NiMa Bagheriasl, profile picture
Uploaded byNiMa Bagheriasl
PPTX, PDF295 views

Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02

The document discusses penetration testing of SCADA industrial control systems. It begins with an overview of SCADA systems, including what they are, where they are used, benefits, and basic concepts like the communication between the SCADA server and RTUs/PLCs. It then covers SCADA protocols like Modbus and DNP3. The document outlines various attack vectors like denial of service attacks, unauthorized access, and vulnerabilities in common protocols. It proposes a penetration testing methodology that involves discovery, protocol analysis, data manipulation, and security recommendations like firewalls, IDS, and training to improve SCADA security.

Downloaded 11 times
PENETRATION TESTING A SCADA INDUSTRIAL CONTROL SYSTEMS By : Yehia Mamdouh
THIS PRESENTATION WILL LET US KNOW: What is SCADA? What is used For? What the benefits behind using SCADA? SCADA system concept How SCADA Communication Works? SCADA Protocols SCADA Cyber security Types of SCADA Networks Attack Vectors Penetration testing methodology Conclusion
WHAT IS SCADA CONTROL SYSTEM? * SCADA : Supervisory Control and Data Acquisition. A type of control system can be used to monitor many different kinds of equipment in many different kinds of environments * In General Refers to an industrial control system (ICS)
WHERE YOU CAN LOCATE SCADA? * Electric power generation, transmission, and distribution * Water and sewage * Buildings, facilities, and environments * Manufacturing * Mass transit * Traffic signals.
BENEFITS OF SCADA Used For 1-Trasmits individual device status 2- Manages energy consumption by controlling the devices 3- Allowing directly control power system equipment 4- Control chemical plant processes, oil and gas pipelines, electrical generation and transmission equipment, manufacturing facilities...etc. EX: Motors, valves, pumps, relayes, etc. Benefits: 1- Identify and solve problems before they even start. 2- Keep your eye on long-term trends and threats 3- Identify and attack bottlenecks and inefficiencies throughout the enterprise 4- Effectively manage bigger and more complicated processes with a smaller staff.
SCADA SYSTEM CONCEPT SCADA WorkStation : Human operator it’s a device to issue a command central SCADA console, receiving raw data in human form, also monitor and control HMI: (Human-Machine Interface) It’s Software & Hardware that allows human operator to monitor state of process under control, modify control settings, manually override auto-control operations The interface locate between the human operator and the commands relevant to the SCADA system. (Windows, Linux or Unix)
SCADA SYSTEM CONCEPT Data Historian: Collect and store information from your mission critical systems, extract and perform accurate analyses (SQL) SCADA Server MTU: (Master terminal unit) is a device that issues the commands to the Remote Terminal Unit (RTUs) which are located at remote places from the control, gathers the required data, stores the information, and process the information and display the information RTU: Connecting to sensors on the process, converting sensors signals and sending digital data to the supervisory systems PLC: Programmable Logic Controller (PLC) automatically performers the main site control process which controls the operation of industrial equipment's. such as control of machinery
WHO SCADA COMMUNICATIONS WORKS? * The Control Operator or workstation monitor the data and initiates control commands to HMI * HMI which is machines, traditional applications installed on workstations running Windows or Linux and recently use web applications These HMIs speak to the SCADA controlling server *SCADA controlling server collected data from Data historian which is basically a database that the SCADA server pushes data to and in some cases pulls data from * SCADA server sends the appropriate signal to the correct RTU or PLC. * The RTU or PLC consults its pre-programmed logic to determine what it should do with this control signal controls the operation of industrial equipment's *Equipment's EX: Relays, Capacitor banks, Feeder Switches, Actuators
Temperature Level Pressure Level Oil Level Alarm Radioactivity level HMI (Web Interface) Work Station Data Historian SCADA Server Communication Router Wide Area Network RTU/PLC RTU/PLC ModBus TCP/IP– DNP3 protocols communicate between SCADA server and RTU/PLC System Concept of SCADA
SCADA PROTOCOL * We have mention that SCADA server send signals to RTU or PLC and vice versa How Can Central SCADA console to receive information from sensors, which are very simple devices? Here is comes SCADA Protocols ! * RTU collects data from sensors and converts the readings into a protocol, such as MODBUS or DNP3, that can be transported across your communications network and back to you DNP3(Distributed Network Protocol) used for communications between master station and RTUs Port 20000 TCP/UDP Modbus is typically used for Supervisory Control and Data Acquisition (SCADA)-style network communication between devices implementations over serial, TCP/IP Standard port 502 TCP DNP3 ModBus
WHY SECURITY IS IMPORTANT IN CONTROL SYSTEMS? Why? *The ability of cyber intruders to gain access to networked control systems might be easy *More efficient methods of communication = more new risks cause disaster *Control systems share the common vulnerabilities with the traditional information technology *Control systems Recently adopting web technology , Which is interesting target for cyber attacks *Non secure protocols that transmitted data some of them = TCP/IP *Control systems turn on to use Windows , Linux which have known vulnerabilities
WHY SECURITY IS IMPORTANT IN CONTROL SYSTEMS? * New protocols and communication standards that are providing increased are the same technologies that have been exploited and compromised in the Internet and networking domains Modbus TCP Modbus request packet No authentication no encryption no security Attacks on Field Devices Database Attacks Communications hijacking and ‘Man-in-the-middle’ attacks Vulnerabilities in Common Protocols
REAL ATTACKS For last years, security risks have been reported in control systems
Types of SCADA Networks
TYPES OF SCADA NETWORKS Early or Monolithic SCADA systems *First SCADA systems held all operations in one *Usually a mainframe, computer. There was little control exercised, and most early SCADA functions were limited to monitoring sensors and flagging any operations *Limited to a single plant or facility. Like the software, SCADA hardware from one vendor was rarely usable in another vendor's SCADA system.
TYPES OF SCADA NETWORKS Distributed SCADA Systems *Shared control functions across multiple smaller (usually PC) computers connected by Local Area Networks (LAN) *Shared Real Time information and often performed small control tasks in addition to alerting operators of possible problems
TYPES OF SCADA NETWORKS Networked SCADA systems * Current SCADA systems are usually networked * Communicate through Wide Area Networks (WAN) systems, over phone or data lines and often transmit data between nodes through Ethernet or Fiber Optic connections. * Make heavy use of Programmable Logic Controllers (PLC) to monitor and make routine process adjustments, *The hardware tends to be more interchangeable as PLC and other sub-unit vendors have standardized communications and other protocols to allow the user to choose the best component for their needs
TYPES OF SCADA NETWORKS Internet of Things (IoT) *A data model allows to define the types of data that will be monitored, allows for new types to be added quickly and easily as new smart objects are added to the process *Allows combinations of smart things/objects, sensor network technologies * Communication will bring physical business benefits like high-resolution management of resources and products, better collaboration between enterprises, and improved life-cycle management
ATTACK VECTORS *SCADA systems are vulnerable to the same threats as any TCP/IP-based system. *SCADA Administrators and Industrial Systems Analysts deceived into thinking that since their industrial networks are on separate systems ,they are safe form outside attacks. *PLCs and RTUs are usually polled by other 3rd party vendor-specific networks and protocols MODBUS4, and DNP, and are usually done over phone lines, leased private frame relay circuits, satellite systems *Security in an industrial network can be compromised in many places along the system and is most easily compromised at the SCADA host or control room level SCADA Attacks How Far?
ATTACK VECTORS *Denial of Service (DoS) attack to crash the SCADA server leading to shut down condition *Delete system files on the SCADA server (System Downtime and Loss of Operations) *Plant a Trojan and take complete control of system *Log any company-sensitive operational data for personal or competition usage There is Attack Vectors Should be addressed 1- Backdoors and holes in network perimeter 2- Vulnerabilities in common protocols 3- Attacks on Field Devices 4- Database Attacks 5- Communications hijacking and ‘Man-in-the-middle’ attacks ++ Once the corporate network compromised, then any IP-based device or computer system can be accessed. ++ 24/7 provides an opportunity to attack the SCADA host system can cause :
