PENETRATION TESTING SCADA INDUSTRIAL
CONTROL SYSTEMS
By: Yehia Mamdouh
THIS PRESENTATION WILL COVER:
What is SCADA?
What is it used for?
What are the benefits of using SCADA?
SCADA system concept
How SCADA communication works
SCADA protocols
SCADA cyber security
Types of SCADA networks
Attack vectors
Penetration testing methodology
Conclusion
WHAT IS A SCADA CONTROL SYSTEM?
* SCADA: Supervisory Control and Data Acquisition. A type of control system that can be used to monitor many different kinds of equipment in many different kinds of environments.
* In general, the term refers to an industrial control system (ICS).
WHERE CAN YOU FIND SCADA?
* Electric power generation, transmission, and distribution
* Water and sewage
* Buildings, facilities, and environments
* Manufacturing
* Mass transit
* Traffic signals.
BENEFITS OF SCADA
Used for:
1- Transmits individual device status
2- Manages energy consumption by controlling the devices
3- Allows direct control of power system equipment
4- Controls chemical plant processes, oil and gas pipelines, electrical generation and transmission equipment, manufacturing facilities, etc.
EX: Motors, valves, pumps, relays, etc.
Benefits:
1- Identify and solve problems before they even start.
2- Keep your eye on long-term trends and threats.
3- Identify and attack bottlenecks and inefficiencies throughout the enterprise.
4- Effectively manage bigger and more complicated processes with a smaller staff.
SCADA SYSTEM CONCEPT
SCADA Workstation: the human operator's device, the central SCADA console used to issue commands, receive raw data in human-readable form, and monitor and control the process.
HMI (Human-Machine Interface): software and hardware that allow the human operator to monitor the state of the process under control, modify control settings, and manually override automatic control operations. The interface sits between the human operator and the commands relevant to the SCADA system. (Windows, Linux or Unix)
SCADA SYSTEM CONCEPT
Data Historian: collects and stores information from your mission-critical systems so that it can be extracted and analysed accurately (SQL).
SCADA Server / MTU (Master Terminal Unit): a device that issues commands to the Remote Terminal Units (RTUs) located at places remote from the control centre, gathers the required data, stores the information, processes it and displays it.
RTU (Remote Terminal Unit): connects to sensors on the process, converts sensor signals and sends digital data to the supervisory systems.
PLC (Programmable Logic Controller): automatically performs the main site control process that controls the operation of industrial equipment, such as control of machinery.
HOW SCADA COMMUNICATION WORKS
* The control operator or workstation monitors the data and initiates control commands to the HMI.
* HMIs are traditional applications installed on workstations running Windows or Linux, and more recently web applications. These HMIs speak to the SCADA controlling server.
* The SCADA controlling server collects data from the Data Historian, which is basically a database that the SCADA server pushes data to and in some cases pulls data from.
* The SCADA server sends the appropriate signal to the correct RTU or PLC.
* The RTU or PLC consults its pre-programmed logic to determine what it should do with this control signal, and controls the operation of the industrial equipment.
* Equipment EX: relays, capacitor banks, feeder switches, actuators
[Figure: System Concept of SCADA. The Work Station and HMI (Web Interface) connect to the SCADA Server and Data Historian; a Communication Router links them over a Wide Area Network to the RTU/PLC units. Modbus TCP/IP and DNP3 protocols communicate between the SCADA server and the RTU/PLC. Monitored values: temperature level, pressure level, oil level, alarm, radioactivity level.]
SCADA PROTOCOLS
* We have mentioned that the SCADA server sends signals to the RTU or PLC and vice versa.
How can the central SCADA console receive information from sensors, which are very simple devices?
Here is where SCADA protocols come in!
* The RTU collects data from sensors and converts the readings into a protocol, such as Modbus or DNP3, that can be transported across your communications network and back to you.
DNP3 (Distributed Network Protocol): used for communications between the master station and RTUs. Port 20000 TCP/UDP.
Modbus: typically used for Supervisory Control and Data Acquisition (SCADA)-style network communication between devices; implementations exist over serial and TCP/IP. Standard port 502 TCP.
WHY SECURITY IS IMPORTANT IN
CONTROL SYSTEMS?
Why?
* The ability of cyber intruders to gain access to networked control systems might be easy.
* More efficient methods of communication = new risks that can cause disaster.
* Control systems share common vulnerabilities with traditional information technology.
* Control systems have recently adopted web technology, which is an interesting target for cyber attacks.
* Insecure protocols transmit the data; some of them run over TCP/IP.
* Control systems have turned to Windows and Linux, which have known vulnerabilities.
WHY SECURITY IS IMPORTANT IN
CONTROL SYSTEMS?
* The new protocols and communication standards that are providing increased capability are the same technologies that have been exploited and compromised in the Internet and networking domains.
Modbus TCP: a Modbus request packet has no authentication, no encryption, no security.
Attack categories: attacks on field devices; database attacks; communications hijacking and 'man-in-the-middle' attacks; vulnerabilities in common protocols.
REAL ATTACKS
In recent years, security risks have been reported in control systems.
Types of SCADA Networks
TYPES OF SCADA NETWORKS
Early or Monolithic SCADA systems
* The first SCADA systems held all operations in one computer, usually a mainframe. There was little control exercised, and most early SCADA functions were limited to monitoring sensors and flagging any operations.
* Limited to a single plant or facility. Like the software, SCADA hardware from one vendor was rarely usable in another vendor's SCADA system.
TYPES OF SCADA NETWORKS
Distributed SCADA Systems
* Shared control functions across multiple smaller (usually PC) computers connected by Local Area Networks (LAN).
* Shared real-time information and often performed small control tasks in addition to alerting operators of possible problems.
TYPES OF SCADA NETWORKS
Networked SCADA systems
* Current SCADA systems are usually networked.
* They communicate through Wide Area Network (WAN) systems, over phone or data lines, and often transmit data between nodes through Ethernet or fibre optic connections.
* They make heavy use of Programmable Logic Controllers (PLCs) to monitor and make routine process adjustments.
* The hardware tends to be more interchangeable, as PLC and other sub-unit vendors have standardized communications and other protocols to allow the user to choose the best component for their needs.
TYPES OF SCADA NETWORKS
Internet of Things (IoT)
* A data model allows the types of data that will be monitored to be defined, and allows new types to be added quickly and easily as new smart objects are added to the process.
* Allows combinations of smart things/objects and sensor network technologies.
* Communication will bring physical business benefits like high-resolution management of resources and products, better collaboration between enterprises, and improved life-cycle management.
ATTACK VECTORS
* SCADA systems are vulnerable to the same threats as any TCP/IP-based system.
* SCADA administrators and industrial systems analysts are deceived into thinking that since their industrial networks are on separate systems, they are safe from outside attacks.
* PLCs and RTUs are usually polled over third-party, vendor-specific networks and protocols such as Modbus and DNP, usually over phone lines, leased private frame relay circuits or satellite systems.
* Security in an industrial network can be compromised in many places along the system and is most easily compromised at the SCADA host or control room level.
SCADA Attacks: How Far?
ATTACK VECTORS
++ Once the corporate network is compromised, any IP-based device or computer system can be accessed.
++ 24/7 access provides an opportunity to attack the SCADA host system, which can cause:
* Denial of Service (DoS) attack to crash the SCADA server, leading to a shutdown condition
* Deletion of system files on the SCADA server (system downtime and loss of operations)
* Planting a Trojan and taking complete control of the system
* Logging any company-sensitive operational data for personal or competitive use
There are attack vectors that should be addressed:
1- Backdoors and holes in the network perimeter
2- Vulnerabilities in common protocols
3- Attacks on field devices
4- Database attacks
5- Communications hijacking and 'man-in-the-middle' attacks
ATTACK VECTORS
Backdoors and holes in the network perimeter
1- Modern networks in the control system arena often have inherent capabilities that are deployed without sufficient security analysis and can provide access to attackers once they are discovered.
2- Network components carry technologies that often include firewalls, public-facing services and wireless access; each of these components often has associated security vulnerabilities.
3- Remotely located control system elements can be accessed via remotely connected communications; if the systems are based on commercial operating systems, the attacks can be via DDoS, escalated-privilege exploits or Trojan horses.
ATTACK VECTORS
Backdoors and holes in the network perimeter (continued)
4- Organizations in many CI/KR sectors provide data to customers and providers through publicly accessible services, such as calculating load expectations or billing futures information. As these services are in the public domain, they are often accessible from the Internet with little or no user access limitation.
5- If the relationship between the firewall and the web server is not deployed right, it allows unauthorized data to flow from the external side to the internal domain. If the attacker compromises the trusted web server, the attacker has a channel to access the internal services (or control systems) LAN.
ATTACK VECTORS
Attacks using common protocols
1- Microsoft Windows XP, a platform commonly used in control systems, mitigates the security issues.
2- Control systems and modern networking technologies come with some inherited security vulnerabilities. Even though many of these vulnerabilities have solutions and available workarounds, the deployment of these mitigations in control system architectures is not always feasible.
ATTACK VECTORS
Attacks into the control system via field devices
1- Control system architectures usually have a capability for remote access to terminal end points and devices in a number of ways, including by telephonic or dedicated means, to provide for the collection of operational and maintenance data.
2- Modern equipment has embedded file servers and web servers to facilitate robust communications. These devices are part of an internal and trusted domain, and thus access into these devices can provide an attacker with an unauthorized vector into the control system architecture.
3- RTUs are an extension of the control domain, so attackers can add these field devices to their list of viable targets to be investigated during the reconnaissance and scanning phases of the attack.
4- If a device is compromised, the attacker can leverage control over the device and escalate privileges.
ATTACK VECTORS
Database and SQL data injection attacks
1- Database applications have become core application components of control systems and their associated record-keeping utilities.
2- Databases used by control systems are often connected to databases located on the business network, and most use SQL. The information contained in databases makes them high-value targets for any attacker.
3- Attackers can exploit the communications channel between the two networks and bypass the security mechanisms used to protect the control system environment.
4- The effect of corrupted database content can impact data acquisition servers, historians, and even the operator HMI console, because control system databases are so reliant on data accuracy and integrity.
ATTACK VECTORS
Man-in-the-middle attacks
1- The ability for an attacker to re-route data that is in transit on a network, the ability to capture and analyze critical traffic that is in plaintext format, and the ability to reverse engineer any unique protocols to gain command over control communications.
2- By combining all of these, a MITM attack is executed.
3- As the attack is on the control domain, this plaintext traffic can be harvested (sniffed) and taken offline for analysis and review.
4- Using ARP poisoning and collecting traffic, the attacker can establish and maintain complete control over the communications in the network, preventing the HMI from issuing alarms.
5- MITM can be between the HMI and RTU due to the weak protocols that are used, like Modbus.
Penetration Testing Methodology
PENETRATION TESTING METHODOLOGY
The penetration testing methodology we use in control systems is like normal network penetration testing.
How?
* We are dealing with devices, operating systems (Windows, Linux), protocols over TCP, applications and SQL databases, and firewalls.
Audit identification
Devices and networks: router configs, router tables, switch tables, physical cable checks, packet sniffing
Services: local port verification (netstat)
Vulnerabilities: local banner grabbing
Perimeter: identify all external connections
* Review firewall rules
* Review remote access methods
* Check for wireless networks
* Check physical access
PENETRATION TESTING METHODOLOGY
The penetration testing methodology we use in control systems is like normal network penetration testing.
How?
Network Infrastructure
Review router configs
Review switch tables
Conduct physical cable checks
Conduct packet sniffing and analysis
Host operating systems
Review patch level
Review password quality
Review share and directory permissions
Review remote access
Applications
Review ports and services
Review OS credentials
Review remote access
Consider code review
PLCs, RTUs, etc.
Review patch levels
Review password quality
Conduct packet sniffing
PENETRATION TESTING METHODOLOGY
Scanning / Discovery
Some tools are available, like:
plcscan - scans Modbus devices
modscan - scans Modbus devices
Nmap (be careful: a single Nmap scan can crash a system)
Metasploit modules for Modbus detection
* Most PLCs (communication modules) have no ability to filter based on source IP address.
So we can:
Use Python scripts or John the Ripper for cracking
Brute-force the PLC online
Scan supported devices and stations
Change the name of stations
Change IP, netmask, gateway
Request full network info
PENETRATION TESTING METHODOLOGY
Analyze protocols
How do protocols live in the network?
Not blocked by firewalls/switches
Accessible between LAN segments
Work from the data link layer to the application layer
Easy to detect
Easy to analyze
So with the available tools we can:
Detect devices and their protocols
Monitor state and commands
Inject and modify reply packets in real time
Sniffing traffic:
Wireshark
tcpdump
Python
hex viewer
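The two points the deck makes about Modbus (a request packet carries no authentication, no encryption, no security; and Python is one of the sniffing tools) put together as an added example that is not part of the original deck: a minimal Modbus/TCP decoder run over constructed frames that alerts on write function codes from any host other than an allowlisted SCADA server, which is the compensating control when the protocol itself cannot say who sent a write. The master host 10.0.1.10, the rogue host 10.0.1.77 and the sample frames are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change controller state. Because Modbus/TCP has no
# authentication, any host that can reach port 502 can send these, so the
# compensating control is to know which master may send them and alert on others.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Constructed for this example: the only host that should issue writes.
ALLOWED_MASTERS = {"10.0.1.10"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]   # first address referenced by the request, if any
    payload: bytes           # PDU bytes after the function code


def parse_modbus_tcp(data: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, number of
    bytes after the length field), unit id (1). Raises ValueError on malformed input.
    """
    if len(data) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(data) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    pdu = data[7:]
    function = pdu[0]
    address = struct.unpack(">H", pdu[1:3])[0] if len(pdu) >= 3 else None
    return ModbusRequest(tid, unit, function, address, pdu[1:])


def build_request(tid: int, unit: int, function: int, payload: bytes) -> bytes:
    """Construct a Modbus/TCP request frame (used here only to build sample traffic)."""
    pdu = bytes([function]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def check_request(src_ip: str, data: bytes) -> Optional[str]:
    """Return an alert for a write from a host that is not an allowed master, else None."""
    req = parse_modbus_tcp(data)
    if req.function in WRITE_FUNCTIONS and src_ip not in ALLOWED_MASTERS:
        return (f"ALERT: {WRITE_FUNCTIONS[req.function]} (FC {req.function}) to unit "
                f"{req.unit_id} address {req.address} from unauthorized host {src_ip}")
    return None


def scan(traffic):
    """Run check_request over (source ip, frame) pairs and collect the alerts."""
    return [alert for alert in (check_request(ip, frame) for ip, frame in traffic) if alert]


# Constructed sample traffic: the SCADA server reads and writes, an unknown host writes.
SAMPLE_TRAFFIC = [
    ("10.0.1.10", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),   # read 10 holding regs
    ("10.0.1.10", build_request(2, 1, 6, struct.pack(">HH", 40, 1))),   # master writes reg 40
    ("10.0.1.77", build_request(3, 1, 6, struct.pack(">HH", 40, 0))),   # rogue host writes reg 40
    ("10.0.1.77", build_request(4, 1, 16, struct.pack(">HHB", 0, 2, 4) + bytes(4))),  # rogue bulk write
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC):
        print(alert)
```

In a real deployment the (source ip, frame) pairs would come from a capture on a SPAN port rather than from the constructed list, and the same parser works unchanged on Modbus/TCP traffic to port 502.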
PENETRATION TESTING METHODOLOGY
Analyze protocols
Modbus
Using the web is often the easiest way: 80% of Modbus/TCP devices have web interfaces. Other research shows most devices run Windows 2000.
DNP3
* Has source and destination addresses that can be useful in man-in-the-middle attacks, such as:
1- Turn off unsolicited reporting to stifle alarms
2- Issue unauthorized stops, restarts, or other functions that could disrupt specific operations
* Implementations typically do not employ encryption, authentication and authorization; DNP3 devices simply assume that all messages are valid.
PENETRATION TESTING METHODOLOGY
Analyze protocols
DNP3
Passive network reconnaissance: with appropriate access, captures and analyzes DNP3 messages. This provides information about network topology and device functionality.
Rogue test: installs a 'man-in-the-middle' device between the master and outstations that can read, modify and fabricate DNP3 messages and/or network traffic, memory addresses and other data.
Other attacks on the data link and application layers.
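An added example, not from the original deck, for the DNP3 points above (source and destination addresses in every frame, devices that assume all messages are valid, and the risk of unsolicited reporting being turned off or an outstation restarted): a link-layer parser with CRC-16/DNP verification that pulls out the addresses and the application function code, then flags frames that claim the master's DNP3 address from any other host and frames carrying a disable-unsolicited or restart request. The master address 1, outstation address 10, the host IPs and the sample frames are constructed for this example.

```python
import struct

DNP3_START = b"\x05\x64"

# Application-layer function codes that silence alarms or disrupt an outstation.
# A master may legitimately send them, but a defender wants every one logged.
DISRUPTIVE_FUNCTIONS = {
    0x0D: "COLD_RESTART",
    0x0E: "WARM_RESTART",
    0x12: "STOP_APPL",
    0x15: "DISABLE_UNSOLICITED",
}

# Constructed for this example: the single master address and the host it lives on.
MASTER_ADDRESS = 1
MASTER_IP = "10.0.1.10"


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP as used by the DNP3 link layer: polynomial 0x3D65 (reflected
    0xA6BC), initial value 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(dest: int, src: int, user_data: bytes, control: int = 0xC4) -> bytes:
    """Construct a DNP3 frame: 8-byte link header + CRC, then one user-data block + CRC.
    Control 0xC4 = DIR (from master), PRM, link function 4 (unconfirmed user data)."""
    if len(user_data) > 16:
        raise ValueError("this example builder supports a single 16-byte block")
    header = DNP3_START + bytes([5 + len(user_data), control]) + struct.pack("<HH", dest, src)
    return (header + struct.pack("<H", crc16_dnp(header))
            + user_data + struct.pack("<H", crc16_dnp(user_data)))


def parse_frame(frame: bytes) -> dict:
    """Decode the link header, verify both CRCs, and extract the application function code."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 frame")
    length, control = frame[2], frame[3]
    dest, src = struct.unpack("<HH", frame[4:8])      # destination first, little-endian
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(frame[:8]):
        raise ValueError("link header CRC mismatch")
    user_len = length - 5          # length field counts control + both addresses + user data
    block = frame[10:10 + user_len]
    if len(block) != user_len or len(frame) < 12 + user_len:
        raise ValueError("truncated user data")
    if struct.unpack("<H", frame[10 + user_len:12 + user_len])[0] != crc16_dnp(block):
        raise ValueError("user data CRC mismatch")
    # user data = transport header (1) + application control (1) + function code (1) + objects
    app_fc = block[2] if len(block) >= 3 else None
    return {
        "dest": dest,
        "src": src,
        "from_master": bool(control & 0x80),   # DIR bit
        "primary": bool(control & 0x40),       # PRM bit
        "app_fc": app_fc,
    }


def check_frame(src_ip: str, frame: bytes) -> list:
    """Alert on a frame that claims the master's DNP3 address from another host, and on
    the disruptive function codes (the deck's 'turn off unsolicited reporting' and restarts)."""
    info = parse_frame(frame)
    alerts = []
    if info["src"] == MASTER_ADDRESS and src_ip != MASTER_IP:
        alerts.append(f"address spoofing: DNP3 source {info['src']} sent from host {src_ip}")
    if info["app_fc"] in DISRUPTIVE_FUNCTIONS:
        alerts.append(f"{DISRUPTIVE_FUNCTIONS[info['app_fc']]} sent to outstation "
                      f"{info['dest']} from {src_ip}")
    return alerts


# Constructed samples: transport header 0xC0 (FIR|FIN), app control 0xC0 (FIR|FIN), then fc.
READ_REQUEST = build_frame(10, MASTER_ADDRESS, bytes([0xC0, 0xC0, 0x01]))
DISABLE_UNSOL = build_frame(10, MASTER_ADDRESS, bytes([0xC0, 0xC0, 0x15]))

if __name__ == "__main__":
    for ip, frame in (("10.0.1.10", READ_REQUEST), ("10.0.1.77", DISABLE_UNSOL)):
        print(ip, check_frame(ip, frame))
```

Note that a correct CRC only proves the frame was not corrupted in transit, not who built it; the host-to-address pairing is what catches a rogue device that forges the master's address.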
PENETRATION TESTING METHODOLOGY
Data manipulation
Available tools
Web application test and SQL injection
* As SCADA uses web applications on the HMI and SQL in the database, we can test them for possible vulnerabilities.
Modlib - Scapy extension [Python]
OpenDNP3 - library [C++]
Metasploit modules
Conclusion
SCADA SECURITY
Creating Demilitarized Zones (DMZs): multiple DMZs could also be created for separate functionalities and access privileges, such as peer connections, the data historian, and the Inter-Control Center Communications Protocol (ICCP) server in SCADA systems.
Firewalls: properly configured and coordinated, they can protect passwords, IP addresses, files and more.
Proxy servers: a proxy server is an internet server that acts as a firewall, mediating traffic between a protected network and the internet.
The security policy: effective security policies and procedures are the first step to a secure control systems network. Many of the same policies
Security training: providing the staff who work in the facility with security training is essential for preventing physical and social engineering attacks.
SCADA SECURITY
1- Identify all connections to SCADA networks
2- Disconnect unnecessary connections to the SCADA network
3- Remove or disable unnecessary services
4- Implement internal and external IDS and establish 24-hour incident monitoring
5- Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
6- Clearly define cyber security roles, responsibilities and authorities for managers, system administrators and users
7- Document the network architecture and identify systems that serve critical functions and require additional levels of protection
Scada Industrial Control Systems Penetration Testing
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 

Scada Industrial Control Systems Penetration Testing

  • 1. PENETRATION TESTING A SCADA INDUSTRIAL CONTROL SYSTEMS By : Yehia Mamdouh
  • 2. THIS PRESENTATION WILL LET US KNOW: What is SCADA? What is it used for? What are the benefits of using SCADA? SCADA system concept. How SCADA communication works. SCADA protocols. SCADA cyber security. Types of SCADA networks. Attack vectors. Penetration testing methodology. Conclusion.
  • 3. WHAT IS A SCADA CONTROL SYSTEM? * SCADA: Supervisory Control and Data Acquisition. A type of control system that can be used to monitor many different kinds of equipment in many different kinds of environments. * In general it refers to an industrial control system (ICS).
  • 4. WHERE YOU CAN LOCATE SCADA? * Electric power generation, transmission, and distribution * Water and sewage * Buildings, facilities, and environments * Manufacturing * Mass transit * Traffic signals.
  • 5. BENEFITS OF SCADA Used for: 1- Transmits individual device status. 2- Manages energy consumption by controlling the devices. 3- Allows direct control of power system equipment. 4- Controls chemical plant processes, oil and gas pipelines, electrical generation and transmission equipment, manufacturing facilities, etc. EX: motors, valves, pumps, relays, etc. Benefits: 1- Identify and solve problems before they even start. 2- Keep your eye on long-term trends and threats. 3- Identify and attack bottlenecks and inefficiencies throughout the enterprise. 4- Effectively manage bigger and more complicated processes with a smaller staff.
  • 6. SCADA SYSTEM CONCEPT SCADA Workstation: the human operator's device for issuing commands to the central SCADA console; it receives raw data in human-readable form and is also used to monitor and control. HMI (Human-Machine Interface): the software and hardware that allow the human operator to monitor the state of the process under control, modify control settings and manually override automatic control operations. The interface sits between the human operator and the commands relevant to the SCADA system (Windows, Linux or Unix).
  • 7. SCADA SYSTEM CONCEPT Data Historian: collects and stores information from your mission-critical systems so that you can extract it and perform accurate analyses (SQL). SCADA Server / MTU (Master Terminal Unit): a device that issues the commands to the Remote Terminal Units (RTUs), which are located at places remote from the control centre; it gathers the required data, stores the information, processes it and displays it. RTU: connects to sensors on the process, converts sensor signals and sends digital data to the supervisory systems. PLC (Programmable Logic Controller): automatically performs the main site control process, which controls the operation of industrial equipment such as machinery.
  • 8. HOW SCADA COMMUNICATION WORKS * The control operator or workstation monitors the data and initiates control commands through the HMI. * HMIs are traditional applications installed on workstations running Windows or Linux, and more recently web applications; these HMIs speak to the SCADA controlling server. * The SCADA controlling server draws on the data historian, which is basically a database that the SCADA server pushes data to and in some cases pulls data from. * The SCADA server sends the appropriate signal to the correct RTU or PLC. * The RTU or PLC consults its pre-programmed logic to determine what it should do with this control signal and controls the operation of the industrial equipment. * Equipment, for example: relays, capacitor banks, feeder switches, actuators.
  • 9. [Diagram: System Concept of SCADA. Sensor inputs (temperature level, pressure level, oil level, alarm, radioactivity level) feed RTU/PLC units; these connect over a communication router and a wide area network to the SCADA server, data historian, workstation and HMI (web interface). Modbus TCP/IP and DNP3 are the protocols that communicate between the SCADA server and the RTU/PLC.]
  • 10. SCADA PROTOCOLS * We have mentioned that the SCADA server sends signals to the RTU or PLC and vice versa. How can the central SCADA console receive information from sensors, which are very simple devices? Here is where SCADA protocols come in! * The RTU collects data from sensors and converts the readings into a protocol, such as MODBUS or DNP3, that can be transported across your communications network and back to you. DNP3 (Distributed Network Protocol) is used for communications between the master station and RTUs; port 20000 TCP/UDP. Modbus is typically used for Supervisory Control and Data Acquisition (SCADA)-style network communication between devices, with implementations over serial and TCP/IP; standard port 502 TCP.
  • 11.
  • 12. WHY IS SECURITY IMPORTANT IN CONTROL SYSTEMS? Why? * The ability of cyber intruders to gain access to networked control systems might be easy to obtain. * More efficient methods of communication bring new risks that can cause disasters. * Control systems share common vulnerabilities with traditional information technology. * Control systems have recently been adopting web technology, which is an interesting target for cyber attacks. * Insecure protocols transmit the data, some of them over TCP/IP. * Control systems have turned to Windows and Linux, which have known vulnerabilities.
  • 13. WHY IS SECURITY IMPORTANT IN CONTROL SYSTEMS? * New protocols and communication standards that are providing increased are the same technologies that have been exploited and compromised in the Internet and networking domains. [Figure labels: Modbus TCP, Modbus request packet: no authentication, no encryption, no security. Attack categories: attacks on field devices; database attacks; communications hijacking and 'man-in-the-middle' attacks; vulnerabilities in common protocols.]
  • 14. REAL ATTACKS In recent years, security risks have been reported in control systems.
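Slides 10 and 13 make the point that a Modbus/TCP request carries no authentication, so the only place a write to a coil or register can be challenged is on the wire. The following added example (not part of the presentation) is a small passive monitor: it decodes the 7-byte MBAP header and function code and raises an alert for any write request whose source host is not on a constructed allow-list of known masters. The sample frames and IP addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes. Writes change plant state, so a monitor treats them
# differently from reads (function codes 1-4).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int          # starting coil/register address
    value_or_count: int   # quantity for reads, value for single writes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP ADU: MBAP header (tid, protocol id, length, unit id) + PDU."""
    if len(payload) < 12:
        raise ValueError("frame shorter than MBAP header, function code and two fields")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    # The length field counts everything after itself, i.e. frame size minus 6.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = payload[7]
    address, value_or_count = struct.unpack(">HH", payload[8:12])
    return ModbusRequest(transaction_id, unit_id, function, address, value_or_count)


def audit_flow(frames, allowed_masters):
    """Return (source, reason) alerts for malformed frames and for writes from unknown hosts."""
    alerts = []
    for src, payload in frames:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((src, f"malformed frame: {exc}"))
            continue
        if req.function in WRITE_CODES and src not in allowed_masters:
            name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
            alerts.append((src, f"unauthorised {name} to unit {req.unit_id} at address {req.address}"))
    return alerts


# Constructed sample traffic: one legitimate master (10.0.0.5), one unknown host writing a coil,
# and a frame whose length field lies about its size.
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),   # read 10 holding registers
    ("10.0.0.99", bytes.fromhex("00020000000601050013ff00")),  # write single coil 19 = ON
    ("10.0.0.5", bytes.fromhex("000400000006010600010005")),   # write register 1 = 5 (allowed)
    ("10.0.0.7", bytes.fromhex("000300000009010600010005")),   # length says 9, frame has 6
]

if __name__ == "__main__":
    for src, reason in audit_flow(SAMPLE_FRAMES, {"10.0.0.5"}):
        print(f"ALERT {src}: {reason}")
```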
  • 15. Types of SCADA Networks
  • 16. TYPES OF SCADA NETWORKS Early or monolithic SCADA systems: * The first SCADA systems held all operations in one computer, usually a mainframe. There was little control exercised, and most early SCADA functions were limited to monitoring sensors and flagging operations. * Limited to a single plant or facility. Like the software, SCADA hardware from one vendor was rarely usable in another vendor's SCADA system.
  • 17. TYPES OF SCADA NETWORKS Distributed SCADA systems: * Shared control functions across multiple smaller (usually PC) computers connected by Local Area Networks (LANs). * Shared real-time information and often performed small control tasks in addition to alerting operators to possible problems.
  • 18. TYPES OF SCADA NETWORKS Networked SCADA systems: * Current SCADA systems are usually networked. * They communicate through Wide Area Network (WAN) systems, over phone or data lines, and often transmit data between nodes through Ethernet or fibre-optic connections. * They make heavy use of Programmable Logic Controllers (PLCs) to monitor and make routine process adjustments. * The hardware tends to be more interchangeable, as PLC and other sub-unit vendors have standardised communications and other protocols to allow the user to choose the best component for their needs.
  • 19. TYPES OF SCADA NETWORKS Internet of Things (IoT): * A data model allows defining the types of data that will be monitored and allows new types to be added quickly and easily as new smart objects are added to the process. * Allows combinations of smart things/objects and sensor network technologies. * Communication will bring physical business benefits such as high-resolution management of resources and products, better collaboration between enterprises, and improved life-cycle management.
  • 20.
  • 21. ATTACK VECTORS * SCADA systems are vulnerable to the same threats as any TCP/IP-based system. * SCADA administrators and industrial systems analysts are deceived into thinking that since their industrial networks are on separate systems, they are safe from outside attacks. * PLCs and RTUs are usually polled by other third-party, vendor-specific networks and protocols such as MODBUS and DNP, usually over phone lines, leased private frame relay circuits or satellite systems. * Security in an industrial network can be compromised in many places along the system and is most easily compromised at the SCADA host or control room level. SCADA attacks: how far?
  • 22. ATTACK VECTORS ++ Once the corporate network is compromised, any IP-based device or computer system can be accessed. ++ 24/7 availability provides an opportunity to attack the SCADA host system, which can cause: * Denial of Service (DoS) attack to crash the SCADA server, leading to a shutdown condition. * Deletion of system files on the SCADA server (system downtime and loss of operations). * Planting a Trojan and taking complete control of the system. * Logging of company-sensitive operational data for personal or competitive use. These attack vectors should be addressed: 1- Backdoors and holes in the network perimeter. 2- Vulnerabilities in common protocols. 3- Attacks on field devices. 4- Database attacks. 5- Communications hijacking and 'man-in-the-middle' attacks.
  • 23. ATTACK VECTORS Backdoors and holes in the network perimeter: 1- Modern networks in the control system arena often have inherent capabilities that are deployed without sufficient security analysis and can provide access to attackers once they are discovered. 2- Network components have technologies that often include firewalls, public-facing services and wireless access; each of these components often has associated security vulnerabilities. 3- Remotely located control system elements can be accessed via remotely connected communications; if the systems are based on commercial operating systems, the attacks can be via DDoS, escalated-privilege exploits or Trojan horses.
  • 24. ATTACK VECTORS Backdoors and holes in the network perimeter: 4- Organisations in many CI/KR sectors provide data to customers and providers through publicly accessible services, such as calculating load expectations or billing futures information. As these services are in the public domain, they are often accessible from the Internet with little or no user access limitation. 5- If the relationship between the firewall and the web server is not deployed right, it allows unauthorised data to flow from the external side to the internal domain. If the attacker compromises the trusted web server, the attacker has a channel to access internal services (or the control systems) on the LAN.
  • 25. ATTACK VECTORS Attacks using common protocols: 1- Microsoft XP, a platform commonly used in control systems, mitigates the security issues. 2- Control systems and modern networking technologies come with some inherited security vulnerabilities. Even though many of these vulnerabilities have solutions and available workarounds, the deployment of these mitigations in control system architectures is not always feasible.
  • 26. ATTACK VECTORS Attacks into the control system via field devices: 1- Control system architectures usually have a capability for remote access to terminal end points and devices in a number of ways, including by telephone or dedicated means, to provide for the collection of operational and maintenance data. 2- Modern equipment has embedded file servers and web servers to facilitate robust communications; these devices are part of an internal and trusted domain, and thus access into these devices can provide an attacker with an unauthorised vector into the control system architecture. 3- RTUs are an extension of the control domain, so attackers can add these field devices to their list of viable targets to be investigated during the reconnaissance and scanning phases of the attack. 4- If a device is compromised, the attacker can leverage control over the device and escalate privileges.
  • 27. ATTACK VECTORS Database and SQL data injection attacks: 1- Database applications have become core application components of control systems and their associated record-keeping utilities. 2- Databases used by control systems are often connected to databases located on the business network, and most use SQL. The information contained in databases makes them high-value targets for any attacker. 3- Attackers can exploit the communications channel between the two networks and bypass the security mechanisms used to protect the control system environment. 4- The effect of corrupted database content can impact data acquisition servers, historians and even the operator HMI console. Control system databases are especially exposed because they are so reliant on data accuracy and integrity.
  • 28. ATTACK VECTORS Man-in-the-middle attacks: 1- The ability of an attacker to re-route data that is in transit on a network, to capture and analyse critical traffic that is in plaintext format, and to reverse engineer any unique protocols to gain command over control communications. 2- By combining all of these, a MITM attack is executed. 3- As the attack is on the control domain, this plaintext traffic can be harvested (sniffed) and taken offline for analysis and review. 4- Using ARP poisoning and collecting traffic, the attacker can establish and maintain complete control over the communications in the network, preventing the HMI from issuing alarms. 5- The MITM can sit between the HMI and the RTU because of the weak protocols that are used, such as Modbus.
  • 30. PENETRATION TESTING METHODOLOGY The penetration testing methodology we use in control systems is like normal network penetration testing. How? * We are dealing with devices, operating systems (Windows, Linux), protocols over TCP, applications and SQL databases, and firewalls. Audit identification: Devices and networks: router configs, router tables, switch tables, physical cable checks, packet sniffing. Services: local port verification (netstat). Vulnerabilities: local banner grabbing. Perimeter: identify all external connections; * review firewall rules; * review remote access methods; * check for wireless networks; * check physical access.
  • 31. PENETRATION TESTING METHODOLOGY The penetration testing methodology we use in control systems is like normal network penetration testing. How? Network infrastructure: review router configs; review switch tables; conduct physical cable checks; conduct packet sniffing and analysis. Host operating systems: review patch level; review password quality; review share and directory permissions; review remote access. Applications: review ports and services; review OS credentials; review remote access; consider code review. PLCs, RTUs, etc.: review patch levels; review password quality; conduct packet sniffing.
  • 32. PENETRATION TESTING METHODOLOGY Scanning / discovery: some tools are available, such as plcscan (scans Modbus devices), modscan (scans Modbus devices), Nmap (be careful: a single Nmap scan can crash a system) and Metasploit modules for Modbus detection. * Most PLCs (communication modules) have no ability to filter based on source IP address, so we can use Python scripts or John the Ripper to brute-force PLC credentials online. Scan supported devices and stations; change the name of stations; change IP, netmask and gateway; request full network info.
  • 33. PENETRATION TESTING METHODOLOGY Analyse protocols: how do the protocols live in the network? Not blocked by firewalls/switches; accessible between LAN segments; working from the data link layer to the application layer; easy to detect; easy to analyse. So, with the available tools, we can detect devices and their protocols, monitor state and commands, and inject or modify reply packets in real time. Sniffing traffic: Wireshark, tcpdump, Python, hex viewer.
  • 34. PENETRATION TESTING METHODOLOGY Analyse protocols: Modbus: using the web is often the easiest way; 80% of Modbus/TCP devices have web interfaces. Other research shows most devices run Windows 2000. DNP3: * Has source and destination addresses that can be useful in man-in-the-middle attacks, such as 1- turning off unsolicited reporting to stifle alarms, 2- issuing unauthorised stops, restarts or other functions that could disrupt specific operations. * Implementations typically do not employ encryption, authentication or authorisation; DNP3 devices simply assume that all messages are valid.
  • 35. PENETRATION TESTING METHODOLOGY Analyse protocols: DNP3. Passive network reconnaissance: with appropriate access, captures and analyses DNP3 messages. This provides information about network topology, device functionality, memory addresses and other data. Rogue test: installs a 'man-in-the-middle' device between the master and outstations that can read, modify and fabricate DNP3 messages and/or network traffic. Other attacks target the data link and application layers.
  • 36. PENETRATION TESTING METHODOLOGY Data manipulation: available tools. Web application testing and SQL injection: * as SCADA uses web applications on the HMI and SQL in the database, we can test them for possible vulnerabilities. Modlib (Scapy extension, Python); OpenDNP3 (library, C++); Metasploit modules.
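Slides 34 and 35 note that DNP3 devices accept any message whose link-layer header carries plausible source and destination addresses, which is exactly what a rogue master or in-line device exploits. The following added example (not from the presentation) shows the defender's counterpart: it parses the 10-octet DNP3 link header (start bytes 0x05 0x64, length, control octet, destination, source, CRC-16/DNP) and reports frames that set the master-direction bit but come from an address other than the one configured master, as well as frames whose header CRC no longer verifies. The master and outstation addresses and the sample frames are constructed for the example.

```python
import struct
from typing import NamedTuple


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0x3D65 (0xA6BC bit-reversed), zero init, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


class LinkHeader(NamedTuple):
    length: int        # octets after LEN excluding CRCs: ctrl + dest + src + user data
    from_master: bool  # DIR bit (0x80): set when the frame travels master -> outstation
    primary: bool      # PRM bit (0x40): set when sent by the initiating station
    function: int      # low four bits of the control octet
    destination: int
    source: int


def parse_link_header(frame: bytes) -> LinkHeader:
    """Validate start bytes and header CRC, then unpack the addresses (little-endian)."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("missing DNP3 start bytes 0x05 0x64")
    length, ctrl, dest, src, crc = struct.unpack("<BBHHH", frame[2:10])
    if dnp3_crc(frame[:8]) != crc:
        raise ValueError("header CRC mismatch")
    if length < 5:
        raise ValueError("LEN below the 5-octet minimum")
    return LinkHeader(length, bool(ctrl & 0x80), bool(ctrl & 0x40), ctrl & 0x0F, dest, src)


def link_header(ctrl: int, dest: int, src: int, user_len: int = 0) -> bytes:
    """Build a constructed sample header so the examples carry a valid CRC."""
    body = struct.pack("<BBBBHH", 0x05, 0x64, 5 + user_len, ctrl, dest, src)
    return body + struct.pack("<H", dnp3_crc(body))


def find_rogue_masters(frames, known_master: int):
    """Report (kind, detail) for unknown master addresses and for corrupt or tampered headers."""
    findings = []
    for frame in frames:
        try:
            hdr = parse_link_header(frame)
        except ValueError as exc:
            findings.append(("corrupt", str(exc)))
            continue
        if hdr.from_master and hdr.source != known_master:
            findings.append(("rogue-master",
                             f"source {hdr.source} -> outstation {hdr.destination}, function {hdr.function}"))
    return findings


# Constructed scenario: configured master address 100 polls outstation 10.
KNOWN_MASTER = 100
CTRL_MASTER_USER_DATA = 0x80 | 0x40 | 0x04   # DIR=1, PRM=1, unconfirmed user data
CTRL_OUTSTATION_REPLY = 0x40 | 0x04          # DIR=0, PRM=1
tampered = bytearray(link_header(CTRL_MASTER_USER_DATA, 10, KNOWN_MASTER))
tampered[4] ^= 0x01                           # destination altered in transit, CRC left stale
SAMPLE_FRAMES = [
    link_header(CTRL_MASTER_USER_DATA, 10, KNOWN_MASTER),  # legitimate poll
    link_header(CTRL_OUTSTATION_REPLY, KNOWN_MASTER, 10),  # legitimate reply
    link_header(CTRL_MASTER_USER_DATA, 10, 200),           # unknown station claiming master role
    bytes(tampered),
]

if __name__ == "__main__":
    for kind, detail in find_rogue_masters(SAMPLE_FRAMES, KNOWN_MASTER):
        print(f"{kind}: {detail}")
```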
  • 38. SCADA SECURITY Creating demilitarised zones (DMZs): multiple DMZs can also be created for separate functionalities and access privileges, such as peer connections, the data historian and the Inter-Control Center Communications Protocol (ICCP) server in SCADA systems. Firewalls, properly configured and coordinated, can protect passwords, IP addresses, files and more. Proxy servers: a proxy server is an Internet server that acts as a firewall, mediating traffic between a protected network and the Internet. The security policy: effective security policies and procedures are the first step to a secure control systems network. Many of the same policies apply. Security training: providing the staff that work in the facility with security training is very essential for preventing physical and social engineering attacks.
  • 39. SCADA SECURITY 1- Identify all connections to SCADA networks. 2- Disconnect unnecessary connections to the SCADA network. 3- Remove or disable unnecessary services. 4- Implement internal and external IDS and establish 24-hour incident monitoring. 5- Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security. 6- Clearly define cyber security roles, responsibilities and authorities for managers, system administrators and users. 7- Document the network architecture and identify systems that serve critical functions and require additional levels of protection.