Tech f43
- 1. Session ID: Session Classification: Amol Sarwate Qualys Inc. TECH-F43 Intermediate WHY IS ‘SCADA’ SECUIRTY AN UPHILL BATTLE?
- 2. ► SCADA Basics ► Threats (where, why & how) ► Challenges ► Recommendations and Proposals ► ScadaScan tool Agenda
- 3. SCADA – DCS – ICS
- 4. accidents liquid pipeline failures http://www.ntsb.gov/doclib/safetystudies/SS0502.pdf power failures http://www.nerc.com/docs/docs/blackout/Status_Report_081104.pdf other accidents http://en.wikipedia.org/wiki/List_of_industrial_disasters
- 8. SCADA Basics Field Control Center
- 9. Acquisition Convert parameters like light, temperature, pressure or flow to analog signals
- 10. Conversion Converts analog and discrete measurements to digital information
- 11. Communication Front end processors (FEP) and protocols Wired or wireless communication Modbus DNP 3 OPC ICCP ControlNet BBC 7200 ANSI X3.28 DCP 1 Gedac 7020 DeviceNet DH+ ProfiBus Tejas TRE UCA
- 12. Presentation and Control Control, monitor and alarming using human machine interface (HMI)
- 13. Where are the threats?
- 14. I/O and Remote Requires physical access
- 15. I/O and Remote Field equipment generally does not contain process knowledge
- 16. I/O and Remote Information like valve 16 or breaker 9B
- 17. I/O and Remote Without process knowledge leads to nuisance disruption
- 19. Communication Change FEP output which is HMI input
- 21. Example 1: Modbus protocol MODBUS Request - Message sent on the network by the Client to initiate a transaction MODBUS Indication - Request message received on the Server side MODBUS Response - Response message sent by the Server MODBUS Confirmation - Response Message received on the Client side Modbus Client Modbus Server Request Indication Confirmation Response Master Slave
- 22. Example 1: Modbus protocol request
- 23. Example 1: Modbus protocol response
- 24. What does Modbus provide?
- 25. ScadaScan
- 26. Example 2: DNP 3.0 protocol
- 27. Example 2: DNP 3.0 protocol request
- 28. Example 2: DNP 3.0 protocol response
- 29. What does DNP 3.0 provide?
- 31. Secure DNP 3.0 ► New specification released in 2007 ► Authentication ► Cryptography ► Keyed Hashing for Message Authentication (HMAC) ► Key Management ► New Function Codes
- 32. Master Threats Control system network connected to corporate network or internet
- 33. Master Threats No authentication or per user authentication
- 36. Shared passwords or default passwords Master Threats
- 37. Not restarted in years Master Threats
- 39. Biggest Challenge Long life expectancy of SCADA systems Difficult and costly to upgrade
- 40. Proposals ► Strategy for password policy, access control and access roles ► Strategy for software upgrades and patches ► SCADA test environment ► Demand expedite testing, guidance and approval of OS patched from SCADA vendors ► Regular auditing and vulnerability scanning ► Apply security experience from IT network management
- 41. Alpha version - http://code.google.com/p/scadascan/ Scan network range Works with TCP/IP Identifies Modbus TCP slaves Identifies DNP 3 TCP slaves Beta version SCADA master vulnerability scanning SNMP support HTTP support 1.0 Release User configurable signature files Authenticated support for Windows and *nix Code cleanup ScadaScan Twitter @amolsarwate