SlideShare a Scribd company logo
Sergey Gordeychik
    Denis Baranov
      Gleb Gritsai
   Sergey Gordeychik
     Positive Technologies CTO, Positive Hack Days Director
      and Scriptwriter, WASC board member
     http://sgordey.blogspot.com, http://www.phdays.com

   Gleb Gritsai
     Principal Researcher, Network security and forensic
      researcher, member of PHDays Challenges team
     @repdet, http://repdet.blogspot.com

   Denis Baranov
       Head of AppSec group, researcher, member of PHDays
        CTF team
   Group of security researchers focused on ICS/SCADA


to save Humanity from industrial disaster and
          to keep Purity Of Essence
Sergey Gordeychik   Gleb Gritsai            Denis Baranov
Roman Ilin          Ilya Karpov             Sergey Bobrov
Artem Chaykin       Yuriy Dyachenko         Sergey Drozdov
Dmitry Efanov       Yuri Goltsev            Vladimir Kochetkov
Andrey Medov        Sergey Scherbel         Timur Yunusov
Alexander Zaitsev   Dmitry Serebryannikov   Dmitry Nagibin
Dmitry Sklyarov     Alexander Timorin       Vyacheslav Egoshin
Ilya Smith          Roman Ilin              Alexander Tlyapov
http://scadastrangelove.blogspot.com/2012/11/scada-safety-in-numbers.html
   Siemens ProductCERT
     Reallyprofessional team
     Quick responses
     Personal contacts
     Even Patches 


   You guys rock!
   Common target during pentests
   Most common platform (market, ShodanHQ)
   Largest number of published and fixed bugs
   Invensys Wonderware
   Yokogawa
   ICONICS
   ….



   Stay tuned!
ERP

          BUSINESS LAYER
MES




          OPERATION AND
           PRODUCTION
           SUPERVISION
SCADA




           SUPERVISOR
            CONTROL
PLC/RTU




          DIRECT CONTROL
   SCADA network is isolated and is not connected to other
    networks, all the more so to Internet

   MES/SCADA/PLC is based on custom platforms, and
    attackers can’t hack it

   HMI has limited functionality and does not allow to
    mount attack

…
   100% of tested SCADA networks are exposed to
    Internet/Corporate network
     Network equipment/firewalls misconfiguration
     MES/OPC/ERP integration gateways
     HMI external devices (Phones/Modems/USB Flash) abuse
     VPN/Dialup remote access


   99.9(9)% of tested SCADA can be hacked with Metasploit
     Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)
     Standard protocols (RCP, CIFS/SMB, Telnet, HTTP…)
     Standard bugs (patch management, passwords, firewalling,
      application vulnerabilities)
   50% of HMI/Engineering stations are also used as
    desktops
     Kiosk mode bypass
     (Secret) Internet access
     games/”keygens”/trojans and other useful software


        ICS security = Internet security in the early 2000




                                 VS
•   NO magic on network
    •   Standard network protocols/channel level
•   NO magic on system level
    •   Standard OS/DBMS/APPs
        • Windows/SQL for SCADA
        • Linux/QNX for PLC
•   NO AppSec at all
•   ICS guys don’t care about IT/IS
•   MES reality - connecting SCADA to other
    networks/systems (ERP etc.)
•   Ethernet
•   Cell (GSM, GPRS, …)
•   RS-232/485
•   Wi-Fi
•   ZigBee
•   Lot’s of other radio and wire

•   All can be sniffed thanks to community
•   Modbus
•   DNP3
•   OPC
•   S7

•   And more and more …
•   EtherCAT
•   FL-net
•   Foundation Fieldbus
•   Sniffing
•   Spoofing/Injection
•   Fingerprinting/Data collection
•   Fuzzing
•   Security?!
   Wireshark supports most of it
   Third-party protocol dissectors for
    Wireshark
   Industry grade tools and their free
    functions
       FTE NetDecoder
   No dissector/tool – No problem
       Plaintext and easy to understand protocols
    Widely available tools for Modbus packet
     crafting
    Other protocols only with general packet
     crafters (Scapy)
    More tools to come (from us ;))
    Most of protocols can be attacked by simple
     packet replay
    Or you can write your own fuzZzer*…

