SlideShare uma empresa Scribd logo

Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]

RootedCON
RootedCON
1 de 55
Baixar para ler offline
SCADA TROJANS ATTACKING THE GRID RUBEN SANTAMARTA
¿What are we going to talk about? SCADA / EMS TROJANS ATTACKS VECTORS REVERSE ENGINEERING ELECTRICAL ENERGY SYSTEM
THEORY
1. SCADA Supervisory Control And Data Acquisition (Supervisión, Control y Adquisición de Datos). ● FIELD DEVICES ● PLC/RTU/IED ● PROTOCOLS ● HMI / SCADA SERVER
2.Electrical Energy System I Biggest industrial system ever ● TRANSFORMER INVENTION – WIN! +V -I → Transmission over long distances wikipedia
2.Electrical Energy System II Generation Primary Source → Station → Three-Phase AC Generator → Step up Transformer → Transmission lines G ●Nuclear ●Hydroelectric ●Photovoltaic/Wind ●Biomass ●...
2.Electrical Energy System III Transmission Power Lines Substations
2.Electrical Energy System IV Transmission – Substations I RUNNING METASPLOIT AGAINST A SUBST. :)
2.Electrical Energy System IV Transmission – Substations II A Substation is a place where we can found ● Interconnection buses for lines ● Step down transformers ● Measurement, protection, interruption and dispatch equipment ● Disconnect Switches ● Load Break Switches ● Circuit Switchers ● Power Fuses ● Circuit Breakers Types of Substations → Transmission → Distribution → Collector → Switching
2.Electrical Energy System V Transmission – Substation Automation I Remote Connection Level ( Routers,Firewalls, Modems...) HMI Level ( Substation automation software,Server...) Station Level ( LAN, Concentrator,Additional devices...) Bay Level ( IEDs, Protection Devices...) Process Level (Breakers,Switchers,Transformers...)
2.Electrical Energy System V Transmission – Substation Automation II EMS/CC Remote HMI Station Bay Process Substation Equipment (Breakers,Switchers,Transformers...)
2.Electrical Energy System V Transmission – Substation Automation III ● HMI ● One-line diagrams
2.Electrical Energy System V Transmission – Substation Automation IV ● Protocols ● DNP3 ● Modbus ● IEC 60870-5-10(1,3,4) ● IEC 61850 ● ICCP ● OPC ● RS-232/485 ● UCA2 MMS ● Vendor specific ● Harris ● Westinhouse ● ABB ● ...
2.Electrical Energy System V Distribution www.mrsite.com
3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS I Computer based tools for... ● Monitoring ● Generation ● Coordinating ● Transmission ● Controlling ● Distribution KEY CONCEPT: DECISSION SUPPORT TO OPERATORS
2. EMS / SCADA I ENERGY MANAGEMENT SYSTEMS II CC CONTROL CENTER FRONT-END SCADA FRONT- ENDs Substation IEDs … RTUs PowerPlant
3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS III LOAD MANAGEMENT Data Acquisition ENERGY MANAGEMENT SCADA FRONT END AUTO. GEN.CONTROL SECURITY CONTROL Supervisory Control
3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS III THE SYSTEM MUST SURVIVE IN ANY CASE SECURITY CONTROL DETERMINE THE STATE OF THE SYSTEM PROCESS CONTINGENCIES DETERMINE PROPER ACTIONS
3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS IV SECURITY CONTROL FUNCTIONS TOPOLOGY PROCESSOR STATE ESTIMATOR POWER FLOW OPTIMAL POWER FLOW CONTINGENCY ANALYSIS SECURITY ENHACEMENT ... BUS LOAD FORECASTING
PRACTICE
4.SCADA TROJANS I YOU'RE NOT A TARGET SPONSORED BY STATES, LARGE CORPORATIONS AND/OR 4CHAN TWO-STAGE TROJANS AUTONOMOUS AGENTS INTELLIGENCE INSIDE... AND OUTSIDE
4.SCADA TROJANS II YOU NEED TO P0WN THE RIGHT PEOPLE OBTAIN NEEDED INFO REPLICATE THE TARGET DEPLOYMENT YOU CAN USE MONEY,TECHNOLOGY OR BOTH nd SOME DAY, SOMEWHERE THE 2 STAGE WILL BE TRIGGERED
4.SCADA TROJANS III ATTACK VECTORS HARDWARE PEOPLE SOFTWARE
4.SCADA TROJANS IV CONTEXT TWO LITTLE COUNTRIES IN CONFLICT RUBENHISTAN REGGAETONIA Tiramisú Gasolinia ● REGGAETONIA PLANS TO HOLD THE BIGGEST REGGAETON FESTIVAL EVER. ● RUBENHISTAN IS DETERMINED TO STOP IT.
4.SCADA TROJANS V OPERATION SNOW-HAMS RUBENHISTAN's Secret Service maintains a list of companies that operate Reguetonia's facilities. RUBENHISTAN's Secret Service also consults public open source intelligence sources as a city's urban planning to determine substations coverage. RUBENHISTAN's Secret Service launches a Targeted attack against the operators who control a key substation and even the Reguetonia's EMS LET'S SEE HOW TO PROCEED
4.SCADA TROJANS VI P0WNING THE SUBSTATION I PURE FICTION It's known the company who operates the SubStation implements a HMI client/server software from Advantech. Advantech WebAccess
4.SCADA TROJANS VI P0WNING THE SUBSTATION II c:windowssystem32bwocxrun.ocx [WebAccess Client] Implements IObjectSafety: True IDisp Safe: Safe for untrusted: caller,data IPersist Safe: Safe for untrusted: caller,data IPStorage Safe: Safe for untrusted: caller,data
4.SCADA TROJANS VI P0WNING THE SUBSTATION III After enticing one of the operators into visiting a specially crafted web, our bwocxrun.ocx exploit worked. We landed. Time to map the Substation network. At Bay level we find CSE-Semaphore RTUs/IEDs http://www.cse-semaphore.com/
TBOX LITE 200 - Ethernet 2 counters (I) 6 Analog (I) 4/20mA 8 digital (I/O) 2 Temperature (I) 4 relays 230 V ac 3A(O) EMBEDDED HTTP Server, FTP, SNMP, EMAIL ... DNP3, IEC 60870-5 MODBUS ... +40 Drivers http://www.cse-semaphore.com/pdf/brochure_T-BOX-Lite.pdf
4.SCADA TROJANS VI P0WNING THE SUBSTATION IV TVIEW Basic COMPILER Ladder Logic SECURITY ●MODBUS: (Optional) ACCESS CODE- 4 Hexa Chars. ●HTTP AUTH (Optional) ●CUSTOM PASSWORD PROTECTION VIA SOURCE CODE
