SlideShare ist ein Scribd-Unternehmen logo

Man in the middle attacks on IEC 60870-5-104

P
pgmaynard

Man in the middle attacks on IEC 60870-5-104 http://dx.doi.org/10.14236/ewic/ics-csr2014.5

Technologie
1 von 34
Downloaden Sie, um offline zu lesen
Man in the middle attacks on IEC 60870-5-104 Pete Maynard @pgmaynard ORCID 0000-0002-6267-7530
2 Introduction ● Pete Maynard ● PhD Student ● CSIT Queen's University Belfast, UK ● Industrial Control System Security ● Partnership with PRECYSE
3 What I do ● Attacks on SCADA protocols – Replay, MITM, DoS ● Develop detection and prevention methods ● Anomaly detection via machine learning
4 PRECYSE ● European FP7 Project ● Prevention, protection and REaction to CYber attackS to critical infrastructurEs ● LINZ STROM GmbH (Electrical Distribution Operator)
5 Talk Overview ● What's SCADA Used for ● SCADA Threats ● Introduction IEC 104 ● Attacking IEC 104
6 What's SCADA Used for?
7 How is SCADA used [1] ● MODBUS, DNP3, IEC104, 61850, Profibus … [1] S. Mohagheghi, J. Stoupis, and Z. Wang. Communication protocols and networks for power systems-current status and future trends. In Power Systems Conference and Exposition, 2009. PSCE ’09. IEEE/PES, pages 1–9, March 2009.
8 What does it do? ● Telemetry control ● Change Settings ● Read/Write/Delete files and directories ● Update firmware
9 SCADA Threats
10 Attack Levels Level Example 1 Accident Misconfigured, Firmware Update 2 Novice Script kiddie, port scanning 3 Experienced Replay attack, basic knowledge 4 Advanced Stuxnet, ICS domain knowledge
11 Threats ● Havex Malware ● OPC to scan for SCADA devices ● Reports back to command and control server ● Recently detected July 2014 – European ICS – Team Since 2011 ● State sponsored?
12 Scanning for SCADA devices ● Readily available scanners – SCADA StrangeLove[1] ● Simple Python Script ● Return Device name, IP, software version [1] https://github.com/atimorin/scada-tools
13 SCADA Fuzzers ● Protocol Fuzzers ● Project Robus[1] – DNP3 – Identified many vulnerabilities ● Fuzzing can kill [1] http://www.automatak.com/robus/
14 Protocol Analysers
15 Introduction IEC 104
16 Introduction IEC 60870-5-104 ● International Electrotechnical Commission (IEC) ● IEC 60870 developed periodically between the years 1988 and 2000 ● 6 Main Parts and four companion sections ● Open Standard ● 60870-5-104 defines transmission over TCP/IP
17 IEC 60870-5-104 Security Issues ● Ported from serial links to TCP/IP ● No authentication ● No encryption ● Uses IP address white-list – Defined on the slave ● TLS encryption recommended – In practice not implemented
18 104 Payload ASDU
19 Attacking IEC 104
20 Capturing Packets ● SPAN Port ● DNS Poisoning ● Content Addressable Memory (CAM) table overflow ● ARP Spoofing
21 Replay Attack ● Novice level attack ● Capture and replay packets – Command, readings, alerts... ● Replayed packets dropped by kernel ● Tcpreplay alternatives to modify SEQ values
22 Man In the Middle Attack ● Intercept communications between two or more devices ● Modify and inject packets ● Many tools available – ettercap – cain and abel – DSniff
23 104 MITM Lab Experiment ● Modify Cause of transmission (CoT) field ● Intercept and set an invalid CoT value ● Detection with SNORT
24 Cause of Transmission ● CoT values can use the following number ranges: – 1-13 and 20-41 – 14-19 and 42-43 are reserved for future use.
25 Before and After Capture Before After
Rule alert tcp $104_CLIENT any -> $104_SERVER $104_PORTS (flow: established; content:"|68|"; offset:0; depth:1; pcre:"/[Ss]{5}(x2D|x2E|x2F|x30|x64|x65)/iAR"; content:!"|06|"; offset: 8; depth: 1; msg:"17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field"; classtype:bad-unknown; sid:6666617; rev:1; priority:2;) 26 SNORT Alert Alert [**] [1:6666617:1] 17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field [**] [Classification: Potentially Bad Traffic] [Priority: 2] 09/09-14:06:10.462288 10.50.50.105:40734 -> 10.50.50.75:22 TCP TTL:64 TOS:0x0 ID:60033 IpLen:20 DgmLen:60 DF ******S* Seq: 0x9A0C38A1 Ack: 0x0 Win: 0x3908 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 1382076960 0 NOP WS: 7
27 Earth Fault ● Real world situation where an earth fault in the physical electrical grid occurs
28 Linz Test-bed
29 Operator View
30 104 MIM TestBed Environment ● Intercept value, so operators unable to view fault ● 104's Information Objects, M_SP_TB_1 stores the 'ON/OFF' value ● First bit of the SIQ is the SPI field, storing the ON/OFF value.
31 ON/OFF Value Modification Before After
32 Conclusion ● Attackers with varying skill levels can compromise SCADA systems – Man-In-The-Middle attacks hiding an earth fault ● New implementations of ICS need to take precautions ● Monitor logs, network, everything ● Enable attack mitigations
33 Future Work ● Identify features of the IEC104 protocol for anomaly detection ● Propose to develop an Anomaly Detection module for the IEC104 protocol – Detect similar network attacks ● Work on MITM attack for IEC 61850
34 Questions