*But don’t forget about Python compilation issues (sec-recon, hi there)
   Well known ports
   Modbus
       Product, Device, GW, Unit enumeration
   S7
       Product, Device, Associated devices
   OPC
       RPC/DCOM, but authentication
   Modern fingerprinting add-ons
       snmp, http, management ports
By Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin

Google/Shodan dorks for:
   Siemens
   Emerson
   Allen-Bradley
   Rockwell Automation
   Schneider Electric
   General Electric


Want to be real SCADAHacker?
Just click!
                                  http://bit.ly/12RzuJC
   Open Source ICS devices scan/fingerprint tool

   Support modbus, S7, more to come

       Software and hardware version
       Device name and manufacturing
       Other technical info


   Thank to Dmitry Efanov
http://scadastrangelove.blogspot.ru/2012/11/plcscan.html
   Just a network device with it’s own
       OS
       Network stack
       Applications
       …vulnerabilities
   How to find vulnerabilities in PLC
     Nothing special
     Fuzzing
     Code analysis
     Firmware reversing
   Firmware is in Intel HEX format
   Several LZSS blobs and ARM code
   Blobs contain file system for PLC
   Web application source code (MSWL)


              … And ...
   ASCII armored certificate!
   For what?
   For built-in Certification Authority

               ?!?!??!!!??!

   Is there a private key?

…responsible answer
   Hardcoded S7 PLC CA certificate (Dmitry Sklarov)

http://scadastrangelove.blogspot.com/2012/09/all-
your-plc-belong-to-us.html

   Multiple vulnerabilities in S7 1200 PLC Web
interface (Dmitriy Serebryannikov, Artem Chaikin,
Yury Goltsev, Timur Yunusov)

http://www.siemens.com/corporatetechnology/pool/
de/forschungsfelder/siemens_security_advisory_ssa-
279823.pdf
•   Network stack
    •   Connects with PLCs, etc
•   OS
•   Database
•   Applications
    • HMI
    • Web
    •   Tools
   Depends on OS/DBMS security
     GUI restrictions/Kiosk mode for HMI
     OS network stack and API heavily used
         File shares
         RPC/DCOM
         Database replication
   Password authentication, ACLs/RBAC
   Something else?
•   Nothing special
    •   Windows/Linux
    •   No Patches
    •   Weak/Absence-of Passwords
    •   Misconfiguration
    •   Insecure defaults
•   Insecurity configuration
•   Users/password
•   Configuration
•   ICS-related data
•   Hardcoded accounts (fixed)
•   MS SQL listening network from
    the box*
    •   “Security controller” restricts to Subnet
•   Two-tier architecture with
    Windows integrated auth and
    direct data access
    •   We don’t know how to make it secure
•   Lot of “encrypted” stored
    procedures with exec
•   First noticed in May 2005
•   Published in April 2008
•   Abused by StuxNet in 2010
•   Fixed by Siemens in Nov 2010*
•   Still works almost everywhere

*WinCC V7.0 SP2 Update 1
•   {Hostname}_{Project}_TLG*
    •   TAG data


•   СС_{Project}_{Timestamp}*
    •   Project data and configuration
    •   Users, PLCs, Priviledges
•   Managed by UM app
•   Stored in dbo.PW_USER
•   Administrator:ADMINISTRATOR
•   Avgur2 > Avgur
This is my
encryptionkey
…responsible disclosure
 WinCC Harvester msf module
 WinCC security hardening guide

 Exclusive cipher tool & msf
  module. We don’t have yet…


http://scadastrangelove.blogspot.com/2012/11/wincc-harvester.html
http://scadastrangelove.blogspot.ru/2012/12/siemens-simatic-wincc-7x-security.html
   WebNavigator
       Web-based HMI
       IIS/ASP.NET
       ActiveX client-side
   DiagAgent
       Diagnostic and remote management application
       Custom web-server
   …
   Not started by default and shouldn’t never be
    launched

   No authentication at all
   XSSes
   Path Traversal (arbitrary file reading)
   Buffer overflow
   Web-based HMI

   XPath Injection (CVE-2012-2596)
   Path Traversal (CVE-2012-2597)
   XSS ~ 20 Instances (CVE-2012-2595)

   Fixed in Update 2 for WinCC V7.0 SP3

http://support.automation.siemens.com/WW/view/en/60984587
   Can help to exploit server-side vulnerabilities*
   Operator’s browser is proxy to SCADAnet!





