Electrical Grid is one of the sophisticated systems humanity ever built. New technologies such as IEC 61850 and Europe-wide initiatives to create continent-wide SmartGrid systems makes it more and more complex. Our latest research was devoted to the analysis of the threat landscape, architecture and implementation of the modern Smart Grid elements, including relay protection, wind and solar energy generation. It may seem (not) surprising but the systems which manage huge turbine towers and household PhotoVoltaic plants are not only connected to the internet but also prone to many well known vulnerabilities and low-hanging 0-days. Even if these systems cannot be found via Shodan, fancy cloud technologies leave no chances for security. In this talk, we summarize our practical experience in security assessment of different components of European SmartGrid technologies: from housekeeping and rooftop PV systems to digital substations. We will release new (but responsibly disclosed) vulnerabilities in SmartGrid components, Cloud SCADA technologies as well as new tools for security assessment of SmartGrid industrial protocols.

1. Too Smart Grid
Sergey Gordeychik
Alexander Timorin

2. www.scadasl.org
• Group of security researchers focused on ICS/SCADA
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Scherbel
Timur Yunusov
Valentin Shilnenkov
Vladimir Kochetkov
Vyacheslav Egoshin
Yuri Goltsev
Yuriy Dyachenko

3. Bugs in SCADA/PLC
*ICS Security in 2014, Evgeny Druzhinin, Ilya Karpov, Alexander Timorin,
Gleb Gritsay, Sergey Gordeychik

4. The Word of Power

5. Smartgrid cybersecurity
http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf

6. Smartgrid cybersecurity
http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf

8. IPC@CHIP

9. OSINT

11. Firmware
― Google dorks
― Configuration scripts
― FS structure

12. Direct search

14. ENCRYPTION!!!11

15. Firmware update

16. Fixes
--snip--
Comment to PT-SOL-2014001:
The upload path has been changed. It is still possible to upload files, but they
can't overwrite system critical parts any more.
Comment to PT-SOL-2014002:
The system backup is created in a randomly chosen path an deleted afterwards.
Therefore an unauthorized access is made much more difficult and very unlikely.
Second comment to PT-SOL-2014002:
In order to compensate the weak encryption in the configuration file, the whole
configuration file is now encrypted via the new HTTP transmission.
--snip--

18. osint

19. User manual

20. Admin manual

21. Source code

22. 117.220 MW Googled (1/22)

23. The Wind?

25. Nordex

26. Archaeology

27. CVE Details

28. Pictures from Google

29. 990.390 MW
*Special Bushehr photo for scary ICS security slides
*

31. #SCADASOS
http://scadastrangelove.blogspot.com/2014/12/sos-secure-open-smartgrids.html

33. #SCADASOS Results
• 60 000+ SmartGrid devices disconnected from the Internet
• Two Advisories
• XZERES 442SR Wind Turbine CSRF
• SMA Solar Technology AG Sunny WebBox Hard-Coded Account
Vulnerability

34. Global radio network
• HUGE attack
surface
• TCP/IP networks
• It GLOBAL

35. IP boxes

36. LTE radio security
 Theory
 A5/3 ciphers
 GEA 2
 128 bits keys
 Practice
 Backward compatibility with 2G (MITM)
 Reuse of A5/1 or A5/0

37. Real 4G encryption
Karsten Nohl, CCC, Hamburg, Germany, 2014

38. Vulnerabilities of (u)SIM
― Remote data recovery (Kc, TIMSI)
• Chanel decryption (including A5/3)
• «Clone» the SIM and mobile station
― SIM “malware”
― Block SIM via PIN/PUK bruteforce
Alexander Zaitsev, Sergey Gordeychik ,
PacSec, Tokyo, Japan, 2014

39. Femtoland and 3G sniffer

40. 4G modem
 Mobile computer
 Linux/Android/BusyBox/VxWorks
 Different interfaces
 Storage
 CWID USB SCSI CD-ROM USB Device
 MMC Storage USB Device (MicroSD Card Reader)
 Local management
 COM-Port (UI, AT commands)
 Remote management
 Remote NDIS based Internet Sharing Device
 WiFi Kirill Nesterov, Timur Yunusov,
HITBSec 2015, Amsterdam

42. Attack host

43. Control

45. First one to guess
now to bypass
BIOS secure boot
gets…

46. 133t prize or free beer!

