SlideShare ist ein Scribd-Unternehmen logo

SCADA deep inside: protocols and security mechanisms

Aleksandr Timorin
Aleksandr Timorin

My talk on CONFidence 2014, Poland, Krakow

Präsentationen & Vorträge
1 von 75
Downloaden Sie, um offline zu lesen
SCADA deep inside: protocols and security mechanisms Aleksandr Timorin ! ! ! ! ! ! CONFIDENCE 2014 27-28 V 2014, Krakow
# whoami • penetration tester at Positive Technologies • SCADA security researcher, main specialisation - industrial protocols • SCADAStrangeLove team member • speaker at PHDays, Power Of Community, Chaos Communication Congress (workshop) • @atimorin • atimorin@ptsecurity.com 2SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# whoami 3SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# whoami 4SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
• intro to scada world • current situation in ICS network security • overview of industrial protocols • well-known protocols: profinet, modbus, dnp3 • go to particular: • IEC 61850-8-1 (MMS) • IEC 61870-5-101/104 • FTE • Siemens S7 • how to analyse protocols • releases • QA 5SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # agenda
ICS - Industrial Control System SCADA - Supervisory Control And Data Acquisition PLC - Programmable Logic Controller HMI - Human-Machine Interface RTU - Remote Telemetry Unit Sensor, Actuator ! … and much more 6SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # intro to scada world
many many vendors in the world: • siemens • advantech • citectscada • codesys • moxa • schneider electric • rslogics • general electric • wellintech • sielco sistemi • emerson • abb • advanced micro controls • …. 7SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # intro to scada world problems in security: ! • each vendor - own protocol, technology etc. • out-of-date: don’t touch if it works! wild wild industrial world
! ! ! ! 8SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # current situation in ICS network security ICS NETWORK absolutely unbreakable ???
NO, because of: ! ➡ typical network devices with default/crappy settings ➡ unpatched, old as dirt, full of junk software [malware] engineering workstations ➡ wireless AP with WEP (if the best happend) ➡ low physical security ➡ … and ➡ industrial protocols 9SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # current situation in ICS network security
! ! ➡ typical network devices with default/crappy settings ➡ unpatched, old as dirt, full of junk software [malware] engineering workstations ➡ wireless AP with WER (if the best happend) ➡ low physical security ➡ … and ➡ industrial protocols 10SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # current situation in ICS network security
How protocols live in the network ? ! • full expanse • not blocked by firewalls/switches • accessible between LAN segments • works from data link layer to application layer • easy to detect • easy to intercept, analyze, reproduce and reply (but not all ! ) 11SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # current situation in ICS network security
• modbus • profibus • profinet • dnp3 • ethernet/ip • s5/s7 (siemens protocols family) • CIP (rockwell automation) • cc-link (mitsubishi electric factory automation) • bacnet • iec 60870, iec 61850, iec 61107 • m-bus • zigbee • … iec - international electrotechnical commission 12SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # overview of industrial protocols
• published by Modicon (now Schneider Electric) in 1979 • widely used for connecting industrial electronic devices • in XX: through rs-232/rs-485 • in XXI: modbus tcp • standard port 502/tcp 13SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # modbus
functions: ! • data access: read/write coils, registers, file records • diagnostics: device identification • user defined functions ! ! ! tools: ! • wireshark dissector • plcscan ( https://code.google.com/p/plcscan/ ) • modbus-discover nse (by Alexander Rudakov) • modbus simulators () ! 14SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # modbus
security ? • no authentication • no encryption • no security ! transaction id: 2 bytes protocol id: 2 bytes (always 0) length: 2 bytes unit id: 1 byte function code: 1 byte data … 15SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # modbus
# dnp3 DNP3 Distributed Network Protocol • first version in 1990 • standartized by IEEE only on 2010 • mainly used in water and electric industry • master - outstation communication • tcp/udp standard port 20000 ! tools: wireshark dissector free implementation https://code.google.com/p/dnp3/ ! security ? DNP3 Secure Authentication v5. First version in 2007. Add device and user authentication Data protection 16SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# dnp3 dnp3 frame: • header - 10 bytes • data - max 282 bytes ! header: • sync - 2 bytes • length -1 byte • link control - 1 byte • destination addr - 2 bytes • source addr - 2 bytes • crc - 2 bytes ! each device in network has unique address 1..65520 crc for every 16 bytes of data -> max frame len = 292 bytes work on iso/osi layers: data link layer, transport layer, application layer 17SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# profinet dcp PROFINET family ! • Profinet CBA/IO/PTCP/DCP • iec 61158, iec 61784 in 2003 • Ethernet type 0x8892 • exchange data in real-time cycles • multicast discovery devices and stations ! security ? • no encryption • no authentication • no security 18SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# profinet dcp PROFINET DCP - Discovery and basic Configuration Protocol 19SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# profinet dcp frame types: • request 0xfefe • response 0xfeff • get/set 0xfefd ! multicast identify (scapy code): payload=‘fefe05000401000200800004ffff’.decode(‘hex’) srp(Ether(type=0x8892, src=smac, dst=’01:0e:cf:00:00:00’)/payload) ! fefe request 05 service id: identify 00 service type: request 04010002 xid (request id) 0080 delay 0004 data len ff option: all ff suboption: all 20SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# profinet dcp • main interesting fields for playing is option and suboption • for example, set/get network info: opt 0x01, subopt 0x02 • led flashing: opt 0x05, subopt 0x03 ! so we can: • scan profinet supported devices and stations • change name of station • change ip, netmask, gateway • request full network info • LED flashing: PLC, HMI (simulates that smth wrong with device) • and much more 21SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# profinet dcp profinet dcp scanner (raw sockets and scapy versions) ! ! ! ! ! ! ! ! ! discovering all devices (PC, PLC, HMI) in subnet ! live demo 22SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# profinet dcp profinet fuzzer: fuzz options and sub options on plc siemens s7-1200 ! CVE-2014-2252 “An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system.” ! what is “specially crafted profinet packets” ? 23SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# profinet dcp CVE-2014-2252 ! just “set” request: set network info with all zero values. ! ip 0.0.0.0 mask 0.0.0.0 gw 0.0.0.0 ! ! ! ! live demo 24SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# iec 61850-8-1 IEC 61850-8-1 (MMS) ! ! ! ! ! MMS - Manufacturing Message Specification 25SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# iec 61850-8-1 • since 1980 • ISO 9501-1, 2003 • use ISO-TSAP as transport • standard tcp port 102 ! functions: • read/write tags, variables, domains (large unstructured data, i.e. program code) • start/stop/rewrite firmware on PLC • read/write/del files and directories ! security ? • simple methods whitelist • TLS (in theory, but in practice not supported by vendors and haven’t seen before in products) ! tools: • wireshark dissector • python and nmap identify scripts • emulator, open source libs 26SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# iec 61850-8-1 27SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# iec 61850-8-1 ~ nmap —script mms-identify.nse —script-args=‘mms- identify.timeout=500’ -p 102 <host> 28SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# iec 61870-5-101/104 IEC 61870-5-101/104 ! mainly for gathering telemetry in electricity distribution and power system automation ! huge list of functions, depends on vendors implementation: • read/write tags • upload/download files • broadcast connected devices discovery • time sync • reset process command • query log files • etc. ! security ? • no auth, no encryption • simple ip address whitelist (ip of master devices defined on slaves) 29SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# iec 61870-5-101/104 IEC 61870-5-101/104 ! standard tcp port 2404 ! toolkit: • simulators: sim104, mrts-ng etc. • wireshark dissector • python and nmap identify scripts 30SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# iec 61870-5-101/104 IEC 61870-5-101/104 ! 31SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# iec 61870-5-101/104 ~ nmap --script iec-identify.nse --script-args='iec-identify.timeout=500' -p 2404 <host> ! 32SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# FTE Fault Tolerant Ethernet by Honeywell ! Provides robust and low-cost technology for industrial networks. Each FTE-node connected twice to network, support actual route table and exchanges route table with other nodes through multicast request. ! UDP as a transport. ! Proprietary protocol. 33SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# FTE ! attack vectors: • flood udp ports • send multicast packets with fake routing table ! multicast packet ———> ! headers: 0x01000810 0x01a01001 sending each second 34SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# FTE 0x23 node index ! 0x433330302023303335 node name (C300 #5) ! 0x44 and 0xca bytes of some packets counter ! 0x32312032 part of firmware version full: EXP3 10.1-65.57 Sat Dec 06 20:22:33 2008 (Fri Nov 21 20:22:57 2008) 35SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# Siemens ! TIA Portal (Totally Intergated Automation Portal) ! ! TIA - intellectual kernel of more than 100000 products created last 15 years. ! ! What about users, passwords and permissions? 36SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# Siemens PLC read/write protection for main and critical operations: CPU start/stop/data change, project upload, firmware update, etc. 37SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# Siemens TIA Portal PEData.plf passwords history ! ! ! ! ! ! ! ! ! ! passwords in sha-1 but “helpful” redbox value: password_len * 2 + 1 srsly>? for what??? 38SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# Siemens After notification Siemens “strengthened” users passwords and switched to md5… ! ! ! ! TIA Portal V12 UPD 3 39SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# Siemens s7 password hashes extractor ! 40SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# Siemens Improve user rights ! ! ! ! ! ! ! ! ! User rights - 2 bytes after second md5 hash: 0x8001 —> 0xFFFF 41SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# Siemens SCADA <-> PLC auth scheme: ! scada -> plc: auth request scada <- plc: challenge scada -> plc: response = HMAC(SHA1(password), challenge) scada <- plc: auth result ! python scripts (for 1200 and 1500 Siemens S7 PLC) for extracting all challenge-responses, export to JtR format and simple bruteforce ! want to crack password? use john the ripper! 42SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# Siemens 43SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# Siemens Bruteforce PLC online! ! Use powerful THC-Hydra Tested on S7-300 PLC. Should work on S7-200, S7-400 ! ! ! ~ hydra -F -V -P ./wordlist/500-worst-passwords.txt s7-300://<host> ! ! ! 44SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# Siemens 45SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! CVE-2014-2250, CVE-2014-2251 ! SSA-654382, SSA-456423 Affected devices: Siemens S7-1200 PLC Siemens S7-1500 PLC ! CVSS Base Score: 8.3 46SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! Tested on S7-1200 CPU 1212C, firmware V 2.2.0 47SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM= ! uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM= ! Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM= ! tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM= ! ! ! ! 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143 ! b8b8875d9513cb618c823af52a682670d37fa1c30001000200028ad70a00aac800000000000000008ad72143 ! 