nullcon 2011 - Exploiting SCADA Systems
DESCRIPTION
Exploiting SCADA Systems by Jeremy Brown
TRANSCRIPT
Exploiting SCADA Systems
http://null.co.in/ http://nullcon.net/
Traditional SCADA Network Topology
“Control Systems Cyber Security: Defense in Depth Strategies”
As newer products compete to make SCADA systems intuitive and modern, you can see the number of attack vectors rise.
Say hello to ScadaMobile.
Available at the App Store for only $2.99 (lite) and $74.99 for the full version
So... what's wrong?
Security has been implemented as an add-on instead of being built into the product from the ground up.
http://www.matrikonopc.com/products/opc-data-management/opc-tunneller.aspx
http://www.indusoft.com/blog/?p=159
http://www.wateronline.com/product.mvc/ClearSCADA-SCADA-Management-Software-0002
http://www.isagraf.com/pages/news/0905PR-KingfisherDNP3.htm
Systems are typically installed for the long term, and software upgrades may require new hardware.
Not to mention downtime, and nobody likes downtime.
Depending on the product and the environment, just planning the patch process can be frustrating.
Something somewhere is connected to something that is connected to the Internet.
And some things just are connected to the Internet...
Courtesy of Shodan
(www.shodanhq.com)
“What really has to be done is better security around these systems and better, enforced security policies so the lack of patching does not matter.”
Quoted from someone in the Control Systems Industry.
This is the wrong way to view security. If this is what some people in the industry believe, it is no wonder so many vulnerabilities still exist...
No authentication?
You've got problems.
What would you like to do?
An exception has occurred.
Server is entering safe mode...
Oh, by the way, you no longer need credentials.
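The sequence on these slides (an exception, the server dropping into "safe mode", and credentials no longer being required) is a fail-open design. The following is an added example, not code from the talk or from any vendor's product: a constructed server that models that fail-open behaviour, next to a fail-closed version in which an error denies the request and any degraded mode only removes capabilities. The class names, the request format and the credential store are assumptions made for the example.

```python
"""Fail-open vs fail-closed authentication gates (added example).

SafeModeServer models the pattern described on the slides: an unhandled
exception flips the server into 'safe mode', and safe mode skips the
credential check. FailClosedServer is the defensive alternative. Names,
request format and the credential store are constructed for this example.
"""
import hashlib
import hmac

# Constructed credential store: username -> SHA-256 of the password (demo only).
USERS = {"operator": hashlib.sha256(b"correct-horse").hexdigest()}


def _check(user, password):
    """Constant-time comparison against the stored digest."""
    stored = USERS.get(user)
    if stored is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, digest)


class SafeModeServer:
    """Fail-open: an error switches the server into 'safe mode', and safe
    mode no longer asks for credentials at all."""

    def __init__(self):
        self.safe_mode = False

    def handle(self, request):
        try:
            if not self.safe_mode:
                user = request["user"]          # KeyError on a request with no credentials
                if not _check(user, request["password"]):
                    return "denied"
            return "executed " + request.get("cmd", "noop")
        except Exception:
            self.safe_mode = True               # the 'An exception has occurred' path
            return "safe mode"


class FailClosedServer:
    """Fail-closed: an error denies the request and never relaxes the
    policy; the degraded mode only restricts what an authenticated
    caller may do (here: read-only 'status')."""

    def __init__(self):
        self.degraded = False

    def handle(self, request):
        try:
            user = request.get("user")
            password = request.get("password")
            # Validate the shape of the request before touching the credential store.
            if not isinstance(user, str) or not isinstance(password, str):
                return "denied"
            if not _check(user, password):
                return "denied"
            if self.degraded and request.get("cmd") != "status":
                return "denied: degraded mode is read-only"
            return "executed " + request.get("cmd", "noop")
        except Exception:
            self.degraded = True                # still authenticated, fewer capabilities
            return "denied"


def demo():
    """Send an unauthenticated request twice to each server; the first
    trips the error path, the second shows whether authentication survived."""
    unauth = {"cmd": "open_valve"}
    auth = {"user": "operator", "password": "correct-horse", "cmd": "status"}
    fail_open, fail_closed = SafeModeServer(), FailClosedServer()
    return {
        "fail_open": [fail_open.handle(unauth), fail_open.handle(unauth)],
        "fail_closed": [fail_closed.handle(None), fail_closed.handle(unauth), fail_closed.handle(auth)],
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

The point to check in any error handler that changes a server's mode: the mode it enters must be at most as privileged as the mode it left. Here the fail-open server executes `open_valve` without credentials on the second call, while the fail-closed server still demands a valid login and only permits `status` once degraded.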
Vendors are not always “receptive” to vulnerability reports
Favorite Quotes
“I'm not sure what this perl script is trying to do?”
“If the CSV file is edited manually then it may not parse correctly when it gets loaded.”
“From what I can see there is no security vulnerability in our product, if the CSV file is invalid then the application will not run correctly.”
“Hi Jeremy, thanks but please don't waste my time.”
“That sounds like a threat Jeremy, are you expecting me to pay you something?”
Possible “Security Unaware” Vendor Q&A
I found several security vulnerabilities in your
products.....information.....
.....time passes.....
What are your plans regarding a patch?
“Product A isn't accessible from the Internet, so it's not vulnerable to attacks.”
So if someone owns a workstation on the same subnet with an IE exploit, how vulnerable do you consider it now?
“As long as you don't open untrusted files with Product AB, then the exploits can't harm the system.”
“Do you really want to risk the organization's security by trusting that someone won't open a file that could be found on the web, emailed, or dropped in a trusted location?”
“Product ABC uses a complex, proprietary protocol whose documentation is only circulated internally.”
What is to stop someone from using a packet sniffer and disassembler to analyze the protocol, figure out how it works, and spend some time researching how to exploit it?
Why is it important to audit SCADA software?
Stuxnet used a Siemens WinCC hard-coded database credentials vulnerability.
How many other vendors do this?
Kevin Finisterre
“If you outlaw SCADA exploits, only outlaws will have SCADA exploits.”
KF in 2008 after releasing CitectSCADA vulnerability information
http://www.exploit-db.com/papers/13028/
If you find vulnerabilities in SCADA products, I suggest you work with ICS-CERT. They will contact vendors, help coordinate disclosure, and generally help the process go smoothly.
MODBUS Fuzzing
Wait a few seconds...
“Tunneller” Protocol
[Packet diagram: fields Header, Signature, Length, Msg ID, Body, Trailer]
Connect Handshake
Client → Server
Session Handshake
Server → Client
Continued
Client → Server
Server → Client
Session Handshake Complete
Client → Server
Playing with lengths can be fun! Or not fun, or useful. Often time consuming and irritating actually. Literally be prepared to spend a lot of time chasing possibilities that aren't there. Just to, in the end, when you end up with another denial of service bug, wonder why you're still inside when it's 8 in the evening. Maybe I should have listened to Dad and become a doctor, or a lawyer.
Not only in SCADA protocols, but others too!
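The MODBUS fuzzing and "playing with lengths" slides describe feeding a protocol parser length fields that disagree with the bytes actually on the wire. The following is an added example, not code from the talk or from Sploitware, showing the defensive side of that: a strict parser for the Modbus/TCP MBAP header that rejects any frame whose declared length, protocol identifier or total size is inconsistent before it interprets a single byte of the payload. The field layout follows the public Modbus/TCP specification; the sample frames and the function names are constructed for this example.

```python
"""Length-field validation for Modbus/TCP frames (added example).

MBAP header: transaction id (2), protocol id (2, always 0), length (2,
number of bytes that follow the length field), unit id (1); then the PDU
(function code + data). Sample frames below are constructed, not captured.
"""
import struct

MBAP_LEN = 7                      # transaction id + protocol id + length + unit id
MAX_ADU = 260                     # largest Modbus/TCP frame the specification allows
MIN_LENGTH_FIELD = 2              # unit id + function code at minimum
MAX_LENGTH_FIELD = MAX_ADU - 6    # 254: everything after the length field itself


class FrameError(ValueError):
    """Raised when a frame fails a structural check; the message says which."""


def parse_mbap(frame: bytes) -> dict:
    """Parse and validate one Modbus/TCP ADU.

    Returns the decoded header and PDU or raises FrameError. The PDU is
    not touched until the header is known to agree with the frame size,
    so a lying length field cannot drive an out-of-bounds read.
    """
    if len(frame) < MBAP_LEN + 1:
        raise FrameError("truncated: %d bytes, need at least %d" % (len(frame), MBAP_LEN + 1))
    if len(frame) > MAX_ADU:
        raise FrameError("oversized: %d bytes exceeds %d" % (len(frame), MAX_ADU))
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise FrameError("protocol id %d is not Modbus (0)" % pid)
    if not MIN_LENGTH_FIELD <= length <= MAX_LENGTH_FIELD:
        raise FrameError("length field %d outside %d..%d" % (length, MIN_LENGTH_FIELD, MAX_LENGTH_FIELD))
    actual = len(frame) - 6       # bytes that really follow the length field
    if length != actual:
        raise FrameError("length field %d but %d bytes follow it" % (length, actual))
    pdu = frame[MBAP_LEN:]
    return {"transaction_id": tid, "unit_id": unit, "function": pdu[0], "data": pdu[1:]}


def verdict(frame: bytes) -> str:
    """One-line accept/reject summary, usable as a passive monitor's output."""
    try:
        hdr = parse_mbap(frame)
    except FrameError as err:
        return "reject: " + str(err)
    return "ok: fc=%d unit=%d data=%s" % (hdr["function"], hdr["unit_id"], hdr["data"].hex())


# Constructed sample frames: one legitimate Read Holding Registers request
# (function 3, start 0, quantity 10) and several with inconsistent headers.
SAMPLES = {
    "read_holding_regs":   bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    "length_too_big":      bytes.fromhex("0002 0000 00ff 01 03 0000 000a"),
    "length_over_actual":  bytes.fromhex("0003 0000 0020 01 03 0000 000a"),
    "length_under_actual": bytes.fromhex("0004 0000 0003 01 03 0000 000a"),
    "wrong_protocol":      bytes.fromhex("0005 0001 0006 01 03 0000 000a"),
    "truncated":           bytes.fromhex("0006 0000 0006 01"),
}


def scan(samples=SAMPLES) -> dict:
    """Run every sample through the parser and collect the verdicts."""
    return {name: verdict(frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, result in scan().items():
        print("%-20s %s" % (name, result))
```

Two of the rejected frames carry exactly the bytes a fuzzer would produce by mutating only the length field; a parser that trusts that field and reads `length` bytes from the socket is the one that ends up as the denial-of-service bug mentioned above. The same check works as a monitoring rule: a frame whose declared length disagrees with its actual size should never appear on a healthy control network.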
Sploitware
Just a small project of mine focused on SCADA and related software
Can check systems for potentially vulnerable software, exploit vulnerabilities, lots of fun stuff
DEMO!
Recommendations
Vendors...
Try to break it before you ship it!
(And check out TAOSSA)
Clients...
Do a security evaluation before you make the purchase.
Because other people will.
Thank you!
jbrown at patchtuesday.org