jonathan pollet conference part 1 control system
play

Jonathan Pollet conference Part 1: Control System Vulnerabilities - PowerPoint PPT Presentation

May 28, 2023 •201 likes •413 views

Rome, May 31, 2011 Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities > analysis of 5 years of field data Jonathan Pollet, CISSP , CAP , PCIP Red Tiger Security [on behalf of the DHS CSSP

  1. Rome, May 31, 2011 Jonathan Pollet conference Part 1: Control System Vulnerabilities

  2. control system vulnerabilities > analysis of 5 years of field data Jonathan Pollet, CISSP , CAP , PCIP Red Tiger Security [on behalf of the DHS CSSP program - contract #240704] 1

  3. Jonathan Pollet – CISSP, PCIP, CAP — 12 Years of Electrical Engineering, SCADA, Industrial Controls, and IT Experience PLC Programming and SCADA System Design and Commissioning — Wireless RF and Telecommunications Design and Startup — Front-end Web Development for SCADA data — Backend Database design for SCADA data — Acting CIO for Major Oil Company for 2 years – Enterprise IT Management — — Last 8 Years Focused on SCADA and IT Security Published White Papers on SCADA Security early in 2001 — Focused research and standards development for SCADA Security since 2002 — Conducted over 120 security assessments on Critical Infrastructure systems — Conducted over 75 International conferences and workshops on CIP — Developed safe security assessment methodology for live SCADA Systems — Co-developed the SCADA Security Advanced 5-day training course — 2

  4. outline — background on the project — review of ISA99 architecture model — source for data used in the analysis — interesting results — avg. # of days between vulnerability disclosure and discovery — where in the architecture are most vulns being discovered — does the type of vulnerabilities change throughout the architecture — workstation HMI vulnerabilities ranked by OS — network vs. host/application vulns throughout the architecture — interesting security findings on control system networks — Q & A 3

  5. project background — Over 38,000 control system vulnerabilities collected over 5 years from mid-2002 to 2008 — Over 100 security assessments performed on critical infrastructure facilities such as electric power generation plants, transmission energy control centers, chemical plants, water plants, and oil/gas production, refining, and pipeline systems — Vulnerability analysis and classification conducted under research project facilitated by INL and funded through the DHS Control Systems Security Program contract #240704 — ISA99 architecture model used to classify where the vulnerabilities were discovered in the systems 4

  6. 5

  7. data source – what was collected? — From mid-2002 to 2008, vulnerability data was stripped of any client information and the raw vulnerabilities were captured in a database — Vulnerability ID (auto-numbered from entry number 1) — Vulnerability Title (title for the vulnerability) — Security Zone or Location (location based on the ISA99 model where the vulnerability was located) — Disclosure Date (date when vulnerability was disclosed) — Discovery Date (date when vulnerability was discovered by the team and entered into the database) — Days Between Disclosure and Discovery (time between disclosure and detection) — Vulnerability Detailed Description — Vulnerability Suggested Remediation Steps 6

  8. interesting results — avg. # of days between vulnerability disclosure and discovery — all field data was exported from the database to an excel spreadsheet containing over 38,000 rows, and much of the analysis had to be performed manually — since we captured when the vulnerability was disclosed in the public, and also captured when the vulnerability was discovered and entered into the database, we were able to perform a simple diff against these two fields — vulnerabilities that were never disclosed in the public were thrown out of this particular exercise since negative or zero entries would throw off the calculations — the maximum number of days between when a vulnerability was disclosed in the public and when it was found during an assessment was over 3 years! — the average was 331 days, or close to 1 year. this means that on average most SCADA and process control environments contained latent vulnerabilities, probably with compiled exploits, and were not discovered until almost a year later, and would not have been discovered had not the asset owner funded the assessment. 7

  9. where are the vulnerabilities being discovered? Vulnerabilities by Location in Architecture 0,3% 0,0% Level 5 - Internet DMZ zone 11,8% 16,9% Level 4 - Enterprise LAN zone Level 3 - Operations DMZ Level 2 - Supervisory HMI LAN 24,7% Level 1 - Controller LAN 46,3% Level 0 - Instrumentations bus network 8

  10. does the type of vulnerabilities change throughout the architecture? — classified each vulnerability by the system that was impacted and where the vulnerability was found in the architecture — The data set emerged a common set of system types at each network zone or segment: Email Server Applications — Web Server Platforms (Apache and IIS) — Business Applications — Shopping Cart Applications — Applications written on PHP platform — Applications written on ASP or .NET platform — Database Servers (MS SQL, mySQL, and Oracle) — FTP Servers — Portal Servers (Blogs, Forums, etc…) — Workstation (client) vulnerabilities — 9