4.SCADA TROJANS VI P0WNING THE SUBSTATION V IP HEY, I'M HERE TO POWN YOU OK, BUT FIRST INSTALL THIS ACTIVEX OK, DONE. COOL. DOWNLOAD THESE .TWF FILES
4.SCADA TROJANS VI P0WNING THE SUBSTATION VI TWF FILES ● Compressed ● Contains code compiled by the original programmer ● VBasic Script code → executed by vbscript.dll ● Propietary Format. Parsed by WebFormParser.dll ● Contains fixed “classes” ● CStationList ● CTagList ● CTag... Inside the TWF, each CTag entry contains its name, MODBUS address and length.
4.SCADA TROJANS VI P0WNING THE SUBSTATION VII HEY, TCOMM.DLL USES MODBUS AGAINST YOU THAT'S RIGHT. IT'S HOW YOU CAN INTERACT WITH ME MMM, BASIC CODE IS COMPILED AND EXECUTED AT CLIENT-SIDE, EVEN AUTH ROUTINES! WHAT IS CLIENT-SIDE?
4.SCADA TROJANS VI P0WNING THE SUBSTATION VIII Break on vbscript!COleScript::Compile to modify TWF's basic code before being compiled. compiled REAL EXAMPLE If txt_Password.Text <> Dlb_SMSPassword.Value Or txt_password.text = "" Then msgbox "The Password is incorrect!!" & vbCrlf & "A passord is ...." & vbCrlf & "Contact your local distributor to get the password.",Vbexclamation,"Password" Exit Sub End If CHANGE “<>” BY “=” ... WE ARE IN!
4.SCADA TROJANS VI P0WNING THE SUBSTATION IX YOU REALIZE EVERYONE CAN SEND YOU RAW MODBUS REQUESTS? DON'T BE EVIL! Tcomm.dll
4.SCADA TROJANS VI P0WNING THE SUBSTATION X We are already controlling Bay Level and Station Level However, still needed a vector to the EMS SCADA Front-End + Network Service ( webvrpcs.exe ) MIDA.plw + MIDL.exe + Opcode 0x00 + others... void sub_401000( /* [in] */ handle_t arg_1, /* [in] */ long arg_2, /* [in] */ long arg_3, /* [in] */ long arg_4, /* [size_is][ref][in] */ unsigned char *arg_5, /* [in] */ long arg_6, /* [size_is][ref][out] */ unsigned char *arg_7, /* [ref][out] */ long *arg_8)
4.SCADA TROJANS VI P0WNING THE SUBSTATION XI webvrpcs.exe port 4592 LANDED!
4.SCADA TROJANS VII Recalling Station/Operator p0wned via bwocxrun.ocx 0day Bay Level p0wned via TBOX flawed logic 0day SCADA Front-End p0wned via webvrpcs.exe RPC 0day 3 0days! Almost Stuxnet! ;)
ALL AT ONCE
4.SCADA TROJANS VIII nd THE 2 STAGE I We deploy an autonomous agent to attack the State Estimator. Its goal is generating unexpected contingencies, which may end up causing a blackout. Operators will deal with fake results. Only “in memory”. Everything else is correct. The entire EMS is no longer operating within a secure state.
4.SCADA TROJANS VIII nd THE 2 STAGE II States Static Data Dynamic data Measurements Topology Prefiltering Processor State Observability Estimation analysis Nonobservable zones Error Error Detection Identification Estimated state Errors HMI
4.SCADA TROJANS VIII nd THE 2 STAGE III Why an State Estimator? Flows → real + reactive Injections → real + reactive Voltage Current Virtual Measurements Pseudomeasurements
4.SCADA TROJANS VIII nd THE 2 STAGE IV We can describe previous measurements as a function of the system states. hi are nonlinear.
4.SCADA TROJANS VIII nd THE 2 STAGE V Given the state vector The following h (x) are used i Injections Flows
4.SCADA TROJANS VIII nd THE 2 STAGE VI ^ = h(x) and ^ = z – z z ^ r ^ ... WLS ALGORITHM
4.SCADA TROJANS VIII nd THE 2 STAGE VII WLS BASED S.E ALGORITHM (Weighted Least Squares ) 1.Initialize the state vector x =x0 with the flat voltage profile (Vi =1 pu, θi =0) and the 1. iteration counter (k =0). 2. Compute the measurement residuals r =z−h(xk ). 3. Obtain H and G=HTWH. 4. Solve the linear system: ∆xk =G-1 HTW r 5. Update the state vector (xk+1 =xk +∆xk ) and the iteration counter (k =k +1). 6. If any of the elements of x exceeds the specified convergence threshold then return to step 2. Otherwise, stop.
4.SCADA TROJANS VIII nd THE 2 STAGE VIII Our trojan must be triggered during the WLS algorithm. So we have to reverse engineering the target EMS Software to find out where it performs the operations we have been seeing. Due to the complexity of EMS products, we should use tools for “differential debugging”. A great/free tool is “myNav”, implemented as an IDA plugin developed by Joxean Koret. http://code.google.com/p/mynav/
// Step 6 - WLS Algorithm - Obtain max value from ∆xk for ( dword_61C068[0] = 1; v9 > 0; --v9 ) { dbl_61BFC8 = fabs(*(double *)&dword_61C6A8[2 * dword_61C068[0]]); if ( dbl_61BFC8 > dbl_61BFD0 ) { dbl_61BFD0 = dbl_61BFC8; dword_61C030 = dword_61C068[0]; } ++dword_61C068[0]; } v3 = dbl_61BFD0; if ( dbl_61BFD0 < dbl_937300[0] ) //Max val from ∆xk < Tolerance { dword_61C02C = 1; v43 = 0; goto No_More_iters; } ++dword_94EDF4; --g_K; // iterations if ( g_K <= 0 ) goto No_More_iters; // It didn't converge
TRY IT YOURSELF. PET http://www.ece.neu.edu/~abur/pet.htm l
5.SCADA TROJANS IX MISSION COMPLETED After the successful attack, Reggaetonia suffered random blackouts for months till its own people ,tired of the situation, assaulted the institutions. Every attempt to contract a considerable amount of MW for reggaeton festivals, ended up in an partial blackout. RUBENHISTAN WINS.
6.CONCLUSIONS Trojans designed for SCADA environments, should do their job stealthly,quietly... letting operators think still can trust their HMI/equipment. Combined attacks against State Estimators give you 100% success guaranteed. In the near future, a massive adoption of PMU could set a point of inflection. False data injection, nowadays, is more an academic attack than a real world attack IMHO. We have presented a general attack against SE.
HACK THE PLANET TAKE YOUR MW! RUBEN SANTAMARTA @reversemode

