Industrial Control Systems (ICS) and Cyber Security

ICS and Cyber Security, Özkan Erdoğan

Uploaded by: ozkan-erdogan

Posted on 08-Jan-2017

TRANSCRIPT

Page 1: Industrial Control Systems (ICS) and Cyber Security

ICS and Cyber Security

Özkan Erdoğan

Page 2:

About me

12 years of experience in Cyber Security

Cyber Security Consultant

DDoS and pen tests

… Now working on ICS Security

@ozkan_erdogan

[email protected]

Page 3:

Agenda

What are cyber weapons?

What is a critical infrastructure?

ICS

Cyber weapons on ICS

Protocols

Threats

Attacks and Types of Attacks

Defense principles

Page 4:

Cyber Weapon

Computer code

Aimed at threatening or causing damage

Unlike other code, it may have physical and psychological effects

Low cost, high damage

Targets: systems, people, countries, critical infrastructure

Page 5:

Critical Infrastructure

Energy

Water treatment

Hospitals

Nuclear reactors

Communication lines

Defense systems

All of these systems are managed by ICS.

Page 6:

Utility

Market: $1 trillion

7,391 cyber attacks (a successful attack costs on average $1.2 million)

Oil and gas

Market: $2.4 trillion

5,493 cyber attacks (a successful attack costs on average $4 million)

Page 7:

Why we use ICS

A brief description:

Converting signals between digital and analog and controlling equipment so that it runs automatically according to our needs, i.e. following logic that we program. Examples: robot, valve, engine, generator, A/C.

Examples: move a robot arm, turn a water pump or valve on/off, mix chemicals, control flow, raise/lower temperature, measure voltage, pump oil and gas, etc.

Page 8:

Scada in Enterprise Network

Page 9:

ICS, SCADA and PLC definitions

Industrial Control System

Page 10:

HMI

Page 11:

PLC

Page 12:

SCADA Security (?)

CIA vs. AIC (IT ranks confidentiality first; ICS ranks availability first)

No encryption

No authentication

No authorization

Mostly default passwords

Security through obscurity

The so-called 'air gap'

The rule of 'no touch'

Page 13:

Cyber weapons targeted ICS

Most destructive: Stuxnet

A worm that directly manipulated Iran's uranium enrichment process.

50 pieces of malware targeting energy companies alone (FireEye).

Havex / Dragonfly: scans TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric)

Flame: cyber espionage (about 20 times larger than Stuxnet)

BlackEnergy: variants targeting critical infrastructure

Page 14:

Threat potential

Obama: A nuclear weapon's result is either 0 or 1. However, a cyber weapon is on a spectrum from 0 to 1, and you never know what it is going to cause.

John Kerry: the 21st-century version of nuclear attacks

Fenghui: The Internet, if not controlled, could cause more harm than nuclear weapons do.

Page 15:

Aurora

Aurora Project: 2007.

Page 16:

Scada architecture

Technical characteristics:

Many different vendors, protocols and processes.

Business needs push past the air gap

Convergence of OT with IT; protocols now run over TCP/IP

Patching and upgrading almost impossible (lock-in and restart issues)

Page 17:

An ad

The architecture of the xxxx Building Automation System consists of programmable control units, I/O units with different point types and capacities, and HMI (touch screen) units. The most important feature of xxxxx is that the control units can connect directly to Ethernet via the TCP/IP protocol and, with their FTP and web server features, provide access to the system over the INTERNET. This way, users can remotely monitor system values and change set-points with a web browser, without needing any special software.

Using the xxxx Manager software, it is possible to connect to the control units locally or remotely, even over an Internet connection, and program them.

Page 18:

Scada Manufacturers

Siemens.

Honeywell.

Tecnomatix (USDATA)

ABB

Tibbo Systems (AggreGate SCADA/HMI)

Schneider Electric (Wonderware, Telvent, Citect)

Survalent Technology Company (STC)

Rockwell

Page 19:

Scada /ICS protocols

Modbus (bidirectional read/write traffic; usually runs directly over TCP/IP, port 502)

Profinet

DNP3 (bidirectional read/write traffic; usually runs directly over TCP/IP, port 20000)

Siemens S7 (port 102)

IEC 60870-5-104 (port 2404)

Page 20:

ICS-Attack Vectors

Information Gathering

Scan (nmap, plcscan)

ARP poisoning

Traffic Capture/Replay

Exploit (Nessus plugins and Metasploit modules)

Brute force

Page 21:

Information Gathering

Shodan, Censys

Nmap

PLCScan

Masscan

Google hacking

Page 22:

Cont’d

Nmap, plcscan

Rule 1: be gentle

nmap --scan-delay 1s (-n skips DNS resolution); Digital Bond publishes ICS-specific Nmap scripts

Do a TCP connect scan (-sT) instead of a SYN scan (-sS): do not use half-open scans

Do not use OS or version fingerprinting

Do not use -sC (default NSE scripts)

Do not use UDP scans

snmpcheck -t IP

Gives you: open UDP/TCP ports, service details

python plcscan.py IP (scans ports 102 and 502)
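As an added example (not from the slides, and not plcscan or any other tool they name), here is a connect-only probe in Python that applies the "be gentle" rules above: one full TCP connect at a time, no payload sent, a fixed pause between ports and a short timeout. The local listener and the released port it uses are constructed stand-ins for a device so the script runs offline; the port numbers come from the slides' own port list, and the protocol label for 44818 (EtherNet/IP) is my gloss.

```python
import socket
import threading
import time

# Ports named on the slides and the protocol each is associated with.
ICS_PORTS = {102: "Siemens S7", 502: "Modbus/TCP", 2404: "IEC 60870-5-104",
             20000: "DNP3", 44818: "EtherNet/IP (Omron, Rockwell)"}


def probe_port(host, port, timeout=2.0):
    """One full TCP connect (what nmap -sT does), no data sent, then close.
    Returns 'open', 'closed' (connection refused) or 'filtered' (timeout / unreachable)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # includes socket.timeout / TimeoutError
        return "filtered"
    finally:
        s.close()


def gentle_scan(host, ports, delay=1.0, timeout=2.0):
    """Probe ports strictly one after another, pausing `delay` seconds between
    connects (the --scan-delay idea; never parallel). Returns {port: state}."""
    results = {}
    for i, port in enumerate(sorted(set(ports))):
        if i:
            time.sleep(delay)
        results[port] = probe_port(host, port, timeout)
    return results


def start_local_listener():
    """Constructed stand-in for a device so the script runs offline: a listener on
    127.0.0.1 and an ephemeral port that accepts one connection and closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port():
    """Constructed: bind and release an ephemeral port, so nothing listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    targets = [start_local_listener(), closed_local_port()]
    for port, state in gentle_scan("127.0.0.1", targets, delay=0.5).items():
        print("%5d  %-30s %s" % (port, ICS_PORTS.get(port, "-"), state))
```

The probe deliberately returns the moment the handshake completes; it never reads a banner or sends a protocol request, so a fragile PLC stack sees nothing beyond a normal client connecting and disconnecting. The three states map onto what a connect scan can actually tell apart: a completed handshake, an immediate refusal, and silence.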

Page 23:

ICS on Internet

Page 24:

Shodan findings

Siemens S7: 100 x port 102

DNP3: 20 x port 20000

Modbus: 338 x port 502

IEC 60870: 38 x port 2404

Page 25:

Google dork

Page 26:

Physical Attacks

Physical attacks against:

PLC

RTU

Smart meter

Relays

Circuit breakers

Page 27:

Black box attacks

Web and ftp servers, field devices

Web based attacks

SQL injection

Privilege escalation

Trojan, Backdoor

DDoS

Page 28:

Internal attacks

Traffic capture and replay

Man in the middle

ARP poisoning

Nessus (SCADA policy and credential check)

Metasploit

Wireshark

Python

Page 29:

Defense

Patch management

DPI?

Data diodes?

Network segmentation and isolation

Awareness

Incident response

Page 30:

Fuzzers

Commercial

Codenomicon

Wurldtech Achilles

peachfuzzer.com

Open source:

Aegis (https://www.automatak.com/aegis/)

Page 31:

Modbus/TCP

Encryption: None

Authentication: None

Page 32:

Modbus Protocol Fields

Page 33:

Modbus request packet
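The following is an added example (not from the slides, Modbus PAL or mbtget) showing the Modbus/TCP frame from pages 31 to 33 in Python: a client builds read and write requests, and a simulated PLC in the same process answers them, so both sides of the exchange can be inspected offline. The register contents and the "set-point" are constructed; the frame layout is the MBAP header (transaction id, protocol id, length, unit id) followed by the PDU (function code and data).

```python
import struct


def build_adu(tid, unit, fc, payload):
    """Encode a Modbus/TCP ADU: MBAP header (transaction id, protocol id 0,
    length = unit id + PDU bytes, unit id) followed by the PDU (function code + data).
    Note what is absent: no credential, no nonce, no integrity field."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_adu(adu):
    """Split an ADU into (transaction id, unit id, function code, data)."""
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:7])
    if pid != 0 or length != len(adu) - 6:
        raise ValueError("malformed MBAP header")
    return tid, unit, adu[7], adu[8:]


def read_holding_registers(tid, unit, addr, count):    # function code 3
    return build_adu(tid, unit, 3, struct.pack(">HH", addr, count))


def write_single_register(tid, unit, addr, value):     # function code 6
    return build_adu(tid, unit, 6, struct.pack(">HH", addr, value))


class SimulatedPlc:
    """Constructed stand-in for a slave such as Modbus PAL: 40 holding registers."""

    def __init__(self):
        self.registers = [0] * 40

    def handle(self, adu):
        tid, unit, fc, data = parse_adu(adu)
        if fc == 3:
            addr, count = struct.unpack(">HH", data)
            if not 1 <= count <= 125 or addr + count > len(self.registers):
                return build_adu(tid, unit, fc | 0x80, b"\x02")   # exception 02: illegal data address
            regs = self.registers[addr:addr + count]
            return build_adu(tid, unit, fc, bytes([2 * count]) + struct.pack(">%dH" % count, *regs))
        if fc == 6:
            addr, value = struct.unpack(">HH", data)
            if addr >= len(self.registers):
                return build_adu(tid, unit, fc | 0x80, b"\x02")
            self.registers[addr] = value                          # nothing checks who asked
            return build_adu(tid, unit, fc, data)                 # normal reply echoes the request
        return build_adu(tid, unit, fc | 0x80, b"\x01")           # exception 01: illegal function


def decode_response(adu):
    """Turn a response ADU into a dict; exception responses set bit 7 of the function code."""
    tid, unit, fc, data = parse_adu(adu)
    if fc & 0x80:
        return {"tid": tid, "fc": fc & 0x7F, "exception": data[0]}
    if fc == 3:
        n = data[0] // 2
        return {"tid": tid, "fc": fc, "registers": list(struct.unpack(">%dH" % n, data[1:1 + 2 * n]))}
    addr, value = struct.unpack(">HH", data)
    return {"tid": tid, "fc": fc, "address": addr, "value": value}


def tamper_demo():
    """Read a set-point, overwrite it from an unidentified client, read it back."""
    plc = SimulatedPlc()
    plc.registers[5] = 1500                                       # constructed: a pump set-point
    before = decode_response(plc.handle(read_holding_registers(1, 1, 5, 1)))
    write = decode_response(plc.handle(write_single_register(2, 1, 5, 9999)))
    after = decode_response(plc.handle(read_holding_registers(3, 1, 5, 1)))
    bad_addr = decode_response(plc.handle(read_holding_registers(4, 1, 38, 5)))
    bad_fc = decode_response(plc.handle(build_adu(5, 1, 0x2B, b"\x0e\x01\x00")))
    return {"before": before, "write": write, "after": after, "bad_addr": bad_addr, "bad_fc": bad_fc}


if __name__ == "__main__":
    print(read_holding_registers(1, 1, 5, 1).hex())             # 000100000006010300050001
    for name, result in tamper_demo().items():
        print(name, result)
```

Every field in the request is either addressing (transaction id, unit id, register address) or the operation itself; there is no field the device could use to decide who sent the write, which is exactly what the "Authentication: None" slide means in practice. The exception codes (01 illegal function, 02 illegal data address) are the only feedback the protocol gives, and a well-behaved slave returns them rather than dropping the request, so even a malformed write leaks information about what exists.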

Page 34:

Modbus Case study

PLC simulator (Modbus PAL) and mbtget: https://youtu.be/jxJ6921qrpE

Exploit via Metasploit: https://youtu.be/1bCrCFqgP-M

Tampering via mbtget: https://youtu.be/mGixseMvaMM
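As an added example serving both the "DPI?" item on the defense slide (page 29) and the tampering case study above, here is a protocol-aware allow-list in Python of the kind an ICS deep-packet-inspection firewall enforces in front of port 502. It is not the page's or any product's code. The client addresses, the host roles (HMI, historian) and the rule table are hypothetical; the frame parsing follows the Modbus/TCP layout from the previous slides.

```python
import struct

# Hypothetical policy, keyed by client address: the unit ids it may address, the function
# codes it may use, and the register range it may write. Anything not listed is dropped.
POLICY = {
    "10.0.1.10": {"units": {1}, "fcs": {3, 6}, "write_range": range(0, 10)},   # HMI: reads, writes set-points 0-9
    "10.0.1.20": {"units": {1}, "fcs": {3}, "write_range": range(0)},          # historian: read-only
}
WRITE_FCS = {5, 6, 15, 16}   # write coil(s) / register(s); all carry the start address first


def parse_adu(adu):
    """Split a Modbus/TCP ADU into (transaction id, unit id, function code, data),
    rejecting frames whose MBAP length field disagrees with the bytes actually present."""
    if len(adu) < 8:
        raise ValueError("short frame")
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:7])
    if pid != 0 or length != len(adu) - 6:
        raise ValueError("malformed MBAP header")
    return tid, unit, adu[7], adu[8:]


def dpi_verdict(src, adu):
    """Return (allow, reason) for one request frame from client address src."""
    rule = POLICY.get(src)
    if rule is None:
        return False, "unknown source"
    try:
        _, unit, fc, data = parse_adu(adu)
    except (ValueError, struct.error) as e:
        return False, "malformed: %s" % e
    if unit not in rule["units"]:
        return False, "unit %d not permitted" % unit
    if fc not in rule["fcs"]:
        return False, "function code %d not permitted" % fc
    if fc in WRITE_FCS:
        if len(data) < 2:
            return False, "write without address"
        addr = struct.unpack(">H", data[:2])[0]
        if addr not in rule["write_range"]:
            return False, "write to %d outside permitted range" % addr
    return True, "ok"


def frame(tid, unit, fc, payload):
    """Build a request ADU (MBAP header + PDU) for the demo cases."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def policy_demo():
    """Constructed traffic: one frame per case, returned as {case: (allow, reason)}."""
    cases = {
        "hmi_read":        ("10.0.1.10", frame(1, 1, 3, struct.pack(">HH", 5, 2))),
        "hmi_write_ok":    ("10.0.1.10", frame(2, 1, 6, struct.pack(">HH", 5, 1500))),
        "hmi_write_far":   ("10.0.1.10", frame(3, 1, 6, struct.pack(">HH", 30, 1))),
        "historian_write": ("10.0.1.20", frame(4, 1, 6, struct.pack(">HH", 5, 0))),
        "rogue_write":     ("10.0.1.99", frame(5, 1, 6, struct.pack(">HH", 5, 9999))),
        "wrong_unit":      ("10.0.1.10", frame(6, 2, 3, struct.pack(">HH", 0, 1))),
        "truncated":       ("10.0.1.10", frame(7, 1, 6, b"\x00")),
        "garbage":         ("10.0.1.10", b"\x00\x01\x00\x00\x00\x09\x01\x03"),
    }
    return {name: dpi_verdict(src, adu) for name, (src, adu) in cases.items()}


if __name__ == "__main__":
    for name, (allow, reason) in policy_demo().items():
        print("%-16s %-5s %s" % (name, "ALLOW" if allow else "DROP", reason))
```

The verdict is computed on the parsed frame rather than on the port number alone, so the historian host is still refused a write even though its address is trusted, and a frame whose MBAP length disagrees with its size is dropped before any field is trusted. A data diode, the other item on that slide, is the hardware form of the historian rule: one direction physically, with no policy table to misconfigure, but also no way to allow the HMI's legitimate writes.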

Page 35:

Vulnerabilities

...and counting!!

Page 36:

Case Study: Ukraine power outage

Page 37:

Exploitation Tools

...or buy them: Agora SCADA+ ('Made in Russia')

Page 38:

The End

Thank you...

Questions?