ATTACK VECTORS 1-Modern networks in the control system arena, often have inherent capabilities that are deployed without sufficient security analysis and can provide access to attackers once they are discovered. 2- Network components, have technologies These technologies often include firewalls, public-facing services, and wireless access. each of these components often does have associated security vulnerabilities 3-Remotely located control system elements that can be accessed via remotely connected communications if systems are based on commercial operating systems, the attacks can be via DDOS, escalated privilege exploits, Trojan horse Backdoors and holes in network perimeter
ATTACK VECTORS 4- Organizations in many CI/KR sectors provide data to customers, providers, through publicly accessible services. Such as calculating load expectations, billing futures information. As these services are in the public domain, they are often accessible from the Internet with little or no user access limitations 5- Relationship between the firewall and the web server if not deployed right this allows unauthorized, data to flow from the external side to the internal domain. If the attacker compromised the trusted web server, the attacker has a channel to access internal services (or control systems) LAN. Backdoors and holes in network perimeter
ATTACK VECTORS 1- Microsoft XP, a platform commonly used in control systems, mitigates the security issues 2- Control systems and modern networking technologies comes some inherited security vulnerabilities. Even though many of these vulnerabilities have solutions and available workarounds, the deployment of these mitigations in control systems architectures is not always feasible. Attacks Using Common Protocols
ATTACK VECTORS 1-Control systems architectures usually have a capability for remote access to terminal end points and devices in number of ways including by telephonic or dedicated means. To provide for the collection of operational and maintenance data 2-Modern equipment has embedded file servers and web servers to facilitate robust communications these devices are part of an internal and trusted domain, and thus access into these devices can provide an attacker with an unauthorized vector into the control system architecture. 3-RTUs, are an extension of the control domain, attackers can add these field devices to their list of viable targets to be investigated during reconnaissance and scanning phases of the attack. 3-If a device is compromised, and the attacker can leverage control over the device and escalate privileges Attack into control system via field devices
ATTACK VECTORS 1-Database applications have become core application components of control systems and their associated record keeping utilities 2-Databases used by control systems are often connected to databases located on the business network and most use (SQL). The information contained in databases makes them high-value targets for any attacker 3-Attackers can exploit the communications channel between the two networks and bypass the security mechanisms used to protect the control system environment 4-The effect of corrupted database content can impact data acquisition servers, historians, and even the operator HMI console. Control systems databases because they are so reliant on data accuracy and integrity. Database and SQL data injection attacks
ATTACK VECTORS 1- The ability for an attacker to re-route data that is in transit on a network, the ability to capture and analyze critical traffic that is in plaintext format, and the ability toreverse engineer any unique protocols to gain command over control communications 2- By combining all of these MITM, attack is executed 3- As the attack is on the control domain, this plaintext traffic can be harvested (sniffed) and taken offline for analysis and review 4-Using ARP poisoning and collecting traffic, the attacker can establish and maintain complete control over the communications in the network , preventing the HMI from issuing alarms 5- MTM can be between HMI and RTU due to week protocol that are used like Modbus Man-in-the-middle attacks
Penetration Testing Methodology
PENETRATION TESTING METHODOLOGY Penetration Testing Methodology we use in Control systems it like Normal Network Penetration Testing  How? * We are dealing With Devices - Operating systems (windows , Linux ) – Protocols over TCP –Application and SQL Databases – Firewalls Audit identification Devices and networks: Router configs, router tables, switch tables, physical cable checks, packet sniffing Services Local Port verification (nestate) Vulnerabilities Local banner grabbing Perimeter Identify all external connections *Review firewall rules *Review remote access methods *Check for wireless networks *Check physical access
PENETRATION TESTING METHODOLOGY Penetration Testing Methodology we use in Control systems it like Normal Network Penetration Testing  How? Network Infrastructure Review router configs Review switch tables Conduct physical cable checks Conduct packet sniffing and analysis Host operating systems Review patch level Review password quality Review share and directory permissions Review remote access Applications Review ports and services Review OS credentials Revives remote access Consider code review PLCs, RTU,s ..etc. Review patch levels Review password quality Conduct packet sniffing
PENETRATION TESTING METHODOLOGY Scanning / Discovery Some tools are Available Like plcscan - Scans Modbus device Modescan - Scans Modbus devices Nmap ( Be carful single Nmap scan can crush system) Metasploit Modules for Modbus detection *Most PLCs (Communication Modules) have no ability to filter based on source IP address So we Can Use python scripts or John the Ripper for crack Bruteforce PLC online Scan supported devices and stations change name of stations change IP, Netmask, gateway request full network info
PENETRATION TESTING METHODOLOGY Analyze protocols How protocols live in the network? Not blocked by firewalls/switches Accessible between Lan segments Works form data link layer to application layer Easy to detect Easy to analyze So we Can Available Tools detect devices and their protocols monitor state, commands inject, modify reply packets in real times Sniffing Traffic Wireshark tcpdump python hex viewer
PENETRATION TESTING METHODOLOGY Analyze protocols Modbus Using the web is the often the easiest way 80% of Modbus/TCP devices have web interfaces Other research shows most devices run Windows 2k DNP3 *Has source and destination addresses that can be useful in Man-in the-Middle attacks Such as 1-Turn off unsolicited reporting to stifle alarms 2- Issue unauthorized stops, restart, or other functions that could disrupt specific operations *Implementations typically do not employ encryption, authentication and authorization; DNP3 devices simply assume that all messages are valid
PENETRATION TESTING METHODOLOGY Analyze protocols DNP3 Passive Network Reconnaissance With appropriate access captures and analyzes DNP3 messages. This provides the information about network topology, device functionality, Rogue Test Installs a “man-in-the-middle” device between the master and outstations that can read, modify and fabricate DNP3 messages and/or network traffic memory addresses and other data Other attacks on Data Link and Application Layer
PENETRATION TESTING METHODOLOGY Data Manipulation Available Tools Web Application Test and SQL Injection *As Scada Use Web application On HMI and SQL in Database we can test them for possible Vulnerabilities Modlib - Scapy extention [python] OpenDNP3 - Library [C++] Metasploit Modules
Conclusion
SCADA SECURITY Creating Demilitarized Zones (DMZs) Multiple DMZs could also be created for separate functionalities and access privileges, such as peer connections, the data historian, the Inter Control Center Communications Protocol (ICCP) server in SCADA systems Firewalls properly configured and coordinated, can protect passwords, IP addresses, files and more Proxy Servers Proxy server is an internet server that acts as a firewall, mediating traffic between a protected network and the internet The Security Policy Effective security policies and procedures are the first step to a secure control systems network. Many of the same policies Security Training Provide The staff that work in the facility Security Tanning very essential for preventing Physical and Social Engineering Attacks
SCADA SECURITY 1- Identify all connections to SCADA networks 2- Disconnect unnecessary connections to the SCADA network 3- Removing or Disable unnecessary services 4- Implement internal and external IDS and establish 24-hour incident monitoring 5- Conduct Physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security 6- Clearly define cyber security roles, responsibilities and authorities for managers, system administrators and users 7- Document network architecture and identify systems that serve critical function that require additional levels of protection
Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02

