SlideShare a Scribd company logo

IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)

S
sequi_inc

Presentation for Industrial Control Systems Joint Working Group (ICSJWG). This presentation will lend insight to IEEE 1711-2010, a standard for securing substation serial-based SCADA assets, and its applicability across industry sectors: electric, oil, gas, water, and chemical. Also addressed are the benefits of its implementation on legacy retrofits, SCADA link management, and integrating legacy systems and Ethernet IP SCADA networks.

1 of 38
Download to read offline
IEEE 1711-2010 SECURITY FOR LEGACY SCADA PROTOCOLS Back Door Attacks: How to Protect Serial Communications Tracy Amaio, Ph.D. teamaio@sequi.com Tien Van tvan@sequi.com ©2011 SEQUI, Inc.
GENERAL INDUSTRIAL CONTROL SYSTEM (ICS) ■ Control Center Devices  Master Terminal Unit (MTU)/HMI Software/Data Historian ■ Remote Site Devices  Remote Terminal Unit (RTU)  Programmable Logic Controller (PLC)  Intelligent Electronic Device (IED)
ICS CHARACTERISTICS ■ Long operational life (10+ yrs) ■ Small to large geographic area ■ Highly complex and found everywhere ■ Field RTUs/PLCs are in the open, most are unprotected ■ Routable (TCP/IP) ■ Non-routable (serial) a.k.a. “legacy” equipment  Radio, leased line, dial-up, and multi-drop links  Low data throughput  Slow telemetry polling  Modbus, DNP3 protocols (MTU – RTU communications)  Difficult to add security to existing software  Little/no auditing, logging
FRONT DOOR ATTACK A “front door” attack is via internet – Attacks are often publicized – Methods of attack are well-known and found in instructional materials, books & lectures
BACK DOOR ATTACK What do we know about ICS serial communications? – They use radio, leased line, dial-up, and/or multi-drop links – They’re isolated, out in the open – They’re unprotected – They’re assumed safe because of a long-standing notion that’s based on security by obscurity: Trusting that nobody will find out about the systems’ vulnerabilities and those that do won’t exploit them!
SECURITY ISSUES… …IN RELATION TO INSECURE LEGACY SYSTEMS VULNERABILITIES Use of dial up maintenance port to diagnose, repair, configure… Use of single-frequency licensed radios No authentication or data protection THREAT Attackers… Motivation… Obtaining back-door access (eavesdropping, data altering) Is the threat real? Is a back door attack easy? RISK Risk = f (threat, vulnerability, cost) Likelihood that a threat will exploit a vulnerability that compromises safety and availability Cost = f (safety, availability) Consequences: Liabilities, financial loss, environmental, public safety… How much service would be lost and how vital is it?
BEFORE THE ATTACK Attackers typically do three things before the attack: “gather information”Reconnaissance Scanning Traffic Analysis “discover vulnerabilities by passive listening” “reverse engineer the protocol”
RECONNAISSANCE Use Social Engineering  Victim is tricked into doing what attacker wants by intimidation, helpfulness, name-dropping, technical assistance…  Caller ID spoofing (VOIP PBX, telespoof.com) Experiment by Idaho National Lab (2008) found that 40% of employees provided their passwords to a fake OpsCenter employee over the telephone Miles McQueen. Human Vulnerabilities. ISRCS 2009: 2nd International Symposium on Resilient Control Systems August 11 2009 https://secure.inl.gov/isrcs2009/docs/Tutorials/Session_3_McQueen.pdf Search Publicly Available Information  Search engines (meta, deep web…) with key words  www.uwhois.com  Dumpster diving Attacker Gathers As Much Information As Possible
RECONNAISSANCE Equipment (HW/SW) Dial-up Multi-drop Radio Configuration Facility Location Default Passwords Information Gathered
SCANNING Tools War dialing software: Freeware THC-Scan, RASUsers, TBA Commercial PhoneSweep, TeleSweep Unix PAW/PAWS, iWAR, THC-Scan NG, Telescan, ShokDial Mac Assault Dialer Upon active connection, the attacker can simply enter multiple returns, question marks, “Help” or “Hello” to gain a login prompt and probe the connection further Password cracking software: Freeware/Open Source Cain & Abel, Dsniff, John the Ripper, Ophcrack Commercial L0phtCrack, RainbowCrack, SAMInside Default password list:  Search user manuals - may state no PWs are used and security is disabled!  Search online databases, e.g., Phenoelit hacking group (Germany) maintains a database of default passwords www.phenoelit.de/dpl/dpl.html Attacker Locates Systems and Discover Vulnerabilities
DEFAULT PASSWORD LIST Vendor Model Version Access Type Username Password Privileges Notes 3COM CoreBuilder 7000/6000/3500/2500 Telnet debug synnet 3COM CoreBuilder 7000/6000/3500/2500 Telnet tech tech 3COM HiPerARC v4.1.x Telnet adm (none) 3COM LANplex 2500 Telnet debug synnet 3COM LANplex 2500 Telnet tech tech 3COM LinkSwitch 2000/2700 Telnet tech tech Huawei E960 admin admin Admin 3COM NetBuilder SNMP ILMI snmp-read 3COM Netbuilder Multi admin (none) Admin 3COM Office Connect ISDN Routers 5x0 Telnet n/a PASSWORD Admin 3COM SuperStack II Switch 2200 Telnet debug synnet 3COM SuperStack II Switch 2700 Telnet tech tech 3COM OfficeConnect 812 ADSL Multi adminttd adminttd Admin 3COM Wireless AP ANY Multi admin comcomcom Admin Works on all 3com wireless APs
SCANNING Tools Tapping:  Modem (FSK, PSK passive mode) – captures low baud data  CO Simulator – passes incoming calls & routes outgoing calls  Data Logger and GPRS cell modem – records/retrieves data  900MHz Radio Modem and Spectrum Analyzer – scans data  Radio Shack Mini Amplifier/Speaker – records DTMF Attacker Locates Systems and Discovers Vulnerabilities
TRAFFIC ANALYSIS Interpret SCADA clear data…  Consult user manuals and engineering support documents – available and easily obtained Attacker Reverse Engineers the Protocol DNP3 [Header + Data] Max frame size: 292 bytes Header = 0x05 1-byte 0x64 1-byte Len 1-byte Ctrl 1-byte Dst 2-byte Src 2-byte CRC 2-byte Modbus RTU Start 3.5 char time Addr 1-byte Func 1-byte Data 0-252 CRC 2-byte End 3.5 char time Modbus ASCII Start : Addr 2-byte Func 2-byte Data 2x (0-252) LRC 2-byte End CR LF DNP3 has source and destination addresses that can be useful in Man-in-the-Middle attacks, such as:  Turn off unsolicited reporting to stifle specific alarms  Spoof unsolicited responses to the Master to falsify events and trick the operator into taking inappropriate actions  Issue unauthorized stops, restarts, or other functions that could disrupt specific operations Modbus was designed to program controllers by sending Read and Write I/O registers commands, for example:  List defined points and their values  Request information about Modbus servers, PLC configurations…  Clear, erase, or reset diagnostic information  Force slave devices into “listen only” mode
