Hosted by OWASP & the NYC Chapter Vulnerability Analysis of 2013 SCADA issues Amol Sarwate Director of Vulnerability Labs, Qualys Inc.
1 Vulnerability Analysis of 2013 SCADA issues. Amol Sarwate, Director of Vulnerability Labs, Qualys Inc.

2 Agenda: SCADA components; 2013 vulnerability analysis; recommendations and proposals.

3 SCADA, DCS, ICS

5 Accidents: liquid pipeline failures (http://www.ntsb.gov/doclib/safetystudies/SS0502.pdf); power failures (http://www.nerc.com/docs/docs/blackout/Status_Report_081104.pdf); other accidents (http://en.wikipedia.org/wiki/List_of_industrial_disasters).

6 Vandalism: vandals destroy insulators (http://www.bpa.gov/corporate/BPAnews/archive/2002/NewsRelease.cfm?ReleaseNo=297).

7 Insider: disgruntled employee (http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/).

8 APT: terrorism or espionage (http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf).

9 2009 - 2013 SCADA vulnerabilities (estimate; chart slide).

10 Components: Field; Control Center.

11 Acquisition: converts parameters like light, temperature, pressure or flow to analog signals.

12 Conversion: converts analog and discrete measurements to digital information.

13 Communication: front end processors (FEP) and protocols; wired or wireless communication. Protocols listed: Modbus, DNP 3, OPC, ICCP, ControlNet, BBC 7200, ANSI X3.28, DCP 1, Gedac 7020, DeviceNet, DH+, ProfiBus, Tejas, TREUCA.

14 Presentation & Control: control, monitoring and alarming using a human machine interface (HMI).

15 2013 vulnerabilities by category (chart slide).

16 Acquisition
– Requires physical access
– Field equipment does not contain process information
– Information like "valve 16" or "breaker 9B"
– Without process knowledge, attacks lead only to nuisance disruption

17 Emerson ROC800 vulnerabilities
– CVE-2013-0693: Network beacon broadcasts allow detection
– CVE-2013-0692: OSE debug port service
– CVE-2013-0694: Hardcoded accounts with passwords
– Access: AV:N, AC:L, Au:N
– Impact: C:C, I:C, A:C
– Patch available from Emerson

18 Siemens CP 1604 / 1616 interface card vulnerability
– Siemens security advisory: SSA-628113
– CVE-2013-0659: Open debugging port in CP 1604/1616
– UDP port 17185
– Access: AV:N, AC:L, Au:N
– Impact: C:C, I:C, A:C
– Patch available from Siemens

19 Communication

20 Modbus vulnerabilities
– CVE-2013-2784: Triangle Research Nano-10 PLC crafted packet handling remote DoS
– CVE-2013-0699: Galil RIO-47100 PLC crafted Modbus packet handling remote DoS
– RBS-2013-003: Schneider Electric multiple Modbus MBAP DoS and RCE
(Pictured: Nano-10 PLC, RIO-47100 PLC)

21 DNP vulnerabilities
– CVE-2013-2791: MatrikonOPC Server DNP3 packet handling buffer overflow
– CVE-2013-2798: Schweitzer Real-Time Automation Controllers (RTAC) local DoS
– CVE-2013-2788: SUBNET SubSTATION Server DNP3 outstation slave remote DoS
– CVE-2013-2783: IOServer DNP3 packet handling infinite loop
(Pictured: Schweitzer RTAC, IOServer, Matrikon OPC Server)

22 Security analysis of SCADA protocols. Free Modbus and DNP tool: http://code.google.com/p/scadascan/
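Slides 20 and 22 are about crafted Modbus packets that crash PLCs and about analysing the protocol on the wire. The following added example (my own code, not ScadaScan and not from the presentation) shows the MBAP-layer checks a monitor or fuzz-result triage script can apply to a Modbus/TCP payload: protocol id, the length field against the bytes actually present, the 260-byte ADU ceiling, and the 1..125 register quantity limit for Read Holding Registers. The sample frames are constructed, not captured traffic.

```python
"""MBAP-layer sanity checks for Modbus/TCP frames (added example; not ScadaScan code)."""
import struct

MBAP_LEN = 7            # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260           # Modbus/TCP ADU limit: 7-byte MBAP + 253-byte PDU
PROTOCOL_MODBUS = 0     # the only protocol id defined for Modbus/TCP
FC_READ_HOLDING = 0x03  # Read Holding Registers; quantity must be 1..125


def check_modbus_tcp(frame: bytes) -> list:
    """Return a list of findings for one TCP payload; [] means the frame is well-formed."""
    findings = []
    if len(frame) < MBAP_LEN + 1:
        return ["truncated: shorter than MBAP header plus function code"]
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != PROTOCOL_MODBUS:
        findings.append(f"protocol id {proto} is not Modbus (0)")
    # The length field counts unit id + PDU, i.e. every byte after the first six.
    on_wire = len(frame) - 6
    if length != on_wire:
        findings.append(f"length field {length} does not match {on_wire} bytes on the wire")
    if len(frame) > MAX_ADU:
        findings.append(f"ADU of {len(frame)} bytes exceeds the {MAX_ADU}-byte maximum")
    pdu = frame[MBAP_LEN:]
    func = pdu[0]
    if func == FC_READ_HOLDING and len(pdu) >= 5:
        start, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= 125:
            findings.append(f"unit {unit} tid {tid}: read holding registers quantity {qty} outside 1..125")
    return findings


# Constructed sample frames (not captured traffic): transaction 1, unit 1, function code 3.
GOOD_FRAME = bytes.fromhex("00010000000601030000000a")        # read 10 registers from address 0
BAD_LENGTH_FRAME = bytes.fromhex("00010000ffff01030000000a")  # length field does not match payload
BAD_QTY_FRAME = bytes.fromhex("0001000000060103000000c8")     # asks for 200 registers

if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("bad_length", BAD_LENGTH_FRAME), ("bad_qty", BAD_QTY_FRAME)]:
        print(name, check_modbus_tcp(frame) or "ok")
```

Frames that fail these checks are exactly the kind of malformed input behind the crafted-packet DoS entries above, so logging them at a network tap gives an early signal without touching the PLC.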

23 SSH, FTP, TFTP, IGMP, SNMP
– CVE-2013-0137: Monroe Electronics default root SSH key remote access
– CVE-2012-4697: TURCK BL20 / BL67 FTP service hardcoded admin credentials
– CVE-2013-2800: OSIsoft PI Interface for IEEE C37.118 memory corruption
– CVE-2013-0689: Emerson RTU TFTP server file upload arbitrary code execution
– CVE-2013-3634: Siemens Scalance X200 IRT SNMP command execution
– Korenix multiple JetNet switches TFTP server arbitrary file creation
– RuggedCom ROX-II IGMP packet saturation RSTP BPDU prioritization weakness
– Korenix multiple JetNet switches SSL / SSH hardcoded private keys

24 Presentation & Control

25 Presentation & Control
– CVE-2013-2299: Advantech WebAccess /broadWeb/include/gAddNew.asp XSS
– CVE-2013-0684: Invensys Wonderware Information Server (WIS) SQL injection
– CVE-2013-3927: Siemens COMOS client library local database object manipulation
– CVE-2013-0680: Cogent DataHub crafted HTTP request header parameter stack overflow
– CVE-2013-0652: General Electric (GE) Intelligent Proficy Java Remote Method Invocation
– CVE-2008-0760: SafeNet Sentinel Protection Server HTTP request directory traversal and arbitrary file access
– CVE-2012-3039: Moxa OnCell Gateway predictable SSH / SSL connection key generation
– Weidmüller WaveLine Router web interface config.cgi configuration manipulation CSRF

26 Real world issues: control system network connected to the corporate network or the internet.

27 Real world issues: no authentication; no per-user authentication.

28 Real world issues: delayed patching, if any.

29 Real world issues: default passwords; shared passwords; no password change policy.

30 Real world issues: systems not restarted in years.

31 Real world issues: off-the-shelf software (operating system, database, browser, web server).

32 Real world issues: unnecessary services.

33 Real world issues: internal differences between IT and SCADA engineers.

34 System wide challenges: long life cycle of a SCADA system.

35 System wide challenges: long life cycle of a SCADA system; cost and difficulty of an upgrade.

36 Proposals: SCADA network auditing.

37 Proposals: Is your SCADA system exposed on the internet?

38 Proposals: password policy, access control and access roles.

39 Proposals: Are all services necessary?

40 Proposals: use secure protocols.

41 Proposals: strategy for software update and patching.

42 Proposals: SCADA test environment.

43 Proposals: keep up-to-date with vulnerabilities.

44 Proposals: apply experience from IT network management.

45 ScadaScan
– Current version: scan a network range; works with TCP/IP; identifies Modbus TCP slaves; identifies DNP 3 TCP slaves
– Beta version: SCADA master vulnerability scanning; SNMP support; HTTP support
– 1.0 release: user configurable signature files; authenticated support for Windows and *nix; code cleanup

46 Thank you. Twitter: @amolsarwate; http://code.google.com/p/scadascan/; https://community.qualys.com
