; Exchange data in real-time cycles; Multicast discovery of devices and stations; No encryption, no auth, no security; We can change settings: name of the station, ip, netmask, gateway; We can simulate, and really DoS, PLC and HMI. Toolkit: http://scadastrangelove.blogspot.kr/2013/11/power-of-community-2013-special-release.html
  • 14. http://www.dnp.org Spread and popular. Useful info: http://www.digitalbond.com/scadapedia/protocols/dnp3/ http://blog.iec61850.com/search/label/DNP3 Secure DNP3 specification. Toolkit: coming soon…
  • 15. Manufacturing Message Specification
  • 16. ISO 9506-1:2003; Based on ISO-TSAP, TCP/102; Read/write PLC tags, variables, domains (large unstructured data, i.e. code); Start/Stop/Rewrite firmware of PLC; Read/Write/Del files and dirs; Poor security mechanism: simple method whitelist; No auth, no encryption. Toolkit: python and nmap scripts
  • 17. Python and Nmap identify scripts: https://github.com/atimorin/PoC2013/tree/master/iec-61850-8-1
  • 18. TCP/2404. HEADER: 1st byte: 0x68; 2nd byte: APDU len
  • 19. Huge list of functions, depends on the vendor's implementation: read/write tags, upload/download files, broadcast discovery of connected devices, time sync, reset process command, query log files etc.; No auth, no encryption; Poor security mechanism: ip address whitelist. Toolkit: python and nmap scripts
  • 20. Python and Nmap identify scripts: https://github.com/atimorin/PoC2013/tree/master/iec-60870-5-104
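The IEC 104 framing on slides 18 and 19 (TCP/2404, start byte 0x68, APDU length byte, no auth) is enough to build a passive monitor that recognises the protocol and flags control commands. The block below is an added example, not code from the slides or from the authors' toolkit; the frame-type bits, U-frame function codes and ASDU type ids come from the IEC 60870-5-104 standard, and the sample capture bytes are constructed.

```python
# Added example (not the authors' code): minimal IEC 60870-5-104 APCI parser
# for a passive monitor on TCP/2404. Sample bytes at the bottom are constructed.
START_BYTE = 0x68  # every APDU starts with 0x68 (slide 18)

# U-frame control functions, keyed by control octet 1
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
# ASDU type identifiers a monitor should treat as commands, not telemetry
COMMAND_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step", 100: "C_IC_NA_1 interrogation",
                 105: "C_RP_NA_1 reset process"}


def parse_apci(data: bytes) -> dict:
    """Parse one APDU (APCI + optional ASDU); raise ValueError if malformed."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    apdu_len = data[1]  # bytes after the length byte: 4 control octets + ASDU
    if not 4 <= apdu_len <= 253 or len(data) < 2 + apdu_len:
        raise ValueError(f"bad or truncated APDU length {apdu_len}")
    c1, c2, c3, c4 = data[2:6]
    asdu = bytes(data[6:2 + apdu_len])
    if c1 & 0x01 == 0:          # I-format: numbered, carries an ASDU
        return {"frame": "I", "send_seq": ((c2 << 8) | c1) >> 1,
                "recv_seq": ((c4 << 8) | c3) >> 1, "asdu": asdu,
                "command": COMMAND_TYPES.get(asdu[0]) if asdu else None}
    if c1 & 0x03 == 0x01:       # S-format: supervisory acknowledgement only
        return {"frame": "S", "recv_seq": ((c4 << 8) | c3) >> 1}
    return {"frame": "U", "function": U_FUNCTIONS.get(c1, f"0x{c1:02x}")}


def iter_apdus(stream: bytes):
    """Split a TCP payload into consecutive APDUs (several may share a segment)."""
    pos = 0
    while pos < len(stream):
        yield parse_apci(stream[pos:])
        pos += 2 + stream[pos + 1]


if __name__ == "__main__":
    # constructed capture: STARTDT act, then an I-frame (N(S)=2, N(R)=1)
    # carrying a station interrogation command (ASDU type 100)
    sample = bytes.fromhex("680407000000" "680e04000200" "64010600010000000014")
    for frame in iter_apdus(sample):
        print(frame)
```

A monitor would raise an alert whenever an I-frame's `command` field is set for a source outside the expected master, since the protocol itself offers only an IP whitelist.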
  • 21. I love this protocol! Proprietary communication protocol supported by Siemens SCADA Software, PLC, HMI. We can: detect the protocol, extract some useful info (device serial number, type of station, firmware info etc.), extract and bruteforce (thanks to the JtR community) authentication challenge-response hashes. http://www.slideshare.net/phdays/timorinalexander-efanov-dmitry
  • 22. Toolkit: http://scadastrangelove.blogspot.kr/2013/11/power-of-community-2013-special-release.html
  • 23. Welcome to our workshop!
  • 24. Rooting the PLC: don't even try
  • 25. Pwn OS (often VxWorks, QNX); Reverse internal architecture; Find bugs in services; Snatch device. BUT FOR WHAT?
  • 26. It is a universal and complex approach. You can: detect devices and protocols; monitor state, commands, exchanged data; inject, modify, replay packets in real-time. Because most of them are INSECURE BY DESIGN. Real example?
  • 27. Simple UDP packet that sets "speed" of turbine to 57 (min=1, max=100)
  • 28. OS/DB/Application
  • 29. Raise your hand if you ever thought about it
  • 30. You absolutely don't need it, because you already have it. If you got access to a Windows machine – you have access to the SCADA system. Why? • Default/weak passwords • Network shares (C$, Trash) • Undocumented accounts • Vulnerabilities in third-party software • Windows vulnerabilities. That's enough, true story
  • 31. Build your own if you want. And commit it to GitHub, like our guy @atimorin does. Ok, you got it. What's next? Contribute
  • 32. As usual: you build the system, you investigate it, learn it, fuzz it, reverse it. Find a vulnerability? Easy. Build your own testlab? Nightmare
  • 33. Find a vulnerability? Easy. What you probably want to find (Where are the droids we are looking for?): • OWASP TOP 10 • Logic errors • Protocol analysis
  • 34. Build your own testlab? Nightmare. Everyone can install software, BUT: • You should have very specific knowledge of how to configure such systems • You should know specific programming languages like LAD or STL to start applications • You should know the specific syntax of the address stack (tags)
  • 35. Build your own testlab? Nightmare. Everyone can install software, BUT: • Every vendor has its own tools for engineers and developers • Every vendor has its own rules, its own protocols (most of them) • SCADA systems are like different operating systems – used for the same thing, but in different ways
  • 36. CVE-2013-4911 CVE-2012-2595 CVE-2012-2596 CVE-2012-2597 CVE-2012-2598 CVE-2012-3003 CVE-2012-3028 CVE-2012-3030 CVE-2012-3031 CVE-2012-3032 CVE-2012-3034 CVE-2012-4710 CVE-2013-0674 CVE-2013-0675 CVE-2013-0676 CVE-2013-0677 CVE-2013-0678 CVE-2013-0679 CVE-2013-0684 CVE-2013-0685 CVE-2013-0686 CVE-2013-0688 CVE-2013-3957 CVE-2013-3958 CVE-2013-3959 CVE-2013-4912 CVE-2013-XXX CVE-2013-XXX CVE-2013-XXX CVE-2013-XXX CVE-2013-XXX CVE-2013-XXX CVE-2014-XXX CVE-2014-XXX CVE-2014-XXX CVE-2014-XXX CVE-2014-XXX CVE-2015-XXX CVE-2015-XXX. http://scadastrangelove.blogspot.ru/search/label/Releases Vendors: Siemens, Invensys, ABB, Emerson, Other…
  • 37. I'm the Lord of the SCADA
  • 38. Please, _DO NOT_ click on any buttons in production. I suppose you know why. First, to control SCADA you need to know how that stuff really works: build your own testlab, read some docs from the vendor, understand how it should work. Then you are ready for production
  • 39. PLC/RTU often without password protection; Second (additional) network interface for the PLC/RTU network. Secure, isn't it?; Big red emergency button. Sometimes pressed accidentally; Rare backups; Web interfaces with default credentials, especially on PLC/RTU; Rare firmware updates
  • 40. Controller signal converter
  • 41. APC. Turn UPS Off!
  • 42. Hunting the operator: ICS network "forensic"
  • 43. Passwords on sticks (again)
  • 44. No passwords or easy top10 passwords; Disabled Windows firewall; No AV; Network shares without permissions (C: RW for all); Typical user with administrator rights; "Secret" internet connection; Tons of shareware, personal software, adult content (agrhhhhhh!); Low physical security restrictions
  • 45. Connect to ICS from home through RDP; Wi-Fi/3G/4G connections from/to ICS
  • 46. All pictures are taken from the Dr. Strangelove movie