More Related Content

PPTX
High dependability of the automated systems
byAlan Tatourian
 
PDF
Model-based security testing
byAxel Rennoch
 
PDF
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
byHyTrust
 
PPT
AMI Security 101 - Smart Grid Security East 2011
bydma1965
 
PPTX
2010-12 SCAP Explained
byRaleigh ISSA
 
PPTX
Classification of vulnerabilities
byMayur Mehta
 
PPT
Software security engineering
byaizazhussain234
 
PPTX
Sdl deployment in ics
byMayur Mehta
 
High dependability of the automated systems
byAlan Tatourian
 
Model-based security testing
byAxel Rennoch
 
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
byHyTrust
 
AMI Security 101 - Smart Grid Security East 2011
bydma1965
 
2010-12 SCAP Explained
byRaleigh ISSA
 
Classification of vulnerabilities
byMayur Mehta
 
Software security engineering
byaizazhussain234
 
Sdl deployment in ics
byMayur Mehta
 

What's hot

PPTX
Kaspersky Kesb ep10 no_cm_v01a
byIgor Pandzic
 
PPTX
Defending against industrial malware
byAyed Al Qartah
 
PDF
Information Technology Security Techniques Evaluation Criteria For It Secrit...
byVishnu Kesarwani
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PDF
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
byTI Safe
 
