Scada Security & Penetration Testing

SSCCAADDAA SSeeccuurriittyy
SSCCAADDAA SSeeccuurriittyy || AAhhmmeedd SShheerriiff 22001144

AAggeennddaa
IInndduussttrriiaall CCoonnttrrooll SSyysstteemmss
● WWhhaatt iiss iitt ??
PPLLCC
● DDeeffiinniittiioonnss
● HHooww DDooeess iitt wwoorrkk ??
SSCCAADDAA
● DDeeffiinniittiioonnss
● HHooww DDooeess iitt wwoorrkk ??
SCADA Security | Ahmed Sherif 2014

AAggeennddaa
● Some Incidents
● Stuxnet VS PLC
● Security Best Practices

IInndduussttrriiaall CCoonnttrrooll SSyysstteemmss
● Industrial control system (ICS) is a general term that
encompasses several types of control systems used
in industrial production, including supervisory control
and data acquisition (SCADA) systems, distributed
control systems (DCS), and other smaller control
system configurations such as programmable logic
controllers (PLC) often found in the industrial sectors
and critical infrastructures.

PPLLCC
● A Programmable Logic Controller, PLC or
Programmable Controller is a digital computer
used for automation of typically industrial
electromechanical processes, such as control
of machinery on factory assembly lines,
amusement rides, or light fixtures. PLCs are
used in many industries and machines

PPLLCC –– HHooww DDooeess iitt WWoorrkk ??
1. Computer is Connected to PLC unit Through Ethernet, RS-232, RS-485 or
RS-422 cabling .
2. The programming software allows entry and editing of the ladder-style logic
3. the program is transferred from a personal computer to the PLC through a
programming board which writes the program into a removable chip such as an
EEPROM
4. The Program Then Can Be Run and Executed.

PLC – How Does it Work ?
1. Computer is Connected to PLC unit Through Ethernet, RS-232,
RS-485 or RS-422 cabling .

2. The programming software allows entry and editing of the
ladder-style logic

3. the program is transferred from a personal computer to the PLC
through a programming board which writes the program into a
removable chip such as an EEPROM

4. The Program Then Can Be Run and Executed.

PLC – Simulation

SCADA
SCADA is ....
Industrial Control Systems (ICS), commonly referred to as
SCADA underlie much of the infrastructure that makes every day
life possible in the modern world.

SCADA
SSCCAADDAA iiss ........
● Industrial Control Systems (ICS), commonly
referred to as
● SCADA underlie much of the infrastructure that
makes every day
● life possible in the modern world.
● Supervisory Control and Data Acquisition

SCADA
SCADA is used For ....
PPOOWWEERR GGrriiddss

SCADA
SSCCAADDAA iiss uusseedd FFoorr ........
PPiippeeLLiinneess

SCADA
IInntteerr--
ccoonnnneecctteedd
sseennssoorrss aanndd
ccoonnttrroollss
uunnddeerr
cceennttrraall
mmaannaaggeemmeenntt

SCADA
cchheemmiiccaall ppllaanntt,,
ppoowweerr ppllaanntt,,
mmaannuuffaaccttuurriinngg
ffaacciilliittyy

SCADA
TTrraaffffiicc SSiiggnnaall

HHooww DDooeess SSccaaddaa WWoorrkkss ??
PPhhyyssiiccaall MMeeaassuurreemmeenntt//ccoonnttrrooll eennddppooiinnttss::
● RTU, PLC
● Measure voltage, adjust valve, flip switch
IInntteerrmmeeddiiaattee pprroocceessssiinngg
● Usually based on a commonly used Oses
● *nix, Windows, VMS

HHooww DDooeess SSccaaddaa WWoorrkkss ??
CCoommmmuunniiccaattiioonn IInnffrraassttrruuccttuurree
● Serial, Internet, Wifi
● Modbus, DNP3, OPC, ICCP

Components ooff aa SSCCAADDAA nneettwwoorrkk
● RTU / PLC – Reads information on voltage, flow, the
status of
switches or valves. Controls pumps, switches, valves
● MTU – Master Terminal Unit – Processes data to send
to HMI
● HMI – Human Machine Interface – GUI, Windows –
Information
traditionally presented in the form of a mimic diagram
● Communication network – LAN, Wireless, Fiber etc etc

