SlideShare a Scribd company logo

Attacking SCADA systems: Story Of SCADASTRANGELOVE

Download as PPTX, PDF
Aleksandr Timorin
Aleksandr Timorin

SCADASTRANGELOVE is a group of security researchers focused on ICS/SCADA security. They have discovered over 100 vulnerabilities in industrial control systems and devices since 2012. Their goal is to raise awareness of security issues in critical infrastructure systems and work with a responsible disclosure process to help vendors patch vulnerabilities.

Presentations & Public Speaking
1 of 73
*AllpicturesaretakenfromDr StrangeLovemovieandother Internets Sergey Gordeychik Aleksandr Timorin Gleb Gritsai SCADA STRANGELOVE SCADA.SL
Aleksandr Timorin lifecycle:  Studied mathematics (OMG!)  Python developer  Penetration tester  ICS security researcher: • Industrial protocols fan and 0-day PLC hunter • SCADAStrangeLove team member atimorin atimorin@protonmail.ch
 WWW: who are we, why are we and what are we for ?  Milestone  Projects: • Past • Present • Future  Results
 Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
 We work for community and as community
Since Stuxnet (2010) ICS industry especially security has been warned.
• ICS is everywhere • Old technologies without classic and modern security principles • ICS networks “isolated”, but connected to other nets, other nets connected to Internet • Sometimes (shodan/censys/zmap/masscan proved) ICS devices connected to the Internet directly • Hacking ICS without money does not attract evil guy • Engineers tend to say “this works for a long period of time! Don’t touch it!”
• But reality shows us that evil guys touch them and ICS so tender • We was worried about it. • We didn’t accept this approach. • We decided to change situation. • Then SCADASTRANGELOVE was born
Peace is our profession!
 As a group of researchers we work in different companies  Not only one company with private atmosphere  Everybody can be a member
Members has their own projects but still contributing to long- term projects #SCADAPASS and #SCADASOS
 We regularly give a talks worldwide in security conferences: CCC, Power of Community, CodeBlue, PacSec, PHDays, Zeronights, Confidence, Hack.lu …  We show and share our results with community  We share researches of our projects  We share toolkits, scripts, dorks, analytics and statistics
 2012: only 4 members  From 2013 to 2016: over 30 members  Over 100 0-dayz  Tons of vulnerabilities: binary, web, default credentials and so on  Different industries: from transportation to renewable energy
Vulnerabilities: • Memory errors • Cryptofails • Web • Special “features” (aka backdoors) • Default and hardcoded credentials • Industrial protocols • Fun but non-profit
Vulnerabilities: • Siemens • General electric • Schneider electric • Yokogawa • Honeywell • Abb • Advantech • etc
Vulnerabilities: • Server/client scada software • PLC, HMI, RTU • Protective relays, actuators, converters • Smart meters, data concentrators • Network switches, gateways • Gsm/gprs modems • etc
• Honeywell EPKS, CVE-2014-9189
• Honeywell EPKS, CVE-2014-9187
• cb is a buffer size
• SpiderControl SCADA Web Server, stack-based bof, CVE- 2015-1001
to get firmware? to get debug symbols? to debug? ..PowerPC no “operation system”
• Siemens SIPROTEC 7SJ64 (protective relay) XSS
• Siemens WinCC
WinCCExplorer.exe/PdlRt.exe Create and use your own security features Instead of standard features – that’s A bad idea!
• Hardcodes are for protocols with auth: SNMP, telnet, HTTP, etc. • You can hardcode keys, certificates, passwords • SMA Sunny WebBox
• Siemens SIPROTEC 4 protective relay confirmation code “311299”: - System log - Device info - Stack and other parts of memory - More ?
• Siemens SIPROTEC 4 protective relay confirmation code “311299”: “SIPROTEC 4 and SIPROTEC Compact devices allow the display of extended internal statistics and test information… To access this information, the confirmation code “311299” needs to be provided when prompted.” “...Siemens does not publish official documentation on these statistics. It is strongly recommended to work together with Siemens SIPROTEC customer care or commissioning experts to retrieve and interpret the statistics and test information...”
• Siemens S7-1200 PLC, CVE-2014-2252 “An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system. ” Just “set” PROFINET request: set network info (ip, netmask, gateway) with all zero values.
KIOSK mode: Limit access to OS functions
KIOSK mode: Limit access to OS functions
• Wincc accounts: “secret” crypto key
• WinCC accounts: “secret” crypto key fixed • It’s XOR, they should not bother hardcoding for XOR
PLC password “encryption” Password (8 bytes)
• TIA Portal PEData.plf passwords history
• Winccwebbridge.dll: please hash your hardcoded account
• Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE- 2014-2251
• Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE- 2014-2251 • Seed = plc_start_time + const
Target – Siemens S7-1200 PLC
PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM= uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM= Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM= tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM= 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143 b8b8875d9513cb618c823af52a682670d37fa1c30001000200028ad70a00aac800000000000000008ad72143 32efef822220b6bc6ad0b569dba9e432d37fa1c30001000300028ad70a00aac800000000000000008ad72143 b631fabed35609f6be4191cf0ed0a729d37fa1c30002000300028ad70a00aac800000000000000008ad72143
3e6cd1f7bdf743cac6dcba708c21994f MD5 of ? (16bytes) d37fa1c3 CONST (4 bytes) 0001 user logout counter (2 bytes) 0001 counter of issued cookies for this user (2 bytes) 00028ad7 value that doesn’t matter (4 bytes) 0a00aac8 user IP address (10.0.170.200) (4 bytes) 00000000000000008ad72143 value that doesn’t matter (12 bytes) What about 3e6cd1f7bdf743cac6dcba708c21994f ?
MD5( NEXT 26 BYTES OF COOKIE + 16BYTES OF SECRET + 2 NULL BYTES) What is SECRET ? SECRET generates after PLC start by ~PRNG. PRNG is a little bit harder than standard C PRNG. SEED in {0x0000 , 0xFFFF}
SEED very often depends on time value SEED = PLC START TIME + 320 320 by practical way: secret generates after ~ 3-4 seconds of PLC start using current time PLC START TIME = CURRENT TIME – UPTIME Current time via web interface Uptime via SNMP with hardcoded read community string “public”
Profinet “feature” and PRNG vulnerability - real attack vector. Result - PLC takeover.
- Hash passwords - SHA is not good enough - Put length of plaintext nearby Redbox_value = len(pwd)*2+1
“Secure” set up speed of energetic turbine More details at “SCADA deep inside: protocols and security mechanisms”
Industrial protocols: S7-300 PLC password cracker. Included in the popular tool thc-hydra.
Don’t patch too much
Wait a second….
 We work with responsible disclosure approach  Full disclosure = all vuln details immediately in the wild. Giving the vendors absolutely no opportunity to release a fix  Responsible disclosure = researcher contacts the vendor before the vulnerability is released. And all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details.  Because vulnerability patching very important for ICS and can take months. Even years.
 That’s why responsible disclosure in ICS highly important
1. Research 2. We send details directly to vendor and CERT 3. Vendor create CVE 4. Vulnerability patched 5. SCADASL public disclosure and exploit/toolkit publishing 6. Applause to SCADASL 7. Research 8. …
Analytics every year:  ICSMAP  ICSDORKS
 #SCADAPASS • Release 1.2 • 37 vendors • PLC, RTU, gateways, switches, servers …
 #SCADASOS (un)Secure Open SmartGrids is open initiative to rise awareness on insecurities of SmartGrid, Photovoltaic Power Stations and Wind Farms
Q: How to participate A: Find Internet-connected PV and Wind power stations and notify vendors/CERTs/community. Q: Wow! It simple! Can I hack it? A: No. It can be a hospital or your grandma’s cottage. Please use passive approach (firmware analysis, testbeds etc.) Q: I get an 0day! A: Please submit it to vendor and/or regional CERT Q: What will I get? A: Kudos at SCADA StrangeLove Talks/Knowledge/Safer World. Details You can make shodan saved search or drop google dorks to twitter Please use tags #solar #wind #scadasos
 60 000+ SmartGrid devices disconnected from the Internet  Two Advisories • XZERES 442SR Wind Turbine CSRF • SMA Solar Technology AG Sunny WebBox Hard-Coded Account Vulnerability
Current and future:  Smart energy generation  Rail road and signaling systems  Digital substations  GSM/GPRS modems
 Well-known and habitual world of information security growing up, evolving, changing quickly  Because a lot of specialists involved in it  Unfortunately ICS security area not very mobile and changeable  Also our team members growing old, starting a families  We think that our mission done successfully
 But not finished yet….
Still trying to hack ICS, son? Have you ever heard about SCADASTRANGELOVE ?!
 All materials at SCADA.SL  We hope that our work can help you create your own projects. But don’t forget about community and responsible disclosure principle
*Allpicturesaretakenfrom googleandotherInternets Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko

Recommended

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale fun
Jan Seidl
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
PECB
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
pgmaynard
 
Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...
Schneider Electric
 

Recommended

Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale fun
Jan Seidl
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
PECB
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
pgmaynard
 
Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...
Schneider Electric
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
Filip Maertens
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
Wavestone
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
Chris Sistrunk
 
Industrial Security.pdf
Industrial Security.pdfIndustrial Security.pdf
Industrial Security.pdf
AhmedRKhan
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
Hemanth M
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
Shah Sheikh
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
arnaudsoullie
 
Nozomi networks-solution brief
Nozomi networks-solution briefNozomi networks-solution brief
Nozomi networks-solution brief
Nozomi Networks
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
Cisco Canada
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
ICS security
ICS securityICS security
ICS securityAhmed Shitta
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
PROIDEA
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3qqlan
 

More Related Content

What's hot

Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
Filip Maertens
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
Wavestone
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
Chris Sistrunk
 
Industrial Security.pdf
Industrial Security.pdfIndustrial Security.pdf
Industrial Security.pdf
AhmedRKhan
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
Hemanth M
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
Shah Sheikh
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
arnaudsoullie
 
Nozomi networks-solution brief
Nozomi networks-solution briefNozomi networks-solution brief
Nozomi networks-solution brief
Nozomi Networks
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
Cisco Canada
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
AlienVault
 

What's hot (20)

Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA security
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
Industrial Security.pdf
Industrial Security.pdfIndustrial Security.pdf
Industrial Security.pdf
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Nozomi networks-solution brief
Nozomi networks-solution briefNozomi networks-solution brief
Nozomi networks-solution brief
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
 
ICS security
ICS securityICS security
ICS security
 

Similar to Attacking SCADA systems: Story Of SCADASTRANGELOVE

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
PROIDEA
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3qqlan
 
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
TI Safe
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
Aleksandr Timorin
 
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
CODE BLUE
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?
Brian Proctor - GICSP, CISSP, CRISC
 
Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)
Gerardo Pardo-Castellote
 
Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers" Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers"
shawn_merdinger
 
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of ThingsMark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Stanford School of Engineering
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
qqlan
 
Io t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425cIo t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425c
Charles Li
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
veerababu penugonda(Mr-IoT)
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
 
Automatski - The Internet of Things - Security in IoT
Automatski - The Internet of Things - Security in IoTAutomatski - The Internet of Things - Security in IoT
Automatski - The Internet of Things - Security in IoT
automatskicorporation
 
Cyber security and Industry.pptx
Cyber security and Industry.pptxCyber security and Industry.pptx
Cyber security and Industry.pptx
Sabahat Waheed
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Jakub Kałużny
 
Cybersecurity for Field IIoT Networks
Cybersecurity for Field IIoT NetworksCybersecurity for Field IIoT Networks
Cybersecurity for Field IIoT Networks
Yokogawa1
 
ICS Threat Scenarios
ICS Threat ScenariosICS Threat Scenarios
ICS Threat Scenarios
Luigi Auriemma
 
Security from sensor to sunset. “How to approach the security in the IoT ecos...
Security from sensor to sunset. “How to approach the security in the IoT ecos...Security from sensor to sunset. “How to approach the security in the IoT ecos...
Security from sensor to sunset. “How to approach the security in the IoT ecos...
Data Driven Innovation
 
The Insecurity of Industrial Things
The Insecurity of Industrial ThingsThe Insecurity of Industrial Things
The Insecurity of Industrial Things
Senrio
 

Similar to Attacking SCADA systems: Story Of SCADASTRANGELOVE (20)

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3
 
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?
 
Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)
 
Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers" Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers"
 
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of ThingsMark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
 
Io t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425cIo t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425c
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Automatski - The Internet of Things - Security in IoT
Automatski - The Internet of Things - Security in IoTAutomatski - The Internet of Things - Security in IoT
Automatski - The Internet of Things - Security in IoT
 
Cyber security and Industry.pptx
Cyber security and Industry.pptxCyber security and Industry.pptx
Cyber security and Industry.pptx
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
Cybersecurity for Field IIoT Networks
Cybersecurity for Field IIoT NetworksCybersecurity for Field IIoT Networks
Cybersecurity for Field IIoT Networks
 
ICS Threat Scenarios
ICS Threat ScenariosICS Threat Scenarios
ICS Threat Scenarios
 
Security from sensor to sunset. “How to approach the security in the IoT ecos...
Security from sensor to sunset. “How to approach the security in the IoT ecos...Security from sensor to sunset. “How to approach the security in the IoT ecos...
Security from sensor to sunset. “How to approach the security in the IoT ecos...
 