32efef822220b6bc6ad0b569dba9e432d37fa1c30001000300028ad70a00aac800000000000000008ad72143 ! b631fabed35609f6be4191cf0ed0a729d37fa1c30002000300028ad70a00aac800000000000000008ad72143 48SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143 ! ! 3e6cd1f7bdf743cac6dcba708c21994f + d37fa1c30001000100028ad70a00aac800000000000000008ad72143 ! ! 3e6cd1f7bdf743cac6dcba708c21994f - ? d37fa1c3 - ? 0001 - ? 0001 - ? 00028ad7 - ? 0a00aac8 - ? 00000000000000008ad72143 - ? 49SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! 3e6cd1f7bdf743cac6dcba708c21994f MD5 of ? (16 bytes) d37fa1c3 CONST (4 bytes) 0001 user logout counter (2 bytes) 0001 counter of issued cookies for this user (2 bytes) 00028ad7 value that doesn’t matter (4 bytes) 0a00aac8 user IP address (10.0.170.200) (4 bytes) 00000000000000008ad72143 value that doesn’t matter (12 bytes) ! ! ! So, what about 3e6cd1f7bdf743cac6dcba708c21994f ??? 50SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! ! 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143 ! ! 3e6cd1f7bdf743cac6dcba708c21994f ! ! MD5( NEXT 26 BYTES OF COOKIE + 16BYTES OF SECRET + 2 NULL BYTES) ! ! What is SECRET ? 51SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! SECRET generates after PLC start by ~PRNG. ! PRNG is a little bit harder than standard C PRNG. ! SEED in {0x0000 , 0xFFFF} ! ! ! It’s too much for bruteforce (PLC so tender >_<) 52SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! What about SEED ? SEED very often depends on time value ! SEED = PLC START TIME + 320 ! 320 by practical way: secret generates after ~ 3-4 seconds of PLC start using current time ! ! How to obtain PLC START TIME ? ! ! ! PLC START TIME = CURRENT TIME – UPTIME 53SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! ! ! Current time via web interface ! ! ! ! Uptime via SNMP with hardcoded read community string “public” 54SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! ! ! ! * 100 - calculation lapse ! ! To generate cookie we should brute: • logout number (2 bytes, max 65535) • number of issued cookies (2 bytes, max 65535) • seed value (2 bytes, but max 100) ! ! Still too many values to bruteforce … 55SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! But if user (admin) not logged out properly then after 7 logins it is not possible to login again ! We should restart PLC or wait 30 minutes (cookie expire time) ! ! ! ! ! ! ! ! We can minimize logout and issued cookies counters to 7 To generate cookie we should brute: • logout number (2 bytes, max 7) • number of issued cookies (2 bytes, max 7) • seed value (2 bytes, but max 100) 56SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! 57SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# it’s a cookie time ! Exploitation dependences: ! • >= 1 success logins to PLC after last restart • SNMP enabled ! BUT IT DOES NOT NEED LOGIN AND PASSWORD !!! ! CVE Timeline: ! • End of July 2013 – vulnerability discovered • 5 August 2013 – vendor notified • 20 March 2014 – patch released, first public advisory 58SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# S7 protocol Standard port 102/TCP ! By Siemens terms it is ISO-on-TCP (RFC 1006) based communication protocol 59SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# S7 protocol Materials: ! • “Exploiting Siemens Simatic S7 PLCs” by Dillon Beresford • wireshark dissector • libnodave - free communication library • snap7 - open source communication suite • plcscan 60SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# S7 protocol • based on iso-tcp -> block oriented protocol ! • block - PDU (Protocol Data Unit) ! • functions and commands oriented -> each frame contains function request or reply to it ! S7 commands: • plc start/stop cpu • firmware update • read/write data (blocks, tags) • system info • authentication • etc… 61SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# S7 protocol History of S7: • S5 Communication (FETCH/WRITE, Sinec H1) • S7 Communication • “Another” S7 Communication ! Simply “another” S7 looks like: ! ! TCP : HEADER | ISO TCP ! ISO TCP: TPKT | COTP | S7 PDU 62SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# S7 protocol • For old versions: wireshark dissectors, libraries, simulators. ! • Because we know all about that versions of protocol. ! • But we know next to nothing about “another” S7. ! Challenge accepted ! 63SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# How to analyse protocols? ! ! 64SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# How to analyse protocols? How to analyze protocols ? ! this guy should now -> ! Rob Savoye, FOSDEM 2009 “Reverse engineering of proprietary protocols, tools and techniques” ! “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns” ! ! ! *demo 65SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# How to analyse protocols? ! ! 66SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# How to analyse protocols? show_byte_sequences.py ! 67SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# How to analyse protocols? s7-show-payloads.py 68SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# How to analyse protocols? s7-packet-structure.py 69SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# How to analyse protocols? Use your knowledge about protocols: ! • it’s a universal and complex approach • you can: • detect devices and their protocols • monitor state, commands, exchanging data • inject, modify, reply packets in real-time ! ! Because most of them INSECURE BY DESIGN ! real example? 70SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# How to analyse protocols? Energetic turbine ! ! ! ! ! ! ! ! ! Simple UDP packet that set “speed” of turbine to 57 (min=0, max=100) 71SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# How to analyse protocols? What will happen if you send another packet, another value? ! 72SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# How to analyse protocols? Yes, you’re right ! 73SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# outro all scripts, tools -> https://github.com/atimorin/scada-tools ! pcaps -> a little bit later after some cleaning ! ! ! ! QA ? 74SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
# outro Thank you! ! @atimorin atimorin@ptsecurity.com ! greetz to: @scadasl @repdet @GiftsUngiven Dmitry Sklyarov 75SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014