Empfohlen

Firewalls
FirewallsFirewalls
Firewalls
Kalluri Madhuri
 
Port Security
Port SecurityPort Security
Port Security
NetProtocol Xpert
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0
Network Intelligence India
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefits
Anthony Daniel
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 

Empfohlen

Firewalls
FirewallsFirewalls
Firewalls
Kalluri Madhuri
 
Port Security
Port SecurityPort Security
Port Security
NetProtocol Xpert
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0
Network Intelligence India
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefits
Anthony Daniel
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Palo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration LabPalo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration Lab
Mykhaylo Skrypka
 
Fortinet SSL VPN access
Fortinet SSL VPN accessFortinet SSL VPN access
Fortinet SSL VPN access
Naseem Khoodoruth
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.
Aksum Institute of Technology(AIT, @Letsgo)
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key logger
Patel Mit
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference GuideAruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba, a Hewlett Packard Enterprise company
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
dkaya
 
Security Principles and Protection Mechanism
Security Principles and Protection MechanismSecurity Principles and Protection Mechanism
Security Principles and Protection Mechanism
Mona Rajput
 
Computer Networking: Subnetting and IP Addressing
Computer Networking: Subnetting and IP AddressingComputer Networking: Subnetting and IP Addressing
Computer Networking: Subnetting and IP Addressing
Bisrat Girma
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Netcat
NetcatNetcat
Netcat
penetration Tester
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
AIRTEL
 
Chapter02 -- networking standards and the osi model
Chapter02 -- networking standards and the osi modelChapter02 -- networking standards and the osi model
Chapter02 -- networking standards and the osi model
Raja Waseem Akhtar
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Sqlmap
SqlmapSqlmap
Sqlmap
Rushikesh Kulkarni
 
How to configure port security in cisco switch
How to configure port security in cisco switchHow to configure port security in cisco switch
How to configure port security in cisco switch
IT Tech
 
Real Time Systems & RTOS
Real Time Systems & RTOSReal Time Systems & RTOS
Real Time Systems & RTOS
Vishwa Mohan
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
leminhvuong
 
CCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTCCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPT
Nishant Goel
 
IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11
Kevin Mahoney
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
Chris Sistrunk
 

Weitere ähnliche Inhalte

Was ist angesagt?

Palo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration LabPalo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration Lab
Mykhaylo Skrypka
 
Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.
Aksum Institute of Technology(AIT, @Letsgo)
 
How to configure port security in cisco switch
How to configure port security in cisco switchHow to configure port security in cisco switch
How to configure port security in cisco switch
IT Tech
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
leminhvuong
 

Was ist angesagt? (20)

Palo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration LabPalo Alto VM-100 Configuration Lab
Palo Alto VM-100 Configuration Lab
 
Fortinet SSL VPN access
Fortinet SSL VPN accessFortinet SSL VPN access
Fortinet SSL VPN access
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key logger
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference GuideAruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
 
Security Principles and Protection Mechanism
Security Principles and Protection MechanismSecurity Principles and Protection Mechanism
Security Principles and Protection Mechanism
 
