Securing ICS/SCADA systems
Agenda
Positive Technologies Company overview
ICS/SCADA security myths
Positive Research on SCADA Security
MaxPatrol for SCADA
Positive Services for SCADA
Questions?
Positive Technologies
Company overview
About Positive Technologies
10+ Years of experience
300+ Employees
Offices
• London, UK
• Moscow, Russia
• Seoul, Korea
• Tunis, Tunisia
• Rome, Italy
1000+ Customers & Partners globally
Partnerships with major software vendors
Positive Technologies Focus
MaxPatrol – Vulnerability & Compliance Management System
Positive Services – a unique team of experts in
practical security
Positive Research – one of the biggest research
centers in Europe
Positive Hack Days – the annual information security
international Forum
Positive Services
We conduct more than 20 large-scale penetration
tests each year
We perform a consistently high volume of web
application security assessments
Security assessment
• Penetration testing
• Infrastructure analysis
• Custom applications assessment
Security management processes
• KPI development
• Technical standards and compliance
• Audit & IT security risks of business processes
Positive Research Center
One of the biggest security research labs in Europe
• 100+ new 0-day vulnerabilities discovered per year
• Our research is used by key industry bodies
We help global IT players to secure their products
We are involved in the development of industry
standards
Our portal Securitylab.ru – a leading Eastern
European security portal
Positive Hack Days Forum 2012
1,500 Participants
6 Tracks
10 Workshops
8 Challenges
Hacking CTF Contest
Keynote by Bruce Schneier
Our Customers
• Telecoms & hi-tech
• Government agencies
• Banking & Finance
Our Customers
Industrial enterprises
Energia Space Corporation
Tactical missiles corp.
Sukhoi (aircraft building enterprise)
Magnitogorsk Iron & Steel
Nizhnekamsk (Petrochemicals)
AEP (Nuclear Technologies)
ICS/SCADA Security Myths
Why should we care about SCADA security?
The SCADA network is isolated and not connected to
other networks, least of all the Internet
MES/SCADA/PLC systems are based on custom platforms,
so attackers can't hack them
The HMI has limited functionality and cannot be used to
mount an attack
…
PT security assessment experience
100% of tested SCADA networks are exposed to the
Internet or the corporate network
• Network equipment/firewall misconfiguration
• MES/OPC/ERP integration gateways
• Abuse of HMI external devices (phones/modems/USB flash drives)
• VPN/dial-up remote access
90% of tested SCADA systems can be hacked with Metasploit
• Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)
• Standard protocols (RPC, CIFS/SMB, Telnet, HTTP…)
• Standard bugs (patch management, passwords, firewalling,
application vulnerabilities)
PT security assessment experience
70% of HMI/engineering stations are also used as
desktops
• Kiosk mode bypass
• (Secret) Internet access
• Games/"keygens"/trojans and other "useful" software
Overall SCADA security level = Internet security at
the beginning of the 21st century
Positive Research on
ICS/SCADA Security
Activities in 2012
SCADA Security in Numbers – research on
ICS/SCADA attack surface
SCADA applications security assessment – deep
analysis of different automation systems
Security Hardening guides development – security
configuration guides and benchmark checklists for
SCADA
Community collaboration
SCADA Security in Numbers
Deep technical analysis of ICS/SCADA attack surface
(2005 – August 2012)
Statistics of Vulnerabilities and Exploits
• Vulnerabilities in PLC/SCADA/MES systems
• Risks and exploits
• Vulnerability management effectiveness
• Attack vectors and impact
SCADA on the Internet
• Analysis of SCADA systems exposed to the Internet
• Distribution by vendor
• Security level
[Charts: number of vulnerabilities per year; risk level by vendor (%); number of exploits per year; % of exploits]
SCADA applications security assessment
Deep technical analysis of different automation
systems
• Siemens automation solutions
  - SIMATIC WinCC
  - S7 PLCs
  - TIA Portal
• Wonderware InTouch
• …
Methodologies
• Black-box penetration testing/fuzzing
• Web Application code review
• Firmware reversing and static analysis
• Forensic analysis
SCADA applications security assessment: Results
>50 vulnerabilities detected
• Client-side (XSS, CSRF, etc.)
• SQL/XPath injections
• Arbitrary file reading
• Username/passwords disclosure
• Weak encryption
• Hardcoded crypto keys
• …
Results
• Partially fixed by vendors
• Assessment and fixing roadmap with Siemens Product CERT
These 50 are a quarter of all currently known SCADA
vulnerabilities!
Security Hardening guides development
Technical guides for built-in and external security
features
Useful for configuration management and security
assessment
First public release – Siemens SIMATIC WinCC
Upcoming:
• TIA Portal
• HMI Kiosk Mode
• InTouch
Community collaboration
Collaboration with Siemens Product CERT and other
vendors
Talks at security conferences
MaxPatrol for SCADA
MaxPatrol in Figures
30,000+ checks of known vulnerabilities
1,000+ systems to work across
5,000+ configuration parameters
100+ new 0-day vulnerabilities per year
MaxPatrol – An All-in-One Solution
MaxPatrol Highlights
• Password Policy Audit
• Malware Detection
• Integrity Monitoring
• Sensitive Data Detection
• Agentless & Low-privileged Assessment
• Web Application Security
Our approach
Defense in Depth strategy
• Network Layer
• OS and DBMS
• SCADA/HMI/PLCs
• MES/ERP
Compliance management support
Network Layer
Vulnerability checks for different platforms
• Cisco, Juniper, Check Point, Arbor, Huawei, Nortel, Alcatel
Configuration analysis
• Authentication checks
• ACL analysis
• Special checks of industrial protocol configuration (Cisco
Connected Grid, etc.)
OS and DBMS
Exhaustive vulnerability and configuration analysis
Operating systems: Windows, Mac OS X, Linux, IBM AIX, HP-UX
and Oracle Solaris
Databases: Microsoft SQL, Oracle, IBM DB2, PostgreSQL,
MySQL and Sybase
Offline USB/CD scanner
• Useful for HMI/SCADA audits
• Does not require a network connection
• Full-featured reporting through MaxPatrol Server
SCADA/HMI/PLC
Support for automation protocols
• Modbus/S7/DNP3/OPC
Vulnerability checks for PLC/SCADA/MES
Predefined (safe mode) assessment for SCADA
Configuration checks for SCADA
• HMI kiosk mode checks
• Mobile/wireless/Internet access
• Software whitelist/blacklist
• Antivirus/HIPS checks
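As an added illustration (not MaxPatrol's or Positive Technologies' code) of what a "safe mode" assessment with Modbus support means in practice: the tool only ever emits read-class Modbus/TCP function codes and decodes the device's replies, including exception responses, so a misaddressed probe is reported rather than turned into a write. Function code and exception names follow the Modbus application protocol specification; the sample frames are constructed.

```python
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id
_MBAP = struct.Struct(">HHHB")

# Function codes a read-only ("safe mode") assessment may send.
SAFE_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    17: "Report Server ID", 43: "Read Device Identification",
}
# Exception codes a device may return instead of data.
EXCEPTIONS = {1: "Illegal Function", 2: "Illegal Data Address",
              3: "Illegal Data Value", 4: "Server Device Failure"}

def build_request(tid, unit, func, payload=b""):
    """Build a Modbus/TCP ADU; refuses any function outside the read-only set."""
    if func not in SAFE_FUNCTIONS:
        raise ValueError(f"function code {func} is not permitted in safe mode")
    pdu = bytes([func]) + payload
    return _MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

def read_holding_registers(tid, unit, start, count):
    """Safe-mode request for `count` holding registers starting at `start`."""
    return build_request(tid, unit, 3, struct.pack(">HH", start, count))

def parse_response(adu):
    """Decode a Modbus/TCP response into a dict, including exception replies."""
    tid, proto, length, unit = _MBAP.unpack(adu[:7])
    pdu = adu[7:7 + length - 1]
    if proto != 0 or len(pdu) != length - 1 or not pdu:
        raise ValueError("malformed MBAP header or truncated PDU")
    func = pdu[0]
    if func & 0x80:  # exception bit set: the device rejected the request
        code = pdu[1]
        return {"tid": tid, "unit": unit, "function": func & 0x7F,
                "exception": EXCEPTIONS.get(code, f"code {code}")}
    if func in (3, 4):  # register reads: byte count followed by 16-bit words
        nbytes = pdu[1]
        regs = struct.unpack(f">{nbytes // 2}H", pdu[2:2 + nbytes])
        return {"tid": tid, "unit": unit, "function": func, "registers": regs}
    return {"tid": tid, "unit": unit, "function": func, "data": pdu[1:]}

# Constructed sample responses (not captured from a real device).
SAMPLE_OK = bytes.fromhex("0001000000070103040064012c")  # 2 registers: 100, 300
SAMPLE_EXC = bytes.fromhex("000200000003018302")  # exception 2 on function 3
```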
MES/ERP
Best-in-class vulnerability and compliance
assessment of ERP systems
Support for SAP NetWeaver and Oracle EBS
• Complete analysis at the OS/DBMS/application levels
• Black-box and white-box vulnerability checks
• SAP Notes and Oracle EBS patch checks
• Configuration analysis
• SAP Security Guide compliance
NERC Critical Infrastructure Protection Compliance
CIP-002-1: Critical Cyber Asset Identification
• Hardware and software discovery, network and
system asset inventory
CIP-003-1: Security Management Controls
• Built-in configuration compliance checklists,
automated vulnerability assessment
CIP-005-1: Electronic Security Perimeter(s)
• Control of network security via network scans and
configuration checks
CIP-007-1: Systems Security Management
• Automated assessment of security controls
(antivirus, SIEM, Firewall, etc.)
CIP-008-1: Incident Reporting and Response Planning
• Control of risky configurations and compromise
detection
Key Features: Flexibility & Integration
• Asset Management
• Help Desk Ticketing
• Risk Management
• Patch Management
• SIM/SIEM
• IPS and WAF
• Penetration Testing
• NAC/NAP
Positive Services for
SCADA
Positive Services
ICS Infrastructure Security Audit
Comprehensive assessment of technical and
organizational security controls. From PLC to
ERP. From pentest to checklists.
SCADA application security assessment
Deep technical inspection of SCADA security at the
network, OS, database and application levels.
Security policy and configuration checklist
development
Vulnerability and compliance management
process implementation
Summary
Positive Technologies approach
Research: to understand vulnerabilities and to find
new ones
Audit: to discover risks and select
countermeasures
Automate: vulnerability and compliance
management with MaxPatrol
Control: security process efficiency
Consolidate: vendors, researchers and customers
to create safe ICS/SCADA infrastructure and
solutions
Thanks!
Questions?
EMEA@ptsecurity.com

PT-DTS SCADA Security using MaxPatrol