SCADASTRANGELOVE is a group of security researchers focused on ICS/SCADA security. They have discovered over 100 vulnerabilities in industrial control systems and devices since 2012. Their goal is to raise awareness of security issues in critical infrastructure systems and work with a responsible disclosure process to help vendors patch vulnerabilities.
Slides for the presentation about SCADA hacking given on Hackers 2 Hackers Conference 10th edition at São Paulo, Brazil
Demo videos:
- Wago 0day DOS: https://www.youtube.com/watch?v=ACMJmXy4hSg
- Modbus Replay: https://www.youtube.com/watch?v=1pfZDiUUQHQ
Presentation Video (pt_BR)
- https://www.youtube.com/watch?v=R1snsQ_WS9Y
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
This webinar will help you get more informed on PenTesting in SCADA and also best practices and methods used on risk assessment. Learning about the criticality in industry, makes you more flexible to boost the skills.
Main points covered:
• The SCADA ICS function in critical infrastructure industry
• Risk exposure of IT vs. SCADA ICS from Cyber Security Perspective
• Do's and don’ts of Vulnerability Assessment and Penetration Testing in SCADA ICS Environment
Presenter:
This webinar was presented by Pedro Putu Wirya, an IT and ICS Security Consultant with an extensive experience in ISMS, and PECB Certified Trainer.
Link of the recorded session published on YouTube: https://youtu.be/icq-RTwusZ8
Industrial Control System Cyber Security and the Employment of Industrial Fir...Schneider Electric
This presentation provides an overview of industrial control systems and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the risks.
Slides for the presentation about SCADA hacking given on Hackers 2 Hackers Conference 10th edition at São Paulo, Brazil
Demo videos:
- Wago 0day DOS: https://www.youtube.com/watch?v=ACMJmXy4hSg
- Modbus Replay: https://www.youtube.com/watch?v=1pfZDiUUQHQ
Presentation Video (pt_BR)
- https://www.youtube.com/watch?v=R1snsQ_WS9Y
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
This webinar will help you get more informed on PenTesting in SCADA and also best practices and methods used on risk assessment. Learning about the criticality in industry, makes you more flexible to boost the skills.
Main points covered:
• The SCADA ICS function in critical infrastructure industry
• Risk exposure of IT vs. SCADA ICS from Cyber Security Perspective
• Do's and don’ts of Vulnerability Assessment and Penetration Testing in SCADA ICS Environment
Presenter:
This webinar was presented by Pedro Putu Wirya, an IT and ICS Security Consultant with an extensive experience in ISMS, and PECB Certified Trainer.
Link of the recorded session published on YouTube: https://youtu.be/icq-RTwusZ8
Industrial Control System Cyber Security and the Employment of Industrial Fir...Schneider Electric
This presentation provides an overview of industrial control systems and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the risks.
Learn what makes SCADAguardian (the Nozomi Networks flagship technology) so unique and powerful. From enterprise IT, to OT, we enable scalable security strategies for ICS.
Presented at ISACA's EuroCACS 2015 (Copenhaguen).
Understand the impact of Industrial Control Systems (ICS) on the security ecosystem.
Expand the knowledge on SCADA systems and how cyberattacks can have physical consequences, bridging the cyber and physical worlds.
This presentation was given at BSides Las Vegas 2015.
The modern times that we live in, the gentle shift that we are making towards the Internet of Things (IoT) is slowly but surely getting a grip on our day to day lives. The same goes for securing our Industrial Control Systems (ICS). We see that the demand for ICS security is raising and governmental regulations are being established and implement. However, this also means that the need for ICS security professionals is raising as well. More and more security professionals/firms are starting to perform security assessments such as penetration testing on an ICS level. Two years ago I got the question if I was up for the challenge, converting myself from a ‘normal’ security professional to a ICS specific security professional.