                               ?
    Anybody works with SCADA and Internet
    using same browser?
* http://www.slideshare.net/phdays/root-via-xss-10716726
http://www.surfpatrol.ru/en/report
 A lot of “WinCCed” IE from
countries/companies/industries

   Special prize to guys from US for
    WinCC 6.X at 2012
   Lot of XSS and CSRF
       CVE-2012-3031
       CVE-2012-3028
   Lot of arbitrary file reading
       CVE-2012-3030
   SQL injection over SOAP
       CVE-2012-3032
   ActiveX abuse
       CVE-2012-3034



http://bit.ly/WW0TL2

…responsible disclosure
All pictures are taken from
Dr StrangeLove movie

More Related Content

What's hot

SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
qqlan
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Positive Hack Days
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
Ekaterina Melnik
 
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2:  We already knowSCADA StrangeLove 2:  We already know
SCADA StrangeLove 2: We already know
qqlan
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
qqlan
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016
Sergey Gordeychik
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation  Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation
Sergey Gordeychik
 
The Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousThe Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and Furious
Sergey Gordeychik
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Aleksandr Timorin
 
Internet connected ICS/SCADA/PLC
Internet connected ICS/SCADA/PLCInternet connected ICS/SCADA/PLC
Internet connected ICS/SCADA/PLC
qqlan
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
qqlan
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systems
Peter Wood
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
pgmaynard
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Positive Hack Days
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
Slawomir Jasek
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hack
Slawomir Jasek
 
Webshield internet of things
Webshield internet of thingsWebshield internet of things
Webshield internet of things
Raghav Shetty
 

What's hot (20)

SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2:  We already knowSCADA StrangeLove 2:  We already know
SCADA StrangeLove 2: We already know
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation  Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation
 
The Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousThe Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and Furious
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Internet connected ICS/SCADA/PLC
Internet connected ICS/SCADA/PLCInternet connected ICS/SCADA/PLC
Internet connected ICS/SCADA/PLC
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systems
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hack
 
Webshield internet of things
Webshield internet of thingsWebshield internet of things
Webshield internet of things
 

Similar to Scada Strangelove - 29c3

ICS Threat Scenarios
ICS Threat ScenariosICS Threat Scenarios
ICS Threat Scenarios
Luigi Auriemma
 
Scada strange love.
Scada strange love.Scada strange love.
Scada strange love.
Positive Hack Days
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
PROIDEA
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
DefconRussia
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
Shah Sheikh
 
It’s All In The Name - Deral Heiland
It’s All In The Name - Deral HeilandIt’s All In The Name - Deral Heiland
It’s All In The Name - Deral Heiland
EC-Council
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
Wavestone
 
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT:  Powered by KasperskyNext Generation Embedded Systems Security for IOT:  Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
L. Duke Golden
 
Kl iot cebit_dg_200317_finalmktg
Kl iot cebit_dg_200317_finalmktgKl iot cebit_dg_200317_finalmktg
Kl iot cebit_dg_200317_finalmktg
L. Duke Golden
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great again
Eric Larcheveque
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Julien Vermillard
 
NodeGrid Bold
NodeGrid BoldNodeGrid Bold
NodeGrid Bold
zpeofficial
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp
dotnetcode
 
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the RescueIndustrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Eurotech
 
Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18  "Hacking Electronic Door Access Controllers" Defcon 18  "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers"
shawn_merdinger
 
BsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the ControllersBsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the Controllers
Roberto Soares
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfua
Andy Shutka
 

Similar to Scada Strangelove - 29c3 (20)

ICS Threat Scenarios
ICS Threat ScenariosICS Threat Scenarios
ICS Threat Scenarios
 
Scada strange love.
Scada strange love.Scada strange love.
Scada strange love.
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
 
It’s All In The Name - Deral Heiland
It’s All In The Name - Deral HeilandIt’s All In The Name - Deral Heiland
It’s All In The Name - Deral Heiland
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
 
