SlideShare una empresa de Scribd logo

Experience with testing industrial cybersecurity solutions against real-world attack scenarios

Anton Shipulin
Anton Shipulin

Slide deck from the XIII International Congress of Industrial Cybersecurity in Madrid Sep 24-25, by Industrial Cybersecurity Center (CCI) #CCICON_13

Tecnología
1 de 27
Descargar para leer sin conexión
• Industrial Cybersecurity Business Development at Kaspersky Lab • Head of program committee of Kaspersky Industrial Cybersecurity Conference • Coordinator for Russia at Industrial Cybersecurity Center (CCI) • Co-Founder of ICS Cyber Security community RUSCADASEC • Certified SCADA Security Architect (CSSA), CISSP, CEH • @shipulin_anton
• • •
https://ics.kaspersky.com/
https://www.nsslabs.com/tested-technologies/
• • • • • • • • • • • • • • • • • • • •
https://twitter.com/shipulin_anton
https://attack.mitre.org
https://public.tableau.com/profile/cyb3rpanda#!/vizhome/MITREATTCKMatrixforEnterpriseV2/ATTCK Endpoint Data Network Data
https://www.gartner.com/en/documents/3875421 https://blogs.gartner.com/augusto-barros/2018/04/17/threat-simulation-open-source-projects/ https://github.com/redhuntlabs/RedHunt-OS/ • • • • • • • • • • • • • • • • • https://attackevals.mitre.org
https://ctf.kaspersky.com
Full details on the testbed https://itrust.sutd.edu.sg/testbeds/secure-water-treatment-swat/ 6 stages: ►P1: RAW water Supply and storage ►P2: Pre‐treatment ►P3: Ultrafiltration and backwash ►P4: De‐Chlorination System ►P5: Reverse Osmosis (RO) ►P6: RO Permeate Transfer, UF Backwash and Cleaning
Cybercriminal Attacker Model - Control of the PLC through the Bridged Man-in-the-Middle (MiTM) at Level 0 - Control of the chemical dosing system through a Python script (pycomm) - Control of the Historian through the Aircrack WiFi - Control of the pressure through the Server Message Block (SMB) - Control of the water level in the tank through the Metasploit VNC Scanner - Control of the pump through a rogue router - Control of the pump through the FactoryTalk and password vulnerability - Control of the pressure pump through Python script (pycomm) - Control of the pump through the compromised HMI - Overwriting data stored at Historian - Control of the Historian through MiTM using ARP Insider Attacker Model - Control of the Motorised Valve through Manual Intervention - Control of the RIO/Display through manual configuration on the sensor - Control of the water pump P101 through the Python script (pycomm) - Control of the water pump P101 through manual operation of the HMI - Control of the pressure pump through Python script (pycomm) - Control of the water tank level LIT101 through Python script (pycomm) - Control of chemical dosing through modified PLC Logic - Control of the RIO through disconnecting Analogue Input/Output pin - Control of the amount of chemical dosing through Python script - Control of the PLC through the modification of PLC logic in Studio 5000 - Control of the motorised valve through modification of PLC logic in Studio 5000 - Control of the motorised valve MV201 through the modification of PLC logic - Control of the water tank level LIT301 through adjusting alarm levels - Control of the chemical dosing pump P205 through manual operation of the dosing meter - Control of the HMI/SCADA through simulation control - Control of the PLC through disconnected network cables Details: https://goo.gl/y1Pxre
• Out of the box installation with no learning mode • Only L1 monitoring / L0 attacks was out of scope • Didn’t monitor physical attacks Detection results Details: https://goo.gl/y1Pxre
