Techniques of Attacking Real SCADA & ICS Systems

All pictures are taken from the Dr. Strangelove movie.
- Group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity Of Essence
Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Alexander Tlyapov
- Goals
  - to automate security assessment of ICS platforms and environment
- Objectives
  - to understand the system
  - to assess built-in security features
  - to create security audit/hardening guides
  - to automate the process

Vulnerabilities – waste production


- Goal
  - to create a PoC of a Stuxnet-style attack
- Initial conditions
  - common ICS components and configuration
  - common ICS security tools
  - only ICS component weaknesses
  - vulnerabilities found by the SCADA StrangeLove team
Tilting at windmills: ICS pentest project management
Playing with networks
Rooting the PLC: don't even try
OS/DB/Application
I'm the Lord of the SCADA
Hunting the operator: ICS network "forensics"
Jumping to business level


absolutely unbreakable ICS NETWORK
- Typical network devices with default/crappy settings
- Unpatched, old as dirt, full of junk software [malware] engineering workstations
- Wireless AP with WEP (if the best happened)
- Low physical security
- ... and
- Industrial protocols
- Full expanse
- Not blocked by firewalls/switches
- Accessible between LAN segments
- Work from the data link layer up to the application layer
- Easy to detect
- Easy to intercept and analyze (but not all!)

And what do we know about protocols?

- Modbus
- Profinet family
- DNP3
- IEC 61850-8-1 (MMS)
- IEC 60870-5-104 (IEC 104)
- Siemens S7
- ... and much more

And most of them are INSECURE BY DESIGN


- http://www.modbus.org/
- Diagnostic functions
- Read/Write data/registers/tags
- Read/Write files
- Toolkit: PLCSCAN by Dmitry Efanov, http://code.google.com/p/plcscan/
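The Modbus bullets above (diagnostic functions, register reads and writes, no authentication anywhere in the frame) are what a passive monitor on TCP/502 has to work with. The decoder below is an added example, not code from the slides or from PLCSCAN: it validates the MBAP header, splits out the function code, and returns an alert line for the function codes that change PLC state or run diagnostics while staying silent on plain reads. The sample ADUs at the bottom are constructed, not captured from any system.

```python
"""Decode Modbus/TCP ADUs and flag the function codes that change state.

Added example (not from the slides or PLCSCAN). Assumes it is handed one
complete Modbus/TCP ADU (the TCP/502 payload) at a time; the sample ADUs
at the bottom are constructed.
"""
import struct
from typing import Optional

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)

# Public function codes from the Modbus Application Protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    20: "Read File Record", 21: "Write File Record",
    23: "Read/Write Multiple Registers", 43: "Encapsulated Interface Transport",
}
WRITE_CODES = {5, 6, 15, 16, 21, 23}
DIAG_CODES = {8, 43}


def parse_adu(adu: bytes) -> dict:
    """Validate the MBAP header and split off function code and data."""
    if len(adu) < MBAP_LEN + 1:
        raise ValueError("ADU too short")
    tid, pid, length, uid = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(adu) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length does not match ADU size")
    fc = adu[MBAP_LEN]
    return {"transaction_id": tid, "unit_id": uid,
            "function_code": fc & 0x7F, "exception": bool(fc & 0x80),
            "data": adu[MBAP_LEN + 1:]}


def decode_request(parsed: dict) -> dict:
    """Pull address/value fields out of the PDU for the common request shapes."""
    fc, data = parsed["function_code"], parsed["data"]
    if parsed["exception"]:
        return {"kind": "exception", "exception_code": data[0] if data else None}
    if fc in (1, 2, 3, 4):
        addr, qty = struct.unpack(">HH", data[:4])
        return {"kind": "read", "address": addr, "quantity": qty}
    if fc in (5, 6):
        addr, value = struct.unpack(">HH", data[:4])
        return {"kind": "write", "address": addr, "value": value}
    if fc in (15, 16):
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        return {"kind": "write", "address": addr, "quantity": qty,
                "values": data[5:5 + nbytes]}
    if fc in DIAG_CODES:
        return {"kind": "diagnostic", "subfunction": data[:2].hex()}
    return {"kind": "other"}


def flag_adu(adu: bytes) -> Optional[str]:
    """Return an alert line for writes and diagnostics, None for plain reads."""
    parsed = parse_adu(adu)
    if parsed["exception"]:
        return None
    fc = parsed["function_code"]
    if fc in WRITE_CODES or fc in DIAG_CODES:
        req = decode_request(parsed)
        name = FUNCTION_NAMES.get(fc, f"FC {fc}")
        return f"unit {parsed['unit_id']}: {name} {req}"
    return None


# Constructed sample ADUs (not captured traffic).
SAMPLE_ADUS = {
    "read_holding": bytes.fromhex("000100000006010300000002"),    # FC 3, 2 regs
    "write_register": bytes.fromhex("000200000006010600010039"),  # FC 6, reg 1 = 57
    "exception": bytes.fromhex("000300000003018302"),             # FC 3 exception 2
}

if __name__ == "__main__":
    for label, adu in SAMPLE_ADUS.items():
        print(label, "->", flag_adu(adu) or "no alert")
```

Because the protocol carries no authentication field, the only thing the monitor can key on is the function code and the source address; that is also why a write from an unexpected host is the first thing worth alerting on.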
IEC 61158, IEC 61784
- Profinet CBA/IO/PTCP/DCP
- Ethernet type 0x8892
- Exchange data in real-time cycles
- Multicast discovery of devices and stations
- No encryption, no auth, no security
- We can change settings: name of the station, IP, netmask, gateway
- We can simulate, and really DoS, PLC and HMI
- Toolkit: WWW
- http://www.dnp.org
- Widespread and popular
- Useful info:
  http://www.digitalbond.com/scadapedia/protocols/dnp3/
  http://blog.iec61850.com/search/label/DNP3
- Secure DNP3 specification
- Toolkit: coming soon ....
Manufacturing Message Specification
- ISO 9506-1:2003
- Based on ISO-TSAP, TCP/102
- Read/write PLC tags, variables, domains (large unstructured data, i.e. code)
- Start/Stop/Rewrite firmware of PLC
- Read/Write/Delete files and dirs
- Poor security mechanism: just a whitelist of methods
- No auth, no encryption
- Toolkit: python and nmap scripts
  - Python identify script: WWW
  - Nmap identify script: WWW

- TCP/2404
- HEADER:
  1st byte: 0x68
  2nd byte: APDU len
- Huge list of functions, depends on the vendor's implementation
- Read/write tags, upload/download files, broadcast discovery of connected devices, time sync, reset process command, query log files etc.
- No auth, no encryption
- Poor security mechanism: IP address whitelist
- Toolkit: python and nmap scripts
  - Python identify script: WWW
  - Nmap identify script: WWW
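The IEC 104 slide gives the two header bytes (0x68, then the APDU length) and notes that the only protection is an IP address whitelist. The decoder below is an added example, not code from the slides or the SCADA StrangeLove scripts: it splits the APCI, tells I/S/U frames apart, decodes the fixed ASDU header of I-frames, and raises an alert when a control-direction command (single command, set point, reset process, clock sync, and so on) arrives with cause of transmission "activation", or when any APDU comes from a host outside the whitelist. The frames and the whitelist are constructed.

```python
"""IEC 60870-5-104 APDU decoder that flags control-direction commands.

Added example (not from the slides or the team's toolkit). Assumes the caller
hands it one complete APDU (the TCP/2404 payload) at a time; the sample frames
and peer whitelist are constructed.
"""
import struct

START_BYTE = 0x68  # every APDU starts with 0x68 followed by the APDU length

# Command type identifiers in the control direction (IEC 60870-5-101/104).
COMMAND_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point, normalized",
    49: "C_SE_NB_1 set point, scaled",
    50: "C_SE_NC_1 set point, float",
    100: "C_IC_NA_1 interrogation",
    103: "C_CS_NA_1 clock synchronisation",
    105: "C_RP_NA_1 reset process",
}
COT_ACTIVATION = 6
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def parse_asdu(asdu: bytes) -> dict:
    """Decode the fixed ASDU header plus the first information object address."""
    if len(asdu) < 9:
        raise ValueError("ASDU too short")
    # 104 fixes the field sizes: COT 2 bytes (cause + originator), CA 2 bytes, IOA 3 bytes
    type_id, vsq, cot, originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little")
    return {"type_id": type_id, "count": vsq & 0x7F, "cot": cot & 0x3F,
            "originator": originator, "common_addr": common_addr,
            "ioa": ioa, "payload": asdu[9:]}


def parse_apdu(buf: bytes) -> dict:
    """Split the APCI (start byte, length, 4 control bytes) and classify the frame."""
    if len(buf) < 6 or buf[0] != START_BYTE:
        raise ValueError("missing 0x68 start byte")
    apdu_len = buf[1]
    if apdu_len < 4 or len(buf) != apdu_len + 2:
        raise ValueError("APDU length mismatch")
    cf = buf[2:6]
    if cf[0] & 0x01 == 0:  # I-format: numbered frame carrying an ASDU
        return {"format": "I",
                "send_seq": (cf[0] >> 1) | (cf[1] << 7),
                "recv_seq": (cf[2] >> 1) | (cf[3] << 7),
                "asdu": parse_asdu(buf[6:])}
    if cf[0] & 0x03 == 0x01:  # S-format: supervisory acknowledgement only
        return {"format": "S", "recv_seq": (cf[2] >> 1) | (cf[3] << 7)}
    return {"format": "U", "function": U_FUNCTIONS.get(cf[0], f"unknown 0x{cf[0]:02x}")}


def inspect(buf: bytes, peer_ip: str, allowed_peers: set) -> tuple:
    """Return (decoded frame, list of alert strings) for one APDU from peer_ip."""
    alerts = []
    if peer_ip not in allowed_peers:
        alerts.append(f"APDU from non-whitelisted peer {peer_ip}")
    frame = parse_apdu(buf)
    if frame["format"] == "I":
        asdu = frame["asdu"]
        if asdu["type_id"] in COMMAND_TYPES and asdu["cot"] == COT_ACTIVATION:
            alerts.append(f"control command {COMMAND_TYPES[asdu['type_id']]} "
                          f"to CA={asdu['common_addr']} IOA={asdu['ioa']}")
    return frame, alerts


# Constructed sample frames (not captured from any real system).
STARTDT_ACT = bytes.fromhex("680407000000")
SINGLE_CMD_ON = bytes.fromhex("680e000000002d010600010001000001")  # type 45, COT 6, CA 1, IOA 1, ON
S_FRAME_ACK = bytes.fromhex("680401000200")

if __name__ == "__main__":
    allowed = {"10.0.0.5"}  # constructed whitelist, stands in for the PLC's own
    for frame_bytes, peer in ((STARTDT_ACT, "10.0.0.5"),
                              (SINGLE_CMD_ON, "10.0.0.99"),
                              (S_FRAME_ACK, "10.0.0.5")):
        decoded, alerts = inspect(frame_bytes, peer, allowed)
        print(decoded["format"], alerts)
```

The whitelist check is done here on the monitor rather than trusted to the PLC, since the slide's point is that the device-side whitelist is the only control and it is keyed on a spoofable source address.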
- I love this protocol!
- Proprietary communication protocol supported by Siemens SCADA software, PLC, HMI
- We can: detect the protocol, extract some useful info (device serial number, type of station, firmware info etc.), extract and bruteforce (thanks to the JtR community) authentication challenge-response hashes
- http://www.slideshare.net/phdays/timorin-alexander-efanov-dmitry
- Toolkit:
  http://code.google.com/p/scada-tools/
  https://code.google.com/p/plcscan/
Welcome to our workshop!
Rooting the PLC: don't even try
- Pwn the OS (often VxWorks, QNX)
- Reverse the internal architecture
- Find bugs in services
- Snatch the device

BUT FOR WHAT?


- It is a universal and complex approach
- You can:
  - detect devices and protocols
  - monitor state, commands, exchanged data
  - inject, modify, replay packets in real-time
- Because most of them are INSECURE BY DESIGN

Real example?
A simple UDP packet that sets the "speed" of a turbine to 57 (min=1, max=100)
