Control Systems are used to automate and control critical infrastructures, which are of significant importance to human lives. However, Control Systems are not secure by design. In this presentation, I will demonstrate some examples, e.g. decoding Control System protocols and exploiting applications.
2. About me
12 years of experience in Cyber Security
Cyber Security Consultant
DDoS and Pen Tests
… Now working on ICS Security
@ozkan_erdogan
ozkerd@gmail.com
3. Agenda
What are Cyber weapons
What is a critical infrastructure
ICS
Cyber weapons on ICS
Protocols
Threats
Attacks and Types of Attacks
Defense principles
4. Cyber Weapon
Computer code
Aiming to threaten or damage
Unlike other code, may have physical and psychological effects
Low cost, high damage
Target: system, people, country, critical infrastructures
6. Utility
Market: 1 trillion $
7391 cyber attacks (a successful attack costs on average $1.2 million)
Oil and Gas
Market: 2.4 trillion $
5493 cyber attacks (a successful attack costs on average $4 million)
7. Why we use ICS
A brief description:
Converting signals between digital and analog and controlling equipment so that it functions automatically according to our needs, i.e. in compliance with a logic that we program. Examples of equipment: robot, valve, engine, generator, A/C.
Examples of tasks: move a robot arm, turn a water pump or valve on/off, mix chemicals, control flow, increase/decrease temperature, measure voltage, pump oil and gas, etc.
12. Scada Security (?)
CIA vs. AIC.
No encryption
No authentication
No authorization
Mostly default passwords
Security through obscurity
So-called ‘air gap’
Rule of ‘no touch’
13. Cyber weapons that targeted ICS
Most destructive: Stuxnet
Malware that directly manipulated Iran’s uranium enrichment process.
50 malware families targeting only energy companies (FireEye).
Havex / Dragonfly: scanned TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric)
Flame: cyber espionage (20 times bigger than Havex)
BlackEnergy: variants targeting critical infrastructure
14. Threat potential
Obama: A nuclear weapon’s result is either 0 or 1. However, a cyber weapon is on a spectrum from 0 to 1 and you never know what it’s going to cause.
John Kerry: 21st-century version of nuclear attacks
Fenghui: The Internet, if not controlled, could cause more harm than nuclear weapons do.
16. Scada architecture
Technical challenges:
Many different vendors, protocols and processes.
The air gap has to be crossed
Convergence of OT to IT, protocols using TCP/IP
Patch and upgrade almost impossible (locking, restart issues)
17. An ad
The architecture of the xxxx Building Automation System consists of programmable control units, I/O units with different point types and capacities, and HMI (touch screen) units. The most important feature of xxxxx is that the control units can connect directly to Ethernet over the TCP/IP protocol and, with their FTP and web server features, can also provide access to the system over the INTERNET. This way, users can remotely monitor system values and change set values with a web browser, without needing any special software. Using the xxxx Manager software, it is possible to connect to the control units locally or remotely, even over an internet connection, and program them.
19. Scada /ICS protocols
Modbus (bidirectional traffic, read/write, usually runs over TCP/IP in a single layer)
Profinet
DNP (bidirectional traffic, read/write, usually runs over TCP/IP in a single layer)
Siemens S7
IEC 60870
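Modbus carries both reads and writes with no authentication, so a defender who can decode the frames can at least see which hosts issue writes. The following is an added example, not code from the presentation: a Modbus/TCP decoder that parses the MBAP header and the request PDU and flags write function codes coming from hosts that are not on an allow-list of known writers. The allow-list, the IP addresses and the captured frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state; 0x01-0x04 are reads.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}
@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int      # starting address carried by the request PDU

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP ADU: 7-byte MBAP header, then function code + data."""
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header + function + address")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame size")
    (address,) = struct.unpack(">H", frame[8:10])
    return ModbusRequest(tid, unit, frame[7], address)

def audit(frames, allowed_writers):
    """One alert per write from a host not allowed to write, one per bad frame."""
    alerts = []
    for src, frame in frames:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed frame ({exc})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}: {WRITE_FUNCTIONS[req.function]} to unit "
                          f"{req.unit_id} address {req.address} (unauthorised source)")
    return alerts

# Constructed sample capture: (source IP, raw Modbus/TCP request), not real traffic.
SAMPLE_FRAMES = [
    ("10.0.0.5",  bytes.fromhex("000100000006010300000014")),           # read 20 registers
    ("10.0.0.5",  bytes.fromhex("00020000000601050013FF00")),           # HMI sets coil 19 ON
    ("10.0.0.99", bytes.fromhex("000300000006010600010003")),           # unknown host writes reg 1
    ("10.0.0.99", bytes.fromhex("00040000000B01100000000204000A0014")), # writes 2 registers
    ("10.0.0.99", bytes.fromhex("000500010006010300000001")),           # protocol id 1: not Modbus
]
```

Running `audit(SAMPLE_FRAMES, allowed_writers={"10.0.0.5"})` yields two write alerts for 10.0.0.99 and one malformed-frame alert; the HMI's own write passes silently because it is on the allow-list.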
22. Cont’d
● Nmap, plcscan
● Rule 1: Be gentle
● nmap --scan-delay 1 (-n skips DNS resolution; Digital Bond publishes ICS-specific nmap scripts)
● Do a TCP connect scan instead of a SYN scan (don’t use half-open scans)
● Do not use OS or service fingerprinting
● Do not use -sC (default script scanning)
● Do not use UDP scans
● snmpcheck -t IP
Gives you
● Open UDP and TCP ports
● Service details
● python plcscan.py IP (scans ports 102 and 502)
34. Modbus Case study
PLC Simulator (Modbus PAL) and mbtget
https://youtu.be/jxJ6921qrpE
Exploit via Metasploit
https://youtu.be/1bCrCFqgP-M
Tampering via Mbtget
https://youtu.be/mGixseMvaMM