scada security why is it so hard
play

SCADA Security: Why is it so hard? Amol Sarwate, Director of - PowerPoint PPT Presentation

Aug 23, 2022 •338 likes •997 views

SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc. June 22, 2012 HACK IN PARIS Agenda SCADA Basics Threats (where, why & how) Challenges Recommendations and Proposals ScadaScan tool HACK

  1. SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc. June 22, 2012 HACK IN PARIS

  2. Agenda SCADA Basics Threats (where, why & how) Challenges Recommendations and Proposals ScadaScan tool HACK IN PARIS

  3. SCADA DCS ICS HACK IN PARIS

  4. HACK IN PARIS

  5. accidents liquid pipeline failures http://www.ntsb.gov/doclib/safetystudies/SS0502.pdf power failures http://www.nerc.com/docs/docs/blackout/Status_Report_081104.pdf other accidents http://en.wikipedia.org/wiki/List_of_industrial_disasters HACK IN PARIS

  6. vandalism vandals destroy insulators http://www.bpa.gov/corporate/BPAnews/archive /2002/NewsRelease.cfm?ReleaseNo=297 HACK IN PARIS

  7. insider disgruntle employee http://www.theregister.co.uk/2001/10/31 /hacker_jailed_for_revenge_sewage/ HACK IN PARIS

  8. APT terrorism or espionage http://www.symantec.com/content/en/us/enterprise/ media/security_response/whitepapers/w32_duqu_ the_precursor_to_the_next_stuxnet.pdf HACK IN PARIS

  9. basics Field Control Center HACK IN PARIS

  10. acquisition Convert parameters like light, temperature, pressure or flow to analog signals HACK IN PARIS

  11. conversion Converts analog and discrete measurements to digital information HACK IN PARIS

  12. communication Modbus DNP 3 OPC Front end processors (FEP) and protocols Wired or wireless communication ICCP ControlNet BBC 7200 ANSI X3.28 DCP 1 Gedac 7020 DeviceNet DH+ ProfiBus Tejas TRE UCA HACK IN PARIS

  13. presentation & control Control, monitor and alarming using human machine interface (HMI) HACK IN PARIS

  14. threats? HACK IN PARIS

  15. io & remote Requires physical access HACK IN PARIS

  16. io & remote F ield equipment generally does not contain process knowledge HACK IN PARIS

  17. io & remote Information like valve 16 or breaker 9B HACK IN PARIS

  18. io & remote Without process knowledge leads to nuisance disruption HACK IN PARIS

  19. communication Manipulate FEP directly HACK IN PARIS

  20. communication Change FEP output which is HMI input HACK IN PARIS

  21. communication Protocol threats HACK IN PARIS

  22. modbus protocol Master Slave Indication Request Modbus Client Modbus Server Confirmation Response MODBUS Request - Message sent on the network by the Client to initiate a transaction MODBUS Indication - Request message received on the Server side MODBUS Response - Response message sent by the Server MODBUS Confirmation - Response Message received on the Client side HACK IN PARIS

  23. frame MODBUS ADU PDU Additional addresses Function code Data Error Check MODBUS on TCP/IP IP Packet TCP Packet MODBUS TCP/IP ADU PDU IP Header TCP Header MBAP Header Function code Data HACK IN PARIS

  24. frame MODBUS ADU PDU Additional addresses Function code Data Error Check MODBUS on TCP/IP IP Packet TCP Packet MODBUS TCP/IP ADU PDU IP Header TCP Header MBAP Header Function code Data HACK IN PARIS

  25. frame MODBUS on TCP/IP MODBUS TCP/IP ADU PDU MBAP Header Function code Data Transaction ID Protocol ID Length Unit ID 2 bytes 2 bytes 2 bytes 1 byte HACK IN PARIS

