All pictures are taken from the Dr. Strangelove movie
• Group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity Of Essence
Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Roman Ilin, Alexander Tlyapov
Scada strange love   uwn-stuxnet
• Goals
  • to automate security assessment of ICS platforms and environments
• Objectives
  • to understand the system
  • to assess built-in security features
  • to create security audit/hardening guides
  • to automate the process
Vulnerabilities – waste production
• Goal
  • to create a PoC of a Stuxnet-style attack
• Initial conditions
  • common ICS components and configuration
  • common ICS security tools
  • only weaknesses in ICS components
  • vulnerabilities found by the SCADA StrangeLove team
• Engineering tools
  • STEP 7
  • PCS7
  • TIA PORTAL
• SCADA/HMI
  • WinCC (Windows)
  • WinCC Flexible/Advanced (Windows/Win CE)
• S7 family PLC
  • Old line (200, 300, 400)
  • New line (1200, 1500)
• WinCC Server
  • Windows/MSSQL-based SCADA
• WinCC Client (HMI)
  • WinCC runtime + Project + OPC
• WinCC Web Server (WebNavigator)
  • IIS/MSSQL/ASP/ASP.NET/SOAP
• WinCC WebClient (HMI)
  • ActiveX/HTML/JS
[Chart residue: x-axis years 1997–2013, y-axis 0–1000; extracted values: 1 2 9 7 6 10 11 14 17 73 100 96 899 94 135 285 81]
• Cyber Weapon
• Tactics, Techniques, and Procedures (TTPs)
• APT1
• APT 2.0
• Cyber Kill Chain
• ChinJa (R) (tm)
• Breaking through
• Harvesting
• Creeping death
• Chaos
That is a question!
http://bit.ly/RI6FtQ
http://bit.ly/UXn7d1
http://www.surfpatrol.ru/en/report
• A lot of “WinCCed” IE from countries/companies/industries
• Special prize to the guys from the US for WinCC 6.X in 2012
• XPath Injection (CVE-2012-2596)
• Path Traversal (CVE-2012-2597)
• XSS, ~20 instances (CVE-2012-2595)
Fixed in Update 2 for WinCC V7.0 SP3
http://support.automation.siemens.com/WW/view/en/60984587
• Lots of XSS and CSRF
  • CVE-2012-3031
  • CVE-2012-3028
• Lots of arbitrary file reading
  • CVE-2012-3030
• SQL injection over SOAP
  • CVE-2012-3032
• Username and password disclosure via ActiveX abuse
  • CVE-2012-3034
Fixed in Update 3 for WinCC V7.0 SP3
http://support.automation.siemens.com/WW/view/en/63472422
• Path Traversal
  • CVE-2013-0679
• Buffer overflow in ActiveX
  • CVE-2013-0674
• XXE OOB
  • CVE-2013-0677
• Missing encryption of sensitive data
  • CVE-2013-0678
• Improper authorization
  • CVE-2013-0676
Fixed in WinCC 7.2 / SIMATIC PCS7 V8.0 SP1
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-714398.pdf
• Network-level
  • Active scan
    • S7, Modbus, MSSQL (WinCC instance), HTTP(S)
    • SNMP (public/private hardcoded for PLC and HMI panels)
  • Passive scan
    • Profinet
• Host-level
  • WinCC forensics
Dmitry Efanov
http://scadastrangelove.blogspot.ru/2012/11/plcscan.html
Alexander Timorin
PHDays III release
• PdlRt.exe – graphic runtime
• CCRtsLoader.EXE – loader
• s7otbxsx.exe – network
• Inter-process communication:
  • RPC
  • Sections (memory-mapped files)
  • \BaseNamedObjects\TCPSharedMm and other interesting stuff
• Detecting the active project:
  HKCU\Software\SIEMENS\WINCC\Control Center\Default Settings
  • LastOpenPath
  • LastProject
• Detecting the MS SQL database name (timestamp):
  ArchiveManager\AlarmLogging
  ArchiveManager\TagLogging*
Obtaining information from database and system objects
• {Hostname}_{Project}_TLG*
  • TAG data
• CC_{Project}_{Timestamp}*
  • Project data and configuration
  • Users, PLCs, Privileges
    • Managed by the UM app
    • Stored in dbo.PW_USER
CVE-2013-0676
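The host-level artefacts above (the HKCU key with LastOpenPath/LastProject, and the CC_{Project}_{Timestamp}* and {Hostname}_{Project}_TLG* database names) can be turned into a small triage step for an incident responder working from a registry export and a database listing. The script below is an added example written for this page; it is not SCADA StrangeLove's WinCC Harvester or any Siemens code. The timestamp layout in the database name (yy-mm-dd_hh_mm_ss plus an optional letter) is an assumption, the sample database names are constructed, and the registry read uses the standard library's winreg module, so it only does anything on Windows.

```python
"""Offline triage of the WinCC host artefacts listed on the slide.

Added example, not SCADA StrangeLove code. Assumptions are marked below."""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Registry location named on the slide (values LastOpenPath / LastProject).
WINCC_KEY = r"Software\SIEMENS\WINCC\Control Center\Default Settings"
WINCC_VALUES = ("LastOpenPath", "LastProject")

# Database-name patterns from the slide: CC_{Project}_{Timestamp}* and
# {Hostname}_{Project}_TLG*. ASSUMPTION: the timestamp is laid out as
# yy-mm-dd_hh_mm_ss with an optional one-letter suffix; adjust the regex to
# what the examined host actually shows.
PROJECT_DB_RE = re.compile(
    r"^CC_(?P<project>.+?)_(?P<ts>\d{2}-\d{2}-\d{2}_\d{2}_\d{2}_\d{2})(?P<suffix>[A-Z]?)$")
TAGLOG_DB_RE = re.compile(r"^(?P<host>[^_]+)_(?P<project>.+?)_TLG(?P<rest>.*)$")


@dataclass(frozen=True)
class DbHit:
    name: str      # database name as listed by the SQL instance
    kind: str      # "project" or "taglogging"
    project: str   # WinCC project name recovered from the database name
    detail: str    # timestamp(+suffix) for project DBs, hostname for TLG DBs


def classify_database(name: str) -> Optional[DbHit]:
    """Map one database name onto the slide's two WinCC naming patterns."""
    m = PROJECT_DB_RE.match(name)
    if m:
        return DbHit(name, "project", m["project"], m["ts"] + m["suffix"])
    m = TAGLOG_DB_RE.match(name)
    if m:
        return DbHit(name, "taglogging", m["project"], m["host"])
    return None  # system or unrelated database


def triage_databases(names: Iterable[str]) -> List[DbHit]:
    """Keep only the databases that look WinCC-related."""
    return [hit for hit in map(classify_database, names) if hit is not None]


def projects_seen(names: Iterable[str]) -> Set[str]:
    """Distinct project names recoverable from the database list alone."""
    return {hit.project for hit in triage_databases(names)}


def read_last_project() -> dict:
    """Windows only: read LastOpenPath/LastProject from the slide's HKCU key.

    Returns an empty dict on other platforms or when the key/values are absent,
    so the rest of the triage still runs on an exported database list."""
    if sys.platform != "win32":
        return {}
    import winreg  # stdlib, Windows only
    found = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINCC_KEY) as key:
            for value in WINCC_VALUES:
                try:
                    found[value] = winreg.QueryValueEx(key, value)[0]
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass
    return found


# Constructed sample: what `SELECT name FROM sys.databases` might return on a
# WinCC server. Not taken from a real host.
SAMPLE_DATABASES = [
    "master", "tempdb", "model", "msdb",
    "CC_Plant1_13-04-02_10_15_30R",
    "CC_Plant1_13-04-02_10_15_30",
    "CC_Plant_A_13-05-21_09_31_13R",
    "WINCCSRV_Plant1_TLG_2013_04",
    "ReportServer",
]

if __name__ == "__main__":
    for hit in triage_databases(SAMPLE_DATABASES):
        print(f"{hit.kind:11} {hit.project:8} {hit.detail:20} {hit.name}")
    print("projects:", sorted(projects_seen(SAMPLE_DATABASES)))
    print("registry:", read_last_project() or "n/a (not Windows or key absent)")
```

Run on a real host, the project names recovered from the database list should agree with the LastProject value from the registry; a project database whose name matches no registry entry, or a timestamp that does not match the project's documented deployment, is the discrepancy worth investigating. Users, PLCs and privileges then live in dbo.PW_USER of the matched CC_ database, as the slide notes.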
• Administrator:ADMINISTRATOR
• Avgur2 > Avgur
This is my encryptionkey
• Select from MS SQL via COM objects
• “Special” Windows account
• Shortcuts*
*we don’t know yet, you know
Authentication via SQL-stored accounts
ServerID magic to get the WebBridge password
Magic is used for SCSWebBridgeX
Too hard for me…
Oh! En/c(r)ypt[10]n!
ServerID = Base64(RC2(pass, key)), where key = MD5(dll hardcode)
Not my department password!
• All other connections use WNUSR for authentication
• For authorization the ID parameter is used
Not yet…
• «Magic» password = MD5(WNUSR_DC92D7179E29.Password)
• WNUSR_DC92D7179E29.Password is generated during installation
• Stored in the registry via DPAPI
• Good length and charset but…
• WinCC clients use a hardcoded account to communicate with the OPC Web bridge
• The password for WNUSR_DC92D7179E29 is generated during installation and is probably strong
• MD5(WNUSR_.Password) is stored with DPAPI protection
• The “encrypted” password for WNUSR_DC* can be obtained by a request to WinCCWebBridge.dll
• WNUSR_DC92D7179E29 is the only account used for work with Windows/Database
…responsible disclosure
• What is a Project?
  • Collection of ActiveX/COM/.NET objects
  • Event handlers and other code (C/VB)
  • Configuration files, XML and other
• Can a Project be trusted?
• Ways to spread malware with a Project?
• NO!
  • The Project itself is dynamic code
  • It’s easy to patch it “on the fly”
  • Vulnerabilities in data handlers (CVE-2013-0677)
• How to abuse?
  • Simplest way – to patch event handlers
• Hardcoded SNMP community string (unfixed)
• Hardcoded S7 PLC CA certificate (Dmitry Sklyarov)
http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html
• Multiple vulnerabilities in the S7 1200 PLC Web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov)
http://www.siemens.com/corporatetechnology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
• Can be protected by password
• Authentication – simple challenge-response
  • Password hashed (SHA1) on the client (TIA Portal)
  • Server (PLC) provides a 20-byte challenge
  • Client calculates HMAC-SHA1(challenge, SHA1(password)) as the response
• SHA-1 stored in PLC project files
  • It can be intercepted during firmware update/project upload
  • It can be extracted from the project file
SHA-1(pass) VS HMAC-SHA1(challenge, SHA1(pass))
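The comparison on the slide is the whole problem in one line: the PLC never sees the password, only SHA-1(pass), so whoever holds SHA-1(pass) from a project file or an intercepted upload can answer any challenge exactly as the legitimate TIA Portal client does. The model below is an added example for this page, not SCADA StrangeLove's tooling and not Siemens' implementation; it reproduces only the scheme as the slide states it, with the standard library's hmac and hashlib. The slide does not say which argument of HMAC-SHA1(challenge, SHA1(password)) is the key, so the model assumes key = SHA1(password) and message = challenge; swapping them does not change the conclusion.

```python
"""Model of the S7 PLC password challenge-response described on the slide.

Added example, not SCADA StrangeLove code and not Siemens' implementation.
ASSUMPTION: HMAC key = SHA1(password), HMAC message = challenge."""
import hashlib
import hmac
import os

CHALLENGE_LEN = 20  # the PLC provides a 20-byte challenge (per the slide)


def password_hash(password: str) -> bytes:
    """Client side (TIA Portal): the password is hashed with SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def make_challenge() -> bytes:
    """PLC side: fresh random challenge for each authentication attempt."""
    return os.urandom(CHALLENGE_LEN)


def response_from_hash(challenge: bytes, pw_hash: bytes) -> bytes:
    """The response needs only SHA-1(password), never the password itself."""
    return hmac.new(pw_hash, challenge, hashlib.sha1).digest()


def response_from_password(challenge: bytes, password: str) -> bytes:
    """What a legitimate client computes from the typed password."""
    return response_from_hash(challenge, password_hash(password))


def plc_verify(challenge: bytes, response: bytes, stored_hash: bytes) -> bool:
    """PLC side: recompute from the stored SHA-1 and compare in constant time."""
    expected = response_from_hash(challenge, stored_hash)
    return hmac.compare_digest(expected, response)


def hash_is_password_equivalent(password: str) -> bool:
    """The slide's point: a party that only holds SHA-1(pass) (from a project
    file or an intercepted upload) passes the same check as a party holding
    the password, because the password is never needed after hashing."""
    stored = password_hash(password)          # what the PLC / project keeps
    challenge = make_challenge()
    with_password = response_from_password(challenge, password)
    with_hash_only = response_from_hash(challenge, stored)
    return (with_password == with_hash_only
            and plc_verify(challenge, with_password, stored)
            and plc_verify(challenge, with_hash_only, stored))


def replay_is_rejected(password: str) -> bool:
    """What the challenge does buy: a response recorded for one challenge is
    useless against the next one. The scheme stops replay, not hash reuse."""
    stored = password_hash(password)
    old_challenge, new_challenge = make_challenge(), make_challenge()
    recorded = response_from_password(old_challenge, password)
    return (plc_verify(old_challenge, recorded, stored)
            and not plc_verify(new_challenge, recorded, stored))


if __name__ == "__main__":
    print("hash alone authenticates:", hash_is_password_equivalent("plc-maintenance"))
    print("replayed response rejected:", replay_is_rejected("plc-maintenance"))
```

For a defender the consequence is that SHA-1(pass) has to be handled as the credential itself: project files, backups and engineering-station uploads that contain it deserve the same protection as the password, and a PLC password change is the only way to invalidate a copy that has left the building.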
• Buffer overflow
  • CVE-2013-0669
• Cross-Site Scripting
  • CVE-2013-0672 / CVE-2013-0670 / CVE-2013-0668
• Directory traversal / Response splitting
  • CVE-2013-0671
• Server-side script injection
  • CVE-2012-3032
Fixed in WinCC (TIA Portal) V12
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf
• Profinet scanner
• WinCC Harvester 2.0
• TIA Portal Security Hardening Guide
• S7 protocol password brute force tool and JtR
• Simatic WinCC Security Hardening Guide
• PLCScan tool
• ICS/SCADA/PLC Google/Shodan Cheat Sheet
• SCADA Safety in Numbers
http://scadastrangelove.blogspot.com/search/label/Releases

COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 

Último (20)

COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 

Scada strange love uwn-stuxnet

  • 19. ChinJa (R) (tm): Breaking through, Harvesting, Creeping death, Chaos
  • 21. That is a question!
  • 24. A lot of "WinCCed" IE from countries/companies/industries. Special prize to the guys from the US for WinCC 6.X in 2012
  • 27. Fixed in Update 2 for WinCC V7.0 SP3: http://support.automation.siemens.com/WW/view/en/60984587
    - XPath Injection (CVE-2012-2596)
    - Path Traversal (CVE-2012-2597)
    - XSS, ~20 instances (CVE-2012-2595)
  • 28. Fixed in Update 3 for WinCC V7.0 SP3: http://support.automation.siemens.com/WW/view/en/63472422
    - Lots of XSS and CSRF: CVE-2012-3031, CVE-2012-3028
    - Lots of arbitrary file reading: CVE-2012-3030
    - SQL injection over SOAP: CVE-2012-3032
    - Username and password disclosure via ActiveX abuse: CVE-2012-3034
  • 29. Fixed in WinCC 7.2 / SIMATIC PCS7 V8.0 SP1: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-714398.pdf
    - Path Traversal: CVE-2013-0679
    - Buffer overflow in ActiveX: CVE-2013-0674
    - XXE OOB: CVE-2013-0677
    - Missing encryption of sensitive data: CVE-2013-0678
    - Improper authorization: CVE-2013-0676
  • 32. Network-level
    - Active scan: S7, Modbus, MSSQL (WinCC instance), HTTP(S), SNMP (public/private community strings hardcoded for PLCs and HMI panels)
    - Passive scan: Profinet
    Host-level
    - WinCC forensics
  • 36. Processes
    - PdlRt.exe: graphic runtime
    - CCRtsLoader.EXE: loader
    - s7otbxsx.exe: network
    Inter-process communication
    - RPC
    - Sections (memory-mapped files)
    - \BaseNamedObjects\TCPSharedMm and other interesting stuff
  • 37. Detecting the active project: HKCU\Software\SIEMENS\WINCC\Control Center\Default Settings
    - LastOpenPath
    - LastProject
    Detecting the MS SQL database name (timestamp): registry keys \ArchiveManager\AlarmLogging and \ArchiveManager\TagLogging*
    Obtaining information from database and system objects
  • 38. WinCC databases in MS SQL
    - {Hostname}_{Project}_TLG*: tag data
    - CC_{Project}_{Timestamp}*: project data and configuration (users, PLCs, privileges)
  • 39. Users: managed by the UM app, stored in dbo.PW_USER
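The host-level triage described on slides 37 to 39, written out as an added example (it is not one of the SCADA StrangeLove releases and not code from the deck). The registry path is the one on slide 37 with backslashes restored and the two database naming patterns are those on slide 38; the timestamp layout (YY_MM_DD_HH_MM_SS), the trailing suffix letters and the sample sys.databases listing are assumptions made for the demo and should be adjusted against a real WinCC server.

```python
"""WinCC host-level triage helpers for the artefacts named on slides 37-39.

Added example, not a SCADA StrangeLove release. The registry path is the one on
slide 37 with the backslashes restored; the database naming patterns come from
slide 38. The timestamp layout, the suffix letters and the sample database
listing are assumptions for the demo.
"""
import re
from typing import Dict, List, Optional

# Slide 37, backslashes restored (assumption about the stripped characters).
WINCC_DEFAULT_SETTINGS = r"Software\SIEMENS\WINCC\Control Center\Default Settings"

# Slide 38: {Hostname}_{Project}_TLG*  -> tag logging archive
TLG_RE = re.compile(r"^(?P<host>[^_]+)_(?P<project>.+)_TLG(?P<suffix>.*)$")
# Slide 38: CC_{Project}_{Timestamp}*  -> project data and configuration
# Timestamp layout YY_MM_DD_HH_MM_SS and the letter suffix are assumptions.
CC_RE = re.compile(r"^CC_(?P<project>.+?)_(?P<timestamp>\d{2}(?:_\d{2}){5})(?P<suffix>[A-Za-z]*)$")


def read_last_project() -> Optional[str]:
    """Reads the LastProject value from HKCU on a WinCC client; None elsewhere."""
    try:
        import winreg  # Windows only; absent on other platforms
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINCC_DEFAULT_SETTINGS) as key:
            value, _ = winreg.QueryValueEx(key, "LastProject")
            return value
    except OSError:
        return None


def classify_databases(db_names: List[str]) -> Dict[str, List[dict]]:
    """Sorts a sys.databases listing into project DBs, tag-logging DBs and the rest."""
    result: Dict[str, List[dict]] = {"project": [], "tag_logging": [], "other": []}
    for name in db_names:
        m = CC_RE.match(name)
        if m:
            result["project"].append({"db": name, **m.groupdict()})
            continue
        m = TLG_RE.match(name)
        if m:
            result["tag_logging"].append({"db": name, **m.groupdict()})
            continue
        result["other"].append({"db": name})
    return result


def project_databases(db_names: List[str], project: str) -> List[str]:
    """All databases that belong to one project (case-insensitive on the name)."""
    classified = classify_databases(db_names)
    return sorted(
        entry["db"]
        for kind in ("project", "tag_logging")
        for entry in classified[kind]
        if entry["project"].lower() == project.lower()
    )


def user_table_query(project_db: str) -> str:
    """T-SQL to pull the WinCC user accounts (dbo.PW_USER, slide 39).
    The database name is validated against CC_RE before interpolation."""
    if not CC_RE.match(project_db):
        raise ValueError(f"{project_db!r} does not look like a WinCC project database")
    return f"SELECT * FROM [{project_db}].dbo.PW_USER;"


# Constructed listing for the demo, not taken from a real server.
SAMPLE_SYS_DATABASES = [
    "master", "tempdb", "model", "msdb",
    "CC_Centrifuge_13_05_07_10_22_35R",
    "CC_Centrifuge_13_05_07_10_22_35",
    "HMI01_Centrifuge_TLG",
    "HMI01_Centrifuge_TLG_2013",
    "CC_OldPlant_11_01_20_08_00_00",
]

if __name__ == "__main__":
    print("LastProject:", read_last_project())
    print(project_databases(SAMPLE_SYS_DATABASES, "Centrifuge"))
    print(user_table_query("CC_Centrifuge_13_05_07_10_22_35"))
```

On a live WinCC server the listing would come from `SELECT name FROM sys.databases`; the helper deliberately refuses to build the PW_USER query for a name that does not match the project-database pattern, so a stray name from the listing cannot end up inside the SQL.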
  • 50. Select from MS SQL via COM objects; a "special" Windows account; shortcuts* (*we don't know yet, you know)
  • 52. Authentication via SQL-stored accounts. ServerID magic to get the WebBridge password; the magic is used for SCSWebBridgeX
  • 53. Too hard for me…
  • 54. Oh! En/c(r)ypt[10]n! ServerID = Base64(RC2(pass, key)), where key = MD5(constant hardcoded in the DLL)
  • 55. Not my department password!
  • 56. All other connections use WNUSR for authentication; for authorization the ID parameter is used
  • 58. "Magic" password = MD5(WNUSR_DC92D7179E29.Password)
    - WNUSR_DC92D7179E29.Password is generated during installation
    - Stored in the registry via DPAPI
    - Good length and charset but…
  • 60.
    - WinCC clients use a hardcoded account to communicate with the OPC Web bridge
    - The password for WNUSR_DC92D7179E29 is generated during installation and is probably strong
    - MD5(WNUSR_.Password) is stored with DPAPI protection
    - The "encrypted" password for WNUSR_DC* can be obtained by a request to WinCCWebBridge.dll
    - WNUSR_DC92D7179E29 is the only account used for work with Windows/the database
  • 63. What is a Project?
    - A collection of ActiveX/COM/.NET objects
    - Event handlers and other code (C/VB)
    - Configuration files, XML and other
    Can a Project be trusted? Ways to spread malware with a Project?
  • 64. NO!
    - The Project itself is dynamic code
    - It's easy to patch it "on the fly"
    - Vulnerabilities in data handlers (CVE-2013-0677)
    How to abuse? The simplest way is to patch event handlers
  • 66.
    - Hardcoded SNMP community string (unfixed)
    - Hardcoded S7 PLC CA certificate (Dmitry Sklyarov): http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html
    - Multiple vulnerabilities in the S7-1200 PLC web interface (Dmitry Serebryannikov, Artem Chaykin, Yuri Goltsev, Timur Yunusov): http://www.siemens.com/corporatetechnology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
  • 67/70. S7 PLC password protection
    - Can be protected by a password
    - Authentication: simple challenge-response
    - The password is hashed (SHA-1) on the client (TIA Portal)
    - The server (PLC) provides a 20-byte challenge
    - The client calculates HMAC-SHA1(challenge, SHA1(password)) as the response
  • 71.
    - The SHA-1 of the password is stored in PLC project files
    - It can be intercepted during firmware update/project upload
    - It can be extracted from the project file
    SHA-1(pass) vs HMAC-SHA1(challenge, SHA1(pass))
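The challenge-response scheme of slides 67/70 and the two consequences slide 71 draws from it, as an added example in plain Python (standard library only; this is not the S7 password brute-force tool or the JtR patch from the team's releases, and it does not speak the S7 protocol). It assumes the slide's notation HMAC-SHA1(challenge, SHA1(password)) means key = SHA1(password) over the challenge as message; the conclusions hold with either argument order. The password and the wordlist are constructed sample data.

```python
"""S7 PLC password challenge-response as described on slides 67/70/71.

Added example, not tooling from the SCADA StrangeLove team. It reconstructs the
scheme the slides describe with hmac/hashlib only and shows the two consequences
the slides point at: the SHA-1 of the password is the real secret (pass-the-hash
from a project file), and a single captured exchange can be guessed offline.
Assumption: "HMAC-SHA1(challenge, SHA1(password))" is read as key = SHA1(password),
message = challenge.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

CHALLENGE_LEN = 20  # the slides: the PLC sends a 20-byte challenge


def s7_password_hash(password: str) -> bytes:
    """TIA Portal side: the plaintext password is reduced to SHA-1 before use.
    This digest is what ends up in project files and what the protocol consumes."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def s7_response(challenge: bytes, password_hash: bytes) -> bytes:
    """Client response: HMAC-SHA1 keyed with SHA1(password) over the challenge.
    Only the 20-byte digest is needed, never the password itself."""
    if len(challenge) != CHALLENGE_LEN:
        raise ValueError(f"expected a {CHALLENGE_LEN}-byte challenge")
    return hmac.new(password_hash, challenge, hashlib.sha1).digest()


def plc_verify(challenge: bytes, response: bytes, stored_hash: bytes) -> bool:
    """PLC side: recompute the HMAC from the stored SHA-1 and compare."""
    return hmac.compare_digest(s7_response(challenge, stored_hash), response)


def crack_captured_exchange(challenge: bytes, response: bytes,
                            wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on one sniffed challenge/response pair.
    No PLC interaction is needed, so nothing rate-limits or logs the guesses."""
    for candidate in wordlist:
        guess = s7_response(challenge, s7_password_hash(candidate))
        if hmac.compare_digest(guess, response):
            return candidate
    return None


def demo() -> dict:
    """Walks through the legitimate login and both attack paths with constructed data."""
    password = "Purity0fEssence"              # constructed sample password
    stored_hash = s7_password_hash(password)  # what the PLC and the project file hold

    # 1. Legitimate login
    challenge = os.urandom(CHALLENGE_LEN)
    legit_ok = plc_verify(challenge, s7_response(challenge, stored_hash), stored_hash)

    # 2. Pass-the-hash: the attacker only holds the SHA-1 lifted from a project file
    leaked_hash = stored_hash
    pth_ok = plc_verify(challenge, s7_response(challenge, leaked_hash), stored_hash)

    # 3. Offline guessing from a captured exchange (a packet capture, not the PLC)
    captured = (challenge, s7_response(challenge, stored_hash))
    guessed = crack_captured_exchange(*captured, ["1234", "siemens", password, "admin"])

    return {"legit_ok": legit_ok, "pass_the_hash_ok": pth_ok, "guessed": guessed}


if __name__ == "__main__":
    print(demo())
```

The point slide 71 makes is visible in `s7_response`: the PLC never sees the password, only `SHA1(password)`, so that digest is the credential. Anyone who reads it out of a project file or sniffs a project upload can answer any future challenge directly, and anyone who captures one challenge/response pair can test candidates with `crack_captured_exchange` as fast as the CPU allows; the team's JtR patch listed on slide 81 does the same against real captures.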
  • 76. Fixed in WinCC (TIA Portal) V12: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf
    - Buffer overflow: CVE-2013-0669
    - Cross-Site Scripting: CVE-2013-0672 / CVE-2013-0670 / CVE-2013-0668
    - Directory traversal / response splitting: CVE-2013-0671
    - Server-side script injection: CVE-2012-3032
  • 80. Profinet scanner; WinCC Harvester 2.0: http://scadastrangelove.blogspot.com/search/label/Releases
  • 81.
    - TIA Portal Security Hardening Guide
    - S7 protocol password brute force tool and JtR
    - Simatic WinCC Security Hardening Guide
    - PLCScan tool
    - ICS/SCADA/PLC Google/Shodan Cheat Sheet
    - SCADA Safety in Numbers
    http://scadastrangelove.blogspot.com/search/label/Releases
  • 82. All pictures are taken from Dr StrangeLove movie