SCADA Industrial Control Systems Penetration Testing
Starting from the types of SCADA networks, then penetration testing, and finally the security controls that should be followed.
2. THIS PRESENTATION WILL COVER:
What is SCADA?
What is it used for?
What are the benefits of using SCADA?
SCADA system concept
How SCADA Communication Works?
SCADA Protocols
SCADA Cyber security
Types of SCADA Networks
Attack Vectors
Penetration testing methodology
Conclusion
3. WHAT IS A SCADA CONTROL SYSTEM?
* SCADA: Supervisory Control and Data Acquisition. A type of control system that can be used to monitor many different kinds of equipment in many different kinds of environments.
* In general, the term refers to an industrial control system (ICS).
4. WHERE CAN YOU FIND SCADA?
* Electric power generation, transmission, and distribution
* Water and sewage
* Buildings, facilities, and environments
* Manufacturing
* Mass transit
* Traffic signals.
5. BENEFITS OF SCADA
Used for:
1- Transmitting individual device status
2- Managing energy consumption by controlling the devices
3- Allowing direct control of power system equipment
4- Controlling chemical plant processes, oil and gas pipelines, electrical generation and transmission equipment, manufacturing facilities, etc.
EX: motors, valves, pumps, relays, etc.
Benefits:
1- Identify and solve problems before they even start.
2- Keep your eye on long-term trends and threats
3- Identify and attack bottlenecks and inefficiencies throughout the enterprise
4- Effectively manage bigger and more complicated processes with a smaller staff.
6. SCADA SYSTEM CONCEPT
SCADA Workstation: the human operator's station. It is the device used to issue commands from the central SCADA console, receive raw data in human-readable form, and monitor and control the process.
HMI (Human-Machine Interface): software and hardware that allow the human operator to monitor the state of the process under control, modify control settings, and manually override automatic control operations. The interface sits between the human operator and the commands relevant to the SCADA system.
(Runs on Windows, Linux or Unix)
7. SCADA SYSTEM CONCEPT
Data Historian: collects and stores information from your mission-critical systems so that it can be extracted and analysed accurately (typically a SQL database).
SCADA Server / MTU (Master Terminal Unit): the device that issues commands to the Remote Terminal Units (RTUs), which are located at sites remote from the control centre; it gathers the required data, stores it, processes it and displays it.
RTU (Remote Terminal Unit): connects to sensors on the process, converts the sensor signals and sends digital data to the supervisory system.
PLC (Programmable Logic Controller): automatically performs the main site control process, controlling the operation of industrial equipment such as machinery.
8. HOW SCADA COMMUNICATION WORKS
* The control operator or workstation monitors the data and initiates control commands through the HMI.
* The HMI is traditionally an application installed on a workstation running Windows or Linux, and more recently a web application. These HMIs speak to the SCADA controlling server.
* The SCADA controlling server collects data from the data historian, which is basically a database that the SCADA server pushes data to and in some cases pulls data from.
* The SCADA server sends the appropriate signal to the correct RTU or PLC.
* The RTU or PLC consults its pre-programmed logic to determine what it should do with this control signal, and controls the operation of the industrial equipment.
* Equipment, for example: relays, capacitor banks, feeder switches, actuators.
9. [Diagram: System Concept of SCADA. Field measurements (temperature level, pressure level, oil level, alarm, radioactivity level) are read by RTU/PLCs, which communicate with the SCADA server across a wide area network via a communication router; the Modbus TCP/IP and DNP3 protocols carry the traffic between the SCADA server and the RTU/PLCs. The SCADA server is connected to the data historian, the workstation and the HMI (web interface).]
10. SCADA PROTOCOL
* We have mentioned that the SCADA server sends signals to the RTU or PLC and vice versa.
How can the central SCADA console receive information from sensors, which are very simple devices?
Here is where SCADA protocols come in!
* The RTU collects data from sensors and converts the readings into a protocol, such as Modbus or DNP3, that can be transported across your communications network and back to you.
DNP3 (Distributed Network Protocol): used for communications between the master station and RTUs. Port 20000 TCP/UDP.
Modbus: typically used for Supervisory Control and Data Acquisition (SCADA)-style network communication between devices; implementations exist over serial and TCP/IP. Standard port 502 TCP.
12. WHY SECURITY IS IMPORTANT IN CONTROL SYSTEMS?
Why?
* The ability of cyber intruders to gain access to networked control systems might be easy
* More efficient methods of communication = more new risks that can cause disaster
* Control systems share the common vulnerabilities of traditional information technology
* Control systems have recently been adopting web technology, which is an interesting target for cyber attacks
* Insecure protocols that transmit data, some of them over TCP/IP
* Control systems have moved to Windows and Linux, which have known vulnerabilities
13. WHY SECURITY IS IMPORTANT IN CONTROL SYSTEMS?
* The new protocols and communication standards being adopted are the same technologies that have been exploited and compromised in the Internet and networking domains
[Figure: a Modbus TCP request packet. No authentication, no encryption, no security.]
Attack categories:
* Attacks on field devices
* Database attacks
* Communications hijacking and 'man-in-the-middle' attacks
* Vulnerabilities in common protocols
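As an added example (not from the presentation), the Modbus/TCP request packet above decoded in Python: a passive monitor that parses the MBAP header and function code, and raises an alert when a write command arrives from any host other than the known SCADA server. Because the protocol carries no credential, the sender's address is the only thing a defender can check; the IP addresses and sample frames here are constructed.

```python
import struct
from collections import namedtuple

# Function codes that change controller state. Modbus/TCP carries no credential,
# so the only thing a passive monitor can check is *who* sent the write.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
ModbusFrame = namedtuple("ModbusFrame", "transaction_id unit_id function data")

def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header and the PDU (function code + data) behind it."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match payload")
    return ModbusFrame(tid, unit, payload[7], payload[8:])

def describe(frame: ModbusFrame) -> str:
    """Summarise a request; Write Single Coil is decoded down to address and state."""
    if frame.function == 5 and len(frame.data) == 4:
        addr, value = struct.unpack(">HH", frame.data)
        return f"Write Single Coil {addr} -> {'ON' if value == 0xFF00 else 'OFF'}"
    return WRITE_FUNCTIONS.get(frame.function, f"function {frame.function}")

def check_frame(src_ip: str, payload: bytes, allowed_masters: set) -> "str | None":
    """Return an alert for a write request from a host that is not a known master."""
    frame = parse_modbus_tcp(payload)
    if frame.function in WRITE_FUNCTIONS and src_ip not in allowed_masters:
        return f"ALERT {src_ip} -> unit {frame.unit_id}: {describe(frame)}"
    return None

# Constructed sample traffic (source IP, raw TCP payload to port 502); not a real capture.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000010")),   # master reads 16 registers
    ("10.0.0.5", bytes.fromhex("00020000000601050013ff00")),   # master switches coil 19 ON
    ("10.0.0.77", bytes.fromhex("000300000006010500130000")),  # unknown host switches coil 19 OFF
]
ALLOWED_MASTERS = {"10.0.0.5"}   # assumed address of the legitimate SCADA server

def run_monitor(traffic=SAMPLE_TRAFFIC, allowed=ALLOWED_MASTERS) -> list:
    """Run every sampled frame through check_frame and keep the alerts."""
    alerts = [check_frame(src, raw, allowed) for src, raw in traffic]
    return [a for a in alerts if a]

if __name__ == "__main__":
    for line in run_monitor():
        print(line)
```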
16. TYPES OF SCADA NETWORKS
Early or Monolithic SCADA systems
* The first SCADA systems held all operations in one computer, usually a mainframe. There was little control exercised, and most early SCADA functions were limited to monitoring sensors and flagging any operations
* Limited to a single plant or facility. Like the software, SCADA hardware from one vendor was rarely usable in another vendor's SCADA system.
17. TYPES OF SCADA NETWORKS
Distributed SCADA Systems
* Shared control functions across multiple smaller (usually PC) computers connected by Local Area Networks (LANs)
* Shared real-time information and often performed small control tasks in addition to alerting operators to possible problems
18. TYPES OF SCADA NETWORKS
Networked SCADA systems
* Current SCADA systems are usually networked
* They communicate through Wide Area Network (WAN) systems, over phone or data lines, and often transmit data between nodes through Ethernet or fibre-optic connections.
* They make heavy use of Programmable Logic Controllers (PLCs) to monitor and make routine process adjustments.
* The hardware tends to be more interchangeable, as PLC and other sub-unit vendors have standardized communications and other protocols to allow the user to choose the best component for their needs
19. TYPES OF SCADA NETWORKS
Internet of Things (IoT)
* A data model allows the types of data to be monitored to be defined, and allows new types to be added quickly and easily as new smart objects are added to the process
* Allows combinations of smart things/objects and sensor network technologies
* Communication will bring physical business benefits like high-resolution management of resources and products, better collaboration between enterprises, and improved life-cycle management
21. ATTACK VECTORS
* SCADA systems are vulnerable to the same threats as any TCP/IP-based system.
* SCADA administrators and industrial systems analysts are deceived into thinking that since their industrial networks are on separate systems, they are safe from outside attacks.
* PLCs and RTUs are usually polled by other third-party, vendor-specific networks and protocols, such as Modbus and DNP, and polling is usually done over phone lines, leased private frame relay circuits or satellite systems
* Security in an industrial network can be compromised in many places along the system and is most easily compromised at the SCADA host or control room level
SCADA Attacks: How Far?
22. ATTACK VECTORS
++ Once the corporate network is compromised, any IP-based device or computer system can be accessed.
++ Running 24/7 provides an opportunity to attack the SCADA host system, which can cause:
* Denial of Service (DoS) attack to crash the SCADA server, leading to a shutdown condition
* Deletion of system files on the SCADA server (system downtime and loss of operations)
* Planting of a Trojan to take complete control of the system
* Logging of any company-sensitive operational data for personal or competitor usage
Attack vectors that should be addressed:
1- Backdoors and holes in the network perimeter
2- Vulnerabilities in common protocols
3- Attacks on field devices
4- Database attacks
5- Communications hijacking and 'man-in-the-middle' attacks
23. ATTACK VECTORS
1- Modern networks in the control system arena often have inherent capabilities that are deployed without sufficient security analysis and can provide access to attackers once they are discovered.
2- Network components carry technologies that often include firewalls, public-facing services and wireless access; each of these components often has associated security vulnerabilities.
3- Remotely located control system elements can be accessed via remotely connected communications; if the systems are based on commercial operating systems, attacks can come via DDoS, privilege-escalation exploits or Trojan horses.
Backdoors and holes in network perimeter
24. ATTACK VECTORS
4- Organizations in many CI/KR sectors provide data to customers and providers through publicly accessible services, such as calculating load expectations or billing futures information. As these services are in the public domain, they are often accessible from the Internet with little or no user access limitation.
5- If the relationship between the firewall and the web server is not deployed right, it allows unauthorized data to flow from the external side to the internal domain. If the attacker compromises the trusted web server, the attacker has a channel to access the internal services (or control systems) LAN.
Backdoors and holes in network perimeter
25. ATTACK VECTORS
1- Microsoft XP, a platform commonly used in control systems, mitigates the security issues
2- Control systems and modern networking technologies come with some inherited security vulnerabilities. Even though many of these vulnerabilities have solutions and available workarounds, deploying these mitigations in control system architectures is not always feasible.
Attacks Using Common Protocols
26. ATTACK VECTORS
1- Control system architectures usually have a capability for remote access to terminal end points and devices in a number of ways, including telephonic or dedicated means, to provide for the collection of operational and maintenance data.
2- Modern equipment has embedded file servers and web servers to facilitate robust communications; these devices are part of an internal, trusted domain, and thus access into these devices can provide an attacker with an unauthorized vector into the control system architecture.
3- RTUs are an extension of the control domain, so attackers can add these field devices to their list of viable targets to be investigated during the reconnaissance and scanning phases of an attack.
4- If a device is compromised, the attacker can leverage control over the device and escalate privileges.
Attack into control system via field devices
27. ATTACK VECTORS
1- Database applications have become core application components of control systems and their associated record-keeping utilities
2- Databases used by control systems are often connected to databases located on the business network, and most use SQL. The information contained in these databases makes them high-value targets for any attacker
3- Attackers can exploit the communications channel between the two networks and bypass the security mechanisms used to protect the control system environment
4- Corrupted database content can impact data acquisition servers, historians, and even the operator HMI console, because control system databases are so reliant on data accuracy and integrity.
Database and SQL data injection attacks
28. ATTACK VECTORS
1- The ability for an attacker to re-route data that is in transit on a network, the ability to capture and analyze critical traffic that is in plaintext format, and the ability to reverse engineer any unique protocols to gain command over control communications
2- By combining all of these, a MITM attack is executed
3- As the attack is on the control domain, this plaintext traffic can be harvested (sniffed) and taken offline for analysis and review
4- Using ARP poisoning and collecting traffic, the attacker can establish and maintain complete control over the communications in the network, preventing the HMI from issuing alarms
5- MITM can be between the HMI and the RTU due to the weak protocols that are used, like Modbus
Man-in-the-middle attacks
30. PENETRATION TESTING METHODOLOGY
The penetration testing methodology we use in control systems is like normal network penetration testing.
How?
* We are dealing with devices - operating systems (Windows, Linux) - protocols over TCP - applications and SQL databases - firewalls
Audit identification:
* Devices and networks: router configs, router tables, switch tables, physical cable checks, packet sniffing
* Services: local port verification (netstat)
* Vulnerabilities: local banner grabbing
* Perimeter: identify all external connections
* Review firewall rules
* Review remote access methods
* Check for wireless networks
* Check physical access
31. PENETRATION TESTING METHODOLOGY
The penetration testing methodology we use in control systems is like normal network penetration testing.
How?
Network infrastructure:
* Review router configs
* Review switch tables
* Conduct physical cable checks
* Conduct packet sniffing and analysis
Host operating systems:
* Review patch level
* Review password quality
* Review share and directory permissions
* Review remote access
Applications:
* Review ports and services
* Review OS credentials
* Review remote access
* Consider code review
PLCs, RTUs, etc.:
* Review patch levels
* Review password quality
* Conduct packet sniffing
32. PENETRATION TESTING METHODOLOGY
Scanning / Discovery
Some available tools:
* plcscan - scans Modbus devices
* Modscan - scans Modbus devices
* Nmap (be careful: a single Nmap scan can crash a system)
* Metasploit modules for Modbus detection
* Most PLCs (communication modules) have no ability to filter based on source IP address
So we can:
* Use Python scripts or John the Ripper for password cracking
* Brute-force the PLC online
* Scan supported devices and stations
* Change the names of stations
* Change IP, netmask, gateway
* Request full network info
33. PENETRATION TESTING METHODOLOGY
Analyze protocols
How do protocols live in the network?
* Not blocked by firewalls/switches
* Accessible between LAN segments
* Work from the data link layer to the application layer
* Easy to detect
* Easy to analyze
So, with available tools, we can:
* Detect devices and their protocols
* Monitor state and commands
* Inject and modify reply packets in real time
Sniffing traffic:
* Wireshark
* tcpdump
* Python
* hex viewer
34. PENETRATION TESTING METHODOLOGY
Analyze protocols
Modbus
Using the web is often the easiest way: 80% of Modbus/TCP devices have web interfaces. Other research shows most devices run Windows 2000.
DNP3
* Has source and destination addresses that can be useful in man-in-the-middle attacks, such as:
1- Turning off unsolicited reporting to stifle alarms
2- Issuing unauthorized stops, restarts, or other functions that could disrupt specific operations
* Implementations typically do not employ encryption, authentication or authorization; DNP3 devices simply assume that all messages are valid
35. PENETRATION TESTING METHODOLOGY
Analyze protocols
DNP3
Passive Network Reconnaissance
With appropriate access, captures and analyzes DNP3 messages. This provides information about the network topology and device functionality.
Rogue Test
Installs a "man-in-the-middle" device between the master and outstations that can read, modify and fabricate DNP3 messages and/or network traffic, memory addresses and other data
Other attacks on the Data Link and Application Layer
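As an added example (not from the presentation), a DNP3 link-layer parser in Python for the points above about source/destination addresses, unsolicited reporting and rogue devices: it verifies the CRC-16/DNP on the header and on each user data block, extracts the addresses, and flags a frame whose DIR bit claims it comes from the master while its source address is not a known master, or whose application function code is DISABLE_UNSOLICITED (0x15), the request used to stifle alarms. The addresses and frames are constructed.

```python
import struct
from collections import namedtuple

START = b"\x05\x64"
DISABLE_UNSOLICITED = 0x15  # application function code that silences outstation alarms
Dnp3Frame = namedtuple("Dnp3Frame", "control destination source user_data")

def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    # Link header (start, length, control, dest, src) + CRC, then a CRC per 16-byte data block.
    header = START + struct.pack("<BBHH", 5 + len(user_data), control, dest, src)
    out = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", crc_dnp(block))
    return out

def parse_frame(raw: bytes) -> Dnp3Frame:
    """Parse the link header and user data, rejecting any CRC mismatch or truncation."""
    if len(raw) < 10 or raw[:2] != START:
        raise ValueError("missing 0x0564 start bytes")
    if struct.unpack("<H", raw[8:10])[0] != crc_dnp(raw[:8]):
        raise ValueError("link header CRC mismatch")
    length, control, dest, src = struct.unpack("<BBHH", raw[2:8])
    remaining, pos, data = length - 5, 10, b""
    while remaining > 0:
        n = min(16, remaining)
        block, crc = raw[pos:pos + n], raw[pos + n:pos + n + 2]
        if len(block) < n or len(crc) < 2 or struct.unpack("<H", crc)[0] != crc_dnp(block):
            raise ValueError("user data CRC mismatch or truncated frame")
        data, pos, remaining = data + block, pos + n + 2, remaining - n
    return Dnp3Frame(control, dest, src, data)

def check_frame(raw: bytes, known_masters: set) -> "str | None":
    # user_data = transport header (1) + application control (1) + function code (1) + objects
    f = parse_frame(raw)
    if f.control & 0x80 and f.source not in known_masters:   # DIR bit claims "from master"
        return f"ALERT unknown master address {f.source} -> outstation {f.destination}"
    if len(f.user_data) >= 3 and f.user_data[2] == DISABLE_UNSOLICITED:
        return f"ALERT master {f.source} disabled unsolicited reporting on outstation {f.destination}"
    return None

KNOWN_MASTERS = {1}   # constructed sample addressing: legitimate master 1, outstation 10
LEGIT_READ = build_frame(0xC4, 10, 1, bytes([0xC0, 0xC0, 0x01]))    # DIR|PRM, link fc 4; app READ
ROGUE_DISABLE = build_frame(0xC4, 10, 99, bytes([0xC0, 0xC1, DISABLE_UNSOLICITED]))
LEGIT_DISABLE = build_frame(0xC4, 10, 1, bytes([0xC0, 0xC1, DISABLE_UNSOLICITED]))
```

Run over a live capture, the second alert is the one to correlate with an operator's change ticket: a legitimate master can disable unsolicited reporting too, so the check is a detection cue, not proof of attack.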
36. PENETRATION TESTING METHODOLOGY
Data Manipulation
Available tools
Web Application Test and SQL Injection
* As SCADA uses web applications on the HMI and SQL in the database, we can test them for possible vulnerabilities
Modlib - Scapy extension [Python]
OpenDNP3 - library [C++]
Metasploit modules
38. SCADA SECURITY
Creating Demilitarized Zones (DMZs)
Multiple DMZs could also be created for separate functionalities and access privileges, such as peer connections, the data historian, and the Inter-Control Center Communications Protocol (ICCP) server in SCADA systems
Firewalls
When properly configured and coordinated, firewalls can protect passwords, IP addresses, files and more
Proxy Servers
A proxy server is an internet server that acts as a firewall, mediating traffic between a protected network and the internet
The Security Policy
Effective security policies and procedures are the first step to a secure control systems network. Many of the same policies
Security Training
Providing the staff who work in the facility with security training is very essential for preventing physical and social engineering attacks
39. SCADA SECURITY
1- Identify all connections to SCADA networks
2- Disconnect unnecessary connections to the SCADA network
3- Remove or disable unnecessary services
4- Implement internal and external IDS and establish 24-hour incident monitoring
5- Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
6- Clearly define cyber security roles, responsibilities and authorities for managers, system administrators and users
7- Document the network architecture and identify systems that serve critical functions and require additional levels of protection