Computer Networking: Subnetting and IP Addressing
Computer Networking: Subnetting and IP AddressingComputer Networking: Subnetting and IP Addressing
Computer Networking: Subnetting and IP Addressing
 
Web application security
Web application securityWeb application security
Web application security
 
Netcat
NetcatNetcat
Netcat
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
 
Chapter02 -- networking standards and the osi model
Chapter02 -- networking standards and the osi modelChapter02 -- networking standards and the osi model
Chapter02 -- networking standards and the osi model
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
How to configure port security in cisco switch
How to configure port security in cisco switchHow to configure port security in cisco switch
How to configure port security in cisco switch
 
Real Time Systems & RTOS
Real Time Systems & RTOSReal Time Systems & RTOS
Real Time Systems & RTOS
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
 
CCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPTCCNA SUMMER TRAINNING PPT
CCNA SUMMER TRAINNING PPT
 

Andere mochten auch

SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
qqlan
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
qqlan
 
Practical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA SystemsPractical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA Systems
Living Online
 
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Sarah Jiffry
 
Practical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & TechniciansPractical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & Technicians
Living Online
 
Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)
Nikandrov Maxim
 

Andere mochten auch (20)

IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
 
IEC-61850
IEC-61850IEC-61850
IEC-61850
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
Man in the Middle Atack
Man in the Middle AtackMan in the Middle Atack
Man in the Middle Atack
 
man in the middle
man in the middleman in the middle
man in the middle
 
Feb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityFeb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-Security
 
Man in the Middle Attack on Banks
Man in the Middle Attack on BanksMan in the Middle Attack on Banks
Man in the Middle Attack on Banks
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
Man In The Middle
Man In The MiddleMan In The Middle
Man In The Middle
 
InduSoft Web Studio and DNP3
InduSoft Web Studio and DNP3InduSoft Web Studio and DNP3
InduSoft Web Studio and DNP3
 
Practical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA SystemsPractical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA Systems
 
IEC104规约介绍
IEC104规约介绍IEC104规约介绍
IEC104规约介绍
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle Attack
 
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
 
Practical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & TechniciansPractical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & Technicians
 
Password sniffing
Password sniffingPassword sniffing
Password sniffing
 
Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)
 

Ähnlich wie Man in the middle attacks on IEC 60870-5-104

Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
Positive Hack Days
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
Ekaterina Melnik
 
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
IJET - International Journal of Engineering and Techniques
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
aaajjj4
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017
Jian-Hong Pan
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
EC-Council
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Positive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Positive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Aleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Positive Hack Days
 

Ähnlich wie Man in the middle attacks on IEC 60870-5-104 (20)

Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
 
DPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDSDPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDS
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges Ahead
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges Ahead
 
Datasheet PIC16f887
Datasheet PIC16f887Datasheet PIC16f887
Datasheet PIC16f887
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentationSS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
 
Gas leakage detection system
Gas leakage detection systemGas leakage detection system
Gas leakage detection system
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 

Kürzlich hochgeladen

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 

Kürzlich hochgeladen (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Man in the middle attacks on IEC 60870-5-104

