This document contains information from a group of security researchers focused on assessing industrial control systems and SCADA platforms. Their goals are to automate security assessments, understand systems, assess security features, and create audit guides. It describes common ICS components like WinCC, S7 PLCs, and engineering tools. It also outlines vulnerabilities the group has found, including in WinCC, S7 communications, and TIA Portal. The document aims to share information to help secure ICS environments.

1. All pictures are taken from
Dr StrangeLove movie

2.  Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster and to
keep Purity Of Essence
Sergey Gordeychik Gleb Gritsai Denis Baranov
Roman Ilin Ilya Karpov Sergey Bobrov
Artem Chaykin Yuriy Dyachenko Sergey Drozdov
Dmitry Efanov Yuri Goltsev Vladimir Kochetkov
Andrey Medov Sergey Scherbel Timur Yunusov
Alexander Zaitsev Dmitry Serebryannikov Dmitry Nagibin
Dmitry Sklyarov Alexander Timorin Vyacheslav Egoshin
Roman Ilin Alexander Tlyapov

4.  Goals
to automate security assessment of ICS
platforms and environment
 Objectives
to understand system
to assess built-in security features
to create security audit/hardening guides
to automate process
Vulnerabilities – waste production

5.  Goal
to create PoC of Stuxnet-style attack
 Initial conditions
common ICS components and configuration
common ICS security tools
only ICS components weakness
vulnerabilities by SCADA StrangeLove team

12.  Engineering tools
 STEP 7
 PCS7
 TIA PORTAL
 SCADA/HMI
 WinCC (Windows)
 WinCC Flexible/Advanced (Windows/Win CE)
 S7 family PLC
 Old line (200, 300, 400)
 New line (1200, 1500)

13.  WinCC Server
 Windows/MSSQL based SCADA
 WinCC Client (HMI)
 WinCC runtime + Project + OPC
 WinCC Web Server (WebNavigator)
 IIS/MSSQL/ASP/ASP.NET/SOAP
 WinCC WebClient (HMI)
 ActiveX/HTML/JS

16. 1 2 9 7 6
10 11
14 17
73
100 96
899
94
135
285
81
0
100
200
300
400
500
600
700
800
900
1000
1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

18.  Cyber Weapon
 Tactics, Techniques, and Procedures (TTP's)
 APT1
 APT 2.0
 Cyber Kill Chain

19.  ChinJa (R) (tm)
 Breaking through
 Harvesting
 Creeping death
 Chaos

21. That is a question!

22. http://bit.ly/RI6FtQ
http://bit.ly/UXn7d1

23. http://www.surfpatrol.ru/en/report

24.  A lot of “WinCCed” IE from
countries/companies/industries
 Special prize to guys from US for
WinCC 6.X at 2012

27.  XPath Injection (CVE-2012-2596)
 Path Traversal (CVE-2012-2597)
 XSS ~ 20 Instances (CVE-2012-2595)
Fixed in Update 2 for WinCC V7.0 SP3
http://support.automation.siemens.com/WW/view/en/60984587

28.  Lot of XSS and CSRF
 CVE-2012-3031
 CVE-2012-3028
 Lot of arbitrary file reading
 CVE-2012-3030
 SQL injection over SOAP
 CVE-2012-3032
 Username and password disclosure via ActiveX
abuse
 CVE-2012-3034
Fixed in Update 3 for WinCC V7.0 SP3
http://support.automation.siemens.com/WW/view/en/63472422

29.  Path Traversal
 CVE-2013-0679
 Buffer overflow in ActiveX
 CVE-2013-0674
 XXE OOB
 CVE-2013-0677
 Missing encryption of sensitive data
 CVE-2013-0678
 Improper authorization
 CVE-2013-0676f
Fixed in WinCC 7.2/SIMATIC PCS7 V8.0 SP 1
http://www.siemens.com/corporate-
technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-
714398.pdf

32.  Network-level
 Active scan
 S7, Modbus, MSSQL (WinCC Instance), HTTP(S)
 SNMP (public/private hardcoded for PLC and HMI
Panels)
 Passive scan
 Profinet
 Host-level
 WinCC forensic

33. Dmitry Efanov
http://scadastrangelove.blogspot.ru/2012/11/plcscan.html

34. Alexander Timorin
PHDays III release

36.  PdlRt.exe – graphic runtime
 CCRtsLoader.EXE – loader
 s7otbxsx.exe – network
 Inter process communication:
 RPC
 Sections (memory mapped files)
 BaseNamedObjectsTCPSharedMm and other
interesting stuff