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT:  Powered by KasperskyNext Generation Embedded Systems Security for IOT:  Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
 
Kl iot cebit_dg_200317_finalmktg
Kl iot cebit_dg_200317_finalmktgKl iot cebit_dg_200317_finalmktg
Kl iot cebit_dg_200317_finalmktg
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great again
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
 
NodeGrid Bold
NodeGrid BoldNodeGrid Bold
NodeGrid Bold
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp
 
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the RescueIndustrial IoT Mayhem? Java IoT Gateways to the Rescue
Industrial IoT Mayhem? Java IoT Gateways to the Rescue
 
Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18  "Hacking Electronic Door Access Controllers" Defcon 18  "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers"
 
BsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the ControllersBsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the Controllers
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfua
 

More from qqlan

Миссиоцентрический подход к кибербезопасности АСУ ТП
Миссиоцентрический подход к кибербезопасности АСУ ТПМиссиоцентрический подход к кибербезопасности АСУ ТП
Миссиоцентрический подход к кибербезопасности АСУ ТП
qqlan
 
ABUSE THEIR CLOUDS. ОБЛАЧНЫЕ ВЫЧИСЛЕНИЯ ГЛАЗАМИ ПЕНТЕСТЕРА, ЮРИЙ ГОЛЬЦЕВ, СЕ...
ABUSE THEIR CLOUDS. ОБЛАЧНЫЕ ВЫЧИСЛЕНИЯ ГЛАЗАМИ ПЕНТЕСТЕРА, ЮРИЙ ГОЛЬЦЕВ, СЕ...ABUSE THEIR CLOUDS. ОБЛАЧНЫЕ ВЫЧИСЛЕНИЯ ГЛАЗАМИ ПЕНТЕСТЕРА, ЮРИЙ ГОЛЬЦЕВ, СЕ...
ABUSE THEIR CLOUDS. ОБЛАЧНЫЕ ВЫЧИСЛЕНИЯ ГЛАЗАМИ ПЕНТЕСТЕРА, ЮРИЙ ГОЛЬЦЕВ, СЕ...
qqlan
 
Best of Positive Research 2013
Best of Positive Research 2013Best of Positive Research 2013
Best of Positive Research 2013
qqlan
 
Web-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey GordeychikWeb-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey Gordeychik
qqlan
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
qqlan
 
Pt infosec - 2014 - импортозамещение
Pt   infosec - 2014 - импортозамещениеPt   infosec - 2014 - импортозамещение
Pt infosec - 2014 - импортозамещениеqqlan
 
SCADA StrangeLove Kaspersky SAS 2014 - LHC
SCADA StrangeLove Kaspersky SAS 2014 - LHCSCADA StrangeLove Kaspersky SAS 2014 - LHC
SCADA StrangeLove Kaspersky SAS 2014 - LHC
qqlan
 
Firebird Interbase Database engine hacks or rtfm
Firebird Interbase Database engine hacks or rtfmFirebird Interbase Database engine hacks or rtfm
Firebird Interbase Database engine hacks or rtfm
qqlan
 
Positive Technologies Application Inspector
Positive Technologies Application InspectorPositive Technologies Application Inspector
Positive Technologies Application Inspector
qqlan
 
Database honeypot by design
Database honeypot by designDatabase honeypot by design
Database honeypot by design
qqlan
 
Positive Technologies Application Inspector
Positive Technologies Application InspectorPositive Technologies Application Inspector
Positive Technologies Application Inspector
qqlan
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrieval
qqlan
 
PT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening GuidePT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening Guide
qqlan
 
Positive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening GuidePositive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening Guide
qqlan
 
From ERP to SCADA and back
From ERP to SCADA and backFrom ERP to SCADA and back
From ERP to SCADA and backqqlan
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
qqlan
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
qqlan
 
Как взломать телеком и остаться в живых
Как взломать телеком и остаться в живыхКак взломать телеком и остаться в живых
Как взломать телеком и остаться в живых
qqlan
 
Sergey Gordeychik - Russian.Leaks
Sergey Gordeychik - Russian.LeaksSergey Gordeychik - Russian.Leaks
Sergey Gordeychik - Russian.Leaksqqlan
 