COMMON TYPES OF ATTACK Maintenance port To install a malicious program Denial of Service To delay or block the flow of information  By physical destruction – but can be detected through fault-handling programs or CCTV  By radio jamming - no effective countermeasures exist! (A cheap, limited range, jammer: cordless phone with modified oscillator + amplifier + coat hanger) Spoofing To masquerade as another to initiate an unauthorized action Replay To record and retransmit valid data (manipulating time variable) to trigger unpredictable results Man-in-the-Middle (MITM) To intercept, alter, and relay a communication message  A simple radio MITM can be setup by a combination of directional transmitter & jammer
RTU SPOOFING Vulnerability Attack Attack Result Master/slave cmd/rsp protocol has no authentication Slave has slow response time Auto emergency shutdown RTU spoofing: Send bogus status before a valid RTU response, e.g., change threshold of safety parameters Causes unpredictable outcome leading to system disruption or failure
RTU SPOOFING EXAMPLE MTU ← RTU ← IED ← Sensors Attacker constructs a forged RTU response:
MTU SPOOFING Vulnerability Attack Attack Result MTU has long polling time, e.g., 2s x 100 devices MTU spoofing: Send command to reprogram RTU, e.g., • rhythmically turn on/off a high-voltage motor • operate a valve hundreds of times per second • premature shutdown of a process • close a valve while pump is running Causes system disruption or failure
MTU SPOOFING EXAMPLE  Send periodically (if not sent as an automatic answer to a receive sequence) Repeat sequence every 1 seconds Attacker constructs a forged MTU command: MTU → RTU → IED → Actuators
ATTACK TOOL: SIMULATOR SOFTWARE Simulator software is downloadable from the web that can directly communicate with protocols, such as DNP 3.0, Modbus, BACnet, LonWorks, and OPC Modbus:
SECURITY ISSUES… …IN RELATION TO INSECURE LEGACY SYSTEMS VULNERABILITIES Use of dial up maintenance port to diagnose, repair, configure… Use of single-frequency licensed radios No authentication or data protection THREAT Attackers… Motivation… Obtaining back-door access (eavesdropping, data altering) Is the threat real? Is a back door attack easy? RISK Risk = f (threat, vulnerability, cost) Likelihood that a threat will exploit a vulnerability that compromises safety and availability Cost = f (safety, availability) Consequences: Liabilities, financial loss, environmental, public safety… The Threat is REAL. A Back Door Attack is EASY. Risk Management is the NEXT STEP.
RISK MANAGEMENT OF LEGACY SYSTEMS Taking Steps to Protect Assets “Eliminate back door” (remove risk) “Do nothing” (accept risk and budget for it) “Take action” (lessen the risk)
LEGACY RETROFIT ISSUES Legacy Retrofit Issues What We Want How do we plan for migration? • To choose when & how much security to apply • To have encrypted & clear communications on the same channel …Easy migration Do we make changes to our ICS software or equipment? Not to change our existing ICS software or equipment …Easy installation Do we make changes to our operational control? Not to change our existing operational control …Hassle-free Will it impact performance? Strong security without impacting performance …No impact Will it impact our existing configuration? Not to change our existing configuration Should support the following: • Modbus RTU/ASCII, DNP3 • Async 300 to 115200 bps • Point-to-point and multi-drop • Radio, dial-up, and leased line …Flexibility What encryption & authentication standard should we use?
IEEE 1711-2010 STANDARD To Protect Against Eavesdropping, Message Replaying, and Data Altering Began as AGA-12 in 2003 Originator: The American Gas Association (AGA) Goal: To secure legacy serial communication links in SCADA systems Key Players • American Gas Association (AGA) • Technical Support Working Group (TSWG) at Gas Technology Institute (GTI) • American Water Works Association Research Foundation (AWWARF) • The National Institute of Standards and Technology (NIST) • U.S. Department of Energy (DOE) • Idaho National Laboratories (INL) • Sandia National Laboratories • Pacific Northwest National Laboratory (PNNL) • IEEE Power & Energy Society • IEEE Committee: PE/SUB – Substations Now the IEEE Approved Standard Related to Smart Grid* IEEE 1711-2010 Trial Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links * Applicable across industry sectors, e.g., electric, oil, gas, water, & chemical
STRONG SECURITY SOLUTION Encryption & Authentication Cipher suite 1: AES128 CTR-mode, HmacSHA1, with holdback Cipher suite 2: AES128 PE-mode, HmacSHA1, no holdback Cipher suite 3: Cleartext, SHA1, with holdback Cipher suite 4: AES128 CTR-mode, HmacSHA256, with holdback Cipher suite 5: AES128 PE-mode, HmacSHA256, no holdback Cipher suite 6: Cleartext, SHA256, with holdback Cipher suite 7: Cleartext, HmacSHA1, with holdback Cipher suite 8: Cleartext, HmacSHA256, with holdback Cipher suite 9: AES128 CBC-mode, HmacSHA1, with holdback Cipher suite 10: AES128 CBC-mode, HmacSHA256, with holdback Two-level keys: • Pre-shared key • Session key (always randomly generated) Key Management
EASY MIGRATION – ALL CLEAR ■ “Bump-in-the-wire” solution  Installed at Control Center  Set to pass-through all messages
EASY MIGRATION – CLEAR & ENCRYPTED ■ Mixed mode deployment  One encryption link at a time – while other links operate in the clear
EASY MIGRATION – ALL ENCRYPTED ■ Secure tunneling (IPSec-like)  Up to 65,533 tunnels  Each tunnel has its own Encryption Key and Authentication Key and protects one or group of RTUs
