SlideShare uma empresa Scribd logo

Scada strange love.

Positive Hack Days
Positive Hack Days
Tecnologia
1 de 82
All pictures are taken from Dr StrangeLove movie
 Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Sergey Gordeychik Gleb Gritsai Denis Baranov Roman Ilin Ilya Karpov Sergey Bobrov Artem Chaykin Yuriy Dyachenko Sergey Drozdov Dmitry Efanov Yuri Goltsev Vladimir Kochetkov Andrey Medov Sergey Scherbel Timur Yunusov Alexander Zaitsev Dmitry Serebryannikov Dmitry Nagibin Dmitry Sklyarov Alexander Timorin Vyacheslav Egoshin Roman Ilin Alexander Tlyapov
 Goals to automate security assessment of ICS platforms and environment  Objectives to understand system to assess built-in security features to create security audit/hardening guides to automate process Vulnerabilities – waste production
 Goal to create PoC of Stuxnet-style attack  Initial conditions common ICS components and configuration common ICS security tools only ICS components weakness vulnerabilities by SCADA StrangeLove team
 Engineering tools  STEP 7  PCS7  TIA PORTAL  SCADA/HMI  WinCC (Windows)  WinCC Flexible/Advanced (Windows/Win CE)  S7 family PLC  Old line (200, 300, 400)  New line (1200, 1500)
 WinCC Server  Windows/MSSQL based SCADA  WinCC Client (HMI)  WinCC runtime + Project + OPC  WinCC Web Server (WebNavigator)  IIS/MSSQL/ASP/ASP.NET/SOAP  WinCC WebClient (HMI)  ActiveX/HTML/JS
1 2 9 7 6 10 11 14 17 73 100 96 899 94 135 285 81 0 100 200 300 400 500 600 700 800 900 1000 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
 Cyber Weapon  Tactics, Techniques, and Procedures (TTP's)  APT1  APT 2.0  Cyber Kill Chain
 ChinJa (R) (tm)  Breaking through  Harvesting  Creeping death  Chaos
That is a question!
http://bit.ly/RI6FtQ http://bit.ly/UXn7d1
http://www.surfpatrol.ru/en/report
 A lot of “WinCCed” IE from countries/companies/industries  Special prize to guys from US for WinCC 6.X at 2012
 XPath Injection (CVE-2012-2596)  Path Traversal (CVE-2012-2597)  XSS ~ 20 Instances (CVE-2012-2595) Fixed in Update 2 for WinCC V7.0 SP3 http://support.automation.siemens.com/WW/view/en/60984587
 Lot of XSS and CSRF  CVE-2012-3031  CVE-2012-3028  Lot of arbitrary file reading  CVE-2012-3030  SQL injection over SOAP  CVE-2012-3032  Username and password disclosure via ActiveX abuse  CVE-2012-3034 Fixed in Update 3 for WinCC V7.0 SP3 http://support.automation.siemens.com/WW/view/en/63472422
 Path Traversal  CVE-2013-0679  Buffer overflow in ActiveX  CVE-2013-0674  XXE OOB  CVE-2013-0677  Missing encryption of sensitive data  CVE-2013-0678  Improper authorization  CVE-2013-0676f Fixed in WinCC 7.2/SIMATIC PCS7 V8.0 SP 1 http://www.siemens.com/corporate- technology/pool/de/forschungsfelder/siemens_security_advisory_ssa- 714398.pdf
 Network-level  Active scan  S7, Modbus, MSSQL (WinCC Instance), HTTP(S)  SNMP (public/private hardcoded for PLC and HMI Panels)  Passive scan  Profinet  Host-level  WinCC forensic
Dmitry Efanov http://scadastrangelove.blogspot.ru/2012/11/plcscan.html
Alexander Timorin PHDays III release
 PdlRt.exe – graphic runtime  CCRtsLoader.EXE – loader  s7otbxsx.exe – network  Inter process communication:  RPC  Sections (memory mapped files)  BaseNamedObjectsTCPSharedMm and other interesting stuff
 Detecting active project: HKCUSoftwareSIEMENSWINCCControl CenterDefault Settings  LastOpenPath  LastProject  Detecting MS SQL database name (timestamp) ArchiveManagerAlarmLogging ArchiveManagerTagLogging* Obtaining information from database and system objects