  11. systems impacted at the Internet DMZ zone Internet DMZ Vulnerabilities Email Server Applications 0,0% Web Server Platforms (Apache and IIS) 11,4% 12,7% 1,2% Business Applications 5,6% Shopping Chart Applications Applications written on PHP platform 10,0% 23,3% Applications written on ASP or .NET platform Database Servers (MS SQL, mySQL, and Oracle) FTP Servers 25,8% 7,8% Portal Servers (Blogs and Forums) Workstation (client) vulnerabilities 2,2% 10

  12. systems impacted at the Enterprise LAN zone Enterprise LAN Vulnerabilities Email Server Applications Web Server Platforms (Apache and IIS) 9,7% 12,5% Business Applications 5,9% 1,2% Shopping Chart Applications 19,3% Applications written on PHP platform 12,6% Applications written on ASP or .NET platform Database Servers (MS SQL, mySQL, and Oracle) 5,9% FTP Servers 23,4% 4,6% Portal Servers (Blogs and Forums) 5,0% Workstation (client) vulnerabilities 11

  13. systems impacted at the Operations DMZ zone Operations DMZ Vulnerabilities Email Server Applications 3,3% Web Server Platforms (Apache and IIS) 5,5% 6,0% Business Applications 3,9% Shopping Chart Applications Applications written on PHP platform 19,8% Applications written on ASP or .NET platform 41,4% Database Servers (MS SQL, mySQL, and Oracle) FTP Servers 2,3% 1,5% Portal Servers (Blogs and Forums) 1,1% 15,3% Workstation (client) vulnerabilities 12

  14. workstation HMI vulnerabilities ranked by OS Supervisory HMI LAN Vulnerabilities Microsoft-based Operating System or Applications Red Hat Linux Operating System or Applications 1,4% 11,5% Tru64 Operating System or Applications 4,4% HPUX Operating System or Applications 2,4% IBM AIX Operating System or Applications 8,3% FreeBSD Operating System or Applications 6,7% 62,2% SCO UNIX Operating System or Applications 2,2% 0,9% Sun Solaris Operating System or Applications SuSE Linux Operating System or Applications 13

  15. only logged 105 controller LAN vulnerabilities, but QnX showed up as the most typical source Controller LAN Vulnerabilities Vulnerabilities in Controller LAN due to 15,2% 19,0% Phone/Telecom Equip Vulnerabilities in Controller LAN due to QNX Misc. Vulnerabilities 65,7% 14

  16. network vs. host/application vulns throughout the architecture Network versus Host/Application Vulnerabilities by Location in Architecture 100% 90% 80% 70% 64,0% 60% 90,7% Host/Application 95,1% 96,7% 50% 40% 30% Network 20% 35,4% 10% 9,3% 3,4% 3,3% 0% Level 5 - Internet DMZ zone Level 4 - Enterprise LAN Level 3 - Operations DMZ Level 2 - Supervisory HMI zone LAN 15

  17. interesting security findings on control system networks VOIP (Voice over IP) Systems Software license cracking executables (CD-key — — generators) Network Video Recording Devices — Torrent client software on Supervisor HMI LAN — Network Surveillance Equipment and Software — Paging Software Server (i.e. Air Messenger Server — connected to both the SCADA and Internet for Adult Video Directory Scripts — SMTP relay out) Online Dating Service Databases — America Online Clients — Advanced Forensics Format (AFF) archives — MP3 Music and Video Playing Software including — iTunes Gaming Software Servers — aGSM - a freeware game server info monitoring utility — Streaming Music and Radio software with — vulnerabilities Alien Arena 2006 Gold Edition — Counter Strike — BitTorrent Clients (for peer-to-peer file sharing) — Brood Wars — Battlefield 1942 Server and Clients — MSN and other IM chat clients — Quake 2 and Quake 3 Game Servers found in Supervisor — HMI LAN Anonymous FTP Servers running waiting for Soldier of Fortune II — — connections 16

Recommend

Jonathan Pollet conference Part 2: Stuxnet APT-Style Attacks on SCADA Systems Stuxnet Night

Jonathan Pollet conference Part 2: Stuxnet APT-Style Attacks on SCADA Systems Stuxnet Night

Rome, May 31, 2011 Jonathan Pollet conference Part 2: Stuxnet APT-Style Attacks on SCADA Systems Stuxnet Night Dragon Jonathan Pollet, CAP, CISSP, PCIP Founder, Principal Consultant Red Tiger Security - USA 1 speaker Jonathan

223 views • 21 slides
APT-Style Attacks on SCADA Systems Stuxnet Night Dragon Jonathan Pollet, CAP, CISSP, PCIP

APT-Style Attacks on SCADA Systems Stuxnet Night Dragon Jonathan Pollet, CAP, CISSP, PCIP