EVERYBODY TALKS ABOUT… 1. …encryption delay!  What causes it? – Block protocol encryption overhead: Header, Trailer, Message Authentication Code + Encryption processing – The delay impact is greater for small messages – To minimize delay: 1. You can select appropriate cipher suite, e.g., ENC, AUTH, holdback options, etc. 2. You can select a solution that has a hardware crypto engine (versus software encryption) 2. …key management!  What is the simplest and fastest way? – Pre-shared key (used by IEEE 1711) – IEEE 1711 employs additional security with two-layer keys Layer 1: Pre-shared key (static) Layer 2: Session keys (dynamic): Encryption key & Authentication key (both randomly generated) – IEEE 1711 supports 65,533 uniquely shared keys  What is the disadvantage of a pre-shared key? – Must agree on what the pre-shared key is before distributing it securely  Is there a better way other than pre-agreement of keys? – Public Key Infrastructure (PKI)  Can PKI be used in SCADA? – Yes, but it slows response time (computationally intensive, too much overhead over low bandwidth) AND it’s expensive to implement – Its peer-to-peer distribution makes it unsuitable for master/slave structure – Could bring down the network when PKI Server is unavailable
LEGACY SYSTEMS GOING ETHERNET ■ The trend is to integrate serial SCADA protocols with corporate network for effective management and real-time business decisions However:  Serial protocols remain insecure, lack authentication (they’re simply wrapped inside TCP/IP packets!)  The backdoor risk is still there  TCP/IP has its own vulnerabilities (that are widely shared within the computer underground!) Numerous FREE scanning, vulnerability discovery, attack tools are available; see Top 100 Network Security Tools: http://sectools.org/ Ex: nmap, TCPview, Nessus, Attacker Tool Kit (ATK), Sniffit, Netcat, Wireshark
MODBUS TCP SCADA protocols simply wrapped inside TCP/IP data packets
DNP3 TCP SCADA protocols simply wrapped inside TCP/IP data packets
IEEE 1711-2010 ENHANCEMENTS Allows vendor-defined enhancements: ■ Management functions (e.g., audit logs, reports…) ■ P2P stream encryption: 8-Bit Cipher Feedback Mode Advantage: 1-byte encryption delay AND protocol independent (Allen-Bradley DF-1, Bristol BSAP, Fisher ROC & more) ■ Session key auto renewal ■ Secure Serial-over-Ethernet ■ Dial-up access control via session negotiation ■ Heartbeat “keepalive” from the Master to control how long the secure link remains active before it is disabled (in the event the remote device is stolen) ■ Interface to low-cost wireless (ZigBee® IEEE 802.15.4 )
SECURE SERIAL-OVER-ETHERNET Modbus TCP/IP Modbus UDP/IP Modbus RTU Over TCP/IP Modbus RTU Over UDP/IP Modbus ASCII Over TCP/IP Modbus ASCII Over UDP/IP DNP3 over TCP/IP
DIAL-UP ACCESS CONTROL VIA SESSION NEGOTIATION 1. Receives an incoming call (RI toggle) and auto-answers (DCD active) 2. Transmits challenge data 3. Receives response data 4. If “failed” challenge, drop DTR 5. Modem disconnects call (DCD inactive) Timing diagram for answering device:
VULNERABILITIES Use of dial up maintenance port to diagnose, repair, configure… Use of single-frequency licensed radios No authentication or data protection THREAT Attackers… Motivation… Obtaining back-door access (eavesdropping, data altering) Is the threat real? Is a back door attack easy? RISK Risk = f (threat, vulnerability, cost) Likelihood that a threat will exploit a vulnerability that compromises safety and availability Cost = f (safety, availability) Consequences: Liabilities, financial loss, environmental, public safety… CONCLUSION Secure one link at a time with IEEE 1711 “Take Action”
21 STEPS TO IMPROVE CYBER SECURITY OF SCADA NETWORKS BY THE U.S. DEPARTMENT OF ENERGY 1. Identify all connections to SCADA networks 2. Disconnect unnecessary connections to the SCADA network 3. Evaluate and strengthen the security of any remaining connections to the SCADA network 4. Harden SCADA networks by removing or disabling unnecessary services 5. Do not rely on proprietary protocols to protect your system 6. Implement the security features provided by device and system vendors 7. Establish strong controls over any medium that is used as a backdoor into the SCADA network 8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring 9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns 10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security 11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios 12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users 13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection 14. Establish a rigorous, ongoing risk management process 15. Establish a network protection strategy based on the principle of defense-in-depth 16. Clearly identify cyber security requirements 17. Establish effective configuration management processes 18. Conduct routine self-assessments 19. Establish system backups and disaster recovery plans 20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance 21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls Source: http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
REFERENCES Energy Sector Control Systems Working Group (ESCSWG). Roadmap to Achieve Energy Delivery Systems Cybersecurity. September 2011. http://www.doe.gov/oe/downloads/roadmap-achieve-energy-delivery-systems-cybersecurity-2011 Idaho National Laboratory/DOE. Vulnerability Analysis of Energy Delivery Control Systems. September 2011. http://www.doe.gov/oe/downloads/vulnerability-analysis-energy-delivery-control-systems IEEE 1711-2010 Trial-Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links. September 2010. http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=5562693 NIST Special Publication 800-39 Managing Information Security Risk: Organization, Mission, and Information System View. March 2011. http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security. June 2011. http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf Scientific American Magazine. Hacking the Lights Out: The Computer Virus Threat to the Electrical Grid. July 2011. http://www.scientificamerican.com/article.cfm?id=hacking-the-lights-out
THANK YOU Tracy Amaio, Ph.D. teamaio@sequi.com Tien Van tvan@sequi.com Please feel free to send your comments or questions

