This document provides an overview of industrial control systems (ICS) and SCADA security. It defines key concepts such as PLCs, explaining how they are connected to control units through various cabling and receive their programs from a computer. SCADA is introduced as the system commonly used to monitor and control infrastructure processes through interconnected sensors and controls under central management, with examples from power grids, pipelines and manufacturing. The document then covers the components of a SCADA network, common protocols, testing methods, and security challenges such as the lack of authentication. Several security incidents involving SCADA systems are described, and the Stuxnet malware is examined in depth as a well-known threat that targeted Siemens SCADA networks.
Slides for the presentation about SCADA hacking given on Hackers 2 Hackers Conference 10th edition at São Paulo, Brazil
Demo videos:
- Wago 0day DOS: https://www.youtube.com/watch?v=ACMJmXy4hSg
- Modbus Replay: https://www.youtube.com/watch?v=1pfZDiUUQHQ
Presentation Video (pt_BR)
- https://www.youtube.com/watch?v=R1snsQ_WS9Y
Scada Industrial Control Systems Penetration Testing (Yehia Mamdouh)
Starts from the types of SCADA networks, then penetration testing, and finally which security practices should be followed.
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm... (PECB)
This webinar will help you get more informed on penetration testing in SCADA, as well as the best practices and methods used in risk assessment. Learning about the criticality of these systems in industry gives you more flexibility to build your skills.
Main points covered:
• The SCADA ICS function in critical infrastructure industry
• Risk exposure of IT vs. SCADA ICS from Cyber Security Perspective
• Do's and don’ts of Vulnerability Assessment and Penetration Testing in SCADA ICS Environment
Presenter:
This webinar was presented by Pedro Putu Wirya, an IT and ICS Security Consultant with an extensive experience in ISMS, and PECB Certified Trainer.
Link of the recorded session published on YouTube: https://youtu.be/icq-RTwusZ8
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
This talk is about how to get into ICS security, whether you’re a control system engineer or an IT security analyst. It will cover the basic paths you can take to get involved, including some helpful resources and standards to help get you started. The ICS Security industry needs more people to help protect Critical Infrastructure!
Your SCADA system has a vulnerability, now what? I shortly summarize the DNP3 vulnerabilities (and other ICS protocols too). Then I focus on the different mitigations that an ICS owner can do to mitigate these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.
This presentation was given at BSides Las Vegas 2015.
In the modern times that we live in, the gentle shift that we are making towards the Internet of Things (IoT) is slowly but surely getting a grip on our day-to-day lives. The same goes for securing our Industrial Control Systems (ICS). We see that the demand for ICS security is rising and governmental regulations are being established and implemented. However, this also means that the need for ICS security professionals is rising as well. More and more security professionals/firms are starting to perform security assessments such as penetration testing on an ICS level. Two years ago I got the question whether I was up for the challenge, converting myself from a 'normal' security professional to an ICS-specific security professional.
The purpose of this talk would be to provide a starting point for security professionals that want to make the shift towards ICS Security, just like I did two years ago. While the term starting point might be a bit misleading, the goal would be to provide an ICS 001 talk in contrast to an ICS 101 talk.
Your SCADA system has a DNP3 vulnerability, now what? I shortly summarize the DNP3 vulnerabilities (and other ICS protocols too). Then I focus on the different mitigations that an ICS owner can do to mitigate these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed.
SCADA deep inside: protocols and software architecture (qqlan)
Speakers: Alexander Timorin, Alexander Tlyapov, Gleb Gritsai
This talk will feature a technical description and a detailed analysis of such popular industrial protocols as Profinet DCP, IEC 61850-8-1 (MMS), IEC 61870-5-101/104, based on case studies. We will disclose potential opportunities that those protocols provide to attackers, as well as the authentication mechanism of the Siemens proprietary protocol called S7.
Besides protocols, the results of the research called Siemens Simatic WinCC will be presented. The overall component interaction architecture, HTTP protocols and interaction mechanisms, authorization and internal logic vulnerabilities will be shown.
The talk will be concluded with a methodological approach to network protocol analysis, recommendation, and script release.
Blackhat USA 2016 - What's the DFIRence for ICS? (Chris Sistrunk)
Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause.
This talk will show examples of what and how to collect forensics data from two popular RTUs that are used in Electric Substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC.
This talk will not cover Windows or *nix-based devices such as Human Machine Interfaces (HMIs) or gateways.
In a world rocked by the Industrial Internet of Things (IIoT), the mobile revolution, Digital Transformation, and COVID-19, supervisory control and data acquisition (SCADA) remains an essential technology system for manufacturers. However, a SCADA system that was “good enough” 10 or 15 years ago will not be adequate in today’s environment. Before adopting or upgrading to a new SCADA system, you must be certain that it offers the power and flexibility your organization needs to adapt to these unfolding changes.
Why should you pick TONEX for your SCADA Security Training?
The SCADA Security Training course gives an advanced technical overview of SCADA's developing trends, advanced applications, operations, administration and security. We have been providing SCADA, automation and security training and consulting for more than 15 years, with 20+ man-years of development experience.
The SCADA Security Training course covers all parts of Industrial Control System (ICS) security for several kinds of control systems, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and other control system arrangements such as skid-mounted Programmable Logic Controllers (PLC).
#Some of the highlights of the SCADA Security Training:
Understand concepts behind Industrial Control Systems (ICS) and SCADA Security
Learn about DCS, SCADA and Industrial Control Systems technology, Infrastructure, instrumentation, HMI and Data Historians
SCADA and ICS Characteristics, Threats and Vulnerabilities
SCADA and ICS Security Program Development and Deployment
SCADA Network Architecture
SCADA Security Controls
Learn Passive and Active Techniques
Explore the impact of Wireless communications on SCADA System Security Testing
Explore SCADA System Security Testing with Active Techniques
Understand SCADA vulnerabilities and different techniques behind exploiting SCADA Systems
Understand how SCADA defense techniques and procedures work
Identify the weak links and challenges in SCADA cybersecurity
Review the available solutions and standards for secure SCADA architectures
Examine the state of policies on data privacy and Internet security and their impact on SCADA
Define a “To Do” list of action items to secure the SCADA systems
ICS/SCADA Security Essentials Essentials for NERC Critical Infrastructure Protection
ICS Active Defense and Incident Response
Assessing and Exploiting SCADA and Control Systems
Critical Infrastructure and Control System Cybersecurity
SCADA Security Management
#Learn more about the following aspects of SCADA, ICS and DCS Security:
Understanding Control System Vulnerabilities
Understanding and Identifying SCADA and ICS Vulnerabilities
SCADA, Industrial Control System (ICS) and Distributed Control Systems (DCS) Exploitation
Securing and Protecting Industrial Control Systems (ICS)
ICS, DCS and PLC Penetration Testing, Exploiting and Vulnerability Assessments
Hacking SCADA using Nmap, Nessus and Metasploit
Hacking Remote Web Servers
SCADA SQL Injection Attack
Learn more about SCADA security training
SCADA Security Training
https://www.tonex.com/training-courses/scada-security-training/
SCADA (Supervisory Control and Data Acquisition) networks have undergone significant changes, and the technological developments have made fiber optic technology a viable solution for users looking to build a network.
3. Agenda
● Some Incidents
● Stuxnet VS PLC
● Security Best Practices
SCADA Security | Ahmed Sherif 2014
4. Industrial Control Systems
● Industrial control system (ICS) is a general term that encompasses several types of control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures.
5. PLC
● A Programmable Logic Controller, PLC or Programmable Controller is a digital computer used for automation of typically industrial electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures. PLCs are used in many industries and machines.
6. PLC – How Does it Work?
1. The computer is connected to the PLC unit through Ethernet, RS-232, RS-485 or RS-422 cabling.
2. The programming software allows entry and editing of the ladder-style logic.
3. The program is transferred from a personal computer to the PLC through a programming board which writes the program into a removable chip such as an EEPROM.
4. The program can then be run and executed.
12. SCADA
SCADA is ....
Industrial Control Systems (ICS), commonly referred to as SCADA, underlie much of the infrastructure that makes everyday life possible in the modern world.
13. SCADA
SCADA is ....
● Supervisory Control and Data Acquisition
14. SCADA
SCADA is used For ....
POWER Grids
23. Components of a SCADA network
● RTU / PLC – Reads information on voltage, flow, the status of switches or valves. Controls pumps, switches, valves
● MTU – Master Terminal Unit – Processes data to send to HMI
● HMI – Human Machine Interface – GUI, Windows – Information traditionally presented in the form of a mimic diagram
● Communication network – LAN, Wireless, Fiber etc etc
24. Protocols of Scada Network
Raw Data Protocols – Modbus / DNP3
● For serial radio links mainly, but you can run anything over anything these days, especially TCP/IP (for better or worse)
● Reads data (measures voltage / fluid flow etc)
● Sends commands (flips switches, starts pumps) / alerts (it's broken!)
High Level Data Protocols – ICCP / OCP
● Designed to send data / commands between apps / databases
● Provides info for humans
● These protocols often bridge between office and control networks
27. SCADA (in)security
Lack of Authentication
● I don't mean lack of strong authentication. I mean NO AUTH!!
● There's no "users" on an automated system
● OPC on Windows requires anonymous login rights for DCOM (XPSP2 breaks SCADA because anonymous DCOM off by default)
● Normal policies regarding user management, password rotation etc etc do not apply
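The two slides above (raw data protocols such as Modbus, and the absence of any authentication on them) are the reason passive monitoring matters so much in these networks: a PLC will act on any well-formed write request it receives, so the only place a defender can tell a legitimate write from an unwanted one is on the wire, by looking at who sent it. The following is an added example, not code from the slides or from any of the referenced tools. It parses the Modbus/TCP MBAP header and function code, then applies a simple rule: write function codes are only expected from a known engineering workstation, and anything that fails to parse is flagged too. The function-code table is the standard public Modbus set; the IP addresses and frames are constructed sample input.

```python
"""Minimal Modbus/TCP write-request monitor (added example, not from the slides)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Public Modbus function codes that change process state.
# Assumption: the standard codes from the Modbus application protocol spec.
WRITE_FUNCTIONS: Dict[int, str] = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int  # 16-bit start address following the function code (-1 if absent)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the first bytes of the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    address = struct.unpack(">H", pdu[1:3])[0] if len(pdu) >= 3 else -1
    return ModbusRequest(tid, unit, pdu[0], address)


def check_request(src_ip: str, frame: bytes, allowed_writers: Set[str]) -> Optional[str]:
    """Return an alert string if this frame should not be on the wire, else None."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"ALERT malformed Modbus/TCP from {src_ip}: {exc}"
    if req.function in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        return (f"ALERT unexpected write from {src_ip} to unit {req.unit_id}: "
                f"{WRITE_FUNCTIONS[req.function]} at address {req.address}")
    return None


def scan(packets: List[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """Run the check over a list of (source ip, raw frame) pairs."""
    alerts = []
    for src_ip, frame in packets:
        alert = check_request(src_ip, frame, allowed_writers)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (not a real capture). Only the engineering
# workstation 10.0.0.10 is supposed to write to the PLC (unit id 1).
ALLOWED_WRITERS = {"10.0.0.10"}
SAMPLE_PACKETS = [
    # HMI polls 10 holding registers from address 0: normal read-only traffic
    ("10.0.0.20", bytes.fromhex("00010000000601030000000A")),
    # Unknown host writes coil 19 ON: no authentication stops this, so alert
    ("10.0.0.99", bytes.fromhex("00020000000601050013FF00")),
    # Engineering workstation writes register 1: expected, no alert
    ("10.0.0.10", bytes.fromhex("000300000006010600010003")),
    # Protocol id 1 on port 502: not Modbus, flag as malformed
    ("10.0.0.20", bytes.fromhex("000400010006010300000001")),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(line)
```

The same allow-list idea is what a Snort or Bro/Zeek rule on TCP/502 expresses; doing it in a few lines of Python makes the point that the rule is about source, not content, because Modbus gives the defender nothing else to check.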
28. SCADA (in)security
Can't Patch, Won't patch
● SCADA systems traditionally aren't patched
● Install the system, replace the system a decade later
● Effects of patching a system can be worse than the effects of compromise?
● Very large vulnerability window
30. Incidents !!
In 2000, in Queensland, Australia, Vitek Boden released millions of liters of untreated sewage into fresh water streams using a wireless laptop.
31. Incidents !!
"In August 2003 Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours."
32. Incidents !!
In 2003, the east coast of America experienced a blackout. While the Blaster worm was not the cause, many related systems were found to be infected.
33. Incidents !!
In 1997, a teenager broke into NYNEX and cut off Worcester Airport in Massachusetts for 6 hours by affecting ground and air communications.
36. The Nightmare .. Stuxnet
Malicious payload signed with stolen digital Certificates
● Realtek and Jmicron.
Infected Machines become part of the Stuxnet botnet
● Can steal code, documents, project designs.
● Can inject and hide code into PLCs – modifying production processes.
37. Stuxnet .. Deeper Look
● Main Dropper
This section contains the main stuxnet DLL file. And this DLL contains all stuxnet's functions, mechanisms, files and rootkits.
38. Stuxnet .. Deeper Look
● After finding this section, it loads stuxnet DLL file in a special way.
1. Escalating the Privileges and Injecting Into a New Process.
● It checks if the configuration data is correct and recent and then it checks the admin rights. If it's not running on administrator level, it uses one of two zero-day vulnerabilities to escalate the privileges and run in the administrator level.
● CVE-2010-2743 (MS-10-073) – Win32K.sys Keyboard Layout Vulnerability
● CVE-xxxx-xxxx (MS-xx-xxx) – Windows Task Scheduler Vulnerability
● These two vulnerabilities allow the worm to escalate the privileges and run in a new process ("csrss.exe" in case of Win32K.sys) or as a new task in the Task Scheduler case
39. Stuxnet .. Deeper Look
1. Escalating the Privileges and Injecting Into a New Process.
After everything goes right and the environment is prepared to be infected by stuxnet, it injects itself into another process to install itself from that process.
The injection begins by searching for an antivirus application installed in the machine. Depending on the antivirus application (AVP or McAfee or what?), stuxnet chooses the process to inject itself into. If there's no antivirus program it chooses "lsass.exe".
40. Stuxnet .. Deeper Look
2. Installing Stuxnet into the Infected Machine.
The Function #16 begins by checking the configuration data and making sure that everything is ready to begin the installation. It also checks if there's a value in the registry with this name "NTVDM TRACE" in
SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
And then, it checks if this value equals "19790509".
This special number seems to be a date, "May 9, 1979", and this date has a historical meaning (by Wikipedia): "Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community"
41. Stuxnet .. Deeper Look
3. The USB Drives Infection
For infecting USB flash memory, Stuxnet creates a new hidden window "AFX64c313" and gets notified of any new USB flash memory inserted into the computer by waiting for the "WM_DEVICECHANGE" Windows message.
● After getting notified of a new drive added to the computer (USB Flash Memory), stuxnet writes 6 files into the flash memory drive:
● Copy of Shortcut to.lnk
● Copy of Copy of Shortcut to.lnk
● Copy of Copy of Copy of Shortcut to.lnk
● Copy of Copy of Copy of Copy of Shortcut to.lnk
● And 2 executable files (DLL files):
● ~WTR4141.tmp
● ~WTR4132.tmp
These malformed shortcut files use a vulnerability in Windows Shell named:
● CVE-2010-2568 (MS-10-046) – Windows Shell LNK Vulnerability
42. Was it a success ?
53. Security Best Practices
Information Protection Guidelines:
● Create strong passwords and protect those passwords.
● Use a security token (or some other additional protection method) with a password to provide much stronger protection than a password alone.
● Take great care in what you publish on the internet and your company intranet.
● Sanitize or destroy all equipment that may contain critical information.
● Follow your company's reporting procedures if you observe any suspicious or abnormal activity.
54. Security Best Practices
Physical Protection Guidelines:
● Limit access to systems you're responsible for to those who have a need to know.
● Protect systems and information (use password-protected screen savers, lock office doors, lock information in cabinets, etc.) when leaving them unattended.
● When traveling, pay special attention when going through airport security. Thieves may be able to steal your laptop while you are focusing on getting through the security checkpoint.
● Never leave systems or storage media in your vehicle.
● Protect work systems and information at home at the same level or higher as you would at work.
55. So, Is Scada Important ?
● No ...
● Why ?! ...