SlideShare uma empresa Scribd logo

"The Great Train Cyber Robbery" SCADAStrangeLove

Aleksandr Timorin
Aleksandr Timorin

32C3 conference talk

Apresentações e oratória
1 de 110
Baixar para ler offline
*AllpicturesaretakenfromDr StrangeLovemovieandother Internets Sergey Gordeychik Alexander Timorin Gleb Gritsai
¨ Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Roman Polushin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Sidorov Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
Please note, that this talk is by SCADA StrangeLove team. We don’t speak for our employers. All the opinions and information here are of our responsibility (actually no one ever saw this talk before). So, mistakes and bad jokes are all OUR responsibilities.
9260 km 6 day 1:59
A signal is a mechanical or electricaldevice erected beside a railway line to pass information relating to the state of the line ahead to train/engine drivers. A railroad switch, turnout or [set of] points is a mechanical installation enabling railway trains to be guided from one track to another, such as at a railway junction or where a spur or siding branches off.
http://www.railway-technical.com/sigtxt5.shtml
https://www.youtube.com/watch?v=Mjx3S3UjmnA
https://en.wikipedia.org/wiki/File:Clear_track_circuit.svg
https://en.wikipedia.org/wiki/File:Occupied_track_circuit.svg
Weld resistance Weld no transfer contacts Solid gold and bifurcated contacts -40 °C...+70 °C operating temperature Vital relays are gravity-operated devices
Locomotive Traction motors control/Cab Signaling Automatic Train Control Passenger Information and Entertainment Wayside/Stations Computer base interlocking / Centralized traffic control Marshalling yard automation Automated railway level crossing protection system Other systems Traction substations Tickets / Passenger Information Telemetry
The train's signalling, control and train protection systems include a Transmission Voie-Machine (TVM) signalling system, Controle de Vitesse par Balises (KVB) train protection system, Transmission Beacon Locomotive (TBL) train protection system, Runback Protection System (RPS), European Train Control System (ETCS), Automatic train protection (ATP) system, Reactor Protection System (RPS) and train control system. http://www.railway-technology.com/projects/eurostar-e320-high-speed-train/ KVB - a train protection system used in France MEMOR - Belgian railway signaling TVM - in-cab signaling originally deployed in France TBL - train protection system used in Belgium RPS - Runback Protection ATP - Great Britain implementations of a train protection system ETCS - European Train ControlSystem Sibas 32 train control system guarantees a safe and smooth transfer of data via the Train Communication Network (TCN), which consists of the train bus (WTB) and vehicle bus (MVB)
The train's signalling, control and train protection systems include a Transmission Voie-Machine (TVM) signalling system, Controle de Vitesse par Balises (KVB) train protection system, Transmission Beacon Locomotive (TBL) train protection system, Runback Protection System (RPS), European Train Control System (ETCS), Automatic train protection (ATP) system, Reactor Protection System (RPS) and train control system. http://www.railway-technology.com/projects/eurostar-e320-high-speed-train/ KVB - a train protection system used in France MEMOR - Belgian railway signaling TVM - in-cab signaling originally deployed in France TBL - train protection system used in Belgium RPS - Runback Protection ATP - Great Britain implementations of a train protection system ETCS - European bus (MVB) Train!
¨ Loco’s internals ¡ Traction control ¡ Braking system ¡ Cab signaling ¡ Train protection system ¡ Automatic train control ¡ Passenger Information and Entertainment ¨ Software not available in public ¡ True for the all railroad software
¨ SIBAS 32 ¡ Eurostar e320 high-speedtrains ¡ class 120.1 locomotive of German Rail ¡ S 252 of Spanish National Railways (RENFE) ¡ LE 5600 of Portuguese Railways (CP) ¡ Velaro ¡ class 182 2nd gene EuroSprinter ¡ EG 3100 in Sweden, Germany and Denmark ¨ SIBAS PN ¡ New DB ICE trains
¨ SIBAS 32 updates to SIBAS PN ¨ Proprietary SIBAS OS to VxWorks + WinAC RTX ¨ S7 controllers to PC-based controllers with WinAC RTX software ¡ “configured and programmed with STEP 7 in exactly the same way as a normal S7 controller” ¨ WTB (Wire Train Bus) to ETB (Ethernet Train Bus) ¡ And PROFINET ¨ Goodbye weird executable formats and IS. Hello ELF/PE and x86/ppc
Follow https://github.com/scadastrangelove to get WinAC FeatureServer scanning and controlling tool very soon