Recomendados

an introduction to scada.
an introduction to scada.an introduction to scada.
an introduction to scada.Rishabh Srivastava
 
SCADA by K.LIPESH
SCADA by K.LIPESH SCADA by K.LIPESH
SCADA by K.LIPESH LIPESH KAPALA
 
Scada system
Scada systemScada system
Scada systemPulakesh k kalita
 
Introduction to SCADA
Introduction to SCADAIntroduction to SCADA
Introduction to SCADAPraveen Kumar
 
Scada system architecture, types and applications
Scada system architecture, types and applicationsScada system architecture, types and applications
Scada system architecture, types and applicationsUchi Pou
 
scada systems
scada systemsscada systems
scada systemsShovana Khan Yusufzai
 
A presentation on scada system
A presentation on scada systemA presentation on scada system
A presentation on scada systemIIT INDORE
 
SCADA
SCADASCADA
SCADASABARINATH C D
 

Recomendados

an introduction to scada.
an introduction to scada.an introduction to scada.
an introduction to scada.Rishabh Srivastava
 
SCADA by K.LIPESH
SCADA by K.LIPESH SCADA by K.LIPESH
SCADA by K.LIPESH LIPESH KAPALA
 
Scada system
Scada systemScada system
Scada systemPulakesh k kalita
 
Introduction to SCADA
Introduction to SCADAIntroduction to SCADA
Introduction to SCADAPraveen Kumar
 
Scada system architecture, types and applications
Scada system architecture, types and applicationsScada system architecture, types and applications
Scada system architecture, types and applicationsUchi Pou
 
scada systems
scada systemsscada systems
scada systemsShovana Khan Yusufzai
 
A presentation on scada system
A presentation on scada systemA presentation on scada system
A presentation on scada systemIIT INDORE
 
SCADA
SCADASCADA
SCADASABARINATH C D
 
Scada
ScadaScada
Scadabilly_lx
 
What is SCADA system? SCADA Solutions for IoT
What is SCADA system? SCADA Solutions for IoTWhat is SCADA system? SCADA Solutions for IoT
What is SCADA system? SCADA Solutions for IoTEmbitel Technologies (I) PVT LTD
 
Scada systems automating electrical distribution
Scada systems automating electrical distributionScada systems automating electrical distribution
Scada systems automating electrical distributionSHUBHAM SAINI
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA PresentationEric Favetta
 
SCADA
SCADASCADA
SCADAAmit Kumar Shrivastava
 
Scada functions
Scada functionsScada functions
Scada functionsSundarapandy Pillai
 
An introduction to scada fundamentals and implementation
An introduction to scada fundamentals and implementationAn introduction to scada fundamentals and implementation
An introduction to scada fundamentals and implementationRahul Mehra
 
Supervisory Contro and Data Acquisition - SCADA
Supervisory Contro and Data Acquisition - SCADASupervisory Contro and Data Acquisition - SCADA
Supervisory Contro and Data Acquisition - SCADAAhmed Elsayed
 
Scada Classification By-Rahul Mehra
Scada Classification By-Rahul MehraScada Classification By-Rahul Mehra
Scada Classification By-Rahul MehraRahul Mehra
 
Reliable, cheaper, and modular new scada 1
Reliable, cheaper, and modular new scada 1Reliable, cheaper, and modular new scada 1
Reliable, cheaper, and modular new scada 1Mohamed Zahran
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
SCADA
SCADASCADA
SCADAalmuamar
 
Introduction to scada systems & power control centres
Introduction to scada systems & power control centresIntroduction to scada systems & power control centres
Introduction to scada systems & power control centresHelder Joaquim Ale Psico
 
SCADA
SCADASCADA
SCADAJ K Shree
 
Scada protocols-and-communications-trends
Scada protocols-and-communications-trendsScada protocols-and-communications-trends
Scada protocols-and-communications-trendsSandip Roy
 
SCADA (Supervisory Control & data Acquisation) PPT
SCADA (Supervisory Control & data Acquisation) PPTSCADA (Supervisory Control & data Acquisation) PPT
SCADA (Supervisory Control & data Acquisation) PPTDeepeshK4
 
Scada slide
Scada slideScada slide
Scada slideTowfiqur Rahman
 
Wireless SCADA Data Communications
Wireless SCADA Data CommunicationsWireless SCADA Data Communications
Wireless SCADA Data CommunicationsDaniel Ehrenreich
 
Scada For G Mgt
Scada For G MgtScada For G Mgt
Scada For G MgtAnil Patil
 
Scada ppt
Scada pptScada ppt
Scada pptOECLIB Odisha Electronics Control Library
 
FME and IDMS
FME and IDMSFME and IDMS
FME and IDMSSafe Software
 
Alstom High Voltage Training Offer - Technical Institute
Alstom High Voltage Training Offer - Technical InstituteAlstom High Voltage Training Offer - Technical Institute
Alstom High Voltage Training Offer - Technical InstituteThorne & Derrick International
 

