PT-DTS SCADA Security using MaxPatrol
5 likes3,637 views
This document discusses securing ICS/SCADA systems. It provides an overview of Positive Technologies, a security company focusing on vulnerability management, penetration testing, and research. The document discusses common myths about SCADA security and research finding vulnerabilities across many systems. Positive Technologies' MaxPatrol product is presented for vulnerability and compliance management. Services include auditing ICS infrastructure and SCADA applications to identify risks.
PT-DTS SCADA Security using MaxPatrol
- 2. Agenda Positive Technologies Company overview ICS/SCADA security myths Positive Research on SCADA Security MaxPatrol for SCADA Positive Services for SCADA Questions?
- 4. About Positive Technologies 10+ Years of experience 300+ Employees Offices • London, UK • Moscow, Russia • Seoul, Korea • Tunis, Tunisia • Rome, Italy 1000+ Customers & Partners globally Partnerships with major software vendors
- 5. Positive Technologies Focus MaxPatrol - Vulnerability & Compliance Management System Positive Services – a unique team of experts in practical security Positive Research – one of the biggest research centers in Europe Positive Hack Days – the annual information security international Forum
- 6. Positive Services We conduct more than 20 large-scale penetration tests each year We perform a consistently high volume of web application security assessments Security assessment • Penetration testing • Infrastructure analysis • Custom applications assessment Security management processes • KPI development • Technical standards and compliance • Audit & IT security risks of business processes
- 7. Positive Research Center One of the biggest security research labs in Europe • 100+ new 0-day vulnerabilities discovered per year • Our research is used by key industry bodies We help global IT players to secure their products We are involved in the development of industry standards Our portal Securitylab.ru – a leading Eastern European security portal
- 8. Positive Hack Days Forum 2012 1,500 Participants 6 Tracks 10 Workshops 8 Challenges Hacking CTF Contest Keynote by Bruce Schneier
- 10. Our Customers Industrial enterprises Energia Space Corporation Tactical missiles corp. Sukhoi (aircraft building enterprise) Magnitogorsk Iron & Steel Nizhnekamsk (Petrochemicals) AEP (Nuclear Technologies)
- 12. Why should we care about SCADA security? SCADA network is isolated and is not connected to other networks, all the more so to Internet MES/SCADA/PLC is based on custom platforms, and attackers can’t hack it HMI has limited functionality and does not allow to mount attack …
- 13. PT security assessment experience 100% of tested SCADA networks are exposed to Internet/Corporate network Network equipment/firewalls misconfiguration MES/OPC/ERP integration gateways HMI external devices (Phones/Modems/USB Flash) abuse VPN/Dialup remote access 90% of tested SCADA can be hacked with Metasploit Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…) Standard protocols (RCP, CIFS/SMB, Telnet, HTTP…) Standard bugs (patch management, passwords, firewalling, application vulnerabilities)
- 14. PT security assessment experience 70% of HMI/Engineering stations are also used as desktops Kiosk mode bypass (Secret) Internet access games/”keygens”/trojans and other useful software Overall SCADA security level = Internet security in the beginning of XXI century VS
- 15. Positive Research on ICS/SCADA Security
- 16. Activities in 2012 SCADA Security in Numbers – research on ICS/SCADA attack surface SCADA applications security assessment – deep analysis of different automation systems Security Hardening guides development – security configuration guides and benchmark checklists for SCADA Community collaboration
- 17. SCADA Security in Numbers Deep technical analysis of ICS/SCADA attack surface (2005 – August 2012) Statistics of Vulnerabilities and Exploits • Vulnerabilities in PLC/SACDA/MES systems • Risks and exploits • Vulnerability management effectiveness • Attack vectors and impact SCADA in the Internet • Analysis of SCADA systems exposed to the Internet • Distribution by vendor • Security level
- 19. Risk level by vendor
- 20. Risk level (%)
- 22. % of Exploits
- 23. SCADA applications security assessment Deep technical analysis of different automation systems • Siemens automation solutions SIMATIC WINCC S7 PLCs TIA Portal • Wonderware InTouch • … Methodologies • BlackBox Penetration testing/fuzzing • Web Application code review • Firmware reversing and static analysis • Forensic analysis
- 24. SCADA applications security assessment: Results >50 vulnerabilities detected • Client-side (XSS, CSRF etc) • SQL/XPath injections • Arbitrary file reading • Username/passwords disclosure • Weak encryption • Hardcoded crypto keys • … Results • Partially fixed by vendors • Assessment and fixing roadmap with Siemens Product CERT 50 is a quarter of currently known SCADA vulnerabilities!
