SCADA security: why is it so hard? (Black Hat Briefings, slide transcript)
Amol Sarwate
Director of Vulnerability Engineering, Qualys Inc.
SCADA DCS
ICS
accidents
liquid pipeline failures http://www.ntsb.gov/doclib/safetystudies/SS0502.pdf
power failures http://www.nerc.com/docs/docs/blackout/Status_Report_081104.pdf
other accidents http://en.wikipedia.org/wiki/List_of_industrial_disasters
vandalism
vandals destroy insulators http://www.bpa.gov/corporate/BPAnews/archive/2002/NewsRelease.cfm?ReleaseNo=297
insider
disgruntled employee http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/
APT
terrorism or espionage http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
basics
Field Control Center
input output
Convert parameters like light, temperature, pressure or flow to analog signals
remote
Converts analog and discrete measurements to digital information
communication
Front end processors (FEP) and protocols
Wired or wireless communication
Modbus, DNP 3, OPC, ICCP, ControlNet, BBC 7200, ANSI X3.28, DCP 1, Gedac 7020, DeviceNet, DH+, ProfiBus, Tejas, TRE, UCA
master
Control, monitor and alarming using human machine interface (HMI)
threats?
io & remote
require physical access
io & remote
field equipment generally does not contain process knowledge
io & remote
information like valve 16 or breaker 9B
io & remote
without process knowledge leads to nuisance disruption
communication
manipulate FEP directly
communication
change FEP output
which is HMI input
communication
protocol threats
modbus protocol
MODBUS Request - Message sent on the network by the Client to initiate a transaction
MODBUS Indication - Request message received on the Server side
MODBUS Response - Response message sent by the Server
MODBUS Confirmation - Response Message received on the Client side
Diagram: Modbus Client (Master) sends a Request, which arrives at the Modbus Server (Slave) as an Indication; the Server sends a Response, which arrives at the Client as a Confirmation.
frame
MODBUS (serial) ADU: Additional addresses | Function code | Data | Error Check
  Function code + Data form the PDU; the whole frame is the ADU.
MODBUS on TCP/IP ADU: MBAP Header | Function code | Data
  The MODBUS TCP/IP ADU is carried as the payload of a TCP packet, itself inside an IP packet; the serial Error Check field is not present, as TCP provides the checksum.
frame: MODBUS on TCP/IP
MODBUS TCP/IP ADU: MBAP Header | Function code | Data   (Function code + Data = PDU)
MBAP Header fields: Transaction ID (2 bytes) | Protocol ID (2 bytes) | Length (2 bytes) | Unit ID (1 byte)
Function codes:
 1  Read Coils
 2  Read Discrete Inputs
 3  Read Holding Registers
 4  Read Input Register
 5  Write Single Coil
 6  Write Single Register
 7  Read Exception Status
 8  Diagnostic
11  Get Com Event Counter
12  Get Com Event Log
15  Write Multiple Coils
16  Write Multiple Registers
17  Report Slave ID
20  Read File Record
21  Write File Record
22  Mask Write Register
23  Read/Write Multiple Registers
24  Read FIFO Queue
43  Read Device Identification / Encapsulated Interface Transport
example
```perl
use strict;
use warnings;
use IO::Socket::INET;

# Usage: modbus_read.pl <ip> <start-address as 4 hex digits> <number of registers>
die "usage: $0 ip start_addr_hex num_registers\n" unless @ARGV == 3;
my ($ip, $data_val, $num_registers) = @ARGV;

my @buffer;
# MBAP header: Transaction ID (2 bytes)
$buffer[0] = chr(1);
$buffer[1] = chr(0);
# Protocol ID (2 bytes), always 0 for Modbus
$buffer[2] = chr(0);
$buffer[3] = chr(0);
# Length (2 bytes): Unit ID + Function Code + 4 data bytes = 6
$buffer[4] = chr(0);
$buffer[5] = chr(6);
# Unit ID (1 byte)
$buffer[6] = chr(1);
# Function Code (1 byte): 3 = Read Holding Registers
$buffer[7] = chr(3);
# Data: starting address (2 bytes, from the 4 hex digits) and quantity of registers (2 bytes)
$buffer[8]  = chr(hex(substr $data_val, 0, 2));
$buffer[9]  = chr(hex(substr $data_val, 2, 2));
$buffer[10] = chr(0);
$buffer[11] = chr($num_registers);

# Join the bytes into the request and send it only once the buffer is complete
my $data = join '', @buffer;
my $socket = IO::Socket::INET->new(
    PeerHost => $ip,
    PeerPort => '502',
    Proto    => 'tcp',
) or die "cannot connect to $ip:502: $!";
$socket->send($data);
```
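As an added example that is not part of the slides, a Python parser for the MBAP header and function-code table above, used as a monitoring check: it validates the header invariants, classifies the function code by its effect on the slave, and reports writes or diagnostics from any host other than the assumed master (10.0.0.5 and the sample ADUs are constructed for the demo; the first ADU is the request the Perl snippet above builds).

```python
import struct
from typing import Optional

# Function codes from the slide's table, grouped by what they do to the slave.
READ_FC = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
           4: "Read Input Register", 7: "Read Exception Status",
           20: "Read File Record", 24: "Read FIFO Queue"}
WRITE_FC = {5: "Write Single Coil", 6: "Write Single Register",
            15: "Write Multiple Coils", 16: "Write Multiple Registers",
            21: "Write File Record", 22: "Mask Write Register",
            23: "Read/Write Multiple Registers"}
DIAG_FC = {8: "Diagnostic", 11: "Get Com Event Counter", 12: "Get Com Event Log",
           17: "Report Slave ID",
           43: "Encapsulated Interface Transport / Read Device Identification"}
FC_NAMES = {**READ_FC, **WRITE_FC, **DIAG_FC}


def parse_modbus_tcp(adu: bytes) -> dict:
    """Split a Modbus/TCP ADU into MBAP fields and PDU, enforcing the header invariants."""
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus (must be 0)" % protocol_id)
    # Length counts Unit ID + PDU, i.e. everything after the first six bytes.
    if length != len(adu) - 6:
        raise ValueError("length field %d disagrees with %d bytes present" % (length, len(adu) - 6))
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": adu[7], "data": adu[8:]}


def classify(function_code: int) -> str:
    """Map a function code to read / write / diagnostic / exception / unknown."""
    if function_code & 0x80:
        return "exception"  # response with the error bit set
    for kind, table in (("read", READ_FC), ("write", WRITE_FC), ("diagnostic", DIAG_FC)):
        if function_code in table:
            return kind
    return "unknown"


def inspect_adu(src_host: str, adu: bytes, known_masters: set) -> Optional[str]:
    """Return an alert line for traffic a defender wants to see, None for expected traffic.
    Modbus carries no authentication, so the only basis for "who may write" is the
    source host; writes, diagnostics and unknown codes from anyone else are reported."""
    try:
        req = parse_modbus_tcp(adu)
    except ValueError as err:
        return "MALFORMED from %s: %s" % (src_host, err)
    fc, kind = req["function_code"], classify(req["function_code"])
    if kind in ("write", "diagnostic", "unknown") and src_host not in known_masters:
        return "ALERT %s from %s: fc=%d (%s) unit=%d" % (
            kind.upper(), src_host, fc, FC_NAMES.get(fc, "?"), req["unit_id"])
    return None


# Constructed sample traffic (not real captures). The first ADU is exactly what the Perl
# snippet above assembles for start address 0x0000 and 10 registers; 10.0.0.5 is assumed
# to be the one legitimate master.
KNOWN_MASTERS = {"10.0.0.5"}
SAMPLES = [
    ("10.0.0.5", "01000000000601030000000a"),             # read holding registers, from master
    ("10.0.0.77", "000200000006010600101234"),            # write single register, unknown host
    ("10.0.0.5", "00050000000b0110001000020400010002"),   # write multiple registers, from master
    ("10.0.0.77", "000300010006010300000001"),            # protocol id 1: not Modbus
    ("10.0.0.77", "000400000009010300000001"),            # length field 9, only 6 bytes follow
]


def run_samples() -> list:
    """Run the inspector over SAMPLES; None means the ADU raised no alert."""
    return [inspect_adu(host, bytes.fromhex(adu), KNOWN_MASTERS) for host, adu in SAMPLES]
```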
request
response
what does modbus provide?
ScadaScan (alpha)
DNP 3.0
application layer
transport layer
link layer
example
```perl
use strict;
use warnings;
use IO::Socket::INET;

# Usage: dnp3_link_status.pl <ip>
my $ip = shift @ARGV or die "usage: $0 ip\n";

my @buffer;
# DNP 3.0 link layer frame (header only, no user data)
# Start characters (2 bytes): 0x05 0x64
$buffer[0] = chr(5);
$buffer[1] = chr(100);
# Length field (1 byte): control + destination + source = 5
$buffer[2] = chr(5);
# Control byte (1 byte): 0xC9 = DIR=1, PRM=1, function code 9 (Request Link Status)
$buffer[3] = chr(201);
# Destination address (2 bytes, low byte first)
$buffer[4] = chr(241);
$buffer[5] = chr(255);
# Source address (2 bytes, low byte first)
$buffer[6] = chr(5);
$buffer[7] = chr(0);
# CRC (2 bytes, low byte first) over the 8 header bytes above
$buffer[8] = chr(170);
$buffer[9] = chr(210);

# Join the bytes into the frame and send it only once the buffer is complete
my $data = join '', @buffer;
my $socket = IO::Socket::INET->new(
    PeerHost => $ip,
    PeerPort => '20000',
    Proto    => 'tcp',
) or die "cannot connect to $ip:20000: $!";
$socket->send($data);
```
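As an added example that is not part of the slides, a Python decoder for the link-layer header assembled above: it recomputes the DNP3 CRC-16 to verify the header, decodes the control byte, and, from a defender's side, flags frames that claim to come from a master address other than the expected one (the expected master address 0x0001 is an assumption for the demo; the sample frame is the one the Perl snippet builds).

```python
import struct

DNP3_START = b"\x05\x64"
# Link function codes sent by a primary station (control byte PRM bit set).
PRIMARY_FUNCTIONS = {0: "RESET_LINK_STATES", 2: "TEST_LINK_STATES",
                     3: "CONFIRMED_USER_DATA", 4: "UNCONFIRMED_USER_DATA",
                     9: "REQUEST_LINK_STATUS"}


def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: polynomial 0x3D65 run bit-reversed (0xA6BC), init 0, result inverted;
    the frame carries it low byte first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def parse_link_header(frame: bytes) -> dict:
    """Decode and verify the 10-byte link-layer header; ValueError if it is not sound."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 frame (bad length or start bytes)")
    length, control, dest, src, crc_field = struct.unpack("<BBHHH", frame[2:10])
    if crc_field != dnp3_crc(frame[:8]):
        raise ValueError("header CRC mismatch")
    if length < 5:
        raise ValueError("length field must cover control + destination + source")
    primary, function = bool(control & 0x40), control & 0x0F
    return {
        "from_master": bool(control & 0x80),  # DIR bit
        "primary": primary,                    # PRM bit
        "fcb": bool(control & 0x20),
        "fcv": bool(control & 0x10),
        "function": function,
        "function_name": PRIMARY_FUNCTIONS.get(function, "other") if primary else "secondary",
        "destination": dest,
        "source": src,
        "user_data_len": length - 5,
    }


def build_link_header(control: int, dest: int, src: int, user_data_len: int = 0) -> bytes:
    """Assemble a header like the Perl snippet does, computing the CRC instead of hard-coding it."""
    body = DNP3_START + struct.pack("<BBHH", 5 + user_data_len, control, dest, src)
    return body + struct.pack("<H", dnp3_crc(body))


def check_frame(frame: bytes, expected_masters: set) -> str:
    """Defender's view: the CRC only catches line noise and says nothing about who sent the
    frame, so a frame claiming DIR=master from an unexpected source address gets an alert."""
    try:
        hdr = parse_link_header(frame)
    except ValueError as err:
        return "REJECT: %s" % err
    where = "%s from 0x%04X to 0x%04X" % (hdr["function_name"], hdr["source"], hdr["destination"])
    if hdr["from_master"] and hdr["source"] not in expected_masters:
        return "ALERT: unexpected master address, " + where
    return "OK: " + where


# The exact bytes the Perl snippet above puts on the wire (05 64 05 C9 F1 FF 05 00 AA D2).
SLIDE_FRAME = bytes.fromhex("056405c9f1ff0500aad2")
# Assumption for the demo: the only legitimate master uses link address 0x0001.
EXPECTED_MASTERS = {0x0001}
```

Only an authenticated layer such as the HMAC of Secure DNP 3.0 (next section) can tell a legitimate master from anyone else who can reach TCP/20000; the CRC check here is integrity against noise, not a security control.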
request
response
what does DNP 3.0 provide?
ScadaScan (alpha)
secure DNP 3.0
Version 1.0 specification released in Feb 2007
Authentication: Initialization, Periodic, Critical Function Code Requests, Implementation Specific
Cryptography: Keyed Hashing for Message Authentication (HMAC), Key Management
New Function Codes
master threats
control system network connected to corporate network or internet
master threats
no authentication, or no per-user authentication
master threats
shared passwords or weak passwords
master threats
no password change policy
master threats
no patching
master threats
not restarted in years
master threats
unnecessary services
master threats
off-the-shelf software
challenges
SCADA system long life cycle
challenges
difficulty and cost of upgrading
challenges
no testing or guidance about OS patches from SCADA vendors
challenges
some systems managed by SCADA vendors
challenges
data historians and other systems on the SCADA network
challenges
internal differences between IT and SCADA engineers
challenges
wrong mentality - SCADA too obscure for hackers
proposals
strategy for password policy, access control, access roles
proposals
strategy for software upgrades and patches
proposals
SCADA Test environment
proposals
demand from SCADA vendors: expedite testing and approval of OS patches
proposals
demand from SCADA vendors: newer and secure protocols
proposals
apply experience from IT network management and security
proposals
auditing and scanning
ScadaScan
Alpha version: scan a network range; works with TCP/IP; identifies Modbus TCP slaves; identifies DNP 3 TCP slaves
Beta version: SCADA master vulnerability scanning; SNMP support; HTTP support
1.0 release: user-configurable signature files; authenticated support for Windows and *nix; code cleanup
thank you
http://code.google.com/p/scadascan/
twitter: @amolsarwate
please complete the speaker feedback surveys