PDF
"CERT Secure Coding Standards" by Dr. Mark Sherman
byRinaldi Rampen
 
PDF
Open Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
byFalgun Rathod
 
PDF
Presentation on vulnerability analysis
byAsif Anik
 
PPTX
Network Vulnerability Assessment: Key Decision Points
byPivotPointSecurity
 
PDF
Nist.sp.800 82r2
byvimal Kumar Gupta
 
PPTX
what is security
byDedi Dwianto
 
PPT
OWASP - Building Secure Web Applications
byalexbe
 
PPT
Secure by design and secure software development
byBill Ross
 
PDF
NIST Framework for Information System
bynewbie2019
 
PPT
Software Security Testing
byankitmehta21
 
PPTX
Vulnerability Assesment
byDedi Dwianto
 
PPTX
CS5032 L11 validation and reliability testing 2013
byIan Sommerville
 
PDF
2020 safecomp-sep18
byKenji Taguchi
 
PDF
System-level Threats: Dangerous Assumptions in modern Product Security
byCristofaro Mune
 
PPT
Introduction to Functional Safety and SIL Certification
byISA Boston Section
 
Kaspersky Kesb ep10 no_cm_v01a
byIgor Pandzic
 
Defending against industrial malware
byAyed Al Qartah
 
Information Technology Security Techniques Evaluation Criteria For It Secrit...
byVishnu Kesarwani
 
The What, Why, and How of DevSecOps
byCprime
 
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
byTI Safe
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
byRinaldi Rampen
 
Open Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
byFalgun Rathod
 
Presentation on vulnerability analysis
byAsif Anik
 
Network Vulnerability Assessment: Key Decision Points
byPivotPointSecurity
 
Nist.sp.800 82r2
byvimal Kumar Gupta
 
what is security
byDedi Dwianto
 
OWASP - Building Secure Web Applications
byalexbe
 
Secure by design and secure software development
byBill Ross
 
NIST Framework for Information System
bynewbie2019
 
Software Security Testing
byankitmehta21
 
Vulnerability Assesment
byDedi Dwianto
 
CS5032 L11 validation and reliability testing 2013
byIan Sommerville
 
2020 safecomp-sep18
byKenji Taguchi
 
System-level Threats: Dangerous Assumptions in modern Product Security
byCristofaro Mune
 
Introduction to Functional Safety and SIL Certification
byISA Boston Section
 

Viewers also liked

PPTX
Yelithza lopez herrera
byYELITHZA LOPEZ HERRERA
 
PPT
θIbet
by2ο Δημοτικό Σχολείο Ξάνθης
 
PDF
ISO/IEC 15408-Common Criteria: ارزیابی امنیتی محصولات فناوری اطلاعات
byMahdi Sayyad
 
PPTX
نمونه فرآیند مدل سازی شده
bySalar Saket
 
DOCX
12 pasos para el exito harold sánchez
byHarold Sanchez
 
PDF
آشنایی با جرم‌یابی قانونی رایانه‌ای
byRamin Najjarbashi
 
PPTX
Presentation1
byKatherine Duan
 
PPTX
Theories presentation
bySpencer Hancock
 
PDF
Guinness global energy report
byCraig McConnell (Cii)
 
PDF
Українські книги ювіляри - 2017
byБогдан Лісовенко
 
PPTX
پیوند استراتژی و عملیات
bySalar Saket
 
PPTX
ppt of gears manufacturing processes
byAyush Upadhyay
 
PPTX
Blackout poetry
byJessica Drinks
 
PDF
Cierre 2016 canaco
bycapacitacionpkfqueretaro
 
PDF
Extend and build on Kubernetes
byStefan Schimanski
 
PPTX
ΜΑΝΟΣ ΧΑΤΖΙΔΑΚΙΣ - ΒΙΟΓΡΑΦΙΑ
by2ο Δημοτικό Σχολείο Ξάνθης
 
DOCX
Tecnologia educativa
bymarlenne martinez
 
Yelithza lopez herrera
byYELITHZA LOPEZ HERRERA
 
θIbet
by2ο Δημοτικό Σχολείο Ξάνθης
 
ISO/IEC 15408-Common Criteria: ارزیابی امنیتی محصولات فناوری اطلاعات
byMahdi Sayyad
 
نمونه فرآیند مدل سازی شده
bySalar Saket
 
12 pasos para el exito harold sánchez
byHarold Sanchez
 
آشنایی با جرم‌یابی قانونی رایانه‌ای
byRamin Najjarbashi
 
Presentation1
byKatherine Duan
 
Theories presentation
bySpencer Hancock
 
Guinness global energy report
byCraig McConnell (Cii)
 
Українські книги ювіляри - 2017
byБогдан Лісовенко
 
پیوند استراتژی و عملیات
bySalar Saket
 
ppt of gears manufacturing processes
byAyush Upadhyay
 
Blackout poetry
byJessica Drinks
 
Cierre 2016 canaco
bycapacitacionpkfqueretaro
 
Extend and build on Kubernetes
byStefan Schimanski
 
ΜΑΝΟΣ ΧΑΤΖΙΔΑΚΙΣ - ΒΙΟΓΡΑΦΙΑ
by2ο Δημοτικό Σχολείο Ξάνθης
 
Tecnologia educativa
bymarlenne martinez
 

Similar to Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02

PPTX
SCADA Systems and its security!
byShiv Sahni
 
PPTX
Supervisory Control and Data Acquisition SYSTEMS.pptx
bytafadzwanderere1
 
PPTX
Scada systems basics winnie mbau
bywinnie15
 
PPTX
Scada presentation (group 10)
byRitvik Bhatia
 
PDF
A presentation on scada system
byIIT INDORE
 
PPTX
Training manual on scada
bybhavuksharma10
 
PDF
IJSRED-V2I2P15
byIJSRED
 
PDF
SCADA Systems Vulnerabilities and Blockchain Technology
byijtsrd
 
PDF
Unit Three.pdfrhykyfgdsfuliuyfgm,i;poiuyrtghkl;ipoiy
byinteraman123
 
PDF
Cryptography and Authentication Placement to Provide Secure Channel for SCADA...
byCSCJournals
 
