
Turning a SCADA Vulnerability into a Successful Attack ICSJWG 2011 Spring Conference Dallas, Texas May 2-5, 2011 SCADAhacker.com Think like a hacker …



Presentation transcript:

Slide 1: Turning a SCADA Vulnerability into a Successful Attack
ICSJWG 2011 Spring Conference, Dallas, Texas, May 2-5, 2011
SCADAhacker.com
Think like a hacker … to secure industrial control systems and protect critical infrastructure

Slide 2: Everyone's Watching ICS
(Slide footer: Think like a hacker … Proprietary property of SCADAhacker.com – All rights reserved.)
In 2010, Stuxnet raised the awareness of the public and the underground to the potential of an ICS compromise
On March 21, an Italian security researcher "publicly disclosed" 34 vulnerabilities covering 4 SCADA systems
On March 22, another "public disclosure" was made targeting a fifth SCADA system
On March 23, yet another "responsible disclosure" was announced against a sixth SCADA system

Slide 3: Systems Targeted on March 21
7 Technologies IGSS (Denmark)
‒ Versions 9, 8, 7
ICONICS GENESIS (USA)
‒ Versions 9.21 (32-bit), 10.51 (64-bit) and earlier
RealFlex Technologies RealWin (USA)
‒ Version 2.1 (build 6.1.1.10) and earlier
‒ "Demo" version only; "Commercial" version not vulnerable
Siemens Tecnomatix FactoryLink (Germany)
‒ Version 8.0.1.1473 and earlier
‒ USData-Technomatic ('03)-UGS ('05)-Siemens ('07)

Slide 4: White Papers
Co-authored with Eric Byres
Coordinated with ICS-CERT and each vendor

Slide 5: Details of the Disclosure
Vulnerabilities could be classified as:
‒ Arithmetic (integer) overflows: 13
‒ Buffer (stack / heap) overflows: 13
‒ Memory corruption: 2
‒ Read files: 2
‒ Write files: 1
‒ Denial of service: 1
‒ Command execution: 1
‒ Miscellaneous: 1
The proof-of-concept (PoC) only demonstrated control of memory and did not validate that remote code could actually be executed
(Slide labels: "High Effort; High Impact" and "Low Effort; High Impact")

Slide 6: Proof-of-Concept
nc 172.16.252.137 12397 < igss_8b.dat

Slide 7: Turns to Exploit
nc 172.16.252.137 12397 < mypayload.dat

Slide 8: Pwned in 15 Minutes !!!
Use MSF to create an attack payload and bundle it in Windows executable (exe) format
Use the IGSS vulnerability to execute a TFTP GET command to download the payload
Exploit the fact that WinXP enables a TFTP client on the target by default
‒ Could use the Luigi exploit to "enable" it if it was disabled!
Use the same vulnerability to execute the payload
System is completely compromised!
DEMO

Slide 9: Create the Payload (DEMO)

Slide 10: Create Data Files (DEMO)

Slide 11: Launch Attack (DEMO)

Slide 12: Control the Process (DEMO)

Slide 13: Mitigation from Zero Days
Most vendors rapidly issued patches:
‒ IGSS: March 25 (Versions 9 and 8 only)
‒ FactoryLink: March 24 (8.0, 7.5, 6.6 only)
‒ RealWin: February 14, released 2.1.11
‒ ICONICS: April 8 (Versions 10.51 [64-bit] and 9.21/9.13 [32-bit])
Emerging Threats Pro / NitroSecurity released 61 signatures to address multiple similar vulnerabilities
‒ Supports SNORT and Suricata IDS platforms
‒ Incorporated into QuickDraw IDS signatures
Industrial firewalls (Tofino Argon 20) with rulesets have been published, including a demonstration video for FactoryLink
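The IDS signatures on slide 13 match individual malformed IGSS packets; a complementary, signature-independent check is to correlate the two stages of the chain on slide 8 (an inbound connection to the IGSS port, then an outbound TFTP transfer from the same host shortly after). The following Python is an added example, not code from the presentation or from any of the vendors named; the log format, the IP addresses other than the PoC target, and the 300-second window are constructed assumptions.

```python
"""Correlate inbound IGSS traffic (TCP/12397, the port used in the slide 6 PoC) with a
subsequent outbound TFTP transfer (UDP/69) from the same host, as a detection for the
two-stage chain described on slide 8."""
from collections import defaultdict

IGSS_PORT = 12397      # IGSS service port from the PoC command on slide 6
TFTP_PORT = 69         # TFTP server port reached by the WinXP built-in TFTP client
WINDOW_SECONDS = 300   # assumed correlation window (the attack chain runs in minutes)

# Constructed sample connection log: "ts src_ip src_port dst_ip dst_port proto bytes".
# Host .137 (the PoC target) receives IGSS traffic, then pulls a file over TFTP 3 s later.
# Host .140 receives IGSS traffic but its TFTP transfer is 400 s later (outside the window).
# Host .99 uses TFTP with no preceding IGSS traffic (normal firmware/config activity).
SAMPLE_LOG = """\
1000 172.16.252.50 40111 172.16.252.137 12397 tcp 2048
1003 172.16.252.137 1029 172.16.252.50 69 udp 512
1600 10.0.0.7 51000 172.16.252.140 12397 tcp 300
2000 172.16.252.140 1030 172.16.252.10 69 udp 512
2100 172.16.252.99 1031 172.16.252.50 69 udp 512
"""

def parse_line(line):
    """Split one constructed log line into a record dict with numeric fields."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}

def find_igss_tftp_chains(log_text, window=WINDOW_SECONDS):
    """Return (victim, igss_source, tftp_server, igss_ts, tftp_ts) tuples for every host
    that received an IGSS connection and then started a TFTP transfer within `window` s."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    igss_hits = defaultdict(list)   # victim ip -> [(timestamp, source ip), ...]
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == IGSS_PORT:
            igss_hits[r["dst"]].append((r["ts"], r["src"]))
    alerts = []
    for r in records:
        if r["proto"] == "udp" and r["dport"] == TFTP_PORT:
            for igss_ts, source in igss_hits.get(r["src"], []):
                if 0 <= r["ts"] - igss_ts <= window:
                    alerts.append((r["src"], source, r["dst"], igss_ts, r["ts"]))
    return alerts

if __name__ == "__main__":
    for victim, source, server, t1, t2 in find_igss_tftp_chains(SAMPLE_LOG):
        print(f"ALERT {victim}: IGSS traffic from {source} at {t1}, "
              f"then TFTP to {server} at {t2} ({t2 - t1}s later)")
```

Only the host that pulls a file over TFTP shortly after IGSS traffic is flagged; widening the window trades fewer misses for more benign TFTP activity in the alerts.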

Slide 14: SCADAhacker.com – Think like a hacker …




