The electrical grid is one of the most sophisticated systems humanity has ever built. New technologies such as IEC 61850 and Europe-wide initiatives to create continent-wide SmartGrid systems make it more and more complex.
Our latest research was devoted to analysing the threat landscape, architecture and implementation of modern Smart Grid elements, including relay protection and wind and solar energy generation.
It may seem (not) surprising, but the systems which manage huge turbine towers and household PhotoVoltaic plants are not only connected to the Internet but also prone to many well-known vulnerabilities and low-hanging 0-days. Even if these systems cannot be found via Shodan, fancy cloud technologies leave no chance for security.
In this talk we summarize our practical experience in the security assessment of different components of European SmartGrid technologies: from housekeeping and rooftop PV systems to digital substations. We will release new (but responsibly disclosed) vulnerabilities in SmartGrid components and Cloud SCADA technologies, as well as new tools for the security assessment of SmartGrid industrial protocols.
16. Fixes
--snip--
Comment to PT-SOL-2014001:
The upload path has been changed. It is still possible to upload files, but they can't overwrite system critical parts any more.
Comment to PT-SOL-2014002:
The system backup is created in a randomly chosen path and deleted afterwards. Therefore, unauthorized access is made much more difficult and very unlikely.
Second comment to PT-SOL-2014002:
In order to compensate for the weak encryption in the configuration file, the whole configuration file is now encrypted via the new HTTP transmission.
--snip--
33. #SCADASOS Results
• 60 000+ SmartGrid devices disconnected from the Internet
• Two Advisories
  – XZERES 442SR Wind Turbine CSRF
  – SMA Solar Technology AG Sunny WebBox Hard-Coded Account Vulnerability
38. Vulnerabilities of (u)SIM
― Remote data recovery (Kc, TIMSI)
  • Channel decryption (including A5/3)
  • «Clone» the SIM and mobile station
― SIM “malware”
― Block SIM via PIN/PUK brute force
Alexander Zaitsev, Sergey Gordeychik ,
PacSec, Tokyo, Japan, 2014
60. #CablemeltingBAD
As a side note, there is about a 3GW buffer in the European energy grids -- take 3GW off the net within a couple of seconds (or add them), and lights will go out. For quite a long while.
63. Open Lab @PHDays
PHDays III Choo Choo Choo Pwn
– Security assessment/Pentest
PHDays IV Critical Infrastructure Attack
– 0-day research
http://bit.ly/1t8poTL
http://www.phdays.com/press/news/38171/
64. PHDays IV CIA
• Goals
– 0-day research on ICS components
– Make a disaster
– 0-day/1-day, CVSS, complexity, exploit, practical impact (e.g. disaster)
• Targets
  – Schneider Electric
    • Wonderware System Platform, InduSoft Web Studio 7.1.4, ClearSCADA, IGSS, MiCOM C264
  – Siemens
    • Flexible, TIA Portal 13 Pro, WinCC, KTP 600, Simatic S7-1500 (1511-1 PN), S7-300 (314C-2 DP + CP343), S7-1200 v3, S7-1200 v2.2
  – Rockwell Automation
    • RSLogix 500, Allen-Bradley MicroLogix 1400 1766-L32BWAA
  – WellinTech KingSCADA, ICONICS Genesis64, ICP DAS PET-7067, Kepware KepServerEX (S7, DNP3), Honeywell Matrikon OPC (Modbus, DNP3), etc.
65. Results of PHDays IV CIA
• Winners
  – Alisa Esage – SE InduSoft Web Studio 7.1
  – Nikita Maximov & Pavel Markov – ICP DAS RTU
  – Dmitry Kazakov – Siemens Simatic S7-1200 PLC
• 2 days – 10+ 0-days
• Responsible disclosure
68. DoS in SIPROTEC 4
Specially crafted packets sent to port 50000/udp could cause a denial-of-service of the affected device. A manual reboot is required to recover the service of the device.
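An advisory like this gives a defender one concrete thing to watch: who is talking to the relay's 50000/udp service, and how much. The following is an added example, not code from the talk or from Siemens, showing how a monitoring script can flag both unauthorized sources and packet bursts toward that port over flow records. The flow-log format, the relay subnet, the allowed engineering workstation, the sample records and the burst threshold are all constructed assumptions; only the port number comes from the advisory text.

```python
"""Flag unexpected traffic to the SIPROTEC 4 service port (50000/udp).

Flow records are constructed for this example in a simple form:
  <epoch_seconds> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <packets>
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SERVICE_PORT = 50000                    # from the advisory: 50000/udp
# Assumptions (not from the slides): relays live in this subnet and only the
# engineering workstation is expected to reach the service port.
RELAY_NETWORK = ip_network("10.10.20.0/24")
ALLOWED_SOURCES = {ip_address("10.10.10.5")}
BURST_THRESHOLD = 50                    # packets per source per window (assumed tuning)
WINDOW_SECONDS = 10

# Constructed sample flows: legitimate polling, an unknown host probing a
# relay and then flooding it, plus TCP and non-service-port noise to ignore.
SAMPLE_FLOWS = """
1000 udp 10.10.10.5 40001 10.10.20.11 50000 3
1002 udp 10.10.10.5 40002 10.10.20.12 50000 2
1005 udp 192.0.2.77 51234 10.10.20.11 50000 1
1006 udp 192.0.2.77 51234 10.10.20.11 50000 60
1007 tcp 10.10.10.5 40003 10.10.20.11 50000 5
1020 udp 10.10.10.9 40010 10.10.20.11 102 4
""".strip().splitlines()


def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, proto, src, sport, dst, dport, pkts = line.split()
    return {
        "ts": int(ts), "proto": proto.lower(),
        "src": ip_address(src), "sport": int(sport),
        "dst": ip_address(dst), "dport": int(dport),
        "pkts": int(pkts),
    }


def analyze(lines):
    """Return alerts for traffic to the relay service port.

    Two conditions are reported: a source outside the allowlist (once per
    source/relay pair) and a per-source packet burst within a fixed window
    (once per window, when the threshold is first crossed).
    """
    alerts = []
    seen_pairs = set()
    window_counts = defaultdict(int)    # (src, window index) -> packets

    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        # Only UDP toward the service port on a relay address is relevant.
        if f["proto"] != "udp" or f["dport"] != SERVICE_PORT:
            continue
        if f["dst"] not in RELAY_NETWORK:
            continue

        pair = (f["src"], f["dst"])
        if f["src"] not in ALLOWED_SOURCES and pair not in seen_pairs:
            seen_pairs.add(pair)
            alerts.append({"type": "unauthorized_source", "src": str(f["src"]),
                           "dst": str(f["dst"]), "ts": f["ts"]})

        key = (f["src"], f["ts"] // WINDOW_SECONDS)
        before = window_counts[key]
        window_counts[key] += f["pkts"]
        # Alert exactly once when the window total crosses the threshold.
        if before < BURST_THRESHOLD <= window_counts[key]:
            alerts.append({"type": "burst", "src": str(f["src"]),
                           "packets": window_counts[key], "ts": f["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

On the constructed sample, the script raises one unauthorized-source alert when 192.0.2.77 first touches a relay and one burst alert when its 10-second total passes 50 packets; the TCP record and the IEC 104 traffic on port 102 are ignored. In a real deployment the allowlist and threshold would be derived from baseline traffic, and an alert on this port should be correlated with relay availability, since the advisory states recovery needs a manual reboot.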
73. Kagoshima plant diagram
• SUNNY CENTRAL 500CP-JP
• The 70-megawatt system in Kagoshima is a good example of how important it is to have the right service partner at your side - someone with broad experience, who can respond to unexpected events in a flexible manner.
http://www.sma.de/en/products/references/kagoshima.html