PDF
Practical DNP3 and Modern SCADA Systems
byLiving Online
 
PDF
Scada system architecture, types and applications
byUchi Pou
 
PPTX
SCADA (Supervisory Control & data Acquisation) PPT
byDeepeshK4
 
PPTX
Scada slide
byTowfiqur Rahman
 
PPTX
SCADA The Universal Remote for Industrial Control.pptx
byAnujMarskole
 
PPT
LIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
bySonuSingh81247
 
PPT
LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
bySonuSingh81247
 
PPTX
SCADA Assignment.pptx
byssuser1831ba
 
PPTX
Security Issues in SCADA based Industrial Control Systems
byaswanthmrajeev112
 
PPT
SCADA
bySABARINATH C D
 
SCADA Systems and its security!
byShiv Sahni
 
Supervisory Control and Data Acquisition SYSTEMS.pptx
bytafadzwanderere1
 
Scada systems basics winnie mbau
bywinnie15
 
Scada presentation (group 10)
byRitvik Bhatia
 
A presentation on scada system
byIIT INDORE
 
Training manual on scada
bybhavuksharma10
 
IJSRED-V2I2P15
byIJSRED
 
SCADA Systems Vulnerabilities and Blockchain Technology
byijtsrd
 
Unit Three.pdfrhykyfgdsfuliuyfgm,i;poiuyrtghkl;ipoiy
byinteraman123
 
Cryptography and Authentication Placement to Provide Secure Channel for SCADA...
byCSCJournals
 
Practical DNP3 and Modern SCADA Systems
byLiving Online
 
Scada system architecture, types and applications
byUchi Pou
 
SCADA (Supervisory Control & data Acquisation) PPT
byDeepeshK4
 
Scada slide
byTowfiqur Rahman
 
SCADA The Universal Remote for Industrial Control.pptx
byAnujMarskole
 
LIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
bySonuSingh81247
 
LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
bySonuSingh81247
 
SCADA Assignment.pptx
byssuser1831ba
 
Security Issues in SCADA based Industrial Control Systems
byaswanthmrajeev112
 
SCADA
bySABARINATH C D
 

Recently uploaded

PDF
Somnath Mukherjee_BIM Specialist_Resume.pdf
bySomnathMukherjee980757
 
PDF
IS18591-2024 Geosynthetic Reinforced Soil Structures — Code of Practice
byRabindra Shrestha
 
PDF
Lagoon Liners and Baffle Curtains - v.23
byBrian Gongol
 
PDF
Boundary Conditions of field components.pdf
byRCC Institute of Information Technology
 
PDF
Replacing react with hotwire - Scot Ruby September 2025
bypythonandchips
 
PPT
Design Flow of Analog IC Design - Presentation
byRRaja Einstein
 
PDF
MCP, Functions and Security | Development with AI Tools
byShaBoncuku1
 
PPTX
RECENT RADIATION THERAPY AND RADIATION SAFETY
bySt.Xaviers Catholic College of Engineering
 
PDF
AppiaII-Manual-2-3Gr for service technician.pdf
bytroneelektrik
 
PPTX
DECARBONAZING REFINING INDUSTRY rev2.pptx
bygonzalezolabarriaped
 
PPTX
Introduction of gdg and info session on study jam.pptx
byDeepakkumarSingh415123
 
PDF
SE APPIA LIFE VOL 2-3GR for service manual.pdf
bytroneelektrik
 
PDF
energies-14-0ggggggggggggggggg2725-v2.pdf
byCarlosPrezBuelga
 
PDF
Certified Cloud Security Professional (CCSP): Unit 4
byVICTOR MAESTRE RAMIREZ
 
PDF
Evolution of MQ Messaging to Distributed Data Pipeline
byPeerapat Asoktummarungsri
 
PDF
Certified Kubernetes Security Specialist (CKS): Unit 8
byVICTOR MAESTRE RAMIREZ
 
PDF
Lecture 1 - Artificial Intelligence.pdf
bykq2g4jj66b
 
PDF
Overcoming QoS Challenges in a Full Automotive Ethernet Architecture
byRealTime-at-Work (RTaW)
 
PDF
Detailed functionof hydraulic system in OK and atox mills.pdf
byagungcemindo
 
PPTX
INDUSTRIAL ERGONOMICS.pptx-MCN 401 -MODULE 3
byVinayB68
 
Somnath Mukherjee_BIM Specialist_Resume.pdf
bySomnathMukherjee980757
 
IS18591-2024 Geosynthetic Reinforced Soil Structures — Code of Practice
byRabindra Shrestha
 
Lagoon Liners and Baffle Curtains - v.23
byBrian Gongol
 
Boundary Conditions of field components.pdf
byRCC Institute of Information Technology
 
Replacing react with hotwire - Scot Ruby September 2025
bypythonandchips
 
Design Flow of Analog IC Design - Presentation
byRRaja Einstein
 
MCP, Functions and Security | Development with AI Tools
byShaBoncuku1
 
RECENT RADIATION THERAPY AND RADIATION SAFETY
bySt.Xaviers Catholic College of Engineering
 
