Industrial Control Systems (ICS) and Cyber Security
TRANSCRIPT
ICS and Cyber Security
Özkan Erdoğan
About me
12 years of experience in Cyber Security
Cyber Security Consultant
DDoS and Pen Tests
… Now working on ICS Security
@ozkan_erdogan
Agenda
What are Cyber weapons
What is a critical infrastructure
ICS
Cyber weapons on ICS
Protocols
Threats
Attacks and Types of Attacks
Defense principles
Cyber Weapon
Computer code
Aiming at threat or damage
Unlike other code, it might have physical and psychological effects
Low cost, high damage
Target: systems, people, countries, critical infrastructure
Critical Infrastructure
Energy
Water treatment
Hospitals
Nuclear reactors
Communication lines
Defense systems
All of those systems are managed by ICS.
Utility
Market: 1 trillion $
7391 cyber attacks (a successful attack costs on average $1.2 million)
Oil and Gas
Market: 2.4 trillion $
5493 cyber attacks (a successful attack costs on average $4 million)
Why we use ICS
A brief description:
Converting signals from digital to analog and controlling equipment so that it functions automatically according to our needs, i.e. in compliance with a logic that we program. Examples: robot, valve, engine, generator, A/C.
Examples: move a robot arm, turn a water pump or valve on/off, mix chemicals, control flow, increase/decrease temperature, measure voltage, pump oil and gas, etc.
SCADA in Enterprise Network
ICS, SCADA and PLC Definition
Industrial Control System
HMI
PLC
SCADA Security (?)
CIA vs. AIC.
No encryption
No authentication
No authorization
Mostly default passwords
Security through obscurity
So-called ‘air gap’
Rule of ‘no touch’
Cyber weapons targeted ICS
Most destructive: Stuxnet
A virus that directly manipulated Iran's uranium enrichment process.
50 malware programs targeting only energy companies (FireEye).
Havex/Dragonfly: TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric)
Flame: cyber espionage (20 times bigger than Havex)
BlackEnergy: variants targeting critical infrastructure
Threat potential
Obama: A nuclear weapon's result is either 0 or 1. However, a cyber weapon is in a spectrum of 0-1 and you never know what it's gonna cause.
John Kerry: 21st-century version of nuclear attacks
Fenghui: The Internet, if not controlled, could cause more harm than nuclear weapons do.
SCADA architecture
Technical challenges:
Many different vendors, protocols and processes.
Need to get past the air gap
Convergence of OT and IT, protocols running over TCP/IP
Patching and upgrading almost impossible (locking, restart issues)
An ad
The architecture of the xxxx Building Automation System consists of programmable control units, I/O units with different point types and capacities, and HMI (touch screen) units. The most important feature of xxxxx is that the control units can connect directly to Ethernet using the TCP-IP protocol and, with their FTP and web server features, can also provide access to the system over the INTERNET. This way, users can remotely monitor the system's values and change setpoints with a web browser, without needing any special software.
Using the xxxx Manager software, it is possible to connect to the control units locally or remotely, even over an internet connection, and program them.
SCADA Manufacturers
Siemens.
Honeywell.
Tecnomatix (USDATA)
ABB
Tibbo Systems (AggreGate SCADA/HMI)
Schneider Electric (Wonderware, Telvent Citect)
Survalent Technology Company (STC)
Rockwell
SCADA/ICS protocols
Modbus (bidirectional traffic, read/write, usually runs over TCP/IP in a single layer)
Profinet
DNP (bidirectional traffic, read/write, usually runs over TCP/IP in a single layer)
Siemens S7
IEC 60870
ICS Attack Vectors
Information Gathering
Scan (nmap, plcscan)
ARP poisoning
Traffic Capture/Replay
Exploit (Nessus plugins and Metasploit modules)
Brute force
Information Gathering
Shodan, Censys
Nmap
PLCScan
Masscan
Google hacking
Cont’d
Nmap, plcscan
Rule 1: Be gentle
nmap --scan-delay=1 (-n omits DNS) (Digital Bond has Nmap scripts specific to ICS)
Do a full TCP connect scan instead of SYN (don't use half-open)
Do not use fingerprinting
Do not use -sC (scripting)
Do not use UDP scans
snmpcheck -t IP
Gives you:
Open UDP and TCP ports
Service details
python plcscan.py IP (scans ports 102 and 502)
ICS on the Internet
Shodan findings
Siemens S7: 100 x port 102
DNP: 20 x port 20000
Modbus: 338 x port 502
IEC 60870: 38 x port 2404
Google dork
Physical Attacks
Physical attacks against:
PLC
RTU
Smart meter
Relays
Circuit breakers
Black box attacks
Web and ftp servers, field devices
Web based attacks
SQL injection
Privilege escalation
Trojan, Backdoor
DDoS
Internal attacks
Traffic capture and replay
Man in the middle
ARP poisoning
Nessus (SCADA Policy & Credential Check)
Metasploit
Wireshark
Python
Defense
Patch management
DPI?
Data diodes?
Network segmentation / isolation
Awareness
Incident Response
Fuzzers
Commercial:
Codenomicon
Wurldtech Achilles
peachfuzzer.com
Open:
Aegis (https://www.automatak.com/aegis/)
Modbus TCP
Encryption: None
Authentication: None
Modbus Protocol Fields
Modbus request packet
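Since a Modbus/TCP request carries no encryption or authentication, the only thing a network monitor can verify is who is sending write commands. The following added example (not from the talk) parses the MBAP header and function code of the request packet described above and flags write requests from hosts other than the allow-listed SCADA master. The HMI address, rogue address and captured frames are constructed for illustration.

```python
import struct

# Modbus function codes that change PLC state (Modbus application protocol spec).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP ADU into MBAP header fields and PDU.
    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1);
    the PDU that follows is function code (1) + data. Nothing is encrypted or signed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("length field does not match frame size")
    return {"transaction_id": tid, "unit_id": uid,
            "function_code": frame[7], "data": frame[8:]}

def detect_unauthorized_writes(packets, authorized_masters):
    """Flag write requests not sent by an authorized master.
    packets: iterable of (source_ip, raw_frame). Modbus has no authentication,
    so the source address is the only identity a monitor can check; the
    allow-list of SCADA/HMI hosts is the policy enforced here."""
    alerts = []
    for src, frame in packets:
        try:
            adu = parse_modbus_tcp(frame)
        except ValueError:
            continue                      # not Modbus or malformed: skip
        fc = adu["function_code"]
        if fc in WRITE_FUNCTIONS and src not in authorized_masters:
            # Every write PDU starts with a 16-bit address, then value (single) or quantity (multiple).
            address, value = struct.unpack(">HH", adu["data"][:4])
            alerts.append({"src": src, "unit_id": adu["unit_id"],
                           "function": WRITE_FUNCTIONS[fc],
                           "address": address, "value": value})
    return alerts

AUTHORIZED_MASTERS = {"10.0.0.10"}        # assumed HMI address (constructed)
SAMPLE_PACKETS = [                        # constructed capture: HMI reads/writes, rogue host forces a coil
    ("10.0.0.10", bytes.fromhex("00010000000601030000000a")),  # FC3: read 10 holding regs
    ("10.0.0.10", bytes.fromhex("0002000000060106000100ff")),  # FC6: write register 1 = 255
    ("10.0.0.77", bytes.fromhex("00030000000601050000ff00")),  # FC5: force coil 0 ON
]

if __name__ == "__main__":
    for a in detect_unauthorized_writes(SAMPLE_PACKETS, AUTHORIZED_MASTERS):
        print("ALERT: %(function)s from %(src)s to unit %(unit_id)d, address %(address)d, value 0x%(value)04X" % a)
```

Run against a real capture, the same check would feed a segmentation or IDS rule: any host outside the master allow-list issuing function codes 5, 6, 15 or 16 is a finding.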
Modbus Case Study
PLC Simulator (ModbusPal) and mbtget: https://youtu.be/jxJ6921qrpE
Exploit via Metasploit: https://youtu.be/1bCrCFqgP-M
Tampering via mbtget: https://youtu.be/mGixseMvaMM
Vulnerabilities
...and counting!!
Case Study: Ukraine power outage
Exploitation Tools
...or buy from Agora: SCADA + ‘Made in Russia’
The End
Thank you...
Questions?