out of control demonstrating scada exploitation brian
play

Out of Control: Demonstrating SCADA Exploitation Brian Meixell - PowerPoint PPT Presentation

Jul 31, 2023 •162 likes •626 views

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013 Agenda SCADA 101 Attack Scenarios Common Vulnerabilities Remediation Exploit Demo SCADA 101 SCADA DCS Supervisory Distributed

  1. Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

  2. Agenda • SCADA 101 • Attack Scenarios • Common Vulnerabilities • Remediation • Exploit Demo

  3. SCADA 101 SCADA DCS Supervisory Distributed Control Control And System Data Acquisition

  4. INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Firewall Enterprise Network Domain Controller OPC Server Historian CCTV Server Plant Firewall Standard Plant Bus DCS Network HMI Control HMI Firewall EWS Terminal Bus Application Server Control Bus PLC PLC PLC PLC Field Bus to Instrumentation Hardwired Hardwired Field Bus to Instrumentation Instrumentation Instrumentation

  5. INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Firewall Enterprise Network Domain Controller OPC Server Historian Central Facilities Firewall Standard ACN SCADA Network EWS HMI Control HMI Firewall Terminal Bus Application Server PLC PLC PLC PLC Field Bus to Instrumentation Field Bus to Instrumentation Hardwired Hardwired Instrumentation Instrumentation

  6. INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Firewall Standard Typical Enterprise Network SCADA Network Domain Controller OPC Server Historian Central Facilities Firewall ACN My Favorite EWS HMI Control HMI Firewall Firewall Rule ANY <---> ANY Terminal Bus Application Server PLC PLC PLC PLC Field Bus to Instrumentation Field Bus to Instrumentation Hardwired Hardwired Instrumentation Instrumentation

  7. INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Firewall Domain Controller OPC Server Historian Enterprise Network Or this... EWS HMI HMI Terminal Bus Application Server PLC PLC PLC PLC Field Bus to Instrumentation Field Bus to Instrumentation Hardwired Hardwired Instrumentation Instrumentation

  8. Components Historian

  9. Components Human Machine Interface

  10. Components Application Server

  11. Components Engineering Workstation

  12. Components Programmable Logic Controller

  13. Components Remote Terminal Unit

  14. Components Instrumentation

  15. INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Attack Vectors Firewall It’s all about the pivot Enterprise Network Domain Controller OPC Server Historian CCTV Server Typical Communications Plant Firewall • Plant Bus Historical Data • Daily product totals HMI Control HMI • Firewall New product orders • Demand Calculations EWS Terminal Bus Application Server Control Bus PLC PLC PLC PLC Field Bus to Instrumentation Hardwired Hardwired Field Bus to Instrumentation Instrumentation Instrumentation

  16. So I’ve just owned a Historian... NOx Flared 60 • Windows Server Class Machine 50 • Cover up past poorly executed attacks 40 30 • Destroy a company’s Health/Safety record 20 • Modify view of plant state to corporation 10 • Pivot to juicier targets 0 NOx Flared

  17. INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Attack Vectors Firewall It’s all about the pivot Enterprise Network Domain Controller OPC Server Historian CCTV Server Typical Communications Plant Firewall • Plant Bus Historical Data • Network Statistics HMI Control HMI • Firewall OPC • Domain Services EWS Terminal Bus Application Server Control Bus PLC PLC PLC PLC Field Bus to Instrumentation Hardwired Hardwired Field Bus to Instrumentation Instrumentation Instrumentation

  18. So I’ve just owned an HMI • Windows Workstation Class Machine • Write setpoints • Spoof operator’s view of process • CAUTION • Each HMI spoof process must be synchronized • Required IPC of some kind • Pivot to juicier targets

  19. INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Attack Vectors Firewall It’s all about the pivot Enterprise Network Domain Controller OPC Server Historian CCTV Server Typical Communications Plant Firewall • Plant Bus Setpoint writes • I/O Value Reads HMI Control HMI • Firewall Alarm Notifications • Control Bus Diagnostics EWS Terminal Bus Application Server Control Bus PLC PLC PLC PLC Field Bus to Instrumentation Hardwired Hardwired Field Bus to Instrumentation Instrumentation Instrumentation

