
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BLUE 2015


The electrical grid is one of the most sophisticated systems humanity has ever built. New technologies such as IEC 61850 and Europe-wide initiatives to create continent-wide SmartGrid systems make it more and more complex.

Our latest research was devoted to the analysis of the threat landscape, architecture and implementation of modern Smart Grid elements, including relay protection, wind and solar energy generation.

It may seem (not) surprising, but the systems which manage huge turbine towers and household photovoltaic plants are not only connected to the Internet but also prone to many well-known vulnerabilities and low-hanging 0-days. Even if these systems cannot be found via Shodan, fancy cloud technologies leave no chance for security.

In this talk, we summarize our practical experience in security assessment of different components of European SmartGrid technologies: from housekeeping and rooftop PV systems to digital substations. We will release new (but responsibly disclosed) vulnerabilities in SmartGrid components and Cloud SCADA technologies, as well as new tools for security assessment of SmartGrid industrial protocols.

Published in: Devices & Hardware

  1. Too Smart Grid. Sergey Gordeychik, Alexander Timorin
  2. www.scadasl.org • Group of security researchers focused on ICS/SCADA: Alexander Timorin, Alexander Tlyapov, Alexander Zaitsev, Alexey Osipov, Andrey Medov, Artem Chaykin, Denis Baranov, Dmitry Efanov, Dmitry Nagibin, Dmitry Serebryannikov, Dmitry Sklyarov, Evgeny Ermakov, Gleb Gritsai, Ilya Karpov, Ivan Poliyanchuk, Kirill Nesterov, Roman Ilin, Sergey Bobrov, Sergey Drozdov, Sergey Gordeychik, Sergey Scherbel, Timur Yunusov, Valentin Shilnenkov, Vladimir Kochetkov, Vyacheslav Egoshin, Yuri Goltsev, Yuriy Dyachenko
  3. Bugs in SCADA/PLC. *ICS Security in 2014, Evgeny Druzhinin, Ilya Karpov, Alexander Timorin, Gleb Gritsay, Sergey Gordeychik
  4. The Word of Power
  5. Smartgrid cybersecurity http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf
  6. Smartgrid cybersecurity http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf
  7. IPC@CHIP
  8. OSINT
  9. Firmware: Google dorks, configuration scripts, FS structure
  10. Direct search
  11. ENCRYPTION!!!11
  12. Firmware update
  13. Fixes --snip-- Comment to PT-SOL-2014001: The upload path has been changed. It is still possible to upload files, but they can't overwrite system critical parts any more. Comment to PT-SOL-2014002: The system backup is created in a randomly chosen path and deleted afterwards. Therefore an unauthorized access is made much more difficult and very unlikely. Second comment to PT-SOL-2014002: In order to compensate the weak encryption in the configuration file, the whole configuration file is now encrypted via the new HTTP transmission. --snip--
  14. osint
  15. User manual
  16. Admin manual
  17. Source code
  18. 117.220 MW Googled (1/22)
  19. The Wind?
  20. Nordex
  21. Archaeology
  22. CVE Details
  23. Pictures from Google
  24. 990.390 MW *Special Bushehr photo for scary ICS security slides*
  25. #SCADASOS http://scadastrangelove.blogspot.com/2014/12/sos-secure-open-smartgrids.html
  26. #SCADASOS Results • 60 000+ SmartGrid devices disconnected from the Internet • Two Advisories: XZERES 442SR Wind Turbine CSRF; SMA Solar Technology AG Sunny WebBox Hard-Coded Account Vulnerability
  27. Global radio network • HUGE attack surface • TCP/IP networks • It's GLOBAL
  28. IP boxes
  29. LTE radio security. Theory: A5/3 ciphers, GEA 2, 128-bit keys. Practice: backward compatibility with 2G (MITM), reuse of A5/1 or A5/0
  30. Real 4G encryption. Karsten Nohl, CCC, Hamburg, Germany, 2014
  31. Vulnerabilities of (u)SIM: Remote data recovery (Kc, TIMSI) • Channel decryption (including A5/3) • «Clone» the SIM and mobile station; SIM “malware”; Block SIM via PIN/PUK bruteforce. Alexander Zaitsev, Sergey Gordeychik, PacSec, Tokyo, Japan, 2014
  32. Femtoland and 3G sniffer
  33. 4G modem: Mobile computer (Linux/Android/BusyBox/VxWorks). Different interfaces: Storage (CWID USB SCSI CD-ROM USB Device; MMC Storage USB Device (MicroSD Card Reader)); Local management (COM-Port (UI, AT commands)); Remote management (Remote NDIS based Internet Sharing Device; WiFi). Kirill Nesterov, Timur Yunusov, HITBSec 2015, Amsterdam
  34. Attack host
  35. Control
  36. First one to guess how to bypass BIOS secure boot gets…
