1. Sergey Gordeychik
Denis Baranov
Gleb Gritsai

2.  Sergey Gordeychik
 Positive Technologies CTO, Positive Hack Days Director
and Scriptwriter, WASC board member
 http://sgordey.blogspot.com, http://www.phdays.com
 Gleb Gritsai
 Principal Researcher, Network security and forensic
researcher, member of PHDays Challenges team
 @repdet, http://repdet.blogspot.com
 Denis Baranov
 Head of AppSec group, researcher, member of PHDays
CTF team

3.  Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster and
to keep Purity Of Essence
Sergey Gordeychik Gleb Gritsai Denis Baranov
Roman Ilin Ilya Karpov Sergey Bobrov
Artem Chaykin Yuriy Dyachenko Sergey Drozdov
Dmitry Efanov Yuri Goltsev Vladimir Kochetkov
Andrey Medov Sergey Scherbel Timur Yunusov
Alexander Zaitsev Dmitry Serebryannikov Dmitry Nagibin
Dmitry Sklyarov Alexander Timorin Vyacheslav Egoshin
Ilya Smith Roman Ilin Alexander Tlyapov

4. http://scadastrangelove.blogspot.com/2012/11/scada-safety-in-numbers.html

5.  Siemens ProductCERT
 Reallyprofessional team
 Quick responses
 Personal contacts
 Even Patches 
 You guys rock!

6.  Common target during pentests
 Most common platform (market, ShodanHQ)
 Largest number of published and fixed bugs

7.  Invensys Wonderware
 Yokogawa
 ICONICS
 ….
 Stay tuned!

9. ERP
BUSINESS LAYER
MES
OPERATION AND
PRODUCTION
SUPERVISION
SCADA
SUPERVISOR
CONTROL
PLC/RTU
DIRECT CONTROL

12.  SCADA network is isolated and is not connected to other
networks, all the more so to Internet
 MES/SCADA/PLC is based on custom platforms, and
attackers can’t hack it
 HMI has limited functionality and does not allow to
mount attack
…

13.  100% of tested SCADA networks are exposed to
Internet/Corporate network
 Network equipment/firewalls misconfiguration
 MES/OPC/ERP integration gateways
 HMI external devices (Phones/Modems/USB Flash) abuse
 VPN/Dialup remote access
 99.9(9)% of tested SCADA can be hacked with Metasploit
 Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)
 Standard protocols (RCP, CIFS/SMB, Telnet, HTTP…)
 Standard bugs (patch management, passwords, firewalling,
application vulnerabilities)

14.  50% of HMI/Engineering stations are also used as
desktops
 Kiosk mode bypass
 (Secret) Internet access
 games/”keygens”/trojans and other useful software
ICS security = Internet security in the early 2000
VS

15. • NO magic on network
• Standard network protocols/channel level
• NO magic on system level
• Standard OS/DBMS/APPs
• Windows/SQL for SCADA
• Linux/QNX for PLC
• NO AppSec at all
• ICS guys don’t care about IT/IS
• MES reality - connecting SCADA to other
networks/systems (ERP etc.)

17. • Ethernet
• Cell (GSM, GPRS, …)
• RS-232/485
• Wi-Fi
• ZigBee
• Lot’s of other radio and wire
• All can be sniffed thanks to community

18. • Modbus
• DNP3
• OPC
• S7
• And more and more …
• EtherCAT
• FL-net
• Foundation Fieldbus

19. • Sniffing
• Spoofing/Injection
• Fingerprinting/Data collection
• Fuzzing
• Security?!

20.  Wireshark supports most of it
 Third-party protocol dissectors for
Wireshark
 Industry grade tools and their free
functions
 FTE NetDecoder
 No dissector/tool – No problem
 Plaintext and easy to understand protocols

21.  Widely available tools for Modbus packet
crafting
 Other protocols only with general packet
crafters (Scapy)
 More tools to come (from us ;))
 Most of protocols can be attacked by simple
packet replay
 Or you can write your own fuzZzer*…
*But don’t forget about Python compilation issues (sec-recon, hi there)

22.  Well known ports
 Modbus
 Product, Device, GW, Unit enumeration
 S7
 Product, Device, Associated devices
 OPC
 RPC/DCOM, but authentication
 Modern fingerprinting add-ons
 snmp, http, management ports

24. By Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin
Google/Shodan dorks for:
 Siemens
 Emerson
 Allen-Bradley
 Rockwell Automation
 Schneider Electric
 General Electric
Want to be real SCADAHacker?
Just click!
http://bit.ly/12RzuJC

26.  Open Source ICS devices scan/fingerprint tool
 Support modbus, S7, more to come
 Software and hardware version
 Device name and manufacturing
 Other technical info
 Thank to Dmitry Efanov

27. http://scadastrangelove.blogspot.ru/2012/11/plcscan.html

30.  Just a network device with it’s own
 OS
 Network stack
 Applications
 …vulnerabilities
 How to find vulnerabilities in PLC
 Nothing special
 Fuzzing
 Code analysis
 Firmware reversing

31.  Firmware is in Intel HEX format
 Several LZSS blobs and ARM code
 Blobs contain file system for PLC
 Web application source code (MSWL)
… And ...