The purpose of this talk would be to provide a starting point for security professionals that want to make the shift towards ICS Security, just like I did two years ago. While the term starting point might be a bit misleading, the goal would be to provide an ICS 001 talk instead in contrast to an ICS 101 talk.
Your SCADA system has a vulnerability, now what? I shortly summarize the DNP3 vulnerabilities (and other ICS protocols too). Then I focus on the different mitigations that an ICS owner can do to mitigate these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.
The Nozomi Networks solution improves ICS cyber resiliency and provides real-time operational visibility. Major customers have improved reliability, cybersecurity and operational efficiency using our technology. Learn more about our solutions and technology here and how they can bring immediate benefit to your industrial control system (ICS)
Secure Systems Security and ISA99- IEC62443Yokogawa1
With the new Industrial Network standards like ISA-IEC62443 companies are evolving their IT and OT networks to face evolving threats. This presentation will cover industrial networking best practices, secure architectures and segregation techniques that can be used by all businesses to prevent a minor business network breach from becoming an industrial catastrophe.
Topics Covered in this Seminar Include:
Overview Of Cyber Threat
Introduction - ISA IEC Industrial Control Security Standards
An Example - Advanced Persistent Threat (APT)
ISA/IEC 62443-3-2 Network Separation - An APT countermeasure
The next step in APT defenses System Certification to ISA/IEC 62443 Cybersecurity Standards
ISA/IEC 62443 Cybersecurity Standards Current Efforts
The Future of ISA/IEC 62443 Cybersecurity Standards
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
Over the last 5 years, Data Centers, your most important asset, have evolved massively. The pace of change continues to ramp with new Architectures, Virtualization, Fabrics and Clouds. How do you evolve your data centers and ensure they are secure, and prove they are secure, for compliance and audit? Using a practical and pragmatic approach, we will present and demonstrate how Cisco can help you tackle your security challenges, leveraging the intelligent network infrastructure and the broadest security portfolio in the industry (ASA5585, ASA SM, ASA 1000v, VSG and TrustSec with ISE).
Presented: September 21, 2017
At: CS2AI, Washington, DC
A decade ago, ISA99 published the first standard in what is now the ISA/IEC 62443 series. Since then, the series has coalesced into the current form consisting of 13 individual documents in various stages of completion, publication, and/or revision. Printing out all of the existing standards and drafts can easily use up more than a ream of paper. It can be a daunting task to try to apply it to an organization. So, what are you supposed to do? How are you supposed to proceed? In this talk, I’ll go over some of the lessons I’ve learned from helping customers develop and evaluate security programs within their organization.
Security Operations Center (SOC) Essentials for the SMEAlienVault
Closing the gaps in security controls, systems, people and processes is not an easy feat, particularly for IT practitioners in smaller organizations with limited budgets and few (if any) dedicated security staff. So, what are the essential security capabilities needed to establish a security operations center and start closing those gaps?
Join Javvad Malik of 451 Research and Patrick Bedwell, VP of Product Marketing at AlienVault for this session covering:
*Developments in the threat landscape driving a shift from preventative to detective controls
*Essential security controls needed to defend against modern threats
*Fundamentals for evaluating a security approach that will work for you, not against you
*How a unified approach to security visibility can help you get from install to insight more quickly
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
In my topic I’ll share my experience in analysis of most popular open and vendor’s specific proprietary industrial protocols.
For each protocol I will present packet structure, real examples, (in)secure features and possible hacks.
At the end of the topic I’ll share my practial approach, methodology and useful scripts.
During the presentation we will talk about:
Well-known protocols: Profinet, Modbus, DNP3
IEC 61850-8-1 (MMS)
IEC 61870-5-101/104
FTE (Fault Tolerant Ethernet)
Siemens S7
Learn what makes SCADAguardian (the Nozomi Networks flagship technology) so unique and powerful. From enterprise IT, to OT, we enable scalable security strategies for ICS.
Presented at ISACA's EuroCACS 2015 (Copenhaguen).