  37. 133t prize or free beer!
  38. USB Drivers Bugs Over network. Travis Goodspeed, Sergey Bratus, https://www.troopers.de/wp-content/uploads/2012/12/TROOPERS13-You_wouldnt_share_a_syringe_Would_you_share_a_USB_port-Sergey_Bratus+Travis_Goodspeed.pdf
  39. BADUSB via the Internet scadastrangelove.blogspot.com/2015/10/badusb-over-internet.html
  40. SCADA with Antenna
  41. The POWERful social network
  42. Don’t patch too much
  43. Some kWs only
  44. #CablemeltingBAD As a side note, there is about a 3GW buffer in the European energy grids -- take 3GW off the net within a couple of seconds (or add them), and lights will go out. For quite a long while.
  45. Smartgrid cybersecurity http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf
  46. Digital Substations http://scadastrangelove.blogspot.com/2013/11/scada-security-deep-inside.html IEC 61850 tools:
  47. Open Lab @PHDays. PHDays III Choo Choo Choo Pwn – Security assessment/Pentest. PHDays IV Critical Infrastructure Attack – 0-day research. http://bit.ly/1t8poTL http://www.phdays.com/press/news/38171/
  48. PHDays IV CIA • Goals – 0-day research on ICS components – Make a disaster – 0-day/1-day, CVSS, complexity, exploit, practical impact (e.g. disaster) • Targets – Schneider Electric: Wonderware System Platform, InduSoft Web Studio 7.1.4, ClearSCADA, IGSS, MiCOM C264 – Siemens: Flexible, TIA Portal 13 Pro, WinCC, KTP 600, Simatic S7-1500 (1511-1 PN), S7-300 (314С-2 DP + CP343), S7-1200 v3, S7-1200 v2.2 – Rockwell Automation: RSLogix 500, Allen-Bradley MicroLogix 1400 1766-L32BWAA – WellinTech KingSCADA, ICONICS Genesis64, ICP DAS PET-7067, Kepware KepServerEX (S7, DNP3), Honeywell Matrikon OPC (Modbus, DNP3), etc.
  49. Results of PHDays IV CIA • Winners – Alisa Esage – SE InduSoft Web Studio 7.1 – Nikita Maximov & Pavel Markov – ICP DAS RTU – Dmitry Kazakov – Siemens Simatic S7-1200 PLC • 2 days – 10+ 0days • Responsible disclosure
  50. Digital Substation Takeover https://www.youtube.com/watch?v=w8T-bbO3Qec
  51. Digital Substation Takeover
  52. DoS in SIPROTEC 4. Specially crafted packets sent to port 50000/udp could cause a denial-of-service of the affected device. A manual reboot is required to recover the service of the device.
  53. The Power of Japan
  54. Japan energy stations map: megawatts and location
  55. Ukishima solar power plant
  56. Kagoshima solar power plant
  57. Kagoshima plant diagram • SUNNY CENTRAL 500CP-JP • The 70-megawatt system in Kagoshima is a good example of how important it is to have the right service partner at your side - someone with broad experience, who can respond to unexpected events in a flexible manner. http://www.sma.de/en/products/references/kagoshima.html
  58. Kagoshima plant diagram
  59. ICS Security in Japan • 600+ SCADA/PLC on the Internet (chart values: 20 129 408 19 8 13; categories: ethernetip, http, modbus, snmp, s7, other)
  60. ICS Security in Japan
  61. PS
  62. Spot the difference 1 2
  63. Super Heavy Trains: 150 freight cars, 12 500 tons, several locomotives
  64. Super Heavy Jam
  65. Automatic train protection - SIL 4!
  66. SIL 4?! Safety Integrity Level: Probability of Failure on Demand (PFD), Probability of Failure per Hour (PFH)
  67. SIL 4? Root in 15 minutes!
  68. We know the difference 1 2
  69. Need for speed? http://www.theguardian.com/world/2013/jul/25/spain-train-crash-travelling-so-fast
  70. PPS
  71. Network Convergence?
  72. OT Convergence? Modern Smart Grid: - ICS/SCADA - Mobile carrier - Billing/Payment - IoT - Cloud
  73. root via SMS. Alexander @arbitrarycode Zaitsev, Alexey @GiftsUngiven Osipov, Kirill @k_v_nesterov Nesterov, Dmitry @_Dmit Sklyarov, Timur @a66at Yunusov, Gleb @repdet Gritsai, Dmitry Kurbatov, Sergey Puzankov, Pavel Novikov
  74. The Great Train Cyber Robbery. *All pictures are taken from the Dr. Strangelove movie and other Internets
  75. We already know: Reverse perimeter
  76. (image slide)
  77. HACK from the network
  78. OPEN ATM in the internet
  79. Thank you. *All pictures are taken from Google and other Internets. Alexander Timorin, Alexander Tlyapov, Alexander Zaitsev, Alexey Osipov, Andrey Medov, Artem Chaykin, Denis Baranov, Dmitry Efanov, Dmitry Nagibin, Dmitry Serebryannikov, Dmitry Sklyarov, Evgeny Ermakov, Gleb Gritsai, Ilya Karpov, Ivan Poliyanchuk, Kirill Nesterov, Roman Ilin, Sergey Bobrov, Sergey Drozdov, Sergey Gordeychik, Sergey Scherbel
  80. Too Smart Grid. Sergey Gordeychik, Alexander Timorin
