1052 Hacking Scada
SCADA (in)Security:
Hacking Critical Infrastructures
$ whois raoul
Founder @
OPST, OPSA, Key Contributor for OSSTMM (1.5, 2.0, 2.1, 3.0)
Security Evangelist @
http://www.ccc.de/updates/2007/paragraph-202c?language=de
What is SCADA?
Going commercial...
“Supervisory Control And Data Acquisition”.
http://www.nbtinc.com/Software/telemetry-software.html
SCADA (in)Security http://cristal.recursiva.org/
Industrial Automation
http://www.scadalink.com/netscada%20EI-155%20Web%20image.jpg
Critical Infrastructures
Communication infrastructure
http://www.radfiber.com/Article/0,6583,27608,00.html
Enel is the biggest power distributor in Italy
SCADA Issues
Hackers know about it! :)
A lot of presentations by SCADA people talk about:
➡ Vendors
➡ People
➡ Technology
➡ Incidents
➡ Customers
Incidents
“Shit happens!”
“About 3:28 p.m., Pacific daylight time, on June 10, 1999, a 16-inch-diameter steel pipeline owned by Olympic Pipe Line Company ruptured and released about 237,000 gallons of gasoline into a creek that flowed through Whatcom Falls Park in Bellingham, Washington. About 1.5 hours after the rupture, the gasoline ignited and burned approximately 1.5 miles along the creek. Two 10-year-old boys and an 18-year-old young man died as a result of the accident. Eight additional injuries were documented. A single-family residence and the city of Bellingham's water treatment plant were severely damaged. As of January 2002, Olympic estimated that total property damages were at least $45 million.”
http://www.cob.org/press/pipeline/whatcomcreek.htm
http://bst-tsb.gc.ca/en/media/communiques/pipe/1997/comm21.asp
Technical problems
Antivirus
Vendors
Vendor Live witness
Customers
Customer live witness
(no disclosure agreement)
People...
...were used to ...
http://www.metroland.org.uk/signal/amer01.jpg
Blockbuster
D.A. Norman
“The design of
everyday things”
ISBN 8809210271
http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/
Thomas C. Reed, former Secretary of the Air Force and adviser to Ronald Reagan, described in his book “At the Abyss” how the U.S. arranged for the Soviets to receive intentionally flawed SCADA software to manage their natural gas pipelines.
"The pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds."
http://www.themoscowtimes.ru/stories/2004/03/18/014.html
http://findarticles.com/p/articles/mi_qa3739/is_200403/ai_n9360106
http://news.bbc.co.uk/2/hi/africa/6209845.stm
http://www.ansa.it/opencms/export/site/notizie/rubriche/daassociare/visualizza_new.html_127962764.html
Security Standards
The IT of 5-10 years ago ...
“The present state of security for SCADA is not
commensurate with the threat or potential consequences. The
industry has generated a large base of relatively insecure
systems, with chronic and pervasive vulnerabilities that have
been observed during security assessments. Arbitrary
applications of technology, informal security, and the fluid
vulnerability environment lead to unacceptable risk. […]
Security for SCADA is typically five to ten years behind typical
information technology (IT) systems because of its historically
isolated stovepipe organization.”
http://www.tswg.gov/tswg/ip/SustainableSecurity.pdf
ISO/IEC 17799:2005 Information Technology – Code of practice for information sec. management
ANSI/ISA SP99 TR2 Integrating Electronic Sec. into Manufacturing and Control Systems Env.
CIDX Chemical Industry Data Exchange - Vulnerability Assessment Methodology (VAM) Guidance
PCSF Process Control System Forum ; NERC standards ; AGA standards ; NISCC Guidelines
Different priorities (ordered from highest to lowest):
IT                SCADA
Confidentiality   Availability
Integrity         Integrity
Availability      Confidentiality
http://cristal.recursiva.org/
Elisa Bortolani
Raoul Chiesa
Alessio L.R. Pennasilico
Enzo M. Tieghi
Technical: Analysis, Hardening
Organizational: Measurement, Ergonomics
Lab test bed: two hosts, 192.168.1.160 and 192.168.1.161, connected with Profibus in/out.
Tests run against the test bed:
➡ nmap -sV / -O
➡ ping -f
➡ ping -s > 56200
➡ Traffic > 10 Mb/s
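What an oversized echo request such as `ping -s 56200` from the list above actually puts on the wire, as an added example that is not part of the original slides: the script below builds the ICMP echo request (RFC 792 header, RFC 1071 checksum) and applies IPv4 fragmentation arithmetic (RFC 791) for a given link MTU, so the number of fragments the target has to buffer and reassemble for every single echo is explicit. It assumes a 1500-byte Ethernet MTU, no IP options, and the lab addresses 192.168.1.160/161 only appear as labels; nothing is transmitted.

```python
"""Added example (not from the original slides): what `ping -s <n>` costs the
receiver. Builds the ICMP echo request and applies IPv4 fragmentation
arithmetic for a given MTU. Assumptions: Ethernet MTU 1500, no IP options,
no packets are sent. Lab hosts 192.168.1.160 / 192.168.1.161 are from the
slides and used here only as labels."""
import struct

IPV4_HEADER_LEN = 20   # fixed header, no options
ICMP_HEADER_LEN = 8    # type, code, checksum, identifier, sequence
IPV4_MAX_DATAGRAM = 65535


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (used by ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_request(payload_len: int, ident: int = 0x1234, seq: int = 1) -> bytes:
    """ICMP type 8 / code 0 echo request carrying `payload_len` bytes."""
    payload = bytes(i & 0xFF for i in range(payload_len))   # constructed filler
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)       # checksum field = 0
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def ipv4_fragments(transport: bytes, mtu: int = 1500):
    """Split an IPv4 payload as a sending host would for the given MTU.
    Returns (fragment offset in 8-byte units, more-fragments flag, chunk)."""
    max_payload = (mtu - IPV4_HEADER_LEN) // 8 * 8   # offsets are multiples of 8
    frags = []
    for off in range(0, len(transport), max_payload):
        chunk = transport[off:off + max_payload]
        more = off + max_payload < len(transport)
        frags.append((off // 8, more, chunk))
    return frags


def ping_profile(payload_len: int, mtu: int = 1500) -> dict:
    """Summarise what one echo request of this size means for the receiver:
    how many fragments arrive and how much reassembly buffer they need."""
    echo = icmp_echo_request(payload_len)
    datagram_len = IPV4_HEADER_LEN + len(echo)
    frags = ipv4_fragments(echo, mtu)
    return {
        "icmp_len": len(echo),
        "ip_datagram_len": datagram_len,
        "fragments": len(frags),
        "reassembly_buffer": datagram_len,
        "fits_in_one_packet": len(frags) == 1,
        # payload > 65507 pushes the datagram past the IPv4 limit
        "exceeds_ipv4_max": datagram_len > IPV4_MAX_DATAGRAM,
    }


if __name__ == "__main__":
    print("test host 192.168.1.161 -> target 192.168.1.160")
    for size in (56, 1472, 1473, 56200, 65507, 65508):
        print("ping -s %d:" % size, ping_profile(size))
```

The default 56-byte ping fits in one frame; at 1473 bytes the datagram already needs two fragments, and the 56200-byte ping from the slide arrives as 38 fragments per echo, each of which the target must hold in a reassembly buffer until the last one lands (or the reassembly timer expires). That reassembly load, not any single oversized frame, is what an embedded IP stack on a PLC has to survive.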
Conclusions
Best Practices /I
https://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
http://cansecwest.com/slides06/csw06-byres.pdf
http://www.mayhem.hk/docs/scada_univr.pdf
http://darkwing.uoregon.edu/~joe/scada/
http://www.physorg.com/news94025004.html
http://ethernet.industrial-networking.com/articles/articledisplay.asp?id=206
http://www.apogeonline.com/libri/88-503-1042-0/ebook/libro
http://www.sans.org/reading_room/whitepapers/warfare/1644.php
http://www.digitalbond.com/SCADA_Blog/SCADA_blog.htm
http://www.securityfocus.com/news/11402
http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf
http://www.visionautomation.it/modules/AMS/article.php?storyid=32
http://www.cob.org/press/pipeline/whatcomcreek.htm
http://www.securityfocus.com/news/6767
http://www.iscom.istsupcti.it/index.php?option=com_content&task=view&id=16&Itemid=1
http://books.google.it/books?id=xL3Ye3ZORbgC
Studio Miliani
http://www.miliani.it/
These slides were written by Alessio L.R. Pennasilico aka mayhem. They are released under the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify, or sell them. “Please” cite your source and use the same licence :)
Thank You!
Raoul Chiesa Alessio L.R. Pennasilico
http://cristal.recursiva.org/