2:23 - Scanning both Zycron and SWaT network concurrently. 2:30 - Discovered the VNC service. 2:38 - Attack: Attempting to do MITM attack on PLC1 2:50 - Attack: Attempting to do Layer 0 MITM attack on LIT101. 2:23 - Scanning both Zycron and SWaT network concurrently. 2:30 - Discovered the VNC service. 2:38 - Attack: Attempting to do MITM attack on PLC1 Attempt to do bridge in primary plc to RIO 2:50 - Attack: Attempting to do Layer 0 MITM attack on LIT101. Spoof water level to 390 2:54 - Attack Successful! 2:59 - Attack: Download modified P2 PLC code. 3:01 - Attack Unsuccessful! 3:18 - Attack: Downloading modified P2 PLC code. Attack Unsuccessful! 3:19 - Attack: Trying to breach the firewall. 3:22 - Attack: Overwriting PLC code. Attack Unsuccessful! 3:38 - Attack: Attempting to set LIT101 to 300. Attack Unsuccessful! 4:16 - Spoofing attack LIT101 at HMI Successful! 4:45 - Download of PLC code failed! 5:07 - Launch on DPIT pressure successful! 5:18 - Attempt to change plant to manual mode. 5:19 - Attempt successful! 5:20 - Attempt to stop plant process. 5:23 - Attempt to stop/start plant successful! 5:28 - Attack : Attempt to do DoS attack on historian for all values. Attack unsuccessful! 5:36 - Attack : Attempt to do DoS attack on historian for all values. Attack unsuccessful! 6:18 - Attack: Attempt to do DoS attack on historian for all values. Attack unsuccessful! 6:20 - Eternal Blue attack: Time Out! https://itrust.sutd.edu.sg/ciss-2019/
Overview of dataset requests by country (left) and year (right) • Secure Water Treatment (SWaT) • SWaT Security Showdown (S317) • Water Distribution (WADI) • BATtle of Attack Detection Algorithms (BATADAL) • Electric Power and Intelligent Control (EPIC) • Blaq_0 https://itrust.sutd.edu.sg/research/dataset/ Visit by Kaspersky LabDetected attack: 23 out of 34 Not detected: 9 with small impacts Correct interpretation: 22 out of 23 False positive: 3 as attack continuation New anomalies: 7 anomalies Kaspersky Machine Learning for Anomaly Detection Results on the SWaT Dataset https://tinyurl.com/mlad2018
• WMI Lateral Movement • Reconnaissance / Network Scan • Reconnaissance / Reading Project from PLC / Modbus • Reconnaissance / Modbus Scan • Transfer Malicious Firmware to Rockwell Automation PLC • Modbus Write Attempt from an Internet address • “Stuxnet” Malware Network Activity • “Havex” Malware Network Activity • “Greyenergy” Malware Network Activity https://www.youtube.com/watch?v=vSd8hoRqnF4&list=PLPmbqO785Hlt3yFvW-EZhvRq53EcCjmZc https://www.youtube.com/watch?v=A2tQo4t4ibo
KICS 60870-5-104 Protocol Events https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
Endpoint activities at different levels and stages Powershell, Python SSH clients (Putty/Plinks) Netcat/Cryptocat Mmikatz, PsExec AdExplorer, ShareEnum, PsGetSid Nmap, iPerf Trilog.exe Network activities at different levels and stages DNS SSH RDP RPC/SMB (PsExec) HTTP (Webshell) TCP/UDP (Nmap, iPerf) VPN Tristation (UDP) PLC Fieldbus Control Network SCADA/DCS Network Plant DMZ Network Office Network PLC SCADA SCADA SCADA SCADA SIS SIS Safety Instrumented System SIS EWS SIS Internet Attacker • Trilog.exe • Tristation (UDP)
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN
Unusual time for an engineering connection
Unauthorized application Not in the white list
• plaintext passwords • user authentication failures • new network devices • abnormal network traffic between devices • internet connectivity • data exfiltration • unauthorized software installations • PLC firmware modifications • unauthorized PLC logic modifications • file transfers between devices • abnormal ICS protocol communications • malware • denial of service (DoS) • abnormal manufacturing system operations • port scans/probes • environmental changes https://csrc.nist.gov/publications/detail/nistir/8219/draft
• • • • • • • • • • • • • • • • • • • •
Kaspersky HQ 39A/3 Leningradskoe Shosse, Moscow Т: +7 (495) 797 8700 #1746 Anton.Shipulin@kaspersky.com @shipulin_anton Anton Shipulin CISSP, CEH, CSSA Global Presales Manager Industrial Cybersecurity Business Development