¨ Hardcodes ¡ No, hardcodes are for the authentication ¨ Known protocols ¡ XML over HTTP, S7 ¨ Secure networkfacing services ¡ Self-written web server ¡ Self-written xml parser ¡ … ¨ Heavily based on WinCC code ¨ Runs on Windows x86 ¨ Vulnerabilities ¡ Probably
How to access PC-based controllers (WinAC RTX)? ¨ We don’t know ¨ We don’t want to know ¨ We will never know ¨ Yet to not know ¨ Yet to don’t know ¨ Not yet to know
Notation in a chart WD Wayside devices OC Object controller(s) CP/CPU Central Processing Unit IPU Interlocking processing unit YW Yardmaster’s workstation IG Integration gateway EMW Electrical mechanic’s workstation CTC Centralized traffic control CM Centralized monitoring ABS Automatic block system CBI Computer-based interlocking DN Data networks
Notation in a chart WD Wayside devices OC Object controller(s) CP/CPU Central Processing Unit IPU Interlocking processing unit YW Yardmaster’s workstation IG Integration gateway EMW Electrical mechanic’s workstation CTC Centralized traffic control CM Centralized monitoring ABS Automatic block system CBI Computer-based interlocking DN Data networks
Notation in a chart WD Wayside devices OC Object controller(s) CP/CPU Central Processing Unit IPU Interlocking processing unit YW Yardmaster’s workstation IG Integration gateway EMW Electrical mechanic’s workstation CTC Centralized traffic control CM Centralized monitoring ABS Automatic block system CBI Computer-based interlocking DN Data networks
Notation in a chart WD Wayside devices OC Object controller(s) CP/CPU Central Processing Unit IPU Interlocking processing unit YW Yardmaster’s workstation IG Integration gateway EMW Electrical mechanic’s workstation CTC Centralized traffic control CM Centralized monitoring ABS Automatic block system CBI Computer-based interlocking DN Data networks
1. Safety (Cyber Physical Threats) • set a less restrictive signal light • operate a switch with a train passing over it • set conflicting routes … 2. Economics (freight efficiency) • CBI CPU crash • Blocking of control • False indication… 3. Reliability and functional safety • CBI CPU reboot • Network crash… Automation Communication Informatics, №7, 2015, CBI Threat Model
Notation in a chart WD Wayside devices OC Object controller(s) CP/CPU Central Processing Unit IPU Interlocking processing unit YW Yardmaster’s workstation IG Integration gateway EMW Electrical mechanic’s workstation CTC Centralized traffic control CM Centralized monitoring ABS Automatic block system CBI Computer-based interlocking DN Data networks
Validation and generation of geographical data using a domain theory, Lars-Henrik Eriksson, Uppsala University (c)
¨ Interlocking security (by Jakob Lyng Petersen) ¡ Trains must not collide ¡ Trains must not derail ¡ Trains must not hit person working the tracks ¨ Formal methods and verification (rtfm) ¡ B Method, Event B ú Underground rail network in Beijing, Milan and Sao Paulo ¡ Prover.com ú Sweden, USA
¨ Safety critical systems ¨ Abstract machines + formal methods ¨ Atelier B ¡ Available IDE and C translator ¡ No Ada translator ¨ Newer version – Event-B ¡ See Rodin framework
¨ “Everything will be C in the end. If it's not C, it's not the end.” – almost John Lennon
¨ KVB: Alstom ¡ Automatic Train Protection for the French railway company (SNCF), installed on 6,000 trains since 1993 ú 60,000 lines of B; 10,000 proofs; 22,000 lines of Ada ¨ SAET METEOR: Siemens Transportation Systems ¡ Automatic Train Control: new driverless metro line 14 in Paris (RATP), 1998. 3 safety-critical software parts: onboard, section, line ú 107,000 lines of B; 29,000 proofs; 87,000 lines of Ada ¨ Roissy VAL: ClearSy (for STS) ¡ Section Automatic Pilot: light driverless shuttle for Paris-Roissy airport (ADP), 2006 ú 28,000+155,000 lines of B; 43,000 proofs; 158,000 lines of Ada
Communication services, Interlocking logic, Objects database, Diagnostic, etc Railroad site HMI User interaction and monitoring Commands Site objects state Commands Site objects indication Stationnetwork(Ethernet,RSxxx,…) Controllers
Communication services, Interlocking logic, Objects database, Diagnostic, etc Railroad site HMI User interaction and monitoring Commands Site objects state Commands Site objects indication Stationnetwork(Ethernet,RSxxx,…) Controllers C/C++ Ada
Boundaries between ETCS and the GSM-R Network
28C3: Stefan Katzenbeisser: Can trains be hacked? • ERTMS Euroradio Safety Layer • RBC-RBC Safe Communication Interface • VPN over GSM
In areas where the European Train Control System (ETCS) Level 2 or 3 is used, the train maintains a circuit switched digital modem connection to the train control centre at all times. … If the modem connection is lost, the train will automatically stop.
