DESCRIPTION
Participants will gain practical experience in searching for vulnerabilities and analyzing SCADA security. The master class covers both common network vulnerabilities and the exceptional cases that can be detected during security assessment of real networks.
Master class (Positive Hack Days): «Analysis of SCADA security protection»
Andrey Komarov (technical manager)
SCADA protection analysis – «what for», «how» and «why»?
Regulations (USA, UK)
Security «Compliance» audit
Prevent security incidents in SCADA
Detect and specify security threats in SCADA
Improvement of software and hardware tools
Update regulatory rules
Consider attackers' actions and trends
Improve efficiency of the protection measures in use
Mismatches in regulations
All checks and coverage area
Application software
Data transfer channels
Network software
System software (OS, RTOS)
Hardware
SCADA
Used techniques
Application software (SCADA, RTU)
System software (OS, RTOS)
Data transfer channels and techniques (Industrial Ethernet, Modbus, DNP3, Profibus, etc.)
Used instruments («Click and Hack» type)
«/exploits/scada»
«+» «CLICK and HACK» model
«-» there are only 5 vulnerabilities
«-» limited set of features
«SCADA»
«+» «CLICK and HACK» model
«-» there are only 15 vulnerabilities
Used instruments (specialized utilities)
Analysis of available NetDDE resources - Neutralbit’s nbDDE tool
Network DDE (NetDDE), designed by Wonderware, is an add-on to Microsoft Windows DDE that implements data exchange between computers on a LAN.
Are there any difficulties?
Web application vulnerabilities (SQL injection)
User ID = 1' or 1=(select top 1 password from Users)--
Password = (blank)
Active and passive network reconnaissance
«The Registered Ports» chapter (Internet Assigned Numbers Authority):
ibm-mqisdp 1883/tcp IBM MQSeries SCADA
ibm-mqisdp 1883/udp IBM MQSeries SCADA
pnbscada 3875/tcp PNBSCADA
pnbscada 3875/udp PNBSCADA
d-s-n 8086/tcp Distributed SCADA Networking Rendezvous Port
Available resources
Active detection:
- SNMP server scanning results;
- detection of solution features (web servers, logged services).
Passive detection:
- interception of network traffic to find specific requests/responses (application and network software);
- detection of SCADA protocols in available network traffic (DNP3 over Ethernet, Modbus-TCP);
- direct analysis of production protocols (by special analyzers, analysis of the signal propagation medium).
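The passive detection step above (recognizing Modbus-TCP and DNP3 in captured traffic), as an added example that is not part of the master class: a small Python classifier that validates Modbus/TCP MBAP headers and DNP3 link-layer framing in a TCP payload instead of trusting the destination port alone. The sample payloads are constructed here, not captured, and DNP3 CRC values are not verified.

```python
import struct

# Public Modbus function codes a passive probe expects to see (subset of the
# public range; anything else is treated as non-Modbus for detection purposes)
MODBUS_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16, 22, 23, 43}

def is_modbus_tcp(payload: bytes) -> bool:
    """Validate the MBAP header instead of trusting port 502 alone."""
    if len(payload) < 8:
        return False
    _tx_id, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    func = payload[7] & 0x7F  # high bit set marks an exception response
    # protocol id is always 0; length counts unit id + PDU (PDU max 253 bytes)
    return (proto_id == 0 and length == len(payload) - 6
            and length <= 254 and func in MODBUS_FUNCTIONS)

def is_dnp3(payload: bytes) -> bool:
    """Validate DNP3 link-layer framing: 0x0564 start, length, CRC block layout."""
    if len(payload) < 10 or payload[:2] != b"\x05\x64":
        return False
    length = payload[2]  # counts control + dest + src + user data, so >= 5
    if length < 5:
        return False
    user_data = length - 5
    # 10-byte header block, then user data in 16-byte blocks, each followed by a CRC
    expected = 10 + user_data + 2 * ((user_data + 15) // 16)
    return expected == len(payload)  # CRC values themselves are not verified here

def classify(dst_port: int, payload: bytes) -> str:
    """Label a TCP payload; flag SCADA protocols seen on non-standard ports."""
    if is_modbus_tcp(payload):
        return "modbus-tcp" if dst_port == 502 else "modbus-tcp (non-standard port)"
    if is_dnp3(payload):
        return "dnp3" if dst_port == 20000 else "dnp3 (non-standard port)"
    return "unknown"

# Constructed sample payloads (not captured traffic):
# Modbus read holding registers (func 3), unit 1, start 0, count 10
SAMPLE_MODBUS = bytes.fromhex("00010000000601030000000a")
# DNP3 link frame, master 4 -> outstation 1, no user data, CRC bytes left as zero
SAMPLE_DNP3 = bytes.fromhex("056405c0010004000000")
# HTTP request arriving on port 502 must not be mislabelled as Modbus
SAMPLE_HTTP = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for port, data in [(502, SAMPLE_MODBUS), (5020, SAMPLE_MODBUS),
                       (20000, SAMPLE_DNP3), (502, SAMPLE_HTTP)]:
        print(port, classify(port, data))
```

Feeding reassembled TCP payloads from a capture into classify() gives an inventory of SCADA endpoints, including ones hidden behind non-standard ports, without sending a single packet to the process network.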
Detected SCADA object - SIEMENS SIMATIC
Testing of reliability
# denial of service, then recovery (idle time - 1 minute)
ping -f -s 60
601 packets transmitted, 150 packets received, 75% packet loss
# denial of service, then recovery (idle time - 1 minute)
ping -f -s 600
497 packets transmitted, 32 packets received, 93% packet loss
# denial of service, without recovery (have to reload)
ping -f -s 6000
518 packets transmitted, 0 packets received, 100% packet loss
# denial of service, without recovery (have to reload)
ping -f -s 6000
819 packets transmitted, 0 packets received, 100% packet loss
Stress-test (ICMP Ping Flood implementation) – «Reg Tiger Security»
«US Blackout»
Third-party (reused) application software components in SCADA
Denial of service against the embedded web server
Thank you for your attention!
http://ITDEFENCE.ru
LinkedIn group «Industrial Automation Security»: we discuss SCADA security questions