• {Hostname}_{Project}_TLG* • TAG data • СС_{Project}_{Timestamp}* • Project data and configuration • Users, PLCs, Privileges
• Managed by UM app • Stored in dbo.PW_USER
CVE-2013-0676
• Administrator:ADMINISTRATOR • Avgur2 > Avgur
This is my encryptionkey
 Select from MS SQL via COM objects  “Special” Windows Account  Shortcuts* *we don’t know yet, you know
Authentication via SQL-stored accounts ServerID magic to get WebBridge password Magic is used for SCSWebBridgeX
Too hard for me…
Oh! En/c(r)ypt[10]n! ServerID = Base64(RC2(pass, key)), were key = MD5(dll hardcode)
Not my department password!
 All other confections use WNUSR for authentication  For authorization ID parameter is used
Not yet…
 «Magic» password = MD5(WNUSR_DC92D7179E29.Password)  WNUSR_DC92D7179E29.Password generated during installation  Stored in registry via DPAPI  Good length and chartset but…
 WinCC clients use hardcoded account to communicate with OPC Web bridge  Password for WNUSR_DC92D7179E29 generated during installation and probably strong  MD5(WNUSR_.Password) stored with DPAPI protection  “Encrypted” password for WNUSR_DC* can be obtained by request to WinCCWebBridge.dll  WNUSR_DC92D7179E29 is only account used for work with Windows/Database
…responsible disclosure
 What is Project?  Collection of ActiveX/COM/.NET objects  Event Handlers and other code (C/VB)  Configuration files, XML and other  Can Project be trusted?  Ways to spread malware with Project?
 NO!  Project itself is dynamic code  It’s easy to patch it “on the fly”  Vulnerabilities in data handlers (CVE-2013-0677)  How to abuse?  Simplest way – to patch event handlers
 Hardcoded SNMP community string (unfixed)  Hardcoded S7 PLC CA certificate (Dmitry Sklarov) http://scadastrangelove.blogspot.com/2012/09/all-your-plc- belong-to-us.html  Multiple vulnerabilities in S7 1200 PLC Web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov) http://www.siemens.com/corporatetechnology/pool/de/fors chungsfelder/siemens_security_advisory_ssa-279823.pdf
 Can be protected by password  Authentication – simple challenge- response  Password hashed (SHA1) on client (TIA Portal)  Server (PLC) provide 20 byte challenge  Client calculate HMAC- SHA1(challenge, SHA1(password) as response
 Can be protected by password  Authentication – simple challenge- response  Password hashed (SHA1) on client (TIA Portal)  Server (PLC) provide 20 byte challenge  Client calculate HMAC- SHA1(challenge, SHA1(password)) as response
 SHA-1 stored in PLC project files  It can be intercepted during firmware update/project upload  It can be extracted from project file SHA-1(pass) VS HMAC-SHA1(challenge, SHA1(pass))
 Buffer overflow  CVE-2013-0669  Cross-Site Scripting  CVE-2013-0672/CVE-2013-0670/CVE-2013-0668  Directory traversal/Response splitting  CVE-2013-0671  Server-side script injection  CVE-2012-3032 Fixed in WinCC (TIA Portal) V12 http://www.siemens.com/corporate- technology/pool/de/forschungsfelder/siemens_security_advisory_s sa-212483.pdf
 Profinet scanner  WinCC Harvester 2.0 http://scadastrangelove.blogspot.com/search/label/Releases
 TIA portal Security Hardening Guide  S7 protocol password brute force tool and JtR  Simatic WinCC Security Hardening Guide  PLCScan tool  ICS/SCADA/PLC Google/Shodan Cheat Sheet  SCADA Safety in Numbers http://scadastrangelove.blogspot.com/search/label/Releases
All pictures are taken from Dr StrangeLove movie

