nullcon 2011 - Exploiting SCADA Systems

3,015 views

Exploiting SCADA Systems by Jeremy Brown

Published in: Technology

  1. Exploiting SCADA Systems (http://null.co.in/ http://nullcon.net/)
  2. [image only]
  3. Traditional SCADA Network Topology. “Control Systems Cyber Security: Defense in Depth Strategies”
  4. [image only]
  5. As newer products compete to make SCADA systems intuitive and modern, you can see the number of attack vectors rise. Say hello to ScadaMobile.
  6. [image only]
  7. Available at the App Store for only $2.99 (lite) and $74.99 for the full version
  8. So... what's wrong?
  9. Security has been implemented as an add-on instead of being built around the product from the ground up
  10. http://www.matrikonopc.com/products/opc-data-management/opc-tunneller.aspx
  11. http://www.indusoft.com/blog/?p=159
  12. http://www.wateronline.com/product.mvc/ClearSCADA-SCADA-Management-Software-0002
  13. http://www.isagraf.com/pages/news/0905PR-KingfisherDNP3.htm
  14. Systems are typically installed for the long term, and software upgrades may require new hardware
  15. Not to mention downtime, and nobody likes downtime. Depending on the product and the environment, just planning the patch process can be frustrating.
  16. Something somewhere is connected to something that is connected to the Internet
  17. And some things are just connected to the Internet...
  18. Courtesy of Shodan (www.shodanhq.com)
  19. [image only]
  20. [image only]
  21. [image only]
  22. “What really has to be done is better security around these systems and better, enforced security policies so the lack of patching does not matter.”
  23. Quoted from someone in the Control Systems Industry. This is the wrong way to view security. If this is what some people in the industry believe, it is no wonder that so many vulnerabilities still exist...
  24. No authentication? You've got problems.
  25. [image only]
  26. What would you like to do?
  27. An exception has occurred. Server is entering safe mode...
  28. Oh, by the way, you no longer need credentials.
  29. [image only]
  30. Vendors are not always “receptive” to vulnerability reports
  31. Favorite Quotes: “I'm not sure what this perl script is trying to do?” “If the CSV file is edited manually then it may not parse correctly when it gets loaded.” “From what I can see there is no security vulnerability in our product; if the CSV file is invalid then the application will not run correctly.” “Hi Jeremy, thanks but please don't waste my time.” “That sounds like a threat Jeremy, are you expecting me to pay you something?”
  32. Possible “Security Unaware” Vendor Q&A
  33. I found several security vulnerabilities in your products..... information..... .....time passes..... What are your plans regarding a patch?
  34. “Product A isn't accessible from the Internet, so it's not vulnerable to attacks.” So if someone owns a workstation on the same subnet with an IE exploit, how vulnerable do you consider it now?
  35. [image only]
  36. “As long as you don't open untrusted files with Product AB, then the exploits can't harm the system.” Do you really want to risk the organization's security by trusting that someone won't open a file that could be found on the web, emailed, or dropped in a trusted location?
  37. [image only]
  38. “Product ABC uses a complex, proprietary protocol whose documentation is only circulated internally.” What is to stop someone from using a packet sniffer and disassembler to analyze the protocol, figure out how it works, and spend some time researching how to exploit it?
  39. [image only]
  40. Why is it important to audit SCADA software?
  41. Stuxnet used a Siemens WinCC hard-coded database credentials vulnerability. How many other vendors do this?
  42. Kevin Finisterre
  43. “If you outlaw SCADA exploits, only outlaws will have SCADA exploits.” KF in 2008, after releasing CitectSCADA vulnerability information: http://www.exploit-db.com/papers/13028/
  44. If you find vulnerabilities in SCADA products, I suggest you work with ICS-CERT. They will contact vendors, help coordinate disclosure, and generally help the process go smoothly.
  45. MODBUS Fuzzing
  46. [image only]
  47. Wait a few seconds...
  48. [image only]
  49. “Tunneller” Protocol
  50. Message layout (diagram): Header, Signature, Length, Trailer, Body, Msg ID. Client -> Server: Connect Handshake
  51. Server -> Client: Session Handshake
  52. Continued: Client -> Server, Server -> Client
  53. Client -> Server: Session Handshake Complete
  54. [image only]
  55. Playing with lengths can be fun! Or not fun, or useful. Often time consuming and irritating actually. Literally be prepared to spend a lot of time chasing possibilities that aren't there. Just to, in the end, when you end up with another denial of service bug, wonder why you're still inside when it's 8 in the evening. Maybe I should have listened to Dad and become a doctor, or a lawyer. Not only in SCADA protocols, but others too!
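The MODBUS fuzzing slide and the "playing with lengths" slide describe the same bug class: a declared length the receiver trusts instead of checking against the bytes it actually got, which is how fuzzers end up with denial-of-service crashes. The following is an added example, not code from the talk or from Sploitware, showing how a Modbus/TCP receiver should cross-check the MBAP length field before using it; the sample frames are constructed, not captured traffic.

```python
import struct

# Modbus/TCP MBAP header: transaction id (2), protocol id (2), length (2), unit id (1).
# The length field counts the unit id plus the PDU (function code + data) after it.
MBAP_LEN = 7
MAX_ADU = 260  # 7-byte MBAP header + 253-byte maximum PDU


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP frame, checking every length before trusting it.

    Raises ValueError when the declared length disagrees with the bytes actually
    present, i.e. for exactly the inputs a length-field fuzzer produces.
    """
    if len(frame) < MBAP_LEN + 1:  # header plus at least a function code
        raise ValueError("frame shorter than MBAP header + function code")
    if len(frame) > MAX_ADU:
        raise ValueError("frame exceeds Modbus/TCP ADU maximum")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # Declared length must be exactly unit id (1) + PDU; never let it drive a copy.
    actual = len(frame) - 6
    if length != actual:
        raise ValueError(f"declared length {length} != actual {actual}")
    pdu = frame[MBAP_LEN:]
    return {"tid": tid, "uid": uid, "fcode": pdu[0], "data": pdu[1:]}


def check_frame(frame: bytes) -> tuple:
    """Return (accepted, reason) so rejected frames can be logged, not crashed on."""
    try:
        parse_modbus_tcp(frame)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


# Constructed sample frames (not captured traffic): a well-formed Read Holding
# Registers request (fcode 3, start 0, count 10) and three length-field mutations.
GOOD = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
OVERSIZED_LENGTH = GOOD[:4] + b"\xff\xff" + GOOD[6:]   # claims 65535 bytes follow
UNDERSIZED_LENGTH = GOOD[:4] + b"\x00\x02" + GOOD[6:]  # claims fewer than present
TRUNCATED = GOOD[:7]                                    # header only, no PDU

if __name__ == "__main__":
    for name, f in [("good", GOOD), ("oversized", OVERSIZED_LENGTH),
                    ("undersized", UNDERSIZED_LENGTH), ("truncated", TRUNCATED)]:
        print(name, check_frame(f))
```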
  56. Sploitware
  57. Just a small project of mine focused on SCADA and related software
  58. Can check systems for potentially vulnerable software, exploit vulnerabilities, lots of fun stuff
  59. DEMO!
  60. Recommendations
  61. Vendors... Try to break it before you ship it!
  62. (And check out TAOSSA)
  63. Clients... Do a security evaluation before you make the purchase.
  64. Because other people will.
  65. Thank you! jbrown at patchtuesday.org