Positive Hack Days. Komarov. SCADA Security Analysis

Participants will gain practical experience in searching for vulnerabilities and analysing SCADA security. The master class covers both common network vulnerabilities and the unusual cases that turn up during security assessments of real networks.



  1. Master class (Positive Hack Days): «Analysis of SCADA security protection»
    Andrey Komarov (technical manager)
  2. SCADA protection analysis: «what for», «how» and «why»?
    Regulations (USA, UK)
    Security «compliance» audit
    Prevent security incidents in SCADA
    Detect and specify security threats in SCADA
    Improvement of software and hardware tools
    Update regulation rules
    Consider the attacker's actions and trends
    Improve the efficiency of the protection measures in use
  3. Mismatches in regulations
  4. All checks and coverage area
    System software (OS, RTOS)
    SCADA
    Application software
    Network software
    Data transfer channels
    Hardware
  5. Used techniques
    Application software (SCADA, RTU)
    System software (OS, RTOS)
    Data transfer channels and techniques (Industrial Ethernet, Modbus, DNP3, Profibus, etc.)
  9. Used instruments («Click and Hack» type)
    «/exploits/scada»
      «+» «CLICK and HACK» model
      «-» there are only 5 vulnerabilities
      «-» limited set of features
    «SCADA»
      «+» «CLICK and HACK» model
      «-» there are only 15 vulnerabilities
  10. Used instruments (specialized utilities)
    Analysis of available NetDDE resources: Neutralbit's nbDDE tool
    Network DDE (NetDDE) was designed by Wonderware and is an add-on to Microsoft Windows DDE that implements data exchange between computers in a LAN
  11. Are there any difficulties?
    Web application vulnerabilities (SQL injection)
    User ID: 1' or 1=(select top 1 password from Users)--
    Password: (blank)
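The injection on slide 11, as an added example that is not part of the presentation: a login query built by string concatenation next to its parameterised replacement, run against a constructed in-memory SQLite table. SQLite has no TOP and does not raise a type-conversion error on the slide's 1=(select ...) comparison, so the payload is adapted to a LIMIT 1 subquery that still closes the quote, ORs in a true condition and comments out the password check. The Users table, its columns and rows are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the web front end's user table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id TEXT, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [("1", "operator", "s3cret"), ("2", "engineer", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_id: str, password: str) -> list:
    """Login as the slide describes it: user input is spliced into the SQL text,
    so a quote in the User ID field ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT name FROM Users WHERE id = '" + user_id +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn: sqlite3.Connection, user_id: str, password: str) -> list:
    """Same query with bound parameters: the input is only ever a value."""
    sql = "SELECT name FROM Users WHERE id = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user_id, password))]


# Slide payload adapted to SQLite (LIMIT 1 instead of TOP 1). After splicing, the
# vulnerable query reads:
#   SELECT name FROM Users WHERE id = '1' OR 1=(SELECT 1 FROM Users LIMIT 1)--' AND password = ''
# The subquery returns 1, the OR is true for every row, and -- comments out the
# password check entirely, which is why the Password field can stay blank.
PAYLOAD = "1' OR 1=(SELECT 1 FROM Users LIMIT 1)--"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, ""),  # every user, without a password
        "hardened": login_hardened(conn, PAYLOAD, ""),      # no user has that literal id
        "legit": login_hardened(conn, "1", "s3cret"),       # the normal path still works
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the bound parameter, not input filtering: the payload is passed unchanged to the hardened query and simply fails to match any id.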
  12. Active and passive network reconnaissance
    Available resources: «The Registered Ports» section (Internet Assigned Numbers Authority):
      ibm-mqisdp 1883/tcp, 1883/udp: IBM MQSeries SCADA
      pnbscada 3875/tcp, 3875/udp: PNBSCADA
      d-s-n 8086/tcp: Distributed SCADA Networking Rendezvous Port
    Active detection:
      - SNMP server scanning results;
      - detection of solution features (web servers, logged services).
    Passive detection:
      - interception of network traffic to find specific requests/responses (application and network software);
      - detection of SCADA protocols in the available network traffic (DNP3 over Ethernet, Modbus/TCP);
      - direct analysis of production protocols (with dedicated analyzers, analysis of the signal propagation medium).
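The passive detection step of slide 12, as an added example that is not part of the presentation: a classifier for a single TCP payload that recognises Modbus/TCP by its MBAP header and DNP3 by its link-layer header (start bytes plus a verified CRC-16/DNP), and separately reports the port hints from the IANA excerpt on the slide together with the well-known defaults 502 (Modbus/TCP) and 20000 (DNP3). The sample frames are constructed, not captured, and the helper names are my own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Port hints: the three SCADA entries from the IANA registered-ports excerpt on the
# slide, plus the well-known default ports for Modbus/TCP and DNP3.
PORT_HINTS = {
    502: "Modbus/TCP default port",
    20000: "DNP3 default port",
    1883: "ibm-mqisdp (IBM MQSeries SCADA)",
    3875: "pnbscada (PNBSCADA)",
    8086: "d-s-n (Distributed SCADA Networking Rendezvous Port)",
}

MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


@dataclass
class Hit:
    protocol: str
    detail: str


def detect_modbus_tcp(payload: bytes) -> Optional[Hit]:
    """Modbus/TCP: 7-byte MBAP header (transaction id, protocol id == 0, length,
    unit id) followed by a PDU whose first byte is the function code. The length
    field counts unit id + PDU, so a genuine frame has length == len(payload) - 6."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    fc = payload[7]
    name = MODBUS_FUNCTIONS.get(fc & 0x7F, "function 0x%02x" % (fc & 0x7F))
    kind = "exception" if fc & 0x80 else "request/response"
    return Hit("Modbus/TCP", f"tid={tid} unit={unit} {name} ({kind})")


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected 0xA6BC), init 0, final complement."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def detect_dnp3(payload: bytes) -> Optional[Hit]:
    """DNP3 link layer: 0x05 0x64 start, LEN, CTRL, DEST(2), SRC(2), CRC(2), all
    multi-byte fields little-endian. LEN counts CTRL..SRC plus user data (5..255)
    and excludes CRCs; the header CRC covers the first 8 bytes."""
    if len(payload) < 10 or payload[:2] != b"\x05\x64":
        return None
    length, ctrl, dest, src, crc = struct.unpack("<BBHHH", payload[2:10])
    if not 5 <= length <= 255 or dnp3_crc(payload[:8]) != crc:
        return None
    return Hit("DNP3", f"len={length} ctrl=0x{ctrl:02x} src={src} dst={dest}")


def classify(dst_port: int, payload: bytes) -> List[Hit]:
    """Content checks first, then the port hint, so a SCADA port carrying
    something else is still flagged for a closer look."""
    hits = [h for h in (detect_modbus_tcp(payload), detect_dnp3(payload)) if h]
    if dst_port in PORT_HINTS:
        hits.append(Hit("port-hint", f"{dst_port}/tcp {PORT_HINTS[dst_port]}"))
    return hits


def build_dnp3_header(ctrl: int, dest: int, src: int, length: int = 5) -> bytes:
    """Builds a link-layer header with a correct CRC (used for the constructed sample)."""
    body = b"\x05\x64" + struct.pack("<BBHH", length, ctrl, dest, src)
    return body + struct.pack("<H", dnp3_crc(body))


# Constructed samples (not captured traffic).
SAMPLE_MODBUS = bytes.fromhex("00010000000601030000000a")  # tid 1, unit 1, FC 3: 10 holding regs from 0
SAMPLE_DNP3 = build_dnp3_header(ctrl=0xC0, dest=1, src=1024)  # DIR+PRM set, RESET_LINK_STATES
SAMPLE_HTTP = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for port, pl in ((502, SAMPLE_MODBUS), (20000, SAMPLE_DNP3), (3875, SAMPLE_HTTP)):
        print(port, [f"{h.protocol}: {h.detail}" for h in classify(port, pl)])
```

Checking the MBAP length and the DNP3 CRC, rather than just the first bytes, is what keeps the detector from matching random binary data on a busy plant network; the CRC routine can be sanity-checked against the standard check value 0xEA82 for the input "123456789".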
  13. Detected SCADA object: SIEMENS SIMATIC
  14. Testing of reliability
    Stress test (ICMP ping flood), after «Reg Tiger Security»:
    # denial of service, then recovery (idle time: 1 minute)
    ping -f -s 60
    601 packets transmitted, 150 packets received, 75% packet loss
    # denial of service, then recovery (idle time: 1 minute)
    ping -f -s 600
    497 packets transmitted, 32 packets received, 93% packet loss
    # denial of service, without recovery (device has to be rebooted)
    ping -f -s 6000
    518 packets transmitted, 0 packets received, 100% packet loss
    # denial of service, without recovery (device has to be rebooted)
    ping -f -s 6000
    819 packets transmitted, 0 packets received, 100% packet loss
  16. «US Blackout»
  17. Borrowed application software components in SCADA
  18. Denial of service against the embedded web server (image slides; the same title is repeated on slides 18, 20, 21 and 22)
  23. Thank you for your attention!
    http://ITDEFENCE.ru
    LinkedIn group «Industrial Automation Security»: we discuss SCADA security questions
