1. Session ID:
Session Classification:
Amol Sarwate
Qualys Inc.
TECH-F43
Intermediate
WHY IS ‘SCADA’ SECUIRTY AN
UPHILL BATTLE?

2. ► SCADA Basics
► Threats (where, why & how)
► Challenges
► Recommendations and Proposals
► ScadaScan tool
Agenda

3. SCADA – DCS – ICS

4. accidents
liquid pipeline failures
http://www.ntsb.gov/doclib/safetystudies/SS0502.pdf
power failures
http://www.nerc.com/docs/docs/blackout/Status_Report_081104.pdf
other accidents
http://en.wikipedia.org/wiki/List_of_industrial_disasters

5. vandalism
vandals destroy insulators
http://www.bpa.gov/corporate/BPAnews/archive
/2002/NewsRelease.cfm?ReleaseNo=297

6. insider
disgruntle employee
http://www.theregister.co.uk/2001/10/31
/hacker_jailed_for_revenge_sewage/

7. APT
terrorism or espionage
http://www.symantec.com/content/en/us/enterprise/
media/security_response/whitepapers/w32_duqu_
the_precursor_to_the_next_stuxnet.pdf

8. SCADA Basics
Field Control Center

9. Acquisition
Convert parameters like light, temperature, pressure or flow to analog signals

10. Conversion
Converts analog and discrete measurements to digital information

11. Communication
Front end processors (FEP) and protocols
Wired or wireless communication
Modbus DNP 3 OPC
ICCP ControlNet BBC 7200
ANSI X3.28 DCP 1 Gedac 7020
DeviceNet DH+ ProfiBus
Tejas TRE UCA

12. Presentation and Control
Control, monitor and alarming using human machine interface (HMI)

13. Where are the threats?

14. I/O and Remote
Requires physical access

15. I/O and Remote
Field equipment generally does not
contain process knowledge

16. I/O and Remote
Information like valve 16 or
breaker 9B

17. I/O and Remote
Without process knowledge leads to
nuisance disruption

18. Communication
Manipulate FEP directly

19. Communication
Change FEP output
which is HMI input

20. Communication
Protocol threats

21. Example 1: Modbus protocol
MODBUS Request - Message sent on the network by the Client to initiate a transaction
MODBUS Indication - Request message received on the Server side
MODBUS Response - Response message sent by the Server
MODBUS Confirmation - Response Message received on the Client side
Modbus Client Modbus Server
Request Indication
Confirmation Response
Master Slave

22. Example 1: Modbus protocol request

23. Example 1: Modbus protocol response

24. What does Modbus provide?

25. ScadaScan

26. Example 2: DNP 3.0 protocol

27. Example 2: DNP 3.0 protocol request

28. Example 2: DNP 3.0 protocol response

29. What does DNP 3.0 provide?

30. ScadaScan (DNP mode)

31. Secure DNP 3.0
► New specification released in 2007
► Authentication
► Cryptography
► Keyed Hashing for Message Authentication (HMAC)
► Key Management
► New Function Codes

32. Master Threats
Control system network connected to
corporate network or internet

33. Master Threats
No authentication or per user
authentication

34. Off-the-shelf software
Master Threats

35. No patching
Master Threats

36. Shared passwords or default passwords
Master Threats

37. Not restarted in years
Master Threats

38. Unnecessary services
Master Threats

39. Biggest Challenge
Long life expectancy of
SCADA systems
Difficult and costly to upgrade

40. Proposals
► Strategy for password policy, access control and access
roles
► Strategy for software upgrades and patches
► SCADA test environment
► Demand expedite testing, guidance and approval of OS
patched from SCADA vendors
► Regular auditing and vulnerability scanning
► Apply security experience from IT network management

41.  Alpha version - http://code.google.com/p/scadascan/
Scan network range
Works with TCP/IP
Identifies Modbus TCP slaves
Identifies DNP 3 TCP slaves
 Beta version
SCADA master vulnerability scanning
SNMP support
HTTP support
 1.0 Release
User configurable signature files
Authenticated support for Windows and *nix
Code cleanup
ScadaScan
Twitter @amolsarwate