Positive Hack Days 2011 - Russian Hackers
Positive Hack Days 2011 - Russian HackersPositive Hack Days 2011 - Russian Hackers
Positive Hack Days 2011 - Russian Hackersqqlan
 

More from qqlan (20)

Миссиоцентрический подход к кибербезопасности АСУ ТП
Миссиоцентрический подход к кибербезопасности АСУ ТПМиссиоцентрический подход к кибербезопасности АСУ ТП
Миссиоцентрический подход к кибербезопасности АСУ ТП
 
ABUSE THEIR CLOUDS. ОБЛАЧНЫЕ ВЫЧИСЛЕНИЯ ГЛАЗАМИ ПЕНТЕСТЕРА, ЮРИЙ ГОЛЬЦЕВ, СЕ...
ABUSE THEIR CLOUDS. ОБЛАЧНЫЕ ВЫЧИСЛЕНИЯ ГЛАЗАМИ ПЕНТЕСТЕРА, ЮРИЙ ГОЛЬЦЕВ, СЕ...ABUSE THEIR CLOUDS. ОБЛАЧНЫЕ ВЫЧИСЛЕНИЯ ГЛАЗАМИ ПЕНТЕСТЕРА, ЮРИЙ ГОЛЬЦЕВ, СЕ...
ABUSE THEIR CLOUDS. ОБЛАЧНЫЕ ВЫЧИСЛЕНИЯ ГЛАЗАМИ ПЕНТЕСТЕРА, ЮРИЙ ГОЛЬЦЕВ, СЕ...
 
Best of Positive Research 2013
Best of Positive Research 2013Best of Positive Research 2013
Best of Positive Research 2013
 
Web-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey GordeychikWeb-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey Gordeychik
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
 
Pt infosec - 2014 - импортозамещение
Pt   infosec - 2014 - импортозамещениеPt   infosec - 2014 - импортозамещение
Pt infosec - 2014 - импортозамещение
 
SCADA StrangeLove Kaspersky SAS 2014 - LHC
SCADA StrangeLove Kaspersky SAS 2014 - LHCSCADA StrangeLove Kaspersky SAS 2014 - LHC
SCADA StrangeLove Kaspersky SAS 2014 - LHC
 
Firebird Interbase Database engine hacks or rtfm
Firebird Interbase Database engine hacks or rtfmFirebird Interbase Database engine hacks or rtfm
Firebird Interbase Database engine hacks or rtfm
 
Positive Technologies Application Inspector
Positive Technologies Application InspectorPositive Technologies Application Inspector
Positive Technologies Application Inspector
 
Database honeypot by design
Database honeypot by designDatabase honeypot by design
Database honeypot by design
 
Positive Technologies Application Inspector
Positive Technologies Application InspectorPositive Technologies Application Inspector
Positive Technologies Application Inspector
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrieval
 
PT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening GuidePT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening Guide
 
Positive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening GuidePositive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening Guide
 
From ERP to SCADA and back
From ERP to SCADA and backFrom ERP to SCADA and back
From ERP to SCADA and back
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
 
Как взломать телеком и остаться в живых
Как взломать телеком и остаться в живыхКак взломать телеком и остаться в живых
Как взломать телеком и остаться в живых
 
Sergey Gordeychik - Russian.Leaks
Sergey Gordeychik - Russian.LeaksSergey Gordeychik - Russian.Leaks
Sergey Gordeychik - Russian.Leaks
 
Positive Hack Days 2011 - Russian Hackers
Positive Hack Days 2011 - Russian HackersPositive Hack Days 2011 - Russian Hackers
Positive Hack Days 2011 - Russian Hackers
 

Recently uploaded

System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Hiike
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloudSAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
maazsz111
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 

Recently uploaded (20)

System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloudSAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 