Understand the impact of Industrial Control Systems (ICS) on the security ecosystem.
Expand the knowledge on SCADA systems and how cyberattacks can have physical consequences, bridging the cyber and physical worlds.
This presentation was given at BSides Las Vegas 2015.
The modern times that we live in, the gentle shift that we are making towards the Internet of Things (IoT) is slowly but surely getting a grip on our day to day lives. The same goes for securing our Industrial Control Systems (ICS). We see that the demand for ICS security is raising and governmental regulations are being established and implement. However, this also means that the need for ICS security professionals is raising as well. More and more security professionals/firms are starting to perform security assessments such as penetration testing on an ICS level. Two years ago I got the question if I was up for the challenge, converting myself from a ‘normal’ security professional to a ICS specific security professional.
The purpose of this talk would be to provide a starting point for security professionals that want to make the shift towards ICS Security, just like I did two years ago. While the term starting point might be a bit misleading, the goal would be to provide an ICS 001 talk instead in contrast to an ICS 101 talk.
Your SCADA system has a vulnerability, now what? I shortly summarize the DNP3 vulnerabilities (and other ICS protocols too). Then I focus on the different mitigations that an ICS owner can do to mitigate these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.
The Nozomi Networks solution improves ICS cyber resiliency and provides real-time operational visibility. Major customers have improved reliability, cybersecurity and operational efficiency using our technology. Learn more about our solutions and technology here and how they can bring immediate benefit to your industrial control system (ICS)
Secure Systems Security and ISA99- IEC62443Yokogawa1
With the new Industrial Network standards like ISA-IEC62443 companies are evolving their IT and OT networks to face evolving threats. This presentation will cover industrial networking best practices, secure architectures and segregation techniques that can be used by all businesses to prevent a minor business network breach from becoming an industrial catastrophe.
Topics Covered in this Seminar Include:
Overview Of Cyber Threat
Introduction - ISA IEC Industrial Control Security Standards
An Example - Advanced Persistent Threat (APT)
ISA/IEC 62443-3-2 Network Separation - An APT countermeasure
The next step in APT defenses System Certification to ISA/IEC 62443 Cybersecurity Standards
ISA/IEC 62443 Cybersecurity Standards Current Efforts
The Future of ISA/IEC 62443 Cybersecurity Standards
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
Over the last 5 years, Data Centers, your most important asset, have evolved massively. The pace of change continues to ramp with new Architectures, Virtualization, Fabrics and Clouds. How do you evolve your data centers and ensure they are secure, and prove they are secure, for compliance and audit? Using a practical and pragmatic approach, we will present and demonstrate how Cisco can help you tackle your security challenges, leveraging the intelligent network infrastructure and the broadest security portfolio in the industry (ASA5585, ASA SM, ASA 1000v, VSG and TrustSec with ISE).
Presented: September 21, 2017
At: CS2AI, Washington, DC
A decade ago, ISA99 published the first standard in what is now the ISA/IEC 62443 series. Since then, the series has coalesced into the current form consisting of 13 individual documents in various stages of completion, publication, and/or revision. Printing out all of the existing standards and drafts can easily use up more than a ream of paper. It can be a daunting task to try to apply it to an organization. So, what are you supposed to do? How are you supposed to proceed? In this talk, I’ll go over some of the lessons I’ve learned from helping customers develop and evaluate security programs within their organization.
Security Operations Center (SOC) Essentials for the SMEAlienVault
Closing the gaps in security controls, systems, people and processes is not an easy feat, particularly for IT practitioners in smaller organizations with limited budgets and few (if any) dedicated security staff. So, what are the essential security capabilities needed to establish a security operations center and start closing those gaps?