PPrroottooccoollss ooff SSccaaddaa NNeettwwoorrkk
RRaaww DDaattaa PPrroottooccoollss –– MMooddbbuuss // DDNNPP33
● For serial radio links mainly, but you can run anything over
● anything these days, especially TCP/IP (for better or worse)
● Reads data (measures voltage / fluid flow etc)
● Sends commands (flips switches, starts pumps) / alerts (it’s
● broken!)
HHiigghh LLeevveell DDaattaa PPrroottooccoollss –– IICCCCPP // OOCCPP
● Designed to send data / commands between apps / databases
● Provides info for humans
● These protocols often bridge between office and control
● networks

TTeessttiinngg SSccaaddaa NNeettwwoorrkkss

SSccrriipptt KKiiddddiieess vvss SSccaaddaa
SSoommeettiimmeess iitt DDooeessnn''tt rreeqquuiirree HHiigghh
SSkkiillllss ccoozz ......
● TTeennaabbllee hhaass rreelleeaasseedd 3322 pplluugg--iinnss
ffoorr NNeessssuuss wwhhiicchh ssppeecciiffiiccaallllyy tteesstt
SSCCAADDAA ddeevviicceess
● CCoorree--IImmppaacctt aanndd MMeettaassppllooiitt nnooww
iinncclluuddee SSCCAADDAA hhaacckkss ((SSiinnccee
AAuugguusstt 22000088))

SSCCAADDAA ((iinn)) sseeccuurriittyy
LLaacckk ooff AAuutthheennttiiccaattiioonn
● I don’t mean lack of strong authentication. I mean NO AUTH!!
● There’s no “users” on an automated system
● OPC on Windows requires anonymous login rights for DCOM
● (XPSP2 breaks SCADA because anonymous DCOM off by
● default)
● Normal policies regarding user management, password rotation
● etc etc do not apply

SSCCAADDAA ((iinn)) sseeccuurriittyy
CCaann’’tt PPaattcchh,, WWoonn’’tt ppaattcchh
● SCADA systems traditionally aren’t patched
● Install the system, replace the system a decade later
● Effects of patching a system can be worse than the
effects of
● compromise?
● Very large vulnerability window

IInncciiddeennttss !! !!

In 2000, in Queensland, Australia. Vitek Boden
released millions of liters of Untreated Sewage
Into fresh water streams using a wireless laptop.

“In August 2003 Slammer infected a private computer network at
the idled DavisBesse
nuclear power plant in Oak Harbor, Ohio,
disabling a safety monitoring system for nearly five hours.”

In 2003, the east coast of America experienced a blackout.
While the Blaster worm was not the cause, many related
systems were found to be infected

In 1997, a teenager broke into NYNEX and cut off Worcester
Airport in Massachusetts for 6 hours by affecting ground and air
communications

TThhee NNiigghhttmmaarree ....SSttuuxxnneett

TTaarrggeettss SSccaaddaa NNeettwwoorrkkss
● Siemens Simatic WinCC specifically.
UUsseess RRoooottKKiitt tteecchhnnoollooggyy ttoo hhiiddee iittsseellff
● Classic Windows rootkit
● PLC rootkit
SSpprreeaaddss vviiaa UUSSBB ssttiicckkss aanndd nneettwwoorrkk sshhaarreess
● Uses 4 Zero-day vulnerabilities

MMaalliicciioouuss ppaayyllooaadd ssiiggnneedd wwiitthh ssttoolleenn
ddiiggiittaall CCeerrttiiffiiccaatteess
● Realtek and Jmicron.
IInnffeecctteedd MMaacchhiinneess bbeeccoommee ppaarrtt ooff
tthhee SSttuuxxnneett bboottnneett
● Can Steal code,documents, Projects designs .
● Can inject and hide code into PLCs – modifying
production processes.

SSttuuxxnneett .... DDeeeeppeerr LLooookk
● MMaaiinn DDrrooppppeerr
This section contains the main stuxnet DLL file. And this DLL contains all stuxnet’s
functions, mechanisms, files and rootkits.

