scada strangelove
play

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr - PowerPoint PPT Presentation

May 04, 2023 •466 likes •1.13k views

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and other Gleb Gritsai *All pictures are taken from Dr Group of security researchers focused on ICS/SCADA Alexander Timorin Dmitry Serebryannikov

  2. SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and other Gleb Gritsai *All pictures are taken from Dr

  3.  Group of security researchers focused on ICS/SCADA Alexander Timorin Dmitry Serebryannikov Sergey Drozdov Alexander Tlyapov Dmitry Sklyarov Sergey Gordeychik Alexander Zaitsev Evgeny Ermakov Sergey Scherbel Alexey Osipov Gleb Gritsai Timur Yunusov Andrey Medov Ilya Karpov Valentin Shilnenkov Artem Chaykin Ivan Poliyanchuk Vladimir Kochetkov Denis Baranov Kirill Nesterov Vyacheslav Egoshin Dmitry Efanov Roman Ilin Yuri Goltsev Dmitry Nagibin Sergey Bobrov Yuriy Dyachenko to save Humanity from industrial disaster and to keep Purity Of Essence

  4. Aleksandr Timorin ICS security researcher Industrial protocols fan and 0-day PLC hunter SCADAStrangeLove team member The Ocean band fan atimorin atimorin@protonmail.ch

  5.  ICS basics 101  Vulnerabilities Input validation • • Design and architecture  Safety and security as a whole

  6. What is ICS world and why we should develop carefully  Today is the digital era (welcome back captain obvious!)  Automated processes is everywhere – from home automation to big energy plants, from brewery to traffic control systems

  7. What is ICS world and why we should develop carefully  Industry automatization processes becoming more comfortably for engineers and operators

  8. What is ICS world and why we should develop carefully  Switching from analog to digital brings old and absolutely not secure software development process

  9. What type of ICS products are vulnerable: Client/Server software • Field devices: RTU, PLC, protective relays, power meters, • converters, actuators and so on Network switches, gateways • GSM/GPRS modems, wireless AP • Mobile applications • Industrial protocols • Human factor •

  10. Analytics and statistics of ICS vulnerabilities • Analyzed CVE since ~2010 • Data source: ics-cert.us-cert.gov CVE details: NVD • • Total unique CVE: 689 • CVSS 2.0: min score 1.7 , max score 10.0 , avg score 6.5 , high and critical count of scores 285 (41%)

  11. Analytics and statistics of ICS vulnerabilities • CWE statistics: CWE - Common Weakness Enumeration Definitions and full detailed description at https://nvd.nist.gov/cwe.cfm Unique number of CWE = 43

  12. Analytics and statistics of ICS vulnerabilities • CWE statistics (TOP 20): $ sort cwe.all.raw | uniq -c | sort – nr | head -20

  13. Analytics and statistics of ICS vulnerabilities • CWE statistics (TOP 20):

  14. Other (after TOP20) Buffer Errors Numeric Errors NULL Pointer Dereference Code Injection Security Features Untrusted Search Path Unrestricted Upload of File with Dangerous Type SQL Injection Improper Access Control Information Leak / Disclosure CSRF Use of Hard-coded Credentials Authentication Issues Path Traversal Input Validation Resource Management Errors Credentials Management Permissions, Privileges, and Access Control Cryptographic Issues XSS

  16. Honeywell EPKS, CVE-2014-9189 •

  17. Honeywell EPKS, CVE-2014-9187 •

  18. cb is a buffer size •

  20. SpiderControl SCADA Web Server, stack-based bof, CVE- • 2015-1001

  21. Siemens SIPROTEC 7SJ64 (protective relay) XSS •

  22. Siemens WinCC •

  25. WinCC WinCC Web-Client DataMonitor Internet, corp lan, vpn’s Some networks WinCC WinCC WinCC WinCC Web-Client DataMonitor SCADA- SCADA- Client +Web- Clients Server LA WinCC Engineering station N Servers (TIA portal/PCS7) PROFINET PROFIBU S PLC PLC PLC 1 2 3

  26. WinCCExplorer.exe/PdlRt.exe Create and use your own security features Instead of standard features – that’s A bad idea!

