SlideShare a Scribd company logo

Security testing in critical systems

Peter Wood
Peter Wood

Cyber security threats and testing strategies for Real Time and Critical National Infrastructure (CNI) systems

Technology
1 of 30
Download to read offline
Security Testing in Critical Systems An Ethical Hacker’s View Peter Wood Chief Executive Officer First•Base Technologies
Who am I ? • Worked in computers & electronics since 1969 • Founded First•Base Technologies in 1989 (one of the first ethical hacking firms) • Primary roles: - Social engineer & penetration tester - Conference speaker - TV and radio security ‘expert’ - Member of ISACA Security Advisory Group - ISACA Conference Task Force member - Expert at the Corporate Executive Programme - Chair of Advisory board at CSA UK & Ireland Slide 2 © First Base Technologies 2011
Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusions Slide 3 © First Base Technologies 2011
Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusions Slide 4 © First Base Technologies 2011
Industrial Control Systems • Supervisory Control And Data Acquisition (SCADA) - computer systems that monitor and control industrial, infrastructure, or facility-based processes • Programmable Logic Controller (PLC) - a computer used for automation of electromechanical processes, such as control of machinery • Programmable Automation Controller (PAC) - a compact controller that combines the features and capabilities of a PC-based control system with that of a typical PLC • Remote Terminal Unit (RTU) or Intelligent Electronic Device (IED) - a microprocessor-controlled device that interfaces objects in the physical world to a distributed control system or SCADA Slide 5 © First Base Technologies 2011
Simple SCADA system Slide 6 © First Base Technologies 2011
Waste water treatment plant Slide 7 © First Base Technologies 2011
Network Architecture • RTUs and IEDs are proprietary devices running embedded operating systems • These originally used serial communications with field bus protocols such as Modbus, BITBUS, PROFIBUS etc. • Field bus protocols are now frequently encapsulated in TCP/IP • SCADA controllers manage communications, analyse data and display the alerts and events • Industrial systems now use UNIX or Windows in controllers and embedded in some field devices • This has exposed industrial systems to the same IT security challenges as commercial systems Slide 9 © First Base Technologies 2011
Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusions Slide 10 © First Base Technologies 2011
Authentication Problems • Default (manufacturer) passwords • Very poor quality passwords • Passwords never changed • Passwords common across many devices • Shared credentials • No passwords / anonymous logins • Remote access via modem • Systems replaced less often than commercial systems: no cleanup, more opportunity for information leakage Slide 11 © First Base Technologies 2011
Systems not Patched or Hardened • Many systems running on legacy (unsupported) operating systems • Patching can break applications • Patching can violate some vendors’ service contracts • Systems never taken off-line, as downtime can cause massive problems • Systems are rarely hardened as it is believed this may impact the application • SCADA applications themselves often contain vulnerabilities • Frequently no anti-malware software Slide 12 © First Base Technologies 2011
Insecure Protocols • Field bus protocols were not designed to be secure • Most field devices use proprietary IP stacks that are prone to DoS attacks and buffer overflows • Field bus protocols designed for serial comms, so no built in authentication – all legitimate packets will be processed • Most communication is in plain text • Default SNMP strings … Slide 13 © First Base Technologies 2011
Lack of Segmentation • Firewalls usually only between the corporate network and the industrial network (if at all) • Firewalls may be badly configured, industrial protocols difficult to control - All field bus traffic may be on one port - Cannot risk blocking critical messages • Wireless can bypass firewalls • Traditionally SCADA systems were isolated … not any more • Systems therefore vulnerable to malware, especially worms Slide 14 © First Base Technologies 2011
Stuxnet (you had to ask) • Self-replicates through removable drives exploiting a vulnerability allowing auto- execution • Spreads in a LAN through a vulnerability in the Windows Print Spooler • Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability • Copies and executes itself on remote computers through network shares • Copies and executes itself on remote computers running a WinCC database server • Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded • Updates itself through a peer-to-peer mechanism within a LAN • Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed • Contacts a command and control server that allows the hacker to download and execute code, including updated versions • Contains a Windows rootkit that hide its binaries • Attempts to bypass security products • Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system • Hides modified code on PLCs, essentially a rootkit for PLCs Symantec: W32.Stuxnet Dossier version 1.4 (February 2011) Slide 15 © First Base Technologies 2011
Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusions Slide 16 © First Base Technologies 2011
Problems with Testing While a ping sweep was being performed on an active SCADA network that controlled 9-foot robotic arms, it was noticed that one arm became active and swung around 180 degrees. The controller for the arm was in standby mode before the ping sweep was initiated. NIST Special Publication 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security Slide 17 © First Base Technologies 2011
Problems with Testing A ping sweep was being performed on an ICS network to identify all hosts that were attached to the network, for inventory purposes. It caused a system controlling the creation of integrated circuits in the fabrication plant to hang. This test resulted in the destruction of $50,000 worth of wafers. NIST Special Publication 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security Slide 18 © First Base Technologies 2011
Problems with Testing A gas utility hired an IT security consulting organization to conduct penetration testing on its corporate IT network. The consulting organization carelessly ventured into a part of the network that was directly connected to the SCADA system. The penetration test locked up the SCADA system and the utility was not able to send gas through its pipelines for four hours. The outcome was the loss of service to its customer base for those four hours. NIST Special Publication 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security Slide 19 © First Base Technologies 2011
Areas for Review • Perimeter • Network infrastructure • Active Directory etc. • Host operating systems • Applications • PLCs, RTUs, IEDs, etc. Slide 20 © First Base Technologies 2011
Security Review / Audit • Identification of devices and networks: - Router configs, router tables, switch tables, physical cable checks, packet sniffing • Identification of services: - Local port verification (netstat), scan of test or development system • Identification of vulnerabilities: - Local banner grabbing, scan of test or development system Penetration Testing of Industrial Control Systems Sandia National Laboratories Slide 21 © First Base Technologies 2011
Perimeter • Identify all external connections • Review firewall rules • Review remote access methods • Check for wireless networks • Check physical access • If if doubt: test duplicate systems Slide 22 © First Base Technologies 2011
Network Infrastructure • Review router configs • Review switch tables • Conduct physical cable checks • Conduct packet sniffing and analysis • If if doubt: test duplicate systems Slide 23 © First Base Technologies 2011
Active Directory • Audit Active Directory - Manual inspection - Interviews - Offline inspection Slide 24 © First Base Technologies 2011
Host Operating Systems • Review hardening • Review patch levels • Review password quality • Review share and directory permissions • Review remote access • If if doubt: test duplicate systems Slide 25 © First Base Technologies 2011
Applications • Review ports and services • Review OS credentials • Review password quality • Review remote access • Consider code review • If if doubt: test duplicate systems Slide 26 © First Base Technologies 2011
PLCs, RTUs, IEDs, etc. • Review hardening • Review patch levels • Review password quality (if any) • Conduct packet sniffing • If if doubt: test duplicate systems Slide 27 © First Base Technologies 2011
Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusions Slide 28 © First Base Technologies 2011
Summary and Conclusions • Industrial systems now use UNIX or Windows exposing them to the same IT security challenges as commercial systems • Systems still considered to be isolated, but they are not • Systems not patched or hardened • All devices will have authentication problems • Systems replaced less often than commercial systems: no cleanup, more opportunity for information leakage • Field bus protocols were not designed to be secure • Poor segmentation and firewalling • Conventional scanning and testing can cause serious problems • Audit and careful manual inspection rather than pen test Slide 29 © First Base Technologies 2011
Need more information? Peter Wood Chief Executive Officer First•Base Technologies LLP peterw@firstbase.co.uk Twitter: peterwoodx Blog: fpws.blogspot.com http://firstbase.co.uk http://white-hats.co.uk http://peterwood.com Slide 30 © First Base Technologies 2011

Recommended

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA SecurityNarinrit Prem-apiwathanokul
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 