Recomendados

MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...Spiffy
 
Positive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening GuidePositive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening Guideqqlan
 
CHRISTOPHER HADDON3
CHRISTOPHER HADDON3CHRISTOPHER HADDON3
CHRISTOPHER HADDON3Christopher Haddon
 
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiKuniyasu Suzaki
 
Security Lock Down Your Computer Like the National Security Agency (NSA)
Security Lock Down Your Computer Like the National Security Agency (NSA)Security Lock Down Your Computer Like the National Security Agency (NSA)
Security Lock Down Your Computer Like the National Security Agency (NSA)José Ferreiro
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
Tapping into the core
Tapping into the coreTapping into the core
Tapping into the corePositive Hack Days
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3qqlan
 

Recomendados

MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...Spiffy
 
Positive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening GuidePositive Technologies WinCC Security Hardening Guide
Positive Technologies WinCC Security Hardening Guideqqlan
 
CHRISTOPHER HADDON3
CHRISTOPHER HADDON3CHRISTOPHER HADDON3
CHRISTOPHER HADDON3Christopher Haddon
 
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiKuniyasu Suzaki
 
Security Lock Down Your Computer Like the National Security Agency (NSA)
Security Lock Down Your Computer Like the National Security Agency (NSA)Security Lock Down Your Computer Like the National Security Agency (NSA)
Security Lock Down Your Computer Like the National Security Agency (NSA)José Ferreiro
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
Tapping into the core
Tapping into the coreTapping into the core
Tapping into the corePositive Hack Days
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3qqlan
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...DefconRussia
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]qqlan
 
ICS Threat Scenarios
ICS Threat ScenariosICS Threat Scenarios
ICS Threat ScenariosLuigi Auriemma
 
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowSCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowqqlan
 
Kaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the CloudKaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the Cloudqqlan
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System SecurityAdel Barkam
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA Jeffrey Wang , P.Eng
 
Securing SCADA
Securing SCADASecuring SCADA
Securing SCADAJeffrey Wang , P.Eng
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
Web-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey GordeychikWeb-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey Gordeychikqqlan
 
Vishwanath rakesh ece 561
Vishwanath rakesh ece 561Vishwanath rakesh ece 561
Vishwanath rakesh ece 561RAKESH_CSU
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...Area41
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
final year diploma projects training institutes bangalore
final year diploma projects training institutes bangalorefinal year diploma projects training institutes bangalore
final year diploma projects training institutes bangaloreIGEEKS TECHNOLOGIES
 
IEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects Bangalore
IEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects BangaloreIEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects Bangalore
IEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects BangaloreIGEEKS TECHNOLOGIES
 
Detecting virtual machine co residency in cloud computing with active traffic...
Detecting virtual machine co residency in cloud computing with active traffic...Detecting virtual machine co residency in cloud computing with active traffic...
Detecting virtual machine co residency in cloud computing with active traffic...James A. Savage
 
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdfEnterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdfDmitri Shiryaev
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...CODE BLUE
 
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 

Mais conteúdo relacionado

Semelhante a Scada strange love.

Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...DefconRussia
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]qqlan
 
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowSCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowqqlan
 
Kaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the CloudKaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the Cloudqqlan
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System SecurityAdel Barkam
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
Web-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey GordeychikWeb-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey Gordeychikqqlan
 
Vishwanath rakesh ece 561
Vishwanath rakesh ece 561Vishwanath rakesh ece 561
Vishwanath rakesh ece 561RAKESH_CSU
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...Area41
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
final year diploma projects training institutes bangalore
final year diploma projects training institutes bangalorefinal year diploma projects training institutes bangalore
final year diploma projects training institutes bangaloreIGEEKS TECHNOLOGIES
 
IEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects Bangalore
IEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects BangaloreIEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects Bangalore
IEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects BangaloreIGEEKS TECHNOLOGIES
 
Detecting virtual machine co residency in cloud computing with active traffic...
Detecting virtual machine co residency in cloud computing with active traffic...Detecting virtual machine co residency in cloud computing with active traffic...
Detecting virtual machine co residency in cloud computing with active traffic...James A. Savage
 
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdfEnterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdfDmitri Shiryaev
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...CODE BLUE
 

Semelhante a Scada strange love. (20)

Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
 
ICS Threat Scenarios
ICS Threat ScenariosICS Threat Scenarios
ICS Threat Scenarios
 
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowSCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already know
 
Kaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the CloudKaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the Cloud
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
 
Securing SCADA
Securing SCADASecuring SCADA
Securing SCADA
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
Web-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey GordeychikWeb-style Wireless IDS attacks, Sergey Gordeychik
Web-style Wireless IDS attacks, Sergey Gordeychik
 
Vishwanath rakesh ece 561
Vishwanath rakesh ece 561Vishwanath rakesh ece 561
Vishwanath rakesh ece 561
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
final year diploma projects training institutes bangalore
final year diploma projects training institutes bangalorefinal year diploma projects training institutes bangalore
final year diploma projects training institutes bangalore
 
IEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects Bangalore
IEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects BangaloreIEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects Bangalore
IEEE 2014 DIPLOMA(ECE,E&I,EEE,CS,IS) Projects Bangalore
 
Detecting virtual machine co residency in cloud computing with active traffic...
Detecting virtual machine co residency in cloud computing with active traffic...Detecting virtual machine co residency in cloud computing with active traffic...
Detecting virtual machine co residency in cloud computing with active traffic...
 