Mais conteúdo relacionado

Mais procurados

Scada systems automating electrical distribution
Scada systems automating electrical distributionScada systems automating electrical distribution
Scada systems automating electrical distributionSHUBHAM SAINI
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA PresentationEric Favetta
 
An introduction to scada fundamentals and implementation
An introduction to scada fundamentals and implementationAn introduction to scada fundamentals and implementation
An introduction to scada fundamentals and implementationRahul Mehra
 
Supervisory Contro and Data Acquisition - SCADA
Supervisory Contro and Data Acquisition - SCADASupervisory Contro and Data Acquisition - SCADA
Supervisory Contro and Data Acquisition - SCADAAhmed Elsayed
 
Scada Classification By-Rahul Mehra
Scada Classification By-Rahul MehraScada Classification By-Rahul Mehra
Scada Classification By-Rahul MehraRahul Mehra
 
Reliable, cheaper, and modular new scada 1
Reliable, cheaper, and modular new scada 1Reliable, cheaper, and modular new scada 1
Reliable, cheaper, and modular new scada 1Mohamed Zahran
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
Introduction to scada systems & power control centres
Introduction to scada systems & power control centresIntroduction to scada systems & power control centres
Introduction to scada systems & power control centresHelder Joaquim Ale Psico
 
Scada protocols-and-communications-trends
Scada protocols-and-communications-trendsScada protocols-and-communications-trends
Scada protocols-and-communications-trendsSandip Roy
 
SCADA (Supervisory Control & data Acquisation) PPT
SCADA (Supervisory Control & data Acquisation) PPTSCADA (Supervisory Control & data Acquisation) PPT
SCADA (Supervisory Control & data Acquisation) PPTDeepeshK4
 
Wireless SCADA Data Communications
Wireless SCADA Data CommunicationsWireless SCADA Data Communications
Wireless SCADA Data CommunicationsDaniel Ehrenreich
 
Scada For G Mgt
Scada For G MgtScada For G Mgt
Scada For G MgtAnil Patil
 

Mais procurados (20)

Scada
ScadaScada
Scada
 
What is SCADA system? SCADA Solutions for IoT
What is SCADA system? SCADA Solutions for IoTWhat is SCADA system? SCADA Solutions for IoT
What is SCADA system? SCADA Solutions for IoT
 
Scada systems automating electrical distribution
Scada systems automating electrical distributionScada systems automating electrical distribution
Scada systems automating electrical distribution
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA Presentation
 
SCADA
SCADASCADA
SCADA
 
Scada functions
Scada functionsScada functions
Scada functions
 
An introduction to scada fundamentals and implementation
An introduction to scada fundamentals and implementationAn introduction to scada fundamentals and implementation
An introduction to scada fundamentals and implementation
 
Supervisory Contro and Data Acquisition - SCADA
Supervisory Contro and Data Acquisition - SCADASupervisory Contro and Data Acquisition - SCADA
Supervisory Contro and Data Acquisition - SCADA
 
Scada Classification By-Rahul Mehra
Scada Classification By-Rahul MehraScada Classification By-Rahul Mehra
Scada Classification By-Rahul Mehra
 
Reliable, cheaper, and modular new scada 1
Reliable, cheaper, and modular new scada 1Reliable, cheaper, and modular new scada 1
Reliable, cheaper, and modular new scada 1
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
 
SCADA
SCADASCADA
SCADA
 
Introduction to scada systems & power control centres
Introduction to scada systems & power control centresIntroduction to scada systems & power control centres
Introduction to scada systems & power control centres
 
SCADA
SCADASCADA
SCADA
 
Scada protocols-and-communications-trends
Scada protocols-and-communications-trendsScada protocols-and-communications-trends
Scada protocols-and-communications-trends
 
SCADA (Supervisory Control & data Acquisation) PPT
SCADA (Supervisory Control & data Acquisation) PPTSCADA (Supervisory Control & data Acquisation) PPT
SCADA (Supervisory Control & data Acquisation) PPT
 
Scada slide
Scada slideScada slide
Scada slide
 
Wireless SCADA Data Communications
Wireless SCADA Data CommunicationsWireless SCADA Data Communications
Wireless SCADA Data Communications
 
Scada For G Mgt
Scada For G MgtScada For G Mgt
Scada For G Mgt
 
Scada ppt
Scada pptScada ppt
Scada ppt
 

Destaque

Alstom High Voltage Training Offer - Technical Institute
Alstom High Voltage Training Offer - Technical InstituteAlstom High Voltage Training Offer - Technical Institute
Alstom High Voltage Training Offer - Technical InstituteThorne & Derrick International
 
Петров С.В. - НПП "Динамика"
Петров С.В. - НПП "Динамика"Петров С.В. - НПП "Динамика"
Петров С.В. - НПП "Динамика"DigitalSubstation
 
Сакмарская СЭС и новые разработки Прософт-Системы
Сакмарская СЭС и новые разработки Прософт-СистемыСакмарская СЭС и новые разработки Прософт-Системы
Сакмарская СЭС и новые разработки Прософт-СистемыDigitalSubstation
 
Cisco Connected Grid Solutions
Cisco Connected Grid SolutionsCisco Connected Grid Solutions
Cisco Connected Grid SolutionsAmos Simoes
 
Грибков М.А. - ПАО "МОЭСК"
Грибков М.А. - ПАО "МОЭСК"Грибков М.А. - ПАО "МОЭСК"
Грибков М.А. - ПАО "МОЭСК"DigitalSubstation
 
61850IMU Substation Recorder
61850IMU Substation Recorder61850IMU Substation Recorder
61850IMU Substation RecorderGE Grid Solutions
 
ПС 110 кВ "Приречная"
ПС 110 кВ "Приречная"ПС 110 кВ "Приречная"
ПС 110 кВ "Приречная"DigitalSubstation
 
GE's Grid Solutions Media Presentation
GE's Grid Solutions Media Presentation GE's Grid Solutions Media Presentation
GE's Grid Solutions Media Presentation GE's Grid Solutions
 
