2. Agenda
Positive Technologies Company overview
ICS/SCADA security myths
Positive Research on SCADA Security
MaxPatrol for SCADA
Positive Services for SCADA
Questions?
4. About Positive Technologies
10+ Years of experience
300+ Employees
Offices
• London, UK
• Moscow, Russia
• Seoul, Korea
• Tunis, Tunisia
• Rome, Italy
1000+ Customers & Partners globally
Partnerships with major software vendors
5. Positive Technologies Focus
MaxPatrol - Vulnerability & Compliance Management
System
Positive Services – a unique team of experts in
practical security
Positive Research – one of the biggest research
centers in Europe
Positive Hack Days – the annual information security
international Forum
6. Positive Services
We conduct more than 20 large-scale penetration
tests each year
We perform a consistently high volume of web
application security assessments
Security assessment
• Penetration testing
• Infrastructure analysis
• Custom applications assessment
Security management processes
• KPI development
• Technical standards and compliance
• Audit & IT security risks of business processes
7. Positive Research Center
One of the biggest security research labs in Europe
• 100+ new 0-day vulnerabilities discovered per year
• Our research is used by key industry bodies
We help global IT players to secure their products
We are involved in the development of industry
standards
Our portal Securitylab.ru – a leading Eastern
European security portal
8. Positive Hack Days Forum 2012
1,500 Participants
6 Tracks
10 Workshops
8 Challenges
Hacking CTF Contest
Keynote by Bruce Schneier
12. Why should we care about SCADA security?
SCADA network is isolated and is not connected to
other networks, all the more so to Internet
MES/SCADA/PLC is based on custom platforms, and
attackers can’t hack it
HMI has limited functionality and does not allow to
mount attack
…
13. PT security assessment experience
100% of tested SCADA networks are exposed to
Internet/Corporate network
Network equipment/firewalls misconfiguration
MES/OPC/ERP integration gateways
HMI external devices (Phones/Modems/USB Flash) abuse
VPN/Dialup remote access
90% of tested SCADA can be hacked with Metasploit
Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)
Standard protocols (RCP, CIFS/SMB, Telnet, HTTP…)
Standard bugs (patch management, passwords, firewalling,
application vulnerabilities)
14. PT security assessment experience
70% of HMI/Engineering stations are also used as
desktops
Kiosk mode bypass
(Secret) Internet access
games/”keygens”/trojans and other useful software
Overall SCADA security level = Internet security in
the beginning of XXI century
VS
16. Activities in 2012
SCADA Security in Numbers – research on
ICS/SCADA attack surface
SCADA applications security assessment – deep
analysis of different automation systems
Security Hardening guides development – security
configuration guides and benchmark checklists for
SCADA
Community collaboration
17. SCADA Security in Numbers
Deep technical analysis of ICS/SCADA attack surface
(2005 – August 2012)
Statistics of Vulnerabilities and Exploits
• Vulnerabilities in PLC/SACDA/MES systems
• Risks and exploits
• Vulnerability management effectiveness
• Attack vectors and impact
SCADA in the Internet
• Analysis of SCADA systems exposed to the Internet
• Distribution by vendor
• Security level
23. SCADA applications security assessment
Deep technical analysis of different automation
systems
• Siemens automation solutions
SIMATIC WINCC
S7 PLCs
TIA Portal
• Wonderware InTouch
• …
Methodologies
• BlackBox Penetration testing/fuzzing
• Web Application code review
• Firmware reversing and static analysis
• Forensic analysis
24. SCADA applications security assessment: Results
>50 vulnerabilities detected
• Client-side (XSS, CSRF etc)
• SQL/XPath injections
• Arbitrary file reading
• Username/passwords disclosure
• Weak encryption
• Hardcoded crypto keys
• …
Results
• Partially fixed by vendors
• Assessment and fixing roadmap with Siemens Product CERT
50 is a quarter of currently known SCADA
vulnerabilities!
25. Security Hardening guides development
Technical guides for built-in and external security
features
Useful for configuration management and security
assessment
First public release - Siemens SIMATIC WinCC
• To be:
• TIA Portal
• HMI Kiosk Mode
• Intouch
28. MaxPatrol in Figures
checks of known vulnerabilities
systems to work across
configuration parameters
new 0-day vulnerabilities per year
30,000+
1,000+
5,000+
100+
31. Our approach
Defense in Depth strategy
Network Layer
OS and DBMS
SCADA/HMI/PLCs
MES/ERP
Compliance management support
32. Network Layer
Vulnerabilities checks of different platforms
• Cisco, Juniper, Check Point, Arbor, Huawei, Nortel, Alcatel
Configuration analysis
• Authentication checks
• ACLs analysis
• Special checks of industrial protocols configuration (Cisco
Connected Grid, etc)
33. OS and DBMS
Exhaustive vulnerability and configuration analysis
Operating Systems: Windows, Mac OS X, Linux, IBM AIX, HP-
UX and Oracle Solaris
Databases: Microsoft SQL, Oracle, IBM DB2, PostgreSQL,
MySQL and Sybase
Offline USB/CD Scanner
• Useful for HMI/SCADA audits
• Not require network connections
• Full-featured reporting with MaxPatrol Server
34. SCADA/HMI/PLC
Support of automation protocols
• ModBus/S7/DNP3/OPC
Vulnerabilities checks of PLC/SCADA/MES
Predefined (Safe mode) assessment for SCADA
Configuration check of SCADA
HMI Kiosk mode checks
Mobile/Wireless/Internet access
Software whitelist/blacklist
Antivirus/HIPS checks
35. MES/ERP
Best among vulnerability and compliance
assessment of ERP system
Support of SAP Netweaver and Oracle EBS
• Complete analysis on OS/DBMS/Application levels
• Black box and White box vulnerability checks
• SAP Notes and OEBS patches checks
• Configuration analysis
• SAP Security Guide compliances
36. NERC Critical Infrastructure Protection Compliance
CIP-002-1: Critical Cyber Asset Identification
• Hardware and software discovery, network and
system asset inventory
CIP-003-1: Security Management Controls
• Built-in configuration compliance checklists,
automated vulnerability assessment
CIP-005-1 Electronic Security Perimeter(s)
• Control network security via network scan
configuration checks
37. NERC Critical Infrastructure Protection Compliance
CIP-007-1 Systems Security Management
• Automated assessment of security controls
(antivirus, SIEM, Firewall, etc.)
CIP-008-1 Incident Reporting and Response
Planning
• Control of risky configurations and compromise
detection
40. Positive Services
ICS Infrastructure Security Audit
Complex assessment of technical and
organizational security means. From PLC to
ERP. From Pentest to Checklists.
SCADA application security assessment
Deep technical inspection of SCADA security
on Network/OS/Database and Application
levels.
Security policy and configuration checklist
development
Vulnerability and compliance management
process implementation
41. Resume
Positive Technologies approach
Research: to understand vulnerabilities and to find
new
Audit: to discover risks and select
countermeasures
Automate: vulnerability and compliance
management with MaxPatrol
Control: security process efficiency
Consolidate: vendors, researchers and customers
to create safe ICS/SCADA infrastructure and
solutions