Master class (Positive Hack Days) «Analysis of SCADA security protection», Andrey Komarov (technical manager)

Positive Hack Days. Komarov. SCADA Security Analysis


Participants will acquire practical experience in searching for vulnerabilities and analyzing SCADA security. The master class covers both common network vulnerabilities and exceptional cases that can be detected when assessing the security of real networks.

Page 1: Positive Hack Days. Komarov. SCADA Security Analysis


Page 2

SCADA protection analysis – «what for», «how» and «why»?

Regulations (USA, UK)

Security «Compliance» audit

Prevent security incidents in SCADA

Detect and specify security threats in SCADA

Improvement of software and hardware tools

Update regulatory requirements

Take into account attackers' actions and trends

Improve efficiency of used protection measures

Page 3

Mismatches in regulations

Page 4

All checks and coverage area

Application software

Data transferring channels

Network software

System software (OS, RTOS)

Hardware

SCADA

Page 5

Used techniques

Application software (SCADA, RTU)

System software (OS, RTOS)

Data transfer channels and techniques (Industrial Ethernet, Modbus, DNP3, Profibus, etc.)

Page 9

Tools used («Click and Hack» type)

«/exploits/scada»

«+» «CLICK and HACK» model

«-» there are only 5 vulnerabilities

«-» limited set of features

«SCADA»

«+» «CLICK and HACK» model

«-» there are only 15 vulnerabilities

Page 10

Tools used (specialized utilities)

Analysis of available NetDDE resources: Neutralbit's nbDDE tool

Network DDE (NetDDE) was designed by Wonderware as an extension of Microsoft Windows DDE that implements data exchange between computers on a LAN.

Page 11

Are there any difficulties?

Web application vulnerabilities (SQL-injection)

User ID = 1' or 1=(select top 1 password from Users)--
Password = (blank)

Page 12

Active and passive network reconnaissance

«The Registered Ports» chapter (Internet Assigned Numbers Authority):
ibm-mqisdp 1883/tcp IBM MQSeries SCADA
ibm-mqisdp 1883/udp IBM MQSeries SCADA
pnbscada 3875/tcp PNBSCADA
pnbscada 3875/udp PNBSCADA
d-s-n 8086/tcp Distributed SCADA Networking Rendezvous Port

Available resources

Active detection:
- SNMP server scanning results;
- detection of solution features (web servers, logged services).

Passive detection:
- interception of network traffic to find specific requests/responses (application and network software);
- detection of SCADA protocols in captured network traffic (DNP3 over Ethernet, Modbus-TCP);
- direct analysis of production protocols (with special analyzers, analysis of the signal propagation medium).

Page 13

Detected SCADA object: SIEMENS SIMATIC

Page 14

Reliability testing

# denial of service, then recovery (idle time - 1 minute)
ping -f -s 60
601 packets transmitted, 150 packets received, 75% packet loss

# denial of service, then recovery (idle time - 1 minute)
ping -f -s 600
497 packets transmitted, 32 packets received, 93% packet loss

# denial of service, without recovery (have to reload)
ping -f -s 6000
518 packets transmitted, 0 packets received, 100% packet loss

# denial of service, without recovery (have to reload)
ping -f -s 6000
819 packets transmitted, 0 packets received, 100% packet loss

Stress test (ICMP ping flood implementation) – «Reg Tiger Security»

Page 16

«US Blackout»

Page 17

Third-party application software components in SCADA

Page 18

Denial of service against the embedded web server

Page 20

Denial of service against the embedded web server

Page 21

Denial of service against the embedded web server

Page 22

Denial of service against the embedded web server

Page 23

Thank you for your attention!

http://ITDEFENCE.ru

LinkedIn group «Industrial Automation Security»
We discuss SCADA security questions