Join Javvad Malik of 451 Research and Patrick Bedwell, VP of Product Marketing at AlienVault for this session covering:
*Developments in the threat landscape driving a shift from preventative to detective controls
*Essential security controls needed to defend against modern threats
*Fundamentals for evaluating a security approach that will work for you, not against you
*How a unified approach to security visibility can help you get from install to insight more quickly
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
In my topic I’ll share my experience in analysis of most popular open and vendor’s specific proprietary industrial protocols.
For each protocol I will present packet structure, real examples, (in)secure features and possible hacks.
At the end of the topic I’ll share my practial approach, methodology and useful scripts.
During the presentation we will talk about:
Well-known protocols: Profinet, Modbus, DNP3
IEC 61850-8-1 (MMS)
IEC 61870-5-101/104
FTE (Fault Tolerant Ethernet)
Siemens S7
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...CODE BLUE
Electrical Grid is one of the sophisticated systems humanity ever built. New technologies such as IEC 61850 and Europe-wide initiatives to create continent-wide SmartGrid systems makes it more and more complex.
Our latest research was devoted to the analysis of the threat landscape, architecture and implementation of the modern Smart Grid elements, including relay protection, wind and solar energy generation.
It may seem (not) surprising but the systems which manage huge turbine towers and household PhotoVoltaic plants are not only connected to the internet but also prone to many well known vulnerabilities and low-hanging 0-days. Even if these systems cannot be found via Shodan, fancy cloud technologies leave no chances for security.
In this talk, we summarize our practical experience in security assessment of different components of European SmartGrid technologies: from housekeeping and rooftop PV systems to digital substations. We will release new (but responsibly disclosed) vulnerabilities in SmartGrid components, Cloud SCADA technologies as well as new tools for security assessment of SmartGrid industrial protocols.
My talk from the ICS Cyber Security Conference in Atlanta on October 24th. Really enjoyed the great conversations on a topic which really can highlight the difference of opinions in the ICSsec community. Hope you all enjoy!
The Industrial IoT depends on connectivity and information exchange. Much of the business value derives from the ability to have independent systems share information in order to derive knowledge, make "smart decisions", and offer behavior and functionality never before possible.
Many industrial systems were designed with a focus on reliability and safety at a time were implicit trust of all components and communication was the norm. Restricting physical access is currently the only practical method for protecting this existing critical infrastructure. This includes the electrical power grid, process control, transportation, or manufacturing systems. This is changing with increased connectivity to the Internet and personal computers as well as awareness of malicious insider threats. Many industrial systems are being (or want to be) connected to external networks using standard technologies like Ethernet and the Internet Protocol Suite (TCP/UDP/IP). These technologies make systems more functional and efficient, unfortunately they also open the critical infrastructure to cyber attacks.
New IIoT Systems are being designed with security as a key concern. New systems can leverage a solid set of security technologies and building blocks for Authentication, Cryptography, Integrity, etc. However these security technologies must be used correctly and in ways that do not disrupt the performance or access to the legitimate applications/devices, yet limit legitimate access to just the needed information (to minimize the insider threats) and denies access to all others. Adding to this difficulties the new systems need to co-exist and (securely) exchange information with the already-deployed legacy systems which were built without such security elements.
Secure DDS (a recent standard from the OMG) is a "secure connectivity middleware" technology that can be used to address these three needs: (1) Build modern secure IIoT systems, (2) Secure legacy Industrial systems being connected on the Internet, and (3) Securely bridge between new and legacy systems. Secure DDS extends the proven Data-Distribution Service (DDS) and Real-Time Publish-Subscribe Protocol (DDS-RTPS) standards with enterprise-grade authentication, encryption and fine-grained security controls while maintaining the peer-to-peer, robustness and scalability features (including secure multicast) that have made DDS a clear choice for critical infrastructure systems.
This presentation introduces the DDS Security specification and provide describe several use-cases that exemplify how these standards are deployed in real-world applications.
