All pictures are taken from the Dr StrangeLove movie

Alexander Timorin
Ilya Karpov
Yuri Goltsev
Sergey Gordeychik


Group of security researchers focused on ICS/SCADA

to save Humanity from industrial disaster and to
keep Purity Of Essence
Sergey Gordeychik
Ilya Karpov
Artem Chaykin
Dmitry Efanov
Andrey Medov
Alexander Zaitsev
Dmitry Sklyarov

Gleb Gritsai
Sergey Bobrov
Yuriy Dyachenko
Yuri Goltsev
Sergey Scherbel
Dmitry Serebryannikov
Alexander Tlyapov

Denis Baranov
Alexander Timorin
Sergey Drozdov
Vladimir Kochetkov
Timur Yunusov
Dmitry Nagibin




Goals
to automate security assessment of ICS platforms and environments
Objectives
to understand the system
to assess built-in security features
to create security audit/hardening guides
to automate the process

Vulnerabilities – waste production
Techniques of attacking ICS systems
Tilting at windmills: ICS pentest project management
Playing with networks
Rooting the PLC: don't even try
OS/DB/Application
I'm the Lord of the SCADA
Hunting the operator: ICS network "forensic"
(diagram) Parties involved: Industrial Team, Security Department, The One Vendor, IT Team, SI
(diagram) The absolutely unbreakable ICS NETWORK









Typical network devices with default/crappy settings
Unpatched engineering workstations, old as dirt, full of junk software [and malware]
Wireless AP with WEP ( in the best case )
Low physical security
… and
Industrial protocols

















Spread everywhere
Not blocked by firewalls/switches
Accessible between LAN segments
Work from data link to application layers
Easy to detect
Easy to intercept and analyze ( but not all! )
And what do we know about the protocols?










Modbus
Profinet family
DNP3
IEC 61850-8-1 ( MMS )
IEC 60870-5-104 ( IEC 104 )
Siemens S7
… and much more
And most of them are INSECURE BY DESIGN







http://www.modbus.org/
Diagnostic functions
Read/Write data/registers/tags
Read/Write files
Toolkit: PLCSCAN by Dmitry Efanov
http://code.google.com/p/plcscan/
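The Modbus points above (diagnostic functions, read/write of registers, read/write of files, no authentication) are easiest to see from the defender's side by dissecting the frames on TCP/502 and deciding which ones deserve an alert. The following is an added example, not code from the slides or from PLCSCAN: it parses the Modbus/TCP MBAP header, checks that the length field agrees with the bytes actually present, and flags every write, diagnostic or unknown function code while letting plain reads through. The function-code names are from the public Modbus application protocol specification; the four sample frames are constructed for this example.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Public function codes from the Modbus Application Protocol spec, grouped by what
# a monitoring rule cares about: writes change process state, diagnostics can
# restart or reconfigure the device, reads are the normal polling traffic.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   21: "Write File Record", 22: "Mask Write Register",
                   23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers",
                  20: "Read File Record", 24: "Read FIFO Queue"}
DIAG_FUNCTIONS = {7: "Read Exception Status", 8: "Diagnostics",
                  11: "Get Comm Event Counter", 12: "Get Comm Event Log",
                  17: "Report Server ID", 43: "Encapsulated Interface Transport"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Split one Modbus/TCP frame into MBAP header fields and PDU, rejecting
    frames whose header does not agree with the bytes actually present."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes on the wire")
    return ModbusRequest(tid, unit, frame[MBAP_LEN], frame[MBAP_LEN + 1:])


def classify(req: ModbusRequest) -> tuple[str, str]:
    """Return (category, human-readable name) for the request's function code."""
    fc = req.function_code
    if fc & 0x80:
        return "exception", f"exception response to FC {fc & 0x7F}"
    if fc in WRITE_FUNCTIONS:
        return "write", WRITE_FUNCTIONS[fc]
    if fc in READ_FUNCTIONS:
        return "read", READ_FUNCTIONS[fc]
    if fc in DIAG_FUNCTIONS:
        return "diagnostic", DIAG_FUNCTIONS[fc]
    return "unknown", f"user-defined or vendor function {fc}"


def audit(frames: list[bytes]) -> list[str]:
    """One alert line per frame that is malformed, writes, or uses a diagnostic
    or unknown function; plain reads produce nothing."""
    alerts = []
    for raw in frames:
        try:
            req = parse_modbus_tcp(raw)
        except ValueError as err:
            alerts.append(f"MALFORMED: {err}")
            continue
        category, name = classify(req)
        if category == "read":
            continue
        detail = req.data.hex()
        if req.function_code == 6 and len(req.data) == 4:
            addr, value = struct.unpack(">HH", req.data)
            detail = f"register {addr} := {value}"
        alerts.append(f"{category.upper()}: unit {req.unit_id} FC {req.function_code} ({name}) {detail}")
    return alerts


# Constructed sample frames (not captured traffic): transaction id, protocol id 0,
# length, unit id 1, then the PDU.
SAMPLE_FRAMES = [
    bytes.fromhex("00010000000601030000000a"),  # FC 3: read 10 holding registers from 0
    bytes.fromhex("000200000006010600100039"),  # FC 6: write 57 to holding register 16
    bytes.fromhex("00030000000601080000a537"),  # FC 8: diagnostics sub-function 0 (loopback)
    bytes.fromhex("000400000009010300000002"),  # length field says 9, only 6 bytes follow
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES):
        print(line)
```

Run as a script it prints three alerts for the four sample frames: the register write, the diagnostics request and the frame whose length field lies about its size. Fed with frames from a span port, the same logic gives an inventory of which hosts ever write to which unit ids, which is the first thing to compare against the engineering team's expectations.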
IEC 61158, IEC 61784










Profinet CBA/IO/PTCP/DCP
Ethernet type 0x8892
Exchanges data in real-time cycles
Multicast discovery of devices and stations
No encryption, no auth, no security
We can change settings: name of the station, ip, netmask, gateway
We can simulate devices and cause a real DoS of PLC, HMI
Toolkit:
http://scadastrangelove.blogspot.kr/2013/11/power-of-community-2013-special-release.html







http://www.dnp.org
Widespread and popular
Useful info:
http://www.digitalbond.com/scadapedia/protocols/dnp3/
http://blog.iec61850.com/search/label/DNP3
Secure DNP3 specification
Toolkit: coming soon ….
Manufacturing Message Specification











ISO 9506-1:2003
Based on ISO-TSAP TCP/102
Read/write PLC tags, variables, domains (large unstructured data, i.e. code)
Start/Stop/Rewrite firmware of PLC
Read/Write/Del files and dirs
Poor security mechanism: a simple method whitelist
No auth, no encryption
Toolkit: python and nmap scripts


Python and Nmap identify scripts:
https://github.com/atimorin/PoC2013/tree/master/iec-61850-8-1


TCP/2404






HEADER:
1st byte: 0x68
2nd byte: APDU len








Huge list of functions; depends on the vendor's implementation
Read/write tags, upload/download files, broadcast discovery of connected devices, time sync, reset process command, query log files etc.
No auth, no encryption
Poor security mechanism: ip address whitelist
Toolkit: python and nmap scripts
Python and Nmap identify scripts:
https://github.com/atimorin/PoC2013/tree/master/iec-60870-5-104
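The IEC 104 framing given above (TCP/2404, first byte 0x68, second byte the APDU length) is all a monitoring sensor needs to cut a TCP stream into APDUs and pick out the ones carrying commands such as reset process, clock sync, set points or file transfer. The block below is an added example, not code from the slides or from the PoC2013 scripts: it parses the APCI, tells I-, S- and U-format APDUs apart by the control-field bits, decodes the ASDU header of I-format frames, and reports every control-direction type identification. Type IDs and U-format function codes are from IEC 60870-5-104; the sample stream is constructed for this example.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Optional

START_BYTE = 0x68
MAX_APDU_LEN = 253  # 4 control octets + at most 249 ASDU octets

# U-format control functions, keyed by the first control octet.
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

# Named subset of control-direction ASDU type identifications; the ranges in
# is_control_type() cover the rest of the control-direction blocks.
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set point (normalised)",
                 49: "C_SE_NB_1 set point (scaled)", 50: "C_SE_NC_1 set point (float)",
                 100: "C_IC_NA_1 interrogation", 103: "C_CS_NA_1 clock sync",
                 105: "C_RP_NA_1 reset process", 122: "F_SC_NA_1 file call/select"}


def is_control_type(type_id: int) -> bool:
    """Process/system/parameter commands and file transfer in control direction."""
    return 45 <= type_id <= 69 or 100 <= type_id <= 113 or 120 <= type_id <= 127


@dataclass
class Apdu:
    fmt: str                        # "I", "S" or "U"
    send_seq: Optional[int] = None
    recv_seq: Optional[int] = None
    u_function: Optional[str] = None
    type_id: Optional[int] = None
    cause: Optional[int] = None     # cause of transmission, low 6 bits
    common_addr: Optional[int] = None
    ioa: Optional[int] = None       # first information object address


def parse_apdu(buf: bytes) -> tuple[Apdu, bytes]:
    """Parse the APDU at the head of buf; return it and the unconsumed bytes."""
    if len(buf) < 2:
        raise ValueError("need start byte and length")
    if buf[0] != START_BYTE:
        raise ValueError(f"bad start byte 0x{buf[0]:02x}, expected 0x68")
    length = buf[1]
    if length < 4 or length > MAX_APDU_LEN:
        raise ValueError(f"APDU length {length} outside 4..{MAX_APDU_LEN}")
    if len(buf) < 2 + length:
        raise ValueError(f"truncated APDU: length {length}, {len(buf) - 2} bytes present")
    c1, c2, c3, c4 = buf[2:6]
    asdu, rest = buf[6:2 + length], buf[2 + length:]
    if c1 & 0x01 == 0:
        # I-format: numbered information transfer, carries an ASDU
        send_seq = (c1 >> 1) | (c2 << 7)
        recv_seq = (c3 >> 1) | (c4 << 7)
        if len(asdu) < 9:  # type id, VSQ, COT (2), common address (2), IOA (3)
            raise ValueError("I-format APDU too short for an ASDU header")
        type_id, _vsq, cot, common_addr = struct.unpack("<BBHH", asdu[:6])
        ioa = int.from_bytes(asdu[6:9], "little")
        return Apdu("I", send_seq, recv_seq, None, type_id, cot & 0x3F, common_addr, ioa), rest
    if length != 4:
        raise ValueError("S- and U-format APDUs must have length 4")
    if c1 & 0x03 == 0x01:
        # S-format: supervisory acknowledgement, only a receive sequence number
        return Apdu("S", recv_seq=(c3 >> 1) | (c4 << 7)), rest
    # U-format: unnumbered control function
    return Apdu("U", u_function=U_FUNCTIONS.get(c1, f"unknown 0x{c1:02x}")), rest


def parse_stream(buf: bytes) -> list[Apdu]:
    """Split a byte stream from one TCP direction into consecutive APDUs."""
    apdus = []
    while buf:
        apdu, buf = parse_apdu(buf)
        apdus.append(apdu)
    return apdus


def audit(buf: bytes) -> list[str]:
    """Alert on control-direction ASDUs and on the first malformed APDU; after a
    framing error the stream cannot be resynchronised, so parsing stops there."""
    alerts = []
    while buf:
        try:
            apdu, buf = parse_apdu(buf)
        except ValueError as err:
            alerts.append(f"MALFORMED: {err}")
            break
        if apdu.fmt == "I" and is_control_type(apdu.type_id):
            name = CONTROL_TYPES.get(apdu.type_id, f"control-direction type {apdu.type_id}")
            alerts.append(f"COMMAND: {name} COT={apdu.cause} CA={apdu.common_addr} IOA={apdu.ioa}")
    return alerts


# Constructed sample stream (not a capture), client to server: U STARTDT act,
# I C_IC_NA_1 station interrogation, I C_SC_NA_1 single command "on" to IOA 16,
# S acknowledgement of receive sequence 2.
SAMPLE_STREAM = bytes.fromhex(
    "680407000000"
    "680e0000000064010600010000000014"
    "680e020002002d010600010010000001"
    "680401000400"
)

if __name__ == "__main__":
    for line in audit(SAMPLE_STREAM):
        print(line)
```

Because IEC 104 has no authentication and at best an IP whitelist, the only signal a defender gets is which hosts send control-direction ASDUs and when; logging the (source, common address, type id) triples from this parser and comparing them with the list of legitimate control centres is the practical check.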








I love this protocol!
Proprietary communication protocol supported by Siemens SCADA software, PLC, HMI
We can: detect the protocol, extract some useful info (device serial number, type of station, firmware info etc.), extract and bruteforce (thanks to the JtR community) authentication challenge-response hashes
http://www.slideshare.net/phdays/timorinalexander-efanov-dmitry
Toolkit:
http://scadastrangelove.blogspot.kr/2013/11/power-of-community-2013-special-release.html

Welcome to our workshop!
Rooting the PLC: don't even try






Pwn OS (often VxWorks, QNX)
Reverse internal architecture
Find bugs in services
Snatch device

BUT FOR WHAT ?








It is a universal and complex approach
You can:
detect devices and protocols
monitor state, commands, exchanged data
inject, modify, replay packets in real-time
Because most of them are INSECURE BY DESIGN
Real example?
A simple UDP packet that sets the "speed" of a turbine to 57 (min=1, max=100)
OS/DB/Application
Raise your hand if you ever thought about it
You absolutely don't need it, because you already have it
If you got access to a Windows machine, you have access to the SCADA system. Why?
• Default/weak passwords
• Network shares (C$, Trash)
• Undocumented accounts
• Vulnerabilities in third-party software
• Windows vulnerabilities
* That's enough, true story



Build your own if you want. And commit it to GitHub, like our guy @atimorin does



Ok, you got it. What's next?



Contribute





As usual: you build the system, you investigate it, learn it, fuzz it, reverse it
Find a vulnerability? Easy
Build your own testlab? Nightmare


Find a vulnerability? Easy
What you probably want to find:
(Where are the droids we are looking for?)
OWASP TOP 10
Logic errors
Protocol analysis




Build your own testlab? Nightmare
Everyone can install software, BUT:
You should have very specific knowledge of how to configure such systems
You should know specific programming languages like LAD or STL to start applications
You should know the specific syntax of the address stack (tags)



Build your own testlab? Nightmare
Everyone can install software, BUT:
Every vendor has its own tools for engineers and developers
Every vendor has its own rules and (mostly) its own protocols
SCADA systems are like different operating systems: used for the same purpose, but in different ways
CVE-2013-4911
CVE-2012-2595
CVE-2012-2596
CVE-2012-2597
CVE-2012-2598
CVE-2012-3003
CVE-2012-3028
CVE-2012-3030
CVE-2012-3031
CVE-2012-3032
CVE-2012-3034
CVE-2012-4710
CVE-2013-0674

CVE-2013-0675
CVE-2013-0676
CVE-2013-0677
CVE-2013-0678
CVE-2013-0679
CVE-2013-0684
CVE-2013-0685
CVE-2013-0686
CVE-2013-0688
CVE-2013-3957
CVE-2013-3958
CVE-2013-3959
CVE-2013-4912

CVE-2013-XXX
CVE-2013-XXX
CVE-2013-XXX
CVE-2013-XXX
CVE-2013-XXX
CVE-2013-XXX
CVE-2014-XXX
CVE-2014-XXX
CVE-2014-XXX
CVE-2014-XXX
CVE-2014-XXX
CVE-2015-XXX
CVE-2015-XXX

http://scadastrangelove.blogspot.ru/search/label/Releases

Siemens
Invensys
ABB
Emerson
Other…
I'm the Lord of the SCADA










Please, _DO NOT_ click any buttons in production
I suppose you know why
First, to control SCADA you need to know how that stuff really works
Build your own testlab, read some docs from the vendor
Understand how it should work
Then you are ready for production










PLC/RTU often without password protection
Second (additional) network interface for the PLC/RTU network. Secure, isn't it?
Big red emergency button. Sometimes pressed accidentally
Rare backups
Web interfaces with default credentials, especially on PLC/RTU
Rare firmware updates
Controller signal converter
APC. Turn UPS Off!
Hunting the operator: ICS network "forensic"


Passwords on sticks (again)












No passwords or easy top10 passwords
Disabled Windows firewall
No AV
Network shares without permissions (C: RW for all)
Typical user with administrator rights
"Secret" internet connection
Tons of shareware, personal software, adult content (agrhhhhhh!)
Low physical security restrictions



Connect to ICS from home through RDP
Wi-Fi/3G/4G connections from/to ICS