  26. frame MODBUS on TCP/IP MODBUS TCP/IP ADU PDU MBAP Header Function code Data Read Discrete Read Holding Read FIFO Inputs 2 Registers 3 Queue 24 Get Com Event Counter 11 Transaction ID Protocol ID Length Unit ID Write Single Read File Read Coils 1 Register 6 Record 20 Get Com Event Log 12 2 bytes 2 bytes 2 bytes 1 byte Write Multiple Write File Write Single Coil 5 Registers 16 Record 21 Report Slave ID 17 Write Multiple Read/Write Read Exception Coils 15 Multiple Registers23 Status 7 Read Device Identification 43 Read Input Mask Write Encapsulated Interface Register 4 Register 22 Diagnostic 8 Transport 43 HACK IN PARIS

  27. example # Transaction ID (2 bytes) $buffer[0] = chr(1); $buffer[1] = chr(0); # Protocol ID (2 bytes) $buffer[2] = chr(0); $socket = IO::Socket::INET->new ( $buffer[3] = chr(0); PeerHost => $ip, # Length (2 bytes) PeerPort => '502', $buffer[4] = chr(0); Proto => 'tcp', $buffer[5] = chr(6); ) # Unit ID (1 bye) $socket->send($data); $buffer[6] = chr(1); # Function Code (1 byte) $buffer[7] = chr(3); # Data $buffer[8] = chr(hex (substr $data_val, 0, 2)); $buffer[9] = chr(hex (substr $data_val, 2, 2)); $buffer[10] = chr(0); $buffer[11] = chr($num_registers); HACK IN PARIS

  28. request HACK IN PARIS

  29. response HACK IN PARIS

  30. what does modbus provide? HACK IN PARIS

  31. ScadaScan (alpha) HACK IN PARIS

  32. DNP 3.0 HACK IN PARIS

  33. application layer HACK IN PARIS

  34. transport layer HACK IN PARIS

  35. link layer HACK IN PARIS

  36. example # DNP 3.0 link layer frame # Start character (2 bytes) $buffer[0] = chr(5); $buffer[1] = chr(100); # Length field (1 byte) $socket = IO::Socket::INET->new ( $buffer[2] = chr(05); PeerHost => $ip, # Control byte (1 byte) PeerPort => ‘20000', $buffer[3] = chr(201); Proto => 'tcp', # Destination address (2 bytes) ) $buffer[4] = chr(241); $socket->send($data); $buffer[5] = chr(255); # Source address (2 bytes) $buffer[6] = chr(05); $buffer[7] = chr(00); # CRC (2 bytes) $buffer[8] = chr(170); $buffer[9] = chr(210); HACK IN PARIS

  37. request HACK IN PARIS

  38. response HACK IN PARIS

  39. what does DNP 3.0 provide? HACK IN PARIS

  40. ScadaScan (alpha) HACK IN PARIS

  41. Secure DNP 3.0 Version 1.0 specification released in Feb 2007 Authentication Initialization Periodic Critical Function Code Requests Implementation Specific Cryptography Keyed Hashing for Message Authentication (HMAC) Key Management New Function Codes HACK IN PARIS

  42. master threats Control system network connected to corporate network or internet HACK IN PARIS

  43. master threats No authentication or per user authentication HACK IN PARIS

  44. master threats Shared passwords or default passwords HACK IN PARIS

  45. master threats No password change policy HACK IN PARIS

  46. master threats No patching HACK IN PARIS

  47. master threats Not restarted in years HACK IN PARIS

  48. master threats Unnecessary services HACK IN PARIS

  49. master threats Off-the-shelf software HACK IN PARIS

  50. challenges SCADA system long life cycle HACK IN PARIS

  51. challenges Difficulty and cost of upgrading HACK IN PARIS

  52. challenges No testing or guidance about OS patches from SCADA vendors HACK IN PARIS

  53. challenges Some systems managed by SCADA vendors HACK IN PARIS

  54. challenges Data historians and other systems on the SCADA network HACK IN PARIS

  55. challenges Internal differences between IT and SCADA engineers HACK IN PARIS

  56. challenges Wrong mentality - SCADA too obscure for hackers HACK IN PARIS

  57. proposals Strategy for password policy, access control, access roles HACK IN PARIS

