scada deep inside protocols and security mechanisms
play

SCADA deep inside: protocols and security mechanisms Aleksandr - PowerPoint PPT Presentation

Dec 06, 2022 •202 likes •1.03k views

SCADA deep inside: protocols and security mechanisms Aleksandr Timorin 05|06|07 September 2014 # whoami penetration tester at Positive Technologies SCADA security researcher, main specialisation -

  1. SCADA deep inside: protocols and security mechanisms Aleksandr Timorin � � � � � � � � 05|06|07 September 2014

  2. # whoami penetration tester at Positive Technologies • SCADA security researcher, main specialisation - industrial protocols • SCADAStrangeLove team member -> scadasl.org • speaker at PHDays, Power Of Community, Chaos Communication • Congress (workshop), CONFidence @atimorin • atimorin@ptsecurity.com • SCADA deep inside: protocols and security mechanisms BalCCon2k14 2

  3. # whoami SCADA deep inside: protocols and security mechanisms BalCCon2k14 3

  4. # agenda intro to scada world • current situation in ICS network security • overview of industrial protocols • well-known protocols: profinet, modbus, dnp3, goose • go to particular: • IEC 61850-8-1 (MMS) • IEC 61870-5-101/104 • FTE • Siemens S7 • how to analyse protocols • real case • outro: releases, QA • SCADA deep inside: protocols and security mechanisms BalCCon2k14 4

  5. # intro to scada world ICS - Industrial Control System SCADA - Supervisory Control And Data Acquisition PLC - Programmable Logic Controller HMI - Human-Machine Interface RTU - Remote Telemetry Unit Sensor, Actuator � … and much more � � � SCADA deep inside: protocols and security mechanisms BalCCon2k14 5

  6. # intro to scada world many many vendors in the world: siemens • advantech • problems in security: citectscada • � each vendor - own codesys • • protocol, technology moxa • etc. schneider electric • out-of-date: don’t • rslogics touch if it works! • patch management • general electric • cycle wellintech • � sielco sistemi • � emerson wild wild industrial world • abb • advanced micro controls • …. • SCADA deep inside: protocols and security mechanisms BalCCon2k14 6

  7. # current situation in ICS network security absolutely unbreakable ICS NETWORK ??? SCADA deep inside: protocols and security mechanisms BalCCon2k14 7

  8. # current situation in ICS network security NO, because of: � typical network devices with default/crappy settings ➡ unpatched, old as dirt, full of junk software [malware] engineering ➡ workstations wireless AP with WEP (if the best happend) ➡ low physical security ➡ … and ➡ industrial protocols ➡ SCADA deep inside: protocols and security mechanisms BalCCon2k14 8

  9. # current situation in ICS network security � � typical network devices with default/crappy settings ➡ unpatched, old as dirt, full of junk software [malware] engineering ➡ workstations wireless AP with WER (if the best happend) ➡ low physical security ➡ … and ➡ industrial protocols ➡ SCADA deep inside: protocols and security mechanisms BalCCon2k14 9

  10. # current situation in ICS network security How protocols live in the network ? � full expanse • not blocked by firewalls/switches • accessible between LAN segments • works from data link layer to application layer • easy to detect • easy to intercept, analyse, reproduce and reply (but not all ! ) • SCADA deep inside: protocols and security mechanisms BalCCon2k14 10

  11. # overview of industrial protocols modbus • profibus • profinet • dnp3 • ethernet/ip • s5/s7 (siemens protocols family) • CIP (rockwell automation) • cc-link (mitsubishi electric factory automation) • bacnet • iec 60870, iec 61850, iec 61107 • m-bus • zigbee • goose … • iec - international electrotechnical commission SCADA deep inside: protocols and security mechanisms BalCCon2k14 11

  12. # overview of industrial protocols SCADA deep inside: protocols and security mechanisms BalCCon2k14 12

  13. # modbus published by Modicon (now Schneider Electric) in 1979 • widely used for connecting industrial electronic devices • in XX: through rs-232/rs-485 • in XXI: modbus tcp • standard port 502/tcp • � � � SCADA deep inside: protocols and security mechanisms BalCCon2k14 13

