SCADA Security
SCADA Security | Ahmed Sherif 2014
Agenda
Industrial Control Systems
● What is it?
PLC
● Definitions
● How does it work?
SCADA
● Definitions
● How does it work?
Agenda
● Some Incidents 
● Stuxnet VS PLC 
● Security Best Practices 
Industrial Control Systems
● Industrial control system (ICS) is a general term that 
encompasses several types of control systems used 
in industrial production, including supervisory control 
and data acquisition (SCADA) systems, distributed 
control systems (DCS), and other smaller control 
system configurations such as programmable logic 
controllers (PLC) often found in the industrial sectors 
and critical infrastructures. 
PLC
● A Programmable Logic Controller, PLC or 
Programmable Controller is a digital computer 
used for automation of typically industrial 
electromechanical processes, such as control 
of machinery on factory assembly lines, 
amusement rides, or light fixtures. PLCs are 
used in many industries and machines 
PLC – How Does it Work?
1. A computer is connected to the PLC unit through Ethernet, RS-232, RS-485 or RS-422 cabling.
2. The programming software allows entry and editing of the ladder-style logic.
3. The program is transferred from the personal computer to the PLC through a programming board which writes the program into a removable chip such as an EEPROM.
4. The program can then be run and executed.
PLC – Simulation 
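The four steps above describe how a ladder program gets onto the PLC; the block below shows what the controller then does with it. It is an added example, not code from the slides or from any PLC vendor: a minimal scan-cycle simulator in Python that reads an input image, solves the rungs top to bottom and writes the output image, using the classic start/stop seal-in motor circuit as the program. The tag names (Start, Stop, Overload, Motor, RunLamp) and the input sequence are invented for the demonstration.

```python
from dataclasses import dataclass, field

# Added example: a minimal PLC scan-cycle simulator. Tag names and the
# start/stop program are invented for the demonstration.


@dataclass
class PLCState:
    inputs: dict = field(default_factory=dict)    # input image table
    outputs: dict = field(default_factory=dict)   # output image table


# A rung is a plain function over the image tables that returns the new
# state of the coil it drives. Ladder "contacts" become boolean terms.
def rung_motor(s):
    # Start/stop seal-in: (Start OR Motor) AND NOT Stop AND NOT Overload.
    # The Motor term reads the coil's own previous state, which holds the
    # motor on after the Start button is released.
    return (s.inputs["Start"] or s.outputs["Motor"]) \
        and not s.inputs["Stop"] and not s.inputs["Overload"]


def rung_run_lamp(s):
    # The lamp mirrors the Motor coil solved on the rung above in this same scan.
    return s.outputs["Motor"]


# Program = ordered list of (coil driven, rung); order matters, as in ladder.
PROGRAM = [("Motor", rung_motor), ("RunLamp", rung_run_lamp)]


def scan_cycle(state, program, field_inputs):
    """One PLC scan: read inputs, solve rungs top to bottom, write outputs."""
    state.inputs.update(field_inputs)            # 1. input scan
    for coil, rung in program:                   # 2. program scan
        state.outputs[coil] = bool(rung(state))
    return dict(state.outputs)                   # 3. output scan (snapshot)


def run_sequence(program, input_frames):
    """Run successive scans over a sequence of field-input snapshots."""
    state = PLCState(outputs={coil: False for coil, _ in program})
    return [scan_cycle(state, program, frame) for frame in input_frames]


# Constructed input sequence: idle, press Start, release Start, press Stop, idle.
SAMPLE_INPUTS = [
    {"Start": False, "Stop": False, "Overload": False},
    {"Start": True,  "Stop": False, "Overload": False},
    {"Start": False, "Stop": False, "Overload": False},
    {"Start": False, "Stop": True,  "Overload": False},
    {"Start": False, "Stop": False, "Overload": False},
]


def motor_trace(input_frames=SAMPLE_INPUTS):
    """Motor coil state after each scan; expected [False, True, True, False, False]."""
    return [scan["Motor"] for scan in run_sequence(PROGRAM, input_frames)]


if __name__ == "__main__":
    for frame, scan in zip(SAMPLE_INPUTS, run_sequence(PROGRAM, SAMPLE_INPUTS)):
        print(frame, "->", scan)
```

The rung functions are the program that the engineering workstation downloads in step 3; whatever logic sits there is what the plant does, which is why the later slides on Stuxnet injecting code into PLCs matter. Note that rung order is part of the program's meaning: swapping the two rungs would make the lamp lag the motor by one scan.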
SCADA
SCADA is ....
● Supervisory Control and Data Acquisition
● Industrial Control Systems (ICS), commonly referred to as SCADA, underlie much of the infrastructure that makes everyday life possible in the modern world.
SCADA
SCADA is used for ....
● Power grids
● Pipelines
● Interconnected sensors and controls under central management
● Chemical plants, power plants, manufacturing facilities
● Traffic signals
How Does SCADA Work?
Physical measurement/control endpoints:
● RTU, PLC
● Measure voltage, adjust valve, flip switch
Intermediate processing
● Usually based on commonly used OSes
● *nix, Windows, VMS
Communication infrastructure
● Serial, Internet, Wi-Fi
● Modbus, DNP3, OPC, ICCP
Components of a SCADA network
● RTU / PLC – Reads information on voltage, flow, the status of switches or valves. Controls pumps, switches, valves
● MTU – Master Terminal Unit – Processes data to send to HMI
● HMI – Human Machine Interface – GUI, Windows – Information traditionally presented in the form of a mimic diagram
● Communication network – LAN, wireless, fiber etc
Protocols of a SCADA Network
Raw Data Protocols – Modbus / DNP3
● For serial radio links mainly, but you can run anything over anything these days, especially TCP/IP (for better or worse)
● Reads data (measures voltage / fluid flow etc)
● Sends commands (flips switches, starts pumps) / alerts (it's broken!)
High Level Data Protocols – ICCP / OPC
● Designed to send data / commands between apps / databases
● Provides info for humans
● These protocols often bridge between office and control networks
Testing SCADA Networks
Script Kiddies vs SCADA
Sometimes it doesn't require high skills because ...
● Tenable has released 32 plug-ins for Nessus which specifically test SCADA devices
● Core Impact and Metasploit now include SCADA hacks (since August 2008)
SCADA (in)security
Lack of Authentication
● I don't mean lack of strong authentication. I mean NO AUTH!!
● There's no "users" on an automated system
● OPC on Windows requires anonymous login rights for DCOM (XP SP2 breaks SCADA because anonymous DCOM is off by default)
● Normal policies regarding user management, password rotation etc do not apply
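Both the protocol slide and the "Lack of Authentication" slide above come down to one fact: a Modbus/TCP frame carries a transaction id, a unit id and a function code, and nothing that identifies or authenticates the sender. The Python below is an added example, not code from the slides: it builds and parses Modbus/TCP request frames with the standard library, then runs a simple allow-list check over a constructed sample of (source IP, frame) pairs, flagging write function codes from any host that is not an approved HMI. The addresses 10.0.10.5 and 10.0.99.77, the coil address and the register counts are invented for the demonstration.

```python
import struct
from dataclasses import dataclass

# Added example. Modbus/TCP request = 7-byte MBAP header + PDU.
#   MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1)
#   PDU : function code (1) + data
# Nothing in the frame identifies or authenticates the sender.
MBAP = struct.Struct(">HHHB")
PDU_FIXED = struct.Struct(">BHH")  # function, start address, quantity/value

READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                   WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}
COIL_ON, COIL_OFF = 0xFF00, 0x0000  # encodings used by function 0x05


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    value: int  # quantity for reads and multi-writes, value for single writes


def build_request(transaction_id, unit_id, function, address, value):
    """Encode a request with a fixed 5-byte PDU (reads and single writes)."""
    pdu = PDU_FIXED.pack(function, address, value)
    # MBAP length counts the unit id byte plus the PDU
    header = MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id)
    return header + pdu


def parse_request(frame):
    """Decode the MBAP header and the leading function/address/value of the PDU."""
    if len(frame) < MBAP.size + PDU_FIXED.size:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function, address, value = PDU_FIXED.unpack_from(frame, MBAP.size)
    return ModbusRequest(tid, unit, function, address, value)


def is_valid_frame(frame):
    try:
        parse_request(frame)
        return True
    except ValueError:
        return False


def flag_unauthorized_writes(traffic, allowed_writers):
    """traffic: iterable of (src_ip, raw_frame). Return (src_ip, request) for
    every write function code sent by a host outside allowed_writers."""
    alerts = []
    for src, raw in traffic:
        if not is_valid_frame(raw):
            continue  # malformed; a real monitor would count these separately
        req = parse_request(raw)
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, req))
    return alerts


# Constructed sample: the HMI polls and starts a pump; an unknown host stops it.
HMI_HOSTS = {"10.0.10.5"}
SAMPLE_TRAFFIC = [
    ("10.0.10.5",  build_request(1, 1, READ_HOLDING_REGISTERS, 0x0000, 10)),
    ("10.0.10.5",  build_request(2, 1, WRITE_SINGLE_COIL, 0x0003, COIL_ON)),
    ("10.0.99.77", build_request(3, 1, WRITE_SINGLE_COIL, 0x0003, COIL_OFF)),
    ("10.0.99.77", build_request(4, 1, READ_COILS, 0x0000, 8)),
]


def demo():
    return flag_unauthorized_writes(SAMPLE_TRAFFIC, HMI_HOSTS)


if __name__ == "__main__":
    for src, req in demo():
        print(f"ALERT write fc=0x{req.function:02x} addr={req.address} "
              f"value=0x{req.value:04x} from {src}")
```

The allow-list is what a monitor on the control network can enforce because the protocol cannot: read polls are routine, but a write to a coil from a host that is not the HMI is the event to alert on. The parser only decodes the fixed leading bytes of the PDU, so for the multi-write functions (0x0F/0x10) `value` is the quantity rather than the data; Modbus over serial has a CRC trailer instead of the MBAP header and would need its own framing.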
SCADA (in)security
Can't Patch, Won't Patch
● SCADA systems traditionally aren't patched
● Install the system, replace the system a decade later
● Effects of patching a system can be worse than the effects of compromise?
● Very large vulnerability window
Incidents!!
● In 2000, in Queensland, Australia, Vitek Boden released millions of liters of untreated sewage into fresh water streams using a wireless laptop.
● In January 2003, Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours.
● In 2003, the east coast of America experienced a blackout. While the Blaster worm was not the cause, many related systems were found to be infected.
● In 1997, a teenager broke into NYNEX and cut off Worcester Airport in Massachusetts for 6 hours by affecting ground and air communications.
The Nightmare .. Stuxnet
Targets SCADA networks
● Siemens SIMATIC WinCC specifically.
Uses rootkit technology to hide itself
● Classic Windows rootkit
● PLC rootkit
Spreads via USB sticks and network shares
● Uses 4 zero-day vulnerabilities
The Nightmare .. Stuxnet
Malicious payload signed with stolen digital certificates
● Realtek and JMicron.
Infected machines become part of the Stuxnet botnet
● Can steal code, documents, project designs.
● Can inject and hide code into PLCs – modifying production processes.
Stuxnet .. Deeper Look
● Main Dropper
This section contains the main Stuxnet DLL file, and this DLL contains all of Stuxnet's functions, mechanisms, files and rootkits.
Stuxnet .. Deeper Look
● After finding this section, it loads the Stuxnet DLL file in a special way.
1. Escalating the Privileges and Injecting Into a New Process.
● It checks if the configuration data is correct and recent and then it checks the admin rights. If it's not running at administrator level, it uses one of two zero-day vulnerabilities to escalate privileges and run at administrator level.
● CVE-2010-2743 (MS10-073) – Win32k.sys Keyboard Layout Vulnerability
● CVE-xxxx-xxxx (MS-xx-xxx) – Windows Task Scheduler Vulnerability
● These two vulnerabilities allow the worm to escalate privileges and run in a new process ("csrss.exe" in the Win32k.sys case) or as a new task in the Task Scheduler case
Stuxnet .. Deeper Look
1. Escalating the Privileges and Injecting Into a New Process.
After everything goes right and the environment is prepared to be infected by Stuxnet, it injects itself into another process to install itself from that process.
The injection begins by searching for an antivirus application installed on the machine. Depending on the antivirus application (AVP, McAfee, etc.), Stuxnet chooses the process to inject itself into. If there's no antivirus program it chooses "lsass.exe".
Stuxnet .. Deeper Look
2. Installing Stuxnet into the Infected Machine.
Function #16 begins by checking the configuration data to be sure that everything is ready to begin the installation. It also checks if there's a value in the registry with the name "NTVDM TRACE" in
SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
and then checks if this value equals "19790509".
This special number looks like a date, "May 9, 1979", and this date has a historical meaning (by Wikipedia): "Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community"
Stuxnet .. Deeper Look
3. The USB Drives Infection
For infecting USB flash memory, Stuxnet creates a new hidden window "AFX64c313" and gets notified of any new USB flash memory inserted into the computer by waiting for the "WM_DEVICECHANGE" Windows message.
● After getting notified of a new drive added to the computer (USB flash memory), Stuxnet writes 6 files onto the flash memory drive:
● Copy of Shortcut to.lnk
● Copy of Copy of Shortcut to.lnk
● Copy of Copy of Copy of Shortcut to.lnk
● Copy of Copy of Copy of Copy of Shortcut to.lnk
● And 2 executable files (DLL files):
● ~WTR4141.tmp
● ~WTR4132.tmp
These malformed shortcut files use a vulnerability in Windows Shell named:
● CVE-2010-2568 (MS10-046) – Windows Shell LNK Vulnerability
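The registry marker on the "Installing Stuxnet" slide and the six drop files on the USB slide are the concrete artifacts a responder can look for. The Python below is an added example, not code from the slides or from any published Stuxnet analysis: it lists the drop-file names found in the root of a mounted removable drive, checks a registry value against the 19790509 marker (the registry read itself only runs on Windows, via winreg, and returns None elsewhere), and builds a constructed temp-directory fixture standing in for a USB root so the scan can be exercised offline. The fixture's non-Stuxnet file names (report.docx, photo.jpg) are invented.

```python
import os
import sys
import tempfile

# Added example: host/USB indicators taken from the slides above.
# File names Stuxnet drops into the root of a removable drive.
STUXNET_LNK_NAMES = {
    "Copy of Shortcut to.lnk",
    "Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Copy of Shortcut to.lnk",
}
STUXNET_TMP_NAMES = {"~WTR4141.tmp", "~WTR4132.tmp"}
STUXNET_DROP_FILES = STUXNET_LNK_NAMES | STUXNET_TMP_NAMES

# "Already infected" marker: DWORD value "NTVDM TRACE" == 19790509 (1979-05-09)
STUXNET_MARKER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation"
STUXNET_MARKER_NAME = "NTVDM TRACE"
STUXNET_MARKER_VALUE = 19790509


def scan_drive_root(root):
    """Return the set of Stuxnet drop-file names present in the root of `root`.
    Only the root is checked, because that is where the worm writes them."""
    try:
        names = set(os.listdir(root))
    except OSError:
        return set()  # not mounted / not readable: nothing to report
    return names & STUXNET_DROP_FILES


def is_infection_marker(value):
    """True if a registry value equals the marker the installer looks for."""
    return value == STUXNET_MARKER_VALUE


def read_marker_from_registry():
    """Windows only: read HKLM\\...\\MS-DOS Emulation\\NTVDM TRACE.
    Returns the stored value, or None when absent or when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, STUXNET_MARKER_KEY) as key:
            value, _ = winreg.QueryValueEx(key, STUXNET_MARKER_NAME)
            return value
    except OSError:
        return None


def build_sample_drive(infected):
    """Constructed fixture: a temp directory laid out like a USB root."""
    root = tempfile.mkdtemp()
    for name in ("report.docx", "photo.jpg"):  # invented benign files
        open(os.path.join(root, name), "w").close()
    if infected:
        for name in STUXNET_DROP_FILES:
            open(os.path.join(root, name), "w").close()
    return root


def triage(root):
    """Combine both checks into one verdict dict for a drive root."""
    hits = scan_drive_root(root)
    marker = read_marker_from_registry()
    return {
        "drop_files": sorted(hits),
        "drop_files_complete": hits == STUXNET_DROP_FILES,
        "registry_marker": is_infection_marker(marker),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive(infected=True)
    print(triage(target))
```

Matching on file names is a first-pass check only: the four LNK names and the two ~WTR*.tmp DLLs can be renamed, so a real triage would also parse the LNK files for the CVE-2010-2568 exploitation pattern and hash the DLLs. The hidden window class "AFX64c313" from the same slide is another host-side indicator, but it exists only while the worm is running and is not covered here.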
Was it a success?
Security Best Practices
● Real World Scenario
Shodan & SCADA
port:161 country:US simatic
python shodan_scan.py user.list pass.list
Security Best Practices
Information Protection Guidelines:
● Create strong passwords and protect those passwords.
● Use a security token (or some other additional protection method) with a password to provide much stronger protection than a password alone.
● Take great care in what you publish on the internet and your company intranet.
● Sanitize or destroy all equipment that may contain critical information.
● Follow your company's reporting procedures if you observe any suspicious or abnormal activity.
Security Best Practices
Physical Protection Guidelines:
● Limit access to systems you're responsible for to those who have a need to know.
● Protect systems and information (use password-protected screen savers, lock office doors, lock information in cabinets, etc.) when leaving them unattended.
● When traveling, pay special attention when going through airport security. Thieves may be able to steal your laptop while you are focusing on getting through the security checkpoint.
● Never leave systems or storage media in your vehicle.
● Protect work systems and information at home at the same level or higher as you would at work.
So, Is SCADA Important?
● No ...
● Why ?! ...
Any Questions?
Input Output Management in Operating System
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvv
 
Design and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdfDesign and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdf
 
Solving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.pptSolving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.ppt
 
Research Methodology for Engineering pdf
Research Methodology for Engineering pdfResearch Methodology for Engineering pdf
Research Methodology for Engineering pdf
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the welding
 

SCADA Security Insights

• 1. SCADA Security | Ahmed Sherif 2014
• 2. Agenda
  Industrial Control Systems
  ● What is it?
  PLC
  ● Definitions
  ● How does it work?
  SCADA
  ● Definitions
  ● How does it work?
• 3. Agenda
  ● Some incidents
  ● Stuxnet vs PLC
  ● Security best practices
• 4. Industrial Control Systems
  ● Industrial control system (ICS) is a general term that encompasses several types of control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC), often found in the industrial sectors and critical infrastructures.
• 5. PLC
  ● A Programmable Logic Controller (PLC, or Programmable Controller) is a digital computer used for automation of typically industrial electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures. PLCs are used in many industries and machines.
• 6. PLC – How does it work?
  1. A computer is connected to the PLC unit through Ethernet, RS-232, RS-485 or RS-422 cabling.
  2. The programming software allows entry and editing of the ladder-style logic.
  3. The program is transferred from a personal computer to the PLC through a programming board, which writes the program into a removable chip such as an EEPROM.
  4. The program can then be run and executed.
• 7–10. PLC – How does it work? (steps 1–4 above, one per slide)
• 11. PLC – Simulation
• 12. SCADA is ....
  Industrial Control Systems (ICS), commonly referred to as SCADA, underlie much of the infrastructure that makes everyday life possible in the modern world.
• 13. SCADA is ....
  ● Industrial Control Systems (ICS), commonly referred to as SCADA, underlie much of the infrastructure that makes everyday life possible in the modern world.
  ● Supervisory Control and Data Acquisition
• 14. SCADA is used for .... Power grids
• 15. SCADA is used for .... Pipelines
• 16. SCADA is used for .... Inter-connected sensors and controls under central management
• 17. SCADA is used for .... Chemical plant, power plant, manufacturing facility
• 18. SCADA is used for .... Inter-connected sensors and controls under central management
• 19. SCADA is used for .... Traffic signals
• 20. How does SCADA work?
  Physical measurement/control endpoints:
  ● RTU, PLC
  ● Measure voltage, adjust valve, flip switch
  Intermediate processing:
  ● Usually based on commonly used OSes
  ● *nix, Windows, VMS
• 21. How does SCADA work?
  Communication infrastructure:
  ● Serial, Internet, Wi-Fi
  ● Modbus, DNP3, OPC, ICCP
• 22. (image-only slide)
• 23. Components of a SCADA network
  ● RTU / PLC – reads information on voltage, flow, the status of switches or valves; controls pumps, switches, valves
  ● MTU – Master Terminal Unit – processes data to send to the HMI
  ● HMI – Human Machine Interface – GUI, Windows – information traditionally presented in the form of a mimic diagram
  ● Communication network – LAN, wireless, fiber, etc.
• 24. Protocols of a SCADA network
  Raw data protocols – Modbus / DNP3
  ● For serial radio links mainly, but you can run anything over anything these days, especially TCP/IP (for better or worse)
  ● Read data (measure voltage / fluid flow, etc.)
  ● Send commands (flip switches, start pumps) / alerts (it's broken!)
  High-level data protocols – ICCP / OPC
  ● Designed to send data / commands between apps / databases
  ● Provide info for humans
  ● These protocols often bridge between office and control networks
• 25. Testing SCADA networks
• 26. Script kiddies vs SCADA
  Sometimes it doesn't require high skills, because ...
  ● Tenable has released 32 plug-ins for Nessus which specifically test SCADA devices
  ● Core Impact and Metasploit now include SCADA hacks (since August 2008)
• 27. SCADA (in)security – Lack of authentication
  ● I don't mean lack of strong authentication. I mean NO AUTH!!
  ● There are no "users" on an automated system
  ● OPC on Windows requires anonymous login rights for DCOM (XP SP2 breaks SCADA because anonymous DCOM is off by default)
  ● Normal policies regarding user management, password rotation, etc. do not apply
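Because the raw protocols on slide 24 carry no authentication at all (slide 27), the control that is actually available is to watch the control network for write commands from hosts that should never issue them. The Python below is an added example, not from the deck: it parses Modbus/TCP frames, checks the MBAP header, and alerts on write function codes from any source outside a hypothetical allowlist; the addresses and frames are constructed.

```python
import struct
from dataclasses import dataclass

# Function codes that change process state (coils/registers), per the Modbus spec.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Hypothetical allowlist: only the engineering station is expected to write to PLCs.
WRITE_ALLOWLIST = {"10.0.1.10"}


@dataclass
class ModbusADU:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusADU:
    """Parse MBAP header + PDU from one TCP payload; raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # MBAP length counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusADU(tid, unit, payload[7], payload[8:])


def check_frame(src_ip: str, payload: bytes):
    """Return an alert string for a write from a non-allowlisted host, else None."""
    adu = parse_modbus_tcp(payload)
    name = WRITE_FUNCTIONS.get(adu.function)
    if name is None or src_ip in WRITE_ALLOWLIST:
        return None
    # Every write PDU starts with the 16-bit target address.
    addr = struct.unpack(">H", adu.data[:2])[0] if len(adu.data) >= 2 else -1
    return (f"ALERT: {src_ip} sent {name} (0x{adu.function:02X}) "
            f"to unit {adu.unit_id} address {addr}")


# Constructed sample traffic: (source IP, raw Modbus/TCP payload).
SAMPLE_TRAFFIC = [
    ("10.0.1.20", bytes.fromhex("000100000006" "01" "03" "0000" "0002")),     # HMI read
    ("10.0.1.10", bytes.fromhex("000200000006" "01" "06" "0010" "1234")),     # allowed write
    ("192.168.77.5", bytes.fromhex("000300000006" "01" "05" "0003" "FF00")),  # rogue coil write
]


def scan(traffic=SAMPLE_TRAFFIC) -> list:
    """Run every frame through check_frame and collect the alerts."""
    return [alert for src, raw in traffic if (alert := check_frame(src, raw)) is not None]
```

On a live network the same logic would be fed from a capture on TCP port 502; the allowlist is the piece that encodes who is allowed to change process state.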
• 28. SCADA (in)security – Can't patch, won't patch
  ● SCADA systems traditionally aren't patched
  ● Install the system, replace the system a decade later
  ● Effects of patching a system can be worse than the effects of compromise?
  ● Very large vulnerability window
• 29. Incidents!!
• 30. Incidents!! In 2000, in Queensland, Australia, Vitek Boden released millions of liters of untreated sewage into fresh water streams using a wireless laptop.
• 31. Incidents!! "In August 2003 Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours."
• 32. Incidents!! In 2003, the east coast of America experienced a blackout. While the Blaster worm was not the cause, many related systems were found to be infected.
• 33. Incidents!! In 1997, a teenager broke into NYNEX and cut off Worcester Airport in Massachusetts for 6 hours by affecting ground and air communications.
• 34. The Nightmare .. Stuxnet
• 35. The Nightmare .. Stuxnet
  Targets SCADA networks
  ● Siemens Simatic WinCC specifically.
  Uses rootkit technology to hide itself
  ● Classic Windows rootkit
  ● PLC rootkit
  Spreads via USB sticks and network shares
  ● Uses 4 zero-day vulnerabilities
• 36. The Nightmare .. Stuxnet
  Malicious payload signed with stolen digital certificates
  ● Realtek and JMicron.
  Infected machines become part of the Stuxnet botnet
  ● Can steal code, documents, project designs.
  ● Can inject and hide code into PLCs – modifying production processes.
• 37. Stuxnet .. Deeper look
  ● Main dropper: this section contains the main Stuxnet DLL file, and this DLL contains all of Stuxnet's functions, mechanisms, files and rootkits.
• 38. Stuxnet .. Deeper look
  ● After finding this section, it loads the Stuxnet DLL file in a special way.
  1. Escalating the privileges and injecting into a new process.
  ● It checks whether the configuration data is correct and recent, and then it checks for admin rights. If it is not running at administrator level, it uses one of two zero-day vulnerabilities to escalate privileges and run at administrator level.
  ● CVE-2010-2743 (MS-10-073) – Win32K.sys Keyboard Layout Vulnerability
  ● CVE-xxxx-xxxx (MS-xx-xxx) – Windows Task Scheduler Vulnerability
  ● These two vulnerabilities allow the worm to escalate privileges and run in a new process ("csrss.exe" in the case of Win32K.sys) or as a new task in the Task Scheduler case.
• 39. Stuxnet .. Deeper look
  1. Escalating the privileges and injecting into a new process.
  After everything goes right and the environment is prepared to be infected by Stuxnet, it injects itself into another process to install itself from that process. The injection begins by searching for an antivirus application installed on the machine. Depending on the antivirus application (AVP, McAfee, or what?), Stuxnet chooses the process to inject itself into. If there is no antivirus program it chooses "lsass.exe".
• 40. Stuxnet .. Deeper look
  2. Installing Stuxnet into the infected machine.
  Function #16 begins by checking the configuration data and making sure that everything is ready to begin the installation. It also checks whether there is a registry value named "NTVDM TRACE" under SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation, and then checks whether this value equals "19790509". This special number looks like a date, "May 9, 1979", and this date has a historical meaning (per Wikipedia): "Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community".
• 41. Stuxnet .. Deeper look
  3. The USB drives infection
  For infecting USB flash memory, Stuxnet creates a new hidden window "AFX64c313" and gets notified of any new USB flash memory inserted into the computer by waiting for the "WM_DEVICECHANGE" Windows message.
  ● After getting notified of a new drive added to the computer (USB flash memory), Stuxnet writes 6 files onto the flash memory drive:
  ● Copy of Shortcut to.lnk
  ● Copy of Copy of Shortcut to.lnk
  ● Copy of Copy of Copy of Shortcut to.lnk
  ● Copy of Copy of Copy of Copy of Shortcut to.lnk
  ● And 2 executable files (DLL files):
  ● ~WTR4141.tmp
  ● ~WTR4132.tmp
  These malformed shortcut files use a vulnerability in Windows Shell named:
  ● CVE-2010-2568 (MS-10-046) – Windows Shell LNK Vulnerability
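A defender-side check for the artifacts slides 40 and 41 describe: the four shortcut names and two ~WTR*.tmp files on removable media, and the "NTVDM TRACE" registry marker. This is an added example, not part of the original deck; the drive listing and registry snapshot are constructed so it runs offline, and the registry path is the slide's value with its backslashes restored.

```python
# Shortcut names Stuxnet drops: "Copy of " repeated one to four times (slide 41).
LNK_NAMES = {"Copy of " * n + "Shortcut to.lnk" for n in range(1, 5)}
# The two DLLs dropped beside them, disguised with a .tmp extension (slide 41).
TMP_NAMES = {"~WTR4141.tmp", "~WTR4132.tmp"}
# Registry value the installer inspects before proceeding (slide 40).
MARKER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation"
MARKER_NAME = "NTVDM TRACE"
MARKER_VALUE = 19790509


def scan_listing(filenames):
    """Return (lnk_hits, tmp_hits): indicator file names present in a drive listing."""
    names = {n.strip() for n in filenames}
    lnk_hits = sorted(names & LNK_NAMES)
    lowered = {t.lower() for t in TMP_NAMES}          # NTFS/FAT names are case-insensitive
    tmp_hits = sorted(n for n in names if n.lower() in lowered)
    return lnk_hits, tmp_hits


def drive_verdict(filenames):
    """Full shortcut chain plus both payload files is the strong signal; partial hits need a look."""
    lnk_hits, tmp_hits = scan_listing(filenames)
    if len(lnk_hits) == 4 and len(tmp_hits) == 2:
        return "SUSPICIOUS"
    if lnk_hits or tmp_hits:
        return "REVIEW"
    return "CLEAN"


def marker_present(registry):
    """registry is a {key: {value_name: data}} snapshot; True if the marker is set to 19790509."""
    return registry.get(MARKER_KEY, {}).get(MARKER_NAME) == MARKER_VALUE


# Constructed inputs (not real captures): one drive carrying the full set, one clean drive.
INFECTED_DRIVE = [
    "Copy of Shortcut to.lnk",
    "Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Copy of Shortcut to.lnk",
    "~WTR4141.tmp",
    "~wtr4132.TMP",
    "report.xlsx",
]
CLEAN_DRIVE = ["holiday.jpg", "notes.txt", "Shortcut to.lnk"]
# Constructed registry snapshot of a host where the marker has been set.
HOST_REGISTRY = {MARKER_KEY: {MARKER_NAME: 19790509}}
```

On a real host the listing comes from the mounted drive and the snapshot from a registry export; the verdict logic is unchanged.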
• 42. Was it a success?
• 43. Security best practices ● Real-world scenario
• 44–50. Security best practices ● Real-world scenario (image-only slides)
• 51. Shodan & SCADA
  port:161 country:US simatic
• 52. Shodan & SCADA
  Python shodan_scan.py user.list pass.list
• 53. Security best practices – Information protection guidelines:
  ● Create strong passwords and protect those passwords.
  ● Use a security token (or some other additional protection method) with a password to provide much stronger protection than a password alone.
  ● Take great care in what you publish on the internet and your company intranet.
  ● Sanitize or destroy all equipment that may contain critical information.
  ● Follow your company's reporting procedures if you observe any suspicious or abnormal activity.
• 54. Security best practices – Physical protection guidelines:
  ● Limit access to systems you're responsible for to those who have a need to know.
  ● Protect systems and information (use password-protected screen savers, lock office doors, lock information in cabinets, etc.) when leaving them unattended.
  ● When traveling, pay special attention when going through airport security. Thieves may be able to steal your laptop while you are focusing on getting through the security checkpoint.
  ● Never leave systems or storage media in your vehicle.
  ● Protect work systems and information at home at the same level or higher as you would at work.
• 55. So, is SCADA important?
  ● No ...
  ● Why?! ...
• 56. Any questions?