Recommended

Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network Architectures
EnergySec
 
Scada security webinar 2012
Scada security webinar 2012Scada security webinar 2012
Scada security webinar 2012
AVEVA
 
Ceh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingCeh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hacking
Vi Tính Hoàng Nam
 
Ceh v5 module 22 penetration testing
Ceh v5 module 22 penetration testingCeh v5 module 22 penetration testing
Ceh v5 module 22 penetration testing
Vi Tính Hoàng Nam
 
50120140501013
5012014050101350120140501013
50120140501013IAEME Publication
 
Huneed-Cisco Perimeter Security Solution Guide
Huneed-Cisco Perimeter Security Solution GuideHuneed-Cisco Perimeter Security Solution Guide
Huneed-Cisco Perimeter Security Solution Guide
Glen Yi
 
infraxstructure: Piotr Wojciechowski "Secure Data Center"
infraxstructure: Piotr Wojciechowski "Secure Data Center"infraxstructure: Piotr Wojciechowski "Secure Data Center"
infraxstructure: Piotr Wojciechowski "Secure Data Center"
PROIDEA
 
MIT-6-determina-vps.ppt
MIT-6-determina-vps.pptMIT-6-determina-vps.ppt
MIT-6-determina-vps.pptwebhostingguy
 

Recommended

Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network Architectures
EnergySec
 
Scada security webinar 2012
Scada security webinar 2012Scada security webinar 2012
Scada security webinar 2012
AVEVA
 
Ceh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingCeh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hacking
Vi Tính Hoàng Nam
 
Ceh v5 module 22 penetration testing
Ceh v5 module 22 penetration testingCeh v5 module 22 penetration testing
Ceh v5 module 22 penetration testing
Vi Tính Hoàng Nam
 
50120140501013
5012014050101350120140501013
50120140501013IAEME Publication
 
Huneed-Cisco Perimeter Security Solution Guide
Huneed-Cisco Perimeter Security Solution GuideHuneed-Cisco Perimeter Security Solution Guide
Huneed-Cisco Perimeter Security Solution Guide
Glen Yi
 
infraxstructure: Piotr Wojciechowski "Secure Data Center"
infraxstructure: Piotr Wojciechowski "Secure Data Center"infraxstructure: Piotr Wojciechowski "Secure Data Center"
infraxstructure: Piotr Wojciechowski "Secure Data Center"
PROIDEA
 
MIT-6-determina-vps.ppt
MIT-6-determina-vps.pptMIT-6-determina-vps.ppt
MIT-6-determina-vps.pptwebhostingguy
 
Recomended ip telephony architecture
Recomended ip telephony architectureRecomended ip telephony architecture
Recomended ip telephony architectureFeras Ajjawi
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
Vi Tính Hoàng Nam
 
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1bora.gungoren
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
Vi Tính Hoàng Nam
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
AVEVA
 
Native Code Execution Control for Attack Mitigation on Android
Native Code Execution Control for Attack Mitigation on AndroidNative Code Execution Control for Attack Mitigation on Android
Native Code Execution Control for Attack Mitigation on Android
Fraunhofer AISEC
 
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksCeh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networks
Vi Tính Hoàng Nam
 
Using Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsUsing Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection Systems
Omar Shaya
 
Webinar on identifying, preventing and securing against the unidentifiable at...
Webinar on identifying, preventing and securing against the unidentifiable at...Webinar on identifying, preventing and securing against the unidentifiable at...
Webinar on identifying, preventing and securing against the unidentifiable at...
Intergence Ltd.
 
Ceh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversCeh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webservers
Vi Tính Hoàng Nam
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009
Jason Shen
 
Auditing Check Point Firewalls
Auditing Check Point FirewallsAuditing Check Point Firewalls
Auditing Check Point Firewalls
Ben Rothke
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
TI Safe
 
Ceh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsCeh v5 module 16 virus and worms
Ceh v5 module 16 virus and worms
Vi Tính Hoàng Nam
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
Hemanth M
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Felipe Prado
 
Make things come alive in a secure way - Sigfox
Make things come alive in a secure way - SigfoxMake things come alive in a secure way - Sigfox
Make things come alive in a secure way - Sigfox
Sigfox
 
Атаки на мобильные сети
Атаки на мобильные сетиАтаки на мобильные сети
Атаки на мобильные сетиEkaterina Melnik
 
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca BarbaEvolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Angeloluca Barba
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
Vi Tính Hoàng Nam
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Jiunn-Jer Sun
 

More Related Content

What's hot

Recomended ip telephony architecture
Recomended ip telephony architectureRecomended ip telephony architecture
Recomended ip telephony architectureFeras Ajjawi
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
Vi Tính Hoàng Nam
 
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1bora.gungoren
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
Vi Tính Hoàng Nam
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
AVEVA
 
Native Code Execution Control for Attack Mitigation on Android
Native Code Execution Control for Attack Mitigation on AndroidNative Code Execution Control for Attack Mitigation on Android
Native Code Execution Control for Attack Mitigation on Android
Fraunhofer AISEC
 
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksCeh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networks
Vi Tính Hoàng Nam
 
Using Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsUsing Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection Systems
Omar Shaya
 
Webinar on identifying, preventing and securing against the unidentifiable at...
Webinar on identifying, preventing and securing against the unidentifiable at...Webinar on identifying, preventing and securing against the unidentifiable at...
Webinar on identifying, preventing and securing against the unidentifiable at...
Intergence Ltd.
 