Commissioning services for substation and power plants
Commissioning services for substation and power plantsCommissioning services for substation and power plants
Commissioning services for substation and power plantsEvaldas Paliliūnas
 
REMOWZ - Realtime Water Quality Monitoring using ZigBee based WSN (Part II)
REMOWZ - Realtime Water Quality Monitoring using ZigBee based WSN (Part II)REMOWZ - Realtime Water Quality Monitoring using ZigBee based WSN (Part II)
REMOWZ - Realtime Water Quality Monitoring using ZigBee based WSN (Part II)Nitin Balakrishnan
 
Scada substation automation prnsnt
Scada substation automation prnsntScada substation automation prnsnt
Scada substation automation prnsntIIT INDORE
 
IEEE 2014 Project List
IEEE 2014 Project ListIEEE 2014 Project List
IEEE 2014 Project ListHades InfoTech
 
Fire accident avoidance on running train using zigbee wireless sensor network
Fire accident avoidance on running train using zigbee wireless sensor networkFire accident avoidance on running train using zigbee wireless sensor network
Fire accident avoidance on running train using zigbee wireless sensor networkDivakar Triple H
 
132KV SUBSTATION UPPTCL
132KV SUBSTATION UPPTCL132KV SUBSTATION UPPTCL
132KV SUBSTATION UPPTCLAman Rajput
 
Zigbee Based Patient Monitoring System
Zigbee Based Patient Monitoring SystemZigbee Based Patient Monitoring System
Zigbee Based Patient Monitoring SystemAmeer Khan
 

Destaque (20)

FME and IDMS
FME and IDMSFME and IDMS
FME and IDMS
 
Alstom High Voltage Training Offer - Technical Institute
Alstom High Voltage Training Offer - Technical InstituteAlstom High Voltage Training Offer - Technical Institute
Alstom High Voltage Training Offer - Technical Institute
 
Петров С.В. - НПП "Динамика"
Петров С.В. - НПП "Динамика"Петров С.В. - НПП "Динамика"
Петров С.В. - НПП "Динамика"
 
Сакмарская СЭС и новые разработки Прософт-Системы
Сакмарская СЭС и новые разработки Прософт-СистемыСакмарская СЭС и новые разработки Прософт-Системы
Сакмарская СЭС и новые разработки Прософт-Системы
 
Cisco Connected Grid Solutions
Cisco Connected Grid SolutionsCisco Connected Grid Solutions
Cisco Connected Grid Solutions
 
ПС 500 кВ "Исеть"
ПС 500 кВ "Исеть"ПС 500 кВ "Исеть"
ПС 500 кВ "Исеть"
 
Грибков М.А. - ПАО "МОЭСК"
Грибков М.А. - ПАО "МОЭСК"Грибков М.А. - ПАО "МОЭСК"
Грибков М.А. - ПАО "МОЭСК"
 
61850IMU Substation Recorder
61850IMU Substation Recorder61850IMU Substation Recorder
61850IMU Substation Recorder
 
ПС 110 кВ "Приречная"
ПС 110 кВ "Приречная"ПС 110 кВ "Приречная"
ПС 110 кВ "Приречная"
 
GE's Grid Solutions Media Presentation
GE's Grid Solutions Media Presentation GE's Grid Solutions Media Presentation
GE's Grid Solutions Media Presentation
 
Commissioning services for substation and power plants
Commissioning services for substation and power plantsCommissioning services for substation and power plants
Commissioning services for substation and power plants
 
REMOWZ - Realtime Water Quality Monitoring using ZigBee based WSN (Part II)
REMOWZ - Realtime Water Quality Monitoring using ZigBee based WSN (Part II)REMOWZ - Realtime Water Quality Monitoring using ZigBee based WSN (Part II)
REMOWZ - Realtime Water Quality Monitoring using ZigBee based WSN (Part II)
 
Scada substation automation prnsnt
Scada substation automation prnsntScada substation automation prnsnt
Scada substation automation prnsnt
 
IEEE 2014 Project List
IEEE 2014 Project ListIEEE 2014 Project List
IEEE 2014 Project List
 
Fire accident avoidance on running train using zigbee wireless sensor network
Fire accident avoidance on running train using zigbee wireless sensor networkFire accident avoidance on running train using zigbee wireless sensor network
Fire accident avoidance on running train using zigbee wireless sensor network
 
132KV SUBSTATION UPPTCL
132KV SUBSTATION UPPTCL132KV SUBSTATION UPPTCL
132KV SUBSTATION UPPTCL
 
Zigbee Based Patient Monitoring System
Zigbee Based Patient Monitoring SystemZigbee Based Patient Monitoring System
Zigbee Based Patient Monitoring System
 
ALSTOM – Micom
ALSTOM – MicomALSTOM – Micom
ALSTOM – Micom
 
Zigbee Presentation
Zigbee PresentationZigbee Presentation
Zigbee Presentation
 
PLC SCADA
PLC SCADAPLC SCADA
PLC SCADA
 

Semelhante a Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]

Pms System Training
Pms System TrainingPms System Training
Pms System Trainingvkmalik
 
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02NiMa Bagheriasl
 
IJSRED-V2I2P7
IJSRED-V2I2P7IJSRED-V2I2P7
IJSRED-V2I2P7IJSRED
 
NXP Functional Safety High Voltage Low voltage
NXP Functional Safety High Voltage Low voltageNXP Functional Safety High Voltage Low voltage
NXP Functional Safety High Voltage Low voltagessuser57b3e5
 
Training manual on scada
Training manual on scadaTraining manual on scada
Training manual on scadabhavuksharma10
 
CLOUD BASED NETWORK MANAGEMENT AND CONTROL FOR BUILDING AUTOMATION
CLOUD BASED NETWORK MANAGEMENT AND CONTROL FOR BUILDING AUTOMATIONCLOUD BASED NETWORK MANAGEMENT AND CONTROL FOR BUILDING AUTOMATION
CLOUD BASED NETWORK MANAGEMENT AND CONTROL FOR BUILDING AUTOMATIONAdeel Ahmed
 
Internet of Energy: "Can python prevent California wildfires?"
Internet of Energy: "Can python prevent California wildfires?"Internet of Energy: "Can python prevent California wildfires?"
Internet of Energy: "Can python prevent California wildfires?"Chijioke “CJ” Ejimuda
 