http://www.era.europa.eu/Document-Register/Documents/P38T9001%204.2%20FFFIS%20for%20GSM-R%20SIM-CARD.pdf
― Remote data recovery (Kc,TIMSI) • Chanel decryption (including A5/3) • «Clone» the SIM and mobile station ― SIM “malware” ― Block SIM via PIN/PUK brute ― Extended OTA features (FOTA) Karsten Nohl, https://srlabs.de/rooting-sim-cards/ Alexander Zaitsev, Sergey Gordeychik , Alexey Osipov, PacSec, Tokyo, Japan, 2014
Attack host
Control
Travis Goodspeed, Sergey Bratus, https://www.troopers.de/wp-content/uploads/2012/12/TROOPERS13- You_wouldnt_share_a_syringe_Would_you_share_a_USB_port-Sergey_Bratus+Travis_Goodspeed.pdf HITB 2015, Bootkit via SMS by Timur Yunusov and Kirill Nesterov.
Control Attack the ATC
Source: moxa.com
And tend to fly in the CLOUDs. And become an IoT. But without strong secure approach. Source: moxa.com
Analyzed vendors: Bintec elmeg Digi Moxa Netmodule Sierra Wireless etc.
SSH ? okay
Impact: ¨ When private is publicly available it’s not a private (Oh hello, captain obvious!) ¨ It’s not secure and safe communications (MiTM) ¨ Remote login (SSH) ¨ Fingerprint devices (extract public key from private, make md5/sha1, search on shodan/censys)
Not only web management, but also ssh/telnet
Dear customer warned!
1 5 ms 192.168.X.1 //SSH, Telnet 2 5 ms 192.168.X.1 //SSH, Web, Telnet 3 * Request timed out. 4 54 ms 10.112.X.237 //… 5 54 ms 10.112.X.1 //… 6 50 ms 10.112.X.2 7 66 ms 10.12.X.234 8 365 ms 10.12.X.226 9 51 ms 203.11.X.113 10 52 ms 1.2.X.165 Train Wayside Telecom
Kudos Semyon Rozhkov @sam_in_cube Fixed NetModule 3.7.xxxx firmware
http://scadastrangelove.blogspot.com/2014/12/31c3-too-smart-grid-in-da-cloud.html
http://scadastrangelove.blogspot.com/2014/12/sos-secure-open-smartgrids.html Q: WTF SACADSOS? A: SCADASOS - (un)Secure Open SmartGrids is open initiative to rise awareness on insecurities of SmartGrid, Photovoltaic Power Stations and Wind Farms. Q: How to participate A: Find Internet-connected PV and Wind power stations and notify vendors/CERTs/community.
• 60 000+ SmartGrid devices disconnected from the Internet • Two Advisories • XZERES 442SR Wind Turbine CSRF • SMA Solar Technology AG Sunny WebBox Hard-Coded Account Vulnerability Kudos @mmrupp!!!
• Release 1.0 • 37 vendors • PLC, RTU, HMI, gateways, switches, servers, wireless ap, etc • http://scadastrangelove.blogspot.com/2015/12/s cadapass.html • kudos to Oxana Andreeva • Contribute!
As a side note, there is about a 3GW buffer in the European energy grids -- take 3GW off the net within a couple of seconds (or add them), and lights will go out. For quite a long while.
http://scadastrangelove.blogspot.com/2013/11/scada-security-deep-inside.html IEC 61850 tools:
http://www.phdays.com/press/news/41213/ •Siemens SICAM PAS v. 7.0,SIPROTEC v4, protective relays and switches •GPS and GLONASS time servers •industrial switches.
Relay Protection
Specially crafted packets sent to port 50000/udp could cause a denial-of-service of the affected device. A manual reboot is required to recover the service of the device.
To access this information, the confirmation code “311299” needs to be provided when prompted." ...Siemens does not publish official documentation on these statistics. It is strongly recommended to work together with Siemens SIPROTEC customer care or commissioning experts to retrieve and interpret the statistics and test information..."
http://scadastrangelove.blogspot.com/2015/12/now-declared-capabilities.html
For some context,it would have been interestingto hear about German legislation on the topic of green energy, especially as it relates to the increasing requirementsfor wind and solar plants to have the capability not just to read the current status but also to actually shut them down or reduce their output by a set percentage.In a few months, all the solar/wind plants that are marketedthrough the "Direktvermarktung". 01.08.2014 500 kW 01.01.2016 100 kW
*Allpicturesaretakenfrom googleandotherInternets Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Roman Polushin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Sergey Sidorov Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev
*Allpicturesaretakenfrom googleandotherInternets
…We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity…
The Chaos Computer Club is, by its chapter and by common consent, a galactic organization of all life forms, regardless of their age, gender or upbringing. The Congress has always been a place where people can enjoy technology and culture, no matter what their background is.
"The Great Train Cyber Robbery" SCADAStrangeLove
"The Great Train Cyber Robbery" SCADAStrangeLove
"The Great Train Cyber Robbery" SCADAStrangeLove