Ceh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversCeh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webservers
Vi Tính Hoàng Nam
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009
Jason Shen
 
Auditing Check Point Firewalls
Auditing Check Point FirewallsAuditing Check Point Firewalls
Auditing Check Point Firewalls
Ben Rothke
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
TI Safe
 
Ceh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsCeh v5 module 16 virus and worms
Ceh v5 module 16 virus and worms
Vi Tính Hoàng Nam
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
Hemanth M
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Felipe Prado
 
Make things come alive in a secure way - Sigfox
Make things come alive in a secure way - SigfoxMake things come alive in a secure way - Sigfox
Make things come alive in a secure way - Sigfox
Sigfox
 
Атаки на мобильные сети
Атаки на мобильные сетиАтаки на мобильные сети
Атаки на мобильные сетиEkaterina Melnik
 
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca BarbaEvolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Angeloluca Barba
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
Vi Tính Hoàng Nam
 

What's hot (20)

Recomended ip telephony architecture
Recomended ip telephony architectureRecomended ip telephony architecture
Recomended ip telephony architecture
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
 
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
 
Native Code Execution Control for Attack Mitigation on Android
Native Code Execution Control for Attack Mitigation on AndroidNative Code Execution Control for Attack Mitigation on Android
Native Code Execution Control for Attack Mitigation on Android
 
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksCeh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networks
 
Using Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsUsing Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection Systems
 
Webinar on identifying, preventing and securing against the unidentifiable at...
Webinar on identifying, preventing and securing against the unidentifiable at...Webinar on identifying, preventing and securing against the unidentifiable at...
Webinar on identifying, preventing and securing against the unidentifiable at...
 
Ceh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversCeh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webservers
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009
 
Auditing Check Point Firewalls
Auditing Check Point FirewallsAuditing Check Point Firewalls
Auditing Check Point Firewalls
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
 
Ceh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsCeh v5 module 16 virus and worms
Ceh v5 module 16 virus and worms
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
 
Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics Defcon 23 - Chris Sistrunk - nsm 101 for ics
Defcon 23 - Chris Sistrunk - nsm 101 for ics
 
Make things come alive in a secure way - Sigfox
Make things come alive in a secure way - SigfoxMake things come alive in a secure way - Sigfox
Make things come alive in a secure way - Sigfox
 
Атаки на мобильные сети
Атаки на мобильные сетиАтаки на мобильные сети
Атаки на мобильные сети
 
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca BarbaEvolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
Evolutionary ATM & Cyber Security - Selex ES - Angeloluca Barba
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
 

Similar to IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)

The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Jiunn-Jer Sun
 
Cyber Security: Differences between Industrial Control Systems and ICT Approach
Cyber Security: Differences between Industrial Control Systems and ICT ApproachCyber Security: Differences between Industrial Control Systems and ICT Approach
Cyber Security: Differences between Industrial Control Systems and ICT Approach
Community Protection Forum
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
CODE BLUE
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
Jeffrey Wang , P.Eng
 
Securing SCADA
Securing SCADASecuring SCADA
Securing SCADA
Jeffrey Wang , P.Eng
 
network security / information security
network security / information securitynetwork security / information security
network security / information security
Rohan Choudhari
 
PROFIsafe and IT security - Peter Brown of Siemens A&D
PROFIsafe and IT security - Peter Brown of Siemens A&DPROFIsafe and IT security - Peter Brown of Siemens A&D
PROFIsafe and IT security - Peter Brown of Siemens A&D
PROFIBUS and PROFINET InternationaI - PI UK
 
Smart Grid Cyber Security
Smart Grid Cyber SecuritySmart Grid Cyber Security
Smart Grid Cyber Security
JAZEEL K T
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
EnergySec
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles
Cisco Canada
 
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
NiMa Bagheriasl
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
Yehia Mamdouh
 
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
sequi_inc
 
Advanced Metering Infrastructure Security Test.pptx
Advanced Metering Infrastructure Security Test.pptxAdvanced Metering Infrastructure Security Test.pptx
Advanced Metering Infrastructure Security Test.pptx
Francesco Faenzi
 
Taking a closer look at level 0 and level 1 security
Taking a closer look at level 0 and level 1 securityTaking a closer look at level 0 and level 1 security
Taking a closer look at level 0 and level 1 security
Matt Loong
 
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoTCyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
Creekside Marketing Group, LLC
 
New internet security
New internet securityNew internet security
New internet security
university of mumbai
 
NewIinternet security
NewIinternet securityNewIinternet security
NewIinternet security
university of mumbai
 

Similar to IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc) (20)

The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
 
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
 
Cyber Security: Differences between Industrial Control Systems and ICT Approach
Cyber Security: Differences between Industrial Control Systems and ICT ApproachCyber Security: Differences between Industrial Control Systems and ICT Approach
Cyber Security: Differences between Industrial Control Systems and ICT Approach
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
 
Securing SCADA
Securing SCADASecuring SCADA
Securing SCADA
 
network security / information security
network security / information securitynetwork security / information security
network security / information security
 
PROFIsafe and IT security - Peter Brown of Siemens A&D
PROFIsafe and IT security - Peter Brown of Siemens A&DPROFIsafe and IT security - Peter Brown of Siemens A&D
PROFIsafe and IT security - Peter Brown of Siemens A&D
 
Smart Grid Cyber Security
Smart Grid Cyber SecuritySmart Grid Cyber Security
Smart Grid Cyber Security
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles
 
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
 
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
 
Advanced Metering Infrastructure Security Test.pptx
Advanced Metering Infrastructure Security Test.pptxAdvanced Metering Infrastructure Security Test.pptx
Advanced Metering Infrastructure Security Test.pptx
 
Taking a closer look at level 0 and level 1 security
Taking a closer look at level 0 and level 1 securityTaking a closer look at level 0 and level 1 security
Taking a closer look at level 0 and level 1 security
 
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoTCyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
 
New internet security
New internet securityNew internet security
New internet security
 
NewIinternet security
NewIinternet securityNewIinternet security
NewIinternet security
 

Recently uploaded

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 

Recently uploaded (20)

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 

IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)