  • 1. Man in the middle attacks on IEC 60870-5-104 Pete Maynard @pgmaynard ORCID 0000-0002-6267-7530
  • 2. 2 Introduction ● Pete Maynard ● PhD Student ● CSIT Queen's University Belfast, UK ● Industrial Control System Security ● Partnership with PRECYSE
  • 3. 3 What I do ● Attacks on SCADA protocols – Replay, MITM, DoS ● Develop detection and prevention methods ● Anomaly detection via machine learning
  • 4. 4 PRECYSE ● European FP7 Project ● Prevention, protection and REaction to CYber attackS to critical infrastructurEs ● LINZ STROM GmbH (Electrical Distribution Operator)
  • 5. 5 Talk Overview ● What's SCADA Used for ● SCADA Threats ● Introduction IEC 104 ● Attacking IEC 104
  • 6. 6 What's SCADA Used for?
  • 7. 7 How is SCADA used [1] ● MODBUS, DNP3, IEC104, 61850, Profibus … [1] S. Mohagheghi, J. Stoupis, and Z. Wang. Communication protocols and networks for power systems-current status and future trends. In Power Systems Conference and Exposition, 2009. PSCE ’09. IEEE/PES, pages 1–9, March 2009.
  • 8. 8 What does it do? ● Telemetry control ● Change Settings ● Read/Write/Delete files and directories ● Update firmware
  • 10. 10 Attack Levels Level Example 1 Accident Misconfigured, Firmware Update 2 Novice Script kiddie, port scanning 3 Experienced Replay attack, basic knowledge 4 Advanced Stuxnet, ICS domain knowledge
  • 11. 11 Threats ● Havex Malware ● OPC to scan for SCADA devices ● Reports back to command and control server ● Recently detected July 2014 – European ICS – Team Since 2011 ● State sponsored?
  • 12. 12 Scanning for SCADA devices ● Readily available scanners – SCADA StrangeLove[1] ● Simple Python Script ● Return Device name, IP, software version [1] https://github.com/atimorin/scada-tools
  • 13. 13 SCADA Fuzzers ● Protocol Fuzzers ● Project Robus[1] – DNP3 – Identified many vulnerabilities ● Fuzzing can kill [1] http://www.automatak.com/robus/
  • 16. 16 Introduction IEC 60870-5-104 ● International Electrotechnical Commission (IEC) ● IEC 60870 developed periodically between the years 1988 and 2000 ● 6 Main Parts and four companion sections ● Open Standard ● 60870-5-104 defines transmission over TCP/IP
  • 17. 17 IEC 60870-5-104 Security Issues ● Ported from serial links to TCP/IP ● No authentication ● No encryption ● Uses IP address white-list – Defined on the slave ● TLS encryption recommended – In practice not implemented
  • 20. 20 Capturing Packets ● SPAN Port ● DNS Poisoning ● Content Addressable Memory (CAM) table overflow ● ARP Spoofing
  • 21. 21 Replay Attack ● Novice level attack ● Capture and replay packets – Command, readings, alerts... ● Replayed packets dropped by kernel ● Tcpreplay alternatives to modify SEQ values
  • 22. 22 Man In the Middle Attack ● Intercept communications between two or more devices ● Modify and inject packets ● Many tools available – ettercap – cain and abel – DSniff
  • 23. 23 104 MITM Lab Experiment ● Modify Cause of transmission (CoT) field ● Intercept and set an invalid CoT value ● Detection with SNORT
  • 24. 24 Cause of Transmission ● CoT values can use the following number ranges: – 1-13 and 20-41 – 14-19 and 42-43 are reserved for future use.
  • 25. 25 Before and After Capture Before After
  • 26. Rule alert tcp $104_CLIENT any -> $104_SERVER $104_PORTS (flow: established; content:"|68|"; offset:0; depth:1; pcre:"/[Ss]{5}(x2D|x2E|x2F|x30|x64|x65)/iAR"; content:!"|06|"; offset: 8; depth: 1; msg:"17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field"; classtype:bad-unknown; sid:6666617; rev:1; priority:2;) 26 SNORT Alert Alert [**] [1:6666617:1] 17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field [**] [Classification: Potentially Bad Traffic] [Priority: 2] 09/09-14:06:10.462288 10.50.50.105:40734 -> 10.50.50.75:22 TCP TTL:64 TOS:0x0 ID:60033 IpLen:20 DgmLen:60 DF ******S* Seq: 0x9A0C38A1 Ack: 0x0 Win: 0x3908 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 1382076960 0 NOP WS: 7
  • 27. 27 Earth Fault ● Real world situation where an earth fault in the physical electrical grid occurs
  • 30. 30 104 MIM TestBed Environment ● Intercept value, so operators unable to view fault ● 104's Information Objects, M_SP_TB_1 stores the 'ON/OFF' value ● First bit of the SIQ is the SPI field, storing the ON/OFF value.
  • 31. 31 ON/OFF Value Modification Before After
  • 32. 32 Conclusion ● Attackers with varying skill levels can compromise SCADA systems – Man-In-The-Middle attacks hiding an earth fault ● New implementations of ICS need to take precautions ● Monitor logs, network, everything ● Enable attack mitigations
  • 33. 33 Future Work ● Identify features of the IEC104 protocol for anomaly detection ● Propose to develop an Anomaly Detection module for the IEC104 protocol – Detect similar network attacks ● Work on MITM attack for IEC 61850