Scada Strangelove - 29c3

  • 1. Sergey Gordeychik Denis Baranov Gleb Gritsai
  • 2. Sergey Gordeychik  Positive Technologies CTO, Positive Hack Days Director and Scriptwriter, WASC board member  http://sgordey.blogspot.com, http://www.phdays.com  Gleb Gritsai  Principal Researcher, Network security and forensic researcher, member of PHDays Challenges team  @repdet, http://repdet.blogspot.com  Denis Baranov  Head of AppSec group, researcher, member of PHDays CTF team
  • 3. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Sergey Gordeychik Gleb Gritsai Denis Baranov Roman Ilin Ilya Karpov Sergey Bobrov Artem Chaykin Yuriy Dyachenko Sergey Drozdov Dmitry Efanov Yuri Goltsev Vladimir Kochetkov Andrey Medov Sergey Scherbel Timur Yunusov Alexander Zaitsev Dmitry Serebryannikov Dmitry Nagibin Dmitry Sklyarov Alexander Timorin Vyacheslav Egoshin Ilya Smith Roman Ilin Alexander Tlyapov
  • 5. Siemens ProductCERT  Reallyprofessional team  Quick responses  Personal contacts  Even Patches   You guys rock!
  • 6. Common target during pentests  Most common platform (market, ShodanHQ)  Largest number of published and fixed bugs
  • 7. Invensys Wonderware  Yokogawa  ICONICS  ….  Stay tuned!
  • 8.
  • 9. ERP BUSINESS LAYER MES OPERATION AND PRODUCTION SUPERVISION SCADA SUPERVISOR CONTROL PLC/RTU DIRECT CONTROL
  • 10.
  • 11.
  • 12. SCADA network is isolated and is not connected to other networks, all the more so to Internet  MES/SCADA/PLC is based on custom platforms, and attackers can’t hack it  HMI has limited functionality and does not allow to mount attack …
  • 13. 100% of tested SCADA networks are exposed to Internet/Corporate network  Network equipment/firewalls misconfiguration  MES/OPC/ERP integration gateways  HMI external devices (Phones/Modems/USB Flash) abuse  VPN/Dialup remote access  99.9(9)% of tested SCADA can be hacked with Metasploit  Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)  Standard protocols (RCP, CIFS/SMB, Telnet, HTTP…)  Standard bugs (patch management, passwords, firewalling, application vulnerabilities)
  • 14. 50% of HMI/Engineering stations are also used as desktops  Kiosk mode bypass  (Secret) Internet access  games/”keygens”/trojans and other useful software ICS security = Internet security in the early 2000 VS
  • 15. NO magic on network • Standard network protocols/channel level • NO magic on system level • Standard OS/DBMS/APPs • Windows/SQL for SCADA • Linux/QNX for PLC • NO AppSec at all • ICS guys don’t care about IT/IS • MES reality - connecting SCADA to other networks/systems (ERP etc.)
  • 16.
  • 17. Ethernet • Cell (GSM, GPRS, …) • RS-232/485 • Wi-Fi • ZigBee • Lot’s of other radio and wire • All can be sniffed thanks to community
  • 18. Modbus • DNP3 • OPC • S7 • And more and more … • EtherCAT • FL-net • Foundation Fieldbus
  • 19. Sniffing • Spoofing/Injection • Fingerprinting/Data collection • Fuzzing • Security?!
  • 20. Wireshark supports most of it  Third-party protocol dissectors for Wireshark  Industry grade tools and their free functions  FTE NetDecoder  No dissector/tool – No problem  Plaintext and easy to understand protocols
  • 21. Widely available tools for Modbus packet crafting  Other protocols only with general packet crafters (Scapy)  More tools to come (from us ;))  Most of protocols can be attacked by simple packet replay  Or you can write your own fuzZzer*… *But don’t forget about Python compilation issues (sec-recon, hi there)
  • 22. Well known ports  Modbus  Product, Device, GW, Unit enumeration  S7  Product, Device, Associated devices  OPC  RPC/DCOM, but authentication  Modern fingerprinting add-ons  snmp, http, management ports
  • 23.
  • 24. By Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin Google/Shodan dorks for:  Siemens  Emerson  Allen-Bradley  Rockwell Automation  Schneider Electric  General Electric Want to be real SCADAHacker? Just click! http://bit.ly/12RzuJC
