Scada Security & Penetration Testing

Date post: 02-Jul-2015
Upload: ahmed-sherif
Description: Industrial systems security & penetration testing, with some custom Python code.
Page 1: Scada Security & Penetration Testing

SCADA Security

SCADA Security | Ahmed Sherif 2014

Page 2: Scada Security & Penetration Testing

Agenda

● Industrial Control Systems – What is it?
● PLC – Definitions, How does it work?
● SCADA – Definitions, How does it work?

Page 3: Scada Security & Penetration Testing

Agenda

● Some Incidents
● Stuxnet vs PLC
● Security Best Practices

Page 4: Scada Security & Penetration Testing

Industrial Control Systems

● Industrial control system (ICS) is a general term that encompasses several types of control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC), often found in the industrial sectors and critical infrastructures.

Page 5: Scada Security & Penetration Testing

PLC

● A Programmable Logic Controller (PLC, or Programmable Controller) is a digital computer used for automation of typically industrial electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures. PLCs are used in many industries and machines.

Page 6: Scada Security & Penetration Testing

PLC – How Does it Work?

1. The computer is connected to the PLC unit through Ethernet, RS-232, RS-485 or RS-422 cabling.

2. The programming software allows entry and editing of the ladder-style logic.

3. The program is transferred from the personal computer to the PLC through a programming board, which writes the program into a removable chip such as an EEPROM.

4. The program can then be run and executed.

Page 7: Scada Security & Penetration Testing

PLC – How Does it Work?

1. The computer is connected to the PLC unit through Ethernet, RS-232, RS-485 or RS-422 cabling.

Page 8: Scada Security & Penetration Testing

PLC – How Does it Work?

2. The programming software allows entry and editing of the ladder-style logic.

Page 9: Scada Security & Penetration Testing

PLC – How Does it Work?

3. The program is transferred from the personal computer to the PLC through a programming board, which writes the program into a removable chip such as an EEPROM.

Page 10: Scada Security & Penetration Testing

PLC – How Does it Work?

4. The program can then be run and executed.

Page 11: Scada Security & Penetration Testing

PLC – Simulation

Page 12: Scada Security & Penetration Testing

SCADA is ...

Industrial Control Systems (ICS), commonly referred to as SCADA, underlie much of the infrastructure that makes everyday life possible in the modern world.

Page 13: Scada Security & Penetration Testing

SCADA is ...

● Industrial Control Systems (ICS), commonly referred to as SCADA, underlie much of the infrastructure that makes everyday life possible in the modern world.
● Supervisory Control and Data Acquisition

Page 14: Scada Security & Penetration Testing

SCADA is used for ...

Power grids

Page 15: Scada Security & Penetration Testing

SCADA is used for ...

Pipelines

Page 16: Scada Security & Penetration Testing

SCADA is used for ...

Inter-connected sensors and controls under central management

Page 17: Scada Security & Penetration Testing

SCADA is used for ...

Chemical plant, power plant, manufacturing facility

Page 18: Scada Security & Penetration Testing

SCADA is used for ...

Inter-connected sensors and controls under central management

Page 19: Scada Security & Penetration Testing

SCADA is used for ...

Traffic signal

Page 20: Scada Security & Penetration Testing

How Does SCADA Work?

Physical measurement/control endpoints:
● RTU, PLC
● Measure voltage, adjust valve, flip switch

Intermediate processing:
● Usually based on commonly used OSes
● *nix, Windows, VMS

Page 21: Scada Security & Penetration Testing

How Does SCADA Work?

Communication infrastructure:
● Serial, Internet, Wi-Fi
● Modbus, DNP3, OPC, ICCP

Page 22: Scada Security & Penetration Testing


Page 23: Scada Security & Penetration Testing

Components of a SCADA network

● RTU / PLC – Reads information on voltage, flow, the status of switches or valves. Controls pumps, switches, valves.
● MTU – Master Terminal Unit – Processes data to send to the HMI.
● HMI – Human Machine Interface – GUI, Windows – Information traditionally presented in the form of a mimic diagram.
● Communication network – LAN, wireless, fiber, etc.

Page 24: Scada Security & Penetration Testing

Protocols of SCADA Network

Raw Data Protocols – Modbus / DNP3
● For serial radio links mainly, but you can run anything over anything these days, especially TCP/IP (for better or worse)
● Reads data (measures voltage / fluid flow etc.)
● Sends commands (flips switches, starts pumps) / alerts (it's broken!)

High Level Data Protocols – ICCP / OPC
● Designed to send data / commands between apps / databases
● Provides info for humans
● These protocols often bridge between office and control networks
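Added example, not code from the deck: because Modbus carries no authentication of its own, a passive monitor that decodes Modbus/TCP requests and alerts on write function codes from any host other than the known master is one of the few network-level controls available. The function names, the sample frames and the addresses below are constructed for the example.

```python
"""Alert on Modbus/TCP write commands from hosts other than the known master.

Added example (not the deck's code): Modbus itself carries no authentication,
so a passive monitor can at least allow-list which sources may issue writes.
"""
import struct

# Function codes that change process state (coils / holding registers)
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the PDU function code.

    Raises ValueError for frames that are not plausible Modbus/TCP.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus (0)" % proto)
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("length field %d does not match frame" % length)
    func = frame[7]
    return {"transaction": tid, "unit": unit, "function": func & 0x7F,
            "exception": bool(func & 0x80), "data": frame[8:]}


def audit_frames(frames, allowed_masters):
    """Return (source, reason) alerts for writes from non-master hosts and
    for frames that do not decode (a monitor must not silently drop them)."""
    alerts = []
    for src, frame in frames:
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append((src, "malformed: %s" % exc))
            continue
        name = WRITE_FUNCTIONS.get(pdu["function"])
        if name and src not in allowed_masters:
            alerts.append((src, "%s to unit %d" % (name, pdu["unit"])))
    return alerts


# Constructed sample traffic: (source IP, raw Modbus/TCP request)
SAMPLE = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000001")),   # read 1 holding reg
    ("10.0.0.5", bytes.fromhex("0002000000060105000aff00")),   # write coil, master
    ("10.0.0.99", bytes.fromhex("0003000000060105000aff00")),  # write coil, rogue
    ("10.0.0.99", bytes.fromhex("000400000009011000000001021234")),  # write regs
    ("10.0.0.99", bytes.fromhex("000500000006")),              # truncated frame
]
KNOWN_MASTERS = {"10.0.0.5"}

if __name__ == "__main__":
    for src, reason in audit_frames(SAMPLE, KNOWN_MASTERS):
        print("ALERT %-10s %s" % (src, reason))
```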

Page 25: Scada Security & Penetration Testing

Testing SCADA Networks

Page 26: Scada Security & Penetration Testing

Script Kiddies vs SCADA

Sometimes it doesn't require high skills, because ...

● Tenable has released 32 plug-ins for Nessus which specifically test SCADA devices
● Core Impact and Metasploit now include SCADA hacks (since August 2008)

Page 27: Scada Security & Penetration Testing

SCADA (in)security

Lack of Authentication
● I don't mean lack of strong authentication. I mean NO AUTH!!
● There are no "users" on an automated system.
● OPC on Windows requires anonymous login rights for DCOM (XP SP2 breaks SCADA because anonymous DCOM is off by default).
● Normal policies regarding user management, password rotation, etc. do not apply.

Page 28: Scada Security & Penetration Testing

SCADA (in)security

Can't Patch, Won't Patch
● SCADA systems traditionally aren't patched.
● Install the system, replace the system a decade later.
● Effects of patching a system can be worse than the effects of compromise?
● Very large vulnerability window.

Page 29: Scada Security & Penetration Testing

Incidents!!

Page 30: Scada Security & Penetration Testing

Incidents!!

In 2000, in Queensland, Australia, Vitek Boden released millions of liters of untreated sewage into fresh water streams using a wireless laptop.

Page 31: Scada Security & Penetration Testing

Incidents!!

"In August 2003 Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours."

Page 32: Scada Security & Penetration Testing

Incidents!!

In 2003, the east coast of America experienced a blackout. While the Blaster worm was not the cause, many related systems were found to be infected.

Page 33: Scada Security & Penetration Testing

Incidents!!

In 1997, a teenager broke into NYNEX and cut off Worcester Airport in Massachusetts for 6 hours by affecting ground and air communications.

Page 34: Scada Security & Penetration Testing

The Nightmare .. Stuxnet

Page 35: Scada Security & Penetration Testing

The Nightmare .. Stuxnet

Targets SCADA networks
● Siemens Simatic WinCC specifically.

Uses rootkit technology to hide itself
● Classic Windows rootkit
● PLC rootkit

Spreads via USB sticks and network shares
● Uses 4 zero-day vulnerabilities

Page 36: Scada Security & Penetration Testing

The Nightmare .. Stuxnet

Malicious payload signed with stolen digital certificates
● Realtek and JMicron.

Infected machines become part of the Stuxnet botnet
● Can steal code, documents, project designs.
● Can inject and hide code into PLCs – modifying production processes.

Page 37: Scada Security & Penetration Testing

Stuxnet .. Deeper Look

● Main Dropper

This section contains the main Stuxnet DLL file, and this DLL contains all of Stuxnet's functions, mechanisms, files and rootkits.

Page 38: Scada Security & Penetration Testing

Stuxnet .. Deeper Look

● After finding this section, it loads the Stuxnet DLL file in a special way.

1. Escalating the Privileges and Injecting Into a New Process.

● It checks if the configuration data is correct and recent, and then it checks the admin rights. If it is not running at administrator level, it uses one of two zero-day vulnerabilities to escalate privileges and run at administrator level.
● CVE-2010-2743 (MS-10-073) – Win32K.sys Keyboard Layout Vulnerability
● CVE-xxxx-xxxx (MS-xx-xxx) – Windows Task Scheduler Vulnerability
● These two vulnerabilities allow the worm to escalate privileges and run in a new process ("csrss.exe" in the Win32K.sys case) or as a new task in the Task Scheduler case.

Page 39: Scada Security & Penetration Testing

Stuxnet .. Deeper Look

1. Escalating the Privileges and Injecting Into a New Process.

After everything goes right and the environment is prepared to be infected by Stuxnet, it injects itself into another process to install itself from that process. The injection begins by searching for an antivirus application installed on the machine. Depending on the antivirus application (AVP, McAfee, or another), Stuxnet chooses the process to inject itself into. If there is no antivirus program, it chooses "lsass.exe".

Page 40: Scada Security & Penetration Testing

Stuxnet .. Deeper Look

2. Installing Stuxnet into the Infected Machine.

Function #16 begins by checking the configuration data to be sure that everything is ready to begin the installation. It also checks whether there is a value in the registry with the name "NTVDM TRACE" in

SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation

and then checks whether this value equals "19790509".

This special number looks like a date, "May 9, 1979", and this date has a historical meaning (by Wikipedia): "Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community".

Page 41: Scada Security & Penetration Testing

Stuxnet .. Deeper Look

3. The USB Drives Infection

For infecting USB flash memory, Stuxnet creates a new hidden window "AFX64c313" and gets notified of any new USB flash memory inserted into the computer by waiting for the "WM_DEVICECHANGE" Windows message.

● After getting notified of a new drive added to the computer (USB flash memory), Stuxnet writes 6 files to the flash memory drive:
● Copy of Shortcut to.lnk
● Copy of Copy of Shortcut to.lnk
● Copy of Copy of Copy of Shortcut to.lnk
● Copy of Copy of Copy of Copy of Shortcut to.lnk
● And 2 executable files (DLL files):
● ~WTR4141.tmp
● ~WTR4132.tmp

These malformed shortcut files use a vulnerability in the Windows Shell named:
● CVE-2010-2568 (MS-10-046) – Windows Shell LNK Vulnerability
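Added example, not code from the deck: a Python triage check for the two host indicators the "Deeper Look" slides name, the removable-drive file set (the chained "Copy of ... Shortcut to.lnk" files plus ~WTR4141.tmp and ~WTR4132.tmp) and the "NTVDM TRACE" registry marker that the installer compares against 19790509 (Symantec's dossier documented that the installer exits when the marker holds that value). The function names and the sample drive listing are constructed; the winreg path only runs on Windows.

```python
"""Triage check for the Stuxnet host indicators described on these slides.

Added example, not the deck's code: it tests a drive listing for the chained
'Copy of ... Shortcut to.lnk' files plus ~WTR4141.tmp / ~WTR4132.tmp, and
classifies the "NTVDM TRACE" registry marker against 19790509.
"""
import re

LNK_PATTERN = re.compile(r"^(Copy of )+Shortcut to\.lnk$", re.IGNORECASE)
DROPPER_FILES = {"~wtr4141.tmp", "~wtr4132.tmp"}
MARKER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation"
MARKER_VALUE = "NTVDM TRACE"
MARKER_MAGIC = 19790509


def check_drive_listing(names):
    """Return the names (e.g. from os.listdir on a drive root) that match."""
    return [n for n in names
            if LNK_PATTERN.match(n) or n.lower() in DROPPER_FILES]


def drive_is_suspicious(names):
    """True only when LNK lures and a ~WTR DLL appear together, which is the
    combination the slides describe; one odd shortcut alone is not enough."""
    hits = check_drive_listing(names)
    has_lnk = any(h.lower().endswith(".lnk") for h in hits)
    has_dll = any(h.lower() in DROPPER_FILES for h in hits)
    return has_lnk and has_dll


def registry_marker_state(values):
    """Classify the marker from a dict of values under MARKER_KEY:
    'absent' (no value), 'magic' (equals 19790509) or 'other'."""
    if MARKER_VALUE not in values:
        return "absent"
    return "magic" if str(values[MARKER_VALUE]) == str(MARKER_MAGIC) else "other"


def read_registry_marker():
    """Read the live marker on Windows; returns None on other platforms."""
    try:
        import winreg  # Windows-only module
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MARKER_KEY) as key:
            value, _ = winreg.QueryValueEx(key, MARKER_VALUE)
    except OSError:  # key or value missing
        return "absent"
    return registry_marker_state({MARKER_VALUE: value})


# Constructed listing of an infected-looking drive, as on the slides
SAMPLE_LISTING = ["Copy of Shortcut to.lnk", "Copy of Copy of Shortcut to.lnk",
                  "Copy of Copy of Copy of Shortcut to.lnk",
                  "Copy of Copy of Copy of Copy of Shortcut to.lnk",
                  "~WTR4141.tmp", "~WTR4132.tmp", "budget.xlsx"]
```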

Page 42: Scada Security & Penetration Testing

Was it a success?

Page 43: Scada Security & Penetration Testing

Security Best Practices

● Real World Scenario

Page 44: Scada Security & Penetration Testing

Security Best Practices

● Real World Scenario

Page 45: Scada Security & Penetration Testing

Security Best Practices

● Real World Scenario

Page 46: Scada Security & Penetration Testing

Security Best Practices

● Real World Scenario

Page 47: Scada Security & Penetration Testing

Security Best Practices

● Real World Scenario

Page 48: Scada Security & Penetration Testing

Security Best Practices

● Real World Scenario

Page 49: Scada Security & Penetration Testing

Security Best Practices

● Real World Scenario

Page 50: Scada Security & Penetration Testing

Security Best Practices

● Real World Scenario

Page 51: Scada Security & Penetration Testing

Shodan & SCADA

port:161 country:US simatic

Page 52: Scada Security & Penetration Testing

Shodan & SCADA

python shodan_scan.py user.list pass.list

Page 53: Scada Security & Penetration Testing

Security Best Practices

Information Protection Guidelines:
● Create strong passwords and protect those passwords.
● Use a security token (or some other additional protection method) with a password to provide much stronger protection than a password alone.
● Take great care in what you publish on the internet and your company intranet.
● Sanitize or destroy all equipment that may contain critical information.
● Follow your company's reporting procedures if you observe any suspicious or abnormal activity.

Page 54: Scada Security & Penetration Testing

Security Best Practices

Physical Protection Guidelines:
● Limit access to systems you're responsible for to those who have a need to know.
● Protect systems and information (use password-protected screen savers, lock office doors, lock information in cabinets, etc.) when leaving them unattended.
● When traveling, pay special attention when going through airport security. Thieves may be able to steal your laptop while you are focusing on getting through the security checkpoint.
● Never leave systems or storage media in your vehicle.
● Protect work systems and information at home at the same level or higher as you would at work.

Page 55: Scada Security & Penetration Testing

So, Is SCADA Important?

● No ...
● Why?! ...

Page 56: Scada Security & Penetration Testing

Any Questions ?