Recomendados

DDoS-атаки в 2016–2017: переворот
DDoS-атаки в 2016–2017: переворотDDoS-атаки в 2016–2017: переворот
DDoS-атаки в 2016–2017: переворот
Positive Hack Days
 
FinalExamWindows7_RatanMohapatra
FinalExamWindows7_RatanMohapatraFinalExamWindows7_RatanMohapatra
FinalExamWindows7_RatanMohapatra
Ratan Mohapatra
 
Automation-PLC
Automation-PLCAutomation-PLC
Automation-PLC
Pallavi7776
 
Microprocessor Laboratory 2: Logical instructions
Microprocessor Laboratory 2: Logical instructionsMicroprocessor Laboratory 2: Logical instructions
Microprocessor Laboratory 2: Logical instructions
Arkhom Jodtang
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
amiable_indian
 
62.water level control in reservoiers
62.water level control in reservoiers62.water level control in reservoiers
62.water level control in reservoiers
Padmakar Mangrule
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
PROIDEA
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016
Sergey Gordeychik
 

Recomendados

DDoS-атаки в 2016–2017: переворот
DDoS-атаки в 2016–2017: переворотDDoS-атаки в 2016–2017: переворот
DDoS-атаки в 2016–2017: переворот
Positive Hack Days
 
FinalExamWindows7_RatanMohapatra
FinalExamWindows7_RatanMohapatraFinalExamWindows7_RatanMohapatra
FinalExamWindows7_RatanMohapatra
Ratan Mohapatra
 
Automation-PLC
Automation-PLCAutomation-PLC
Automation-PLC
Pallavi7776
 
Microprocessor Laboratory 2: Logical instructions
Microprocessor Laboratory 2: Logical instructionsMicroprocessor Laboratory 2: Logical instructions
Microprocessor Laboratory 2: Logical instructions
Arkhom Jodtang
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
amiable_indian
 
62.water level control in reservoiers
62.water level control in reservoiers62.water level control in reservoiers
62.water level control in reservoiers
Padmakar Mangrule
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
PROIDEA
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016
Sergey Gordeychik
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
Electronic DIY project book
Electronic DIY project book Electronic DIY project book
Electronic DIY project book
Raghav Shetty
 
Role of Connectivity - IoT - Cloud in Industry 4.0
Role of Connectivity - IoT - Cloud in Industry 4.0Role of Connectivity - IoT - Cloud in Industry 4.0
Role of Connectivity - IoT - Cloud in Industry 4.0
Gautam Ahuja
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
Jose Palanco
 
Alcohol report
Alcohol reportAlcohol report
Alcohol report
chandan kumar
 
Tech
TechTech
Tech
Orafu James
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
PROIDEA
 
Stuxnet
StuxnetStuxnet
Stuxnet
Symantec
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
Microcontroller based automatic engine locking system for drunken drivers
Microcontroller based automatic engine locking system for drunken driversMicrocontroller based automatic engine locking system for drunken drivers
Microcontroller based automatic engine locking system for drunken drivers
Vinny Chweety
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
PROIDEA
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Stuxnet
StuxnetStuxnet
Stuxnet
bueno buono good
 
BsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the ControllersBsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the Controllers
Roberto Soares
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Positive Hack Days
 
P1111141868
P1111141868P1111141868
P1111141868
Ashraf Aboshosha
 
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Dominik Obermaier
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
grecsl
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
lior mazor
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
naman860154
 

Más contenido relacionado

Similar a Experience with testing industrial cybersecurity solutions against real-world attack scenarios

Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
PROIDEA
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
BsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the ControllersBsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the Controllers
Roberto Soares
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Positive Hack Days
 
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Dominik Obermaier
 

Similar a Experience with testing industrial cybersecurity solutions against real-world attack scenarios (20)

Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Electronic DIY project book
Electronic DIY project book Electronic DIY project book
Electronic DIY project book
 