  • 1. IEEE 1711-2010 SECURITY FOR LEGACY SCADA PROTOCOLS Back Door Attacks: How to Protect Serial Communications Tracy Amaio, Ph.D. teamaio@sequi.com Tien Van tvan@sequi.com ©2011 SEQUI, Inc.
  • 2. GENERAL INDUSTRIAL CONTROL SYSTEM (ICS) ■ Control Center Devices  Master Terminal Unit (MTU)/HMI Software/Data Historian ■ Remote Site Devices  Remote Terminal Unit (RTU)  Programmable Logic Controller (PLC)  Intelligent Electronic Device (IED)
  • 3. ICS CHARACTERISTICS ■ Long operational life (10+ yrs) ■ Small to large geographic area ■ Highly complex and found everywhere ■ Field RTUs/PLCs are in the open, most are unprotected ■ Routable (TCP/IP) ■ Non-routable (serial) a.k.a. “legacy” equipment  Radio, leased line, dial-up, and multi-drop links  Low data throughput  Slow telemetry polling  Modbus, DNP3 protocols (MTU – RTU communications)  Difficult to add security to existing software  Little/no auditing, logging
  • 4. FRONT DOOR ATTACK A “front door” attack is via internet – Attacks are often publicized – Methods of attack are well-known and found in instructional materials, books & lectures
  • 5. BACK DOOR ATTACK What do we know about ICS serial communications? – They use radio, leased line, dial-up, and/or multi-drop links – They’re isolated, out in the open – They’re unprotected – They’re assumed safe because of a long-standing notion that’s based on security by obscurity: Trusting that nobody will find out about the systems’ vulnerabilities and those that do won’t exploit them!
  • 6. SECURITY ISSUES… …IN RELATION TO INSECURE LEGACY SYSTEMS VULNERABILITIES Use of dial up maintenance port to diagnose, repair, configure… Use of single-frequency licensed radios No authentication or data protection THREAT Attackers… Motivation… Obtaining back-door access (eavesdropping, data altering) Is the threat real? Is a back door attack easy? RISK Risk = f (threat, vulnerability, cost) Likelihood that a threat will exploit a vulnerability that compromises safety and availability Cost = f (safety, availability) Consequences: Liabilities, financial loss, environmental, public safety… How much service would be lost and how vital is it?
  • 7. BEFORE THE ATTACK Attackers typically do three things before the attack: “gather information”Reconnaissance Scanning Traffic Analysis “discover vulnerabilities by passive listening” “reverse engineer the protocol”
  • 8. RECONNAISSANCE Use Social Engineering  Victim is tricked into doing what attacker wants by intimidation, helpfulness, name-dropping, technical assistance…  Caller ID spoofing (VOIP PBX, telespoof.com) Experiment by Idaho National Lab (2008) found that 40% of employees provided their passwords to a fake OpsCenter employee over the telephone Miles McQueen. Human Vulnerabilities. ISRCS 2009: 2nd International Symposium on Resilient Control Systems August 11 2009 https://secure.inl.gov/isrcs2009/docs/Tutorials/Session_3_McQueen.pdf Search Publicly Available Information  Search engines (meta, deep web…) with key words  www.uwhois.com  Dumpster diving Attacker Gathers As Much Information As Possible
  • 10. SCANNING Tools War dialing software: Freeware THC-Scan, RASUsers, TBA Commercial PhoneSweep, TeleSweep Unix PAW/PAWS, iWAR, THC-Scan NG, Telescan, ShokDial Mac Assault Dialer Upon active connection, the attacker can simply enter multiple returns, question marks, “Help” or “Hello” to gain a login prompt and probe the connection further Password cracking software: Freeware/Open Source Cain & Abel, Dsniff, John the Ripper, Ophcrack Commercial L0phtCrack, RainbowCrack, SAMInside Default password list:  Search user manuals - may state no PWs are used and security is disabled!  Search online databases, e.g., Phenoelit hacking group (Germany) maintains a database of default passwords www.phenoelit.de/dpl/dpl.html Attacker Locates Systems and Discover Vulnerabilities
  • 11. DEFAULT PASSWORD LIST Vendor Model Version Access Type Username Password Privileges Notes 3COM CoreBuilder 7000/6000/3500/2500 Telnet debug synnet 3COM CoreBuilder 7000/6000/3500/2500 Telnet tech tech 3COM HiPerARC v4.1.x Telnet adm (none) 3COM LANplex 2500 Telnet debug synnet 3COM LANplex 2500 Telnet tech tech 3COM LinkSwitch 2000/2700 Telnet tech tech Huawei E960 admin admin Admin 3COM NetBuilder SNMP ILMI snmp-read 3COM Netbuilder Multi admin (none) Admin 3COM Office Connect ISDN Routers 5x0 Telnet n/a PASSWORD Admin 3COM SuperStack II Switch 2200 Telnet debug synnet 3COM SuperStack II Switch 2700 Telnet tech tech 3COM OfficeConnect 812 ADSL Multi adminttd adminttd Admin 3COM Wireless AP ANY Multi admin comcomcom Admin Works on all 3com wireless APs
  • 12. SCANNING Tools Tapping:  Modem (FSK, PSK passive mode) – captures low baud data  CO Simulator – passes incoming calls & routes outgoing calls  Data Logger and GPRS cell modem – records/retrieves data  900MHz Radio Modem and Spectrum Analyzer – scans data  Radio Shack Mini Amplifier/Speaker – records DTMF Attacker Locates Systems and Discovers Vulnerabilities
  • 13. TRAFFIC ANALYSIS Interpret SCADA clear data…  Consult user manuals and engineering support documents – available and easily obtained Attacker Reverse Engineers the Protocol DNP3 [Header + Data] Max frame size: 292 bytes Header = 0x05 1-byte 0x64 1-byte Len 1-byte Ctrl 1-byte Dst 2-byte Src 2-byte CRC 2-byte Modbus RTU Start 3.5 char time Addr 1-byte Func 1-byte Data 0-252 CRC 2-byte End 3.5 char time Modbus ASCII Start : Addr 2-byte Func 2-byte Data 2x (0-252) LRC 2-byte End CR LF DNP3 has source and destination addresses that can be useful in Man-in-the-Middle attacks, such as:  Turn off unsolicited reporting to stifle specific alarms  Spoof unsolicited responses to the Master to falsify events and trick the operator into taking inappropriate actions  Issue unauthorized stops, restarts, or other functions that could disrupt specific operations Modbus was designed to program controllers by sending Read and Write I/O registers commands, for example:  List defined points and their values  Request information about Modbus servers, PLC configurations…  Clear, erase, or reset diagnostic information  Force slave devices into “listen only” mode