APT-Style Attacks on SCADA Systems Stuxnet Night Dragon Jonathan Pollet, CAP, CISSP, PCIP Founder, Principal Consultant Red Tiger Security - USA 1 speaker Jonathan Pollet, CISSP, CAP, PCIP Started as a Control Systems Engineer

352 views • 20 slides
Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2

Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2

Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2 Part 2 Introduction to centralized control Independent joint decentralized control may prove inadequate when the user requires high task

673 views • 36 slides
Auditory System & Hearing Chapters 9 part II Lecture 16 Jonathan Pillow Sensation &

Auditory System & Hearing Chapters 9 part II Lecture 16 Jonathan Pillow Sensation &

Auditory System & Hearing Chapters 9 part II Lecture 16 Jonathan Pillow Sensation & Perception (PSY 345 / NEU 325) Spring 2019 1 Phase locking : Firing locked to period of a sound wave example of a temporal code Histogram

698 views • 23 slides
Auditory System & Hearing (Chapters 10, part II) Lecture 18 Jonathan Pillow Sensation &

Auditory System & Hearing (Chapters 10, part II) Lecture 18 Jonathan Pillow Sensation &

Auditory System & Hearing (Chapters 10, part II) Lecture 18 Jonathan Pillow Sensation & Perception (PSY 345 / NEU 325) Spring 2015 1 Q: How do you detect the location of a sound? Main answer: timing differences loudness

1.02k views • 42 slides
Auditory System & Hearing Chapters 9 part II Lecture 17 Jonathan Pillow Sensation &

Auditory System & Hearing Chapters 9 part II Lecture 17 Jonathan Pillow Sensation &

Auditory System & Hearing Chapters 9 part II Lecture 17 Jonathan Pillow Sensation & Perception (PSY 345 / NEU 325) Fall 2017 1 Cochlea: physical device tuned to frequency! place code : tuning of different parts of the cochlea

488 views • 24 slides
How much structure is needed? The case of the Persian VP Pegah Faghiri & Pollet Samvelian

How much structure is needed? The case of the Persian VP Pegah Faghiri & Pollet Samvelian

How much structure is needed? The case of the Persian VP Pegah Faghiri & Pollet Samvelian Universit Sorbonne Nouvelle & CNRS {pegah.faghiri,pollet.samvelian}@univ-paris3.fr HeadLex 2016, Warsaw Poland 1 / 50 Outline Goals and

791 views • 49 slides
EoI on Acc. Control System (PSP 2.14.10) - part of Common Systems by GSI/Germany - Ralph C. Br

EoI on Acc. Control System (PSP 2.14.10) - part of Common Systems by GSI/Germany - Ralph C. Br

CR EoI- -Meeting Meeting CR EoI EoI on Acc. Control System (PSP 2.14.10) - part of Common Systems by GSI/Germany - Ralph C. Br / Udo Krause 08.10.2008 Description on EoI (acc. control system) Description on EoI (acc. control system) The

782 views • 9 slides
Whos In Control of Your Control System? Device Fingerprin<ng for Cyber-Physical Systems David

Whos In Control of Your Control System? Device Fingerprin<ng for Cyber-Physical Systems David

Whos In Control of Your Control System? Device Fingerprin<ng for Cyber-Physical Systems David Formby 1 , Preethi Srinivasan 1 , Andrew Leonard 2 , Jonathan Rogers 2 , Raheem Beyah 1 Communica<ons Assurance and Performance (CAP) Group

269 views • 25 slides
1 Elevator Control Quadrant Elevator Control Quadrant Processes passing Processes that

1 Elevator Control Quadrant Elevator Control Quadrant Processes passing Processes that

Process Selection Case Studies Elevator Control Quadrant Elevator control quadrant: The quadrant is part of the control system for the Aerospace part - Elevator control quadrant wing-elevator of a commercial aircraft. It is to be made of

756 views • 4 slides
Industrial Robots Industrial Robots Control Control Part 1 Control Control Part 1 Part 1

Industrial Robots Industrial Robots Control Control Part 1 Control Control Part 1 Part 1

Industrial Robots Industrial Robots Control Control Part 1 Control Control Part 1 Part 1 Part 1 Introduction to robot control The motion control problem motion control problem consists in the design of control algorithms for the robot

822 views • 46 slides
What is process control system Why a new control system? Aiming control system field main flaws

What is process control system Why a new control system? Aiming control system field main flaws

What is process control system Why a new control system? Aiming control system field main flaws Fully-featured systems are expensive and not available to general public - professional individuals, schools, small companies... AIMING: WIDE USE

350 views • 9 slides
Whos In Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems David

