Cybersecurity of SmartGrid by Sergey Gordeychik & Alexander Timorin - CODE BLUE 2015

Apr 13, 2017

CODE BLUE

Transcript

Too Smart Grid. Sergey Gordeychik, Alexander Timorin

www.scadasl.org: group of security researchers focused on ICS/SCADA

Alexander Timorin, Alexander Tlyapov, Alexander Zaitsev, Alexey Osipov, Andrey Medov, Artem Chaykin, Denis Baranov, Dmitry Efanov, Dmitry Nagibin, Dmitry Serebryannikov, Dmitry Sklyarov, Evgeny Ermakov, Gleb Gritsai, Ilya Karpov, Ivan Poliyanchuk, Kirill Nesterov, Roman Ilin, Sergey Bobrov, Sergey Drozdov, Sergey Gordeychik, Sergey Scherbel, Timur Yunusov, Valentin Shilnenkov, Vladimir Kochetkov, Vyacheslav Egoshin, Yuri Goltsev, Yuriy Dyachenko

Bugs in SCADA/PLC

*ICS Security in 2014, Evgeny Druzhinin, Ilya Karpov, Alexander Timorin, Gleb Gritsay, Sergey Gordeychik

The Word of Power

Smartgrid cybersecurity: http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf


IPC@CHIP


OSINT


Firmware

Google dorks, configuration scripts, FS structure


Direct search


ENCRYPTION!!!11


Firmware update


Fixes

--snip--
Comment to PT-SOL-2014001: The upload path has been changed. It is still possible to upload files, but they can't overwrite system critical parts any more.
Comment to PT-SOL-2014002: The system backup is created in a randomly chosen path and deleted afterwards. Therefore an unauthorized access is made much more difficult and very unlikely.
Second comment to PT-SOL-2014002: In order to compensate the weak encryption in the configuration file, the whole configuration file is now encrypted via the new HTTP transmission.
--snip--


OSINT

User manual

Admin manual

Source code

117.220 MW Googled (1/22)

The Wind?

Sergey Gordeychik () - 10x SASNordex

Archaeology

CVE Details

Pictures from Google

990.390 MW

*Special Bushehr photo for scary ICS security slides*

ping 8 077 220 000 WSolarWind

#SCADASOS

http://scadastrangelove.blogspot.com/2014/12/sos-secure-open-smartgrids.html

#SCADASOS Results: 60 000+ SmartGrid devices disconnected from the Internet. Two advisories:
- XZERES 442SR Wind Turbine CSRF
- SMA Solar Technology AG Sunny WebBox Hard-Coded Account Vulnerability


Global radio network

HUGE attack surface: TCP/IP networks. It's GLOBAL

IP boxes

LTE radio security. Theory: A5/3 ciphers, GEA 2, 128-bit keys. Practice: backward compatibility with 2G (MITM), reuse of A5/1 or A5/0
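The slide's point is that the strong ciphers exist on paper but a link can silently fall back to 2G or to A5/0 or A5/1, which is exactly what a defender running cellular-connected grid gateways wants an alarm for. The following monitoring check is an added example, not code from the talk or from any modem vendor: it reads periodic modem status lines and flags a fallback to a 2G radio access technology or to a null or weak GSM cipher. The log-line format, gateway names, cell ids and the exact cipher labels are constructed for the example, not the output of a real modem or AT command.

```python
"""Flag cellular links on a smart-grid gateway that have fallen back from LTE
to 2G or to a weak/null GSM cipher.

Added example for this page; not from the talk or any vendor tool.  The
status-line format below is constructed: it imitates a periodic line a
gateway could log for its cellular modem, and is not real modem output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A5/0 is no encryption; A5/1, A5/2 (and GEA0/GEA1 for packet data) are the
# weak legacy algorithms.  A5/3 and GEA2+ are the "theory" side of the slide.
WEAK_CIPHERS = {"A5/0", "A5/1", "A5/2", "GEA0", "GEA1"}
LEGACY_RATS = {"GSM", "GPRS", "EDGE"}   # 2G radio access technologies

# Constructed sample status lines (not real modem output).
SAMPLE_LOG = """\
2015-10-28T09:00:01Z gw=feeder-12 modem=wwan0 rat=LTE cipher=EEA2 cell=0x1a2b
2015-10-28T09:05:01Z gw=feeder-12 modem=wwan0 rat=LTE cipher=EEA2 cell=0x1a2b
2015-10-28T09:10:01Z gw=feeder-12 modem=wwan0 rat=GSM cipher=A5/1 cell=0x0f33
2015-10-28T09:15:01Z gw=feeder-12 modem=wwan0 rat=GSM cipher=A5/0 cell=0x0f33
2015-10-28T09:20:01Z gw=feeder-07 modem=wwan0 rat=UMTS cipher=UEA1 cell=0x2c44
2015-10-28T09:25:01Z gw=feeder-07 modem=wwan0 rat=GSM cipher=A5/3 cell=0x0f33
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) gw=(?P<gw>\S+) modem=(?P<modem>\S+) "
    r"rat=(?P<rat>\S+) cipher=(?P<cipher>\S+) cell=(?P<cell>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    gw: str
    reason: str


def classify(rat: str, cipher: str) -> Optional[str]:
    """Return a reason string if the link state is a downgrade, else None.

    A weak cipher is reported first; a 2G link is reported even when it
    negotiated A5/3, because the downgrade to 2G itself enables the MITM
    the slide refers to.
    """
    if cipher in WEAK_CIPHERS:
        return f"weak or null cipher {cipher}"
    if rat in LEGACY_RATS:
        return f"fallback to 2G ({rat}) even with {cipher}"
    return None


def scan(log_text: str) -> List[Finding]:
    """Parse status lines and collect every downgraded link state."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in a different format
        reason = classify(m["rat"], m["cipher"])
        if reason:
            findings.append(Finding(m["ts"], m["gw"], reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.gw}: {f.reason}")
```

On the sample data the scan yields three findings: two for `feeder-12` (A5/1, then A5/0) and one for `feeder-07`, whose A5/3 link is still flagged because it is a 2G link. In practice the same check belongs on the gateway itself, and the operational mitigation it points at is forcing the modem to LTE-only where coverage allows it.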


Real 4G encryption

Karsten Nohl, CCC, Hamburg, Germany, 2014

Vulnerabilities of (U)SIM:
- Remote data recovery (Kc, TIMSI)
- Channel decryption (including A5/3)
- Clone the SIM and mobile station
- SIM malware
- Block SIM via PIN/PUK bruteforce

Alexander Zaitsev, Sergey Gordeychik , PacSec, Tokyo, Japan, 2014

Femtoland and 3G sniffer. Alexey Osipov, Alexander Zaitsev, Black Hat USA 2015, Las Vegas

4G modem: a mobile computer (Linux/Android/BusyBox/VxWorks) with different interfaces:
- Storage: CWID USB SCSI CD-ROM USB Device, MMC Storage USB Device (MicroSD Card Reader)
- Local management: COM port (UI, AT commands)
- Remote management: Remote NDIS based Internet Sharing Device, WiFi

Kirill Nesterov, Timur Yunusov, HITBSec 2015, Amsterdam


Attack the modem


Attack host


Control


First one to guess how to bypass BIOS secure boot gets a l33t prize or free beer!

USB driver bugs over the network. Travis Goodspeed, Sergey Bratus: https://www.troopers.de/wp-content/uploads/2012/12/TROOPERS13-You_wouldnt_share_a_syringe_Would_you_share_a_USB_port-Sergey_Bratus+Travis_Goodspeed.pdf

BADUSB via the Internet

scadastrangelove.blogspot.com/2015/10/badusb-over-internet.html

SCADA with Antenna

The POWERful social network


Don't patch too much

Some kWs only

#CablemeltingBAD

As a side note, there is about a 3GW buffer in the European energy grids -- take 3GW off the net within a couple of seconds (or add them), and lights will go out. For quite a long while.


Digital Substations

http://scadastrangelove.blogspot.com/2013/11/scada-security-deep-inside.html
IEC 61850 tools:

Open Lab @PHDays
- PHDays III: Choo Choo Choo Pwn, security assessment/pentest
- PHDays IV: Critical Infrastructure Attack, 0-day research

http://bit.ly/1t8poTL
http://www.phdays.com/press/news/38171/


PHDays IV CIA

Goals: 0-day research on ICS components. Make a disaster: 0-day/1-day, CVSS, complexity, exploit, practical impact (e.g. disaster)

Targets:
- Schneider Electric: Wonderware System Platform, InduSoft Web Studio 7.1.4, ClearSCADA, IGSS, MiCOM C264
- Siemens: Flexible, TIA Portal 13 Pro, WinCC, KTP 600, Simatic S7-1500 (1511-1 PN), S7-300 (314-2 DP + CP343), S7-1200 v3, S7-1200 v2.2
- Rockwell Automation: RSLogix 500, Allen-Bradley MicroLogix 1400 1766-L32BWAA
- WellinTech KingSCADA, ICONICS Genesis64, ICP DAS PET-7067, Kepware KepServerEX (S7, DNP3), Honeywell Matrikon OPC (Modbus, DNP3), etc.


Results of PHDays IV CIA. Winners:
- Alisa Esage: SE InduSoft Web Studio 7.1
- Nikita Maximov & Pavel Markov: ICP DAS RTU
- Dmitry Kazakov: Siemens Simatic S7-1200 PLC
2 days, 10+ 0-days, responsible disclosure


Digital Substation Takeover: https://www.youtube.com/watch?v=w8T-bbO3Qec

Digital Substation Takeover

DoS in SIPROTEC 4

Specially crafted packets sent to port 50000/udp could cause a denial-of-service of the affected device. A manual reboot is required to recover the service of the device.
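The advisory wording above gives a defender one concrete, cheap signal: on a substation network, nothing but the engineering hosts should ever send UDP to port 50000 on a SIPROTEC 4 device, and a device that did get hit needs a manual reboot, so catching the traffic early matters. The following check is an added example, not code from the talk or from Siemens: it runs over flow records, keeps only UDP to 50000 on inventoried IEDs, and reports sources that are not on the allowlist. The flow-record format, the IED and engineering-host addresses, and the records themselves are all constructed for the example.

```python
"""Detect unexpected UDP traffic to port 50000 on inventoried SIPROTEC 4 IEDs.

Added example for this page, not from the talk or from Siemens.  The
flow-record format, the addresses and the allowlist are constructed; a real
deployment would load the IED list and engineering hosts from its asset
inventory and feed the same lists into the substation firewall's ACL.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

SIPROTEC_PORT = 50000   # the 50000/udp service named in the advisory

# Constructed inventory (not real addresses).
IED_ADDRESSES = {"10.10.20.11", "10.10.20.12"}   # SIPROTEC 4 relays
ENGINEERING_HOSTS = {"10.10.1.5"}                # hosts allowed to reach them

# Constructed flow records, one per line (not real logs).
SAMPLE_FLOWS = """\
2015-10-28T10:00:00Z proto=udp src=10.10.1.5 sport=40001 dst=10.10.20.11 dport=50000 bytes=120
2015-10-28T10:00:01Z proto=tcp src=10.10.1.5 sport=40002 dst=10.10.20.11 dport=102 bytes=300
2015-10-28T10:00:02Z proto=udp src=192.0.2.77 sport=5555 dst=10.10.20.11 dport=50000 bytes=64
2015-10-28T10:00:02Z proto=udp src=192.0.2.77 sport=5555 dst=10.10.20.11 dport=50000 bytes=64
2015-10-28T10:00:03Z proto=udp src=192.0.2.77 sport=5555 dst=10.10.20.12 dport=50000 bytes=64
2015-10-28T10:00:04Z proto=udp src=10.10.1.9 sport=1234 dst=10.10.20.99 dport=50000 bytes=64
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\S+) src=(?P<src>\S+) sport=\d+ "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=\d+$"
)


def parse_flows(text: str) -> List[dict]:
    """Turn the constructed flow lines into dicts; skip lines that don't match."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            flows.append(d)
    return flows


def suspicious_flows(text: str) -> List[dict]:
    """UDP/50000 to an inventoried IED from a host that is not allowed to talk to it.

    Traffic to non-inventoried destinations is deliberately ignored: the
    inventory is what scopes the rule, so an unknown address on the
    substation LAN is an inventory problem to fix, not a false alarm.
    """
    return [
        f for f in parse_flows(text)
        if f["proto"] == "udp"
        and f["dport"] == SIPROTEC_PORT
        and f["dst"] in IED_ADDRESSES
        and f["src"] not in ENGINEERING_HOSTS
    ]


def summarize(findings: List[dict]) -> Dict[Tuple[str, str], int]:
    """Count offending (source, IED) pairs so an analyst sees one line per pair."""
    return dict(Counter((f["src"], f["dst"]) for f in findings))


if __name__ == "__main__":
    for (src, dst), n in summarize(suspicious_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}:{SIPROTEC_PORT}/udp  {n} record(s)")
```

On the sample data the allowed engineering host's probe passes, the three records from `192.0.2.77` are reported as two (source, IED) pairs, and the record to `10.10.20.99` is dropped because that address is not in the IED inventory. The allowlist that drives the detection is the same one that should be enforced as a deny-by-default rule on the substation boundary firewall, which is the mitigation that actually prevents the reboot.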

The Power of Japan

Japan energy stations map: megawatts and location

Ukishima solar power plant

Kagoshima solar power plant

Kagoshima plant diagram: SUNNY CENTRAL 500CP-JP

The 70-megawatt system in Kagoshima is a good example of how important it is to have the right service partner at your side - someone with broad experience, who can respond to unexpected events in a flexible manner.

http://www.sma.de/en/products/references/kagoshima.html

Kagoshima plant diagram

ICS Security in Japan: 600+ SCADA/PLC on the Internet

ICS Security in Japan

PS

Spot the difference


Super Heavy Trains

150 freight cars, 12 500 tons, several locomotives

Super Heavy Jam

Automatic train protection - SIL 4!

SIL 4?!

Safety Integrity Level: Probability of Failure on Demand (PFD), Probability of Failure per Hour (PFH)

SIL 4? Root in 15 minutes!

We know the difference


Need for speed?

http://www.theguardian.com/world/2013/jul/25/spain-train-crash-travelling-so-fast

PPS

Network Convergence?

OT Convergence?

Modern Smart Grid:
- ICS/SCADA
- Mobile carrier
- Billing/Payment
- IoT
- Cloud

root via SMS

Alexander @arbitrarycode Zaitsev, Alexey @GiftsUngiven Osipov, Kirill @k_v_nesterov Nesterov, Dmitry @_Dmit Sklyarov, Timur @a66at Yunusov, Gleb @repdet Gritsai, Dmitry Kurbatov, Sergey Puzankov, Pavel Novikov

*All pictures are taken from Dr StrangeLove movie and other Internets

scadasl.org: SCADA STRANGELOVE

The Great Train Cyber Robbery

We already know: Reverse perimeter

HACK from the network

OPEN ATM in the internet

Thank you

*All pictures are taken from google and other Internets
