How Sophisticated Penetration Testers  Get Through the Defenses Amsterdam,  08 September 2008
Precisely Right. Safe and sound.   And a clear competitive edge. <ul><li>We: </li></ul><ul><li>Advise. </li></ul><ul><li>D...
„ Traditional“ ways to  get through the defenses   2 ITC-Infrastructure  (A/D-modem, ISDN,  service ports) 1 Internet 6 Pa...
Which of these apply to SCADA? 2 ITC infrastructure  (A/D-modem, ISDN,  service ports) 1 Internet 6 Partner networks (corp...
Focus on some examples Access from not trustworthy networks <ul><ul><li>No or weak firewalls </li></ul></ul><ul><ul><ul><u...
Focus on some examples Insecure protocols <ul><ul><li>Serial or analog protocols ported to IP </li></ul></ul><ul><ul><li>P...
Focus on some examples Physical access <ul><ul><li>External & internal service technicians </li></ul></ul><ul><ul><ul><ul>...
What it all comes down to: Organization, procedures and processes <ul><ul><li>High  awareness  for safety but little or  n...
Outlook Duties and challenges <ul><ul><li>Building  awareness </li></ul></ul><ul><ul><ul><ul><li>Workshops and trainings <...
Philippe A. R. Schaeffer Chief Security Analyst TÜV Rheinland Secure iT GmbH Phone +49 221 806 2485 Email [email_address] ...
Upcoming SlideShare
Loading in …5
×

How sophisticated penetration testers get through the defenses

347 views
285 views

Published on

Examples of typical security vulnerabilities in SCADA networks and systems

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
347
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

How sophisticated penetration testers get through the defenses

  1. 1. How Sophisticated Penetration Testers Get Through the Defenses Amsterdam, 08 September 2008
  2. 2. Precisely Right. Safe and sound. And a clear competitive edge. <ul><li>We: </li></ul><ul><li>Advise. </li></ul><ul><li>Develop. </li></ul><ul><li>Facilitate. </li></ul><ul><li>Inspect. </li></ul><ul><li>Certify. </li></ul><ul><li>Precisely Right. </li></ul><ul><li>For you. </li></ul>79 associated companies overseas. At 360 locations in 62 countries around the world. Wherever your market is: we are already there. And ready to help you with advice and assistance.
  3. 3. „ Traditional“ ways to get through the defenses 2 ITC-Infrastructure (A/D-modem, ISDN, service ports) 1 Internet 6 Partner networks (corporate WAN, service networks) 5 Internal or external staff 3 Mobile users ( RAS/VPN ) 7 New technologies IT 4 Mobile storage (USB devices)
  4. 4. Which of these apply to SCADA? 2 ITC infrastructure (A/D-modem, ISDN, service ports) 1 Internet 6 Partner networks (corporate WAN, service networks) 5 Internal or external staff 3 Mobile users ( RAS/VPN ) 7 New technologies SCADA 4 Mobile storage (USB devices) 8 Old technologies 9 Physical access
  5. 5. Focus on some examples Access from not trustworthy networks <ul><ul><li>No or weak firewalls </li></ul></ul><ul><ul><ul><ul><li>Insufficient access controls </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Too much communication allowed </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Generic sources and destinations </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Unnecessary ports </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Forgotten protocols (e.g. IPX) </li></ul></ul></ul></ul></ul><ul><ul><li>Explicitly allowed communication </li></ul></ul><ul><ul><ul><ul><li>Web applications </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Used to display information in office networks </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Used as interface to corporate, partner or regulatory authority networks </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><li>Tunnels or jumping into other networks </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Resolution of public DNS records, ICMP </li></ul></ul></ul></ul></ul>
  6. 6. Focus on some examples Insecure protocols <ul><ul><li>Serial or analog protocols ported to IP </li></ul></ul><ul><ul><li>Proprietary protocols without authentication and encryption </li></ul></ul><ul><ul><ul><ul><li>New standard: IEC 61850 </li></ul></ul></ul></ul><ul><ul><li>Insecure data transfer protocols </li></ul></ul><ul><ul><ul><ul><li>http, ftp, nfs, SMTP (mail), syslog, SNMP, … </li></ul></ul></ul></ul><ul><ul><li>Insecure remote control protocols </li></ul></ul><ul><ul><ul><ul><li>SNMP, telnet, X11, SSH, … </li></ul></ul></ul></ul><ul><ul><li>Ineffective encryption </li></ul></ul><ul><ul><li>Radio communications </li></ul></ul><ul><ul><ul><ul><li>Wireless LAN, Bluetooth, ZigBee, … </li></ul></ul></ul></ul>
  7. 7. Focus on some examples Physical access <ul><ul><li>External & internal service technicians </li></ul></ul><ul><ul><ul><ul><li>Service laptops </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Direct access to SCADA networks </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Insufficient policies </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><li>Mobile storage </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>USB U3 flash drives </li></ul></ul></ul></ul></ul><ul><ul><li>Interfaces in the field </li></ul></ul><ul><ul><ul><ul><li>Easy access to sensors or field busses </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Security vulnerabilities in processing software </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><li>Easy access to IP networks </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Routers in remote stations </li></ul></ul></ul></ul></ul><ul><ul><li>Access to the facilities </li></ul></ul>
  8. 8. What it all comes down to: Organization, procedures and processes <ul><ul><li>High awareness for safety but little or no awareness for security </li></ul></ul><ul><ul><ul><ul><li>Threats are neither known nor dealt with </li></ul></ul></ul></ul><ul><ul><ul><ul><li>People hardly know that IT is involved </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Frequent excuse: “Border security” </li></ul></ul></ul></ul><ul><ul><li>Insufficient processes and policies </li></ul></ul><ul><ul><ul><ul><li>Undefined responsibilities </li></ul></ul></ul></ul><ul><ul><ul><ul><li>No information security management </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Policies apply to office communications </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Processes are not adapted to special needs </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Policies are not in line with other “traditional” policies </li></ul></ul></ul></ul><ul><ul><li>No consistent, internationally acknowledged standard </li></ul></ul>
  9. 9. Outlook Duties and challenges <ul><ul><li>Building awareness </li></ul></ul><ul><ul><ul><ul><li>Workshops and trainings </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Information exchange with vendors and suppliers </li></ul></ul></ul></ul><ul><ul><li>Development of an international standard </li></ul></ul><ul><ul><ul><ul><li>Information security management for SCADA </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Technical requirements </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Implementation guidelines and best practices </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Templates for policies and processes </li></ul></ul></ul></ul><ul><ul><li>Audits, assessments, reviews and penetration tests </li></ul></ul>
  10. 10. Philippe A. R. Schaeffer Chief Security Analyst TÜV Rheinland Secure iT GmbH Phone +49 221 806 2485 Email [email_address] Thank you for your attention! Do you have questions?

×