Hosted by OWASP & the NYC Chapter Vulnerability Analysis of 2013 SCADA issues Amol Sarwate Director of Vulnerability Labs, Qualys Inc.

1 Hosted by OWASP & the NYC Chapter Vulnerability Analysis of 2013 SCADA issues Amol Sarwate Director of Vulnerability Labs, Qualys Inc.

2 Agenda
– SCADA components
– 2013 Vulnerability Analysis
– Recommendations and Proposals

3 SCADA, DCS, ICS

5 Accidents: liquid pipeline failures, power failures, other accidents

6 Vandalism: vandals destroy insulators /2002/NewsRelease.cfm?ReleaseNo=297

7 Insider: disgruntled employee /hacker_jailed_for_revenge_sewage/

8 APT: terrorism or espionage media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

9 SCADA Vulnerabilities (estimate)

10 Components: Field, Control Center

11 Acquisition: Convert parameters like light, temperature, pressure or flow to analog signals

12 Conversion: Converts analog and discrete measurements to digital information

13 Communication
– Front end processors (FEP) and protocols
– Wired or wireless communication
– Protocols: Modbus, DNP 3, OPC, ICCP, ControlNet, BBC 7200, ANSI X3.28, DCP 1, Gedac 7020, DeviceNet, DH+, ProfiBus, Tejas, TRE, UCA

14 Presentation & Control: Control, monitor and alarming using human machine interface (HMI)

15 2013 Vulnerabilities by category

16 Acquisition
– Requires physical access
– Field equipment does not contain process information
– Information like valve 16 or breaker 9B
– Without process knowledge leads to nuisance disruption
[Chart labels: 0%, 11%, 22%, 66%]

17 Emerson ROC800 Vulnerabilities
– CVE : Network beacon broadcasts allow detection
– CVE : OSE Debug port service
– CVE : Hardcoded accounts with passwords
– Access: AV:N, AC:L, Au:N
– Impact: C:C, I:C, A:C
– Patch available from Emerson

18 Siemens CP 1604 / 1616 Interface Card Vulnerability
– Siemens security advisory: SSA
– CVE : Open Debugging Port in CP 1604/1616
– UDP port
– Access: AV:N, AC:L, Au:N
– Impact: C:C, I:C, A:C
– Patch available from Siemens

19 Communication

20 ModBus Vulnerabilities
– CVE : Triangle Research Nano-10 PLC Crafted Packet Handling Remote DoS
– CVE : Galil RIO PLC Crafted Modbus Packet Handling Remote DoS
– RBS-2013-003: Schneider Electric Multiple Modbus MBAP DoS and RCE
[Images: Nano-10 PLC, RIO PLC]

21 DNP Vulnerabilities
– CVE : MatrikonOPC Server DNP3 Packet Handling buffer overflow
– CVE : Schweitzer Real-Time Automation Controllers (RTAC) Local DoS
– CVE : SUBNET SubSTATION Server DNP3 Outstation Slave Remote DoS
– CVE : IOServer DNP3 Packet Handling Infinite Loop
[Images: Schweitzer RTAC, IOServer, Matrikon OPC Server]

22 Modbus and DNP free tool: Security Analysis of SCADA protocols

23 SSH, FTP, TFTP, IGMP, SNMP
– CVE : Monroe Electronics Default root SSH Key Remote Access
– CVE : TURCK BL20 / BL67 FTP Service Hardcoded Admin Credentials
– CVE : OSIsoft PI Interface for IEEE C Memory Corruption
– CVE : Emerson RTU TFTP Server File Upload Arbitrary Code Execution
– CVE : Siemens Scalance X200 IRT SNMP Command Execution
– Korenix Multiple JetNet Switches TFTP Server Arbitrary File Creation
– RuggedCom ROX-II IGMP Packet Saturation RSTP BPDU Prioritization Weakness
– Korenix Multiple JetNet Switches SSL / SSH Hardcoded Private Keys

24 Presentation & Control

25 Presentation & Control
– CVE : Advantech WebAccess /broadWeb/include/gAddNew.asp XSS
– CVE : Invensys Wonderware Information Server (WIS) SQL Injection
– CVE : Siemens COMOS Client Library Local Database Object Manipulation
– CVE : Cogent DataHub Crafted HTTP Request Header Parameter Stack Overflow
– CVE : General Electric (GE) Intelligent Proficy Java Remote Method Invocation
– CVE : SafeNet Sentinel Protection Server HTTP Request Directory Traversal and Arbitrary File Access
– CVE : Moxa OnCell Gateway Predictable SSH / SSL Connection Key Generation
– Weidmüller WaveLine Router Web Interface config.cgi Configuration Manipulation CSRF

26 Real world issues: Control system network connected to corporate network or internet

27 Real world issues
– No authentication
– No per user authentication

28 Real world issues: Delayed patching if any

29 Real world issues
– Default passwords
– Shared passwords
– No password change policy

30 Real world issues: Systems not restarted in years

31 Real world issues
– Off-the-shelf software
– Operating system, Database, Browser, Web Server

32 Real world issues: Unnecessary services

33 Real world issues: Internal differences between IT and SCADA engineers

34 System Wide Challenges: SCADA system long life cycle
– Long life cycle of a SCADA system

35 System Wide Challenges: SCADA system long life cycle
– Cost and difficulty of an upgrade

36 Proposals: SCADA network auditing

37 Proposals: Is your SCADA system exposed on the internet?

38 Proposals: Password policy, access control and access roles

39 Proposals: Are all services necessary?

40 Proposals: Use secure protocols

41 Proposals: Strategy for Software Update and patching

42 Proposals: SCADA test environment

43 Proposals: Keep up-to-date with vulnerabilities

44 Proposals: Apply experience from IT network management

45 ScadaScan
Current version
– Scan network range
– Works with TCP/IP
– Identifies Modbus TCP slaves
– Identifies DNP 3 TCP slaves
Beta version
– SCADA master vulnerability scanning
– SNMP support
– HTTP support
1.0 Release
– User configurable signature files
– Authenticated support for Windows and *nix
– Code cleanup

46 Thank You https://community.qualys.com