  14. # modbus functions: � data access: read/write coils, registers, file records • diagnostics: device identification • user defined functions • � � � tools: � wireshark dissector • plcscan ( https://code.google.com/p/plcscan/ ) • modbus-discover nse (by Alexander Rudakov) • modbus simulators () • SCADA deep inside: protocols and security mechanisms BalCCon2k14 14

  15. # modbus security ? no authentication • no encryption • no security • � transaction id: 2 bytes protocol id: 2 bytes (always 0) length: 2 bytes unit id: 1 byte function code: 1 byte data … SCADA deep inside: protocols and security mechanisms BalCCon2k14 15

  16. # dnp3 DNP3 Distributed Network Protocol first version in 1990 • standartized by IEEE only on 2010 • mainly used in water and electric industry • master - outstation communication • tcp/udp standard port 20000 • � tools: • wireshark dissector • free implementation https://code.google.com/p/dnp3/ � security ? DNP3 Secure Authentication v5. First version in 2007. Add device and user authentication Data protection SCADA deep inside: protocols and security mechanisms BalCCon2k14 16

  17. # dnp3 dnp3 frame: header - 10 bytes • data - max 282 bytes • � header: sync - 2 bytes • length -1 byte • link control - 1 byte • destination addr - 2 bytes • source addr - 2 bytes • crc - 2 bytes • � each device in network has unique address 1..65520 crc for every 16 bytes of data -> max frame len = 292 bytes work on iso/osi layers: data link layer, transport layer, application layer SCADA deep inside: protocols and security mechanisms BalCCon2k14 17

  18. # profinet dcp PROFINET family � Profinet CBA/IO/PTCP/DCP • iec 61158, iec 61784 in 2003 • Ethernet type 0x8892 • exchange data in real-time cycles • multicast discovery devices and stations • � security ? no encryption • no authentication • no security • SCADA deep inside: protocols and security mechanisms BalCCon2k14 18

  19. # profinet dcp PROFINET DCP - Discovery and basic Configuration Protocol � � � � � � � � � SCADA deep inside: protocols and security mechanisms BalCCon2k14 19

  20. # profinet dcp frame types: request 0xfefe • response 0xfeff • get/set 0xfefd • � multicast identify (scapy code): payload=‘ fefe05000401000200800004ffff ’.decode(‘hex’) srp(Ether(type=0x8892, src=smac, dst=’01:0e:cf:00:00:00’)/payload) � fefe request 05 service id: identify 00 service type: request 04010002 xid (request id) 0080 delay 0004 data len ff option: all ff suboption: all SCADA deep inside: protocols and security mechanisms BalCCon2k14 20

  21. # profinet dcp main interesting fields for playing is option and suboption • for example, set/get network info: opt 0x01, subopt 0x02 • led flashing: opt 0x05, subopt 0x03 • � so we can: scan profinet supported devices and stations • change name of station • change ip, netmask, gateway • request full network info • LED flashing: PLC, HMI (simulates that smth wrong with • device) and much more • SCADA deep inside: protocols and security mechanisms BalCCon2k14 21

  22. # profinet dcp profinet dcp scanner (raw sockets and scapy versions) � � � � � � � discover all devices (PC, PLC, HMI) in subnet � SCADA deep inside: protocols and security mechanisms BalCCon2k14 22

  23. # profinet dcp profinet fuzzer: fuzz options and sub options on plc siemens s7-1200 � CVE-2014-2252 “An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system.” � what is “specially crafted profinet packets” ? SCADA deep inside: protocols and security mechanisms BalCCon2k14 23

  24. # profinet dcp CVE-2014-2252 � just “set” request: set network info with all zero values. � ip 0.0.0.0 mask 0.0.0.0 gw 0.0.0.0 � � � � SCADA deep inside: protocols and security mechanisms BalCCon2k14 24

  25. # profinet dcp DEMO: CVE-2014-2252 SCADA deep inside: protocols and security mechanisms BalCCon2k14 25

  26. # goose GSE - Generic Substation Events - fast and reliable mechanism for transfer events data over entire substation networks: • IEC 61850 • multicast, broadcast mechanism � GSE: • GOOSE: Generic Object Oriented Substations Events • GSSE: Generic Substation State Events SCADA deep inside: protocols and security mechanisms BalCCon2k14 26