  27. Hardcodes are for protocols with auth: SNMP, telnet, HTTP, • etc. You can hardcode keys, certificates, passwords • SMA Sunny WebBox •

  28. Siemens SIPROTEC 4 protective relay confirmation code • “311299”: - System log - Device info - Stack and other parts of memory - More ?

  29. Siemens SIPROTEC 4 protective relay confirmation code • “311299”: “ SIPROTEC 4 and SIPROTEC Compact devices allow the display of extended internal statistics and test information… To access this information, the confirmation code “311299” needs to be provided when prompted. ” “ ...Siemens does not publish official documentation on these statistics. It is strongly recommended to work together with Siemens SIPROTEC customer care or commissioning experts to retrieve and interpret the statistics and test information... ”

  30. Siemens S7-1200 PLC, CVE-2014-2252 • “An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system. ” Just “set” PROFINET request: set network info ( ip, netmask, gateway) with all zero values.

  31. Not secure by design: default credentials, autocomplete Defaults, factory settings (sometimes unchangeable) is • everywhere SCADA StrangeLove Default/Hardcoded Passwords List https://github.com/scadastrangelove/SCADAPASS

  32. KIOSK mode: Limit access to OS functions

  33. KIOSK mode: Limit access to OS functions

  34. Wincc accounts: “secret” crypto key •

  35. WinCC accounts: “secret” crypto key fixed • It’s XOR, they should not bother hardcoding for XOR •

  36. PLC password “encryption” Password (8 bytes)

  37. TIA Portal PEData.plf passwords history •

  38. Winccwebbridge.dll: please hash your hardcoded account •

  39. Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE- • 2014-2251

  40. Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE- • 2014-2251 Seed = plc_start_time + const •

  41. Target – Siemens S7-1200 PLC

  42. Profinet “feature” and PRNG vulnerability - real attack vector. Result - PLC takeover.

  43. - Hash passwords - SHA is not good enough - Put length of plaintext nearby Redbox_value = len(pwd)*2+1

  44. Architecture looks like ideal (from developers point of view)

  45. Reality looks like ideal too (from attacker point of view)

  46. Reality looks like ideal too (from attacker point of view)

  47. Many vendors tend to develop bicycles own services (ftp, telnet, ssh, http etc.) Guten Tag WinCC: • WinCC Server Windows/MSSQL based SCADA • WinCC Client (HMI) WinCC runtime + project • WinCC Web Server (WebNavigator) IIS/MSSQL/ASP/ASP.NET/SOAP • WinCC WebClient (HMI) ActiveX/HTML/JS

  48. Third-party services: deploying with default and example.config configurations (i.e. • lot of busybox based devices with default root account) No patches and updates •

  49. Mirai DDos botnet DVR, NVR, IP cameras Over 0.5 million IoT devices are vulnerable What’s the problem? Hardcoded root:xc3511 Moreover, not so easy to change it

  51. to get firmware? to get debug symbols? to debug? .. PowerPC no “operation system”

  54. ― Interlocking security (by Jakob Lyng Petersen) • Trains must not collide • Trains must not derail • Trains must not hit person working the tracks — Sadly, animals can’t handle the interview ― Formal methods and verification (rtfm) • B Method, Event B — Underground rail network in Beijing, Milan and Sao Paulo • Prover.com — Sweden, USA

  55. ― Safety critical systems ― Abstract machines + formal methods ― Atelier B • Available IDE and C translator • No Ada translator ― Newer version – Event-B • See Rodin framework

  58. “Everything will be C in the end. If it's not C, it's not the end.” • – almost John Lennon

  59. ― KVB: Alstom • Automatic Train Protection for the French railway company (SNCF), installed on 6,000 trains since 1993 — 60,000 lines of B; 10,000 proofs; 22,000 lines of Ada ― SAET METEOR: Siemens Transportation Systems • Automatic Train Control: new driverless metro line 14 in Paris (RATP), 1998. 3 safety-critical software parts: onboard, section, line — 107,000 lines of B; 29,000 proofs; 87,000 lines of Ada ― Roissy VAL: ClearSy (for STS) • Section Automatic Pilot: light driverless shuttle for Paris-Roissy airport (ADP), 2006 — 28,000+155,000 lines of B; 43,000 proofs; 158,000 lines of Ada