  20. So I’ve just owned an Application Server • Windows Server Class Machine • Spoof view of process to all downstream components • Real-time and Historical Data • No synchronization across components necessary • Simply modify the backend database values • Pivot to Juicier targets

  21. INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Attack Vectors Firewall It’s all about the pivot Enterprise Network Domain Controller OPC Server Historian CCTV Server Plant Firewall Typical Communications • Doesn’t matter! Plant Bus • The benefits of dual homing boxes HMI Control HMI Firewall EWS Terminal Bus Application Server Control Bus PLC PLC PLC PLC Field Bus to Instrumentation Hardwired Hardwired Field Bus to Instrumentation Instrumentation Instrumentation

  22. So I’ve just owned an Engineering Workstation • Windows Server/Workstation Class Machine • Modify actual logic of controllers • Download online updates to controllers • Does not take down process but can subtly change it • Remove engineered safety logic • Steal PLC source code • Pivot to embedded hardware

  23. INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Attack Vectors Firewall It’s all about the pivot Enterprise Network Domain Controller OPC Server Historian CCTV Server Plant Firewall O wnage Imminent • Logic updates to controllers Plant Bus • Reconfigure network HMI Control HMI Firewall • Reconfigure controllers • EWS Full visibility into process Terminal Bus Application Server Control Bus PLC PLC PLC PLC Field Bus to Instrumentation Hardwired Hardwired Field Bus to Instrumentation Instrumentation Instrumentation

  24. So I’ve just destroyed the process... • Embedded Hardware • VxWorks • Linux (Usually BusyBox) • Old crusty RTOS • Modify logic while online • Write arbitrary memory • Input Table • Output Table

  25. You’d think it would take a Nation State • It doesn’t! • Most Windows based machines are woefully out of date • Vendors must approve all patches • Any change in a system requires a complicated MOC processes • If it ain’t broke, don’t fix it mentality • Many Controllers are laughably insecure • Designed for availability and ease of troubleshooting

  26. INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Firewall Enterprise Network Domain Controller OPC Server Historian Central Facilities That was exhausting Firewall ACN Let’s make life easy EWS HMI Control HMI Firewall Terminal Bus Application Server PLC PLC PLC PLC Field Bus to Instrumentation Field Bus to Instrumentation Hardwired Hardwired Instrumentation Instrumentation

  27. But they seem patched and I have no 0-day • Industrial protocols • Not encrypted by design • Hardware too weak to support encryption • Many are little more than encapsulated serial frames • Controllers now have many services • FTP IP Header Legacy Serial Protocol • HTTP • Debug • CVE-2005-3715, CVE-2005-3804, CVE-2006-0374

  28. Industrial Protocols • Modbus/TCP • TCP port 502 • Minor changes from Modbus/RTU developed in 1970s • Ethernet/IP • TCP port 44818 • Similar to SNMP • Fully compatible with serial brethren • ControlNet, DeviceNet • IP encapsulated serial • Encryption never a concern

  29. At the end of the day, it’s all just bits Octet 0 1 2 3 Bit 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Source Port (16 bits) Modbus 502/tcp Sequence Number (32 bits) Acknowledgement Number (32 bits) C E U A P R S F Dat a Offset N Window Size (16 bits) Reserve W C R C S S I Y (4 bits) S d R E G K H T N N TCP Checksum (16 bits) Urgent Pointer (16 bits) Options Padding Modbus Data

  30. At the end of the day, it’s all just bits A look at Modbus over TCP Function Transaction ID Protocol ID Data Data Length Unit ID Code MSB LSB 0x00 0x00 DATA # of bytes See Table 0xFF (Typ) Function Code Function 0x01 Read Coil 0x02 Read Discrete Input 0x03 Read Holding Register 0x04 Read Input Register 0x05 Write Single Coil 0x06 Write Single Register