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation PlantsAvoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation PlantsManuel Santander
 
KAGITHALA YASASWINI
KAGITHALA YASASWINIKAGITHALA YASASWINI
KAGITHALA YASASWINIMAHESH294
 
fault detection of transformer using GSM,,,,by YASASWINI.KAGITHALA
fault detection of transformer using GSM,,,,by YASASWINI.KAGITHALAfault detection of transformer using GSM,,,,by YASASWINI.KAGITHALA
fault detection of transformer using GSM,,,,by YASASWINI.KAGITHALAMAHESH294
 
Photovoltaic Training - Session 3 - Plant Operation
Photovoltaic Training - Session 3 - Plant OperationPhotovoltaic Training - Session 3 - Plant Operation
Photovoltaic Training - Session 3 - Plant OperationLeonardo ENERGY
 
S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsMarina Krotofil
 
Advanced railway security system (arss) based on zigbee communication for tra...
Advanced railway security system (arss) based on zigbee communication for tra...Advanced railway security system (arss) based on zigbee communication for tra...
Advanced railway security system (arss) based on zigbee communication for tra...rashmimabattin28
 
Mine workers protection slides
Mine workers protection slidesMine workers protection slides
Mine workers protection slidesArya Ls
 

Semelhante a Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011] (20)

Pms System Training
Pms System TrainingPms System Training
Pms System Training
 
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02
 
IJSRED-V2I2P7
IJSRED-V2I2P7IJSRED-V2I2P7
IJSRED-V2I2P7
 
NXP Functional Safety High Voltage Low voltage
NXP Functional Safety High Voltage Low voltageNXP Functional Safety High Voltage Low voltage
NXP Functional Safety High Voltage Low voltage
 
Training manual on scada
Training manual on scadaTraining manual on scada
Training manual on scada
 
CLOUD BASED NETWORK MANAGEMENT AND CONTROL FOR BUILDING AUTOMATION
CLOUD BASED NETWORK MANAGEMENT AND CONTROL FOR BUILDING AUTOMATIONCLOUD BASED NETWORK MANAGEMENT AND CONTROL FOR BUILDING AUTOMATION
CLOUD BASED NETWORK MANAGEMENT AND CONTROL FOR BUILDING AUTOMATION
 
Internet of Energy: "Can python prevent California wildfires?"
Internet of Energy: "Can python prevent California wildfires?"Internet of Energy: "Can python prevent California wildfires?"
Internet of Energy: "Can python prevent California wildfires?"
 
P1111141868
P1111141868P1111141868
P1111141868
 
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation PlantsAvoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
 
KAGITHALA YASASWINI
KAGITHALA YASASWINIKAGITHALA YASASWINI
KAGITHALA YASASWINI
 
fault detection of transformer using GSM,,,,by YASASWINI.KAGITHALA
fault detection of transformer using GSM,,,,by YASASWINI.KAGITHALAfault detection of transformer using GSM,,,,by YASASWINI.KAGITHALA
fault detection of transformer using GSM,,,,by YASASWINI.KAGITHALA
 
Scada System
Scada SystemScada System
Scada System
 
Photovoltaic Training - Session 3 - Plant Operation
Photovoltaic Training - Session 3 - Plant OperationPhotovoltaic Training - Session 3 - Plant Operation
Photovoltaic Training - Session 3 - Plant Operation
 
Plc & Scada
Plc & ScadaPlc & Scada
Plc & Scada
 
Gemini_3__3008_web
Gemini_3__3008_webGemini_3__3008_web
Gemini_3__3008_web
 
Ff25965968
Ff25965968Ff25965968
Ff25965968
 
S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsics
 
Scada-PPT 1.pptx
Scada-PPT 1.pptxScada-PPT 1.pptx
Scada-PPT 1.pptx
 
Advanced railway security system (arss) based on zigbee communication for tra...
Advanced railway security system (arss) based on zigbee communication for tra...Advanced railway security system (arss) based on zigbee communication for tra...
Advanced railway security system (arss) based on zigbee communication for tra...
 
Mine workers protection slides
Mine workers protection slidesMine workers protection slides
Mine workers protection slides
 

Mais de RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 

Mais de RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]