Recommended

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA SecurityNarinrit Prem-apiwathanokul
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration TestingAhmed Sherif
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolShah Sheikh
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended Larry Vandenaweele
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2David Spinks
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale funJan Seidl
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Scada security presentation by Stephen Miller
Scada security presentation by Stephen MillerScada security presentation by Stephen Miller
Scada security presentation by Stephen MillerAVEVA
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
Dmitry Kurbatov. Five Nightmares for a Telecom
Dmitry Kurbatov. Five Nightmares for a TelecomDmitry Kurbatov. Five Nightmares for a Telecom
Dmitry Kurbatov. Five Nightmares for a TelecomPositive Hack Days
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber SecurityOWASP EEE
 
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Positive Hack Days
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82majolic
 
Ensuring your plant is secure
Ensuring your plant is secureEnsuring your plant is secure
Ensuring your plant is secureSchneider Electric
 

More Related Content

What's hot

BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration TestingAhmed Sherif
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolShah Sheikh
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended Larry Vandenaweele
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale funJan Seidl
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Scada security presentation by Stephen Miller
Scada security presentation by Stephen MillerScada security presentation by Stephen Miller
Scada security presentation by Stephen MillerAVEVA
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
Dmitry Kurbatov. Five Nightmares for a Telecom
Dmitry Kurbatov. Five Nightmares for a TelecomDmitry Kurbatov. Five Nightmares for a Telecom
Dmitry Kurbatov. Five Nightmares for a TelecomPositive Hack Days
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber SecurityOWASP EEE
 
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Positive Hack Days
 

What's hot (20)

BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration Testing
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale fun
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
Scada security presentation by Stephen Miller
Scada security presentation by Stephen MillerScada security presentation by Stephen Miller
Scada security presentation by Stephen Miller
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
Dmitry Kurbatov. Five Nightmares for a Telecom
Dmitry Kurbatov. Five Nightmares for a TelecomDmitry Kurbatov. Five Nightmares for a Telecom
Dmitry Kurbatov. Five Nightmares for a Telecom
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security
 
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
 

Similar to Security testing in critical systems

Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82majolic
 
Applying a Security Kernel Framework to Smart Meter Gateways
Applying a Security Kernel Framework to Smart Meter GatewaysApplying a Security Kernel Framework to Smart Meter Gateways
Applying a Security Kernel Framework to Smart Meter GatewaysMarcel Winandy
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatCh 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
 
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatCNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
 
The Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICSThe Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICSTripwire
 
Apresentação Técnica - Infecções por Malware no Brasil
Apresentação Técnica - Infecções por Malware no BrasilApresentação Técnica - Infecções por Malware no Brasil
Apresentação Técnica - Infecções por Malware no BrasilTI Safe
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT GatewayLF Events
 
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...sequi_inc
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Byres Security Inc.
 
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...TI Safe
 
[CLASS 2014] Palestra Técnica - Ilan Barda
[CLASS 2014] Palestra Técnica - Ilan Barda[CLASS 2014] Palestra Técnica - Ilan Barda
[CLASS 2014] Palestra Técnica - Ilan BardaTI Safe
 
Training manual on scada
Training manual on scadaTraining manual on scada
Training manual on scadabhavuksharma10
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxssuserfb92ae
 
Design Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security GuidelinesDesign Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security GuidelinesInductive Automation
 
IIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in PracticeIIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in Practiceteam-WIBU
 

Similar to Security testing in critical systems (20)

Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82
 
Ensuring your plant is secure
Ensuring your plant is secureEnsuring your plant is secure
Ensuring your plant is secure
 
Applying a Security Kernel Framework to Smart Meter Gateways
Applying a Security Kernel Framework to Smart Meter GatewaysApplying a Security Kernel Framework to Smart Meter Gateways
Applying a Security Kernel Framework to Smart Meter Gateways
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatCh 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden Threat
 
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatCNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
 
The Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICSThe Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICS
 
Apresentação Técnica - Infecções por Malware no Brasil
Apresentação Técnica - Infecções por Malware no BrasilApresentação Técnica - Infecções por Malware no Brasil
Apresentação Técnica - Infecções por Malware no Brasil
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT Gateway
 