  • 14. COMMON TYPES OF ATTACK Maintenance port To install a malicious program Denial of Service To delay or block the flow of information  By physical destruction – but can be detected through fault-handling programs or CCTV  By radio jamming - no effective countermeasures exist! (A cheap, limited range, jammer: cordless phone with modified oscillator + amplifier + coat hanger) Spoofing To masquerade as another to initiate an unauthorized action Replay To record and retransmit valid data (manipulating time variable) to trigger unpredictable results Man-in-the-Middle (MITM) To intercept, alter, and relay a communication message  A simple radio MITM can be setup by a combination of directional transmitter & jammer
  • 15. RTU SPOOFING Vulnerability Attack Attack Result Master/slave cmd/rsp protocol has no authentication Slave has slow response time Auto emergency shutdown RTU spoofing: Send bogus status before a valid RTU response, e.g., change threshold of safety parameters Causes unpredictable outcome leading to system disruption or failure
  • 16. RTU SPOOFING EXAMPLE MTU ← RTU ← IED ← Sensors Attacker constructs a forged RTU response:
  • 17. MTU SPOOFING Vulnerability Attack Attack Result MTU has long polling time, e.g., 2s x 100 devices MTU spoofing: Send command to reprogram RTU, e.g., • rhythmically turn on/off a high-voltage motor • operate a valve hundreds of times per second • premature shutdown of a process • close a valve while pump is running Causes system disruption or failure
  • 18. MTU SPOOFING EXAMPLE  Send periodically (if not sent as an automatic answer to a receive sequence) Repeat sequence every 1 seconds Attacker constructs a forged MTU command: MTU → RTU → IED → Actuators
  • 19. ATTACK TOOL: SIMULATOR SOFTWARE Simulator software is downloadable from the web that can directly communicate with protocols, such as DNP 3.0, Modbus, BACnet, LonWorks, and OPC Modbus:
  • 20. SECURITY ISSUES… …IN RELATION TO INSECURE LEGACY SYSTEMS VULNERABILITIES Use of dial up maintenance port to diagnose, repair, configure… Use of single-frequency licensed radios No authentication or data protection THREAT Attackers… Motivation… Obtaining back-door access (eavesdropping, data altering) Is the threat real? Is a back door attack easy? RISK Risk = f (threat, vulnerability, cost) Likelihood that a threat will exploit a vulnerability that compromises safety and availability Cost = f (safety, availability) Consequences: Liabilities, financial loss, environmental, public safety… The Threat is REAL. A Back Door Attack is EASY. Risk Management is the NEXT STEP.
  • 21. RISK MANAGEMENT OF LEGACY SYSTEMS Taking Steps to Protect Assets “Eliminate back door” (remove risk) “Do nothing” (accept risk and budget for it) “Take action” (lessen the risk)
  • 22. LEGACY RETROFIT ISSUES Legacy Retrofit Issues What We Want How do we plan for migration? • To choose when & how much security to apply • To have encrypted & clear communications on the same channel …Easy migration Do we make changes to our ICS software or equipment? Not to change our existing ICS software or equipment …Easy installation Do we make changes to our operational control? Not to change our existing operational control …Hassle-free Will it impact performance? Strong security without impacting performance …No impact Will it impact our existing configuration? Not to change our existing configuration Should support the following: • Modbus RTU/ASCII, DNP3 • Async 300 to 115200 bps • Point-to-point and multi-drop • Radio, dial-up, and leased line …Flexibility What encryption & authentication standard should we use?
  • 23. IEEE 1711-2010 STANDARD To Protect Against Eavesdropping, Message Replaying, and Data Altering Began as AGA-12 in 2003 Originator: The American Gas Association (AGA) Goal: To secure legacy serial communication links in SCADA systems Key Players • American Gas Association (AGA) • Technical Support Working Group (TSWG) at Gas Technology Institute (GTI) • American Water Works Association Research Foundation (AWWARF) • The National Institute of Standards and Technology (NIST) • U.S. Department of Energy (DOE) • Idaho National Laboratories (INL) • Sandia National Laboratories • Pacific Northwest National Laboratory (PNNL) • IEEE Power & Energy Society • IEEE Committee: PE/SUB – Substations Now the IEEE Approved Standard Related to Smart Grid* IEEE 1711-2010 Trial Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links * Applicable across industry sectors, e.g., electric, oil, gas, water, & chemical
  • 24. STRONG SECURITY SOLUTION Encryption & Authentication Cipher suite 1: AES128 CTR-mode, HmacSHA1, with holdback Cipher suite 2: AES128 PE-mode, HmacSHA1, no holdback Cipher suite 3: Cleartext, SHA1, with holdback Cipher suite 4: AES128 CTR-mode, HmacSHA256, with holdback Cipher suite 5: AES128 PE-mode, HmacSHA256, no holdback Cipher suite 6: Cleartext, SHA256, with holdback Cipher suite 7: Cleartext, HmacSHA1, with holdback Cipher suite 8: Cleartext, HmacSHA256, with holdback Cipher suite 9: AES128 CBC-mode, HmacSHA1, with holdback Cipher suite 10: AES128 CBC-mode, HmacSHA256, with holdback Two-level keys: • Pre-shared key • Session key (always randomly generated) Key Management
  • 25. EASY MIGRATION – ALL CLEAR ■ “Bump-in-the-wire” solution  Installed at Control Center  Set to pass-through all messages
  • 26. EASY MIGRATION – CLEAR & ENCRYPTED ■ Mixed mode deployment  One encryption link at a time – while other links operate in the clear
  • 27. EASY MIGRATION – ALL ENCRYPTED ■ Secure tunneling (IPSec-like)  Up to 65,533 tunnels  Each tunnel has its own Encryption Key and Authentication Key and protects one or group of RTUs