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdfEnterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BL...
 

Mais de Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Mais de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Último

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 

Scada strange love.

  • 1. All pictures are taken from Dr StrangeLove movie
  • 2.  Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Sergey Gordeychik Gleb Gritsai Denis Baranov Roman Ilin Ilya Karpov Sergey Bobrov Artem Chaykin Yuriy Dyachenko Sergey Drozdov Dmitry Efanov Yuri Goltsev Vladimir Kochetkov Andrey Medov Sergey Scherbel Timur Yunusov Alexander Zaitsev Dmitry Serebryannikov Dmitry Nagibin Dmitry Sklyarov Alexander Timorin Vyacheslav Egoshin Roman Ilin Alexander Tlyapov
  • 3.
  • 4.  Goals to automate security assessment of ICS platforms and environment  Objectives to understand system to assess built-in security features to create security audit/hardening guides to automate process Vulnerabilities – waste production
  • 5.  Goal to create PoC of Stuxnet-style attack  Initial conditions common ICS components and configuration common ICS security tools only ICS components weakness vulnerabilities by SCADA StrangeLove team
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.  Engineering tools  STEP 7  PCS7  TIA PORTAL  SCADA/HMI  WinCC (Windows)  WinCC Flexible/Advanced (Windows/Win CE)  S7 family PLC  Old line (200, 300, 400)  New line (1200, 1500)
  • 13.  WinCC Server  Windows/MSSQL based SCADA  WinCC Client (HMI)  WinCC runtime + Project + OPC  WinCC Web Server (WebNavigator)  IIS/MSSQL/ASP/ASP.NET/SOAP  WinCC WebClient (HMI)  ActiveX/HTML/JS
  • 14.
  • 15.
  • 16. 1 2 9 7 6 10 11 14 17 73 100 96 899 94 135 285 81 0 100 200 300 400 500 600 700 800 900 1000 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
  • 17.
  • 18.  Cyber Weapon  Tactics, Techniques, and Procedures (TTP's)  APT1  APT 2.0  Cyber Kill Chain
  • 19.  ChinJa (R) (tm)  Breaking through  Harvesting  Creeping death  Chaos
  • 20.
  • 21. That is a question!
  • 24.  A lot of “WinCCed” IE from countries/companies/industries  Special prize to guys from US for WinCC 6.X at 2012
  • 25.
  • 26.
  • 27.  XPath Injection (CVE-2012-2596)  Path Traversal (CVE-2012-2597)  XSS ~ 20 Instances (CVE-2012-2595) Fixed in Update 2 for WinCC V7.0 SP3 http://support.automation.siemens.com/WW/view/en/60984587
  • 28.  Lot of XSS and CSRF  CVE-2012-3031  CVE-2012-3028  Lot of arbitrary file reading  CVE-2012-3030  SQL injection over SOAP  CVE-2012-3032  Username and password disclosure via ActiveX abuse  CVE-2012-3034 Fixed in Update 3 for WinCC V7.0 SP3 http://support.automation.siemens.com/WW/view/en/63472422
  • 29.  Path Traversal  CVE-2013-0679  Buffer overflow in ActiveX  CVE-2013-0674  XXE OOB  CVE-2013-0677  Missing encryption of sensitive data  CVE-2013-0678  Improper authorization  CVE-2013-0676f Fixed in WinCC 7.2/SIMATIC PCS7 V8.0 SP 1 http://www.siemens.com/corporate- technology/pool/de/forschungsfelder/siemens_security_advisory_ssa- 714398.pdf
  • 30.
  • 31.
  • 32.  Network-level  Active scan  S7, Modbus, MSSQL (WinCC Instance), HTTP(S)  SNMP (public/private hardcoded for PLC and HMI Panels)  Passive scan  Profinet  Host-level  WinCC forensic
  • 35.
  • 36.  PdlRt.exe – graphic runtime  CCRtsLoader.EXE – loader  s7otbxsx.exe – network  Inter process communication:  RPC  Sections (memory mapped files)  BaseNamedObjectsTCPSharedMm and other interesting stuff
  • 37.  Detecting active project: HKCUSoftwareSIEMENSWINCCControl CenterDefault Settings  LastOpenPath  LastProject  Detecting MS SQL database name (timestamp) ArchiveManagerAlarmLogging ArchiveManagerTagLogging* Obtaining information from database and system objects