Empfohlen

Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security PresentationFilip Maertens
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended Larry Vandenaweele
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 

Empfohlen

Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security PresentationFilip Maertens
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended Larry Vandenaweele
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatSurachai Chatchalermpun
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber SecurityOWASP EEE
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToJim Gilsinn
 
Industrial_Cyber_Security
Industrial_Cyber_SecurityIndustrial_Cyber_Security
Industrial_Cyber_SecurityWillianMachadoFonsec
 
ICS security
ICS securityICS security
ICS securityAhmed Shitta
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsBSides Delhi
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale funJan Seidl
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA securityCysinfo Cyber Security Community
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Transport layer security.ppt
Transport layer security.pptTransport layer security.ppt
Transport layer security.pptImXaib
 
Cryptography - A Brief History
Cryptography - A Brief HistoryCryptography - A Brief History
Cryptography - A Brief Historyprasenjeetd
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Rishabh Upadhyay
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
 
Security on Cloud Computing
Security on Cloud Computing Security on Cloud Computing
Security on Cloud Computing Reza Pahlava
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Network Security and Firewall
Network Security and FirewallNetwork Security and Firewall
Network Security and FirewallShafeeqaFarsana
 
MISP EcoSystem - Threat Intelligence, VMRay, MISP
MISP EcoSystem - Threat Intelligence, VMRay, MISPMISP EcoSystem - Threat Intelligence, VMRay, MISP
MISP EcoSystem - Threat Intelligence, VMRay, MISPKoen Van Impe
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 

Weitere ähnliche Inhalte

Was ist angesagt?

BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber SecurityOWASP EEE
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToJim Gilsinn
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsBSides Delhi
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale funJan Seidl
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Transport layer security.ppt
Transport layer security.pptTransport layer security.ppt
Transport layer security.pptImXaib
 
Cryptography - A Brief History
Cryptography - A Brief HistoryCryptography - A Brief History
Cryptography - A Brief Historyprasenjeetd
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Rishabh Upadhyay
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityChris Sistrunk
 
Security on Cloud Computing
Security on Cloud Computing Security on Cloud Computing
Security on Cloud Computing Reza Pahlava
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Network Security and Firewall
Network Security and FirewallNetwork Security and Firewall
Network Security and FirewallShafeeqaFarsana
 
MISP EcoSystem - Threat Intelligence, VMRay, MISP
MISP EcoSystem - Threat Intelligence, VMRay, MISPMISP EcoSystem - Threat Intelligence, VMRay, MISP
MISP EcoSystem - Threat Intelligence, VMRay, MISPKoen Van Impe
 

Was ist angesagt? (20)

BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
 
Industrial_Cyber_Security
Industrial_Cyber_SecurityIndustrial_Cyber_Security
Industrial_Cyber_Security
 