Role of Connectivity - IoT - Cloud in Industry 4.0
Role of Connectivity - IoT - Cloud in Industry 4.0Role of Connectivity - IoT - Cloud in Industry 4.0
Role of Connectivity - IoT - Cloud in Industry 4.0
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Alcohol report
Alcohol reportAlcohol report
Alcohol report
 
Tech
TechTech
Tech
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Microcontroller based automatic engine locking system for drunken drivers
Microcontroller based automatic engine locking system for drunken driversMicrocontroller based automatic engine locking system for drunken drivers
Microcontroller based automatic engine locking system for drunken drivers
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
BsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the ControllersBsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the Controllers
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
P1111141868
P1111141868P1111141868
P1111141868
 
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 

Último

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Último (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Experience with testing industrial cybersecurity solutions against real-world attack scenarios

  • 1.
  • 2. • Industrial Cybersecurity Business Development at Kaspersky Lab • Head of program committee of Kaspersky Industrial Cybersecurity Conference • Coordinator for Russia at Industrial Cybersecurity Center (CCI) • Co-Founder of ICS Cyber Security community RUSCADASEC • Certified SCADA Security Architect (CSSA), CISSP, CEH • @shipulin_anton
  • 12. Full details on the testbed https://itrust.sutd.edu.sg/testbeds/secure-water-treatment-swat/ 6 stages: ►P1: RAW water Supply and storage ►P2: Pre‐treatment ►P3: Ultrafiltration and backwash ►P4: De‐Chlorination System ►P5: Reverse Osmosis (RO) ►P6: RO Permeate Transfer, UF Backwash and Cleaning
  • 13. Cybercriminal Attacker Model - Control of the PLC through the Bridged Man-in-the-Middle (MiTM) at Level 0 - Control of the chemical dosing system through a Python script (pycomm) - Control of the Historian through the Aircrack WiFi - Control of the pressure through the Server Message Block (SMB) - Control of the water level in the tank through the Metasploit VNC Scanner - Control of the pump through a rogue router - Control of the pump through the FactoryTalk and password vulnerability - Control of the pressure pump through Python script (pycomm) - Control of the pump through the compromised HMI - Overwriting data stored at Historian - Control of the Historian through MiTM using ARP Insider Attacker Model - Control of the Motorised Valve through Manual Intervention - Control of the RIO/Display through manual configuration on the sensor - Control of the water pump P101 through the Python script (pycomm) - Control of the water pump P101 through manual operation of the HMI - Control of the pressure pump through Python script (pycomm) - Control of the water tank level LIT101 through Python script (pycomm) - Control of chemical dosing through modified PLC Logic - Control of the RIO through disconnecting Analogue Input/Output pin - Control of the amount of chemical dosing through Python script - Control of the PLC through the modification of PLC logic in Studio 5000 - Control of the motorised valve through modification of PLC logic in Studio 5000 - Control of the motorised valve MV201 through the modification of PLC logic - Control of the water tank level LIT301 through adjusting alarm levels - Control of the chemical dosing pump P205 through manual operation of the dosing meter - Control of the HMI/SCADA through simulation control - Control of the PLC through disconnected network cables Details: https://goo.gl/y1Pxre
  • 14. • Out of the box installation with no learning mode • Only L1 monitoring / L0 attacks was out of scope • Didn’t monitor physical attacks Detection results Details: https://goo.gl/y1Pxre