Recomendados

Abusing the Train Communication Network or What could have derailed the North...
Abusing the Train Communication Network or What could have derailed the North...Abusing the Train Communication Network or What could have derailed the North...
Abusing the Train Communication Network or What could have derailed the North...Moshe Zioni
 
Real-Time ETL in Practice with WSO2 Enterprise Integrator
Real-Time ETL in Practice with WSO2 Enterprise IntegratorReal-Time ETL in Practice with WSO2 Enterprise Integrator
Real-Time ETL in Practice with WSO2 Enterprise IntegratorWSO2
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness PresentationCristian Mihai
 
Lets Encrypt!
Lets Encrypt!Lets Encrypt!
Lets Encrypt!Joerg Henning
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Automated Testing of Autonomous Driving Assistance Systems
Automated Testing of Autonomous Driving Assistance SystemsAutomated Testing of Autonomous Driving Assistance Systems
Automated Testing of Autonomous Driving Assistance SystemsLionel Briand
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
CISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsCISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsKarthikeyan Dhayalan
 

Recomendados

Abusing the Train Communication Network or What could have derailed the North...
Abusing the Train Communication Network or What could have derailed the North...Abusing the Train Communication Network or What could have derailed the North...
Abusing the Train Communication Network or What could have derailed the North...Moshe Zioni
 
Real-Time ETL in Practice with WSO2 Enterprise Integrator
Real-Time ETL in Practice with WSO2 Enterprise IntegratorReal-Time ETL in Practice with WSO2 Enterprise Integrator
Real-Time ETL in Practice with WSO2 Enterprise IntegratorWSO2
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness PresentationCristian Mihai
 
Lets Encrypt!
Lets Encrypt!Lets Encrypt!
Lets Encrypt!Joerg Henning
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Automated Testing of Autonomous Driving Assistance Systems
Automated Testing of Autonomous Driving Assistance SystemsAutomated Testing of Autonomous Driving Assistance Systems
Automated Testing of Autonomous Driving Assistance SystemsLionel Briand
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
CISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsCISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsKarthikeyan Dhayalan
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Automotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still ExistsAutomotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still ExistsOnBoard Security, Inc. - a Qualcomm Company
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Can Bus communication Protocol
Can Bus communication ProtocolCan Bus communication Protocol
Can Bus communication ProtocolPedro Campana Cueto
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness TrainingDave Monahan
 
Cybersecurity and Geopolitical Risk.pdf
Cybersecurity and Geopolitical Risk.pdfCybersecurity and Geopolitical Risk.pdf
Cybersecurity and Geopolitical Risk.pdfBenjamin Ang
 
Automotive Security (Connected Vehicle Security Issues)
Automotive Security (Connected Vehicle Security Issues)Automotive Security (Connected Vehicle Security Issues)
Automotive Security (Connected Vehicle Security Issues)Priyanka Aash
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Dynamic and Scalable Systems Using WinCC OA
Dynamic and Scalable Systems Using WinCC OADynamic and Scalable Systems Using WinCC OA
Dynamic and Scalable Systems Using WinCC OADMC, Inc.
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineeringprimeteacher32
 
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】Hacks in Taiwan (HITCON)
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management ProgramDennis Chaupis
 
TARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptxTARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptxShriya Rai
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
Security Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsSecurity Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsAlan Tatourian
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
BGP zombie routes
BGP zombie routesBGP zombie routes
BGP zombie routesRedge Technologies
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security PresentationFilip Maertens
 
The Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousThe Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousSergey Gordeychik
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 

Mais conteúdo relacionado

Mais procurados

SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness TrainingDave Monahan
 
Cybersecurity and Geopolitical Risk.pdf
Cybersecurity and Geopolitical Risk.pdfCybersecurity and Geopolitical Risk.pdf
Cybersecurity and Geopolitical Risk.pdfBenjamin Ang
 
Automotive Security (Connected Vehicle Security Issues)
Automotive Security (Connected Vehicle Security Issues)Automotive Security (Connected Vehicle Security Issues)
Automotive Security (Connected Vehicle Security Issues)Priyanka Aash
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Dynamic and Scalable Systems Using WinCC OA
Dynamic and Scalable Systems Using WinCC OADynamic and Scalable Systems Using WinCC OA
Dynamic and Scalable Systems Using WinCC OADMC, Inc.
 
