*All pictures are taken from Dr StrangeLove movie and other Internets
Sergey Gordeychik, Aleksandr Timorin, Gleb Gritsai
SCADA STRANGELOVE
SCADA.SL
Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster
and to keep Purity Of Essence
Alexander Timorin, Alexander Tlyapov, Alexander Zaitsev, Alexey Osipov, Andrey Medov, Artem Chaykin, Denis Baranov, Dmitry Efanov, Dmitry Nagibin,
Dmitry Serebryannikov, Dmitry Sklyarov, Evgeny Ermakov, Gleb Gritsai, Ilya Karpov, Ivan Poliyanchuk, Kirill Nesterov, Roman Ilin, Sergey Bobrov,
Sergey Drozdov, Sergey Gordeychik, Sergey Scherbel, Timur Yunusov, Valentin Shilnenkov, Vladimir Kochetkov, Vyacheslav Egoshin, Yuri Goltsev, Yuriy Dyachenko
Aleksandr Timorin
ICS security researcher
Industrial protocols fan and 0-day PLC hunter
SCADAStrangeLove team member
The Ocean band fan
atimorin
ICS basics 101
Vulnerabilities
• Input validation
• Design and architecture
Safety and security as a whole
What is ICS world and why we should develop carefully
Today is the digital era (welcome back captain obvious!)
Automated processes are everywhere – from home automation to big energy plants, from breweries to traffic control systems.
Industrial automation processes are becoming more comfortable for engineers and operators.
Switching from analog to digital brings with it an old and thoroughly insecure software development process.
What type of ICS products are vulnerable:
• Client/Server software
• Field devices: RTU, PLC, protective relays, power meters,
converters, actuators and so on
• Network switches, gateways
• GSM/GPRS modems, wireless AP
• Mobile applications
• Industrial protocols
• Human factor
Analytics and statistics of ICS vulnerabilities
• Analyzed CVE since ~2010
• Data source: ics-cert.us-cert.gov
• CVE details: NVD
• Total unique CVE: 689
• CVSS 2.0: min score 1.7, max score 10.0, avg score 6.5, high and critical scores: 285 (41%)
Analytics and statistics of ICS vulnerabilities
• CWE statistics:
CWE - Common Weakness Enumeration
Definitions and full detailed description at
https://nvd.nist.gov/cwe.cfm
Unique number of CWE = 43
Analytics and statistics of ICS vulnerabilities
• CWE statistics (TOP 20):
$ sort cwe.all.raw | uniq -c | sort -nr | head -20
Buffer Errors
Information Leak / Disclosure
Input Validation
Permissions, Privileges, and Access Control
XSS
Cryptographic Issues
Credentials Management
Resource Management Errors
Path Traversal
Authentication Issues
Use of Hard-coded Credentials
CSRF
Improper Access Control
SQL Injection
Unrestricted Upload of File with Dangerous Type
Untrusted Search Path
Security Features
Code Injection
NULL Pointer Dereference
Numeric Errors
Other (after TOP20)
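The tally above was produced with a shell pipeline over one CWE name per advisory. The following is an added example (not the deck's own tooling) that does the same ranking in Python and also computes the CVSS 2.0 summary figures the deck quotes (min, max, average, share of high/critical scores); the raw lines and scores embedded below are constructed sample data with placeholder CVE ids, not the real ICS-CERT/NVD dataset.

```python
"""Tally CWE categories and CVSS 2.0 scores from ICS advisory records."""
from collections import Counter
from statistics import mean
from typing import Iterable, List, Tuple

# Constructed sample of the kind of raw file the deck pipes through
# `sort | uniq -c | sort -nr | head -20` (one CWE name per advisory).
CWE_ALL_RAW = """Buffer Errors
Input Validation
Buffer Errors
Information Leak / Disclosure
Use of Hard-coded Credentials
Buffer Errors
Input Validation
XSS
"""

# Constructed CVSS 2.0 base scores, one per line above (placeholder ids).
SAMPLE_SCORES = {
    "CVE-EXAMPLE-0001": 10.0,
    "CVE-EXAMPLE-0002": 7.5,
    "CVE-EXAMPLE-0003": 5.0,
    "CVE-EXAMPLE-0004": 4.3,
    "CVE-EXAMPLE-0005": 10.0,
    "CVE-EXAMPLE-0006": 6.8,
    "CVE-EXAMPLE-0007": 1.7,
    "CVE-EXAMPLE-0008": 4.3,
}


def parse_raw(text: str) -> List[str]:
    """Split the raw file into CWE names, dropping blank lines and padding."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def top_cwes(cwe_names: Iterable[str], n: int = 20) -> List[Tuple[str, int]]:
    """Most frequent CWE names first (the `uniq -c | sort -nr | head` step).

    Ties are broken alphabetically so the ranking is deterministic, which
    plain `sort -nr` does not guarantee."""
    counts = Counter(cwe_names)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def cvss_summary(scores: Iterable[float], high_threshold: float = 7.0) -> dict:
    """Min/max/average base score and the count of scores at or above
    `high_threshold` (CVSS 2.0 "high", which includes the 10.0 "critical" end)."""
    vals = list(scores)
    high = [s for s in vals if s >= high_threshold]
    return {
        "total": len(vals),
        "min": min(vals),
        "max": max(vals),
        "avg": round(mean(vals), 1),
        "high_or_critical": len(high),
        "high_share": len(high) / len(vals),
    }


if __name__ == "__main__":
    names = parse_raw(CWE_ALL_RAW)
    for cwe, count in top_cwes(names):
        print(f"{count:7d} {cwe}")
    print(cvss_summary(SAMPLE_SCORES.values()))
```

Swapping the constructed inputs for the real advisory export (one CWE per line, scores keyed by CVE id) reproduces the deck's numbers; the sample here is small enough to check by hand.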
• Honeywell EPKS, CVE-2014-9189
• Honeywell EPKS, CVE-2014-9187
• cb is a buffer size
• SpiderControl SCADA Web Server, stack-based bof, CVE-2015-1001
• Siemens SIPROTEC 7SJ64 (protective relay) XSS
• Siemens WinCC
[Diagram: Siemens WinCC deployment – PLC1, PLC2, PLC3 on PROFINET/PROFIBUS; WinCC Servers, WinCC SCADA-Clients, WinCC SCADA-Client + Web-Server, WinCC DataMonitor and WinCC Web-Clients on the LAN; engineering station (TIA Portal/PCS7) running WinCCExplorer.exe/PdlRt.exe; links to the Internet, corporate LAN and VPNs]
Create and use your own security features instead of standard features – that’s a bad idea!
• Hardcoded secrets turn up in any protocol with auth: SNMP, telnet, HTTP, etc.
• You can hardcode keys, certificates, passwords
• SMA Sunny WebBox
• Siemens SIPROTEC 4 protective relay confirmation code “311299”:
- System log
- Device info
- Stack and other parts of memory
- More?
“SIPROTEC 4 and SIPROTEC Compact devices allow the
display of extended internal statistics and test information…
To access this information, the confirmation code “311299” needs
to be provided when prompted.”
“...Siemens does not publish official documentation on these
statistics. It is strongly recommended to work together with
Siemens SIPROTEC customer care or commissioning experts to
retrieve and interpret the statistics and test information...”
• Siemens S7-1200 PLC, CVE-2014-2252
“An attacker could cause the device to go into defect mode if
specially crafted PROFINET packets are sent to the device. A
cold restart is required to recover the system. ”
Just a “set” PROFINET request: set network info (ip, netmask, gateway) with all zero values.
Not secure by design: default credentials, autocomplete
• Defaults and factory settings (sometimes unchangeable) are everywhere
SCADA StrangeLove Default/Hardcoded Passwords List
https://github.com/scadastrangelove/SCADAPASS
KIOSK mode: limit access to OS functions
• Wincc accounts: “secret” crypto key
• WinCC accounts: “secret” crypto key fixed
• It’s XOR – they shouldn’t have bothered hardcoding a key for XOR
PLC password “encryption”
Password (8 bytes)
• TIA Portal PEData.plf passwords history
• Winccwebbridge.dll: please hash your hardcoded account
• Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE-2014-2251
• Seed = plc_start_time + const
Target – Siemens S7-1200 PLC
PROFINET “feature” and PRNG vulnerability – a real attack vector. Result – PLC takeover.
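A seed of the form start_time + const makes every value a device hands out after a cold restart reproducible. The block below is an added example, not code from the deck or from Siemens: it models that flawed design next to a generator backed by the OS CSPRNG and shows the kind of unit test an ICS developer can run before shipping, simulating several cold boots under identical conditions and requiring that challenge values never repeat across boots. All names (boot_weak, boot_strong, CONST, audit_generator) and the assumption that a PLC without a battery-backed clock restarts its time counter from the same value are constructed for this example.

```python
"""Reboot-determinism test for a device's challenge/nonce generator."""
import random
import secrets
from typing import Callable, Dict, Iterator

CONST = 0x1234        # constructed stand-in for a vendor constant
TOKEN_BYTES = 4       # size of one challenge value in this toy model


def boot_weak(plc_start_time: int) -> Iterator[bytes]:
    """Generator seeded from the start-time counter plus a constant.

    Assumed model: a PLC without a battery-backed clock counts from the same
    value after every cold restart, so the seed, and with it the entire
    output sequence, repeats on every boot."""
    rng = random.Random(plc_start_time + CONST)
    while True:
        yield rng.getrandbits(8 * TOKEN_BYTES).to_bytes(TOKEN_BYTES, "big")


def boot_strong(plc_start_time: int) -> Iterator[bytes]:
    """Generator backed by the OS CSPRNG; the start time plays no role."""
    while True:
        yield secrets.token_bytes(TOKEN_BYTES)


def audit_generator(boot: Callable[[int], Iterator[bytes]],
                    reboots: int = 5, per_boot: int = 8,
                    start_time: int = 0) -> Dict[str, int]:
    """Simulate `reboots` cold starts with the same start time and count
    challenge values that were already issued during an earlier boot."""
    first_seen: Dict[bytes, int] = {}
    cross_boot_repeats = 0
    for boot_no in range(reboots):
        gen = boot(start_time)
        for _ in range(per_boot):
            tok = next(gen)
            if tok in first_seen and first_seen[tok] != boot_no:
                cross_boot_repeats += 1
            first_seen.setdefault(tok, boot_no)
    return {
        "total": reboots * per_boot,
        "unique": len(first_seen),
        "cross_boot_repeats": cross_boot_repeats,
    }


def generator_is_reboot_safe(boot: Callable[[int], Iterator[bytes]], **kw) -> bool:
    """Pass/fail wrapper suitable for a CI test: no value may recur across boots."""
    return audit_generator(boot, **kw)["cross_boot_repeats"] == 0


if __name__ == "__main__":
    print("weak  :", audit_generator(boot_weak))
    print("strong:", audit_generator(boot_strong))
```

The weak generator yields the same eight values on every simulated boot, so 40 draws contain only 8 distinct tokens; the CSPRNG-backed one passes. The same harness can wrap a vendor's real session-id or challenge routine if that routine can be instantiated with a controlled clock value.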
- Hash passwords
- SHA is not good enough
- Put length of plaintext nearby
Redbox_value = len(pwd)*2+1
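The three findings just listed (a fixed XOR passed off as encryption, an unsalted fast hash, and the plaintext length stored next to the hash) all come down to how a credential is stored on the device. As an added example, not code from the deck or from any vendor, the block below puts the XOR "encryption" beside a salted, iterated PBKDF2-HMAC-SHA256 record and shows what a practitioner should check: the obfuscation reverses with no secret, a plain SHA digest is identical for identical passwords, and the proper record has a fixed size so it cannot leak the password length. FIXED_KEY, the record layout and the iteration count are constructed for this example.

```python
"""Password storage: fixed-key XOR and bare SHA versus a salted, iterated KDF."""
import hashlib
import hmac
import os
from typing import Optional

FIXED_KEY = b"\x5a"          # constructed stand-in for a hardcoded XOR key
SALT_LEN = 16                # bytes of random salt per record
ITER_LEN = 4                 # iteration count stored big-endian
DK_LEN = 32                  # PBKDF2 output length
RECORD_LEN = SALT_LEN + ITER_LEN + DK_LEN
PBKDF2_ITERATIONS = 600_000  # constructed default; tune to the target CPU


def xor_obfuscate(data: bytes, key: bytes = FIXED_KEY) -> bytes:
    """The deck's XOR "encryption": a constant key applied byte by byte."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_reversible_without_secret(pwd: bytes) -> bool:
    """Applying the same fixed XOR twice returns the plaintext, which is why
    a hardcoded XOR key protects nothing."""
    return xor_obfuscate(xor_obfuscate(pwd)) == pwd


def unsalted_sha_is_identical(p1: str, p2: str) -> bool:
    """Bare SHA-256 maps equal passwords to equal digests, so precomputed
    tables and cross-account matching work against it."""
    return hashlib.sha256(p1.encode()).digest() == hashlib.sha256(p2.encode()).digest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Produce a fixed-length record: salt || iterations || PBKDF2 output.
    The record length does not depend on the password, so nothing like
    len(pwd)*2+1 is ever written next to it."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=DK_LEN)
    return salt + iterations.to_bytes(ITER_LEN, "big") + dk


def verify_password(password: str, record: bytes) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    if len(record) != RECORD_LEN:
        return False
    salt = record[:SALT_LEN]
    iterations = int.from_bytes(record[SALT_LEN:SALT_LEN + ITER_LEN], "big")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=DK_LEN)
    return hmac.compare_digest(dk, record[SALT_LEN + ITER_LEN:])


if __name__ == "__main__":
    rec = hash_password("operator1")
    print(len(rec), verify_password("operator1", rec), verify_password("operator2", rec))
```

Storing the iteration count inside the record lets a firmware update raise it for new passwords without breaking existing ones; the `len(record)` check in `verify_password` keeps a truncated or tampered record from being accepted.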
Architecture looks like ideal (from developers point of view)
Reality looks like ideal too (from attacker point of view)
Many vendors tend to reinvent the wheel by writing their own services (ftp, telnet, ssh, http etc.)
Guten Tag WinCC:
• WinCC Server – Windows/MSSQL based SCADA
• WinCC Client (HMI) – WinCC runtime + project
• WinCC Web Server (WebNavigator) – IIS/MSSQL/ASP/ASP.NET/SOAP
• WinCC WebClient (HMI) – ActiveX/HTML/JS
Third-party services:
• deployed with default and example.config configurations (e.g. lots of busybox-based devices with the default root account)
• No patches and updates
Mirai DDoS botnet
DVR, NVR, IP cameras
Over 0.5 million IoT devices are vulnerable
What’s the problem? Hardcoded root:xc3511
Moreover, it is not so easy to change it
How to get the firmware? How to get debug symbols? How to debug?.. PowerPC, no “operating system”
― Interlocking security (by Jakob Lyng Petersen)
• Trains must not collide
• Trains must not derail
• Trains must not hit person working the tracks
—Sadly, animals can’t handle the interview
― Formal methods and verification (rtfm)
• B Method, Event B
—Underground rail network in Beijing, Milan and Sao Paulo
• Prover.com
—Sweden, USA
― Safety critical systems
― Abstract machines + formal methods
― Atelier B
• Available IDE and C translator
• No Ada translator
― Newer version – Event-B
• See Rodin framework
• “Everything will be C in the end. If it's not C, it's not the end.”
– almost John Lennon
― KVB: Alstom
• Automatic Train Protection for the French railway company (SNCF), installed on 6,000 trains since 1993
—60,000 lines of B; 10,000 proofs; 22,000 lines of Ada
― SAET METEOR: Siemens Transportation Systems
• Automatic Train Control: new driverless metro line 14 in Paris (RATP), 1998. 3 safety-critical software parts: onboard, section, line
—107,000 lines of B; 29,000 proofs; 87,000 lines of Ada
― Roissy VAL: ClearSy (for STS)
• Section Automatic Pilot: light driverless shuttle for Paris-Roissy airport (ADP), 2006
—28,000+155,000 lines of B; 43,000 proofs; 158,000 lines of Ada
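The B Method projects listed above discharge thousands of proofs that the interlocking properties on the earlier slide (trains must not collide, must not derail) hold in every reachable state. As an added example, not the deck's material and not B, the block below shows the same idea at toy scale in Python: it enumerates every reachable state of a two-train track under two interlocking designs and checks the invariants exhaustively. The atomic design grants one route at a time against the live track state; the "racy" design lets each train decide on a stale copy of the state, and the exhaustive search produces the collision trace. The track size, train directions and both move relations are constructed for this example.

```python
"""Exhaustive state exploration of a toy railway interlocking."""
from collections import deque
from itertools import combinations
from typing import Callable, Iterator, List, Tuple

State = Tuple[int, ...]          # block index occupied by each train

# Constructed toy: a straight track of 4 blocks, two trains heading toward each other.
N_BLOCKS = 4
INITIAL: State = (0, N_BLOCKS - 1)   # train A at block 0, train B at block 3
DIRECTION = (+1, -1)                 # A moves right, B moves left


def wants(state: State, i: int) -> int:
    """Block that train i would like to enter next."""
    return state[i] + DIRECTION[i]


def atomic_moves(state: State) -> Iterator[State]:
    """Correct interlocking: at most one route is granted per step and the
    check is made against the live state, so a block cannot be granted twice."""
    for i in range(len(state)):
        nxt = wants(state, i)
        if 0 <= nxt < N_BLOCKS and nxt not in state:
            s = list(state)
            s[i] = nxt
            yield tuple(s)


def racy_moves(state: State) -> Iterator[State]:
    """Broken interlocking: every train checks a stale copy of the state,
    then any non-empty subset of them moves in the same step."""
    movable = [i for i in range(len(state))
               if 0 <= wants(state, i) < N_BLOCKS and wants(state, i) not in state]
    for r in range(1, len(movable) + 1):
        for subset in combinations(movable, r):
            s = list(state)
            for i in subset:
                s[i] = wants(state, i)
            yield tuple(s)


def no_collision(state: State) -> bool:
    """Safety property 1: no two trains occupy the same block."""
    return len(set(state)) == len(state)


def no_derail(state: State) -> bool:
    """Safety property 2: every train is on a block that exists."""
    return all(0 <= p < N_BLOCKS for p in state)


def check_invariants(moves: Callable[[State], Iterator[State]],
                     initial: State = INITIAL,
                     invariants=(no_collision, no_derail)) -> Tuple[bool, List[State], int]:
    """Breadth-first search over all reachable states.

    Returns (ok, counterexample_path, states_explored); the path is empty
    when every reachable state satisfies every invariant."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        cur = queue.popleft()
        if not all(inv(cur) for inv in invariants):
            path = []
            node = cur
            while node is not None:
                path.append(node)
                node = parent[node]
            return False, path[::-1], len(parent)
        for nxt in moves(cur):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return True, [], len(parent)


if __name__ == "__main__":
    print("atomic:", check_invariants(atomic_moves))
    print("racy  :", check_invariants(racy_moves))
```

The racy design fails on the trace (0, 3) -> (1, 3) -> (2, 2): both trains see block 2 free and are granted it in the same step. Real interlockings have far larger state spaces, which is why the B projects above rely on proof rather than enumeration, but the property being established is the same.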
• RTFM
• SSDLC
• ICS best practices
• Follow CERTs
• Common Weakness Enumeration at cwe.mitre.org
• More practice: OWASP TOP 10
• TESTING TESTING AND TESTING AGAIN!
Mr. ICS developer, are you creating your products within SSDLC concepts?
*All pictures are taken from google and other Internets