
Techniques of attacking ICS systems

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Loading in …3
×

Check these out next

1 of 65 Ad

More Related Content

Slideshows for you (20)

Similar to Techniques of attacking ICS systems (20)

Advertisement

More from qqlan (20)

Recently uploaded (20)

Advertisement

Techniques of attacking ICS systems

1. All pictures are taken from the Dr. Strangelove movie. Alexander Timorin, Ilya Karpov, Yuri Goltsev, Sergey Gordeychik
2. A group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity Of Essence: Sergey Gordeychik, Ilya Karpov, Artem Chaykin, Dmitry Efanov, Andrey Medov, Alexander Zaitsev, Dmitry Sklyarov, Gleb Gritsai, Sergey Bobrov, Yuriy Dyachenko, Yuri Goltsev, Sergey Scherbel, Dmitry Serebryannikov, Alexander Tlyapov, Denis Baranov, Alexander Timorin, Sergey Drozdov, Vladimir Kochetkov, Timur Yunusov, Dmitry Nagibin
3. Goals: to automate security assessment of ICS platforms and environments. Objectives: to understand the system, to assess built-in security features, to create security audit/hardening guides, to automate the process. Vulnerabilities: a waste product of that process.
4. Agenda: Tilting at windmills: ICS pentest project management. Playing with networks. Rooting the PLC: don't even try. OS/DB/Application. I'm the Lord of the SCADA. Hunting the operator: ICS network "forensic".
5. Industrial Team. Security Department. The One Vendor. IT Team. SI.
6. Absolutely unbreakable ICS NETWORK
7. What you find there:
   - Typical network devices with default/crappy settings
   - Unpatched, old-as-dirt engineering workstations full of junk software [malware]
   - Wireless AP with WEP (if the best happened)
   - Low physical security
   - ... and industrial protocols
8. (Same content as slide 7.)
9. Industrial protocols:
   - Full expanse
   - Not blocked by firewalls/switches
   - Accessible between LAN segments
   - Work from the data link layer up to the application layer
   - Easy to detect
   - Easy to intercept and analyze (but not all!)
   And what do we know about the protocols?
10. Modbus, the Profinet family, DNP3, IEC 61850-8-1 (MMS), IEC 60870-5-104 (IEC 104), Siemens S7 ... and much more. And most of them are INSECURE BY DESIGN.
11. Modbus, http://www.modbus.org/
   - Diagnostic functions
   - Read/write data/registers/tags
   - Read/write files
   Toolkit: PLCSCAN by Dmitry Efanov, http://code.google.com/p/plcscan/
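The Modbus slide lists diagnostic, register and file functions without showing how they look on the wire. The following is an added example, not code from the slides or from PLCSCAN: a small Modbus/TCP parser written from a monitoring point of view. It validates the MBAP header (protocol id 0, length field consistent with the frame), names the function code using the public Modbus specification, and flags the functions that change controller state, since on a network with no authentication the only control left is to see every such request. The sample frames are constructed for this example; function-code numbers are from the public spec.

```python
"""Added example (not from the slides or PLCSCAN): a minimal Modbus/TCP
frame parser for passive monitoring. It splits the MBAP header from the PDU,
validates the fixed protocol id and the length field, names the function
code from the public Modbus specification, and flags requests that change
PLC state: the write, diagnostic and file functions the slide lists.
The sample frames at the bottom are constructed for this example."""
import struct
from dataclasses import dataclass
from typing import List

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Public function codes (Modbus Application Protocol Specification V1.1b3)
FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x08: "Diagnostics", 0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers", 0x14: "Read File Record",
    0x15: "Write File Record", 0x17: "Read/Write Multiple Registers",
}
# Functions that alter controller state or configuration; a monitor should
# log every one of these with its source, not only exception responses
STATE_CHANGING = {0x05, 0x06, 0x08, 0x0F, 0x10, 0x15, 0x17}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

    @property
    def is_exception(self) -> bool:
        return bool(self.function & 0x80)   # exception responses set the high bit

    @property
    def base_function(self) -> int:
        return self.function & 0x7F

    @property
    def name(self) -> str:
        return FUNCTION_NAMES.get(self.base_function,
                                  f"Unknown(0x{self.base_function:02X})")


def parse_frame(buf: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU; raise ValueError for anything malformed."""
    if len(buf) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", buf[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6
    if length != len(buf) - 6:
        raise ValueError(f"length field {length} does not match {len(buf) - 6} bytes present")
    return ModbusFrame(tid, unit, buf[7], bytes(buf[8:]))


def is_state_changing(frame: ModbusFrame) -> bool:
    return not frame.is_exception and frame.base_function in STATE_CHANGING


def audit(frames: List[bytes]) -> List[str]:
    """One alert line per malformed or state-changing frame."""
    alerts = []
    for n, raw in enumerate(frames):
        try:
            f = parse_frame(raw)
        except ValueError as exc:
            alerts.append(f"frame {n}: malformed ({exc})")
            continue
        if is_state_changing(f):
            alerts.append(f"frame {n}: unit {f.unit_id} {f.name} data={f.data.hex()}")
    return alerts


# Constructed sample frames (hex): tid, pid, length, unit, function, payload
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),  # read 10 holding registers
    bytes.fromhex("0002 0000 0006 01 06 0010 0039"),  # write register 16 := 57
    bytes.fromhex("0003 0000 0006 01 08 0001 0000"),  # diagnostics sub-function 1
    bytes.fromhex("0004 0001 0006 01 03 0000 0001"),  # bogus protocol id 1
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES):
        print(line)
```

Run as-is it prints three alerts: the register write, the diagnostics request and the frame with a bad protocol id. Reads are parsed but stay silent, which is the usual split in an ICS monitor: writes and diagnostics are rare enough in steady-state operation that each one is worth a log line with its source address attached.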
12. Profinet: IEC 61158, IEC 61784
13. Profinet CBA/IO/PTCP/DCP
   - Ethernet type 0x8892
   - Exchanges data in real-time cycles
   - Multicast discovery of devices and stations
   - No encryption, no auth, no security
   - We can change settings: station name, IP, netmask, gateway
   - We can simulate, or really cause, a DoS of a PLC or HMI
   Toolkit: http://scadastrangelove.blogspot.kr/2013/11/power-of-community-2013-special-release.html
14. DNP3, http://www.dnp.org
   - Widespread and popular
   - Useful info: http://www.digitalbond.com/scadapedia/protocols/dnp3/ and http://blog.iec61850.com/search/label/DNP3
   - Secure DNP3 specification
   Toolkit: coming soon...
15. IEC 61850-8-1: Manufacturing Message Specification
16. MMS
   - ISO 9506-1:2003
   - Based on ISO-TSAP, TCP/102
   - Read/write PLC tags, variables, domains (large unstructured data, i.e. code)
   - Start/stop/rewrite PLC firmware
   - Read/write/delete files and directories
   - Poor security mechanism: simply a whitelist of methods
   - No auth, no encryption
   Toolkit: Python and Nmap scripts
17. Python and Nmap identification scripts: https://github.com/atimorin/PoC2013/tree/master/iec-61850-8-1
18. IEC 60870-5-104: TCP/2404. Header: 1st byte 0x68, 2nd byte APDU length
19. IEC 104
   - Huge list of functions, depending on the vendor's implementation
   - Read/write tags, upload/download files, broadcast discovery of connected devices, time sync, reset process command, query log files, etc.
   - No auth, no encryption
   - Poor security mechanism: IP address whitelist
   Toolkit: Python and Nmap scripts
20. Python and Nmap identification scripts: https://github.com/atimorin/PoC2013/tree/master/iec-60870-5-104
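Slide 18 gives the IEC 104 framing (start byte 0x68, then the APDU length) and slide 19 lists the functions carried on top of it. The following is an added example, not code from the slides or from the authors' PoC2013 scripts: a frame splitter and classifier for a captured TCP/2404 stream, written for passive monitoring. It goes a little beyond the slide by also decoding the 4-octet APCI control field (I/S/U format and sequence numbers) and the ASDU type ID of I-frames, using the public IEC 60870-5-104 encoding; the ASDU type IDs it watches (single/double command, interrogation, clock sync, reset process, file transfer) are the public ones that match the functions the slide names. It resynchronises on junk bytes and keeps a truncated trailing frame as leftover rather than mis-parsing it. The sample stream is constructed for this example.

```python
"""Added example (not from the slides or the authors' toolkit): a passive
IEC 60870-5-104 frame splitter and classifier for a captured TCP/2404
stream. It uses the APCI framing the slide names (start byte 0x68, then the
APDU length) and the public control-field encoding to tell I/S/U frames
apart, resynchronises on junk bytes, keeps a truncated trailing frame as
leftover, and flags ASDU type IDs that change controller state. The sample
stream at the bottom is constructed for this example."""
from typing import Dict, List, Tuple

START_BYTE = 0x68
MIN_APDU_LEN, MAX_APDU_LEN = 4, 253  # length octet counts control field + ASDU

# U-format control octet 1 values (IEC 60870-5-104 unnumbered control functions)
U_FRAMES = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
            0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

# ASDU type IDs worth an alert from a monitoring point of view: process
# commands, interrogation, clock sync, reset process and the file-transfer family
WATCHED_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 100: "C_IC_NA_1 interrogation", 103: "C_CS_NA_1 clock sync",
                 105: "C_RP_NA_1 reset process"}
WATCHED_TYPES.update({t: "file transfer" for t in range(120, 127)})


def split_apdus(stream: bytes) -> Tuple[List[bytes], bytes, int]:
    """Cut a byte stream into complete APDUs.
    Returns (apdus, leftover, skipped): leftover is an incomplete trailing
    frame to be prepended to the next segment, skipped counts bytes dropped
    while resynchronising on the start byte."""
    apdus, i, skipped = [], 0, 0
    while i < len(stream):
        if stream[i] != START_BYTE:
            i += 1
            skipped += 1
            continue
        if i + 1 >= len(stream):
            break  # start byte without a length octet: wait for more data
        length = stream[i + 1]
        if not MIN_APDU_LEN <= length <= MAX_APDU_LEN:
            i += 1
            skipped += 1
            continue  # implausible length, treat this 0x68 as noise
        end = i + 2 + length
        if end > len(stream):
            break  # frame cut off by the capture or segment boundary
        apdus.append(bytes(stream[i:end]))
        i = end
    return apdus, bytes(stream[i:]), skipped


def classify(apdu: bytes) -> Dict[str, object]:
    """Decode the 4-octet control field and, for I-frames, the ASDU type ID."""
    c1, c2, c3, c4 = apdu[2:6]
    if c1 & 0x01 == 0:                        # I-format: numbered information transfer
        info: Dict[str, object] = {"format": "I",
                                   "send_seq": (c1 >> 1) | (c2 << 7),
                                   "recv_seq": (c3 >> 1) | (c4 << 7)}
        if len(apdu) > 6:
            info["type_id"] = apdu[6]          # first ASDU octet is the type ID
        return info
    if c1 & 0x03 == 0x01:                     # S-format: supervisory acknowledgement
        return {"format": "S", "recv_seq": (c3 >> 1) | (c4 << 7)}
    return {"format": "U", "name": U_FRAMES.get(c1, f"unknown U 0x{c1:02X}")}


def audit(stream: bytes) -> List[str]:
    """One alert line per state-changing ASDU, plus resync/truncation notes."""
    apdus, leftover, skipped = split_apdus(stream)
    alerts = []
    for n, apdu in enumerate(apdus):
        type_id = classify(apdu).get("type_id")
        if type_id in WATCHED_TYPES:
            alerts.append(f"apdu {n}: type {type_id} {WATCHED_TYPES[type_id]}")
    if skipped:
        alerts.append(f"resync dropped {skipped} byte(s)")
    if leftover:
        alerts.append(f"{len(leftover)} trailing byte(s) incomplete")
    return alerts


# Constructed sample stream: U STARTDT act, an I-frame carrying a reset
# process command (type 105, COT activation, common address 1, IOA 0, QRP 1),
# an S-frame acknowledging sequence 1, and an I-frame cut off by the capture
SAMPLE_STREAM = bytes.fromhex(
    "680407000000"
    + "680e0000000069010600010000000001"
    + "680401000200"
    + "680c020002002d01")

if __name__ == "__main__":
    for line in audit(SAMPLE_STREAM):
        print(line)
```

The two-octet length check is the whole "parser": anything that fails it is either noise or a frame split across segments, and the function reports which. In a real monitor the leftover bytes are carried into the next TCP segment, and the alert for type 105 (reset process) would include the source IP, since an address whitelist on the controller is the only gate the slide describes.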
21. Siemens S7: I love this protocol! A proprietary communication protocol supported by Siemens SCADA software, PLCs and HMIs. We can: detect the protocol; extract some useful info (device serial number, station type, firmware info, etc.); extract and brute-force (thanks to the JtR community) authentication challenge-response hashes. http://www.slideshare.net/phdays/timorinalexander-efanov-dmitry
22. Toolkit: http://scadastrangelove.blogspot.kr/2013/11/power-of-community-2013-special-release.html
23. Welcome to our workshop!
24. Rooting the PLC: don't even try
25. Pwn the OS (often VxWorks, QNX). Reverse the internal architecture. Find bugs in services. Snatch the device. BUT FOR WHAT?
26. The protocol-level approach is universal and complete. You can: detect devices and protocols; monitor state, commands and exchanged data; inject, modify and replay packets in real time. Because most of them are INSECURE BY DESIGN. Real example?
27. A simple UDP packet that sets the "speed" of a turbine to 57 (min=1, max=100)
28. OS/DB/Application
29. Raise your hand if you ever thought about it
30. You absolutely don't need it, because you already have it. If you got access to a Windows machine, you have access to the SCADA system. Why?
   - Default/weak passwords
   - Network shares (C$, Trash)
   - Undocumented accounts
   - Vulnerabilities in third-party software
   - Windows vulnerabilities
   * That's enough, true story
31. Build your own if you want, and commit it to GitHub, like our guy @atimorin does. Ok, you got it. What's next? Contribute
32. As usual: you build the system, you investigate it, learn it, fuzz it, reverse it. Find a vulnerability? Easy. Build your own test lab? Nightmare
33. Find a vulnerability? Easy. What you probably want to find (where are the droids we are looking for?):
   - OWASP Top 10
   - Logic errors
   - Protocol analysis
34. Build your own test lab? Nightmare. Everyone can install software, BUT:
   - You need very specific knowledge of how to configure such systems
   - You need to know specific programming languages like LAD or STL to start applications
   - You need to know the specific syntax of the address stack (tags)
35. Build your own test lab? Nightmare. Everyone can install software, BUT:
   - Every vendor has its own tools for engineers and developers
   - Every vendor has its own rules and (mostly) its own protocols
   - SCADA systems are like different operating systems: used for the same purpose, but in different ways
36. CVE-2013-4911 CVE-2012-2595 CVE-2012-2596 CVE-2012-2597 CVE-2012-2598 CVE-2012-3003 CVE-2012-3028 CVE-2012-3030 CVE-2012-3031 CVE-2012-3032 CVE-2012-3034 CVE-2012-4710 CVE-2013-0674 CVE-2013-0675 CVE-2013-0676 CVE-2013-0677 CVE-2013-0678 CVE-2013-0679 CVE-2013-0684 CVE-2013-0685 CVE-2013-0686 CVE-2013-0688 CVE-2013-3957 CVE-2013-3958 CVE-2013-3959 CVE-2013-4912 CVE-2013-XXX CVE-2013-XXX CVE-2013-XXX CVE-2013-XXX CVE-2013-XXX CVE-2013-XXX CVE-2014-XXX CVE-2014-XXX CVE-2014-XXX CVE-2014-XXX CVE-2014-XXX CVE-2015-XXX CVE-2015-XXX http://scadastrangelove.blogspot.ru/search/label/Releases Vendors: Siemens, Invensys, ABB, Emerson, Other...
37. I'm the Lord of the SCADA
38. Please, _DO NOT_ click any buttons in production. I suppose you know why. First, to control SCADA you need to know how that stuff really works: build your own test lab, read some docs from the vendor, understand how it should work. Then you are ready for production.
39. Typical findings:
   - PLC/RTU often without password protection
   - A second (additional) network interface for the PLC/RTU network. Secure, isn't it?
   - Big red emergency button. Sometimes pressed accidentally
   - Rare backups
   - Web interfaces with default credentials, especially on PLC/RTU
   - Rare firmware updates
40. Controller signal converter
41. APC: Turn UPS Off!
42. Hunting the operator: ICS network "forensic"
43. Passwords on sticks (again)
44. Operator workstations:
   - No passwords, or easy top-10 passwords
   - Disabled Windows firewall
   - No AV
   - Network shares without permissions (C: RW for all)
   - Typical user with administrator rights
   - "Secret" internet connection
   - Tons of shareware, personal software, adult content (argh!)
   - Low physical security restrictions
45. Connecting to ICS from home through RDP. Wi-Fi/3G/4G connections from/to ICS
46. All pictures are taken from the Dr. Strangelove movie