  58. proposals Strategy for software upgrades and patches HACK IN PARIS

  59. proposals SCADA Test environment HACK IN PARIS

  60. proposals Demand from SCADA vendors expedite testing and approval of OS patches HACK IN PARIS

  61. proposals Demand from SCADA vendors newer and secure protocols HACK IN PARIS

  62. proposals Apply experience from IT network management and security HACK IN PARIS

  63. proposals Auditing and scanning HACK IN PARIS

  64. ScadaScan Alpha version Scan network range Works with TCP/IP Identifies Modbus TCP slaves Identifies DNP 3 TCP slaves Beta version SCADA master vulnerability scanning SNMP support HTTP support 1.0 Release User configurable signature files Authenticated support for Windows and *nix Code cleanup HACK IN PARIS

  65. Thank You http://code.google.com/p/scadascan/ Twitter: @amolsarwate https://community.qualys.com HACK IN PARIS

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen Operations Support Manager Western Area Power Administration Sub Substation Ne station Netwo twork rk Sec Security urity Tyler Stinson

627 views • 13 slides
SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL INTERNAL ONLY 2 Where are the Threats Coming From? External Sources SCADA systems are often interconnected to other SCADA systems and

480 views • 12 slides
SCADA deep inside: protocols and security mechanisms Aleksandr Timorin

SCADA deep inside: protocols and security mechanisms Aleksandr Timorin

SCADA deep inside: protocols and security mechanisms Aleksandr Timorin 05|06|07 September 2014 # whoami penetration tester at Positive Technologies SCADA security researcher, main specialisation -

1.03k views • 81 slides
SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and other Gleb Gritsai *All pictures are taken from Dr Group of security researchers focused on ICS/SCADA Alexander Timorin Dmitry Serebryannikov

1.13k views • 65 slides
SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK. E-Mail: andrew.blyth@southwales.ac.uk SCADA and Ukraine SCADA Hacking Typical SCADA Critical Infrastructure Architecture 4 SCADA and IPC Forensic

303 views • 17 slides
THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS COMMUNICATIONS Dieter Gtschow Telecommunications specialist Industry Association Resource Centre African Utility Week, 810 May 2006 Overview

549 views • 21 slides
Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013 Agenda SCADA 101 Attack Scenarios Common Vulnerabilities Remediation Exploit Demo SCADA 101 SCADA DCS Supervisory Distributed

626 views • 45 slides
Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security Prashant Anantharaman, Dartmouth College pa@cs.dartmouth.edu http://cs.dartmouth.edu/~pa CREDC Industry Workshop March 27-29, 2017 Funded by the U.S.

583 views • 36 slides
_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor slrtu030.doc ~_-Computer Alternate Signal Path (3 x #16 wires) 3.275 Ghz Satollite Earth Station 3.275 Ghz Satellite _-'/P"lnK Antenna

2.28k views • 183 slides
SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data

SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data

SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data Acquisition SCADA is the system that controls the various operating processes at our facilities. It is also the system that collects and stores

1.17k views • 23 slides
System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is

System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is

System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is SCADA? S upervisory C ontrol A nd D ata A cquisition , a computer system for gathering and analysing real-time data. SCADA systems are used to

309 views • 15 slides
Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems

Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems

www.elvac.eu Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems for energetics Quality metering in class A ARTIQ 144 measurements 4V4I, communication interface RS-485, optionally Ethernet or USB,

605 views • 13 slides
Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh

Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh

10/30/2015 Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh University by Dr. Liang Cheng and Dr. Shalinee Kishore. Motivation for SCADA Suppose you have a simple electrical circuit consisting

538 views • 15 slides
ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, & Jason Wong 1. BACKGROUND What is Spire? What is SCADA? What is SCADA? Supervisory Control and Data Acquisition Allows for centralized

530 views • 18 slides
SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar Krishnan & Dr. Mingkui Wei Department of Computer Science Sam Houston State University, Huntsville, Texas ISDFS 2019 SC SCADA Ov Overv

635 views • 22 slides
ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA

ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA

ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA networks Researchers: Wenyu Ren , Klara Nahrstedt, Tim Yardley Motivation Supervisory Control And Data Acquisition (SCADA) Problem with