AppiaII-Manual-2-3Gr for service technician.pdf
bytroneelektrik
 
DECARBONAZING REFINING INDUSTRY rev2.pptx
bygonzalezolabarriaped
 
Introduction of gdg and info session on study jam.pptx
byDeepakkumarSingh415123
 
SE APPIA LIFE VOL 2-3GR for service manual.pdf
bytroneelektrik
 
energies-14-0ggggggggggggggggg2725-v2.pdf
byCarlosPrezBuelga
 
Certified Cloud Security Professional (CCSP): Unit 4
byVICTOR MAESTRE RAMIREZ
 
Evolution of MQ Messaging to Distributed Data Pipeline
byPeerapat Asoktummarungsri
 
Certified Kubernetes Security Specialist (CKS): Unit 8
byVICTOR MAESTRE RAMIREZ
 
Lecture 1 - Artificial Intelligence.pdf
bykq2g4jj66b
 
Overcoming QoS Challenges in a Full Automotive Ethernet Architecture
byRealTime-at-Work (RTaW)
 
Detailed functionof hydraulic system in OK and atox mills.pdf
byagungcemindo
 
INDUSTRIAL ERGONOMICS.pptx-MCN 401 -MODULE 3
byVinayB68
 

Penetrationtestingascadaindustrialcontrolsystems 141229233134-conversion-gate02

  • 1.
    PENETRATION TESTING ASCADA INDUSTRIAL CONTROL SYSTEMS By : Yehia Mamdouh
  • 2.
    THIS PRESENTATION WILLLET US KNOW: What is SCADA? What is used For? What the benefits behind using SCADA? SCADA system concept How SCADA Communication Works? SCADA Protocols SCADA Cyber security Types of SCADA Networks Attack Vectors Penetration testing methodology Conclusion
  • 3.
    WHAT IS SCADACONTROL SYSTEM? * SCADA : Supervisory Control and Data Acquisition. A type of control system can be used to monitor many different kinds of equipment in many different kinds of environments * In General Refers to an industrial control system (ICS)
  • 4.
    WHERE YOU CANLOCATE SCADA? * Electric power generation, transmission, and distribution * Water and sewage * Buildings, facilities, and environments * Manufacturing * Mass transit * Traffic signals.
  • 5.
    BENEFITS OF SCADA UsedFor 1-Trasmits individual device status 2- Manages energy consumption by controlling the devices 3- Allowing directly control power system equipment 4- Control chemical plant processes, oil and gas pipelines, electrical generation and transmission equipment, manufacturing facilities...etc. EX: Motors, valves, pumps, relayes, etc. Benefits: 1- Identify and solve problems before they even start. 2- Keep your eye on long-term trends and threats 3- Identify and attack bottlenecks and inefficiencies throughout the enterprise 4- Effectively manage bigger and more complicated processes with a smaller staff.
  • 6.
    SCADA SYSTEM CONCEPT SCADAWorkStation : Human operator it’s a device to issue a command central SCADA console, receiving raw data in human form, also monitor and control HMI: (Human-Machine Interface) It’s Software & Hardware that allows human operator to monitor state of process under control, modify control settings, manually override auto-control operations The interface locate between the human operator and the commands relevant to the SCADA system. (Windows, Linux or Unix)
  • 7.
    SCADA SYSTEM CONCEPT DataHistorian: Collect and store information from your mission critical systems, extract and perform accurate analyses (SQL) SCADA Server MTU: (Master terminal unit) is a device that issues the commands to the Remote Terminal Unit (RTUs) which are located at remote places from the control, gathers the required data, stores the information, and process the information and display the information RTU: Connecting to sensors on the process, converting sensors signals and sending digital data to the supervisory systems PLC: Programmable Logic Controller (PLC) automatically performers the main site control process which controls the operation of industrial equipment's. such as control of machinery
  • 8.
    WHO SCADA COMMUNICATIONSWORKS? * The Control Operator or workstation monitor the data and initiates control commands to HMI * HMI which is machines, traditional applications installed on workstations running Windows or Linux and recently use web applications These HMIs speak to the SCADA controlling server *SCADA controlling server collected data from Data historian which is basically a database that the SCADA server pushes data to and in some cases pulls data from * SCADA server sends the appropriate signal to the correct RTU or PLC. * The RTU or PLC consults its pre-programmed logic to determine what it should do with this control signal controls the operation of industrial equipment's *Equipment's EX: Relays, Capacitor banks, Feeder Switches, Actuators
  • 9.
    Temperature Level Pressure Level OilLevel Alarm Radioactivity level HMI (Web Interface) Work Station Data Historian SCADA Server Communication Router Wide Area Network RTU/PLC RTU/PLC ModBus TCP/IP– DNP3 protocols communicate between SCADA server and RTU/PLC System Concept of SCADA
  • 10.
    SCADA PROTOCOL * Wehave mention that SCADA server send signals to RTU or PLC and vice versa How Can Central SCADA console to receive information from sensors, which are very simple devices? Here is comes SCADA Protocols ! * RTU collects data from sensors and converts the readings into a protocol, such as MODBUS or DNP3, that can be transported across your communications network and back to you DNP3(Distributed Network Protocol) used for communications between master station and RTUs Port 20000 TCP/UDP Modbus is typically used for Supervisory Control and Data Acquisition (SCADA)-style network communication between devices implementations over serial, TCP/IP Standard port 502 TCP DNP3 ModBus
  • 12.
    WHY SECURITY ISIMPORTANT IN CONTROL SYSTEMS? Why? *The ability of cyber intruders to gain access to networked control systems might be easy *More efficient methods of communication = more new risks cause disaster *Control systems share the common vulnerabilities with the traditional information technology *Control systems Recently adopting web technology , Which is interesting target for cyber attacks *Non secure protocols that transmitted data some of them = TCP/IP *Control systems turn on to use Windows , Linux which have known vulnerabilities
  • 13.
    WHY SECURITY ISIMPORTANT IN CONTROL SYSTEMS? * New protocols and communication standards that are providing increased are the same technologies that have been exploited and compromised in the Internet and networking domains Modbus TCP Modbus request packet No authentication no encryption no security Attacks on Field Devices Database Attacks Communications hijacking and ‘Man-in-the-middle’ attacks Vulnerabilities in Common Protocols