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
 
ICS security
ICS securityICS security
ICS security
 
Is the Network Tap Mightier Than the Sword
Is the Network Tap Mightier Than the SwordIs the Network Tap Mightier Than the Sword
Is the Network Tap Mightier Than the Sword
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1
 
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
 
IIoT Endpoint Security
IIoT Endpoint Security IIoT Endpoint Security
IIoT Endpoint Security
 
[CLASS 2014] Palestra Técnica - Ilan Barda
[CLASS 2014] Palestra Técnica - Ilan Barda[CLASS 2014] Palestra Técnica - Ilan Barda
[CLASS 2014] Palestra Técnica - Ilan Barda
 
Training manual on scada
Training manual on scadaTraining manual on scada
Training manual on scada
 
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoTCyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
 
Design Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security GuidelinesDesign Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security Guidelines
 
IIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in PracticeIIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in Practice
 

More from Peter Wood

Hacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilitiesHacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilitiesPeter Wood
 
The future of cloud security
The future of cloud securityThe future of cloud security
The future of cloud securityPeter Wood
 
The 2018 Threatscape
The 2018 ThreatscapeThe 2018 Threatscape
The 2018 ThreatscapePeter Wood
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber ResiliencePeter Wood
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team ExercisePeter Wood
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloudPeter Wood
 
All your files now belong to us
All your files now belong to usAll your files now belong to us
All your files now belong to usPeter Wood
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Peter Wood
 
Advanced Threat Protection: Lessons from a Red Team Exercise
Advanced Threat Protection: Lessons from a Red Team ExerciseAdvanced Threat Protection: Lessons from a Red Team Exercise
Advanced Threat Protection: Lessons from a Red Team ExercisePeter Wood
 
Pragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World VulnerabilitiesPragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World VulnerabilitiesPeter Wood
 
Attacking the cloud with social engineering
Attacking the cloud with social engineeringAttacking the cloud with social engineering
Attacking the cloud with social engineeringPeter Wood
 
Advanced threat protection and big data
Advanced threat protection and big dataAdvanced threat protection and big data
Advanced threat protection and big dataPeter Wood
 
Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!Peter Wood
 
Unpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's ViewUnpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's ViewPeter Wood
 
Prime Targets in Network Infrastructure
Prime Targets in Network InfrastructurePrime Targets in Network Infrastructure
Prime Targets in Network InfrastructurePeter Wood
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsPeter Wood
 
Emerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesEmerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesPeter Wood
 
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsPeter Wood
 

More from Peter Wood (20)

Hacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilitiesHacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilities
 
The future of cloud security
The future of cloud securityThe future of cloud security
The future of cloud security
 
The 2018 Threatscape
The 2018 ThreatscapeThe 2018 Threatscape
The 2018 Threatscape
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team Exercise
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloud
 
All your files now belong to us
All your files now belong to usAll your files now belong to us
All your files now belong to us
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)
 
Advanced Threat Protection: Lessons from a Red Team Exercise
Advanced Threat Protection: Lessons from a Red Team ExerciseAdvanced Threat Protection: Lessons from a Red Team Exercise
Advanced Threat Protection: Lessons from a Red Team Exercise
 
Pragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World VulnerabilitiesPragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World Vulnerabilities
 
Attacking the cloud with social engineering
Attacking the cloud with social engineeringAttacking the cloud with social engineering
Attacking the cloud with social engineering
 
Advanced threat protection and big data
Advanced threat protection and big dataAdvanced threat protection and big data
Advanced threat protection and big data
 
Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!
 
Unpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's ViewUnpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's View
 
Prime Targets in Network Infrastructure
Prime Targets in Network InfrastructurePrime Targets in Network Infrastructure
Prime Targets in Network Infrastructure
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
Emerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesEmerging Threats and Attack Surfaces
Emerging Threats and Attack Surfaces
 
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day Threats
 

Recently uploaded

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Recently uploaded (20)

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

Security testing in critical systems

  • 1. Security Testing in Critical Systems An Ethical Hacker’s View Peter Wood Chief Executive Officer First•Base Technologies
  • 2. Who am I ? • Worked in computers & electronics since 1969 • Founded First•Base Technologies in 1989 (one of the first ethical hacking firms) • Primary roles: - Social engineer & penetration tester - Conference speaker - TV and radio security ‘expert’ - Member of ISACA Security Advisory Group - ISACA Conference Task Force member - Expert at the Corporate Executive Programme - Chair of Advisory board at CSA UK & Ireland Slide 2 © First Base Technologies 2011
  • 3. Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusions Slide 3 © First Base Technologies 2011
  • 4. Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusions Slide 4 © First Base Technologies 2011
  • 5. Industrial Control Systems • Supervisory Control And Data Acquisition (SCADA) - computer systems that monitor and control industrial, infrastructure, or facility-based processes • Programmable Logic Controller (PLC) - a computer used for automation of electromechanical processes, such as control of machinery • Programmable Automation Controller (PAC) - a compact controller that combines the features and capabilities of a PC-based control system with that of a typical PLC • Remote Terminal Unit (RTU) or Intelligent Electronic Device (IED) - a microprocessor-controlled device that interfaces objects in the physical world to a distributed control system or SCADA Slide 5 © First Base Technologies 2011
  • 6. Simple SCADA system Slide 6 © First Base Technologies 2011
  • 7. Waste water treatment plant Slide 7 © First Base Technologies 2011
  • 8.
  • 9. Network Architecture • RTUs and IEDs are proprietary devices running embedded operating systems • These originally used serial communications with field bus protocols such as Modbus, BITBUS, PROFIBUS etc. • Field bus protocols are now frequently encapsulated in TCP/IP • SCADA controllers manage communications, analyse data and display the alerts and events • Industrial systems now use UNIX or Windows in controllers and embedded in some field devices • This has exposed industrial systems to the same IT security challenges as commercial systems Slide 9 © First Base Technologies 2011
  • 10. Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusions Slide 10 © First Base Technologies 2011
  • 11. Authentication Problems • Default (manufacturer) passwords • Very poor quality passwords • Passwords never changed • Passwords common across many devices • Shared credentials • No passwords / anonymous logins • Remote access via modem • Systems replaced less often than commercial systems: no cleanup, more opportunity for information leakage Slide 11 © First Base Technologies 2011
  • 12. Systems not Patched or Hardened • Many systems running on legacy (unsupported) operating systems • Patching can break applications • Patching can violate some vendors’ service contracts • Systems never taken off-line, as downtime can cause massive problems • Systems are rarely hardened as it is believed this may impact the application • SCADA applications themselves often contain vulnerabilities • Frequently no anti-malware software Slide 12 © First Base Technologies 2011
  • 13. Insecure Protocols • Field bus protocols were not designed to be secure • Most field devices use proprietary IP stacks that are prone to DoS attacks and buffer overflows • Field bus protocols designed for serial comms, so no built in authentication – all legitimate packets will be processed • Most communication is in plain text • Default SNMP strings … Slide 13 © First Base Technologies 2011
  • 14. Lack of Segmentation • Firewalls usually only between the corporate network and the industrial network (if at all) • Firewalls may be badly configured, industrial protocols difficult to control - All field bus traffic may be on one port - Cannot risk blocking critical messages • Wireless can bypass firewalls • Traditionally SCADA systems were isolated … not any more • Systems therefore vulnerable to malware, especially worms Slide 14 © First Base Technologies 2011