  • 25.
  • 26. Open Source ICS devices scan/fingerprint tool  Support modbus, S7, more to come  Software and hardware version  Device name and manufacturing  Other technical info  Thank to Dmitry Efanov
  • 28.
  • 29.
  • 30. Just a network device with it’s own  OS  Network stack  Applications  …vulnerabilities  How to find vulnerabilities in PLC  Nothing special  Fuzzing  Code analysis  Firmware reversing
  • 31. Firmware is in Intel HEX format  Several LZSS blobs and ARM code  Blobs contain file system for PLC  Web application source code (MSWL) … And ...
  • 32. ASCII armored certificate!  For what?  For built-in Certification Authority ?!?!??!!!??!  Is there a private key?
  • 34. Hardcoded S7 PLC CA certificate (Dmitry Sklarov) http://scadastrangelove.blogspot.com/2012/09/all- your-plc-belong-to-us.html  Multiple vulnerabilities in S7 1200 PLC Web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov) http://www.siemens.com/corporatetechnology/pool/ de/forschungsfelder/siemens_security_advisory_ssa- 279823.pdf
  • 35.
  • 36. Network stack • Connects with PLCs, etc • OS • Database • Applications • HMI • Web • Tools
  • 37. Depends on OS/DBMS security  GUI restrictions/Kiosk mode for HMI  OS network stack and API heavily used  File shares  RPC/DCOM  Database replication  Password authentication, ACLs/RBAC  Something else?
  • 38. Nothing special • Windows/Linux • No Patches • Weak/Absence-of Passwords • Misconfiguration • Insecure defaults
  • 39. Insecurity configuration • Users/password • Configuration • ICS-related data
  • 40. Hardcoded accounts (fixed) • MS SQL listening network from the box* • “Security controller” restricts to Subnet • Two-tier architecture with Windows integrated auth and direct data access • We don’t know how to make it secure • Lot of “encrypted” stored procedures with exec
  • 41. First noticed in May 2005 • Published in April 2008 • Abused by StuxNet in 2010 • Fixed by Siemens in Nov 2010* • Still works almost everywhere *WinCC V7.0 SP2 Update 1
  • 42.
  • 43. {Hostname}_{Project}_TLG* • TAG data • СС_{Project}_{Timestamp}* • Project data and configuration • Users, PLCs, Priviledges
  • 44. Managed by UM app • Stored in dbo.PW_USER
  • 45.
  • 46. Administrator:ADMINISTRATOR • Avgur2 > Avgur
  • 47.
  • 48.
  • 49.
  • 50.
  • 52.
  • 54.  WinCC Harvester msf module  WinCC security hardening guide  Exclusive cipher tool & msf module. We don’t have yet… http://scadastrangelove.blogspot.com/2012/11/wincc-harvester.html http://scadastrangelove.blogspot.ru/2012/12/siemens-simatic-wincc-7x-security.html
  • 55.
  • 56.
  • 57. WebNavigator  Web-based HMI  IIS/ASP.NET  ActiveX client-side  DiagAgent  Diagnostic and remote management application  Custom web-server  …
  • 58.
  • 59. Not started by default and shouldn’t never be launched  No authentication at all  XSSes  Path Traversal (arbitrary file reading)  Buffer overflow
  • 60. Web-based HMI  XPath Injection (CVE-2012-2596)  Path Traversal (CVE-2012-2597)  XSS ~ 20 Instances (CVE-2012-2595)  Fixed in Update 2 for WinCC V7.0 SP3 http://support.automation.siemens.com/WW/view/en/60984587
  • 61. Can help to exploit server-side vulnerabilities*  Operator’s browser is proxy to SCADAnet!  ? Anybody works with SCADA and Internet using same browser? * http://www.slideshare.net/phdays/root-via-xss-10716726
  • 63.  A lot of “WinCCed” IE from countries/companies/industries  Special prize to guys from US for WinCC 6.X at 2012
  • 64.
  • 65. Lot of XSS and CSRF  CVE-2012-3031  CVE-2012-3028  Lot of arbitrary file reading  CVE-2012-3030  SQL injection over SOAP  CVE-2012-3032  ActiveX abuse  CVE-2012-3034 http://bit.ly/WW0TL2
  • 66.
  • 68.
  • 69.
  • 70.
  • 71.
  • 72.
  • 73.
  • 74. All pictures are taken from Dr StrangeLove movie