ICS security
ICS securityICS security
ICS security
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security Controls
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale fun
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA security
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
Transport layer security.ppt
Transport layer security.pptTransport layer security.ppt
Transport layer security.ppt
 
Cryptography - A Brief History
Cryptography - A Brief HistoryCryptography - A Brief History
Cryptography - A Brief History
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
Security on Cloud Computing
Security on Cloud Computing Security on Cloud Computing
Security on Cloud Computing
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
Network Security and Firewall
Network Security and FirewallNetwork Security and Firewall
Network Security and Firewall
 
MISP EcoSystem - Threat Intelligence, VMRay, MISP
MISP EcoSystem - Threat Intelligence, VMRay, MISPMISP EcoSystem - Threat Intelligence, VMRay, MISP
MISP EcoSystem - Threat Intelligence, VMRay, MISP
 

Ähnlich wie SCADA deep inside: protocols and security mechanisms

Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsSlawomir Jasek
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]RootedCON
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 
idsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 networkidsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 networkAmmar WK
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayEnergySec
 
a framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypotsa framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypotsMohammad Reza Zamiri
 
CableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkCableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkChristopher Grayson
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
Feasibility of Security in Micro-Controllers
Feasibility of Security in Micro-ControllersFeasibility of Security in Micro-Controllers
Feasibility of Security in Micro-Controllersardiri
 

Ähnlich wie SCADA deep inside: protocols and security mechanisms (20)

Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
idsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 networkidsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 network
 
A2 e overview
A2 e overviewA2 e overview
A2 e overview
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles Away
 
a framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypotsa framework for fingerprinting ICS honeypots
a framework for fingerprinting ICS honeypots
 
CableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkCableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home Network
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
Feasibility of Security in Micro-Controllers
Feasibility of Security in Micro-ControllersFeasibility of Security in Micro-Controllers
Feasibility of Security in Micro-Controllers
 

Kürzlich hochgeladen

Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...NETWAYS
 
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝soniya singh
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 

Kürzlich hochgeladen (20)

Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
 
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 

SCADA deep inside: protocols and security mechanisms

  • 1. SCADA deep inside: protocols and security mechanisms Aleksandr Timorin ! ! ! ! ! ! CONFIDENCE 2014 27-28 V 2014, Krakow
  • 2. # whoami • penetration tester at Positive Technologies • SCADA security researcher, main specialisation - industrial protocols • SCADAStrangeLove team member • speaker at PHDays, Power Of Community, Chaos Communication Congress (workshop) • @atimorin • atimorin@ptsecurity.com 2SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 3. # whoami 3SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 4. # whoami 4SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 5. • intro to scada world • current situation in ICS network security • overview of industrial protocols • well-known protocols: profinet, modbus, dnp3 • go to particular: • IEC 61850-8-1 (MMS) • IEC 61870-5-101/104 • FTE • Siemens S7 • how to analyse protocols • releases • QA 5SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # agenda
  • 6. ICS - Industrial Control System SCADA - Supervisory Control And Data Acquisition PLC - Programmable Logic Controller HMI - Human-Machine Interface RTU - Remote Telemetry Unit Sensor, Actuator ! … and much more 6SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # intro to scada world
  • 7. many many vendors in the world: • siemens • advantech • citectscada • codesys • moxa • schneider electric • rslogics • general electric • wellintech • sielco sistemi • emerson • abb • advanced micro controls • …. 7SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # intro to scada world problems in security: ! • each vendor - own protocol, technology etc. • out-of-date: don’t touch if it works! wild wild industrial world
  • 8. ! ! ! ! 8SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # current situation in ICS network security ICS NETWORK absolutely unbreakable ???
  • 9. NO, because of: ! ➡ typical network devices with default/crappy settings ➡ unpatched, old as dirt, full of junk software [malware] engineering workstations ➡ wireless AP with WEP (if the best happend) ➡ low physical security ➡ … and ➡ industrial protocols 9SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # current situation in ICS network security
  • 10. ! ! ➡ typical network devices with default/crappy settings ➡ unpatched, old as dirt, full of junk software [malware] engineering workstations ➡ wireless AP with WER (if the best happend) ➡ low physical security ➡ … and ➡ industrial protocols 10SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # current situation in ICS network security
  • 11. How protocols live in the network ? ! • full expanse • not blocked by firewalls/switches • accessible between LAN segments • works from data link layer to application layer • easy to detect • easy to intercept, analyze, reproduce and reply (but not all ! ) 11SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # current situation in ICS network security
  • 12. • modbus • profibus • profinet • dnp3 • ethernet/ip • s5/s7 (siemens protocols family) • CIP (rockwell automation) • cc-link (mitsubishi electric factory automation) • bacnet • iec 60870, iec 61850, iec 61107 • m-bus • zigbee • … iec - international electrotechnical commission 12SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # overview of industrial protocols
  • 13. • published by Modicon (now Schneider Electric) in 1979 • widely used for connecting industrial electronic devices • in XX: through rs-232/rs-485 • in XXI: modbus tcp • standard port 502/tcp 13SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # modbus
  • 14. functions: ! • data access: read/write coils, registers, file records • diagnostics: device identification • user defined functions ! ! ! tools: ! • wireshark dissector • plcscan ( https://code.google.com/p/plcscan/ ) • modbus-discover nse (by Alexander Rudakov) • modbus simulators () ! 14SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # modbus
  • 15. security ? • no authentication • no encryption • no security ! transaction id: 2 bytes protocol id: 2 bytes (always 0) length: 2 bytes unit id: 1 byte function code: 1 byte data … 15SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014 # modbus
  • 16. # dnp3 DNP3 Distributed Network Protocol • first version in 1990 • standartized by IEEE only on 2010 • mainly used in water and electric industry • master - outstation communication • tcp/udp standard port 20000 ! tools: wireshark dissector free implementation https://code.google.com/p/dnp3/ ! security ? DNP3 Secure Authentication v5. First version in 2007. Add device and user authentication Data protection 16SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 17. # dnp3 dnp3 frame: • header - 10 bytes • data - max 282 bytes ! header: • sync - 2 bytes • length -1 byte • link control - 1 byte • destination addr - 2 bytes • source addr - 2 bytes • crc - 2 bytes ! each device in network has unique address 1..65520 crc for every 16 bytes of data -> max frame len = 292 bytes work on iso/osi layers: data link layer, transport layer, application layer 17SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 18. # profinet dcp PROFINET family ! • Profinet CBA/IO/PTCP/DCP • iec 61158, iec 61784 in 2003 • Ethernet type 0x8892 • exchange data in real-time cycles • multicast discovery devices and stations ! security ? • no encryption • no authentication • no security 18SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 19. # profinet dcp PROFINET DCP - Discovery and basic Configuration Protocol 19SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 20. # profinet dcp frame types: • request 0xfefe • response 0xfeff • get/set 0xfefd ! multicast identify (scapy code): payload=‘fefe05000401000200800004ffff’.decode(‘hex’) srp(Ether(type=0x8892, src=smac, dst=’01:0e:cf:00:00:00’)/payload) ! fefe request 05 service id: identify 00 service type: request 04010002 xid (request id) 0080 delay 0004 data len ff option: all ff suboption: all 20SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 21. # profinet dcp • main interesting fields for playing is option and suboption • for example, set/get network info: opt 0x01, subopt 0x02 • led flashing: opt 0x05, subopt 0x03 ! so we can: • scan profinet supported devices and stations • change name of station • change ip, netmask, gateway • request full network info • LED flashing: PLC, HMI (simulates that smth wrong with device) • and much more 21SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 22. # profinet dcp profinet dcp scanner (raw sockets and scapy versions) ! ! ! ! ! ! ! ! ! discovering all devices (PC, PLC, HMI) in subnet ! live demo 22SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 23. # profinet dcp profinet fuzzer: fuzz options and sub options on plc siemens s7-1200 ! CVE-2014-2252 “An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system.” ! what is “specially crafted profinet packets” ? 23SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 24. # profinet dcp CVE-2014-2252 ! just “set” request: set network info with all zero values. ! ip 0.0.0.0 mask 0.0.0.0 gw 0.0.0.0 ! ! ! ! live demo 24SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 25. # iec 61850-8-1 IEC 61850-8-1 (MMS) ! ! ! ! ! MMS - Manufacturing Message Specification 25SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 26. # iec 61850-8-1 • since 1980 • ISO 9501-1, 2003 • use ISO-TSAP as transport • standard tcp port 102 ! functions: • read/write tags, variables, domains (large unstructured data, i.e. program code) • start/stop/rewrite firmware on PLC • read/write/del files and directories ! security ? • simple methods whitelist • TLS (in theory, but in practice not supported by vendors and haven’t seen before in products) ! tools: • wireshark dissector • python and nmap identify scripts • emulator, open source libs 26SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 27. # iec 61850-8-1 27SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 28. # iec 61850-8-1 ~ nmap —script mms-identify.nse —script-args=‘mms- identify.timeout=500’ -p 102 <host> 28SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 29. # iec 61870-5-101/104 IEC 61870-5-101/104 ! mainly for gathering telemetry in electricity distribution and power system automation ! huge list of functions, depends on vendors implementation: • read/write tags • upload/download files • broadcast connected devices discovery • time sync • reset process command • query log files • etc. ! security ? • no auth, no encryption • simple ip address whitelist (ip of master devices defined on slaves) 29SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 30. # iec 61870-5-101/104 IEC 61870-5-101/104 ! standard tcp port 2404 ! toolkit: • simulators: sim104, mrts-ng etc. • wireshark dissector • python and nmap identify scripts 30SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 31. # iec 61870-5-101/104 IEC 61870-5-101/104 ! 31SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 32. # iec 61870-5-101/104 ~ nmap --script iec-identify.nse --script-args='iec-identify.timeout=500' -p 2404 <host> ! 32SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 33. # FTE Fault Tolerant Ethernet by Honeywell ! Provides robust and low-cost technology for industrial networks. Each FTE-node connected twice to network, support actual route table and exchanges route table with other nodes through multicast request. ! UDP as a transport. ! Proprietary protocol. 33SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 34. # FTE ! attack vectors: • flood udp ports • send multicast packets with fake routing table ! multicast packet ———> ! headers: 0x01000810 0x01a01001 sending each second 34SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 35. # FTE 0x23 node index ! 0x433330302023303335 node name (C300 #5) ! 0x44 and 0xca bytes of some packets counter ! 0x32312032 part of firmware version full: EXP3 10.1-65.57 Sat Dec 06 20:22:33 2008 (Fri Nov 21 20:22:57 2008) 35SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 36. # Siemens ! TIA Portal (Totally Intergated Automation Portal) ! ! TIA - intellectual kernel of more than 100000 products created last 15 years. ! ! What about users, passwords and permissions? 36SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 37. # Siemens PLC read/write protection for main and critical operations: CPU start/stop/data change, project upload, firmware update, etc. 37SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 38. # Siemens TIA Portal PEData.plf passwords history ! ! ! ! ! ! ! ! ! ! passwords in sha-1 but “helpful” redbox value: password_len * 2 + 1 srsly>? for what??? 38SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 39. # Siemens After notification Siemens “strengthened” users passwords and switched to md5… ! ! ! ! TIA Portal V12 UPD 3 39SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 40. # Siemens s7 password hashes extractor ! 40SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 41. # Siemens Improve user rights ! ! ! ! ! ! ! ! ! User rights - 2 bytes after second md5 hash: 0x8001 —> 0xFFFF 41SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 42. # Siemens SCADA <-> PLC auth scheme: ! scada -> plc: auth request scada <- plc: challenge scada -> plc: response = HMAC(SHA1(password), challenge) scada <- plc: auth result ! python scripts (for 1200 and 1500 Siemens S7 PLC) for extracting all challenge-responses, export to JtR format and simple bruteforce ! want to crack password? use john the ripper! 42SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 43. # Siemens 43SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 44. # Siemens Bruteforce PLC online! ! Use powerful THC-Hydra Tested on S7-300 PLC. Should work on S7-200, S7-400 ! ! ! ~ hydra -F -V -P ./wordlist/500-worst-passwords.txt s7-300://<host> ! ! ! 44SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 45. # Siemens 45SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 46. # it’s a cookie time ! CVE-2014-2250, CVE-2014-2251 ! SSA-654382, SSA-456423 Affected devices: Siemens S7-1200 PLC Siemens S7-1500 PLC ! CVSS Base Score: 8.3 46SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 47. # it’s a cookie time ! Tested on S7-1200 CPU 1212C, firmware V 2.2.0 47SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 48. # it’s a cookie time ! PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM= ! uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM= ! Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM= ! tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM= ! ! ! ! 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143 ! b8b8875d9513cb618c823af52a682670d37fa1c30001000200028ad70a00aac800000000000000008ad72143 ! 32efef822220b6bc6ad0b569dba9e432d37fa1c30001000300028ad70a00aac800000000000000008ad72143 ! b631fabed35609f6be4191cf0ed0a729d37fa1c30002000300028ad70a00aac800000000000000008ad72143 48SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 49. # it’s a cookie time ! 