- 25. Security Hardening guides development Technical guides for built-in and external security features Useful for configuration management and security assessment First public release - Siemens SIMATIC WinCC • To be: • TIA Portal • HMI Kiosk Mode • Intouch
- 26. Community collaboration Collaboration with Siemens Product CERT and other vendors Reports on security conferences
- 28. MaxPatrol in Figures checks of known vulnerabilities systems to work across configuration parameters new 0-day vulnerabilities per year 30,000+ 1,000+ 5,000+ 100+
- 29. MaxPatrol – An All-in-One Solution
- 30. MaxPatrol Highlights Password Policy Audit Malware Detection Integrity Monitoring Sensitive Data Detection Agentless & low-privileged Assessment Web-Application Security
- 31. Our approach Defense in Depth strategy Network Layer OS and DBMS SCADA/HMI/PLCs MES/ERP Compliance management support
- 32. Network Layer Vulnerabilities checks of different platforms • Cisco, Juniper, Check Point, Arbor, Huawei, Nortel, Alcatel Configuration analysis • Authentication checks • ACLs analysis • Special checks of industrial protocols configuration (Cisco Connected Grid, etc)
- 33. OS and DBMS Exhaustive vulnerability and configuration analysis Operating Systems: Windows, Mac OS X, Linux, IBM AIX, HP- UX and Oracle Solaris Databases: Microsoft SQL, Oracle, IBM DB2, PostgreSQL, MySQL and Sybase Offline USB/CD Scanner • Useful for HMI/SCADA audits • Not require network connections • Full-featured reporting with MaxPatrol Server
- 34. SCADA/HMI/PLC Support of automation protocols • ModBus/S7/DNP3/OPC Vulnerabilities checks of PLC/SCADA/MES Predefined (Safe mode) assessment for SCADA Configuration check of SCADA HMI Kiosk mode checks Mobile/Wireless/Internet access Software whitelist/blacklist Antivirus/HIPS checks
- 35. MES/ERP Best among vulnerability and compliance assessment of ERP system Support of SAP Netweaver and Oracle EBS • Complete analysis on OS/DBMS/Application levels • Black box and White box vulnerability checks • SAP Notes and OEBS patches checks • Configuration analysis • SAP Security Guide compliances
- 36. NERC Critical Infrastructure Protection Compliance CIP-002-1: Critical Cyber Asset Identification • Hardware and software discovery, network and system asset inventory CIP-003-1: Security Management Controls • Built-in configuration compliance checklists, automated vulnerability assessment CIP-005-1 Electronic Security Perimeter(s) • Control network security via network scan configuration checks
- 37. NERC Critical Infrastructure Protection Compliance CIP-007-1 Systems Security Management • Automated assessment of security controls (antivirus, SIEM, Firewall, etc.) CIP-008-1 Incident Reporting and Response Planning • Control of risky configurations and compromise detection
- 38. Key Features: Flexibility & Integration Asset Management Help Desk Ticketing Risk Management Patch Management SIM/SIEM IPS and WAF Penetration Testing NAC/NAP
- 40. Positive Services ICS Infrastructure Security Audit Complex assessment of technical and organizational security means. From PLC to ERP. From Pentest to Checklists. SCADA application security assessment Deep technical inspection of SCADA security on Network/OS/Database and Application levels. Security policy and configuration checklist development Vulnerability and compliance management process implementation
- 41. Resume Positive Technologies approach Research: to understand vulnerabilities and to find new Audit: to discover risks and select countermeasures Automate: vulnerability and compliance management with MaxPatrol Control: security process efficiency Consolidate: vendors, researchers and customers to create safe ICS/SCADA infrastructure and solutions