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】Hacks in Taiwan (HITCON)
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management ProgramDennis Chaupis
 
TARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptxTARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptxShriya Rai
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
Security Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsSecurity Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsAlan Tatourian
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security PresentationFilip Maertens
 

Mais procurados (20)

SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
Automotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still ExistsAutomotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still Exists
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize Risk
 
Can Bus communication Protocol
Can Bus communication ProtocolCan Bus communication Protocol
Can Bus communication Protocol
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
 
Cybersecurity and Geopolitical Risk.pdf
Cybersecurity and Geopolitical Risk.pdfCybersecurity and Geopolitical Risk.pdf
Cybersecurity and Geopolitical Risk.pdf
 
Automotive Security (Connected Vehicle Security Issues)
Automotive Security (Connected Vehicle Security Issues)Automotive Security (Connected Vehicle Security Issues)
Automotive Security (Connected Vehicle Security Issues)
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Dynamic and Scalable Systems Using WinCC OA
Dynamic and Scalable Systems Using WinCC OADynamic and Scalable Systems Using WinCC OA
Dynamic and Scalable Systems Using WinCC OA
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management Program
 
TARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptxTARA- Automotive Cybersecurity.pptx
TARA- Automotive Cybersecurity.pptx
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
 
Security Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsSecurity Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical Systems
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
BGP zombie routes
BGP zombie routesBGP zombie routes
BGP zombie routes
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
 

Semelhante a "The Great Train Cyber Robbery" SCADAStrangeLove

The Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousThe Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousSergey Gordeychik
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdf
5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdf5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdf
5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdfSrinidhirkGowda
 
TCMS Presentation (Train Control & Monitoring Systems)
TCMS Presentation (Train Control & Monitoring Systems)TCMS Presentation (Train Control & Monitoring Systems)
TCMS Presentation (Train Control & Monitoring Systems)Ingeteam Automation Devices
 
Presentation
PresentationPresentation
PresentationVideoguy
 
Presentation
PresentationPresentation
PresentationVideoguy
 
Presentation
PresentationPresentation
PresentationVideoguy
 
Presentation
PresentationPresentation
PresentationVideoguy
 
Presentation
PresentationPresentation
PresentationVideoguy
 
Omar Benjumea - Next Station: Cybersecurity [rooted2019]
Omar Benjumea - Next Station: Cybersecurity [rooted2019]Omar Benjumea - Next Station: Cybersecurity [rooted2019]
Omar Benjumea - Next Station: Cybersecurity [rooted2019]RootedCON
 
Automatic Crack Detecting system for Railway security
Automatic Crack Detecting system for Railway securityAutomatic Crack Detecting system for Railway security
Automatic Crack Detecting system for Railway securityRahul Barick
 
ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...
ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...
ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...rashmimabattin28
 
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...IOSR Journals
 
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...IOSR Journals
 
Sro Project Brief
Sro Project BriefSro Project Brief
Sro Project Briefenergyvijay
 
Advanced railway security system (arss) based on zigbee communication for tra...
Advanced railway security system (arss) based on zigbee communication for tra...Advanced railway security system (arss) based on zigbee communication for tra...
Advanced railway security system (arss) based on zigbee communication for tra...rashmimabattin28
 
DEFCON-21 - How to Hack Your Mini Cooper, by Jason Staggs
DEFCON-21 - How to Hack Your Mini Cooper, by Jason StaggsDEFCON-21 - How to Hack Your Mini Cooper, by Jason Staggs
DEFCON-21 - How to Hack Your Mini Cooper, by Jason StaggsGuy Boulianne
 
IRJET- Automatic Metro Train to Shuttle Between Two Stations
IRJET- Automatic Metro Train to Shuttle Between Two Stations IRJET- Automatic Metro Train to Shuttle Between Two Stations
IRJET- Automatic Metro Train to Shuttle Between Two Stations IRJET Journal
 

Semelhante a "The Great Train Cyber Robbery" SCADAStrangeLove (20)

The Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousThe Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and Furious
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdf
5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdf5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdf
5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdf
 
TCMS Presentation (Train Control & Monitoring Systems)
TCMS Presentation (Train Control & Monitoring Systems)TCMS Presentation (Train Control & Monitoring Systems)
TCMS Presentation (Train Control & Monitoring Systems)
 
Presentation
PresentationPresentation
Presentation
 
Presentation
PresentationPresentation
Presentation
 
Presentation
PresentationPresentation
Presentation
 
Presentation
PresentationPresentation
Presentation
 
Presentation
PresentationPresentation
Presentation
 
Omar Benjumea - Next Station: Cybersecurity [rooted2019]
Omar Benjumea - Next Station: Cybersecurity [rooted2019]Omar Benjumea - Next Station: Cybersecurity [rooted2019]
Omar Benjumea - Next Station: Cybersecurity [rooted2019]
 
Automatic Crack Detecting system for Railway security
Automatic Crack Detecting system for Railway securityAutomatic Crack Detecting system for Railway security
Automatic Crack Detecting system for Railway security
 
ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...
ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...
ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...
 
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
 
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
 
Sro Project Brief
Sro Project BriefSro Project Brief
Sro Project Brief
 
Innovation Solutions
Innovation SolutionsInnovation Solutions
Innovation Solutions
 
Advanced railway security system (arss) based on zigbee communication for tra...
Advanced railway security system (arss) based on zigbee communication for tra...Advanced railway security system (arss) based on zigbee communication for tra...
Advanced railway security system (arss) based on zigbee communication for tra...
 
