Man in the middle attacks on IEC 60870-5-104
Pete Maynard
@pgmaynard
ORCID 0000-0002-6267-7530
2 
Introduction 
● Pete Maynard 
● PhD Student 
● CSIT Queen's University Belfast, UK 
● Industrial Control System Security 
● Partnership with PRECYSE
3 
What I do 
● Attacks on SCADA protocols 
– Replay, MITM, DoS 
● Develop detection and prevention methods 
● Anomaly detection via machine learning
4 
PRECYSE 
● European FP7 Project 
● Prevention, protection and REaction to CYber attackS to critical infrastructurEs
● LINZ STROM GmbH (Electrical Distribution Operator)
5 
Talk Overview 
● What's SCADA Used for 
● SCADA Threats 
● Introduction IEC 104 
● Attacking IEC 104
6 
What's SCADA Used for?
7 
How is SCADA used [1]
● MODBUS, DNP3, IEC104, 61850, Profibus …
[1] S. Mohagheghi, J. Stoupis, and Z. Wang. Communication protocols and networks for power systems - current status and future trends. In Power Systems Conference and Exposition, 2009. PSCE '09. IEEE/PES, pages 1–9, March 2009.
8 
What does it do? 
● Telemetry control 
● Change Settings 
● Read/Write/Delete files and directories
● Update firmware
9 
SCADA Threats
10 
Attack Levels
Level  Example
1  Accident     Misconfigured, firmware update
2  Novice       Script kiddie, port scanning
3  Experienced  Replay attack, basic knowledge
4  Advanced     Stuxnet, ICS domain knowledge
11 
Threats
● Havex malware
● Uses OPC to scan for SCADA devices
● Reports back to a command and control server
● Recently detected, July 2014
– European ICS
– Team active since 2011
● State sponsored?
12 
Scanning for SCADA devices
● Readily available scanners
– SCADA StrangeLove [1]
● Simple Python script
● Returns device name, IP, software version
[1] https://github.com/atimorin/scada-tools
13 
SCADA Fuzzers 
● Protocol Fuzzers 
● Project Robus[1] 
– DNP3 
– Identified many vulnerabilities 
● Fuzzing can kill 
[1] http://www.automatak.com/robus/
14 
Protocol Analysers
15 
Introduction IEC 104
16 
Introduction IEC 60870-5-104
● International Electrotechnical Commission (IEC)
● IEC 60870 developed periodically between the years 1988 and 2000
● Six main parts and four companion sections
● Open standard
● 60870-5-104 defines transmission over TCP/IP
17 
IEC 60870-5-104 Security Issues 
● Ported from serial links to TCP/IP 
● No authentication 
● No encryption 
● Uses IP address white-list 
– Defined on the slave 
● TLS encryption recommended 
– In practice not implemented
18 
104 Payload 
ASDU
19 
Attacking IEC 104
20 
Capturing Packets
● SPAN port
● DNS poisoning
● Content Addressable Memory (CAM) table overflow
● ARP spoofing
21 
Replay Attack 
● Novice level attack 
● Capture and replay packets 
– Command, readings, alerts... 
● Replayed packets dropped by kernel 
● Tcpreplay alternatives to modify SEQ values
22 
Man In the Middle Attack
● Intercept communications between two or more devices
● Modify and inject packets
● Many tools available
– ettercap
– cain and abel
– DSniff
23 
104 MITM Lab Experiment 
● Modify Cause of transmission (CoT) field 
● Intercept and set an invalid CoT value 
● Detection with SNORT
24 
Cause of Transmission
● CoT values use the following number ranges:
– 1-13 and 20-41 are defined
– 14-19 and 42-43 are reserved for future use
25 
Before and After Capture 
Before 
After
Rule
# Fires on a 104 command ASDU (type ID 45-48, 100 or 101 at offset 6) whose CoT byte at offset 8 is not 6 (activation)
alert tcp $104_CLIENT any -> $104_SERVER $104_PORTS (flow:established; content:"|68|"; offset:0; depth:1; pcre:"/[\s\S]{5}(\x2D|\x2E|\x2F|\x30|\x64|\x65)/iAR"; content:!"|06|"; offset:8; depth:1; msg:"17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field"; classtype:bad-unknown; sid:6666617; rev:1; priority:2;)
26 
SNORT Alert 
Alert 
[**] [1:6666617:1] 17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
09/09-14:06:10.462288 10.50.50.105:40734 -> 10.50.50.75:22 
TCP TTL:64 TOS:0x0 ID:60033 IpLen:20 DgmLen:60 DF 
******S* Seq: 0x9A0C38A1 Ack: 0x0 Win: 0x3908 TcpLen: 40 
TCP Options (5) => MSS: 1460 SackOK TS: 1382076960 0 NOP WS: 7
27 
Earth Fault 
● Real world situation where an earth fault in the physical electrical grid occurs
28 
Linz Test-bed
29 
Operator View
30 
104 MITM Test-bed Environment
● Intercept the value so operators are unable to view the fault
● 104's information object M_SP_TB_1 stores the 'ON/OFF' value
● The first bit of the SIQ is the SPI field, which stores the ON/OFF value
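As an added example (not code from the talk or the PRECYSE project), a small Python decoder for constructed IEC 104 I-format APDUs that applies the checks from slides 24, 25 and 30: it flags a Cause of Transmission in the reserved ranges, mirrors the Snort rule's command/CoT test, and reads the SPI bit from the SIQ byte of an M_SP_TB_1 object. The frame builder, function names and the before/after sample frames are assumptions made for this illustration; the decoder handles any single-object I-format APDU, not only the earth-fault case.

```python
"""Decode constructed IEC 60870-5-104 I-format APDUs (added example, not from the talk).
Layout assumed: 0x68 start, APDU length, 4-byte APCI control field, then the ASDU:
type ID (6), SQ/count (7), CoT (8), originator (9), common address (10-11),
information objects from byte 12 (3-byte IOA followed by the element)."""
import struct

START_BYTE = 0x68
M_SP_TB_1 = 30  # single-point information with CP56Time2a time tag
# Type IDs matched by the Snort rule on slide 25: C_SC_NA_1 (45), C_DC_NA_1 (46),
# C_RC_NA_1 (47), C_SE_NA_1 (48), C_IC_NA_1 (100), C_CI_NA_1 (101)
COMMAND_TYPES = {0x2D, 0x2E, 0x2F, 0x30, 0x64, 0x65}
COT_ACTIVATION = 6
# CoT ranges from slide 24: 1-13 and 20-41 defined, 14-19 and 42-43 reserved
COT_DEFINED = set(range(1, 14)) | set(range(20, 42))
COT_RESERVED = set(range(14, 20)) | {42, 43}


def parse_apdu(frame: bytes) -> dict:
    """Decode the APCI and ASDU headers of one I-format APDU into a dict."""
    if len(frame) < 12 or frame[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    if frame[1] != len(frame) - 2:
        raise ValueError("APDU length field does not match the frame size")
    if frame[2] & 0x01:
        raise ValueError("only I-format APDUs carry an ASDU")
    send_seq, recv_seq = (v >> 1 for v in struct.unpack("<HH", frame[2:6]))
    cot_byte = frame[8]
    return {
        "send_seq": send_seq,
        "recv_seq": recv_seq,
        "type_id": frame[6],
        "sq": bool(frame[7] & 0x80),
        "num_objects": frame[7] & 0x7F,
        "cot": cot_byte & 0x3F,          # 6-bit cause of transmission
        "negative": bool(cot_byte & 0x40),  # P/N bit
        "test": bool(cot_byte & 0x80),      # T bit
        "originator": frame[9],
        "common_addr": struct.unpack("<H", frame[10:12])[0],
        "objects": frame[12:],
    }


def cot_reserved(asdu: dict) -> bool:
    """True when the CoT is a reserved value (14-19, 42-43), the tampered case on slide 24."""
    return asdu["cot"] in COT_RESERVED


def suspicious_command_cot(asdu: dict) -> bool:
    """Python mirror of the slide 25 Snort rule: a command ASDU whose CoT is not
    'activation' (6).  The rule compares the raw byte at offset 8, so a CoT of 6
    with the T bit set would also fire there; here the 6-bit CoT is compared."""
    return asdu["type_id"] in COMMAND_TYPES and asdu["cot"] != COT_ACTIVATION


def single_point_values(asdu: dict) -> list:
    """For M_SP_TB_1 return (IOA, SPI) pairs; SPI is bit 0 of the SIQ byte (slide 30)."""
    if asdu["type_id"] != M_SP_TB_1 or asdu["sq"]:
        raise ValueError("expected M_SP_TB_1 with individually addressed objects")
    size = 3 + 1 + 7  # IOA + SIQ + CP56Time2a
    body = asdu["objects"]
    if len(body) != asdu["num_objects"] * size:
        raise ValueError("information object payload has the wrong length")
    values = []
    for i in range(asdu["num_objects"]):
        obj = body[i * size:(i + 1) * size]
        ioa = int.from_bytes(obj[0:3], "little")
        values.append((ioa, obj[3] & 0x01))
    return values


def build_apdu(type_id: int, cot: int, ioa: int, element: bytes,
               send_seq: int = 0, recv_seq: int = 0, common_addr: int = 1) -> bytes:
    """Construct a one-object I-format APDU (sample data for this example only)."""
    asdu = bytes([type_id, 0x01, cot & 0x3F, 0x00]) + struct.pack("<H", common_addr)
    asdu += ioa.to_bytes(3, "little") + element
    apci = bytes([START_BYTE, 4 + len(asdu)]) + struct.pack("<HH", send_seq << 1, recv_seq << 1)
    return apci + asdu


def earth_fault_frames() -> dict:
    """Constructed before/after frames for the earth-fault scenario on slides 30-31:
    the genuine spontaneous (CoT 3) M_SP_TB_1 with SPI=ON, and a tampered copy with
    SPI cleared and a reserved CoT.  The CP56Time2a tag is left zeroed."""
    before = build_apdu(M_SP_TB_1, 3, ioa=1, element=bytes([0x01]) + bytes(7))
    after = build_apdu(M_SP_TB_1, 14, ioa=1, element=bytes([0x00]) + bytes(7))
    return {"before": before, "after": after}


if __name__ == "__main__":
    for label, frame in earth_fault_frames().items():
        asdu = parse_apdu(frame)
        print(label, frame.hex(), "CoT", asdu["cot"], "reserved" if cot_reserved(asdu) else "defined",
              "SPI", single_point_values(asdu))
```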
31 
ON/OFF Value Modification 
Before 
After
32 
Conclusion
● Attackers with varying skill levels can compromise SCADA systems
– Man-In-The-Middle attacks hiding an earth fault
● New implementations of ICS need to take precautions
● Monitor logs, network, everything
● Enable attack mitigations
33 
Future Work
● Identify features of the IEC104 protocol for anomaly detection
● Propose to develop an Anomaly Detection module for the IEC104 protocol
– Detect similar network attacks
● Work on MITM attack for IEC 61850
34 
Questions

Weitere ähnliche Inhalte

Was ist angesagt?

Palo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration LabPalo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration LabMykhaylo Skrypka
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key loggerPatel Mit
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
Security Principles and Protection Mechanism
Security Principles and Protection MechanismSecurity Principles and Protection Mechanism
Security Principles and Protection MechanismMona Rajput
 
Computer Networking: Subnetting and IP Addressing
Computer Networking: Subnetting and IP AddressingComputer Networking: Subnetting and IP Addressing
Computer Networking: Subnetting and IP AddressingBisrat Girma
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPTAIRTEL
 
Chapter02 -- networking standards and the osi model
Chapter02  -- networking standards and the osi modelChapter02  -- networking standards and the osi model
Chapter02 -- networking standards and the osi modelRaja Waseem Akhtar
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
How to configure port security in cisco switch
How to configure port security in cisco switchHow to configure port security in cisco switch
How to configure port security in cisco switchIT Tech
 
Real Time Systems & RTOS
Real Time Systems & RTOSReal Time Systems & RTOS
Real Time Systems & RTOSVishwa Mohan
 
Module 3 Scanning
Module 3   ScanningModule 3   Scanning
Module 3 Scanningleminhvuong
 
CCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTCCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTNishant Goel
 

Was ist angesagt? (20)

Palo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration LabPalo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration Lab
 
Fortinet SSL VPN access
Fortinet SSL VPN accessFortinet SSL VPN access
Fortinet SSL VPN access
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key logger
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference GuideAruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
 
Security Principles and Protection Mechanism
Security Principles and Protection MechanismSecurity Principles and Protection Mechanism
Security Principles and Protection Mechanism
 
Computer Networking: Subnetting and IP Addressing
Computer Networking: Subnetting and IP AddressingComputer Networking: Subnetting and IP Addressing
Computer Networking: Subnetting and IP Addressing
 
Web application security
Web application securityWeb application security
Web application security
 
Netcat
NetcatNetcat
Netcat
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
 
Chapter02 -- networking standards and the osi model
Chapter02  -- networking standards and the osi modelChapter02  -- networking standards and the osi model
Chapter02 -- networking standards and the osi model
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
How to configure port security in cisco switch
How to configure port security in cisco switchHow to configure port security in cisco switch
How to configure port security in cisco switch
 
Real Time Systems & RTOS
Real Time Systems & RTOSReal Time Systems & RTOS
Real Time Systems & RTOS
 
Module 3 Scanning
Module 3   ScanningModule 3   Scanning
Module 3 Scanning
 
CCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTCCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPT
 

Andere mochten auch

IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11Kevin Mahoney
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Manuel Santander
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Man in the Middle Atack
Man in the Middle AtackMan in the Middle Atack
Man in the Middle AtackSDU CYBERLAB
 
Feb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityFeb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityCasey Dunham
 
Man in the Middle Attack on Banks
Man in the Middle Attack on BanksMan in the Middle Attack on Banks
Man in the Middle Attack on BanksMarko Elezović
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
InduSoft Web Studio and DNP3
InduSoft Web Studio and DNP3InduSoft Web Studio and DNP3
InduSoft Web Studio and DNP3AVEVA
 
Practical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA SystemsPractical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA SystemsLiving Online
 
IEC104规约介绍
IEC104规约介绍IEC104规约介绍
IEC104规约介绍Chen Ray
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle AttackDeepak Upadhyay
 
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...Sarah Jiffry
 
Practical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & TechniciansPractical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & TechniciansLiving Online
 
Password sniffing
Password sniffingPassword sniffing
Password sniffingSRIMCA
 
Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)Nikandrov Maxim
 

Andere mochten auch (20)

IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
 
IEC-61850
IEC-61850IEC-61850
IEC-61850
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
Man in the Middle Atack
Man in the Middle AtackMan in the Middle Atack
Man in the Middle Atack
 
man in the middle
man in the middleman in the middle
man in the middle
 
Feb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityFeb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-Security
 
Man in the Middle Attack on Banks
Man in the Middle Attack on BanksMan in the Middle Attack on Banks
Man in the Middle Attack on Banks
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
Man In The Middle
Man In The MiddleMan In The Middle
Man In The Middle
 
InduSoft Web Studio and DNP3
InduSoft Web Studio and DNP3InduSoft Web Studio and DNP3
InduSoft Web Studio and DNP3
 
Practical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA SystemsPractical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA Systems
 
IEC104规约介绍
IEC104规约介绍IEC104规约介绍
IEC104规约介绍
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle Attack
 
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
 
Practical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & TechniciansPractical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & Technicians
 
Password sniffing
Password sniffingPassword sniffing
Password sniffing
 
Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)
 

Ähnlich wie Man in the middle attacks on IEC 60870-5-104

Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageChris Sistrunk
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 
DPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDSDPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDSVipin Varghese
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...aaajjj4
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadBrain IoT Project
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadBrain IoT Project
 
Datasheet PIC16f887
Datasheet PIC16f887Datasheet PIC16f887
Datasheet PIC16f887whendygarcia
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017Jian-Hong Pan
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...EC-Council
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentationSS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentationVEDLIoT Project
 
Gas leakage detection system
Gas leakage detection systemGas leakage detection system
Gas leakage detection systemAashiq Ahamed N
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 

Ähnlich wie Man in the middle attacks on IEC 60870-5-104 (20)

Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
 
DPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDSDPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDS
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges Ahead
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges Ahead
 
Datasheet PIC16f887
Datasheet PIC16f887Datasheet PIC16f887
Datasheet PIC16f887
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentationSS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
 
Gas leakage detection system
Gas leakage detection systemGas leakage detection system
Gas leakage detection system
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 

Kürzlich hochgeladen

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Man in the middle attacks on IEC 60870-5-104

16
Introduction IEC 60870-5-104
● International Electrotechnical Commission (IEC)
● IEC 60870 developed periodically between the years 1988 and 2000
● 6 Main Parts and four companion sections
● Open Standard
● 60870-5-104 defines transmission over TCP/IP

17
IEC 60870-5-104 Security Issues
● Ported from serial links to TCP/IP
● No authentication
● No encryption
● Uses IP address white-list
– Defined on the slave
● TLS encryption recommended
– In practice not implemented

20
Capturing Packets
● SPAN Port
● DNS Poisoning
● Content Addressable Memory (CAM) table overflow
● ARP Spoofing

21
Replay Attack
● Novice level attack
● Capture and replay packets
– Command, readings, alerts...
● Replayed packets dropped by kernel
● Tcpreplay alternatives to modify SEQ values

22
Man In the Middle Attack
● Intercept communications between two or more devices
● Modify and inject packets
● Many tools available
– ettercap
– cain and abel
– DSniff

23
104 MITM Lab Experiment
● Modify Cause of transmission (CoT) field
● Intercept and set an invalid CoT value
● Detection with SNORT

24
Cause of Transmission
● CoT values can use the following number ranges:
– 1-13 and 20-41
– 14-19 and 42-43 are reserved for future use.

25
Before and After Capture
(Before / After packet captures shown as images)
26
Rule
# Match the 0x68 start byte, skip the APDU length and the four control bytes,
# then require a command type ID (0x2D-0x30, 0x64, 0x65) at byte 6 and a CoT
# at byte 8 that is not 6 (Activation).
alert tcp $104_CLIENT any -> $104_SERVER $104_PORTS ( \
    flow: established; \
    content:"|68|"; offset:0; depth:1; \
    pcre:"/[\S\s]{5}(\x2D|\x2E|\x2F|\x30|\x64|\x65)/iAR"; \
    content:!"|06|"; offset: 8; depth: 1; \
    msg:"17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field"; \
    classtype:bad-unknown; sid:6666617; rev:1; priority:2;)

SNORT Alert
[**] [1:6666617:1] 17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/09-14:06:10.462288 10.50.50.105:40734 -> 10.50.50.75:22
TCP TTL:64 TOS:0x0 ID:60033 IpLen:20 DgmLen:60 DF
******S* Seq: 0x9A0C38A1 Ack: 0x0 Win: 0x3908 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 1382076960 0 NOP WS: 7
27
Earth Fault
● Real world situation where an earth fault in the physical electrical grid occurs
30
104 MITM TestBed Environment
● Intercept value, so operators unable to view fault
● 104's Information Objects: M_SP_TB_1 stores the 'ON/OFF' value
● First bit of the SIQ is the SPI field, storing the ON/OFF value.
31
ON/OFF Value Modification
(Before / After captures shown as images)
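The two checks the slides describe, as an added Python example that is not code from the talk or from the PRECYSE project: an IEC 60870-5-104 I-format APDU is decoded, the Cause of Transmission is tested the way the Snort rule on slide 26 does (command type IDs 45-48, 100 and 101 must carry CoT 6, and 14-19 / 42-43 are reserved per slide 24), and the SPI bit of an M_SP_TB_1 object is extracted so the ON/OFF value can be compared before and after the modification on slides 30-31. The frames are constructed for this example, not testbed captures, and the field layout is assumed to follow the standard (type ID at byte 6, VSQ at 7, two-byte CoT at 8, two-byte common address at 10, three-byte IOA per object).

```python
import struct

VALID_COT = set(range(1, 14)) | set(range(20, 42))    # 14-19 and 42-43 are reserved (slide 24)
COMMAND_TYPES = {0x2D, 0x2E, 0x2F, 0x30, 0x64, 0x65}   # type IDs matched by the Snort pcre (slide 26)
COT_ACTIVATION = 6
M_SP_TB_1 = 30                                         # single-point information with CP56Time2a

def parse_apdu(frame: bytes) -> dict:
    """Split an I-format APDU into its ASDU header fields (layout assumed per IEC 60870-5-104)."""
    if len(frame) < 12 or frame[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if frame[1] != len(frame) - 2:
        raise ValueError("APDU length field does not match frame size")
    if frame[2] & 0x01:
        raise ValueError("S- and U-format frames carry no ASDU")
    return {
        "type_id": frame[6],
        "n_objects": frame[7] & 0x7F,       # VSQ: low 7 bits = object count, bit 7 = SQ
        "cot": frame[8] & 0x3F,             # byte 8: cause (6 bits) plus P/N and test bits
        "common_addr": struct.unpack_from("<H", frame, 10)[0],
        "objects": frame[12:],
    }

def suspicious_cot(asdu: dict) -> bool:
    """Same condition as the Snort rule: a command whose CoT is not Activation, or a reserved CoT."""
    if asdu["cot"] not in VALID_COT:
        return True
    return asdu["type_id"] in COMMAND_TYPES and asdu["cot"] != COT_ACTIVATION

def single_points(asdu: dict) -> dict:
    """M_SP_TB_1 object = IOA(3, little-endian) + SIQ(1) + CP56Time2a(7); SPI is SIQ bit 0.
    Assumes SQ=0, i.e. every object carries its own IOA."""
    if asdu["type_id"] != M_SP_TB_1:
        raise ValueError("not an M_SP_TB_1 ASDU")
    objs = asdu["objects"]
    return {int.from_bytes(objs[i:i + 3], "little"): bool(objs[i + 3] & 0x01)
            for i in range(0, 11 * asdu["n_objects"], 11)}

def i_frame(asdu: bytes) -> bytes:
    """Wrap an ASDU in an I-format APDU with zero send/receive sequence numbers."""
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu

# Constructed frames, not testbed captures. ASDU header = type, VSQ, CoT, originator, common address (LE).
# FAULT_ON is an earth-fault indication (SPI=1); FAULT_OFF is the same frame after a MITM cleared SPI.
FAULT_ON = i_frame(bytes([30, 1, 3, 0, 1, 0]) + b"\x01\x00\x00" + b"\x01" + bytes(7))
FAULT_OFF = i_frame(bytes([30, 1, 3, 0, 1, 0]) + b"\x01\x00\x00" + b"\x00" + bytes(7))
# C_SC_NA_1 single command carrying reserved CoT 14, the kind of value the Snort rule flags.
BAD_CMD = i_frame(bytes([45, 1, 14, 0, 1, 0]) + b"\x05\x00\x00" + b"\x01")
```

`suspicious_cot(parse_apdu(BAD_CMD))` returns True, while the two M_SP_TB_1 frames pass the CoT check and differ only in the SPI value returned by `single_points`, which is the change an operator would otherwise never see.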
32
Conclusion
● Attackers with varying skill levels can compromise SCADA systems
– Man-In-The-Middle attacks hiding an earth fault
● New implementations of ICS need to take precautions
● Monitor logs, network, everything
● Enable attack mitigations

33
Future Work
● Identify features of the IEC104 protocol for anomaly detection
● Propose to develop an Anomaly Detection module for the IEC104 protocol
– Detect similar network attacks
● Work on MITM attack for IEC 61850