  • 38. • {Hostname}_{Project}_TLG* • TAG data • СС_{Project}_{Timestamp}* • Project data and configuration • Users, PLCs, Privileges
  • 39. • Managed by UM app • Stored in dbo.PW_USER
  • 41.
  • 43.
  • 44.
  • 45.
  • 47.
  • 48.
  • 49.
  • 50.  Select from MS SQL via COM objects  “Special” Windows Account  Shortcuts* *we don’t know yet, you know
  • 51.
  • 52. Authentication via SQL-stored accounts ServerID magic to get WebBridge password Magic is used for SCSWebBridgeX
  • 53. Too hard for me…
  • 54. Oh! En/c(r)ypt[10]n! ServerID = Base64(RC2(pass, key)), were key = MD5(dll hardcode)
  • 55. Not my department password!
  • 56.  All other confections use WNUSR for authentication  For authorization ID parameter is used
  • 58.  «Magic» password = MD5(WNUSR_DC92D7179E29.Password)  WNUSR_DC92D7179E29.Password generated during installation  Stored in registry via DPAPI  Good length and chartset but…
  • 59.
  • 60.  WinCC clients use hardcoded account to communicate with OPC Web bridge  Password for WNUSR_DC92D7179E29 generated during installation and probably strong  MD5(WNUSR_.Password) stored with DPAPI protection  “Encrypted” password for WNUSR_DC* can be obtained by request to WinCCWebBridge.dll  WNUSR_DC92D7179E29 is only account used for work with Windows/Database
  • 61.
  • 63.  What is Project?  Collection of ActiveX/COM/.NET objects  Event Handlers and other code (C/VB)  Configuration files, XML and other  Can Project be trusted?  Ways to spread malware with Project?
  • 64.  NO!  Project itself is dynamic code  It’s easy to patch it “on the fly”  Vulnerabilities in data handlers (CVE-2013-0677)  How to abuse?  Simplest way – to patch event handlers
  • 65.
  • 66.  Hardcoded SNMP community string (unfixed)  Hardcoded S7 PLC CA certificate (Dmitry Sklarov) http://scadastrangelove.blogspot.com/2012/09/all-your-plc- belong-to-us.html  Multiple vulnerabilities in S7 1200 PLC Web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov) http://www.siemens.com/corporatetechnology/pool/de/fors chungsfelder/siemens_security_advisory_ssa-279823.pdf
  • 67.  Can be protected by password  Authentication – simple challenge- response  Password hashed (SHA1) on client (TIA Portal)  Server (PLC) provide 20 byte challenge  Client calculate HMAC- SHA1(challenge, SHA1(password) as response
  • 68.
  • 69.
  • 70.  Can be protected by password  Authentication – simple challenge- response  Password hashed (SHA1) on client (TIA Portal)  Server (PLC) provide 20 byte challenge  Client calculate HMAC- SHA1(challenge, SHA1(password)) as response
  • 71.  SHA-1 stored in PLC project files  It can be intercepted during firmware update/project upload  It can be extracted from project file SHA-1(pass) VS HMAC-SHA1(challenge, SHA1(pass))
  • 72.
  • 73.
  • 74.
  • 75.
  • 76.  Buffer overflow  CVE-2013-0669  Cross-Site Scripting  CVE-2013-0672/CVE-2013-0670/CVE-2013-0668  Directory traversal/Response splitting  CVE-2013-0671  Server-side script injection  CVE-2012-3032 Fixed in WinCC (TIA Portal) V12 http://www.siemens.com/corporate- technology/pool/de/forschungsfelder/siemens_security_advisory_s sa-212483.pdf
  • 77.
  • 78.
  • 79.
  • 80.  Profinet scanner  WinCC Harvester 2.0 http://scadastrangelove.blogspot.com/search/label/Releases
  • 81.  TIA portal Security Hardening Guide  S7 protocol password brute force tool and JtR  Simatic WinCC Security Hardening Guide  PLCScan tool  ICS/SCADA/PLC Google/Shodan Cheat Sheet  SCADA Safety in Numbers http://scadastrangelove.blogspot.com/search/label/Releases
  • 82. All pictures are taken from Dr StrangeLove movie