Whos In Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems David

Whos In Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems David Formby , Preethi Srinivasan, Andrew Leonard, Jonathan Rogers, Raheem Beyah NDSS 2016 Presented by: Yi Zhang October 18 th , 2016 Cyber Physical

481 views • 20 slides
An introduction to Control Groups (cgroups) (plus some systemd evangelizing) Who am I? Jonathan

An introduction to Control Groups (cgroups) (plus some systemd evangelizing) Who am I? Jonathan

An introduction to Control Groups (cgroups) (plus some systemd evangelizing) Who am I? Jonathan maw (not James Thomas) jonathan.maw@codethink.co.uk Responsibilities: GENIVI Node Startup Controller AGL Distro OS/Common Libs

426 views • 8 slides
The ELT Site Control System Nick Kornweibel Control System Project Manager RTI Connext

The ELT Site Control System Nick Kornweibel Control System Project Manager RTI Connext

The ELT Site Control System Nick Kornweibel Control System Project Manager RTI Connext Conference 9 th May 2017 Site Armazones Peak 3050 m. high. & 25 km from Paranal Armazones Paranal Selection criteria: impact on science,

556 views • 17 slides
Agenda The teleconference system in Kyushu University H.323 TV conference system

Agenda The teleconference system in Kyushu University H.323 TV conference system

MCU (Multi point Control Unit) for H.323 and software Polycom Yasuaki Antoku Kyushu Univ. Hospital / Japan Agenda The teleconference system in Kyushu University H.323 TV conference system MCU(Multi point Control Unit) H.323

815 views • 11 slides
Color Constancy Lecture 11 Chapter 5, Part 3 Jonathan Pillow Sensation & Perception (PSY

Color Constancy Lecture 11 Chapter 5, Part 3 Jonathan Pillow Sensation & Perception (PSY

Color Constancy Lecture 11 Chapter 5, Part 3 Jonathan Pillow Sensation & Perception (PSY 345 / NEU 325) Princeton University, Spring 2015 1 Color Constancy The visual system uses a variety of tricks to make sure things look the same

499 views • 46 slides
Top FINRA Enforcement Issues and Trends of 2019 Brian Rubin Adam Pollet Donald McElligott

Top FINRA Enforcement Issues and Trends of 2019 Brian Rubin Adam Pollet Donald McElligott

Top FINRA Enforcement Issues and Trends of 2019 Brian Rubin Adam Pollet Donald McElligott Partner Counsel VP, Compliance Supervision Eversheds Sutherland Eversheds Sutherland Global Relay Speakers Brian Rubin Adam Pollet Donald

959 views • 24 slides
Summary 12th June 2003 The ST/CV control system requirements ST/CV control system

Summary 12th June 2003 The ST/CV control system requirements ST/CV control system

LHC Controls Project Workshop Summary 12th June 2003 The ST/CV control system requirements ST/CV control system architecture ST/CV Control System and Projects Integration in CERN Network Projects and contracts ( running /

202 views • 4 slides
director One system to control them all Director excels at PA system supervision and control

director One system to control them all Director excels at PA system supervision and control

connect. control. monitor. visualize. director One system to control them all Director excels at PA system supervision and control Supported public address systems What is Director and what can it do? Director is a system management so

699 views • 15 slides
on a European System for Continuing Educational Activities of Dentists Jonathan Cowpe Emeritus

on a European System for Continuing Educational Activities of Dentists Jonathan Cowpe Emeritus

Update and Discussion on a European System for Continuing Educational Activities of Dentists Jonathan Cowpe Emeritus Professor School of Dentistry, Cardiff University, Wales, UK ADEE Annual Conference: Vilnius, Lithuania Learning together

811 views • 28 slides
Congestion Control Mark Handley Outline Part 1: Traditional congestion control for bulk

Congestion Control Mark Handley Outline Part 1: Traditional congestion control for bulk

Congestion Control Mark Handley Outline Part 1: Traditional congestion control for bulk transfer. Part 2: Congestion control for realtime traffic. Part 3: High-speed congestion control. Part 1 Traditional congestion control for

1.23k views • 98 slides
Crea%ng Videos Part I Funding for this conference was made

Crea%ng Videos Part I Funding for this conference was made

Crea%ng Videos Part I Funding for this conference was made possible (in part) by the Centers for Disease Control and Preven=on. The views expressed in

513 views • 8 slides
Session 3.3 Voltage Management, LV Modelling and System Control LCNI Conference Wednesday 12

Session 3.3 Voltage Management, LV Modelling and System Control LCNI Conference Wednesday 12

Session 3.3 Voltage Management, LV Modelling and System Control LCNI Conference Wednesday 12 October 2016 1 Paul Turner Innovation Delivery Manager 2 Smart Street project overview Extensive 11.5m, Started in Jan Quicker Trials period

461 views • 31 slides

More recommend