Embedded computing is everywhere. It is in our car engines, refrigerators, and even in the singing greeting cards we send. With improvements in wireless technology, these systems are starting to talk with each other, and they are appearing in places like our shoes and wrists to monitor our athletic activity or health. This emerging Internet of Everything (IoE) has tremendous potential to improve our lives. But like any powerful technology, it also has a dark side: it will observe and implement many of our actions. Security in the IoE is likely to be even more critical than general Internet security. After reviewing some of the challenges in creating a secure IoE, Horowitz will describe a new research program at Stanford to address this issue.
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]qqlan
For two years SCADA StrangeLove speaks about Industrial Control Systems and nuclear plants. This year we want to discuss Green Energy. Our hackers' vision of Green Energy, SmartGrids and Cloud IoT technology.
We will also speak about the security problems of traditional "heavy" industrial solutions, about the things that Zurich Airport and Large Hadron Collider have in common On top of it you will learn about our new releases, some funny and not so funny stories about discovery and fixing of vulnerabilities and the latest news from the front struggling for the Purity of Essence. Our latest research was devoted to the analysis of the architecture and implementation of the most wide spread platforms for wind and solar energy generation which produce many gigawatts of it. It may seem (not) surprising but the systems which manage huge turbine towers and household PhotoVoltaic plants are not only connected to the internet but also prone to many well known vulnerabilities and low-hanging 0-days. Even if these systems cannot be found via Shodan, fancy cloud technologies leave no chances for security. We will also speak about the security problems of traditional "heavy" industrial solutions, about the things that Zurich Airport and Large Hadron Collider have in common and why one should not develop brand new web server. Specially for the specialists on the other side of the fences, we will show by example of one industry the link between information security and industrial safety and will also demonstrate how a root access gained in a few minutes can bring to nought all the years of efforts that were devoted to the improvement of fail-safety and reliability of the ICS system. On top of it you will learn about our new releases, some funny and not so funny stories about discovery and fixing of vulnerabilities and the latest news from the front struggling for the Purity of Essence.
──────────
➤Speaker: Sergey Gordeychik, Aleksandr Timorin
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
When speed and latency counts, there is no place for standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of own cryptography, revertible hash algorithms and no access control at all.
We would like to present our approach and a short guideline how to reverse engineer proprietary protocols. To demonstrate, we will show you few case-studies, which in our opinion are a quintessence of ""security by obscurity"" - the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
Cybersecurity has become a critical concern for businesses across all industries as they increasingly rely on digital technology to operate. In the face of evolving cyber threats such as ransomware attacks, data breaches, and other types of cyberattacks, organizations need to implement robust cybersecurity measures to protect their sensitive data, intellectual property, and reputation. Effective cybersecurity in industry requires a proactive approach to identify and address vulnerabilities and threats, including implementing firewalls, encryption, and multifactor authentication. It is also important for organizations to provide cybersecurity training to their employees and to develop incident response plans to minimize the damage in the event of a cyber attack. Additionally, complying with relevant regulatory requirements, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), is essential for maintaining customer trust and avoiding legal consequences. Ultimately, cybersecurity in industry is critical to maintaining the confidentiality, integrity, and availability of information and ensuring that businesses can continue to operate securely and efficiently in the digital age.
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
IIoT solutions are providing operators with massive volumes of data while making it easier to apply them to improvements in quality and efficiency. However, the cybersecurity risk to IIoT solutions is often overlooked. Many IIoT devices reside on networks that use open connections such as Wi-Fi, cellular, or satellite. Those could inadvertently increase an ICS threat surface.
Participants in this session will learn how to configure new and existing IIoT devices in a manner that will continue providing the value of the IIoT solution while reducing the exposure to cyberattacks. Guidelines will also be provided in cases of IIoT devices, which do provide inherent security configuration options.
Old presentation held at a local event of the Critical Infrastructure Protection Directorate in Malta, September 2015.
An overview of the HMI/SCADA attack scenarios.
