29C3 - Version 1.9

Speakers: Denis Baranov, Gleb Gritsai, Sergey Gordeychik

Schedule
Day: Day 1 - 2012-12-27
Room: Saal 6
Start time: 23:00
Duration: 01:00

Info
ID: 5059
Event type: Lecture
Language used for presentation: English

SCADA Strangelove

or: How I Learned to Start Worrying and Love Nuclear Plants

Modern civilization depends unconditionally on information systems. It is paradoxical but true that ICS/SCADA systems are the most insecure systems in the world: from the network to the application layer, SCADA is full of configuration issues and vulnerabilities.

During our talk, we will demonstrate how to obtain full access to a plant via:

  • a sniffer and a packet generator
  • FTP and Telnet
  • Metasploit and osql
  • a webserver and a browser

About 20 new vulnerabilities in common SCADA systems, including Simatic WinCC, will be revealed.

Releases:

  • modbuspatrol (mbpatrol) – free tool to discover and fingerprint PLCs
  • Simatic WinCC security checklist
  • Simatic WinCC forensic checklist and tools
  • a close-to-real-life attack scenario against a Simatic WinCC based plant

    1. Intro
       1.1 Who we are
       1.2 History of research
    2. Overview of ICS/SCADA architecture
    3. SCADA network puzzle
       3.1 Overview of protocols used in SCADA networks
       3.2 Modbus overview
       3.3 S7 overview
       3.4 Modbus/S7 SCADA/PLC fingerprint (release of mbpatrol, a free tool for PLC fingerprinting)
    4. Who is Mister PLC?
       4.1 Typical PLC architecture
       4.2 Security and configuration issues
       4.3 Coordinated disclosure of vulnerabilities in several PLCs
    5. DEMO. Owning a plant with FTP and Telnet. During the demo, I will demonstrate how several vulnerabilities and configuration issues of a PLC can be used to get root access to the device, install a rootkit and manipulate something in the real world.
    6. Miss SCADA
       6.1 Place of the OS and DB in the security of SCADA infrastructure
       6.2 Simatic WinCC default configuration issues
       6.3 Ways to abuse OS and DB vulnerabilities
       6.4 Coordinated disclosure of several OS/DB WinCC vulnerabilities
       6.5 Simatic WinCC security checklist
       6.6 Simatic WinCC post-exploitation/forensics
    7. Heavy weapon
       7.1 SCADA/HMI application architecture (based on Simatic WinCC)
       7.2 Client side in the SCADA network? (release of a client-side fingerprint tool for HMI software)
       7.3 Coordinated disclosure of vulnerabilities in Siemens Simatic WinCC 7.0 used in the exploit
    8. Architecture of the exploit
    9. DEMO. Owning a plant with a browser. Exploit scenario. Several 0-day (but responsibly disclosed) vulnerabilities in Siemens Simatic WinCC 7.0 are used to:
       • Fingerprint the presence of WinCC client software
       • Obtain the access password to the WinCC WebNavigator interface
       • Read the registry and files on the WinCC box
       • View and manage the HMI/PLC/technological process from the Internet via the operator's browser
    10. PS. Why physical separation is not enough

Will we talk about 0-day vulnerabilities? Yes, but we will coordinate with the vendor, so the list of vulnerabilities depends on how quickly Siemens patches.

Will tools be presented? Yes: the releases listed above (modbuspatrol (mbpatrol), the Simatic WinCC security checklist, and the Simatic WinCC forensic checklist and tools).