Hosted by OWASP & the NYC Chapter
Vulnerability Analysis of 2013 SCADA issues
Amol Sarwate, Director of Vulnerability Labs, Qualys Inc.
Agenda
– SCADA components
– 2013 Vulnerability Analysis
– Recommendations and Proposals
SCADA, DCS, ICS
Accidents
– liquid pipeline failures: http://www.ntsb.gov/doclib/safetystudies/SS0502.pdf
– power failures: http://www.nerc.com/docs/docs/blackout/Status_Report_081104.pdf
– other accidents: http://en.wikipedia.org/wiki/List_of_industrial_disasters
Vandalism
– vandals destroy insulators: http://www.bpa.gov/corporate/BPAnews/archive/2002/NewsRelease.cfm?ReleaseNo=297
Insider
– disgruntled employee: http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/
APT
– terrorism or espionage: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
2009 - 2013 SCADA Vulnerabilities (estimate)
[chart: estimated SCADA vulnerability counts per year, 2009 to 2013]
Components
– Field
– Control Center
Acquisition
– Sensors convert physical parameters such as light, temperature, pressure or flow into analog signals
Conversion
– Converts analog and discrete measurements to digital information
Communication
– Front end processors (FEP) and protocols
– Wired or wireless communication
– Protocols: Modbus, DNP 3, OPC, ICCP, ControlNet, BBC 7200, ANSI X3.28, DCP 1, Gedac 7020, DeviceNet, DH+, ProfiBus, Tejas, TRE, UCA
Presentation & Control
– Control, monitoring and alarming using a human machine interface (HMI)
2013 Vulnerabilities by category
[pie chart of 2013 vulnerabilities by component category; slice values as extracted: 0%, 11%, 22%, 66%]
Acquisition
– Requires physical access
– Field equipment does not contain process information
– It carries only tags such as "valve 16" or "breaker 9B"
– Without process knowledge, tampering with it leads only to nuisance disruption
Emerson ROC800 Vulnerabilities
– CVE-2013-0693: Network beacon broadcasts allow detection
– CVE-2013-0692: OSE Debug port service
– CVE-2013-0694: Hardcoded accounts with passwords
– Access: AV:N, AC:L, Au:N
– Impact: C:C, I:C, A:C
– Patch available from Emerson
Siemens CP 1604 / 1616 Interface Card Vulnerability
– Siemens security advisory: SSA-628113
– CVE-2013-0659: Open Debugging Port in CP 1604/1616 (UDP port 17185)
– Access: AV:N, AC:L, Au:N
– Impact: C:C, I:C, A:C
– Patch available from Siemens
Communication
Modbus Vulnerabilities
– CVE-2013-2784: Triangle Research Nano-10 PLC Crafted Packet Handling Remote DoS
– CVE-2013-0699: Galil RIO-47100 PLC Crafted Modbus Packet Handling Remote DoS
– RBS-2013-003: Schneider Electric Multiple Modbus MBAP DoS and RCE
[images: Nano-10 PLC, RIO-47100 PLC]
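An added example, not from the presentation and not ScadaScan's code, of the packet handling the three entries above are about: a Modbus/TCP MBAP builder, a parser that checks the length field against the bytes actually received before trusting it, and a one-request probe of the kind a slave-identification scanner sends. Function codes, the 253-byte PDU ceiling and port 502 come from the Modbus/TCP specification; the host, unit id and sample frames are assumed or constructed for the example.

```python
"""Modbus/TCP framing with strict MBAP validation and a slave-identification probe.

Added example for this page; not ScadaScan's code. The host and unit id a
caller passes are assumptions; frames used for testing are constructed.
"""
import socket
import struct

MODBUS_PORT = 502
MBAP_LEN = 7       # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253      # Modbus PDU ceiling; the length field is therefore at most 254
MAX_ADU = MBAP_LEN + MAX_PDU


def build_adu(transaction_id, unit_id, pdu):
    """Wrap a PDU in an MBAP header; the length field counts unit id plus PDU."""
    if not 1 <= len(pdu) <= MAX_PDU:
        raise ValueError("PDU must be 1..%d bytes" % MAX_PDU)
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_adu(frame):
    """Return (transaction_id, unit_id, pdu) or raise ValueError.

    These are the checks a slave's packet handler needs before it trusts the
    length field: protocol id, declared length against bytes actually present,
    and the ADU ceiling. Skipping them is how a crafted packet becomes a DoS.
    """
    if not MBAP_LEN + 1 <= len(frame) <= MAX_ADU:
        raise ValueError("ADU must be %d..%d bytes, got %d" % (MBAP_LEN + 1, MAX_ADU, len(frame)))
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    if length != len(frame) - 6:
        raise ValueError("length field says %d but %d bytes follow it" % (length, len(frame) - 6))
    return transaction_id, unit_id, frame[MBAP_LEN:]


def read_holding_registers_pdu(start, count):
    """Function 0x03 request: 'count' holding registers from address 'start'."""
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125")
    return struct.pack(">BHH", 0x03, start, count)


def classify_response(pdu, function=0x03):
    """Distinguish a normal reply from a Modbus exception (function | 0x80)."""
    if not pdu:
        raise ValueError("empty PDU")
    if pdu[0] == function:
        if len(pdu) < 2 or pdu[1] != len(pdu) - 2 or pdu[1] % 2:
            raise ValueError("byte count does not match register payload")
        return "ok", struct.unpack(">%dH" % (pdu[1] // 2), pdu[2:])
    if pdu[0] == function | 0x80 and len(pdu) == 2:
        return "exception", pdu[1]   # e.g. 0x01 illegal function, 0x02 illegal data address
    raise ValueError("unexpected function code 0x%02x" % pdu[0])


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def probe_modbus_slave(host, unit_id=1, port=MODBUS_PORT, timeout=2.0):
    """Send one Read Holding Registers request; any well-formed reply, exception
    included, identifies a Modbus/TCP listener, which is what an inventory needs.
    The declared length is capped before more bytes are read, so a hostile peer
    cannot make the client wait for or buffer an oversized frame."""
    request = build_adu(1, unit_id, read_holding_registers_pdu(0, 1))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        header = _recv_exact(sock, MBAP_LEN)
        length = struct.unpack(">H", header[4:6])[0]
        if not 2 <= length <= MAX_PDU + 1:
            raise ValueError("peer declared an invalid length %d" % length)
        reply = header + _recv_exact(sock, length - 1)
    tid, uid, pdu = parse_adu(reply)
    if (tid, uid) != (1, unit_id):
        raise ValueError("reply does not match the request")
    return classify_response(pdu)
```

Running probe_modbus_slave over an address range, one connection per host with the short timeout, is the "identifies Modbus TCP slaves" step of a scanner; an exception reply such as illegal data address still confirms the listener. Never run it against a production slave without the process owner's agreement: the deck's own DoS entries show that some PLCs fall over on frames far less unusual than a malformed one.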
DNP Vulnerabilities
– CVE-2013-2791: MatrikonOPC Server DNP3 Packet Handling buffer overflow
– CVE-2013-2798: Schweitzer Real-Time Automation Controllers (RTAC) Local DoS
– CVE-2013-2788: SUBNET SubSTATION Server DNP3 Outstation Slave Remote DoS
– CVE-2013-2783: IOServer DNP3 Packet Handling Infinite Loop
[images: Schweitzer RTAC, IOServer, Matrikon OPC Server]
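An added example, not from the presentation and not the code of ScadaScan or of any vendor named above, showing the link-layer handling the DNP3 entries concern: frame construction with CRC-16/DNP over the header and over each 16-byte data block, a parser that verifies the header CRC and the frame size implied by LEN before taking any slice, so a crafted LEN cannot produce an out-of-bounds read or a loop that never ends, and a REQUEST_LINK_STATUS probe of the kind a DNP3 slave-identification scanner sends. Port 20000, the frame layout and the function codes are from the DNP3 specification; the addresses, host and test frames are assumed or constructed.

```python
"""DNP3 link-layer framing with CRC-16/DNP checks and bounded parsing.

Added example for this page; not ScadaScan's code or any vendor's. The host
and link addresses a caller passes are assumptions; test frames are constructed.
"""
import socket
import struct

DNP3_PORT = 20000
START = b"\x05\x64"
HEADER_LEN = 10              # start(2) len(1) ctrl(1) dest(2) src(2) crc(2)
MAX_USER_DATA = 250          # LEN is one byte and counts ctrl+dest+src (5) plus user data
BLOCK = 16                   # user data is CRC-protected in blocks of 16 bytes
REQUEST_LINK_STATUS = 0x09   # primary-station function code (low nibble of ctrl)
LINK_STATUS = 0x0B           # secondary-station reply to it


def crc_dnp(data):
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC reflected), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_link_frame(ctrl, dest, src, user_data=b""):
    """Header CRC covers the 8 header bytes; each data block carries its own CRC."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data is limited to %d bytes" % MAX_USER_DATA)
    header = START + struct.pack("<BBHH", 5 + len(user_data), ctrl, dest, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def expected_frame_size(length):
    """Total bytes on the wire for a LEN field value (5..255)."""
    if not 5 <= length <= 255:
        raise ValueError("LEN must be 5..255, got %d" % length)
    data_len = length - 5
    return HEADER_LEN + data_len + 2 * ((data_len + BLOCK - 1) // BLOCK)


def parse_link_frame(frame):
    """Return (ctrl, dest, src, user_data) or raise ValueError.

    The header CRC is verified before LEN is believed, the size LEN implies is
    compared with the bytes actually present before any slice is taken, and the
    block loop consumes at least one data byte per pass. An inconsistent LEN
    therefore fails cleanly instead of over-reading or spinning forever.
    """
    if len(frame) < HEADER_LEN or frame[:2] != START:
        raise ValueError("no DNP3 start bytes or truncated header")
    if struct.unpack("<H", frame[8:10])[0] != crc_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    length, ctrl, dest, src = struct.unpack("<BBHH", frame[2:8])
    if len(frame) != expected_frame_size(length):
        raise ValueError("LEN=%d implies %d bytes, frame has %d"
                         % (length, expected_frame_size(length), len(frame)))
    data_len, user_data, pos = length - 5, b"", HEADER_LEN
    while len(user_data) < data_len:
        n = min(BLOCK, data_len - len(user_data))
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc_dnp(block):
            raise ValueError("data block CRC mismatch at offset %d" % pos)
        user_data += block
        pos += n + 2
    return ctrl, dest, src, user_data


def decode_control(ctrl):
    """Split the control octet into DIR, PRM, FCB, FCV flags and the function code."""
    return {"dir": bool(ctrl & 0x80), "prm": bool(ctrl & 0x40),
            "fcb": bool(ctrl & 0x20), "fcv": bool(ctrl & 0x10), "function": ctrl & 0x0F}


def probe_dnp3_outstation(host, dest, src, port=DNP3_PORT, timeout=2.0):
    """Send REQUEST_LINK_STATUS (a primary frame with no user data) and report
    whether a LINK_STATUS reply came back from the expected outstation address."""
    request = build_link_frame(0xC0 | REQUEST_LINK_STATUS, dest, src)   # DIR=1, PRM=1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        stream = sock.makefile("rb")
        header = stream.read(HEADER_LEN)
        if len(header) < HEADER_LEN or struct.unpack("<H", header[8:10])[0] != crc_dnp(header[:8]):
            raise ValueError("no valid DNP3 header in reply")
        rest = stream.read(expected_frame_size(header[2]) - HEADER_LEN)   # bounded by LEN
    ctrl, reply_dest, reply_src, _ = parse_link_frame(header + rest)
    flags = decode_control(ctrl)
    return (not flags["prm"] and flags["function"] == LINK_STATUS
            and (reply_dest, reply_src) == (src, dest))
```

The probe reads the ten header bytes first, validates them, and only then reads the number of bytes LEN implies; that is the mirror image of the parser's check and is what keeps a hostile outstation from stalling or oversizing the client's read. The same caution as for Modbus applies before pointing this at live outstations.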
Security Analysis of SCADA protocols
– Modbus and DNP free tool: http://code.google.com/p/scadascan/
SSH, FTP, TFTP, IGMP, SNMP
– CVE-2013-0137: Monroe Electronics Default root SSH Key Remote Access
– CVE-2012-4697: TURCK BL20 / BL67 FTP Service Hardcoded Admin Credentials
– CVE-2013-2800: OSIsoft PI Interface for IEEE C37.118 Memory Corruption
– CVE-2013-0689: Emerson RTU TFTP Server File Upload Arbitrary Code Execution
– CVE-2013-3634: Siemens Scalance X200 IRT SNMP Command Execution
– Korenix Multiple JetNet Switches TFTP Server Arbitrary File Creation
– RuggedCom ROX-II IGMP Packet Saturation RSTP BPDU Prioritization Weakness
– Korenix Multiple JetNet Switches SSL / SSH Hardcoded Private Keys
Presentation & Control
Presentation & Control
– CVE-2013-2299: Advantech WebAccess /broadWeb/include/gAddNew.asp XSS
– CVE-2013-0684: Invensys Wonderware Information Server (WIS) SQL Injection
– CVE-2013-3927: Siemens COMOS Client Library Local Database Object Manipulation
– CVE-2013-0680: Cogent DataHub Crafted HTTP Request Header Parameter Stack Overflow
– CVE-2013-0652: General Electric (GE) Intelligent Proficy Java Remote Method Invocation
– CVE-2008-0760: SafeNet Sentinel Protection Server HTTP Request Directory Traversal and Arbitrary File Access
– CVE-2012-3039: Moxa OnCell Gateway Predictable SSH / SSL Connection Key Generation
– Weidmüller WaveLine Router Web Interface config.cgi Configuration Manipulation CSRF
Real world issues
– Control system network connected to the corporate network or the internet
Real world issues
– No authentication
– No per-user authentication
Real world issues
– Delayed patching, if any
Real world issues
– Default passwords
– Shared passwords
– No password change policy
Real world issues
– Systems not restarted in years
Real world issues
– Off-the-shelf software: operating system, database, browser, web server
Real world issues
– Unnecessary services
Real world issues
– Internal differences between IT and SCADA engineers
System Wide Challenges
– Long life cycle of a SCADA system
System Wide Challenges
– Long life cycle of a SCADA system
– Cost and difficulty of an upgrade
Proposals
– SCADA network auditing
Proposals
– Is your SCADA system exposed on the internet?
Proposals
– Password policy, access control and access roles
Proposals
– Are all services necessary?
Proposals
– Use secure protocols
Proposals
– Strategy for software update and patching
Proposals
– SCADA test environment
Proposals
– Keep up-to-date with vulnerabilities
Proposals
– Apply experience from IT network management
ScadaScan
Current version
– Scan network range
– Works with TCP/IP
– Identifies Modbus TCP slaves
– Identifies DNP 3 TCP slaves
Beta version
– SCADA master vulnerability scanning
– SNMP support
– HTTP support
1.0 Release
– User configurable signature files
– Authenticated support for Windows and *nix
– Code cleanup
Thank You
Twitter: @amolsarwate
http://code.google.com/p/scadascan/
https://community.qualys.com