SCADA deep inside: protocols and security mechanisms - Aleksandr Timorin - PowerPoint PPT Presentation
  1. SCADA deep inside: protocols and security mechanisms
  Aleksandr Timorin
  05|06|07 September 2014

  2. # whoami
  • penetration tester at Positive Technologies
  • SCADA security researcher, main specialisation - industrial protocols
  • SCADAStrangeLove team member -> scadasl.org
  • speaker at PHDays, Power Of Community, Chaos Communication Congress (workshop), CONFidence
  • @atimorin
  • atimorin@ptsecurity.com
  SCADA deep inside: protocols and security mechanisms BalCCon2k14 2

  3. # whoami

  4. # agenda
  • intro to scada world
  • current situation in ICS network security
  • overview of industrial protocols
  • well-known protocols: profinet, modbus, dnp3, goose
  • go to particular:
    • IEC 61850-8-1 (MMS)
    • IEC 61870-5-101/104
    • FTE
    • Siemens S7
  • how to analyse protocols
  • real case
  • outro: releases, QA

  5. # intro to scada world
  ICS - Industrial Control System
  SCADA - Supervisory Control And Data Acquisition
  PLC - Programmable Logic Controller
  HMI - Human-Machine Interface
  RTU - Remote Telemetry Unit
  Sensor, Actuator … and much more

  6. # intro to scada world
  many many vendors in the world:
  • siemens
  • advantech
  • citectscada
  • codesys
  • moxa
  • schneider electric
  • rslogics
  • general electric
  • wellintech
  • sielco sistemi
  • emerson
  • abb
  • advanced micro controls
  • ….
  problems in security:
  • each vendor - own protocol, technology etc.
  • out-of-date: don't touch if it works!
  • patch management cycle
  wild wild industrial world

  7. # current situation in ICS network security
  absolutely unbreakable ICS NETWORK ???

  8. # current situation in ICS network security
  NO, because of:
  ➡ typical network devices with default/crappy settings
  ➡ unpatched, old as dirt, full of junk software [malware] engineering workstations
  ➡ wireless AP with WEP (if the best happened)
  ➡ low physical security
  ➡ … and
  ➡ industrial protocols

  10. # current situation in ICS network security
  How do protocols live in the network? full expanse:
  • not blocked by firewalls/switches
  • accessible between LAN segments
  • works from data link layer to application layer
  • easy to detect
  • easy to intercept, analyse, reproduce and replay (but not all!)

  11. # overview of industrial protocols
  • modbus
  • profibus
  • profinet
  • dnp3
  • ethernet/ip
  • s5/s7 (siemens protocols family)
  • CIP (rockwell automation)
  • cc-link (mitsubishi electric factory automation)
  • bacnet
  • iec 60870, iec 61850, iec 61107
  • m-bus
  • zigbee
  • goose
  • …
  iec - international electrotechnical commission

  12. # overview of industrial protocols

  13. # modbus
  • published by Modicon (now Schneider Electric) in 1979
  • widely used for connecting industrial electronic devices
  • in XX (20th century): through rs-232/rs-485
  • in XXI (21st century): modbus tcp
  • standard port 502/tcp

  14. # modbus
  functions:
  • data access: read/write coils, registers, file records
  • diagnostics: device identification
  • user defined functions
  tools:
  • wireshark dissector
  • plcscan ( https://code.google.com/p/plcscan/ )
  • modbus-discover nse (by Alexander Rudakov)
  • modbus simulators ()

  15. # modbus
  security?
  • no authentication
  • no encryption
  • no security
  modbus tcp frame:
  transaction id: 2 bytes
  protocol id: 2 bytes (always 0)
  length: 2 bytes
  unit id: 1 byte
  function code: 1 byte
  data …
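Added example, not code from the talk: a small Modbus/TCP parser built on the frame layout above, used the way a passive network monitor would use it, flagging every write and diagnostic function code because the protocol has no authentication of its own. The sample TCP segment is constructed, and the function-code groups beyond the slide are my assumption from the Modbus application protocol specification.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# MBAP header exactly as on the slide: transaction id (2), protocol id (2, always 0),
# length (2), unit id (1); the function code is the first byte of the PDU that follows.
MBAP = struct.Struct(">HHHB")

READ_FUNCS = {1, 2, 3, 4, 7, 20, 24}      # coil/input/register/FIFO reads, exception status
WRITE_FUNCS = {5, 6, 15, 16, 21, 22, 23}  # single/multiple coil and register writes, file write
DIAG_FUNCS = {8, 11, 12, 17, 43}          # diagnostics, comm event log, report id, device id (MEI)


@dataclass
class ModbusADU:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> List[ModbusADU]:
    """Split one TCP payload into Modbus/TCP ADUs; ValueError on anything malformed."""
    adus, off = [], 0
    while off < len(payload):
        if len(payload) - off < MBAP.size + 1:
            raise ValueError("truncated MBAP header at offset %d" % off)
        tid, pid, length, uid = MBAP.unpack_from(payload, off)
        if pid != 0:
            raise ValueError("protocol id %d is not Modbus (must be 0)" % pid)
        # length counts the unit id plus the PDU, so it is at least 2 and never past the end
        end = off + 6 + length
        if length < 2 or end > len(payload):
            raise ValueError("MBAP length %d inconsistent with payload" % length)
        pdu = payload[off + 7:end]
        adus.append(ModbusADU(tid, uid, pdu[0], pdu[1:]))
        off = end
    return adus


def classify(adu: ModbusADU) -> str:
    fc = adu.function
    if fc & 0x80:
        return "exception"   # exception response: function code with the high bit set
    if fc in WRITE_FUNCS:
        return "write"
    if fc in DIAG_FUNCS:
        return "diagnostic"
    if fc in READ_FUNCS:
        return "read"
    return "unknown"         # includes user-defined codes (65-72, 100-110) from slide 14


def alerts(payload: bytes) -> List[Tuple[int, str, int]]:
    """Everything that is not a plain read is worth logging on an unauthenticated protocol."""
    return [(a.transaction_id, classify(a), a.function)
            for a in parse_modbus_tcp(payload) if classify(a) != "read"]


# Constructed sample segment: read holding registers, write single register, read device id
SAMPLE = bytes.fromhex("00010000000601030000000a"    # fc 3, start 0, 10 registers
                       "000200000006010600101234"    # fc 6, register 0x10 := 0x1234
                       "000300000005012b0e0100")     # fc 43 / MEI 14, basic device id
```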

  16. # dnp3
  DNP3 - Distributed Network Protocol
  • first version in 1990
  • standardised by IEEE only in 2010
  • mainly used in water and electric industry
  • master - outstation communication
  • tcp/udp standard port 20000
  tools:
  • wireshark dissector
  • free implementation https://code.google.com/p/dnp3/
  security? DNP3 Secure Authentication v5. First version in 2007. Adds device and user authentication, data protection

  17. # dnp3
  dnp3 frame:
  • header - 10 bytes
  • data - max 282 bytes
  header:
  • sync - 2 bytes
  • length - 1 byte
  • link control - 1 byte
  • destination addr - 2 bytes
  • source addr - 2 bytes
  • crc - 2 bytes
  each device in network has unique address 1..65520
  crc for every 16 bytes of data -> max frame len = 292 bytes
  works on iso/osi layers: data link layer, transport layer, application layer
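Added example, not from the talk: a DNP3 link-layer frame builder and validator following the header layout above, checking the header CRC and the CRC after every 16-byte data block, which is the only integrity check a plain (non-Secure-Authentication) DNP3 frame carries. The CRC parameters (CRC-16/DNP, polynomial 0x3D65), the sync bytes 0x05 0x64 and the sample frame are assumptions taken from the DNP3 specification, not stated on the slide; the builder also reproduces the 292-byte maximum the slide gives.

```python
import struct
from typing import Dict

SYNC = b"\x05\x64"   # fixed start bytes of every DNP3 link-layer frame (assumed from the spec)
BLOCK = 16           # user data is CRC-protected in 16-byte blocks (slide 17)


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC bit-reflected), init 0, result inverted.
    Check value for b"123456789" is 0xEA82."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(control: int, dest: int, src: int, user_data: bytes) -> bytes:
    """10-byte header (sync, length, control, dest, src, crc) followed by CRC'd data blocks."""
    if len(user_data) > 250:
        raise ValueError("length byte covers 5 header bytes + user data, max 255")
    header = SYNC + struct.pack("<BBHH", 5 + len(user_data), control, dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Validate sync and every CRC; a single flipped bit anywhere raises ValueError."""
    if len(frame) < 10 or frame[:2] != SYNC:
        raise ValueError("missing 0x0564 sync or truncated header")
    length, control, dest, src, hcrc = struct.unpack_from("<BBHHH", frame, 2)
    if crc16_dnp(frame[:8]) != hcrc:
        raise ValueError("header CRC mismatch")
    remaining, off, data = length - 5, 10, b""
    while remaining > 0:
        n = min(BLOCK, remaining)
        if off + n + 2 > len(frame):
            raise ValueError("frame truncated inside data block at offset %d" % off)
        block = frame[off:off + n]
        (bcrc,) = struct.unpack_from("<H", frame, off + n)
        if crc16_dnp(block) != bcrc:
            raise ValueError("data CRC mismatch at offset %d" % off)
        data, off, remaining = data + block, off + n + 2, remaining - n
    return {"control": control, "dest": dest, "src": src, "data": data, "frame_len": off}
```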

  18. # profinet dcp
  PROFINET family
  • Profinet CBA/IO/PTCP/DCP
  • iec 61158, iec 61784 in 2003
  • Ethernet type 0x8892
  • exchange data in real-time cycles
  • multicast discovery of devices and stations
  security?
  • no encryption
  • no authentication
  • no security

  19. # profinet dcp
  PROFINET DCP - Discovery and basic Configuration Protocol

  20. # profinet dcp
  frame types:
  • request 0xfefe
  • response 0xfeff
  • get/set 0xfefd
  multicast identify (scapy code):
    from scapy.all import Ether, srp, conf, get_if_hwaddr
    smac = get_if_hwaddr(conf.iface)   # sender MAC of the capture interface; the slide leaves smac undefined
    payload = bytes.fromhex('fefe05000401000200800004ffff')   # slide used Python 2 '...'.decode('hex')
    srp(Ether(type=0x8892, src=smac, dst='01:0e:cf:00:00:00') / payload)
  payload breakdown:
  fefe      request
  05        service id: identify
  00        service type: request
  04010002  xid (request id)
  0080      delay
  0004      data len
  ff        option: all
  ff        suboption: all

  21. # profinet dcp
  the main interesting fields for playing are option and suboption
  • for example, set/get network info: opt 0x01, subopt 0x02
  • led flashing: opt 0x05, subopt 0x03
  so we can:
  • scan profinet supported devices and stations
  • change name of station
  • change ip, netmask, gateway
  • request full network info
  • LED flashing: PLC, HMI (simulates that something is wrong with the device)
  • and much more

  22. # profinet dcp
  profinet dcp scanner (raw sockets and scapy versions)
  discover all devices (PC, PLC, HMI) in subnet

  23. # profinet dcp
  profinet fuzzer: fuzz options and sub options on plc siemens s7-1200
  CVE-2014-2252: "An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system."
  what is "specially crafted profinet packets"?

  24. # profinet dcp
  CVE-2014-2252: just a "set" request: set network info with all zero values.
  ip 0.0.0.0, mask 0.0.0.0, gw 0.0.0.0

  25. # profinet dcp
  DEMO: CVE-2014-2252

  26. # goose
  GSE - Generic Substation Events - fast and reliable mechanism for transfer of event data over entire substation networks:
  • IEC 61850
  • multicast, broadcast mechanism
  GSE:
  • GOOSE: Generic Object Oriented Substation Events
  • GSSE: Generic Substation State Events

  27. # goose
  • data as grouped dataset
  • transmitted within 4 ms
  • works on second layer (Ethernet) of ISO/OSI model
  • using publisher-subscriber mechanism -> broadcast, multicast MAC addresses (publisher ~ sender, subscriber ~ receiver)
  • uses VLAN (IEEE 802.1Q standard)
  • message priority level (by VLAN PCP - Priority Code Point - in TCI field of packet)
  • retransmission mechanism and a message state number (new or retransmitted)
  • brand independent (i.e., IED - intelligent electronic devices by some vendors don't require specific cables)
