3. Agenda
● Some Incidents
● Stuxnet VS PLC
● Security Best Practices
SCADA Security | Ahmed Sherif 2014
4. Industrial Control Systems
● Industrial control system (ICS) is a general term that encompasses several types of
control systems used in industrial production, including supervisory control and data
acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control
system configurations such as programmable logic controllers (PLC), often found in the
industrial sectors and critical infrastructures.
5. PLC
● A Programmable Logic Controller (PLC, or Programmable Controller) is a digital computer
used for the automation of typically industrial electromechanical processes, such as
control of machinery on factory assembly lines, amusement rides, or light fixtures. PLCs
are used in many industries and machines.
6. PLC – How Does it Work?
1. A computer is connected to the PLC unit through Ethernet, RS-232, RS-485 or RS-422
cabling.
2. The programming software allows entry and editing of the ladder-style logic.
3. The program is transferred from the personal computer to the PLC, through a
programming board which writes the program into a removable chip such as an EEPROM.
4. The program can then be run and executed.
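The four steps above (connect, write the ladder logic, transfer it, run it), as an added example that is not part of the original slides: a constructed minimal ladder-logic interpreter in Python that executes a rung table the way a PLC scan cycle does (read the inputs, solve the rungs top to bottom, write the outputs). The tank-pump program, the input sequence and every name in the block (`Ladder`, `remove_contact`, `PUMP_PROGRAM`, `run`) are assumptions made for this example; a real PLC receives its program in the vendor's own download format, not as Python lists. The `remove_contact` tamper at the end previews the later Stuxnet point: whoever can rewrite the program can silently drop an interlock while the HMI still shows a healthy plant.

```python
# Added example (not from the slides): a toy ladder-logic interpreter with a PLC-style scan cycle.
# A program is a list of rungs; each rung is (paths, coil). The paths are parallel branches and
# each path is a series of contacts: "X" is a normally-open contact on bit X, "/X" normally-closed.

class Ladder:
    def __init__(self, program):
        # "Transferring the program" is just loading the rung table into the controller.
        self.program = program
        self.bits = {}   # process image: inputs, internal bits and coils share one table

    def _contact(self, ref):
        state = self.bits.get(ref.lstrip("/"), False)
        return (not state) if ref.startswith("/") else state

    def scan(self, inputs):
        """One scan cycle: copy the inputs in, solve every rung in order, return the output image."""
        self.bits.update(inputs)
        for paths, coil in self.program:
            # parallel paths are ORed, contacts along one path are ANDed
            self.bits[coil] = any(all(self._contact(c) for c in path) for path in paths)
        return {coil: self.bits[coil] for _, coil in self.program}


def remove_contact(program, contact):
    """Return a copy of a program with one contact stripped from every path (the tamper case)."""
    return [([[c for c in path if c != contact] for path in paths], coil)
            for paths, coil in program]


# Constructed tank-pump program: Start seals the pump in until Stop or HighLevel opens the rung.
PUMP_PROGRAM = [
    ([["Start", "/Stop", "/HighLevel"],
      ["Pump",  "/Stop", "/HighLevel"]], "Pump"),   # seal-in through the Pump coil's own contact
    ([["HighLevel"]], "Alarm"),                      # alarm lamp when the tank is full
]


def run(program, steps):
    """Feed a sequence of input snapshots through successive scans; return the output images."""
    plc = Ladder(program)
    return [plc.scan(snapshot) for snapshot in steps]


# Constructed input sequence, one snapshot per scan.
SEQUENCE = [
    {"Start": True,  "Stop": False, "HighLevel": False},  # operator presses Start
    {"Start": False, "Stop": False, "HighLevel": False},  # releases it: pump stays sealed in
    {"Start": False, "Stop": False, "HighLevel": True},   # tank full: interlock trips the pump
    {"Start": False, "Stop": False, "HighLevel": False},  # level drops: latch is gone, pump stays off
]

if __name__ == "__main__":
    for image in run(PUMP_PROGRAM, SEQUENCE):
        print(image)
    # The same inputs against a program whose HighLevel interlock has been stripped out:
    print("tampered, scan 3:", run(remove_contact(PUMP_PROGRAM, "/HighLevel"), SEQUENCE)[2])
```

With the original program the third scan drops the pump and raises the alarm; with the interlock contact removed the alarm still lights but the pump keeps running, which is exactly the kind of change an operator cannot see from the input and output LEDs alone.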
12. SCADA
SCADA is ....
● Supervisory Control and Data Acquisition
● Industrial Control Systems (ICS), commonly referred to as SCADA, underlie much of the
infrastructure that makes everyday life possible in the modern world.
14. SCADA
SCADA is used for ....
● Power grids
23. Components of a SCADA network
● RTU / PLC – reads information on voltage, flow, the status of switches or valves;
controls pumps, switches, valves
● MTU – Master Terminal Unit – processes data to send to the HMI
● HMI – Human Machine Interface – GUI, Windows; information traditionally presented
in the form of a mimic diagram
● Communication network – LAN, wireless, fiber, etc.
24. Protocols of a SCADA Network
Raw Data Protocols – Modbus / DNP3
● For serial radio links mainly, but you can run anything over anything these days,
especially TCP/IP (for better or worse)
● Read data (measure voltage, fluid flow, etc.)
● Send commands (flip switches, start pumps) and alerts ("it's broken!")
High Level Data Protocols – ICCP / OPC
● Designed to send data and commands between applications and databases
● Provide information for humans
● These protocols often bridge between office and control networks
27. SCADA (in)security
Lack of Authentication
● I don't mean lack of strong authentication. I mean NO AUTH!!
● There are no "users" on an automated system
● OPC on Windows requires anonymous login rights for DCOM (XP SP2 breaks SCADA
because anonymous DCOM is off by default)
● Normal policies regarding user management, password rotation, etc. do not apply
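The "no auth" point above, shown on the wire for the Modbus protocol from the previous slide, as an added example that is not from the original slides: a small Modbus/TCP encoder and decoder in Python (standard library only) plus `PlcSim`, a constructed stand-in for an RTU/PLC that executes requests against its own coil and holding-register tables. The MBAP header and function-code layout follow the public Modbus application protocol specification; the slave, its register contents and all function names are assumptions made for this example. The point it makes: the write request that starts the pump is twelve bytes, and none of them is a credential, so anything that can reach TCP/502 on the device can issue it.

```python
import struct

# Modbus/TCP framing per the public Modbus Application Protocol spec:
# MBAP header = transaction id (2), protocol id (2, always 0), length (2), unit id (1), then the PDU.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
MBAP_FMT = ">HHHB"
MBAP_LEN = 7


def build_adu(transaction_id, unit_id, pdu):
    """Wrap a PDU in an MBAP header; 'length' counts the unit id plus the PDU."""
    return struct.pack(MBAP_FMT, transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(transaction_id, unit_id, start, count):
    return build_adu(transaction_id, unit_id,
                     struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count))


def write_single_coil(transaction_id, unit_id, address, on):
    # 0xFF00 = ON, 0x0000 = OFF; anything else is an illegal data value
    return build_adu(transaction_id, unit_id,
                     struct.pack(">BHH", WRITE_SINGLE_COIL, address, 0xFF00 if on else 0x0000))


def split_adu(frame):
    """Validate the MBAP header and return (transaction id, unit id, function code, data)."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(MBAP_FMT, frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("not Modbus/TCP (protocol id %d)" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length mismatch")
    return tid, unit, frame[MBAP_LEN], frame[MBAP_LEN + 1:]


def parse_read_response(frame):
    """Decode a 0x03 response into 16-bit register values; raise on an exception response."""
    _, _, fc, data = split_adu(frame)
    if fc & 0x80:
        raise ValueError("Modbus exception code %d" % data[0])
    if fc != READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function code %#x" % fc)
    byte_count = data[0]
    return list(struct.unpack(">%dH" % (byte_count // 2), data[1:1 + byte_count]))


class PlcSim:
    """Constructed Modbus/TCP slave: two coils (pump, valve) and two holding registers."""

    def __init__(self):
        self.coils = {0: False, 1: False}
        self.holding = {0: 230, 1: 0}   # say, line voltage and a flow reading

    def handle(self, frame):
        tid, unit, fc, data = split_adu(frame)
        if fc == READ_HOLDING_REGISTERS:
            start, count = struct.unpack(">HH", data)
            values = [self.holding.get(start + i, 0) for i in range(count)]
            pdu = struct.pack(">BB", fc, 2 * count) + struct.pack(">%dH" % count, *values)
        elif fc == WRITE_SINGLE_COIL:
            addr, value = struct.unpack(">HH", data)
            if value not in (0xFF00, 0x0000):
                pdu = struct.pack(">BB", fc | 0x80, 0x03)   # ILLEGAL DATA VALUE
            else:
                # No credential is checked anywhere: the sender's reachability is the only "auth".
                self.coils[addr] = value == 0xFF00
                pdu = struct.pack(">B", fc) + data          # spec: echo the request on success
        else:
            pdu = struct.pack(">BB", fc | 0x80, 0x01)       # ILLEGAL FUNCTION
        return build_adu(tid, unit, pdu)


if __name__ == "__main__":
    plc = PlcSim()
    req = write_single_coil(1, 1, 0, True)
    print(len(req), "bytes:", req.hex())
    plc.handle(req)
    print("pump coil on:", plc.coils[0])
    print("registers:", parse_read_response(plc.handle(read_holding_registers(2, 1, 0, 2))))
```

On a real network the same bytes go out over a plain TCP socket to port 502; the only defences are the ones around the protocol (network segmentation, allow-listing of master IPs, or the authenticated Modbus/TCP Security profile where the device supports it), not anything inside the frame.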
28. SCADA (in)security
Can't Patch, Won't Patch
● SCADA systems traditionally aren't patched
● Install the system, replace the system a decade later
● The effects of patching a system can be worse than the effects of compromise?
● Very large vulnerability window
30. Incidents !!
In 2000, in Queensland, Australia, Vitek Boden released millions of liters of untreated
sewage into fresh water streams using a wireless laptop.
31. Incidents !!
"In August 2003 Slammer infected a private computer network at the idled Davis-Besse
nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly
five hours."
32. Incidents !!
In 2003, the east coast of America experienced a blackout. While the Blaster worm was not
the cause, many related systems were found to be infected.
33. Incidents !!
In 1997, a teenager broke into NYNEX and cut off Worcester Airport in Massachusetts for
6 hours by affecting ground and air communications.
36. The Nightmare .... Stuxnet
Malicious payload signed with stolen digital certificates
● Realtek and JMicron.
Infected machines become part of the Stuxnet botnet
● Can steal code, documents, project designs.
● Can inject and hide code into PLCs – modifying production processes.
37. Stuxnet .... Deeper Look
● Main Dropper
A section of the dropper contains the main Stuxnet DLL; this DLL carries all of Stuxnet's
functions, mechanisms, embedded files and rootkits.
38. Stuxnet .... Deeper Look
● After finding this section, it loads the Stuxnet DLL in a special way.
1. Escalating the Privileges and Injecting Into a New Process.
● It checks that the configuration data is correct and recent, and then checks for admin
rights. If it is not running at administrator level, it uses one of two zero-day
vulnerabilities to escalate privileges and run at administrator level:
● CVE-2010-2743 (MS10-073) – Win32k.sys Keyboard Layout Vulnerability
● CVE-xxxx-xxxx (MS-xx-xxx) – Windows Task Scheduler Vulnerability
● These two vulnerabilities allow the worm to escalate privileges and run in a new process
("csrss.exe" in the Win32k.sys case) or as a new task in the Task Scheduler case.
39. Stuxnet .... Deeper Look
1. Escalating the Privileges and Injecting Into a New Process.
Once everything is in place and the environment is prepared for infection, Stuxnet injects
itself into another process and installs itself from there.
The injection begins by searching for an antivirus application installed on the machine.
Depending on which antivirus product is present (AVP, McAfee, or another), Stuxnet chooses
the process to inject itself into. If there is no antivirus program it chooses "lsass.exe".
40. Stuxnet .... Deeper Look
2. Installing Stuxnet into the Infected Machine.
Function #16 begins by checking the configuration data to make sure that everything is
ready for the installation. It also checks whether there is a registry value named
"NTVDM TRACE" under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
and whether that value equals "19790509"; if it does, the installer exits without infecting
the machine, so the value doubles as a do-not-infect marker.
This number reads as a date, "May 9, 1979", and that date has a historical meaning
(per Wikipedia): "Habib Elghanian was executed by a firing squad in Tehran sending
shock waves through the closely knit Iranian Jewish community".
41. Stuxnet .... Deeper Look
3. The USB Drives Infection
To infect USB flash drives, Stuxnet creates a hidden window "AFX64c313" and gets notified
of any new USB flash drive inserted into the computer by waiting for the "WM_DEVICECHANGE"
Windows message.
● After being notified of a new drive (USB flash memory), Stuxnet writes 6 files to the
drive:
● Copy of Shortcut to.lnk
● Copy of Copy of Shortcut to.lnk
● Copy of Copy of Copy of Shortcut to.lnk
● Copy of Copy of Copy of Copy of Shortcut to.lnk
● and 2 executable files (DLLs):
● ~WTR4141.tmp
● ~WTR4132.tmp
These malformed shortcut files exploit a vulnerability in the Windows Shell:
● CVE-2010-2568 (MS10-046) – Windows Shell LNK Vulnerability
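The two host-side indicators from the last two steps (the "NTVDM TRACE" registry marker from step 2 and the six USB files from step 3), as an added detection example that is not part of the original slides: a Python checker that parses a `reg export` snapshot for the marker and compares a removable drive's root listing against the Stuxnet file names. The indicator values are the ones quoted on the slides; the parser, the helper names (`parse_reg_export`, `has_infection_marker`, `removable_drive_findings`, `assess`), the sample `.reg` text and the sample directory listing are all constructed for this example.

```python
import re

# Indicators as quoted on the slides (Stuxnet's USB dropper file names and its registry marker).
# The parser, helper names, SAMPLE_REG and SAMPLE_DRIVE below are constructed for this example.
STUXNET_LNK_NAMES = {
    "Copy of Shortcut to.lnk",
    "Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Copy of Shortcut to.lnk",
}
STUXNET_TMP_NAMES = {"~WTR4141.tmp", "~WTR4132.tmp"}
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation"
MARKER_NAME = "NTVDM TRACE"
MARKER_DATA = 19790509  # 0x012DFAAD, which reads as the date 1979-05-09

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(.+?)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg_export(text):
    """Parse the subset of 'reg export' output needed here: key headers, REG_DWORD and REG_SZ values."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            tree.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            name, dword, string = value.groups()
            tree[current][name] = int(dword, 16) if dword is not None else string
    return tree


def has_infection_marker(reg):
    """True when the registry carries the value the installer writes and checks for (step 2)."""
    return reg.get(MARKER_KEY, {}).get(MARKER_NAME) == MARKER_DATA


def removable_drive_findings(names):
    """Compare a drive's root listing with the six files the USB infector drops (step 3)."""
    present = set(names)
    lnk = sorted(present & STUXNET_LNK_NAMES)
    tmp = sorted(present & STUXNET_TMP_NAMES)
    findings = []
    if lnk:
        findings.append("%d of 4 Stuxnet LNK droppers present: %s" % (len(lnk), "; ".join(lnk)))
    if tmp:
        findings.append("Stuxnet payload DLLs present: " + ", ".join(tmp))
    return findings


def assess(reg_text, drive_listing):
    """Run both checks for a host plus an attached drive and return the combined findings."""
    findings = removable_drive_findings(drive_listing)
    if has_infection_marker(parse_reg_export(reg_text)):
        findings.append('registry marker "%s" = %d set under %s'
                        % (MARKER_NAME, MARKER_DATA, MARKER_KEY))
    return findings


# Constructed sample data: a reg export from an infected host and the root of an infected stick.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation]
"NTVDM TRACE"=dword:012dfaad
"""
SAMPLE_DRIVE = [
    "Copy of Shortcut to.lnk",
    "Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Copy of Shortcut to.lnk",
    "~WTR4141.tmp",
    "~WTR4132.tmp",
    "report.docx",
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_REG, SAMPLE_DRIVE):
        print("[!]", finding)
```

Name-based indicators like these are cheap to check from a login script or a removable-media gateway, but they are also the first thing a variant changes; the LNK exploit itself (MS10-046) is better caught by patch status and by blocking shortcut icon loading from removable media.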
42. Was it a success?
53. Security Best Practices
Information Protection Guidelines:
● Create strong passwords and protect those passwords.
● Use a security token (or some other additional protection method) with a password to
provide much stronger protection than a password alone.
● Take great care in what you publish on the internet and your company intranet.
● Sanitize or destroy all equipment that may contain critical information.
● Follow your company's reporting procedures if you observe any suspicious or abnormal
activity.
54. Security Best Practices
Physical Protection Guidelines:
● Limit access to systems you're responsible for to those who have a need to know.
● Protect systems and information (use password-protected screen savers, lock office
doors, lock information in cabinets, etc.) when leaving them unattended.
● When traveling, pay special attention when going through airport security. Thieves may
be able to steal your laptop while you are focusing on getting through the security
checkpoint.
● Never leave systems or storage media in your vehicle.
● Protect work systems and information at home at the same level or higher as you would
at work.
55. So, Is SCADA Important?
● No ...
● Why ?! ...