  • 28. EVERYBODY TALKS ABOUT… 1. …encryption delay!  What causes it? – Block protocol encryption overhead: Header, Trailer, Message Authentication Code + Encryption processing – The delay impact is greater for small messages – To minimize delay: 1. You can select appropriate cipher suite, e.g., ENC, AUTH, holdback options, etc. 2. You can select a solution that has a hardware crypto engine (versus software encryption) 2. …key management!  What is the simplest and fastest way? – Pre-shared key (used by IEEE 1711) – IEEE 1711 employs additional security with two-layer keys Layer 1: Pre-shared key (static) Layer 2: Session keys (dynamic): Encryption key & Authentication key (both randomly generated) – IEEE 1711 supports 65,533 uniquely shared keys  What is the disadvantage of a pre-shared key? – Must agree on what the pre-shared key is before distributing it securely  Is there a better way other than pre-agreement of keys? – Public Key Infrastructure (PKI)  Can PKI be used in SCADA? – Yes, but it slows response time (computationally intensive, too much overhead over low bandwidth) AND it’s expensive to implement – Its peer-to-peer distribution makes it unsuitable for master/slave structure – Could bring down the network when PKI Server is unavailable
  • 29. LEGACY SYSTEMS GOING ETHERNET ■ The trend is to integrate serial SCADA protocols with corporate network for effective management and real-time business decisions However:  Serial protocols remain insecure, lack authentication (they’re simply wrapped inside TCP/IP packets!)  The backdoor risk is still there  TCP/IP has its own vulnerabilities (that are widely shared within the computer underground!) Numerous FREE scanning, vulnerability discovery, attack tools are available; see Top 100 Network Security Tools: http://sectools.org/ Ex: nmap, TCPview, Nessus, Attacker Tool Kit (ATK), Sniffit, Netcat, Wireshark
  • 30. MODBUS TCP SCADA protocols simply wrapped inside TCP/IP data packets
  • 31. DNP3 TCP SCADA protocols simply wrapped inside TCP/IP data packets
  • 32. IEEE 1711-2010 ENHANCEMENTS Allows vendor-defined enhancements: ■ Management functions (e.g., audit logs, reports…) ■ P2P stream encryption: 8-Bit Cipher Feedback Mode Advantage: 1-byte encryption delay AND protocol independent (Allen-Bradley DF-1, Bristol BSAP, Fisher ROC & more) ■ Session key auto renewal ■ Secure Serial-over-Ethernet ■ Dial-up access control via session negotiation ■ Heartbeat “keepalive” from the Master to control how long the secure link remains active before it is disabled (in the event the remote device is stolen) ■ Interface to low-cost wireless (ZigBee® IEEE 802.15.4 )
  • 33. SECURE SERIAL-OVER-ETHERNET Modbus TCP/IP Modbus UDP/IP Modbus RTU Over TCP/IP Modbus RTU Over UDP/IP Modbus ASCII Over TCP/IP Modbus ASCII Over UDP/IP DNP3 over TCP/IP
  • 34. DIAL-UP ACCESS CONTROL VIA SESSION NEGOTIATION 1. Receives an incoming call (RI toggle) and auto-answers (DCD active) 2. Transmits challenge data 3. Receives response data 4. If “failed” challenge, drop DTR 5. Modem disconnects call (DCD inactive) Timing diagram for answering device:
  • 35. VULNERABILITIES Use of dial up maintenance port to diagnose, repair, configure… Use of single-frequency licensed radios No authentication or data protection THREAT Attackers… Motivation… Obtaining back-door access (eavesdropping, data altering) Is the threat real? Is a back door attack easy? RISK Risk = f (threat, vulnerability, cost) Likelihood that a threat will exploit a vulnerability that compromises safety and availability Cost = f (safety, availability) Consequences: Liabilities, financial loss, environmental, public safety… CONCLUSION Secure one link at a time with IEEE 1711 “Take Action”
  • 36. 21 STEPS TO IMPROVE CYBER SECURITY OF SCADA NETWORKS BY THE U.S. DEPARTMENT OF ENERGY 1. Identify all connections to SCADA networks 2. Disconnect unnecessary connections to the SCADA network 3. Evaluate and strengthen the security of any remaining connections to the SCADA network 4. Harden SCADA networks by removing or disabling unnecessary services 5. Do not rely on proprietary protocols to protect your system 6. Implement the security features provided by device and system vendors 7. Establish strong controls over any medium that is used as a backdoor into the SCADA network 8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring 9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns 10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security 11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios 12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users 13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection 14. Establish a rigorous, ongoing risk management process 15. Establish a network protection strategy based on the principle of defense-in-depth 16. Clearly identify cyber security requirements 17. Establish effective configuration management processes 18. Conduct routine self-assessments 19. Establish system backups and disaster recovery plans 20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance 21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls Source: http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
  • 37. REFERENCES Energy Sector Control Systems Working Group (ESCSWG). Roadmap to Achieve Energy Delivery Systems Cybersecurity. September 2011. http://www.doe.gov/oe/downloads/roadmap-achieve-energy-delivery-systems-cybersecurity-2011 Idaho National Laboratory/DOE. Vulnerability Analysis of Energy Delivery Control Systems. September 2011. http://www.doe.gov/oe/downloads/vulnerability-analysis-energy-delivery-control-systems IEEE 1711-2010 Trial-Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links. September 2010. http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=5562693 NIST Special Publication 800-39 Managing Information Security Risk: Organization, Mission, and Information System View. March 2011. http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security. June 2011. http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf Scientific American Magazine. Hacking the Lights Out: The Computer Virus Threat to the Electrical Grid. July 2011. http://www.scientificamerican.com/article.cfm?id=hacking-the-lights-out
  • 38. THANK YOU Tracy Amaio, Ph.D. teamaio@sequi.com Tien Van tvan@sequi.com Please feel free to send your comments or questions