37.  Detecting active project:
HKCUSoftwareSIEMENSWINCCControl
CenterDefault Settings
 LastOpenPath
 LastProject
 Detecting MS SQL database name (timestamp)
ArchiveManagerAlarmLogging
ArchiveManagerTagLogging*
Obtaining information from database and system
objects

38. • {Hostname}_{Project}_TLG*
• TAG data
• СС_{Project}_{Timestamp}*
• Project data and configuration
• Users, PLCs, Privileges

39. • Managed by UM app
• Stored in dbo.PW_USER

40. CVE-2013-0676

42. • Administrator:ADMINISTRATOR
• Avgur2 > Avgur

46. This is my
encryptionkey

50.  Select from MS SQL via COM objects
 “Special” Windows Account
 Shortcuts*
*we don’t know yet, you know

52. Authentication
via SQL-stored
accounts
ServerID magic to
get WebBridge
password
Magic is used for
SCSWebBridgeX

53. Too hard for me…

54. Oh! En/c(r)ypt[10]n!
ServerID = Base64(RC2(pass, key)), were key
= MD5(dll hardcode)

55. Not my department password!

56.  All other confections use WNUSR for
authentication
 For authorization ID parameter is used

57. Not yet…

58.  «Magic» password = MD5(WNUSR_DC92D7179E29.Password)
 WNUSR_DC92D7179E29.Password generated during installation
 Stored in registry via DPAPI
 Good length and chartset but…

60.  WinCC clients use hardcoded account to
communicate with OPC Web bridge
 Password for WNUSR_DC92D7179E29 generated
during installation and probably strong
 MD5(WNUSR_.Password) stored with DPAPI
protection
 “Encrypted” password for WNUSR_DC* can be
obtained by request to WinCCWebBridge.dll
 WNUSR_DC92D7179E29 is only account used for
work with Windows/Database

62. …responsible disclosure

63.  What is Project?
 Collection of ActiveX/COM/.NET objects
 Event Handlers and other code (C/VB)
 Configuration files, XML and other
 Can Project be trusted?
 Ways to spread malware with Project?

64.  NO!
 Project itself is dynamic code
 It’s easy to patch it “on the fly”
 Vulnerabilities in data handlers
(CVE-2013-0677)
 How to abuse?
 Simplest way – to patch event
handlers

66.  Hardcoded SNMP community string (unfixed)
 Hardcoded S7 PLC CA certificate (Dmitry Sklarov)
http://scadastrangelove.blogspot.com/2012/09/all-your-plc-
belong-to-us.html
 Multiple vulnerabilities in S7 1200 PLC Web
interface (Dmitriy Serebryannikov, Artem Chaikin, Yury
Goltsev, Timur Yunusov)
http://www.siemens.com/corporatetechnology/pool/de/fors
chungsfelder/siemens_security_advisory_ssa-279823.pdf

67.  Can be protected by password
 Authentication – simple challenge-
response
 Password hashed (SHA1) on client (TIA
Portal)
 Server (PLC) provide 20 byte challenge
 Client calculate HMAC-
SHA1(challenge, SHA1(password) as
response

70.  Can be protected by password
 Authentication – simple challenge-
response
 Password hashed (SHA1) on client (TIA
Portal)
 Server (PLC) provide 20 byte challenge
 Client calculate HMAC-
SHA1(challenge, SHA1(password)) as
response

71.  SHA-1 stored in PLC project files
 It can be intercepted during
firmware update/project upload
 It can be extracted from project file
SHA-1(pass)
VS
HMAC-SHA1(challenge, SHA1(pass))

76.  Buffer overflow
 CVE-2013-0669
 Cross-Site Scripting
 CVE-2013-0672/CVE-2013-0670/CVE-2013-0668
 Directory traversal/Response splitting
 CVE-2013-0671
 Server-side script injection
 CVE-2012-3032
Fixed in WinCC (TIA Portal) V12
http://www.siemens.com/corporate-
technology/pool/de/forschungsfelder/siemens_security_advisory_s
sa-212483.pdf

80.  Profinet scanner
 WinCC Harvester 2.0
http://scadastrangelove.blogspot.com/search/label/Releases

81.  TIA portal Security Hardening Guide
 S7 protocol password brute force tool and JtR
 Simatic WinCC Security Hardening Guide
 PLCScan tool
 ICS/SCADA/PLC Google/Shodan Cheat
Sheet
 SCADA Safety in Numbers
http://scadastrangelove.blogspot.com/search/label/Releases

82. All pictures are taken from
Dr StrangeLove movie