DEFCON-21 - How to Hack Your Mini Cooper, by Jason Staggs
DEFCON-21 - How to Hack Your Mini Cooper, by Jason StaggsDEFCON-21 - How to Hack Your Mini Cooper, by Jason Staggs
DEFCON-21 - How to Hack Your Mini Cooper, by Jason Staggs
 
poster_Limbree_Ch
poster_Limbree_Chposter_Limbree_Ch
poster_Limbree_Ch
 
IRJET- Automatic Metro Train to Shuttle Between Two Stations
IRJET- Automatic Metro Train to Shuttle Between Two Stations IRJET- Automatic Metro Train to Shuttle Between Two Stations
IRJET- Automatic Metro Train to Shuttle Between Two Stations
 

Último

Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 

Último (20)

Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 

"The Great Train Cyber Robbery" SCADAStrangeLove

  • 2. ¨ Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Roman Polushin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Sidorov Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
  • 3. Please note, that this talk is by SCADA StrangeLove team. We don’t speak for our employers. All the opinions and information here are of our responsibility (actually no one ever saw this talk before). So, mistakes and bad jokes are all OUR responsibilities.
  • 5.
  • 6.
  • 7. A signal is a mechanical or electricaldevice erected beside a railway line to pass information relating to the state of the line ahead to train/engine drivers. A railroad switch, turnout or [set of] points is a mechanical installation enabling railway trains to be guided from one track to another, such as at a railway junction or where a spur or siding branches off.
  • 8.
  • 13.
  • 14. Weld resistance Weld no transfer contacts Solid gold and bifurcated contacts -40 °C...+70 °C operating temperature Vital relays are gravity-operated devices
  • 15.
  • 16. Locomotive Traction motors control/Cab Signaling Automatic Train Control Passenger Information and Entertainment Wayside/Stations Computer base interlocking / Centralized traffic control Marshalling yard automation Automated railway level crossing protection system Other systems Traction substations Tickets / Passenger Information Telemetry
  • 17. The train's signalling, control and train protection systems include a Transmission Voie-Machine (TVM) signalling system, Controle de Vitesse par Balises (KVB) train protection system, Transmission Beacon Locomotive (TBL) train protection system, Runback Protection System (RPS), European Train Control System (ETCS), Automatic train protection (ATP) system, Reactor Protection System (RPS) and train control system. http://www.railway-technology.com/projects/eurostar-e320-high-speed-train/ KVB - a train protection system used in France MEMOR - Belgian railway signaling TVM - in-cab signaling originally deployed in France TBL - train protection system used in Belgium RPS - Runback Protection ATP - Great Britain implementations of a train protection system ETCS - European Train ControlSystem Sibas 32 train control system guarantees a safe and smooth transfer of data via the Train Communication Network (TCN), which consists of the train bus (WTB) and vehicle bus (MVB)
  • 18. The train's signalling, control and train protection systems include a Transmission Voie-Machine (TVM) signalling system, Controle de Vitesse par Balises (KVB) train protection system, Transmission Beacon Locomotive (TBL) train protection system, Runback Protection System (RPS), European Train Control System (ETCS), Automatic train protection (ATP) system, Reactor Protection System (RPS) and train control system. http://www.railway-technology.com/projects/eurostar-e320-high-speed-train/ KVB - a train protection system used in France MEMOR - Belgian railway signaling TVM - in-cab signaling originally deployed in France TBL - train protection system used in Belgium RPS - Runback Protection ATP - Great Britain implementations of a train protection system ETCS - European bus (MVB) Train!
  • 19. ¨ Loco’s internals ¡ Traction control ¡ Braking system ¡ Cab signaling ¡ Train protection system ¡ Automatic train control ¡ Passenger Information and Entertainment ¨ Software not available in public ¡ True for the all railroad software
  • 20. ¨ SIBAS 32 ¡ Eurostar e320 high-speedtrains ¡ class 120.1 locomotive of German Rail ¡ S 252 of Spanish National Railways (RENFE) ¡ LE 5600 of Portuguese Railways (CP) ¡ Velaro ¡ class 182 2nd gene EuroSprinter ¡ EG 3100 in Sweden, Germany and Denmark ¨ SIBAS PN ¡ New DB ICE trains
  • 21. ¨ SIBAS 32 updates to SIBAS PN ¨ Proprietary SIBAS OS to VxWorks + WinAC RTX ¨ S7 controllers to PC-based controllers with WinAC RTX software ¡ “configured and programmed with STEP 7 in exactly the same way as a normal S7 controller” ¨ WTB (Wire Train Bus) to ETB (Ethernet Train Bus) ¡ And PROFINET ¨ Goodbye weird executable formats and IS. Hello ELF/PE and x86/ppc