  31. Just ask nicely • How to turn on a pump Function Trans ID Data Length Protocol ID Unit ID Data Code 0x00 0x00 0xFF 0xFF 0x00 0x06 0xFF (Typ) 0x05 0x00 0x00 0xFF 0x00 Data Byte Meaning 1: 0x00 MSB of Reference Number 2: 0x00 LSB of Reference Number 3: 0xFF ON (0x00 for OFF) 4: 0x00 Always zero CAUTION: The reference number mapping to the pump must be known Nuke Button Approach: Just write every output ON

  32. Complications • Control Engineers implement safety logic • Interlocks • Permissives

  33. Solutions • Remove safety logic! • Modify logic on the fly • Required feature of most Controllers • Updates can be made from EWS • Logic source is also on EWS

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data

SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data

SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data Acquisition SCADA is the system that controls the various operating processes at our facilities. It is also the system that collects and stores

1.17k views • 23 slides
Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems

Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems

www.elvac.eu Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems for energetics Quality metering in class A ARTIQ 144 measurements 4V4I, communication interface RS-485, optionally Ethernet or USB,

605 views • 13 slides
SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK. E-Mail: andrew.blyth@southwales.ac.uk SCADA and Ukraine SCADA Hacking Typical SCADA Critical Infrastructure Architecture 4 SCADA and IPC Forensic

303 views • 17 slides
ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &amp;

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &amp;

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &amp; Jason Wong 1. BACKGROUND What is Spire? What is SCADA? What is SCADA? Supervisory Control and Data Acquisition Allows for centralized

530 views • 18 slides
SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen Operations Support Manager Western Area Power Administration Sub Substation Ne station Netwo twork rk Sec Security urity Tyler Stinson

627 views • 13 slides
SCADA Security Eric Chan Fortinet SouthEast Asia &amp; HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia &amp; HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia &amp; HK SCADA Network Architecture CONFIDENTIAL INTERNAL ONLY 2 Where are the Threats Coming From? External Sources SCADA systems are often interconnected to other SCADA systems and

480 views • 12 slides
ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA

ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA

ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA networks Researchers: Wenyu Ren , Klara Nahrstedt, Tim Yardley Motivation Supervisory Control And Data Acquisition (SCADA) Problem with

1.12k views • 22 slides
THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS COMMUNICATIONS Dieter Gtschow Telecommunications specialist Industry Association Resource Centre African Utility Week, 810 May 2006 Overview

549 views • 21 slides
SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and other Gleb Gritsai *All pictures are taken from Dr Group of security researchers focused on ICS/SCADA Alexander Timorin Dmitry Serebryannikov

1.13k views • 65 slides
_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor slrtu030.doc ~_-Computer Alternate Signal Path (3 x #16 wires) 3.275 Ghz Satollite Earth Station 3.275 Ghz Satellite _-'/P&quot;lnK Antenna

2.28k views • 183 slides
SCADA MikroDispeink News Vlastimil Janik Mikrodispeink Control system for electric stations

SCADA MikroDispeink News Vlastimil Janik Mikrodispeink Control system for electric stations

www.elvac.eu SCADA MikroDispeink News Vlastimil Janik Mikrodispeink Control system for electric stations and dispatching centers Editing Module - WEdit It is now possible for users to edit description of signal states, signal attributes

322 views • 20 slides
Production Control System Upgrade - SCADA Pre-Proposal Meeting July 10, 2018 Robert Pina

Production Control System Upgrade - SCADA Pre-Proposal Meeting July 10, 2018 Robert Pina

Production Control System Upgrade - SCADA Pre-Proposal Meeting July 10, 2018 Robert Pina Director Enterprise Solutions, SAWS Janie M. Powell Contract Administrator, SAWS Susan Rodriquez SMWVB Program Specialist, SAWS Nabil Antary

564 views • 30 slides
System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is

System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is

System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is SCADA? S upervisory C ontrol A nd D ata A cquisition , a computer system for gathering and analysing real-time data. SCADA systems are used to

309 views • 15 slides
! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented Exploitation ! Techniques ! Demo ! Mac OS X x86_64 ! Conclusion ! Morris Worm (November 1988) ! Exploited a stack buffer overflow in BSD in.fingerd on VAX

1.02k views • 80 slides
Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh

Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh

10/30/2015 Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh University by Dr. Liang Cheng and Dr. Shalinee Kishore. Motivation for SCADA Suppose you have a simple electrical circuit consisting