1.12k views • 22 slides
Introduction (1) Packet Loss Recovery for Streaming is growing Commercial streaming

Introduction (1) Packet Loss Recovery for Streaming is growing Commercial streaming

Introduction (1) Packet Loss Recovery for Streaming is growing Commercial streaming successful (ie Streaming Video RealPlayer and MediaPlayer) but proprietary and inflexible N. Feamster and H. Balakrishnan Use MPEG-4 since open

478 views • 6 slides
Evaluation of the ARC Controller for the NASA IRTF Anthony Denault, Charles Lockhart, Eric

Evaluation of the ARC Controller for the NASA IRTF Anthony Denault, Charles Lockhart, Eric

Evaluation of the ARC Controller for the NASA IRTF Anthony Denault, Charles Lockhart, Eric Warmbier, & John Rayner 2012.01.24 Our goal is to answer this question: Does the ARC Gen III array controller satisfy IRTF's needs? Noise

631 views • 39 slides
Inequivalent bundle representations for the Noncommutative Torus Chern numbers: from

Inequivalent bundle representations for the Noncommutative Torus Chern numbers: from

Inequivalent bundle representations for the Noncommutative Torus Chern numbers: from abstract to concrete Giuseppe De Nittis Mathematical Physics Sector of: SISSA International School for Advanced Studies, Trieste Noncommutative

662 views • 47 slides
Negative Dependence, Stable Polynomials etc in ML Part 2 SUVRIT SRA & STEFANIE JEGELKA

Negative Dependence, Stable Polynomials etc in ML Part 2 SUVRIT SRA & STEFANIE JEGELKA

Negative Dependence, Stable Polynomials etc in ML Part 2 SUVRIT SRA & STEFANIE JEGELKA Laboratory for Information and Decision Systems Massachusetts Institute of Technology Neural information Processing Systems, 2018 ml.mit.edu

787 views • 31 slides
Understanding Patterns of Understanding Patterns of TCP Connection Usage TCP Connection Usage

Understanding Patterns of Understanding Patterns of TCP Connection Usage TCP Connection Usage

The UNIVERSITY UNIVERSITY of of NORTH CAROLINA NORTH CAROLINA Motivation Motivation The at at CHAPEL HILL CHAPEL HILL Modeling Internet Traffic Modeling Internet Traffic Understanding Patterns of Understanding Patterns of TCP Connection

258 views • 8 slides
BERKELEY LANDLORD 101 Michele Byrnes, PIU Manager Berkeley Rent Board September 30, 2020 AGENDA

BERKELEY LANDLORD 101 Michele Byrnes, PIU Manager Berkeley Rent Board September 30, 2020 AGENDA

BERKELEY LANDLORD 101 Michele Byrnes, PIU Manager Berkeley Rent Board September 30, 2020 AGENDA REGISTRATION RENT STABILIZATION SECURITY DEPOSITS & INTEREST LEASE GUIDELINES LANDLORD ENTRY GOOD CAUSE FOR EVICTION CONSIDERATIONS DURING

771 views • 31 slides
Joint prediction in MST style discourse parsing for argumentation mining Andreas Peldszus

Joint prediction in MST style discourse parsing for argumentation mining Andreas Peldszus

Joint prediction in MST style discourse parsing for argumentation mining Andreas Peldszus Manfred Stede Applied Computational Linguistics, University of Potsdam EMNLP 20.09.2015 Peldszus, Stede (Uni Potsdam) Joint prediction for argumentation

990 views • 84 slides
Stochastic Quasi-Gradient Methods: Variance Reduction via Jacobian Sketching Peter Richtrik

Stochastic Quasi-Gradient Methods: Variance Reduction via Jacobian Sketching Peter Richtrik

Stochastic Quasi-Gradient Methods: Variance Reduction via Jacobian Sketching Peter Richtrik Randomized Numerical Linear Algebra and Applications (Program: Foundations of Data Science) Simons Institute for the Theory of Computing, UC Berkeley

875 views • 50 slides

More recommend