  • 15. 2:23 - Scanning both Zycron and SWaT network concurrently. 2:30 - Discovered the VNC service. 2:38 - Attack: Attempting to do MITM attack on PLC1 2:50 - Attack: Attempting to do Layer 0 MITM attack on LIT101. 2:23 - Scanning both Zycron and SWaT network concurrently. 2:30 - Discovered the VNC service. 2:38 - Attack: Attempting to do MITM attack on PLC1 Attempt to do bridge in primary plc to RIO 2:50 - Attack: Attempting to do Layer 0 MITM attack on LIT101. Spoof water level to 390 2:54 - Attack Successful! 2:59 - Attack: Download modified P2 PLC code. 3:01 - Attack Unsuccessful! 3:18 - Attack: Downloading modified P2 PLC code. Attack Unsuccessful! 3:19 - Attack: Trying to breach the firewall. 3:22 - Attack: Overwriting PLC code. Attack Unsuccessful! 3:38 - Attack: Attempting to set LIT101 to 300. Attack Unsuccessful! 4:16 - Spoofing attack LIT101 at HMI Successful! 4:45 - Download of PLC code failed! 5:07 - Launch on DPIT pressure successful! 5:18 - Attempt to change plant to manual mode. 5:19 - Attempt successful! 5:20 - Attempt to stop plant process. 5:23 - Attempt to stop/start plant successful! 5:28 - Attack : Attempt to do DoS attack on historian for all values. Attack unsuccessful! 5:36 - Attack : Attempt to do DoS attack on historian for all values. Attack unsuccessful! 6:18 - Attack: Attempt to do DoS attack on historian for all values. Attack unsuccessful! 6:20 - Eternal Blue attack: Time Out! https://itrust.sutd.edu.sg/ciss-2019/
  • 16. Overview of dataset requests by country (left) and year (right) • Secure Water Treatment (SWaT) • SWaT Security Showdown (S317) • Water Distribution (WADI) • BATtle of Attack Detection Algorithms (BATADAL) • Electric Power and Intelligent Control (EPIC) • Blaq_0 https://itrust.sutd.edu.sg/research/dataset/ Visit by Kaspersky LabDetected attack: 23 out of 34 Not detected: 9 with small impacts Correct interpretation: 22 out of 23 False positive: 3 as attack continuation New anomalies: 7 anomalies Kaspersky Machine Learning for Anomaly Detection Results on the SWaT Dataset https://tinyurl.com/mlad2018
  • 17. • WMI Lateral Movement • Reconnaissance / Network Scan • Reconnaissance / Reading Project from PLC / Modbus • Reconnaissance / Modbus Scan • Transfer Malicious Firmware to Rockwell Automation PLC • Modbus Write Attempt from an Internet address • “Stuxnet” Malware Network Activity • “Havex” Malware Network Activity • “Greyenergy” Malware Network Activity https://www.youtube.com/watch?v=vSd8hoRqnF4&list=PLPmbqO785Hlt3yFvW-EZhvRq53EcCjmZc https://www.youtube.com/watch?v=A2tQo4t4ibo
  • 18.
  • 19. KICS 60870-5-104 Protocol Events https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
  • 20.
  • 21. Endpoint activities at different levels and stages Powershell, Python SSH clients (Putty/Plinks) Netcat/Cryptocat Mmikatz, PsExec AdExplorer, ShareEnum, PsGetSid Nmap, iPerf Trilog.exe Network activities at different levels and stages DNS SSH RDP RPC/SMB (PsExec) HTTP (Webshell) TCP/UDP (Nmap, iPerf) VPN Tristation (UDP) PLC Fieldbus Control Network SCADA/DCS Network Plant DMZ Network Office Network PLC SCADA SCADA SCADA SCADA SIS SIS Safety Instrumented System SIS EWS SIS Internet Attacker • Trilog.exe • Tristation (UDP)
  • 23. Unusual time for an engineering connection
  • 25. • plaintext passwords • user authentication failures • new network devices • abnormal network traffic between devices • internet connectivity • data exfiltration • unauthorized software installations • PLC firmware modifications • unauthorized PLC logic modifications • file transfers between devices • abnormal ICS protocol communications • malware • denial of service (DoS) • abnormal manufacturing system operations • port scans/probes • environmental changes https://csrc.nist.gov/publications/detail/nistir/8219/draft
  • 27. Kaspersky HQ 39A/3 Leningradskoe Shosse, Moscow Т: +7 (495) 797 8700 #1746 Anton.Shipulin@kaspersky.com @shipulin_anton Anton Shipulin CISSP, CEH, CSSA Global Presales Manager Industrial Cybersecurity Business Development