Positive Hack Days. Gurkin. Zero Day for SCADA (0-day)


Uploaded by: positive-hack-days

Posted on 19-Jan-2015

Category: Technology


DESCRIPTION

Since the mass propagation of the Stuxnet worm, vulnerabilities in SCADA systems have become a favorite bugbear of journalists and a nightmare for everyone who has anything to do with industry and national security. How difficult is it to find a vulnerability in a SCADA system? Which attack vectors are the most dangerous for such systems? How many unfixed SCADA vulnerabilities are known so far? The speaker will demonstrate, in practice, 0-day vulnerabilities in some popular industrial process control systems.

TRANSCRIPT

Page 1: Positive Hack Days. Gurkin. Zero Day for SCADA (0-day)

SCADA security

Positive Hack Days.

Industrial systems. Threats

GLEG ltd - SCADA+ Pack for CANVAS developer

[email protected]

http://www.gleg.net

Page 2:

Plan

Attacks against SCADA: what could they look like?

Intro: are SCADA systems accessible from the Internet?

Exploration: searching for vulnerable systems reachable from the web

Exploitation

Post-exploitation

Summary

Page 3:

SCADA: events timeline

Before June 2010: seemingly NO (?) real-world examples of targeted SCADA attacks (just worm infections...)

June 2010: Stuxnet! The milestone in SCADA security...

After June 2010: hackers realized that there are accessible SCADA systems with vulnerabilities...

– Dozens of new vulnerabilities uncovered

– Potential risk has greatly increased

Page 4:

SCADA ON THE WEB

THERE ARE HUNDREDS OF SCADA SYSTEMS ALREADY EXPOSED TO THE INTERNET!

Let us show the «banners» of two SCADA systems,

and the SHODAN search results for them...

Page 5:

SCX SCADA

e.g. SCX SCADA:

SCX ADVANCED INDUSTRIAL AUTOMATION SOFTWARE

...the integrated SCX Web server is a standard component of the SCX product. Web Clients have access to all SCADA system functions...

Page 6:

SCX SCADA banner

1) “SCXWebServer”

HTTP/1.1 200 OK
Content-Encoding: deflate
Date: Tue, 14 Dec 2010 19:09:52 GMT
Expires: Tue, 14 Dec 2010 19:09:52 GMT
Cache-Control: no-cache
Server: SCXWebServer/6.0        <- here is the banner
Content-Type: text/xml
Content-Length: 1504

Search results for this:

Page 7:

Page 8:

CoDeSys ENI server exploit

CoDeSys ENI server:

In this case the banner looks like «ENIServer».

(Though many servers of the same kind are available from different SCADA vendors... all of them seem to be based on CoDeSys...?)

Again, let's search for it on the web... and show how it could be exploited using the SCADA+ Pack 0-day exploit for the CoDeSys ENI Server.

Page 9:

Page 10:

Video of exploitation:

http://pentesting.ru/eniserver.rar

Page 11:

Post-exploitation:

Typical post-exploitation:

Trojan

Keylogger

Hiding activities... and waiting for a login + password...

Page 12:

SCADA vulns

Of course there could be other vulnerability types... other exploration and exploitation tools and techniques...

Example 2:

A common situation for SCADA is... that local access is granted without authentication by default.

e.g. in IGSS SCADA we have the following default project settings... («Disable access control» is checked!)

Page 13:

Page 14:

SCADA attack

This could be helpful for a hacker... you could exploit some buffer overflow, enable Remote Desktop and have fun with the SCADA devices.

Page 15:

Current tools have limited functionality for SCADA... e.g. Shodan searches only ports 80, 21, 22, 161, 5060...

But, e.g., RealWin has vulnerable services on ports 910 and 912.

In that case you will need to search yourself... but since there are dozens of scanners, this is not a problem. You could also write your own.
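As an added example of "writing your own" (my code, not the speaker's and not part of the SCADA+ Pack), the script below is a small banner-grabbing scanner in Python: it connects to a list of ports, sends an HTTP-style probe, reads whatever comes back and matches it against the two banners shown earlier in the talk («SCXWebServer» and «ENIServer»). The RealWin ports 910/912 are the ones named on the slide; the probe, the matching logic, the `demo()` loopback server and the SCX response it serves are my own constructions.

```python
"""Banner-grab scanner for SCADA ports that Shodan did not index at the time of
the talk.  Added example, not code from the talk or from GLEG's SCADA+ Pack.
The banner strings ("SCXWebServer", "ENIServer") and the RealWin ports 910/912
come from the slides; the probe and matching logic are my own assumptions."""
import socket
import threading
from typing import Dict, List, Optional

# Substring that identifies the product in whatever the service sends back.
FINGERPRINTS: Dict[str, str] = {
    "SCXWebServer": "SCX SCADA web server",   # Server: header seen on the slide
    "ENIServer":    "CoDeSys ENI server",     # greeting seen on the slide
}
REALWIN_PORTS = [910, 912]   # RealWin services the slide calls vulnerable
HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: target\r\n\r\n"

# Constructed sample, modelled on the SCX response shown on page 6.
SCX_BANNER = (b"HTTP/1.1 200 OK\r\nContent-Encoding: deflate\r\n"
              b"Cache-Control: no-cache\r\nServer: SCXWebServer/6.0\r\n"
              b"Content-Type: text/xml\r\nContent-Length: 0\r\n\r\n")


def server_header(banner: bytes) -> Optional[str]:
    """Value of the HTTP Server: header, or None if the banner is not HTTP."""
    if not banner.startswith(b"HTTP/"):
        return None
    head = banner.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def classify_banner(banner: bytes) -> Optional[str]:
    """Map raw bytes from a service to a product name, or None if unknown."""
    text = banner.decode("latin-1", "replace")
    for needle, product in FINGERPRINTS.items():
        if needle in text:
            return product
    return None


def grab_banner(host: str, port: int, timeout: float = 2.0, limit: int = 4096) -> bytes:
    """Connect, send an HTTP probe and read up to `limit` bytes of whatever comes
    back.  Non-HTTP services usually answer the probe with an error or their
    own greeting, which is enough for substring matching.  Raises OSError on
    closed or filtered ports so the caller can skip them."""
    chunks: List[bytes] = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            s.sendall(HTTP_PROBE)
            while sum(map(len, chunks)) < limit:
                chunk = s.recv(limit)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass   # slow or silent service: return what we have so far
    return b"".join(chunks)


def scan(host: str, ports: List[int]) -> Dict[int, Optional[str]]:
    """Return {open_port: product_or_None}; ports that refuse or time out are omitted."""
    found: Dict[int, Optional[str]] = {}
    for port in ports:
        try:
            banner = grab_banner(host, port)
        except OSError:
            continue
        found[port] = classify_banner(banner)
    return found


def demo() -> Optional[str]:
    """Serve the constructed SCX banner on a loopback port and scan it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)          # consume the probe
            conn.sendall(SCX_BANNER)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    result = scan("127.0.0.1", [port])   # a real run would add REALWIN_PORTS, 80, etc.
    t.join(3)
    srv.close()
    return result.get(port)


if __name__ == "__main__":
    print("loopback demo classified:", demo())
```

Running it scans only the loopback stand-in; against a real range you would pass `REALWIN_PORTS + [80, ...]` to `scan()` and feed any unknown banners back into `FINGERPRINTS` as you learn them. The HTTP probe is deliberately crude: it is enough to elicit the SCX header and a greeting from simple TCP services, but a service that waits for its own protocol handshake will just time out and show up as an open port with `None`.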

Page 16:

Measures:

What you should know and do: SCADA systems are already on the Internet... One should be ready for the situation when a SCADA system «suddenly» becomes accessible (e.g. it is very convenient for engineers to have remote access).

Minimize internal threats: endpoint security + IDS.

Keep an eye on the news for SCADA vulnerabilities, especially those that could lead to remote access to SCADA functions (e.g. login/password theft)!

For SCADA it is not good to rely on local authentication or database authentication, or to have unauthenticated local access!
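The "be ready for the moment SCADA suddenly becomes accessible" and "IDS" points above can be turned into a concrete rule. The following is an added example (mine, not from the talk): a detection check run over constructed firewall log lines that flags any allowed connection from outside RFC 1918 space into the control network, and any connection to a watched SCADA service port (RealWin 910/912 from the slides, the SCADA web server, Remote Desktop) that does not come from the engineering segment. The subnets, the log line format and the port-to-service labels are hypothetical.

```python
"""Detection rule over firewall log lines: flag SCADA hosts that became
reachable from outside, and watched SCADA service ports reached from the wrong
internal segment.  Added example, not from the talk; the subnets, log format
and port labels are my own assumptions (RealWin 910/912 are from the slides)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

CONTROL_NET = ipaddress.ip_network("10.20.0.0/24")       # hypothetical SCADA LAN
ENGINEERING_NET = ipaddress.ip_network("10.10.0.0/24")   # hypothetical engineers' LAN
# "External" means not RFC 1918.  Checked explicitly rather than via is_global so
# that the documentation range 203.0.113.0/24 used in the sample counts as Internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PORTS = {910: "RealWin service", 912: "RealWin service",
                 80: "SCADA web server", 3389: "Remote Desktop"}

# Hypothetical firewall log format: "<ts> allow|deny src=.. sport=.. dst=.. dport=.. proto=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+src=(?P<src>[\d.]+)\s+sport=\d+"
    r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=\w+")


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_external(addr: ipaddress.IPv4Address) -> bool:
    return not any(addr in net for net in INTERNAL_NETS)


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert for a suspicious allowed connection, else None."""
    m = LINE_RE.match(line)
    if not m or m["action"] != "allow":      # malformed, or the firewall blocked it
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dst not in CONTROL_NET:
        return None
    service = WATCHED_PORTS.get(dport, "unlisted service")
    if is_external(src):
        # Any port: a SCADA host answering the Internet is the finding by itself.
        return Alert(m["ts"], str(src), str(dst), dport,
                     f"SCADA host reachable from the Internet: {service}")
    if dport in WATCHED_PORTS and src not in ENGINEERING_NET:
        return Alert(m["ts"], str(src), str(dst), dport,
                     f"{service} reached from a non-engineering internal host")
    return None


def scan_log(lines: List[str]) -> List[Alert]:
    return [a for a in map(check_line, lines) if a is not None]


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2011-05-19T10:12:01Z allow src=10.10.0.15 sport=50111 dst=10.20.0.5 dport=910 proto=tcp",
    "2011-05-19T10:12:07Z allow src=203.0.113.7 sport=51234 dst=10.20.0.5 dport=910 proto=tcp",
    "2011-05-19T10:13:44Z allow src=10.30.0.9 sport=43210 dst=10.20.0.5 dport=3389 proto=tcp",
    "2011-05-19T10:14:02Z deny src=203.0.113.7 sport=51235 dst=10.20.0.5 dport=912 proto=tcp",
    "2011-05-19T10:15:30Z allow src=203.0.113.9 sport=40000 dst=10.20.0.5 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the sample, the engineering workstation reaching RealWin on 910 is expected and produces nothing; the two external sources and the internal non-engineering host opening Remote Desktop to the SCADA box each produce an alert. The rule only looks at traffic the firewall already allowed, because that is precisely the case the slide warns about: the path that was opened for convenience and nobody noticed.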

Page 17:

Countermeasures:

Of course SCADA should be properly designed (hopefully it is :) with redundancy, possibly involving equipment from different manufacturers, etc...

Some typical measures could also be helpful:

Security policies and personnel culture (resistance to social engineering),

good passwords,

penetration tests

Page 18:

Summary:

We have shown that SCADA systems ARE ALREADY AVAILABLE FROM THE INTERNET... and some could be exploited right now...

Page 19:

Positive Hack Days.

Thanks for your attention

[email protected]

http://www.gleg.net