  • 1. SCADA TROJANS ATTACKING THE GRID RUBEN SANTAMARTA
  • 2. ¿What are we going to talk about? SCADA / EMS TROJANS ATTACKS VECTORS REVERSE ENGINEERING ELECTRICAL ENERGY SYSTEM
  • 4. 1. SCADA Supervisory Control And Data Acquisition (Supervisión, Control y Adquisición de Datos). ● FIELD DEVICES ● PLC/RTU/IED ● PROTOCOLS ● HMI / SCADA SERVER
  • 5. 2.Electrical Energy System I Biggest industrial system ever ● TRANSFORMER INVENTION – WIN! +V -I → Transmission over long distances wikipedia
  • 6. 2.Electrical Energy System II Generation Primary Source → Station → Three-Phase AC Generator → Step up Transformer → Transmission lines G ●Nuclear ●Hydroelectric ●Photovoltaic/Wind ●Biomass ●...
  • 7. 2.Electrical Energy System III Transmission Power Lines Substations
  • 8. 2.Electrical Energy System IV Transmission – Substations I RUNNING METASPLOIT AGAINST A SUBST. :)
  • 9. 2.Electrical Energy System IV Transmission – Substations II A Substation is a place where we can found ● Interconnection buses for lines ● Step down transformers ● Measurement, protection, interruption and dispatch equipment ● Disconnect Switches ● Load Break Switches ● Circuit Switchers ● Power Fuses ● Circuit Breakers Types of Substations → Transmission → Distribution → Collector → Switching
  • 10. 2.Electrical Energy System V Transmission – Substation Automation I Remote Connection Level ( Routers,Firewalls, Modems...) HMI Level ( Substation automation software,Server...) Station Level ( LAN, Concentrator,Additional devices...) Bay Level ( IEDs, Protection Devices...) Process Level (Breakers,Switchers,Transformers...)
  • 11. 2.Electrical Energy System V Transmission – Substation Automation II EMS/CC Remote HMI Station Bay Process Substation Equipment (Breakers,Switchers,Transformers...)
  • 12. 2.Electrical Energy System V Transmission – Substation Automation III ● HMI ● One-line diagrams
  • 13.
  • 14. 2.Electrical Energy System V Transmission – Substation Automation IV ● Protocols ● DNP3 ● Modbus ● IEC 60870-5-10(1,3,4) ● IEC 61850 ● ICCP ● OPC ● RS-232/485 ● UCA2 MMS ● Vendor specific ● Harris ● Westinhouse ● ABB ● ...
  • 15. 2.Electrical Energy System V Distribution www.mrsite.com
  • 16. 3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS I Computer based tools for... ● Monitoring ● Generation ● Coordinating ● Transmission ● Controlling ● Distribution KEY CONCEPT: DECISSION SUPPORT TO OPERATORS
  • 17. 2. EMS / SCADA I ENERGY MANAGEMENT SYSTEMS II CC CONTROL CENTER FRONT-END SCADA FRONT- ENDs Substation IEDs … RTUs PowerPlant
  • 18.
  • 19. 3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS III LOAD MANAGEMENT Data Acquisition ENERGY MANAGEMENT SCADA FRONT END AUTO. GEN.CONTROL SECURITY CONTROL Supervisory Control
  • 20. 3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS III THE SYSTEM MUST SURVIVE IN ANY CASE SECURITY CONTROL DETERMINE THE STATE OF THE SYSTEM PROCESS CONTINGENCIES DETERMINE PROPER ACTIONS
  • 21. 3. EMS / SCADA ENERGY MANAGEMENT SYSTEMS IV SECURITY CONTROL FUNCTIONS TOPOLOGY PROCESSOR STATE ESTIMATOR POWER FLOW OPTIMAL POWER FLOW CONTINGENCY ANALYSIS SECURITY ENHACEMENT ... BUS LOAD FORECASTING
  • 23. 4.SCADA TROJANS I YOU'RE NOT A TARGET SPONSORED BY STATES, LARGE CORPORATIONS AND/OR 4CHAN TWO-STAGE TROJANS AUTONOMOUS AGENTS INTELLIGENCE INSIDE... AND OUTSIDE
  • 24. 4.SCADA TROJANS II YOU NEED TO P0WN THE RIGHT PEOPLE OBTAIN NEEDED INFO REPLICATE THE TARGET DEPLOYMENT YOU CAN USE MONEY,TECHNOLOGY OR BOTH nd SOME DAY, SOMEWHERE THE 2 STAGE WILL BE TRIGGERED
  • 25. 4.SCADA TROJANS III ATTACK VECTORS HARDWARE PEOPLE SOFTWARE
  • 26. 4.SCADA TROJANS IV CONTEXT TWO LITTLE COUNTRIES IN CONFLICT RUBENHISTAN REGGAETONIA Tiramisú Gasolinia ● REGGAETONIA PLANS TO HOLD THE BIGGEST REGGAETON FESTIVAL EVER. ● RUBENHISTAN IS DETERMINED TO STOP IT.
  • 27. 4.SCADA TROJANS V OPERATION SNOW-HAMS RUBENHISTAN's Secret Service maintains a list of companies that operate Reguetonia's facilities. RUBENHISTAN's Secret Service also consults public open source intelligence sources as a city's urban planning to determine substations coverage. RUBENHISTAN's Secret Service launches a Targeted attack against the operators who control a key substation and even the Reguetonia's EMS LET'S SEE HOW TO PROCEED
  • 28. 4.SCADA TROJANS VI P0WNING THE SUBSTATION I PURE FICTION It's known the company who operates the SubStation implements a HMI client/server software from Advantech. Advantech WebAccess
  • 29.
  • 30. 4.SCADA TROJANS VI P0WNING THE SUBSTATION II c:windowssystem32bwocxrun.ocx [WebAccess Client] Implements IObjectSafety: True IDisp Safe: Safe for untrusted: caller,data IPersist Safe: Safe for untrusted: caller,data IPStorage Safe: Safe for untrusted: caller,data
  • 31. 4.SCADA TROJANS VI P0WNING THE SUBSTATION III After enticing one of the operators into visiting a specially crafted web, our bwocxrun.ocx exploit worked. We landed. Time to map the Substation network. At Bay level we find CSE-Semaphore RTUs/IEDs http://www.cse-semaphore.com/
  • 32. TBOX LITE 200 - Ethernet 2 counters (I) 6 Analog (I) 4/20mA 8 digital (I/O) 2 Temperature (I) 4 relays 230 V ac 3A(O) EMBEDDED HTTP Server, FTP, SNMP, EMAIL ... DNP3, IEC 60870-5 MODBUS ... +40 Drivers http://www.cse-semaphore.com/pdf/brochure_T-BOX-Lite.pdf
  • 33. 4.SCADA TROJANS VI P0WNING THE SUBSTATION IV TVIEW Basic COMPILER Ladder Logic SECURITY ●MODBUS: (Optional) ACCESS CODE- 4 Hexa Chars. ●HTTP AUTH (Optional) ●CUSTOM PASSWORD PROTECTION VIA SOURCE CODE