  62. RTFM • SSDLC • ICS best practices • Follow CERTs • Common Weakness Enumeration at cwe.mitre.org • More practice: OWASP TOP 10 • TESTING TESTING AND TESTING AGAIN! •

  63. Mr. ICS developer, are you creating your products within SSDLC concepts?

  64. Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev google and other Internets Yuriy Dyachenko *All pictures are taken from

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK. E-Mail: andrew.blyth@southwales.ac.uk SCADA and Ukraine SCADA Hacking Typical SCADA Critical Infrastructure Architecture 4 SCADA and IPC Forensic

303 views • 17 slides
SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen Operations Support Manager Western Area Power Administration Sub Substation Ne station Netwo twork rk Sec Security urity Tyler Stinson

627 views • 13 slides
SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL INTERNAL ONLY 2 Where are the Threats Coming From? External Sources SCADA systems are often interconnected to other SCADA systems and

480 views • 12 slides
THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS COMMUNICATIONS Dieter Gtschow Telecommunications specialist Industry Association Resource Centre African Utility Week, 810 May 2006 Overview

549 views • 21 slides
Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013 Agenda SCADA 101 Attack Scenarios Common Vulnerabilities Remediation Exploit Demo SCADA 101 SCADA DCS Supervisory Distributed

626 views • 45 slides
_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor slrtu030.doc ~_-Computer Alternate Signal Path (3 x #16 wires) 3.275 Ghz Satollite Earth Station 3.275 Ghz Satellite _-'/P"lnK Antenna

2.28k views • 183 slides
SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data

SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data

SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data Acquisition SCADA is the system that controls the various operating processes at our facilities. It is also the system that collects and stores

1.17k views • 23 slides
System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is

System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is

System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is SCADA? S upervisory C ontrol A nd D ata A cquisition , a computer system for gathering and analysing real-time data. SCADA systems are used to

309 views • 15 slides
ECO 199 - GAMES OF STRATEGY Spring Term 2004 GUIDE TO STRATEGIES IN DR. STRANGELOVE What follows

ECO 199 - GAMES OF STRATEGY Spring Term 2004 GUIDE TO STRATEGIES IN DR. STRANGELOVE What follows

ECO 199 - GAMES OF STRATEGY Spring Term 2004 GUIDE TO STRATEGIES IN DR. STRANGELOVE What follows is a statement and discussion of the many strategic issues and incidents from the movie. It is based on the points brought up in class as well as

266 views • 3 slides
Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems

Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems

www.elvac.eu Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems for energetics Quality metering in class A ARTIQ 144 measurements 4V4I, communication interface RS-485, optionally Ethernet or USB,

605 views • 13 slides
New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and Nicholas Carlini http://hexhive.github.io (c) Castro Theatre and Spoke Art, 2013 DR. STRANGELOVE DR. STRANGELOVE OR: HOW I LEARNED TO STOP OR: HOW I

549 views • 42 slides
Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh

Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh

10/30/2015 Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh University by Dr. Liang Cheng and Dr. Shalinee Kishore. Motivation for SCADA Suppose you have a simple electrical circuit consisting

538 views • 15 slides
ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, & Jason Wong 1. BACKGROUND What is Spire? What is SCADA? What is SCADA? Supervisory Control and Data Acquisition Allows for centralized

530 views • 18 slides
SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar Krishnan & Dr. Mingkui Wei Department of Computer Science Sam Houston State University, Huntsville, Texas ISDFS 2019 SC SCADA Ov Overv

635 views • 22 slides
SCADA deep inside: protocols and security mechanisms Aleksandr Timorin

SCADA deep inside: protocols and security mechanisms Aleksandr Timorin

SCADA deep inside: protocols and security mechanisms Aleksandr Timorin 05|06|07 September 2014 # whoami penetration tester at Positive Technologies SCADA security researcher, main specialisation -