  • 15. Stuxnet (you had to ask) • Self-replicates through removable drives exploiting a vulnerability allowing auto- execution • Spreads in a LAN through a vulnerability in the Windows Print Spooler • Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability • Copies and executes itself on remote computers through network shares • Copies and executes itself on remote computers running a WinCC database server • Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded • Updates itself through a peer-to-peer mechanism within a LAN • Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed • Contacts a command and control server that allows the hacker to download and execute code, including updated versions • Contains a Windows rootkit that hide its binaries • Attempts to bypass security products • Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system • Hides modified code on PLCs, essentially a rootkit for PLCs Symantec: W32.Stuxnet Dossier version 1.4 (February 2011) Slide 15 © First Base Technologies 2011
  • 16. Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusions Slide 16 © First Base Technologies 2011
  • 17. Problems with Testing While a ping sweep was being performed on an active SCADA network that controlled 9-foot robotic arms, it was noticed that one arm became active and swung around 180 degrees. The controller for the arm was in standby mode before the ping sweep was initiated. NIST Special Publication 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security Slide 17 © First Base Technologies 2011
  • 18. Problems with Testing A ping sweep was being performed on an ICS network to identify all hosts that were attached to the network, for inventory purposes. It caused a system controlling the creation of integrated circuits in the fabrication plant to hang. This test resulted in the destruction of $50,000 worth of wafers. NIST Special Publication 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security Slide 18 © First Base Technologies 2011
  • 19. Problems with Testing A gas utility hired an IT security consulting organization to conduct penetration testing on its corporate IT network. The consulting organization carelessly ventured into a part of the network that was directly connected to the SCADA system. The penetration test locked up the SCADA system and the utility was not able to send gas through its pipelines for four hours. The outcome was the loss of service to its customer base for those four hours. NIST Special Publication 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security Slide 19 © First Base Technologies 2011
  • 20. Areas for Review • Perimeter • Network infrastructure • Active Directory etc. • Host operating systems • Applications • PLCs, RTUs, IEDs, etc. Slide 20 © First Base Technologies 2011
  • 21. Security Review / Audit • Identification of devices and networks: - Router configs, router tables, switch tables, physical cable checks, packet sniffing • Identification of services: - Local port verification (netstat), scan of test or development system • Identification of vulnerabilities: - Local banner grabbing, scan of test or development system Penetration Testing of Industrial Control Systems Sandia National Laboratories Slide 21 © First Base Technologies 2011
  • 22. Perimeter • Identify all external connections • Review firewall rules • Review remote access methods • Check for wireless networks • Check physical access • If if doubt: test duplicate systems Slide 22 © First Base Technologies 2011
  • 23. Network Infrastructure • Review router configs • Review switch tables • Conduct physical cable checks • Conduct packet sniffing and analysis • If if doubt: test duplicate systems Slide 23 © First Base Technologies 2011
  • 24. Active Directory • Audit Active Directory - Manual inspection - Interviews - Offline inspection Slide 24 © First Base Technologies 2011
  • 25. Host Operating Systems • Review hardening • Review patch levels • Review password quality • Review share and directory permissions • Review remote access • If if doubt: test duplicate systems Slide 25 © First Base Technologies 2011
  • 26. Applications • Review ports and services • Review OS credentials • Review password quality • Review remote access • Consider code review • If if doubt: test duplicate systems Slide 26 © First Base Technologies 2011
  • 27. PLCs, RTUs, IEDs, etc. • Review hardening • Review patch levels • Review password quality (if any) • Conduct packet sniffing • If if doubt: test duplicate systems Slide 27 © First Base Technologies 2011
  • 28. Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusions Slide 28 © First Base Technologies 2011
  • 29. Summary and Conclusions • Industrial systems now use UNIX or Windows exposing them to the same IT security challenges as commercial systems • Systems still considered to be isolated, but they are not • Systems not patched or hardened • All devices will have authentication problems • Systems replaced less often than commercial systems: no cleanup, more opportunity for information leakage • Field bus protocols were not designed to be secure • Poor segmentation and firewalling • Conventional scanning and testing can cause serious problems • Audit and careful manual inspection rather than pen test Slide 29 © First Base Technologies 2011
  • 30. Need more information? Peter Wood Chief Executive Officer First•Base Technologies LLP peterw@firstbase.co.uk Twitter: peterwoodx Blog: fpws.blogspot.com http://firstbase.co.uk http://white-hats.co.uk http://peterwood.com Slide 30 © First Base Technologies 2011