  • 34. 4.SCADA TROJANS VI P0WNING THE SUBSTATION V IP HEY, I'M HERE TO POWN YOU OK, BUT FIRST INSTALL THIS ACTIVEX OK, DONE. COOL. DOWNLOAD THESE .TWF FILES
  • 35. 4.SCADA TROJANS VI P0WNING THE SUBSTATION VI TWF FILES ● Compressed ● Contains code compiled by the original programmer ● VBasic Script code → executed by vbscript.dll ● Propietary Format. Parsed by WebFormParser.dll ● Contains fixed “classes” ● CStationList ● CTagList ● CTag... Inside the TWF, each CTag entry contains its name, MODBUS address and length.
  • 36. 4.SCADA TROJANS VI P0WNING THE SUBSTATION VII HEY, TCOMM.DLL USES MODBUS AGAINST YOU THAT'S RIGHT. IT'S HOW YOU CAN INTERACT WITH ME MMM, BASIC CODE IS COMPILED AND EXECUTED AT CLIENT-SIDE, EVEN AUTH ROUTINES! WHAT IS CLIENT-SIDE?
  • 37. 4.SCADA TROJANS VI P0WNING THE SUBSTATION VIII Break on vbscript!COleScript::Compile to modify TWF's basic code before being compiled. compiled REAL EXAMPLE If txt_Password.Text <> Dlb_SMSPassword.Value Or txt_password.text = "" Then msgbox "The Password is incorrect!!" & vbCrlf & "A passord is ...." & vbCrlf & "Contact your local distributor to get the password.",Vbexclamation,"Password" Exit Sub End If CHANGE “<>” BY “=” ... WE ARE IN!
  • 38. 4.SCADA TROJANS VI P0WNING THE SUBSTATION IX YOU REALIZE EVERYONE CAN SEND YOU RAW MODBUS REQUESTS? DON'T BE EVIL! Tcomm.dll
  • 39. 4.SCADA TROJANS VI P0WNING THE SUBSTATION X We are already controlling Bay Level and Station Level However, still needed a vector to the EMS SCADA Front-End + Network Service ( webvrpcs.exe ) MIDA.plw + MIDL.exe + Opcode 0x00 + others... void sub_401000( /* [in] */ handle_t arg_1, /* [in] */ long arg_2, /* [in] */ long arg_3, /* [in] */ long arg_4, /* [size_is][ref][in] */ unsigned char *arg_5, /* [in] */ long arg_6, /* [size_is][ref][out] */ unsigned char *arg_7, /* [ref][out] */ long *arg_8)
  • 40. 4.SCADA TROJANS VI P0WNING THE SUBSTATION XI webvrpcs.exe port 4592 LANDED!
  • 41. 4.SCADA TROJANS VII Recalling Station/Operator p0wned via bwocxrun.ocx 0day Bay Level p0wned via TBOX flawed logic 0day SCADA Front-End p0wned via webvrpcs.exe RPC 0day 3 0days! Almost Stuxnet! ;)
  • 43. 4.SCADA TROJANS VIII nd THE 2 STAGE I We deploy an autonomous agent to attack the State Estimator. Its goal is generating unexpected contingencies, which may end up causing a blackout. Operators will deal with fake results. Only “in memory”. Everything else is correct. The entire EMS is no longer operating within a secure state.
  • 44. 4.SCADA TROJANS VIII nd THE 2 STAGE II States Static Data Dynamic data Measurements Topology Prefiltering Processor State Observability Estimation analysis Nonobservable zones Error Error Detection Identification Estimated state Errors HMI
  • 45. 4.SCADA TROJANS VIII nd THE 2 STAGE III Why an State Estimator? Flows → real + reactive Injections → real + reactive Voltage Current Virtual Measurements Pseudomeasurements
  • 46. 4.SCADA TROJANS VIII nd THE 2 STAGE IV We can describe previous measurements as a function of the system states. hi are nonlinear.
  • 47. 4.SCADA TROJANS VIII nd THE 2 STAGE V Given the state vector The following h (x) are used i Injections Flows
  • 48. 4.SCADA TROJANS VIII nd THE 2 STAGE VI ^ = h(x) and ^ = z – z z ^ r ^ ... WLS ALGORITHM
  • 49. 4.SCADA TROJANS VIII nd THE 2 STAGE VII WLS BASED S.E ALGORITHM (Weighted Least Squares ) 1.Initialize the state vector x =x0 with the flat voltage profile (Vi =1 pu, θi =0) and the 1. iteration counter (k =0). 2. Compute the measurement residuals r =z−h(xk ). 3. Obtain H and G=HTWH. 4. Solve the linear system: ∆xk =G-1 HTW r 5. Update the state vector (xk+1 =xk +∆xk ) and the iteration counter (k =k +1). 6. If any of the elements of x exceeds the specified convergence threshold then return to step 2. Otherwise, stop.
  • 50. 4.SCADA TROJANS VIII nd THE 2 STAGE VIII Our trojan must be triggered during the WLS algorithm. So we have to reverse engineering the target EMS Software to find out where it performs the operations we have been seeing. Due to the complexity of EMS products, we should use tools for “differential debugging”. A great/free tool is “myNav”, implemented as an IDA plugin developed by Joxean Koret. http://code.google.com/p/mynav/
  • 51. // Step 6 - WLS Algorithm - Obtain max value from ∆xk for ( dword_61C068[0] = 1; v9 > 0; --v9 ) { dbl_61BFC8 = fabs(*(double *)&dword_61C6A8[2 * dword_61C068[0]]); if ( dbl_61BFC8 > dbl_61BFD0 ) { dbl_61BFD0 = dbl_61BFC8; dword_61C030 = dword_61C068[0]; } ++dword_61C068[0]; } v3 = dbl_61BFD0; if ( dbl_61BFD0 < dbl_937300[0] ) //Max val from ∆xk < Tolerance { dword_61C02C = 1; v43 = 0; goto No_More_iters; } ++dword_94EDF4; --g_K; // iterations if ( g_K <= 0 ) goto No_More_iters; // It didn't converge
  • 52. TRY IT YOURSELF. PET http://www.ece.neu.edu/~abur/pet.htm l
  • 53. 5.SCADA TROJANS IX MISSION COMPLETED After the successful attack, Reggaetonia suffered random blackouts for months till its own people ,tired of the situation, assaulted the institutions. Every attempt to contract a considerable amount of MW for reggaeton festivals, ended up in an partial blackout. RUBENHISTAN WINS.
  • 54. 6.CONCLUSIONS Trojans designed for SCADA environments, should do their job stealthly,quietly... letting operators think still can trust their HMI/equipment. Combined attacks against State Estimators give you 100% success guaranteed. In the near future, a massive adoption of PMU could set a point of inflection. False data injection, nowadays, is more an academic attack than a real world attack IMHO. We have presented a general attack against SE.
  • 55. HACK THE PLANET TAKE YOUR MW! RUBEN SANTAMARTA @reversemode