SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
*All pictures are taken from Dr StrangeLove movie and other Internets
Sergey Gordeychik, Aleksandr Timorin
Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster
and to keep Purity Of Essence
Alexander Timorin, Alexander Tlyapov, Alexander Zaitsev, Alexey Osipov, Andrey Medov, Artem Chaykin, Denis Baranov, Dmitry Efanov, Dmitry Nagibin,
Dmitry Serebryannikov, Dmitry Sklyarov, Evgeny Ermakov, Gleb Gritsai, Ilya Karpov, Ivan Poliyanchuk, Kirill Nesterov, Roman Ilin, Sergey Bobrov,
Sergey Drozdov, Sergey Gordeychik, Sergey Scherbel, Timur Yunusov, Valentin Shilnenkov, Vladimir Kochetkov, Vyacheslav Egoshin, Yuri Goltsev, Yuriy Dyachenko
https://icsmap.shodan.io/
― Google dorks
― Configuration scripts
― FS structure
― etc
--snip--
Comment to PT-SOL-2014001: The upload path has been changed. It is still possible to upload files, but they can't overwrite system critical parts any more.
Comment to PT-SOL-2014002: The system backup is created in a randomly chosen path and deleted afterwards. Therefore an unauthorized access is made much more difficult and very unlikely.
Second comment to PT-SOL-2014002: In order to compensate the weak encryption in the configuration file, the whole configuration file is now encrypted via the new HTTP transmission.
--snip--
To hack what? Grandmom’s reel 2 reel recorder?
Spot the Similarities
Popular HMI
Relatively new system
Platform independent
Custom webserver
http://cvedetails.com for Apache HTTP Server
http://www.digitalbond.com/blog/2013/03/21/s4x13-video-wincc-under-x-rays-by-sergey-gordeychik/
[Chart: values per year, 1997–2013; y-axis 0–1000]
[Diagram: WinCC architecture. Labels: PLC1, PLC2, PLC3; PROFINET; PROFIBUS; LAN; WinCC Servers; WinCC SCADA-Clients; WinCC SCADA-Client + Web-Server; WinCC DataMonitor; WinCC Web-Client; Engineering station (TIA Portal/PCS7); Some networks; Internet, corp LAN, VPNs]
WinCCExplorer.exe/PdlRt.exe
+1337
PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM=
uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM=
Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM=
tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM=
3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
b8b8875d9513cb618c823af52a682670d37fa1c30001000200028ad70a00aac800000000000000008ad72143
32efef822220b6bc6ad0b569dba9e432d37fa1c30001000300028ad70a00aac800000000000000008ad72143
b631fabed35609f6be4191cf0ed0a729d37fa1c30002000300028ad70a00aac800000000000000008ad72143
3e6cd1f7bdf743cac6dcba708c21994f - MD5 of ? (16 bytes)
d37fa1c3 - CONST (4 bytes)
0001 - user logout counter (2 bytes)
0001 - counter of issued cookies for this user (2 bytes)
00028ad7 - value that doesn’t matter (4 bytes)
0a00aac8 - user IP address (10.0.170.200) (4 bytes)
00000000000000008ad72143 - value that doesn’t matter (12 bytes)
So, what about 3e6cd1f7bdf743cac6dcba708c21994f ???
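The field breakdown above, as an added example that is not part of the original slides: a parser that splits the 44-byte cookie into the fields the slide lists and reports which of them actually change between the four sample cookies. Reading the two counters as big-endian integers is an assumption that matches the values shown (0001, 0002, 0003); the function and field names are illustrative.

```python
import base64
import ipaddress
import struct
from typing import NamedTuple

# The four cookies as printed on the slide (base64) and the first one in hex.
SLIDE_COOKIES_B64 = [
    "PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM=",
    "uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM=",
    "Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM=",
    "tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM=",
]
SLIDE_COOKIE_HEX = (
    "3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad7"
    "0a00aac800000000000000008ad72143"
)

# Field widths from the slide; big-endian counters are an assumption.
_LAYOUT = struct.Struct(">16s4sHH4s4s12s")  # 44 bytes in total


class Cookie(NamedTuple):
    digest: bytes         # "MD5 of ?" (16 bytes)
    const: bytes          # CONST (4 bytes)
    logout_counter: int   # user logout counter (2 bytes)
    issued_counter: int   # cookies issued for this user (2 bytes)
    unknown_a: bytes      # "value that doesn't matter" (4 bytes)
    client_ip: str        # user IP address (4 bytes)
    unknown_b: bytes      # "value that doesn't matter" (12 bytes)


def decode_cookie(text: str) -> bytes:
    """Return the raw bytes of a cookie given as 88 hex characters or base64."""
    text = text.strip()
    if len(text) == 2 * _LAYOUT.size:
        raw = bytes.fromhex(text)
    else:
        raw = base64.b64decode(text, validate=True)
    if len(raw) != _LAYOUT.size:
        raise ValueError(f"expected {_LAYOUT.size} bytes, got {len(raw)}")
    return raw


def parse_cookie(text: str) -> Cookie:
    """Split a cookie into the fields named on the slide."""
    digest, const, logout, issued, a, ip, b = _LAYOUT.unpack(decode_cookie(text))
    return Cookie(digest, const, logout, issued, a,
                  str(ipaddress.IPv4Address(ip)), b)


def varying_fields(cookies: list) -> list:
    """Names of the fields that take more than one value across the sample."""
    return [name for name in Cookie._fields
            if len({getattr(c, name) for c in cookies}) > 1]


def constant_byte_count(texts: list) -> int:
    """Number of byte offsets that hold the same value in every cookie."""
    raws = [decode_cookie(t) for t in texts]
    return sum(1 for column in zip(*raws) if len(set(column)) == 1)


if __name__ == "__main__":
    parsed = [parse_cookie(c) for c in SLIDE_COOKIES_B64]
    for c in parsed:
        print(c.digest.hex(), c.logout_counter, c.issued_counter, c.client_ip)
    print("fields that change:", varying_fields(parsed))
    print("constant bytes:", constant_byte_count(SLIDE_COOKIES_B64), "of", _LAYOUT.size)
```

Across the four samples only the digest and the two counters move, so everything that protects the session rests on the 16-byte digest and the secret behind it.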
3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143
3e6cd1f7bdf743cac6dcba708c21994f
MD5(NEXT 26 BYTES OF COOKIE + 16 BYTES OF SECRET + 2 NULL BYTES)
What is SECRET ?
SECRET is generated by a PRNG after PLC start.
The PRNG is a little bit harder than the standard C PRNG.
SEED in range 0x0000 to 0xFFFF
It’s too much for bruteforce (PLC so tender >_<)
What about SEED?
SEED very often depends on a time value
SEED = PLC START TIME + 320
320 was found in practice: the secret is generated ~3-4 seconds after PLC start, using the current time
How to obtain PLC START TIME ?
PLC START TIME = CURRENT TIME – UPTIME
Current time
Uptime
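The weakness traced above is a session secret whose whole key space follows from a small, time-derived seed. As an added example (not code from the slides or from the vendor), here is a hardened token scheme for contrast: the key comes from the OS CSPRNG, the tag is HMAC-SHA256 instead of MD5 over data plus secret, and verification is constant-time. The token layout, class and parameter names are hypothetical; only the idea of binding the counters and client IP is taken from the cookie format on the slides.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct
from typing import Optional

# Hypothetical token body: logout counter, issued counter, client IPv4.
_BODY = struct.Struct(">HH4s")
_TAG_LEN = hashlib.sha256().digest_size


class SessionTokens:
    """Issues and verifies session tokens (illustrative layout)."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # 256 bits from the OS CSPRNG: knowing boot time or uptime does not
        # narrow the key space, unlike a secret expanded from a 16-bit seed.
        self._key = key if key is not None else secrets.token_bytes(32)

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue(self, logout_counter: int, issued_counter: int, client_ip: str) -> bytes:
        body = _BODY.pack(logout_counter, issued_counter,
                          ipaddress.IPv4Address(client_ip).packed)
        return self._tag(body) + body

    def verify(self, token: bytes, client_ip: str, current_logout_counter: int) -> bool:
        """Accept only an untampered token for this IP and login generation."""
        if len(token) != _TAG_LEN + _BODY.size:
            return False
        tag, body = token[:_TAG_LEN], token[_TAG_LEN:]
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, self._tag(body)):
            return False
        logout, _issued, ip = _BODY.unpack(body)
        # A logout bumps the server-side counter, which invalidates old tokens.
        return (logout == current_logout_counter
                and ip == ipaddress.IPv4Address(client_ip).packed)


if __name__ == "__main__":
    tokens = SessionTokens()
    t = tokens.issue(1, 1, "10.0.170.200")
    print("valid:", tokens.verify(t, "10.0.170.200", 1))
    print("after logout:", tokens.verify(t, "10.0.170.200", 2))
```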
SSA-654382, SSA-456423
Affected devices:
• Siemens S7-1200 PLC
• Siemens S7-1500 PLC
CVSS Base Score: 8.3
SCADASL: 13.01.2013
S7 PLC private/public community string for SNMP protocol can't be changed …
Siemens: 06.02.2013
… you cannot change the SNMP community string … This issue has no effect on security, as only non-sensitive information can be changed via SNMP. … community strings changeable in TIA Portal v12.5.
SCADASL: 05.08.2013
… vulnerabilities related to S7 1500 and S7 1200 PLC in attached file … including hardcoded SNMP.
Siemens: 22.10.2013
Hardcoded SNMP strings are in fact an issue …
We might eventually migrate to SNMPv3 …
[Chart: vulnerability counts per vendor (ABB, Advantech, Emerson, Honeywell, Other, Siemens, Schneider Electric), total vs. fixed; y-axis 0–250]
PHDays 2013 Choo Choo Choo Pwn
Security assessment/Pentest
PHDays IV Critical Infrastructure Attack
0-day research
http://bit.ly/1t8poTL http://www.phdays.com/press/news/38171/
Goals
- ICS components 0-day research
- Make a disaster
- 0-day/1-day, CVSS, complexity, exploit, practical impact (e.g. disaster)
Mom, I can spoof MODBUS tag = 0 ;)
Targets
- Schneider Electric: Wonderware System Platform, Indusoft Web Studio 7.1.4, ClearSCADA, IGSS, MiCOM C264
- Siemens: Flexible, TIA Portal 13 Pro, WinCC, KTP 600, Simatic S7-1500 (1511-1 PN), S7-300 (314C-2 DP + CP343), S7-1200 v3, S7-1200 v2.2
- Rockwell Automation: RSLogix 500, Allen-Bradley MicroLogix 1400 1766-L32BWAA
- WellinTech KingSCADA, ICONICS Genesis64, ICP DAS PET-7067, Kepware KepServerEX (S7, DNP3), Honeywell Matrikon OPC (Modbus, DNP3) etc.
Winners
1 Alisa Esage – SE Indusoft Web Studio 7.1
Nikita Maximov & Pavel Markov - ICP DAS RTU
Dmitry Kazakov - Siemens Simatic S7-1200 PLC
2 days – 10+ 0days
Responsible disclosure: in progress
Fixes?
In 2013 we reported 9 vulnerabilities
- PT-EMR-DV-13002 World readable/writable *** (CVSSv2 6.8)
- PT-EMR-DV-13003 World readable *** (CVSSv2 6.8)
- PT-EMR-DV-13004 Weak cryptography used to store *** (CVSSv2 9.0)
- PT-EMR-DV-13005 Multiple SQL injections in *** (CVSSv2 10.0)
- PT-EMR-DV-13006 Weak cryptography used to *** (CVSSv2 6.8)
- PT-EMR-DV-13007 Memory corruption in *** (CVSSv2 5.0)
- PT-EMR-DV-13008 Format string vulnerability in *** (CVSSv2 10.0)
- PT-EMR-DV-13009 Hardcoded access credentials *** (CVSSv2 10.0)
CVSS from 5.0 to 10.0
Advisory (ICSA-14-133-02) Emerson DeltaV v10-12 Vulnerabilities
- CVE-2014-2349 Configuration File Manipulation Local Privilege Escalation, CVSSv2 6.2
- CVE-2014-2350 Service Processes Default Hardcoded Credentials, CVSSv2 2.4
http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02
150 freight cars
12 500 tons
Several locomotives
Safety Integrity Level
Probability of Failure on Demand (PFD)
Probability of Failure per Hour (PFH)
http://www.theguardian.com/world/2013/jul/25/spain-train-crash-travelling-so-fast
Modern Smart Grid:
- ICS/SCADA
- Mobile carrier
- Billing/Payment
- IoT
- Cloud
Alexander @arbitrarycode Zaitsev
Alexey @GiftsUngiven Osipov
Kirill @k_v_nesterov Nesterov
Dmitry @_Dmit Sklyarov
Timur @a66at Yunusov
Gleb @repdet Gritsai
Dmitry Kurbatov
Sergey Puzankov
Pavel Novikov
*All pictures are taken from Google and other Internets