The Insecurity of Industrial Things
The Insecurity of Industrial ThingsThe Insecurity of Industrial Things
The Insecurity of Industrial Things
 

Recently uploaded

Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Matjaž Lipuš
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
khadija278284
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
Access Innovations, Inc.
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
Faculty of Medicine And Health Sciences
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Sebastiano Panichella
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
OWASP Beja
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Sebastiano Panichella
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
IP ServerOne
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
Sebastiano Panichella
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Orkestra
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
Vladimir Samoylov
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
Howard Spence
 

Recently uploaded (13)

Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
 

Attacking SCADA systems: Story Of SCADASTRANGELOVE

  • 2. Aleksandr Timorin lifecycle:  Studied mathematics (OMG!)  Python developer  Penetration tester  ICS security researcher: • Industrial protocols fan and 0-day PLC hunter • SCADAStrangeLove team member atimorin atimorin@protonmail.ch
  • 3.  WWW: who are we, why are we and what are we for ?  Milestone  Projects: • Past • Present • Future  Results
  • 4.
  • 5.  Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
  • 6.  We work for community and as community
  • 7. Since Stuxnet (2010) ICS industry especially security has been warned.
  • 8. • ICS is everywhere • Old technologies without classic and modern security principles • ICS networks “isolated”, but connected to other nets, other nets connected to Internet • Sometimes (shodan/censys/zmap/masscan proved) ICS devices connected to the Internet directly • Hacking ICS without money does not attract evil guy • Engineers tend to say “this works for a long period of time! Don’t touch it!”
  • 9. • But reality shows us that evil guys touch them and ICS so tender • We was worried about it. • We didn’t accept this approach. • We decided to change situation. • Then SCADASTRANGELOVE was born
  • 10. Peace is our profession!
  • 11.  As a group of researchers we work in different companies  Not only one company with private atmosphere  Everybody can be a member
  • 12. Members has their own projects but still contributing to long- term projects #SCADAPASS and #SCADASOS
  • 13.  We regularly give a talks worldwide in security conferences: CCC, Power of Community, CodeBlue, PacSec, PHDays, Zeronights, Confidence, Hack.lu …  We show and share our results with community  We share researches of our projects  We share toolkits, scripts, dorks, analytics and statistics
  • 14.  2012: only 4 members  From 2013 to 2016: over 30 members  Over 100 0-dayz  Tons of vulnerabilities: binary, web, default credentials and so on  Different industries: from transportation to renewable energy
  • 15. Vulnerabilities: • Memory errors • Cryptofails • Web • Special “features” (aka backdoors) • Default and hardcoded credentials • Industrial protocols • Fun but non-profit
  • 16. Vulnerabilities: • Siemens • General electric • Schneider electric • Yokogawa • Honeywell • Abb • Advantech • etc
  • 17. Vulnerabilities: • Server/client scada software • PLC, HMI, RTU • Protective relays, actuators, converters • Smart meters, data concentrators • Network switches, gateways • Gsm/gprs modems • etc
  • 18. • Honeywell EPKS, CVE-2014-9189
  • 19. • Honeywell EPKS, CVE-2014-9187
  • 20. • cb is a buffer size
  • 21. • SpiderControl SCADA Web Server, stack-based bof, CVE- 2015-1001
  • 22.
  • 23. to get firmware? to get debug symbols? to debug? ..PowerPC no “operation system”
  • 24.
  • 25.
  • 26.
  • 27. • Siemens SIPROTEC 7SJ64 (protective relay) XSS
  • 29.
  • 30.
  • 31. WinCCExplorer.exe/PdlRt.exe Create and use your own security features Instead of standard features – that’s A bad idea!
  • 32. • Hardcodes are for protocols with auth: SNMP, telnet, HTTP, etc. • You can hardcode keys, certificates, passwords • SMA Sunny WebBox
  • 33. • Siemens SIPROTEC 4 protective relay confirmation code “311299”: - System log - Device info - Stack and other parts of memory - More ?
  • 34. • Siemens SIPROTEC 4 protective relay confirmation code “311299”: “SIPROTEC 4 and SIPROTEC Compact devices allow the display of extended internal statistics and test information… To access this information, the confirmation code “311299” needs to be provided when prompted.” “...Siemens does not publish official documentation on these statistics. It is strongly recommended to work together with Siemens SIPROTEC customer care or commissioning experts to retrieve and interpret the statistics and test information...”