538 views • 15 slides
Scheme in Industrial Automation Marco Benelli &lt;mbenelli@yahoo.com&gt; SCADA Supervisor

Scheme in Industrial Automation Marco Benelli &lt;mbenelli@yahoo.com&gt; SCADA Supervisor

Scheme in Industrial Automation Marco Benelli &lt;mbenelli@yahoo.com&gt; SCADA Supervisor Control And Data Acquisition Sensors / Actuators Microcontrollers (PLCs) Supervisor Human Machine Interface Image from wikipedia

559 views • 39 slides
Feedback Control Theory a Computer System s Perspective Introduction Introduction

Feedback Control Theory a Computer System s Perspective Introduction Introduction

Feedback Control Theory a Computer System s Perspective Introduction Introduction What is feedback control? What is feedback control? Why do computer systems need feedback control? Why do computer systems need feedback

928 views • 50 slides
Realworldexample:StuxnetWorm Stuxnet:Overview

Realworldexample:StuxnetWorm Stuxnet:Overview

Realworldexample:StuxnetWorm Stuxnet:Overview June2010:Awormtarge&lt;ngSiemensWinCC industrialcontrolsystem. Targetshighspeedvariablefrequency

439 views • 39 slides
Security of Traffic Infrastructure RAJSHAKHAR PAUL Outline Introduction Anatomy of a Traffic

Security of Traffic Infrastructure RAJSHAKHAR PAUL Outline Introduction Anatomy of a Traffic

Green Lights Forever: Analyzing the Security of Traffic Infrastructure RAJSHAKHAR PAUL Outline Introduction Anatomy of a Traffic Infrastructure Case Study Threat Model Types of Attack Recommendation Broader Lesson Conclusion Outline

777 views • 36 slides
From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with M AYDAY Taegyu

From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with M AYDAY Taegyu

From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with M AYDAY Taegyu Kim 1 , Chung Hwan Kim 2 , Altay Ozen 1 , Fan Fei 1 , Zhan Tu 1 , Xiangyu Zhang 1 , Xinyan Deng 1 , Dave (Jing) Tian 1 , Dongyan Xu 1 1 Purdue

517 views • 17 slides
Distributed Design of Glocal Controllers Hampe pei i Sasahar ahara a (KTH), ), Takayuk uki

Distributed Design of Glocal Controllers Hampe pei i Sasahar ahara a (KTH), ), Takayuk uki

IEEE E CDC 2019 19 Distrib tribute uted d Contr ntrol ol I/ ThA20 A20 Hierarchical Model Decomposition for Distributed Design of Glocal Controllers Hampe pei i Sasahar ahara a (KTH), ), Takayuk uki i Ishiza hizaki (Tok okyoT

737 views • 22 slides
GP-RARS: Evolving Controllers for the Robot Auto Racing Simulator Yehonatan Shichel &amp; Moshe

GP-RARS: Evolving Controllers for the Robot Auto Racing Simulator Yehonatan Shichel &amp; Moshe

GP-RARS: Evolving Controllers for the Robot Auto Racing Simulator Yehonatan Shichel &amp; Moshe Sipper Ben-Gurion University 2011 HUMIES AWARDS FOR HUMAN-COMPETITIVE RESULTS RARS: Robot Auto Racing Simulator Car-race simulation

350 views • 23 slides
Self-Supervised Exploration via Disagreement Deepak Pathak* Dhiraj Gandhi* Abhinav Gupta UC

Self-Supervised Exploration via Disagreement Deepak Pathak* Dhiraj Gandhi* Abhinav Gupta UC

Self-Supervised Exploration via Disagreement Deepak Pathak* Dhiraj Gandhi* Abhinav Gupta UC Berkeley CMU CMU, FAIR ICML 2019 * equal contribution Exploration a major challenge! Exploration a major challenge! Mohamed et.al.

817 views • 66 slides
The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of Luxembourg ralf-philipp.weinmann@uni.lu Targets. Targets. You can be one, too. Assume I briefly have physical access your laptop. #FAIL for you, I

327 views • 30 slides

More recommend