Kaspersky SAS SCADA in the Cloud
- 2. Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster
and to keep Purity Of Essence
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Scherbel
Timur Yunusov
Valentin Shilnenkov
Vladimir Kochetkov
Vyacheslav Egoshin
Yuri Goltsev
Yuriy Dyachenko
- 18. --snip--
Comment to PT-SOL-2014001: The upload path has been changed. It is still possible to upload files, but they can't overwrite system critical parts any more.
Comment to PT-SOL-2014002: The system backup is created in a randomly chosen path and deleted afterwards. Therefore an unauthorized access is made much more difficult and very unlikely.
Second comment to PT-SOL-2014002: In order to compensate the weak encryption in the configuration file, the whole configuration file is now encrypted via the new HTTP transmission.
--snip--
- 49. As a side note, there is about a 3GW buffer in the
European energy grids -- take 3GW off the net
within a couple of seconds (or add them), and lights
will go out. For quite a long while.
- 52.
  - PHDays III Choo Choo Choo Pwn
    - Security assessment/Pentest
  - PHDays IV Critical Infrastructure Attack
    - 0-day research
  http://bit.ly/1t8poTL http://www.phdays.com/press/news/38171/
- 53.
  - Goals
    - 0-day research on ICS components
    - Make a disaster
    - 0-day/1-day, CVSS, complexity, exploit, practical impact (e.g. disaster)
      - Mom, I can spoof MODBUS tag = 0 ;)
  - Targets
    - Schneider Electric
      - Wonderware System Platform, InduSoft Web Studio 7.1.4, ClearSCADA, IGSS, MiCOM C264
    - Siemens
      - Flexible, TIA Portal 13 Pro, WinCC, KTP 600, Simatic S7-1500 (1511-1 PN), S7-300 (314C-2 DP + CP343), S7-1200 v3, S7-1200 v2.2
    - Rockwell Automation
      - RSLogix 500, Allen-Bradley MicroLogix 1400 1766-L32BWAA
    - WellinTech KingSCADA, ICONICS Genesis64, ICP DAS PET-7067, Kepware KepServerEX(S7, DNP3), Honeywell Matrikon OPC (Modbus, DNP3), etc.
- 54.
  - Winners
    - Alisa Esage – SE InduSoft Web Studio 7.1
    - Nikita Maximov & Pavel Markov - ICP DAS RTU
    - Dmitry Kazakov - Siemens Simatic S7-1200 PLC
  - 2 days – 10+ 0days
  - Responsible disclosure: in progress
  - Fixes?
- 58.
  - Industrial security: directly affect industrial safety, can cause man-made disaster
  - Economic efficiency: affect quantitative economic indicators of the processes, automated with ICS
  - Other functional safety and reliability issues: affect qualitative or quantitative indicators of performance, reliability and security (SIL, MTBF, etc.)
- 59. a process that ensures control object
operation with no dangerous failures or
damage, but with a set economic efficiency
and reliability level maintained in the light
of adverse anthropogenic information
influence
- 65. What is the mean time between
failures (MTBF) for Windows-
based HMI if the operator follows
recommended patch management
practice?
- 73. Alexander @arbitrarycode Zaitsev
Alexey @GiftsUngiven Osipov
Kirill @k_v_nesterov Nesterov
Dmitry @_Dmit Sklyarov
Timur @a66at Yunusov
Gleb @repdet Gritsai
Dmitry Kurbatov
Sergey Puzankov
Pavel Novikov
- 78. *All pictures are taken from google and other Internets