  27. # goose • data as grouped dataset • transmitted within 4 ms • works on second layer (Ethernet) of ISO/OSI model • using publisher-subscriber mechanism -> broadcast, multicast MAC addresses (publisher ~ sender, subscriber ~ receiver) • use VLAN (IEEE 802.1Q standard) • message priority level (by VLAN PCP - Priority Code Point - in TCI field of packet) • retransmission mechanism and a message state number (new or retransmitted) • brand independent (i.e., IDE - intelligent electronic devices by some vendors doesn’t require specific cables) SCADA deep inside: protocols and security mechanisms BalCCon2k14 27

Recommend

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security Prashant Anantharaman, Dartmouth College pa@cs.dartmouth.edu http://cs.dartmouth.edu/~pa CREDC Industry Workshop March 27-29, 2017 Funded by the U.S.

583 views • 36 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen Operations Support Manager Western Area Power Administration Sub Substation Ne station Netwo twork rk Sec Security urity Tyler Stinson

627 views • 13 slides
SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL INTERNAL ONLY 2 Where are the Threats Coming From? External Sources SCADA systems are often interconnected to other SCADA systems and

480 views • 12 slides
Adaptation of Failure Detection Mechanisms to Handle Attacks against SCADA Systems J.

Adaptation of Failure Detection Mechanisms to Handle Attacks against SCADA Systems J.

Adaptation of Failure Detection Mechanisms to Handle Attacks against SCADA Systems J. RUBIO-HERNAN and J. GARCIA-ALFARO Agenda Introduction State of the Art Physical-layer Failure Detection Mechanisms Conclusion & Future

465 views • 28 slides
SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and other Gleb Gritsai *All pictures are taken from Dr Group of security researchers focused on ICS/SCADA Alexander Timorin Dmitry Serebryannikov

1.13k views • 65 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc.

SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc.

SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc. June 22, 2012 HACK IN PARIS Agenda SCADA Basics Threats (where, why & how) Challenges Recommendations and Proposals ScadaScan tool HACK

997 views • 65 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK. E-Mail: andrew.blyth@southwales.ac.uk SCADA and Ukraine SCADA Hacking Typical SCADA Critical Infrastructure Architecture 4 SCADA and IPC Forensic

303 views • 17 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
1 Cryptography basics Secret-key encryption Algorithms (E, D) are widely known Also

1 Cryptography basics Secret-key encryption Algorithms (E, D) are widely known Also

Security The security environment Basics of cryptography User authentication Chapter 9: Security Attacks from inside the system Attacks from outside the system Protection mechanisms Trusted systems CS 1550, cs.pitt.edu

538 views • 11 slides
Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

830 views • 69 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
Chapter 9: Security Security The security environment Basics of cryptography User

Chapter 9: Security Security The security environment Basics of cryptography User

Chapter 9: Security Security The security environment Basics of cryptography User authentication Attacks from inside the system Attacks from outside the system Protection mechanisms Trusted systems Chapter 9: Security

801 views • 65 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides originally by Ross Anderson Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography

1.47k views • 118 slides
THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS COMMUNICATIONS Dieter Gtschow Telecommunications specialist Industry Association Resource Centre African Utility Week, 810 May 2006 Overview

549 views • 21 slides
Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013 Agenda SCADA 101 Attack Scenarios Common Vulnerabilities Remediation Exploit Demo SCADA 101 SCADA DCS Supervisory Distributed

626 views • 45 slides
_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor slrtu030.doc ~_-Computer Alternate Signal Path (3 x #16 wires) 3.275 Ghz Satollite Earth Station 3.275 Ghz Satellite _-'/P"lnK Antenna

2.28k views • 183 slides
Software Security Ge Zhang Security: When is it software problem Network Problem: caused by

Software Security Ge Zhang Security: When is it software problem Network Problem: caused by

Software Security Ge Zhang Security: When is it software problem Network Problem: caused by the flaws in networking mechanisms such as network protocols. OS Problem: caused by the flaws in OS mechanisms such OS resource management

976 views • 64 slides
Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery cryptosystems Computer Security Designing secure protocols February 10, 2003 Basic protocols Key exchange Lecture 8 Lecture 8 Page 1 Page

148 views • 10 slides
What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

1.23k views • 87 slides

More recommend