  • 35. • Siemens S7-1200 PLC, CVE-2014-2252 “An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system. ” Just “set” PROFINET request: set network info (ip, netmask, gateway) with all zero values.
  • 36. KIOSK mode: Limit access to OS functions
  • 37. KIOSK mode: Limit access to OS functions
  • 38. • Wincc accounts: “secret” crypto key
  • 39. • WinCC accounts: “secret” crypto key fixed • It’s XOR, they should not bother hardcoding for XOR
  • 41. • TIA Portal PEData.plf passwords history
  • 42. • Winccwebbridge.dll: please hash your hardcoded account
  • 43. • Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE- 2014-2251
  • 44. • Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE- 2014-2251 • Seed = plc_start_time + const
  • 45. Target – Siemens S7-1200 PLC
  • 47. 3e6cd1f7bdf743cac6dcba708c21994f MD5 of ? (16bytes) d37fa1c3 CONST (4 bytes) 0001 user logout counter (2 bytes) 0001 counter of issued cookies for this user (2 bytes) 00028ad7 value that doesn’t matter (4 bytes) 0a00aac8 user IP address (10.0.170.200) (4 bytes) 00000000000000008ad72143 value that doesn’t matter (12 bytes) What about 3e6cd1f7bdf743cac6dcba708c21994f ?
  • 48. MD5( NEXT 26 BYTES OF COOKIE + 16BYTES OF SECRET + 2 NULL BYTES) What is SECRET ? SECRET generates after PLC start by ~PRNG. PRNG is a little bit harder than standard C PRNG. SEED in {0x0000 , 0xFFFF}
  • 49. SEED very often depends on time value SEED = PLC START TIME + 320 320 by practical way: secret generates after ~ 3-4 seconds of PLC start using current time PLC START TIME = CURRENT TIME – UPTIME Current time via web interface Uptime via SNMP with hardcoded read community string “public”
  • 50. Profinet “feature” and PRNG vulnerability - real attack vector. Result - PLC takeover.
  • 51.
  • 52. - Hash passwords - SHA is not good enough - Put length of plaintext nearby Redbox_value = len(pwd)*2+1
  • 53. “Secure” set up speed of energetic turbine More details at “SCADA deep inside: protocols and security mechanisms”
  • 54. Industrial protocols: S7-300 PLC password cracker. Included in the popular tool thc-hydra.
  • 55.
  • 56.
  • 57.
  • 60.  We work with responsible disclosure approach  Full disclosure = all vuln details immediately in the wild. Giving the vendors absolutely no opportunity to release a fix  Responsible disclosure = researcher contacts the vendor before the vulnerability is released. And all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details.  Because vulnerability patching very important for ICS and can take months. Even years.
  • 61.  That’s why responsible disclosure in ICS highly important
  • 62. 1. Research 2. We send details directly to vendor and CERT 3. Vendor create CVE 4. Vulnerability patched 5. SCADASL public disclosure and exploit/toolkit publishing 6. Applause to SCADASL 7. Research 8. …
  • 63. Analytics every year:  ICSMAP  ICSDORKS
  • 64.  #SCADAPASS • Release 1.2 • 37 vendors • PLC, RTU, gateways, switches, servers …
  • 65.  #SCADASOS (un)Secure Open SmartGrids is open initiative to rise awareness on insecurities of SmartGrid, Photovoltaic Power Stations and Wind Farms
  • 66. Q: How to participate A: Find Internet-connected PV and Wind power stations and notify vendors/CERTs/community. Q: Wow! It simple! Can I hack it? A: No. It can be a hospital or your grandma’s cottage. Please use passive approach (firmware analysis, testbeds etc.) Q: I get an 0day! A: Please submit it to vendor and/or regional CERT Q: What will I get? A: Kudos at SCADA StrangeLove Talks/Knowledge/Safer World. Details You can make shodan saved search or drop google dorks to twitter Please use tags #solar #wind #scadasos
  • 67.  60 000+ SmartGrid devices disconnected from the Internet  Two Advisories • XZERES 442SR Wind Turbine CSRF • SMA Solar Technology AG Sunny WebBox Hard-Coded Account Vulnerability
  • 68. Current and future:  Smart energy generation  Rail road and signaling systems  Digital substations  GSM/GPRS modems
  • 69.  Well-known and habitual world of information security growing up, evolving, changing quickly  Because a lot of specialists involved in it  Unfortunately ICS security area not very mobile and changeable  Also our team members growing old, starting a families  We think that our mission done successfully
  • 70.  But not finished yet….
  • 71. Still trying to hack ICS, son? Have you ever heard about SCADASTRANGELOVE ?!
  • 72.  All materials at SCADA.SL  We hope that our work can help you create your own projects. But don’t forget about community and responsible disclosure principle
  • 73. *Allpicturesaretakenfrom googleandotherInternets Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko

Editor's Notes

  1. For eample DS in your window – easy target for evil guy. Bud good news and only one – he is not economically motivated to do this. No profit! He prefer to hack banks and so on
  2. JUST A BSOD_JOKE!