  • 22. Follow https://github.com/scadastrangelove to get WinAC FeatureServer scanning and controlling tool very soon
  • 23. ¨ Hardcodes ¡ No, hardcodes are for the authentication ¨ Known protocols ¡ XML over HTTP, S7 ¨ Secure networkfacing services ¡ Self-written web server ¡ Self-written xml parser ¡ … ¨ Heavily based on WinCC code ¨ Runs on Windows x86 ¨ Vulnerabilities ¡ Probably
  • 24. How to access PC-based controllers (WinAC RTX)? ¨ We don’t know ¨ We don’t want to know ¨ We will never know ¨ Yet to not know ¨ Yet to don’t know ¨ Not yet to know
  • 25.
  • 26. Notation in a chart WD Wayside devices OC Object controller(s) CP/CPU Central Processing Unit IPU Interlocking processing unit YW Yardmaster’s workstation IG Integration gateway EMW Electrical mechanic’s workstation CTC Centralized traffic control CM Centralized monitoring ABS Automatic block system CBI Computer-based interlocking DN Data networks
  • 27. Notation in a chart WD Wayside devices OC Object controller(s) CP/CPU Central Processing Unit IPU Interlocking processing unit YW Yardmaster’s workstation IG Integration gateway EMW Electrical mechanic’s workstation CTC Centralized traffic control CM Centralized monitoring ABS Automatic block system CBI Computer-based interlocking DN Data networks
  • 28. Notation in a chart WD Wayside devices OC Object controller(s) CP/CPU Central Processing Unit IPU Interlocking processing unit YW Yardmaster’s workstation IG Integration gateway EMW Electrical mechanic’s workstation CTC Centralized traffic control CM Centralized monitoring ABS Automatic block system CBI Computer-based interlocking DN Data networks
  • 29. Notation in a chart WD Wayside devices OC Object controller(s) CP/CPU Central Processing Unit IPU Interlocking processing unit YW Yardmaster’s workstation IG Integration gateway EMW Electrical mechanic’s workstation CTC Centralized traffic control CM Centralized monitoring ABS Automatic block system CBI Computer-based interlocking DN Data networks
  • 30.
  • 31. 1. Safety (Cyber Physical Threats) • set a less restrictive signal light • operate a switch with a train passing over it • set conflicting routes … 2. Economics (freight efficiency) • CBI CPU crash • Blocking of control • False indication… 3. Reliability and functional safety • CBI CPU reboot • Network crash… Automation Communication Informatics, №7, 2015, CBI Threat Model
  • 32.
  • 33.
  • 34.
  • 35. Notation in a chart WD Wayside devices OC Object controller(s) CP/CPU Central Processing Unit IPU Interlocking processing unit YW Yardmaster’s workstation IG Integration gateway EMW Electrical mechanic’s workstation CTC Centralized traffic control CM Centralized monitoring ABS Automatic block system CBI Computer-based interlocking DN Data networks
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41. Validation and generation of geographical data using a domain theory, Lars-Henrik Eriksson, Uppsala University (c)
  • 42. ¨ Interlocking security (by Jakob Lyng Petersen) ¡ Trains must not collide ¡ Trains must not derail ¡ Trains must not hit person working the tracks ¨ Formal methods and verification (rtfm) ¡ B Method, Event B ú Underground rail network in Beijing, Milan and Sao Paulo ¡ Prover.com ú Sweden, USA
  • 43. ¨ Safety critical systems ¨ Abstract machines + formal methods ¨ Atelier B ¡ Available IDE and C translator ¡ No Ada translator ¨ Newer version – Event-B ¡ See Rodin framework
  • 44.
  • 45.
  • 46. ¨ “Everything will be C in the end. If it's not C, it's not the end.” – almost John Lennon
  • 47. ¨ KVB: Alstom ¡ Automatic Train Protection for the French railway company (SNCF), installed on 6,000 trains since 1993 ú 60,000 lines of B; 10,000 proofs; 22,000 lines of Ada ¨ SAET METEOR: Siemens Transportation Systems ¡ Automatic Train Control: new driverless metro line 14 in Paris (RATP), 1998. 3 safety-critical software parts: onboard, section, line ú 107,000 lines of B; 29,000 proofs; 87,000 lines of Ada ¨ Roissy VAL: ClearSy (for STS) ¡ Section Automatic Pilot: light driverless shuttle for Paris-Roissy airport (ADP), 2006 ú 28,000+155,000 lines of B; 43,000 proofs; 158,000 lines of Ada
  • 48. Communication services, Interlocking logic, Objects database, Diagnostic, etc Railroad site HMI User interaction and monitoring Commands Site objects state Commands Site objects indication Stationnetwork(Ethernet,RSxxx,…) Controllers
  • 49. Communication services, Interlocking logic, Objects database, Diagnostic, etc Railroad site HMI User interaction and monitoring Commands Site objects state Commands Site objects indication Stationnetwork(Ethernet,RSxxx,…) Controllers C/C++ Ada
