SCADA Strangelove presented at Chaos Communication Congress 29

by Sergey Gordeychik, Denis Baranov, Gleb Gritsai,

Tags: Attack SCADA

Summary : Modern civilization unconditionally depends on information systems. It is paradoxical but true that ICS/SCADA systems are the most insecure systems in the world. From network to application, SCADA is full of configuration issues and vulnerabilities.
During our report, we will demonstrate how to obtain full access to a plant via:
a sniffer and a packet generator
FTP and Telnet
Metasploit and osql
a webserver and a browser
About 20 new vulnerabilities in common SCADA systems including Simatic WinCC will be revealed.
modbuspatrol (mbpatrol), a free tool to discover and fingerprint PLCs
Simatic WinCC security checklist
Simatic WinCC forensic checklist and tools
a close-to-real-life attack scenario against a Simatic WinCC based plant
1.1 Who are we?
1.2 History of research
Overview of ICS/SCADA architecture
SCADA network puzzle
3.1 Overview of protocols used in SCADA networks
3.2 Modbus overview
3.3 S7 overview
3.4 Modbus/S7 SCADA/PLC fingerprinting (release of mbpatrol, a free tool for PLC fingerprinting)
Who is mister PLC?
4.1. Typical PLC architecture
4.2. Security and configuration issues
4.3. Coordinated disclosure of vulnerabilities in several PLCs
DEMO. Owning a plant with FTP and Telnet. During the demo, I will show how several vulnerabilities and configuration issues in a PLC can be used to get root access to the device, install a rootkit and manipulate something in the real world.
6.1. The role of the OS and DB in the security of SCADA infrastructure
6.2. Simatic WinCC default configuration issues
6.3. Ways to abuse OS and DB vulnerabilities
6.4. Coordinated disclosure of several OS/DB WinCC vulnerabilities
6.5. Simatic WinCC security checklist
6.6. Simatic WinCC post-exploitation/forensics
Heavy weapon
7.1. SCADA/HMI application architecture (based on Simatic WinCC)
7.2. Client side in a SCADA network? (release of a client-side fingerprint tool for HMI software)
7.3. Coordinated disclosure of the vulnerabilities in Siemens Simatic WinCC 7.0 used in the exploit.
Architecture of exploit
DEMO. Owning a plant with a browser. Exploit scenario. Several 0-day (but responsibly disclosed) vulnerabilities in Siemens Simatic WinCC 7.0 are used to:
Fingerprint presence of WinCC client software
Obtain access password to WinCC WebNavigator interface
Read registry and files on WinCC box
View and manage the HMI/PLC/technological process from the internet via the operator's browser
10 PS. Why physical separation is not enough
Will we talk about 0-day vulnerabilities? Yes, but we will coordinate with the vendor, so the list of vulnerabilities depends on how quickly Siemens patches them.
Will instruments be presented?