Control Systems are used to automate and control critical infrastructures which has a significant importance relating to human lives. However Control Systems are not secure by design. In this presentation, I will demonstrate some examples e.g. decoding Control System protocols and exploiting applications.

1. ICS and Cyber Security
Özkan Erdoğan

2. About me
12 years of experience in Cyber Security
Cyber Security Consultant
Ddos and Pen Tests
… Now working on ICS Security
@ozkan_erdogan
ozkerd@gmail.com

3. Agenda
What are Cyber weapons
What is a critical infrastructure
ICS
Cyber weapons on ICS
Protocols
Threats
Attacks and Types of Attacks
Defense principles

4. Cyber Weapon
Computer code
Aiming Threat or damage
Unlike other codes, might have pyhsical and psychological affects
Low cost- High damage
Target: system, people, country, critical infrastructures

5. Critical Infrastructure
Energy
Water treatment
Hospitals
Nuclear reactors
Communication lines

6. Utility
Market: 1 trillion $
7391 cyber attack (a successfull attack could cause in average 1.2 milyon$)
Oil and Gas
Market: 2.4 trillion $
5493 cyber attack (a successfull attack could cause in average 4 milyon$)

7. Why we use ICS
A brief description:
Converting signals from digital to analog, controlling equipment so they
automatically function to our needs. i.e. in compliance with a logic that we
program.. Example: Robot, valve, engine, generator, A/C,
Example: move a robot arm, turn on/off a water pump or valve, mix chemicals,
flow control, increase/decrease temperature, measuring voltage, pumping oil
and gas etc..

8. Scada in Enterprise Network

9. ICS, Scada and PLC Definition
Industrial Control System

10. HMI

11. PLC

12. Scada Security (?)
CIA vs. AIC.
No encryption
No authentication
No authorization
Mostly default passwords
Security through obscurity
So called ‘Air gap’
Rule of ‘no touch’

13. Cyber weapons targeted ICS
Most destructive: Stuxnet
A virus directly manipulating the process of uranium enrichment by Iran.
50 malwares targeting only Energy companies- Fireeye.
Havex/ Dragonfly: TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric)
Flame: Cyber espionage (20 times bigger than Havex
BlackEnergy: Variants Targeting critical infrastructure

14. Threat potential
Obama: Nuclear weapon result is either 0 or 1. However, cyber weapon is in a
spectrum of 0-1 and you never know what its gonna cause.
John Kerry: 21.century version of nuclear attacks
Fenghui: Internet , if not controlled, could cause harm more than nuclears do.

15. Aurora
Aurora Project: 2007.

16. Scada architecture
Technics:
Many different vendors, protocols and processes.
Need to get over against air-gap
Convergence of OT to IT, protocols using TCP/IP
Patch and upgrade almost impossible (locking, restart issues)

17. An ad
xxxx Bina Otomasyon Sistemi’nin mimarisi, programlanabilir kontrol ünitelerinden
ve farklı nokta tip ve kapasitelerine sahip I/O üniteleri ile HMI (Dokunmatik Ekran)
ünitelerinden oluşmaktadır. xxxxx en nemli özelliği, kontrol ünitelerinin doğrudan
TCP-IP protokolü ile Ethernet’e çıkabilmesi, ftp ve web server özellikleriyle de
INTERNET üzerinden sisteme erişim imkanı verebilmesidir. Bu sayede kullanıcılar
uzaktan her hangi bir özel yazılıma ihtiyaç duymadan, web browser ile sistemle
ilgili değerleri izleyebilmekte ve set değerlerini değiştirebilmektedirler.
xxxx Manager yazılımı kullanılarak, lokal veya uzaktan hatta internet bağlantısı
ile kontrol ünitelerine bağlanıp, programlama yapmak mümkün olmaktadır

18. Scada Manufacturers
Siemens.
Honeywell.
Tecnomatix (USDATA)
ABB
Tibbo Systems (AggreGate SCADA/HMI)
Schneider Electric (Wonderware, Televent Citect)
Survalent Technology Company (STC)
Rockwell

19. Scada /ICS protocols
Modbus (Both way traffic, read/write, usually uses TCP/IP with single layer)
Profinet
DNP (Both way traffic, read/write, usually uses TCP/IP with single layer)
Siemens S7
IEC 60870

20. ICS-Attack Vectors
Information Gathering
Scan (nmap, plcscan)
Arp poisoning
Traffic Capture/Replay
Exploit (Nessus plugins and Metasploit modules)
Brute force

21. Information Gathering
Shodan, censys
Nmap
PLCScan
Masscan
Google hacking

22. Cont’d
● Nmap, plcscan
● Rule 1: Be gentle
● Nmap -scan-delay=1 (-n omits dns) (Digital Bond has nmap specific scripts)
● Do a tcp scan instead of syn (Don’t use half open)
● Do not use fingerprinting
● Do not use -Sc (scripting)
● Do not use udp scan
● Snmpcheck -t IP
Gives you
● Open udp, tcp ports
● Service details
● Python plcscan.py IP (Scans port 102 and 502)

23. ICS on Internet

24. Shodan findings
Siemens S7- 100 x 102.port
DNP: 20 xport:20000
Modbus: 338 x port:502
IEC 60870: 38 x port: 2404

25. Google dork

26. Physical Attacks
Physical attacks against
PLC
RTU -
Smart meter
Relays
Circuit breakers
.

27. Black box attacks
Web and ftp servers, field devices
Web based attacks
SQL injection
Privilege escalation
Trojan, Backdoor
Ddos

28. Internal attacks
Traffic capture and replay
Man in the middle
Arp poisoning
Nessus (Scada Policy & Credential Check)
Metasploit
Wireshark
Python

29. Defense
Patch management
DPI ?
Data diodes ?
Nw segmentation-Isolation
Awareness
Incident Response

30. Fuzzers
Commercial
Codemicon
Wurdtech Achilles
peachfuzzer.com
Open:
Aegis ( https://www.automatak.com/aegis/)

31. Modbus - tcp
Encryption: None
Authentication: None

32. Modbus Protocol Fields

33. Modbus request packet

34. Modbus Case study
PLC Simulator (Modbus PAL) and mbtget
https://youtu.be/jxJ6921qrpE
Exploit via Metasploit
https://youtu.be/1bCrCFqgP-M
Tampering via Mbtget
https://youtu.be/mGixseMvaMM

35. Vulnerabilities
...and counting!!

36. Case Study: Ukraine power outage

37. Exploitation Tools
or buy from
Agora Scada +
‘Made in Russia’

38. The End-
Thank you...
Questions?