2. Sergey Gordeychik
Positive Technologies CTO, Positive Hack Days Director
and Scriptwriter, WASC board member
http://sgordey.blogspot.com, http://www.phdays.com
Gleb Gritsai
Principal Researcher, Network security and forensic
researcher, member of PHDays Challenges team
@repdet, http://repdet.blogspot.com
Denis Baranov
Head of AppSec group, researcher, member of PHDays
CTF team
3. Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster and
to keep Purity Of Essence
Sergey Gordeychik Gleb Gritsai Denis Baranov
Roman Ilin Ilya Karpov Sergey Bobrov
Artem Chaykin Yuriy Dyachenko Sergey Drozdov
Dmitry Efanov Yuri Goltsev Vladimir Kochetkov
Andrey Medov Sergey Scherbel Timur Yunusov
Alexander Zaitsev Dmitry Serebryannikov Dmitry Nagibin
Dmitry Sklyarov Alexander Timorin Vyacheslav Egoshin
Ilya Smith Roman Ilin Alexander Tlyapov
9. ERP - BUSINESS LAYER
MES - OPERATION AND PRODUCTION SUPERVISION
SCADA - SUPERVISOR CONTROL
PLC/RTU - DIRECT CONTROL
12. SCADA network is isolated and is not connected to other
networks, much less to the Internet
MES/SCADA/PLC is based on custom platforms, and
attackers can’t hack it
HMI has limited functionality and does not allow
mounting an attack
…
13. 100% of tested SCADA networks are exposed to
Internet/Corporate network
Network equipment/firewall misconfiguration
MES/OPC/ERP integration gateways
HMI external devices (Phones/Modems/USB Flash) abuse
VPN/Dialup remote access
99.9(9)% of tested SCADA can be hacked with Metasploit
Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)
Standard protocols (RCP, CIFS/SMB, Telnet, HTTP…)
Standard bugs (patch management, passwords, firewalling,
application vulnerabilities)
14. 50% of HMI/Engineering stations are also used as
desktops
Kiosk mode bypass
(Secret) Internet access
games/”keygens”/trojans and other useful software
ICS security = Internet security in the early 2000s
VS
15. • NO magic on network
• Standard network protocols/channel level
• NO magic on system level
• Standard OS/DBMS/APPs
• Windows/SQL for SCADA
• Linux/QNX for PLC
• NO AppSec at all
• ICS guys don’t care about IT/IS
• MES reality - connecting SCADA to other
networks/systems (ERP etc.)
17. • Ethernet
• Cell (GSM, GPRS, …)
• RS-232/485
• Wi-Fi
• ZigBee
• Lots of other radio and wire
• All can be sniffed thanks to the community
18. • Modbus
• DNP3
• OPC
• S7
• And more and more …
• EtherCAT
• FL-net
• Foundation Fieldbus
20. Wireshark supports most of it
Third-party protocol dissectors for Wireshark
Industry grade tools and their free functions
FTE NetDecoder
No dissector/tool – No problem
Plaintext and easy to understand protocols
21. Widely available tools for Modbus packet crafting
Other protocols only with general packet crafters (Scapy)
More tools to come (from us ;))
Most of protocols can be attacked by simple packet replay
Or you can write your own fuzZzer*…
*But don’t forget about Python compilation issues (sec-recon, hi there)
22. Well known ports
Modbus
Product, Device, GW, Unit enumeration
S7
Product, Device, Associated devices
OPC
RPC/DCOM, but authentication
Modern fingerprinting add-ons
snmp, http, management ports
24. By Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin
Google/Shodan dorks for:
Siemens
Emerson
Allen-Bradley
Rockwell Automation
Schneider Electric
General Electric
Want to be real SCADAHacker?
Just click!
http://bit.ly/12RzuJC
26. Open Source ICS devices scan/fingerprint tool
Supports Modbus, S7, more to come
Software and hardware version
Device name and manufacturer
Other technical info
Thanks to Dmitry Efanov
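The fingerprinting described on slides 20 to 26 rests on Modbus being plaintext and simple to dissect. The following is an added example, not the PHDays tool or Positive Technologies code: a minimal Modbus/TCP dissector that validates the MBAP header, decodes the Read Device Identification response (function 0x2B, MEI type 0x0E, as defined in the Modbus application protocol specification) that carries vendor, product code and revision, and tags state-changing function codes for alerting. The vendor and product strings are constructed sample values, not a real device capture.

```python
import struct
from dataclasses import dataclass, field
# Basic object ids of Read Device Identification (FC 0x2B, MEI type 0x0E): the fingerprint fields
DEVICE_ID_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}
# Function codes that change controller state; worth alerting on when sent from an unexpected host
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int          # function code with the exception bit cleared
    is_exception: bool     # high bit of the function code set in the response
    data: bytes            # PDU payload after the function code
    device_id: dict = field(default_factory=dict)

def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Dissect one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # MBAP length counts unit id plus PDU
        raise ValueError("MBAP length does not match frame size")
    result = ModbusFrame(tid, unit, frame[7] & 0x7F, bool(frame[7] & 0x80), frame[8:])
    if result.function == 0x2B and not result.is_exception and result.data[:1] == b"\x0e":
        result.device_id = parse_device_id_objects(result.data)
    return result

def parse_device_id_objects(data: bytes) -> dict:
    """Walk the (id, length, value) object list that follows the 6-byte head of a 0x2B/0x0E response."""
    pos, objects = 6, {}
    for _ in range(data[5]):  # data[5] is the object count
        oid, olen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated device identification object")
        objects[DEVICE_ID_OBJECTS.get(oid, f"object_{oid:#04x}")] = value.decode("ascii", "replace")
        pos += 2 + olen
    return objects

def build_device_id_response(tid: int, unit: int, objects: dict) -> bytes:
    """Assemble a Read Device Identification response; used here only to construct sample input."""
    body = b"".join(bytes([oid, len(v)]) + v.encode("ascii") for oid, v in objects.items())
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
# Constructed samples, not captures from real equipment
SAMPLE_DEVICE_ID = build_device_id_response(1, 1, {0x00: "ACME Automation", 0x01: "PLC-1000", 0x02: "v1.2.3"})
SAMPLE_WRITE = struct.pack(">HHHB", 2, 0, 9, 1) + bytes([0x10, 0, 0, 0, 1, 2, 0, 0x2A])  # Write Multiple Registers
```

Run against a pcap export or a live capture, the same parser gives an asset inventory from the identification responses and a list of hosts issuing write function codes, which is what a defender wants to baseline on a network that has no authentication at the protocol level.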
30. Just a network device with its own
OS
Network stack
Applications
…vulnerabilities
How to find vulnerabilities in PLC
Nothing special
Fuzzing
Code analysis
Firmware reversing
31. Firmware is in Intel HEX format
Several LZSS blobs and ARM code
Blobs contain file system for PLC
Web application source code (MSWL)
… And ...
32. ASCII armored certificate!
For what?
For built-in Certification Authority
?!?!??!!!??!
Is there a private key?
40. • Hardcoded accounts (fixed)
• MS SQL listening on the network out of the box*
• “Security controller” restricts access to the subnet
• Two-tier architecture with Windows integrated auth and
direct data access
• We don’t know how to make it secure
• Lots of “encrypted” stored procedures with exec
41. • First noticed in May 2005
• Published in April 2008
• Abused by StuxNet in 2010
• Fixed by Siemens in Nov 2010*
• Still works almost everywhere
*WinCC V7.0 SP2 Update 1
43. • {Hostname}_{Project}_TLG*
• TAG data
• CC_{Project}_{Timestamp}*
• Project data and configuration
• Users, PLCs, Privileges
59. Not started by default and should never be launched
No authentication at all
XSSes
Path Traversal (arbitrary file reading)
Buffer overflow
61. Can help exploit server-side vulnerabilities*
Operator’s browser is a proxy into SCADAnet!
?
Does anybody work with SCADA and the Internet
using the same browser?
* http://www.slideshare.net/phdays/root-via-xss-10716726