● After finding this section, it loads stuxnet DLL file in a special way.
11..EEssccaallaattiinngg tthhee PPrriivviilleeggeess aanndd IInnjjeeccttiinngg IInnttoo aa NNeeww
PPrroocceessss..
● It checks if the configuration data is correct and recent and then it checks the admin rights. If
it’s not running on administrator level, it uses one of two zero-day vulnerabilities to escalate
the privileges and run in the administrator level.
● CVE-2010-2743(MS-10-073) –Win32K.sys Keyboard Layout Vulnerability
● CVE-xxxx-xxxx(MS-xx-xxx) –Windows Task Scheduler Vulnerability
● These two vulnerabilities allow the worm to escalate the privileges and run in a new
● process (“csrss.exe” in case of Win32K.sys) or as a new task in the Task Scheduler case

11..EEssccaallaattiinngg tthhee PPrriivviilleeggeess aanndd IInnjjeeccttiinngg IInnttoo aa NNeeww
PPrroocceessss..
After everything goes right and the environment is prepared to be infected by stuxnet, it
injects itself into another process to install itself from that process.
The injection begins by searching for an Antivirus application installed in the machine
Depending on the antivirus application (AVP or McAfee or what?), stuxnet chooses the
process to inject itself into. If there’s no antivirus program it chooses “lsass.exe”

22..IInnssttaalllliinngg SSttuuxxnneett iinnttoo tthhee
IInnffeecctteedd MMaacchhiinnee..
The Function #16 begins by checking the configuration data and be sure that everything
is ready to begin the installation. And also, it checks if the there’s a value in the registry
with this name “NTVDM TRACE” in
SOFTWAREMicrosoftWindowsCurrentVersionMS-DOS Emulation
And then, it checks if this value equal to “19790509”.
This special number seems a date “May 9, 1979” and this date has a historical meaning
(by Wikipedia) “Habib Elghanian was executed by a firing squad in Tehran sending
shock waves through the closely knit Iranian Jewish community”

33..TThhee UUSSBB DDrriivveess IInnffeeccttiioonn
For infecting USB Flash memory, Stuxnet creates a new hidden window “AFX64c313”
and get notified of any new USB flash memory inserted to the computer by waiting for “WM_DEVICECHANGE”
Windows Message.
● After getting notified of a new drive added to the computer (USB Flash Memory),
stuxnet writes 6 files into the flash memory drive:
● Copy of Shortcut to.lnk
● Copy of Copy of Shortcut to.lnk
● Copy of Copy of Copy of Shortcut to.lnk
● Copy of Copy of Copy of Copy of Shortcut to.lnk
● And 2 executable files (DLL files):
● ~WTR4141.tmp
● ~WTR4132.tmp
These malformed shortcut files use vulnerability in Windows Shell named:
● CVE-2010-2568(MS-10-046) -Windows Shell LNK Vulnerability

WWaass iitt aa ssuucccceessss ??

SSeeccuurriittyy BBeesstt PPrraaccttiicciieess
● Real World Scenario

SShhooddaann && SSCCAADDAA
port:161 country:US simatic

SShhooddaann && SSCCAADDAA
Python shodan_scan.py user.list pass.list

IInnffoorrmmaattiioonn PPrrootteeccttiioonn GGuuiiddeelliinneess::
● Create strong passwords and protect those passwords.
● Use a security token (or some other additional protection method) with a
password to provide much stronger protection than a password alone.
● Take great care in what you publish on the internet and your company intranet.
● Sanitize or destroy all equipment that may contain critical information.
● Follow your company's reporting procedures if you observe any suspicious or
abnormal activity.

PPhhyyssiiccaall PPrrootteeccttiioonn GGuuiiddeelliinneess::
● Limit access to systems you're responsible for to those who have a need to know.
● Protect systems and information (use password-protected screen savers, lock office
doors, lock information in cabinets, etc.) when leaving them unattended.
● When traveling, pay special attention when going through airport security. Thieves
may be able to steal your laptop while you are focusing on getting through the
security checkpoint.
● Never leave systems or storage media in your vehicle.
● Protect work systems and information at home at the same level or higher as you
would at work.

SSoo,, IIss SSccaaddaa IImmppoorrttaanntt ??
● No ...
● Why ?! ...

Any Questions ?

Scada Security & Penetration Testing

More Related Content

What's hot (20)

Similar to Scada Security & Penetration Testing (20)

Recently uploaded (20)

Scada Security & Penetration Testing