This talk summarizes the state of IoT security, specifically as it relates to Industrial Control and Energy. When hearing the buzz-word “Internet of Things,” we typically think of the consumer world: smart toasters and connected fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on. Industrial Control Systems (ICS) are not unique snowflakes anymore but use the same ubiquitous technology as found in consumer IoT Devices. This presentation summarizes our experiences at Senrio exploiting embedded system and discusses the reasons why these insecure design patterns exist; including business drivers and technology factors. We will share stories and anecdotes based on 10 years of research, training and consulting (including real vulnerabilities and how they work).
Similar to Attacking SCADA systems: Story Of SCADASTRANGELOVE (20)
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
This presentation by Morris Kleiner (University of Minnesota), was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found out at oe.cd/crps.
This presentation was uploaded with the author’s consent.
0x01 - Newton's Third Law: Static vs. Dynamic AbusersOWASP Beja
f you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
Acorn Recovery: Restore IT infra within minutesIP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Orkestra
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
2. Aleksandr Timorin lifecycle:
Studied mathematics (OMG!)
Python developer
Penetration tester
ICS security researcher:
• Industrial protocols fan and 0-day PLC hunter
• SCADAStrangeLove team member
atimorin
atimorin@protonmail.ch
3. WWW: who are we, why are we and what are we for ?
Milestone
Projects:
• Past
• Present
• Future
Results
4.
5. Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster
and to keep Purity Of Essence
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Scherbel
Timur Yunusov
Valentin Shilnenkov
Vladimir Kochetkov
Vyacheslav Egoshin
Yuri Goltsev
Yuriy Dyachenko
8. • ICS is everywhere
• Old technologies without classic and modern security
principles
• ICS networks “isolated”, but connected to other nets, other
nets connected to Internet
• Sometimes (shodan/censys/zmap/masscan proved) ICS
devices connected to the Internet directly
• Hacking ICS without money does not attract evil guy
• Engineers tend to say “this works for a long period of time!
Don’t touch it!”
9. • But reality shows us that evil guys touch them and ICS so
tender
• We was worried about it.
• We didn’t accept this approach.
• We decided to change situation.
• Then SCADASTRANGELOVE was born
11. As a group of researchers we work in different companies
Not only one company with private atmosphere
Everybody can be a member
12. Members has their own projects but still contributing to long-
term projects #SCADAPASS and #SCADASOS
13. We regularly give a talks worldwide in security conferences:
CCC, Power of Community, CodeBlue, PacSec, PHDays,
Zeronights, Confidence, Hack.lu …
We show and share our results with community
We share researches of our projects
We share toolkits, scripts, dorks, analytics and statistics
14. 2012: only 4 members
From 2013 to 2016: over 30 members
Over 100 0-dayz
Tons of vulnerabilities: binary, web, default credentials and
so on
Different industries: from transportation to renewable energy
15. Vulnerabilities:
• Memory errors
• Cryptofails
• Web
• Special “features” (aka backdoors)
• Default and hardcoded credentials
• Industrial protocols
• Fun but non-profit
32. • Hardcodes are for protocols with auth: SNMP, telnet, HTTP,
etc.
• You can hardcode keys, certificates, passwords
• SMA Sunny WebBox
33. • Siemens SIPROTEC 4 protective relay confirmation code
“311299”:
- System log
- Device info
- Stack and other
parts of memory
- More ?
34. • Siemens SIPROTEC 4 protective relay confirmation code
“311299”:
“SIPROTEC 4 and SIPROTEC Compact devices allow the
display of extended internal statistics and test information…
To access this information, the confirmation code “311299” needs
to be provided when prompted.”
“...Siemens does not publish official documentation on these
statistics. It is strongly recommended to work together with
Siemens SIPROTEC customer care or commissioning experts to
retrieve and interpret the statistics and test information...”
