Experience with testing industrial cybersecurity solutions against real-world attack scenarios
• Industrial Cybersecurity Business Development at Kaspersky Lab
• Head of program committee of Kaspersky Industrial Cybersecurity Conference
• Coordinator for Russia at Industrial Cybersecurity Center (CCI)
• Co-Founder of ICS Cyber Security community RUSCADASEC
• Certified SCADA Security Architect (CSSA), CISSP, CEH
• @shipulin_anton
https://ics.kaspersky.com/
https://www.nsslabs.com/tested-technologies/
https://twitter.com/shipulin_anton
https://attack.mitre.org
https://public.tableau.com/profile/cyb3rpanda#!/vizhome/MITREATTCKMatrixforEnterpriseV2/ATTCK
Endpoint Data / Network Data
https://www.gartner.com/en/documents/3875421
https://blogs.gartner.com/augusto-barros/2018/04/17/threat-simulation-open-source-projects/
https://github.com/redhuntlabs/RedHunt-OS/
https://attackevals.mitre.org
https://ctf.kaspersky.com
Full details on the testbed
https://itrust.sutd.edu.sg/testbeds/secure-water-treatment-swat/
6 stages:
►P1: Raw water supply and storage
►P2: Pre-treatment
►P3: Ultrafiltration and backwash
►P4: De-chlorination system
►P5: Reverse osmosis (RO)
►P6: RO permeate transfer, UF backwash and cleaning
Cybercriminal Attacker Model
- Control of the PLC through a bridged man-in-the-middle (MITM) at Level 0
- Control of the chemical dosing system through a Python script (pycomm)
- Control of the Historian through Wi-Fi cracking (Aircrack)
- Control of the pressure through Server Message Block (SMB)
- Control of the water level in the tank through the Metasploit VNC scanner
- Control of the pump through a rogue router
- Control of the pump through FactoryTalk and a password vulnerability
- Control of the pressure pump through a Python script (pycomm)
- Control of the pump through a compromised HMI
- Overwriting data stored in the Historian
- Control of the Historian through MITM using ARP spoofing
Insider Attacker Model
- Control of the motorised valve through manual intervention
- Control of the RIO/display through manual configuration on the sensor
- Control of the water pump P101 through a Python script (pycomm)
- Control of the water pump P101 through manual operation of the HMI
- Control of the pressure pump through a Python script (pycomm)
- Control of the water tank level LIT101 through a Python script (pycomm)
- Control of chemical dosing through modified PLC logic
- Control of the RIO through disconnecting an analogue input/output pin
- Control of the amount of chemical dosing through a Python script
- Control of the PLC through modification of PLC logic in Studio 5000
- Control of the motorised valve through modification of PLC logic in Studio 5000
- Control of the motorised valve MV201 through modification of PLC logic
- Control of the water tank level LIT301 through adjusting alarm levels
- Control of the chemical dosing pump P205 through manual operation of the dosing meter
- Control of the HMI/SCADA through simulation control
- Control of the PLC through disconnected network cables
Details: https://goo.gl/y1Pxre
• Out-of-the-box installation with no learning mode
• Only Level 1 (control network) traffic was monitored; Level 0 attacks were out of scope
• Physical attacks were not monitored
Detection results
Details: https://goo.gl/y1Pxre
2:23 - Scanning both Zycron and SWaT network concurrently.
2:30 - Discovered the VNC service.
2:38 - Attack: Attempting to do MITM attack on PLC1. Attempt to do bridge in primary PLC to RIO.
2:50 - Attack: Attempting to do Layer 0 MITM attack on LIT101. Spoof water level to 390.
2:54 - Attack successful!
2:59 - Attack: Download modified P2 PLC code.
3:01 - Attack unsuccessful!
3:18 - Attack: Downloading modified P2 PLC code. Attack unsuccessful!
3:19 - Attack: Trying to breach the firewall.
3:22 - Attack: Overwriting PLC code. Attack unsuccessful!
3:38 - Attack: Attempting to set LIT101 to 300. Attack unsuccessful!
4:16 - Spoofing attack on LIT101 at HMI successful!
4:45 - Download of PLC code failed!
5:07 - Launch on DPIT pressure successful!
5:18 - Attempt to change plant to manual mode.
5:19 - Attempt successful!
5:20 - Attempt to stop plant process.
5:23 - Attempt to stop/start plant successful!
5:28 - Attack: Attempt to do DoS attack on historian for all values. Attack unsuccessful!
5:36 - Attack: Attempt to do DoS attack on historian for all values. Attack unsuccessful!
6:18 - Attack: Attempt to do DoS attack on historian for all values. Attack unsuccessful!
6:20 - EternalBlue attack: time out!
https://itrust.sutd.edu.sg/ciss-2019/
Overview of dataset requests by country (left) and year (right)
• Secure Water Treatment (SWaT)
• SWaT Security Showdown (S317)
• Water Distribution (WADI)
• BATtle of Attack Detection Algorithms (BATADAL)
• Electric Power and Intelligent Control (EPIC)
• Blaq_0
https://itrust.sutd.edu.sg/research/dataset/
Visit by Kaspersky Lab
Kaspersky Machine Learning for Anomaly Detection results on the SWaT dataset:
Detected attacks: 23 out of 34
Not detected: 9 (small impact)
Correct interpretation: 22 out of 23
False positives: 3 (attack continuation)
New anomalies: 7
https://tinyurl.com/mlad2018
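The Level 0 spoofing attempts in the timeline above (freezing LIT101 at 390, trying to set it to 300) and the anomaly-detection results on the SWaT dataset are both about the same question: does the reported process state still obey the physics of the plant? The following is an added example, not Kaspersky's MLAD or any SUTD code. It models stage P1 in the crudest way (raw-water tank level LIT101 rises while inlet valve MV201 is open and falls while pump P101 runs, both tags from the attacker model above) and runs a two-sided CUSUM on the mass-balance residual. The rates, slack, threshold and the three traces are assumptions constructed for illustration, not SWaT calibration or dataset values.

```python
"""Process-aware check for a spoofed tank-level reading (added example).

Models SWaT stage P1 in the simplest way: raw-water tank level LIT101 rises
while inlet valve MV201 is open and falls while pump P101 runs. The rates,
CUSUM slack and threshold are assumed illustrative constants, not SWaT
calibration; the traces are constructed. A frozen reading stays inside every
per-sample alarm band, but the mass balance drifts and a CUSUM on the
residual catches it, as well as an abrupt jump.
"""
from dataclasses import dataclass
from typing import List, Tuple

IN_RATE = 1.2     # level units gained per sample while MV201 is open (assumed)
OUT_RATE = 0.8    # level units lost per sample while P101 runs (assumed)
SLACK = 0.2       # per-sample residual the CUSUM ignores (assumed)
THRESHOLD = 2.5   # accumulated residual that raises an alert (assumed)


@dataclass
class Sample:
    t: int
    lit101: float   # reported tank level
    mv201: int      # 1 = inlet valve open
    p101: int       # 1 = pump running


def expected_delta(s: Sample) -> float:
    """Level change predicted by the actuator states of the previous sample."""
    return IN_RATE * s.mv201 - OUT_RATE * s.p101


def residuals(samples: List[Sample]) -> List[Tuple[int, float]]:
    """(t, observed change minus physically expected change) per consecutive pair."""
    return [(cur.t, (cur.lit101 - prev.lit101) - expected_delta(prev))
            for prev, cur in zip(samples, samples[1:])]


def detect(samples: List[Sample], slack: float = SLACK, h: float = THRESHOLD) -> List[int]:
    """Two-sided CUSUM: alert when drift in either direction exceeds h, then reset."""
    alerts, s_pos, s_neg = [], 0.0, 0.0
    for t, r in residuals(samples):
        s_pos = max(0.0, s_pos + r - slack)   # reading higher than physics allows
        s_neg = max(0.0, s_neg - r - slack)   # reading lower than physics allows
        if s_pos >= h or s_neg >= h:
            alerts.append(t)
            s_pos = s_neg = 0.0               # reset so a persistent spoof alerts again
    return alerts


def normal_trace() -> List[Sample]:
    """Constructed benign history: five samples draining, then five filling."""
    samples, level = [], 388.0
    for t in range(10):
        mv, p = (0, 1) if t < 5 else (1, 0)
        samples.append(Sample(t, level, mv, p))
        level += IN_RATE * mv - OUT_RATE * p
    return samples


def frozen_trace() -> List[Sample]:
    """Constructed attack: a Level 0 MITM freezes LIT101 at 390 while P101 keeps draining."""
    return normal_trace() + [Sample(t, 390.0, 0, 1) for t in range(10, 20)]


def jump_trace() -> List[Sample]:
    """Constructed attack: a single write sets the reported LIT101 to 300."""
    return normal_trace() + [Sample(10, 300.0, 0, 1)]


if __name__ == "__main__":
    for name, trace in (("normal", normal_trace()), ("frozen", frozen_trace()), ("jump", jump_trace())):
        print(name, detect(trace))
```

The jump to 300 trips the detector on the first sample, the way a plain alarm band would. The frozen value at 390 is the interesting case: 390 is a perfectly valid level, so a per-tag alarm limit (the kind the insider model above tampers with on LIT301) never fires, while the residual against the running pump accumulates and the CUSUM alerts a few samples later. Tuning the slack and threshold against benign history is what keeps the false-positive count low on a real trace.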
• WMI Lateral Movement
• Reconnaissance / Network Scan
• Reconnaissance / Reading Project from PLC / Modbus
• Reconnaissance / Modbus Scan
• Transfer Malicious Firmware to Rockwell Automation PLC
• Modbus Write Attempt from an Internet address
• “Stuxnet” Malware Network Activity
• “Havex” Malware Network Activity
• “GreyEnergy” Malware Network Activity
https://www.youtube.com/watch?v=vSd8hoRqnF4&list=PLPmbqO785Hlt3yFvW-EZhvRq53EcCjmZc
https://www.youtube.com/watch?v=A2tQo4t4ibo
KICS IEC 60870-5-104 protocol events
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
Endpoint activities at different levels and stages:
PowerShell, Python
SSH clients (PuTTY/Plink)
Netcat/Cryptcat
Mimikatz, PsExec
AdExplorer, ShareEnum, PsGetSid
Nmap, iPerf
Trilog.exe
Network activities at different levels and stages:
DNS
SSH
RDP
RPC/SMB (PsExec)
HTTP (webshell)
TCP/UDP (Nmap, iPerf)
VPN
TriStation (UDP)
Diagram (network levels, top to bottom): Internet / Attacker, Office Network, Plant DMZ Network, SCADA/DCS Network, Control Network, Fieldbus; assets shown: SCADA servers, PLC, SIS EWS, Safety Instrumented System (SIS)
• Trilog.exe
• TriStation (UDP)
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN
Unusual time for an engineering connection
Unauthorized application
Not in the whitelist
• plaintext passwords
• user authentication failures
• new network devices
• abnormal network traffic between devices
• internet connectivity
• data exfiltration
• unauthorized software installations
• PLC firmware modifications
• unauthorized PLC logic modifications
• file transfers between devices
• abnormal ICS protocol communications
• malware
• denial of service (DoS)
• abnormal manufacturing system operations
• port scans/probes
• environmental changes
https://csrc.nist.gov/publications/detail/nistir/8219/draft
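The detection scenarios above (the KICS demo list, the "unusual time for an engineering connection / not in the whitelist" slide, and the NISTIR 8219 anomaly categories) mostly reduce to a handful of rules over flow records with a little context: an asset inventory, a set of roles, a maintenance window. The following is an added example, not KICS logic or NIST code, showing such a detector run over constructed flow records of the kind a passive ICS monitor extracts from a SPAN port. The port numbers are the standard ones (Modbus/TCP 502, EtherNet/IP 44818, TriStation UDP 1502); the plant address space, inventory, roles, maintenance window and sample flows are assumptions for illustration.

```python
"""Rule-based checks over ICS network flow records (added example, not KICS code).

Everything below the imports is assumed for illustration: the plant address
space, the asset inventory and roles, the maintenance window, and the sample
flows. Port numbers are the standard ones (Modbus/TCP 502, EtherNet/IP 44818,
TriStation UDP 1502).
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}   # Modbus write function codes
ENGINEERING_PORTS = {("udp", 1502): "TriStation", ("tcp", 44818): "EtherNet/IP (CIP)"}
SCAN_THRESHOLD = 3                          # distinct Modbus targets from one source
MAINTENANCE_HOURS = range(8, 18)            # assumed: engineering work expected 08:00-17:59
PLANT_NETS = [ip_network("10.1.0.0/16")]    # assumed plant address space

INVENTORY = {                               # assumed asset inventory: ip -> role
    "10.1.1.10": "EWS",                     # engineering workstation, may program PLCs
    "10.1.1.20": "HMI",                     # may write setpoints over Modbus
    "10.1.1.30": "Historian",
    "10.1.2.101": "PLC1",
    "10.1.2.102": "PLC2",
    "10.1.2.103": "SIS",
}
WRITE_ALLOWED = {"EWS", "HMI"}              # roles whitelisted for Modbus writes

Event = Dict[str, object]
Alert = Tuple[str, str, str]                # (timestamp, rule, detail)


def is_plant_address(ip: str) -> bool:
    """True if ip lies in the plant's own address space (not a generic RFC 1918 test)."""
    addr = ip_address(ip)
    return any(addr in net for net in PLANT_NETS)


def analyze(events: List[Event], inventory: Dict[str, str] = INVENTORY) -> List[Alert]:
    alerts: List[Alert] = []
    unknown_seen = set()
    modbus_targets = defaultdict(set)        # src -> set of Modbus servers contacted
    for e in events:
        ts, src, dst = str(e["ts"]), str(e["src"]), str(e["dst"])
        key = (e["proto"], e["dport"])
        # Asset inventory: report each unknown endpoint once.
        for host in (src, dst):
            if host not in inventory and host not in unknown_seen:
                unknown_seen.add(host)
                alerts.append((ts, "new network device", host))
        # Engineering protocols: only the EWS, and only inside the maintenance window.
        if key in ENGINEERING_PORTS:
            name = ENGINEERING_PORTS[key]
            if inventory.get(src) != "EWS":
                alerts.append((ts, "unauthorized engineering source", f"{src} -> {dst} {name}"))
            elif datetime.fromisoformat(ts).hour not in MAINTENANCE_HOURS:
                alerts.append((ts, "unusual time for engineering connection", f"{src} -> {dst} {name}"))
        # Modbus/TCP: scans across controllers, and writes from unexpected sources.
        if key == ("tcp", 502):
            modbus_targets[src].add(dst)
            if len(modbus_targets[src]) == SCAN_THRESHOLD:
                alerts.append((ts, "Modbus scan", f"{src} contacted {SCAN_THRESHOLD} Modbus servers"))
            fc = e.get("fc")
            if fc in MODBUS_WRITE_FC:
                if not is_plant_address(src):
                    alerts.append((ts, "Modbus write from Internet address", f"{src} fc={fc} -> {dst}"))
                elif inventory.get(src) not in WRITE_ALLOWED:
                    alerts.append((ts, "Modbus write from non-whitelisted host", f"{src} fc={fc} -> {dst}"))
    return alerts


EVENTS: List[Event] = [   # constructed sample flows, one dict per flow
    {"ts": "2019-03-12T10:15:00", "src": "10.1.1.20", "dst": "10.1.2.101", "proto": "tcp", "dport": 502, "fc": 16},   # HMI setpoint write, benign
    {"ts": "2019-03-12T11:02:00", "src": "10.1.1.10", "dst": "10.1.2.102", "proto": "tcp", "dport": 44818},           # EWS download in hours, benign
    {"ts": "2019-03-12T02:38:00", "src": "10.1.1.10", "dst": "10.1.2.103", "proto": "udp", "dport": 1502},            # EWS -> SIS at 02:38
    {"ts": "2019-03-12T02:40:00", "src": "10.1.1.77", "dst": "10.1.2.101", "proto": "tcp", "dport": 502, "fc": 3},    # unknown host reading
    {"ts": "2019-03-12T02:40:01", "src": "10.1.1.77", "dst": "10.1.2.102", "proto": "tcp", "dport": 502, "fc": 3},
    {"ts": "2019-03-12T02:40:02", "src": "10.1.1.77", "dst": "10.1.2.103", "proto": "tcp", "dport": 502, "fc": 3},    # third controller: scan
    {"ts": "2019-03-12T02:42:00", "src": "10.1.1.77", "dst": "10.1.2.102", "proto": "tcp", "dport": 44818},           # unknown host tries a download
    {"ts": "2019-03-12T02:44:00", "src": "10.1.1.30", "dst": "10.1.2.101", "proto": "tcp", "dport": 502, "fc": 6},    # historian writing a register
    {"ts": "2019-03-12T02:45:00", "src": "203.0.113.5", "dst": "10.1.2.101", "proto": "tcp", "dport": 502, "fc": 5},  # write from outside the plant
]

if __name__ == "__main__":
    for ts, rule, detail in analyze(EVENTS):
        print(ts, rule, detail, sep="  ")
```

Two choices here matter in practice. The "Internet address" rule is phrased as "not in the plant's own address space" rather than "not RFC 1918", because a compromised office or DMZ host with a private address is exactly the source the NISTIR list cares about, and it is caught by the inventory and role rules instead. And engineering protocols are judged on source role before time of day, so a non-EWS host downloading logic is reported as unauthorized even during the maintenance window; the time rule only qualifies connections that are otherwise allowed.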
Kaspersky HQ
39A/3 Leningradskoe Shosse, Moscow
T: +7 (495) 797 8700 #1746
Anton.Shipulin@kaspersky.com
@shipulin_anton
Anton Shipulin
CISSP, CEH, CSSA
Global Presales Manager
Industrial Cybersecurity Business Development
Experience with testing industrial cybersecurity solutions against real-world attack scenarios