  • 14.
    REAL ATTACKS For lastyears, security risks have been reported in control systems
  • 15.
  • 16.
    TYPES OF SCADANETWORKS Early or Monolithic SCADA systems *First SCADA systems held all operations in one *Usually a mainframe, computer. There was little control exercised, and most early SCADA functions were limited to monitoring sensors and flagging any operations *Limited to a single plant or facility. Like the software, SCADA hardware from one vendor was rarely usable in another vendor's SCADA system.
  • 17.
    TYPES OF SCADANETWORKS Distributed SCADA Systems *Shared control functions across multiple smaller (usually PC) computers connected by Local Area Networks (LAN) *Shared Real Time information and often performed small control tasks in addition to alerting operators of possible problems
  • 18.
    TYPES OF SCADANETWORKS Networked SCADA systems * Current SCADA systems are usually networked * Communicate through Wide Area Networks (WAN) systems, over phone or data lines and often transmit data between nodes through Ethernet or Fiber Optic connections. * Make heavy use of Programmable Logic Controllers (PLC) to monitor and make routine process adjustments, *The hardware tends to be more interchangeable as PLC and other sub-unit vendors have standardized communications and other protocols to allow the user to choose the best component for their needs
  • 19.
    TYPES OF SCADANETWORKS Internet of Things (IoT) *A data model allows to define the types of data that will be monitored, allows for new types to be added quickly and easily as new smart objects are added to the process *Allows combinations of smart things/objects, sensor network technologies * Communication will bring physical business benefits like high-resolution management of resources and products, better collaboration between enterprises, and improved life-cycle management
  • 21.
    ATTACK VECTORS *SCADA systemsare vulnerable to the same threats as any TCP/IP-based system. *SCADA Administrators and Industrial Systems Analysts deceived into thinking that since their industrial networks are on separate systems ,they are safe form outside attacks. *PLCs and RTUs are usually polled by other 3rd party vendor-specific networks and protocols MODBUS4, and DNP, and are usually done over phone lines, leased private frame relay circuits, satellite systems *Security in an industrial network can be compromised in many places along the system and is most easily compromised at the SCADA host or control room level SCADA Attacks How Far?
  • 22.
    ATTACK VECTORS *Denial ofService (DoS) attack to crash the SCADA server leading to shut down condition *Delete system files on the SCADA server (System Downtime and Loss of Operations) *Plant a Trojan and take complete control of system *Log any company-sensitive operational data for personal or competition usage There is Attack Vectors Should be addressed 1- Backdoors and holes in network perimeter 2- Vulnerabilities in common protocols 3- Attacks on Field Devices 4- Database Attacks 5- Communications hijacking and ‘Man-in-the-middle’ attacks ++ Once the corporate network compromised, then any IP-based device or computer system can be accessed. ++ 24/7 provides an opportunity to attack the SCADA host system can cause :
  • 23.
    ATTACK VECTORS 1-Modern networksin the control system arena, often have inherent capabilities that are deployed without sufficient security analysis and can provide access to attackers once they are discovered. 2- Network components, have technologies These technologies often include firewalls, public-facing services, and wireless access. each of these components often does have associated security vulnerabilities 3-Remotely located control system elements that can be accessed via remotely connected communications if systems are based on commercial operating systems, the attacks can be via DDOS, escalated privilege exploits, Trojan horse Backdoors and holes in network perimeter
  • 24.
    ATTACK VECTORS 4- Organizationsin many CI/KR sectors provide data to customers, providers, through publicly accessible services. Such as calculating load expectations, billing futures information. As these services are in the public domain, they are often accessible from the Internet with little or no user access limitations 5- Relationship between the firewall and the web server if not deployed right this allows unauthorized, data to flow from the external side to the internal domain. If the attacker compromised the trusted web server, the attacker has a channel to access internal services (or control systems) LAN. Backdoors and holes in network perimeter
  • 25.
    ATTACK VECTORS 1- MicrosoftXP, a platform commonly used in control systems, mitigates the security issues 2- Control systems and modern networking technologies comes some inherited security vulnerabilities. Even though many of these vulnerabilities have solutions and available workarounds, the deployment of these mitigations in control systems architectures is not always feasible. Attacks Using Common Protocols
  • 26.
    ATTACK VECTORS 1-Control systemsarchitectures usually have a capability for remote access to terminal end points and devices in number of ways including by telephonic or dedicated means. To provide for the collection of operational and maintenance data 2-Modern equipment has embedded file servers and web servers to facilitate robust communications these devices are part of an internal and trusted domain, and thus access into these devices can provide an attacker with an unauthorized vector into the control system architecture. 3-RTUs, are an extension of the control domain, attackers can add these field devices to their list of viable targets to be investigated during reconnaissance and scanning phases of the attack. 3-If a device is compromised, and the attacker can leverage control over the device and escalate privileges Attack into control system via field devices
  • 27.