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
  • 57. Boundaries between ETCS and the GSM-R Network
  • 58. 28C3: Stefan Katzenbeisser: Can trains be hacked? • ERTMS Euroradio Safety Layer • RBC-RBC Safe Communication Interface • VPN over GSM
  • 59. In areas where the European Train Control System (ETCS) Level 2 or 3 is used, the train maintains a circuit switched digital modem connection to the train control centre at all times. … If the modem connection is lost, the train will automatically stop.
  • 60.
  • 62. ― Remote data recovery (Kc,TIMSI) • Chanel decryption (including A5/3) • «Clone» the SIM and mobile station ― SIM “malware” ― Block SIM via PIN/PUK brute ― Extended OTA features (FOTA) Karsten Nohl, https://srlabs.de/rooting-sim-cards/ Alexander Zaitsev, Sergey Gordeychik , Alexey Osipov, PacSec, Tokyo, Japan, 2014
  • 63.
  • 64.
  • 65.
  • 68.
  • 69. Travis Goodspeed, Sergey Bratus, https://www.troopers.de/wp-content/uploads/2012/12/TROOPERS13- You_wouldnt_share_a_syringe_Would_you_share_a_USB_port-Sergey_Bratus+Travis_Goodspeed.pdf HITB 2015, Bootkit via SMS by Timur Yunusov and Kirill Nesterov.
  • 71.
  • 73. And tend to fly in the CLOUDs. And become an IoT. But without strong secure approach. Source: moxa.com
  • 75.
  • 77. Impact: ¨ When private is publicly available it’s not a private (Oh hello, captain obvious!) ¨ It’s not secure and safe communications (MiTM) ¨ Remote login (SSH) ¨ Fingerprint devices (extract public key from private, make md5/sha1, search on shodan/censys)
  • 78. Not only web management, but also ssh/telnet
  • 80.
  • 81.
  • 82. 1 5 ms 192.168.X.1 //SSH, Telnet 2 5 ms 192.168.X.1 //SSH, Web, Telnet 3 * Request timed out. 4 54 ms 10.112.X.237 //… 5 54 ms 10.112.X.1 //… 6 50 ms 10.112.X.2 7 66 ms 10.12.X.234 8 365 ms 10.12.X.226 9 51 ms 203.11.X.113 10 52 ms 1.2.X.165 Train Wayside Telecom
  • 83.
  • 84.
  • 85. Kudos Semyon Rozhkov @sam_in_cube Fixed NetModule 3.7.xxxx firmware
  • 86.
  • 87.
  • 89. http://scadastrangelove.blogspot.com/2014/12/sos-secure-open-smartgrids.html Q: WTF SACADSOS? A: SCADASOS - (un)Secure Open SmartGrids is open initiative to rise awareness on insecurities of SmartGrid, Photovoltaic Power Stations and Wind Farms. Q: How to participate A: Find Internet-connected PV and Wind power stations and notify vendors/CERTs/community.
  • 90.
  • 91. • 60 000+ SmartGrid devices disconnected from the Internet • Two Advisories • XZERES 442SR Wind Turbine CSRF • SMA Solar Technology AG Sunny WebBox Hard-Coded Account Vulnerability Kudos @mmrupp!!!
  • 92. • Release 1.0 • 37 vendors • PLC, RTU, HMI, gateways, switches, servers, wireless ap, etc • http://scadastrangelove.blogspot.com/2015/12/s cadapass.html • kudos to Oxana Andreeva • Contribute!
  • 93. As a side note, there is about a 3GW buffer in the European energy grids -- take 3GW off the net within a couple of seconds (or add them), and lights will go out. For quite a long while.
  • 95. http://www.phdays.com/press/news/41213/ •Siemens SICAM PAS v. 7.0,SIPROTEC v4, protective relays and switches •GPS and GLONASS time servers •industrial switches.
  • 96.
  • 98. Specially crafted packets sent to port 50000/udp could cause a denial-of-service of the affected device. A manual reboot is required to recover the service of the device.
  • 99. To access this information, the confirmation code “311299” needs to be provided when prompted." ...Siemens does not publish official documentation on these statistics. It is strongly recommended to work together with Siemens SIPROTEC customer care or commissioning experts to retrieve and interpret the statistics and test information..."
  • 100.
  • 102. For some context,it would have been interestingto hear about German legislation on the topic of green energy, especially as it relates to the increasing requirementsfor wind and solar plants to have the capability not just to read the current status but also to actually shut them down or reduce their output by a set percentage.In a few months, all the solar/wind plants that are marketedthrough the "Direktvermarktung". 01.08.2014 500 kW 01.01.2016 100 kW
  • 103.
  • 104. *Allpicturesaretakenfrom googleandotherInternets Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Roman Polushin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Sergey Sidorov Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev
  • 106. …We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity…
  • 107. The Chaos Computer Club is, by its chapter and by common consent, a galactic organization of all life forms, regardless of their age, gender or upbringing. The Congress has always been a place where people can enjoy technology and culture, no matter what their background is.