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143 ! ! 3e6cd1f7bdf743cac6dcba708c21994f + d37fa1c30001000100028ad70a00aac800000000000000008ad72143 ! ! 3e6cd1f7bdf743cac6dcba708c21994f - ? d37fa1c3 - ? 0001 - ? 0001 - ? 00028ad7 - ? 0a00aac8 - ? 00000000000000008ad72143 - ? 49SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 50. # it’s a cookie time ! 3e6cd1f7bdf743cac6dcba708c21994f MD5 of ? (16 bytes) d37fa1c3 CONST (4 bytes) 0001 user logout counter (2 bytes) 0001 counter of issued cookies for this user (2 bytes) 00028ad7 value that doesn’t matter (4 bytes) 0a00aac8 user IP address (10.0.170.200) (4 bytes) 00000000000000008ad72143 value that doesn’t matter (12 bytes) ! ! ! So, what about 3e6cd1f7bdf743cac6dcba708c21994f ??? 50SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 51. # it’s a cookie time ! ! 3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143 ! ! 3e6cd1f7bdf743cac6dcba708c21994f ! ! MD5( NEXT 26 BYTES OF COOKIE + 16BYTES OF SECRET + 2 NULL BYTES) ! ! What is SECRET ? 51SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 52. # it’s a cookie time ! SECRET generates after PLC start by ~PRNG. ! PRNG is a little bit harder than standard C PRNG. ! SEED in {0x0000 , 0xFFFF} ! ! ! It’s too much for bruteforce (PLC so tender >_<) 52SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 53. # it’s a cookie time ! What about SEED ? SEED very often depends on time value ! SEED = PLC START TIME + 320 ! 320 by practical way: secret generates after ~ 3-4 seconds of PLC start using current time ! ! How to obtain PLC START TIME ? ! ! ! PLC START TIME = CURRENT TIME – UPTIME 53SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 54. # it’s a cookie time ! ! ! Current time via web interface ! ! ! ! Uptime via SNMP with hardcoded read community string “public” 54SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 55. # it’s a cookie time ! ! ! ! * 100 - calculation lapse ! ! To generate cookie we should brute: • logout number (2 bytes, max 65535) • number of issued cookies (2 bytes, max 65535) • seed value (2 bytes, but max 100) ! ! Still too many values to bruteforce … 55SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 56. # it’s a cookie time ! But if user (admin) not logged out properly then after 7 logins it is not possible to login again ! We should restart PLC or wait 30 minutes (cookie expire time) ! ! ! ! ! ! ! ! We can minimize logout and issued cookies counters to 7 To generate cookie we should brute: • logout number (2 bytes, max 7) • number of issued cookies (2 bytes, max 7) • seed value (2 bytes, but max 100) 56SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 57. # it’s a cookie time ! 57SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 58. # it’s a cookie time ! Exploitation dependences: ! • >= 1 success logins to PLC after last restart • SNMP enabled ! BUT IT DOES NOT NEED LOGIN AND PASSWORD !!! ! CVE Timeline: ! • End of July 2013 – vulnerability discovered • 5 August 2013 – vendor notified • 20 March 2014 – patch released, first public advisory 58SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 59. # S7 protocol Standard port 102/TCP ! By Siemens terms it is ISO-on-TCP (RFC 1006) based communication protocol 59SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 60. # S7 protocol Materials: ! • “Exploiting Siemens Simatic S7 PLCs” by Dillon Beresford • wireshark dissector • libnodave - free communication library • snap7 - open source communication suite • plcscan 60SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 61. # S7 protocol • based on iso-tcp -> block oriented protocol ! • block - PDU (Protocol Data Unit) ! • functions and commands oriented -> each frame contains function request or reply to it ! S7 commands: • plc start/stop cpu • firmware update • read/write data (blocks, tags) • system info • authentication • etc… 61SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 62. # S7 protocol History of S7: • S5 Communication (FETCH/WRITE, Sinec H1) • S7 Communication • “Another” S7 Communication ! Simply “another” S7 looks like: ! ! TCP : HEADER | ISO TCP ! ISO TCP: TPKT | COTP | S7 PDU 62SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 63. # S7 protocol • For old versions: wireshark dissectors, libraries, simulators. ! • Because we know all about that versions of protocol. ! • But we know next to nothing about “another” S7. ! Challenge accepted ! 63SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 64. # How to analyse protocols? ! ! 64SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 65. # How to analyse protocols? How to analyze protocols ? ! this guy should now -> ! Rob Savoye, FOSDEM 2009 “Reverse engineering of proprietary protocols, tools and techniques” ! “Believe it or not, if you stare at the hex dumps long enough, you start to see the patterns” ! ! ! *demo 65SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 66. # How to analyse protocols? ! ! 66SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 67. # How to analyse protocols? show_byte_sequences.py ! 67SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 68. # How to analyse protocols? s7-show-payloads.py 68SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 69. # How to analyse protocols? s7-packet-structure.py 69SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 70. # How to analyse protocols? Use your knowledge about protocols: ! • it’s a universal and complex approach • you can: • detect devices and their protocols • monitor state, commands, exchanging data • inject, modify, reply packets in real-time ! ! Because most of them INSECURE BY DESIGN ! real example? 70SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 71. # How to analyse protocols? Energetic turbine ! ! ! ! ! ! ! ! ! Simple UDP packet that set “speed” of turbine to 57 (min=0, max=100) 71SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 72. # How to analyse protocols? What will happen if you send another packet, another value? ! 72SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 73. # How to analyse protocols? Yes, you’re right ! 73SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 74. # outro all scripts, tools -> https://github.com/atimorin/scada-tools ! pcaps -> a little bit later after some cleaning ! ! ! ! QA ? 74SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014
  • 75. # outro Thank you! ! @atimorin atimorin@ptsecurity.com ! greetz to: @scadasl @repdet @GiftsUngiven Dmitry Sklyarov 75SCADA deep inside: protocols and security mechanisms CONFIDENCE 2014