1
Jonathan Pollet, CISSP, PCIP, CAP
12 years of electrical engineering, SCADA, industrial controls, and IT experience
PLC programming and SCADA system design and commissioning
Wireless RF and telecommunications design and startup
Front-end web development for SCADA data
Backend database design for SCADA data
Acting CIO for a major oil company for 2 years (enterprise IT management)
2
red tiger security
Consulting
Cyber Vulnerability Assessments for NERC CIP-005/007
SCADA / Wireless Telemetry Penetration Testing
Network Architecture Analysis / Design
Cyber Security Compliance Assistance
Development of SCADA test beds (Malaysia, Qatar, UAE, University of Tulsa, University of Houston, and several private industry clients)
Training
5-Day SCADA Security Advanced Course (SANS)
2-Day SCADA Security Course (BlackHat)
Research
Applicability and Usability of Cyber Security Solutions for SCADA / ICS
Product Evaluations
Various DHS Research Initiatives for ICS
Standards Development
3
outline
the world has changed: it is digital and connected
threats have changed: they are digital and connected
the 0-day market
how can bad stuff get in? (videos)
direct compromise of vulnerable services
what can be done to SCADA / ICS devices once you are in? (videos)
4
major world ISP and telecom trunks
5
malware can spread at the rate of 125 machines per second
Within ten minutes of the start of the SQL Slammer worm, 75,000 machines were already infected. This included many critical infrastructure systems.
6
new hacking techniques leverage social networking platforms to establish trusted connections
7
anyone know this girl?
8
malicious attachments
MS Products
Word, Excel, etc
9
Adobe is still leading the pack :)
[Pie chart: file types used in targeted attacks. Adobe Acrobat 48.87%, MS Word 39.22%, MS Excel 7.39%, MS PowerPoint 4.52%.]
Source: http://www.f-secure.com/weblog/archives/00001676.html
10
malware is the most utilized attack vector
[Pie chart: attack vectors by share of incidents. Malware is the largest slice at 66.8%; the remaining slices are Inappropriate Use, Physical Loss, Phishing, Denial of Service, Unauthorized Access Attempt and Other.]
11
usb toolkits provide fast physical access
autorun not required
U3 not required
12
anyone want a free mouse?
13
Android = a rootkit in your pocket that knows your location and has access to your email, data, bank accounts, and the Internet
14
we now have to worry about our phones
Google pulled more than 50 apps from the Android Marketplace in March after a security researcher found a Trojan that used applications to spread. The Trojan, called DroidDream, infected more than a quarter million Android phones. One sign of a DroidDream infection was resource consumption, due to the way the malware exploits the phone.
15
electrical SCADA systems have changed too
16
all we had to worry about before was physical access
17
now SCADA systems are digital and connected
18
modern SCADA systems are running on the same OS as corporate desktops
19
they send data in the clear, without any requirement for encryption or authentication
20
SCADA control rooms are morphing into IT data rooms
21
the trend for new control room installations is to keep the servers in data rooms and only leave the screens, keyboards, and mice in the control room
22
from a cyber perspective, SCADA systems look similar to business systems
Active Directory
File/print servers
23
SCADA and ICS systems are low-hanging fruit for security researchers. Why?
Control system vendors, if they test their systems for bugs at all, typically only run their applications through basic regression tests, and this process is maybe 5% of what Microsoft does to test its code.
All of those thousands of legacy products out there were NEVER tested for simple cyber security flaws like buffer overflows.
24
100 SCADA bugs in 100 days - McCorkle & Rios
Terry McCorkle (Boeing Red Team by day, security researcher by night)
All data and SCADA/ICS software used in their research was found FREE on the web (over 3600 SCADA and ICS executable files found using these searches):
+HMI +Download + filetype :(exe,zip,msi)
+HMI +<Vendor Name> +Download
25
100 SCADA bugs in 100 days - McCorkle & Rios
Downloaded over 380 HMI and control workbench software packages, but only tested 76 of them.
Most bugs and crashes were code problems straight out of the 90s: simple buffer overflows.
They would set up the automated fuzzing software at night, go to sleep, and find bugs and crashes in the morning; or set the fuzzers in the morning, come back home from work, and find more waiting for them at night.
26
interesting ICS-CERT facts
753% increase in vulnerability disclosures to ICS-CERT over the past year.
Motivation?
Glory, Fame, $$ ??
27
the 0day market is booming
Nation States
Underground
Commercial market
ZDI (HP)
iDefence
Brokers
Researchers and Buyers
ExploitHub
28
Exploit frameworks now contain SCADA-specific exploit modules
Metasploit: 17 exploit modules
29
Night Dragon APT attacks on US energy and chemical companies moved from the Internet, through corporate IT systems, and into the SCADA systems
30
so how does bad stuff get in?
the perfect ESP :)
31
ideally, we would like to keep all of the Critical Cyber Assets (CCAs) on the inside working while blocking all of the bad stuff
32
we have to share information, so we create islands of operations and then DMZs between security zones
[Zone diagram: Internet -> Corporate IT -> SCADA DMZ -> SCADA LAN -> RTUs / PLCs / Meters]
33
unfortunately, we come under pressure to open holes for communications between what used to be separate trusted security zones
[Zone diagram: Internet -> Corporate IT -> SCADA DMZ -> SCADA LAN -> RTUs / PLCs / Meters, with holes punched between zones]
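One way to keep the "holes" honest against the zone model in the two diagrams above is to audit the firewall ruleset against the zone ordering. This is an added example, not the presentation's own material; the zone names, the `Rule` shape and the sample rules are constructed, and the policy it enforces (cross one boundary at a time, do not initiate connections into the SCADA side from a less trusted zone, no any-port rules) is an assumption stated here, not a standard the slides cite.

```python
# Added example: audit firewall rules against the slide's zone model.
# Zones are ordered least trusted first; a rule should cross only one
# boundary (so traffic must go through the DMZ), connections into the
# SCADA side should not be initiated from a less trusted zone, and an
# "any" port is treated as a hole wider than any stated need.
from dataclasses import dataclass

# Trust order taken from the slide diagram. "Field Devices" stands in for
# the RTUs / PLCs / Meters tier.
ZONES = ["Internet", "Corporate IT", "SCADA DMZ", "SCADA LAN", "Field Devices"]


@dataclass(frozen=True)
class Rule:
    src: str        # zone where the connection is initiated
    dst: str        # zone that accepts the connection
    port: str       # TCP/UDP port number as text, or "any"
    note: str = ""  # human-readable purpose of the rule


def audit_rule(rule: Rule) -> list[str]:
    """Return the policy problems with one rule (empty list means clean)."""
    problems = []
    s, d = ZONES.index(rule.src), ZONES.index(rule.dst)
    if abs(s - d) > 1:
        problems.append(f"skips a security zone ({rule.src} -> {rule.dst})")
    if s < d and d >= ZONES.index("SCADA LAN"):
        problems.append(f"inbound into {rule.dst} initiated from {rule.src}")
    if rule.port == "any":
        problems.append("permits any port (wider than the stated need)")
    return problems


def audit_rules(rules: list[Rule]) -> dict[str, list[str]]:
    """Map each offending rule's note to its problems; clean rules are omitted."""
    return {r.note: audit_rule(r) for r in rules if audit_rule(r)}


# Constructed sample ruleset: two clean hops plus three typical "holes".
SAMPLE_RULES = [
    Rule("Corporate IT", "SCADA DMZ", "443", "historian web reports"),
    Rule("SCADA LAN", "SCADA DMZ", "5450", "historian data push"),
    Rule("Corporate IT", "SCADA LAN", "3389", "vendor RDP straight to HMI"),
    Rule("Internet", "SCADA LAN", "any", "remote support any/any"),
    Rule("SCADA DMZ", "SCADA LAN", "502", "DMZ-initiated polling"),
]

if __name__ == "__main__":
    for note, probs in audit_rules(SAMPLE_RULES).items():
        print(f"{note}: {'; '.join(probs)}")
```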
34
scenario 1 - direct compromise of vulnerable services
From open-source intelligence gathering, Google searches, or social engineering, an attacker determines the asset is running an Emerson DeltaV DCS system.
What is possible?
35
36
scenario 2 - attacker pivots off of the historian, which is accessible from the corporate IT LAN
What is possible?
37
38
scenario 3 - now with routed access into the SCADA LAN, what can we do with the controllers?
enumeration of functions
denial of service
denial of access
denial of control
manipulation of view
39
function enumeration
40
denial of service
41
denial of access
42
denial of access
43
denial of access
Locked Out. We just turned the PCN into some blinking bricks.
44
denial of control
Several vectors
At the Operator stations
On the wire (Ethernet)
At the source (Controller/IED)
45
46
manipulation of view
47
48
49
50
the sky is not falling (yet)
51
52
technologies that are holding back the tide
1. Physical Security & Remote Access
- Full session logging solutions for VPN connections
2. Network Perimeter
- UTM devices (Fortinet, Juniper, Cisco ASA)
- Application-aware firewalls (Palo Alto Networks, Barracuda appliances, etc.)
- Industrial firewalls (Emerson, Honeywell, Tofino, mGuard, Endian)
- Network monitoring tools (SolarWinds, LogicMonitor, Nagios, etc.)
- Vulnerability scanning appliances (Nessus, Rapid7 Nexpose, Nmap, etc.)
- IDS/IPS solutions (Snort, Sourcefire, etc.)
- Centralized SEM solutions (NitroSecurity, Industrial Defender, LogLogic, etc.)
3. SCADA DMZ
- OPC tunnelers (Matrikon, Kepware)
- PI-to-PI trusts (OSIsoft)
53
technologies that are holding back the tide
4. Control Room Servers and Workstations
- Application whitelisting (CoreTrace, Bit9, McAfee AV)
- USB-port locking (BitLocker, USB Lock, etc.)
54
lastly, step your game up :)
Get training
Try things
55
contact info / q & a
Credits
:: Ty Bodell for assistance with the demos
:: Thievery Corporation and Pendulum for the soundtracks
56