47. USB Drivers Bugs Over network
Travis Goodspeed, Sergey Bratus,
https://www.troopers.de/wp-content/uploads/2012/12/TROOPERS13-
You_wouldnt_share_a_syringe_Would_you_share_a_USB_port-
Sergey_Bratus+Travis_Goodspeed.pdf

48. BADUSB via the Internet
scadastrangelove.blogspot.com/2015/10/badusb-over-internet.html

49. SCADA with Antenna

51. The POWERful social network

56. Don’t patch too much

58. Some kWs only

60. #CablemeltingBAD
As a side note, there is about a 3GW buffer in the
European energy grids -- take 3GW off the net within a
couple of seconds (or add them), and lights will go out.
For quite a long while.

61. Smartgrid cybersecurity
http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf

62. Digital Substations
http://scadastrangelove.blogspot.com/2013/11/scada-security-deep-inside.html
IEC 61850 tools:

63. Open Lab @PHDays
PHDays III Choo Choo Choo Pwn
– Security assessment/Pentest
PHDays IV Critical Infrastructure Attack
– 0-day research
http://bit.ly/1t8poTL http://www.phdays.com/press/news/38171/

64. PHDays IV CIA
• Goals
– 0-day research on ICS components
– Make a disaster
– 0-day/1-day, CVSS, complexity, exploit, practical impact (e.g. disaster)
• Targets
– Schneider Electric
• Wonderware System Platform, InduSoft Web Studio 7.1.4,
ClearSCADA, IGSS, MiCOM C264
– Siemens
• Flexible, TIA Portal 13 Pro, WinCC, KTP 600, Simatic S7-1500 (1511-1
PN), S7-300 (314С-2 DP + CP343), S7-1200 v3, S7-1200 v2.2
– Rockwell Automation
• RSLogix 500, Allen-Bradley MicroLogix 1400 1766-L32BWAA
– WellinTech KingSCADA, ICONICS Genesis64, ICP DAS PET-7067, Kepware
KepServerEX(S7, DNP3), Honeywell Matrikon OPC (Modbus, DNP3), etc.

65. Results of PHDays IV CIA
• Winners
– Alisa Esage – SE InduSoft Web Studio
7.1
– Nikita Maximov & Pavel Markov - ICP
DAS RTU
– Dmitry Kazakov - Siemens Simatic S7-
1200 PLC
• 2 days – 10+ 0days
• Responsible disclosure

66. Digital Substation Takeover
https://www.youtube.com/watch?v=w8T-bbO3Qec

67. Digital Substation Takeover

68. DoS in SIPROTEC 4
Specially crafted packets sent to port 50000/udp could cause a
denial-of-service of the affected device. A manual reboot is
required to recover the service of the device.

69. The Power of Japan

70. Japan energy stations map:
megawatts and location

71. Ukishima solar power plant

72. Kagoshima solar power plant

73. Kagoshima plant diagram
• SUNNY CENTRAL 500CP-JP
• The 70-megawatt system in Kagoshima is a good example of how important it
is to have the right service partner at your side - someone with broad
experience, who can respond to unexpected events in a flexible manner.
http://www.sma.de/en/products/references/kagoshima.html

74. Kagoshima plant diagram

75. ICS Security in Japan
• 600+ SCADA/PLC on the Internet
20
129
408
19
8 13
ethernetip http modbus snmp s7 other

76. ICS Security in Japan

77. PS

78. Spot the difference
1
2

79. Super Heavy Trains
150 freight cars
12 500 tons
Several locomotives

80. Super Heavy Jam

81. Automatic train protection - SIL 4!

82. SIL 4?!
Safety Integrity Level
Probability of Failure on Demand (PFD)
Probability of Failure per Hour (PFH)

83. SIL 4? Root in 15 minutes!

84. We know the difference
1
2

85. Need for speed?
http://www.theguardian.com/world/2013/jul/25/spain-train-crash-travelling-so-fast

86. PPS

87. Network Convergence?

88. OT Convergence?
Modern Smart Grid:
- ICS/SCADA
- Mobile carrier
- Billing/Payment
- IoT
-Cloud

90. root via SMS
Alexander @arbitrarycode Zaitsev
Alexey @GiftsUngiven Osipov
Kirill @k_v_nesterov Nesterov
Dmtry @_Dmit Sklyarov
Timur @a66at Yunusov
Gleb @repdet Gritsai
Dmitry Kurbatov
Sergey Puzankov
Pavel Novikov

91. *AllpicturesaretakenfromDr
StrangeLovemovieandother
Internets
The Great Train Cyber
Robbery

92. We already know:
Reverse perimeter

93. 93

94. HACK from the network
94

95. OPEN ATM in the internet
95

96. Thank you
*Allpicturesaretakenfrom
googleandotherInternets
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Scherbel

97. Too Smart Grid
Sergey Gordeychik
Alexander Timorin