1.03k views • 81 slides
ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA

ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA

ADNA: online, context-aware, intelligent framework for Anomaly Detection aNd Analysis in SCADA networks Researchers: Wenyu Ren , Klara Nahrstedt, Tim Yardley Motivation Supervisory Control And Data Acquisition (SCADA) Problem with

1.12k views • 22 slides
How to Dance Without Embarrassing Yourself? Outline Background Hustle Baseline Model

How to Dance Without Embarrassing Yourself? Outline Background Hustle Baseline Model

How to Dance Without Embarrassing Yourself? Outline Background Hustle Baseline Model Hustle Guess Model Box Steps Baseline Model Box Steps Guess Model Hustle Guess Model with Tuning Parameter Tia Jiang &

427 views • 14 slides
How Proposed Changes to the Public Charge Rule Will Affect Health, Hunger and the Economy

How Proposed Changes to the Public Charge Rule Will Affect Health, Hunger and the Economy

THE UCLA CENTER FOR HEALTH POLICY RESEARCH The Centers 2018 Health Policy Seminar Series: How Proposed Changes to the Public Charge Rule Will Affect Health, Hunger and the Economy in California Ninez Ponce, Laurel Lucia and Tia Shimada

1.01k views • 52 slides
TR-45 Subcommittee TR-45.2 Emergency Services Overview TIA TR-45.2 AHES Contact: Larry A. Young

TR-45 Subcommittee TR-45.2 Emergency Services Overview TIA TR-45.2 AHES Contact: Larry A. Young

Telecommunications Industry Association TR-45 Subcommittee TR-45.2 Emergency Services Overview TIA TR-45.2 AHES Contact: Larry A. Young larry.a.young@sprint.com Presentation Overview TIA Overview TIA Engineering Committee TR-45

537 views • 9 slides
2010 Transportation 2010 Transportation Investment Act Investment Act (TIA) (TIA) Maximum

2010 Transportation 2010 Transportation Investment Act Investment Act (TIA) (TIA) Maximum

2010 Transportation 2010 Transportation Investment Act Investment Act (TIA) (TIA) Maximum dollars for minimum congestion relief "In theory, theory and practice are the same. In practice, they are not. -- Yogi Berra The $8 Million

415 views • 17 slides
2019 New York State Tourism Conference April 25, 2019 Credit: NASA/GSFC & AVHRR Travel

2019 New York State Tourism Conference April 25, 2019 Credit: NASA/GSFC & AVHRR Travel

2019 New York State Tourism Conference April 25, 2019 Credit: NASA/GSFC & AVHRR Travel Powers the Economy Source: NTTO unless otherwise noted and Enhances the Image of the USA #1 Services Export 76.9 million international visitors

546 views • 31 slides
Triage in Trouble Hospital emergency rooms are busy Patients are impatient Triage

Triage in Trouble Hospital emergency rooms are busy Patients are impatient Triage

A Triage Information Agent (TIA) based on the IDA Technology Stan Franklin and Dan Jones, M.D. Computer Science Division & Institute for Intelligent Systems The University of Memphis 1 Triage in Trouble Hospital emergency rooms are

389 views • 6 slides
Date: April 8, 2014 Current Meeting: April 17, 2014 Board Meeting: May 1, 2014 BOARD

Date: April 8, 2014 Current Meeting: April 17, 2014 Board Meeting: May 1, 2014 BOARD

7 Date: April 8, 2014 Current Meeting: April 17, 2014 Board Meeting: May 1, 2014 BOARD MEMORANDUM TO: Santa Clara Valley Transportation Authority Congestion Management Program & Planning Committee THROUGH: General Manager, Nuria I.

527 views • 30 slides
1-bit Audio and the Arduino David J. Zielinski Overview 1. Terminology of Sound 2. Atari 2600

1-bit Audio and the Arduino David J. Zielinski Overview 1. Terminology of Sound 2. Atari 2600

1-bit Audio and the Arduino David J. Zielinski Overview 1. Terminology of Sound 2. Atari 2600 a. clock division frequencies b. linear feedback shift registers 3. Arduino Uno a. Specifications b. Audio Generation Methods c. Code Examples

816 views • 47 slides

More recommend