    ATTACK VECTORS 1-Database applicationshave become core application components of control systems and their associated record keeping utilities 2-Databases used by control systems are often connected to databases located on the business network and most use (SQL). The information contained in databases makes them high-value targets for any attacker 3-Attackers can exploit the communications channel between the two networks and bypass the security mechanisms used to protect the control system environment 4-The effect of corrupted database content can impact data acquisition servers, historians, and even the operator HMI console. Control systems databases because they are so reliant on data accuracy and integrity. Database and SQL data injection attacks
  • 28.
    ATTACK VECTORS 1- Theability for an attacker to re-route data that is in transit on a network, the ability to capture and analyze critical traffic that is in plaintext format, and the ability toreverse engineer any unique protocols to gain command over control communications 2- By combining all of these MITM, attack is executed 3- As the attack is on the control domain, this plaintext traffic can be harvested (sniffed) and taken offline for analysis and review 4-Using ARP poisoning and collecting traffic, the attacker can establish and maintain complete control over the communications in the network , preventing the HMI from issuing alarms 5- MTM can be between HMI and RTU due to week protocol that are used like Modbus Man-in-the-middle attacks
  • 29.
  • 30.
    PENETRATION TESTING METHODOLOGY PenetrationTesting Methodology we use in Control systems it like Normal Network Penetration Testing  How? * We are dealing With Devices - Operating systems (windows , Linux ) – Protocols over TCP –Application and SQL Databases – Firewalls Audit identification Devices and networks: Router configs, router tables, switch tables, physical cable checks, packet sniffing Services Local Port verification (nestate) Vulnerabilities Local banner grabbing Perimeter Identify all external connections *Review firewall rules *Review remote access methods *Check for wireless networks *Check physical access
  • 31.
    PENETRATION TESTING METHODOLOGY PenetrationTesting Methodology we use in Control systems it like Normal Network Penetration Testing  How? Network Infrastructure Review router configs Review switch tables Conduct physical cable checks Conduct packet sniffing and analysis Host operating systems Review patch level Review password quality Review share and directory permissions Review remote access Applications Review ports and services Review OS credentials Revives remote access Consider code review PLCs, RTU,s ..etc. Review patch levels Review password quality Conduct packet sniffing
  • 32.
    PENETRATION TESTING METHODOLOGY Scanning/ Discovery Some tools are Available Like plcscan - Scans Modbus device Modescan - Scans Modbus devices Nmap ( Be carful single Nmap scan can crush system) Metasploit Modules for Modbus detection *Most PLCs (Communication Modules) have no ability to filter based on source IP address So we Can Use python scripts or John the Ripper for crack Bruteforce PLC online Scan supported devices and stations change name of stations change IP, Netmask, gateway request full network info
  • 33.
    PENETRATION TESTING METHODOLOGY Analyzeprotocols How protocols live in the network? Not blocked by firewalls/switches Accessible between Lan segments Works form data link layer to application layer Easy to detect Easy to analyze So we Can Available Tools detect devices and their protocols monitor state, commands inject, modify reply packets in real times Sniffing Traffic Wireshark tcpdump python hex viewer
  • 34.
    PENETRATION TESTING METHODOLOGY Analyzeprotocols Modbus Using the web is the often the easiest way 80% of Modbus/TCP devices have web interfaces Other research shows most devices run Windows 2k DNP3 *Has source and destination addresses that can be useful in Man-in the-Middle attacks Such as 1-Turn off unsolicited reporting to stifle alarms 2- Issue unauthorized stops, restart, or other functions that could disrupt specific operations *Implementations typically do not employ encryption, authentication and authorization; DNP3 devices simply assume that all messages are valid
  • 35.
    PENETRATION TESTING METHODOLOGY Analyzeprotocols DNP3 Passive Network Reconnaissance With appropriate access captures and analyzes DNP3 messages. This provides the information about network topology, device functionality, Rogue Test Installs a “man-in-the-middle” device between the master and outstations that can read, modify and fabricate DNP3 messages and/or network traffic memory addresses and other data Other attacks on Data Link and Application Layer
  • 36.
    PENETRATION TESTING METHODOLOGY DataManipulation Available Tools Web Application Test and SQL Injection *As Scada Use Web application On HMI and SQL in Database we can test them for possible Vulnerabilities Modlib - Scapy extention [python] OpenDNP3 - Library [C++] Metasploit Modules
  • 37.
  • 38.
    SCADA SECURITY Creating DemilitarizedZones (DMZs) Multiple DMZs could also be created for separate functionalities and access privileges, such as peer connections, the data historian, the Inter Control Center Communications Protocol (ICCP) server in SCADA systems Firewalls properly configured and coordinated, can protect passwords, IP addresses, files and more Proxy Servers Proxy server is an internet server that acts as a firewall, mediating traffic between a protected network and the internet The Security Policy Effective security policies and procedures are the first step to a secure control systems network. Many of the same policies Security Training Provide The staff that work in the facility Security Tanning very essential for preventing Physical and Social Engineering Attacks
  • 39.
    SCADA SECURITY 1- Identifyall connections to SCADA networks 2- Disconnect unnecessary connections to the SCADA network 3- Removing or Disable unnecessary services 4- Implement internal and external IDS and establish 24-hour incident monitoring 5- Conduct Physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security 6- Clearly define cyber security roles, responsibilities and authorities for managers, system administrators and users 7- Document network architecture and identify systems that serve critical function that require additional levels of protection