32.  ASCII armored certificate!
 For what?
 For built-in Certification Authority
?!?!??!!!??!
 Is there a private key?

33. 
…responsible answer

34.  Hardcoded S7 PLC CA certificate (Dmitry Sklarov)
http://scadastrangelove.blogspot.com/2012/09/all-
your-plc-belong-to-us.html
 Multiple vulnerabilities in S7 1200 PLC Web
interface (Dmitriy Serebryannikov, Artem Chaikin,
Yury Goltsev, Timur Yunusov)
http://www.siemens.com/corporatetechnology/pool/
de/forschungsfelder/siemens_security_advisory_ssa-
279823.pdf

36. • Network stack
• Connects with PLCs, etc
• OS
• Database
• Applications
• HMI
• Web
• Tools

37.  Depends on OS/DBMS security
 GUI restrictions/Kiosk mode for HMI
 OS network stack and API heavily used
 File shares
 RPC/DCOM
 Database replication
 Password authentication, ACLs/RBAC
 Something else?

38. • Nothing special
• Windows/Linux
• No Patches
• Weak/Absence-of Passwords
• Misconfiguration
• Insecure defaults

39. • Insecurity configuration
• Users/password
• Configuration
• ICS-related data

40. • Hardcoded accounts (fixed)
• MS SQL listening network from
the box*
• “Security controller” restricts to Subnet
• Two-tier architecture with
Windows integrated auth and
direct data access
• We don’t know how to make it secure
• Lot of “encrypted” stored
procedures with exec

41. • First noticed in May 2005
• Published in April 2008
• Abused by StuxNet in 2010
• Fixed by Siemens in Nov 2010*
• Still works almost everywhere
*WinCC V7.0 SP2 Update 1

43. • {Hostname}_{Project}_TLG*
• TAG data
• СС_{Project}_{Timestamp}*
• Project data and configuration
• Users, PLCs, Priviledges

44. • Managed by UM app
• Stored in dbo.PW_USER

46. • Administrator:ADMINISTRATOR
• Avgur2 > Avgur

51. This is my
encryptionkey

53. …responsible disclosure

54.  WinCC Harvester msf module
 WinCC security hardening guide
 Exclusive cipher tool & msf
module. We don’t have yet…
http://scadastrangelove.blogspot.com/2012/11/wincc-harvester.html
http://scadastrangelove.blogspot.ru/2012/12/siemens-simatic-wincc-7x-security.html

57.  WebNavigator
 Web-based HMI
 IIS/ASP.NET
 ActiveX client-side
 DiagAgent
 Diagnostic and remote management application
 Custom web-server
 …

59.  Not started by default and shouldn’t never be
launched
 No authentication at all
 XSSes
 Path Traversal (arbitrary file reading)
 Buffer overflow

60.  Web-based HMI
 XPath Injection (CVE-2012-2596)
 Path Traversal (CVE-2012-2597)
 XSS ~ 20 Instances (CVE-2012-2595)
 Fixed in Update 2 for WinCC V7.0 SP3
http://support.automation.siemens.com/WW/view/en/60984587

61.  Can help to exploit server-side vulnerabilities*
 Operator’s browser is proxy to SCADAnet!

?
Anybody works with SCADA and Internet
using same browser?
* http://www.slideshare.net/phdays/root-via-xss-10716726

62. http://www.surfpatrol.ru/en/report

63.  A lot of “WinCCed” IE from
countries/companies/industries
 Special prize to guys from US for
WinCC 6.X at 2012

65.  Lot of XSS and CSRF
 CVE-2012-3031
 CVE-2012-3028
 Lot of arbitrary file reading
 CVE-2012-3030
 SQL injection over SOAP
 CVE-2012-3032
 ActiveX abuse
 CVE-2012-3034
http://bit.ly/WW0TL2

67. 
…responsible disclosure

74. All pictures are taken from
Dr StrangeLove movie