35. • Siemens S7-1200 PLC, CVE-2014-2252
“An attacker could cause the device to go into defect mode if
specially crafted PROFINET packets are sent to the device. A
cold restart is required to recover the system. ”
Just “set” PROFINET request: set network info (ip, netmask,
gateway) with all zero values.
47. 3e6cd1f7bdf743cac6dcba708c21994f MD5 of ? (16bytes)
d37fa1c3 CONST (4 bytes)
0001 user logout counter (2 bytes)
0001 counter of issued cookies for this user (2
bytes)
00028ad7 value that doesn’t matter (4 bytes)
0a00aac8 user IP address (10.0.170.200) (4 bytes)
00000000000000008ad72143 value that doesn’t matter (12 bytes)
What about 3e6cd1f7bdf743cac6dcba708c21994f ?
48. MD5( NEXT 26 BYTES OF COOKIE + 16BYTES OF SECRET + 2 NULL BYTES)
What is SECRET ?
SECRET generates after PLC start by ~PRNG.
PRNG is a little bit harder than standard C PRNG.
SEED in {0x0000 , 0xFFFF}
49. SEED very often depends on time value
SEED = PLC START TIME + 320
320 by practical way: secret generates after ~ 3-4 seconds of PLC start using
current time
PLC START TIME = CURRENT TIME – UPTIME
Current time via web interface
Uptime via SNMP with hardcoded
read community string “public”
60. We work with responsible disclosure approach
Full disclosure = all vuln details immediately in the wild.
Giving the vendors absolutely no opportunity to release a fix
Responsible disclosure = researcher contacts the vendor
before the vulnerability is released. And all stakeholders
agree to allow a period of time for the vulnerability to be
patched before publishing the details.
Because vulnerability patching very important for ICS and
can take months. Even years.
61. That’s why responsible disclosure in ICS highly important
62. 1. Research
2. We send details directly to vendor and CERT
3. Vendor create CVE
4. Vulnerability patched
5. SCADASL public disclosure and exploit/toolkit publishing
6. Applause to SCADASL
7. Research
8. …
65. #SCADASOS
(un)Secure Open SmartGrids is open initiative to rise
awareness on insecurities of SmartGrid, Photovoltaic Power
Stations and Wind Farms
66. Q: How to participate
A: Find Internet-connected PV and Wind power stations and notify vendors/CERTs/community.
Q: Wow! It simple! Can I hack it?
A: No. It can be a hospital or your grandma’s cottage. Please use passive approach (firmware analysis, testbeds etc.)
Q: I get an 0day!
A: Please submit it to vendor and/or regional CERT
Q: What will I get?
A: Kudos at SCADA StrangeLove Talks/Knowledge/Safer World.
Details
You can make shodan saved search or drop google dorks to twitter
Please use tags #solar #wind #scadasos
67. 60 000+ SmartGrid devices disconnected from the Internet
Two Advisories
• XZERES 442SR Wind Turbine CSRF
• SMA Solar Technology AG Sunny WebBox Hard-Coded
Account Vulnerability
68. Current and future:
Smart energy generation
Rail road and signaling systems
Digital substations
GSM/GPRS modems
69. Well-known and habitual world of information security
growing up, evolving, changing quickly
Because a lot of specialists involved in it
Unfortunately ICS security area not very mobile and
changeable
Also our team members growing old, starting a families
We think that our mission done successfully
71. Still trying to hack ICS, son?
Have you ever heard
about
SCADASTRANGELOVE ?!
72. All materials at SCADA.SL
We hope that our work can help you create your own
projects. But don’t forget about community and responsible
disclosure principle
73. *Allpicturesaretakenfrom
googleandotherInternets
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Scherbel
Timur Yunusov
Valentin Shilnenkov
Vladimir Kochetkov
Vyacheslav Egoshin
Yuri Goltsev
Yuriy Dyachenko
Editor's Notes
For eample DS in your window – easy target for evil guy. Bud good news and only one – he is not economically motivated to do this. No profit! He prefer to hack banks and so on