SlideShare une entreprise Scribd logo

Experience with testing industrial cybersecurity solutions against real-world attack scenarios

Anton Shipulin
Anton Shipulin

Slide deck from the XIII International Congress of Industrial Cybersecurity in Madrid Sep 24-25, by Industrial Cybersecurity Center (CCI) #CCICON_13

Technologie
1  sur  27
Télécharger pour lire hors ligne
• Industrial Cybersecurity Business Development at Kaspersky Lab • Head of program committee of Kaspersky Industrial Cybersecurity Conference • Coordinator for Russia at Industrial Cybersecurity Center (CCI) • Co-Founder of ICS Cyber Security community RUSCADASEC • Certified SCADA Security Architect (CSSA), CISSP, CEH • @shipulin_anton
• • •
https://ics.kaspersky.com/
https://www.nsslabs.com/tested-technologies/
• • • • • • • • • • • • • • • • • • • •
https://twitter.com/shipulin_anton
https://attack.mitre.org
https://public.tableau.com/profile/cyb3rpanda#!/vizhome/MITREATTCKMatrixforEnterpriseV2/ATTCK Endpoint Data Network Data
https://www.gartner.com/en/documents/3875421 https://blogs.gartner.com/augusto-barros/2018/04/17/threat-simulation-open-source-projects/ https://github.com/redhuntlabs/RedHunt-OS/ • • • • • • • • • • • • • • • • • https://attackevals.mitre.org
https://ctf.kaspersky.com
Full details on the testbed https://itrust.sutd.edu.sg/testbeds/secure-water-treatment-swat/ 6 stages: ►P1: RAW water Supply and storage ►P2: Pre‐treatment ►P3: Ultrafiltration and backwash ►P4: De‐Chlorination System ►P5: Reverse Osmosis (RO) ►P6: RO Permeate Transfer, UF Backwash and Cleaning
Cybercriminal Attacker Model - Control of the PLC through the Bridged Man-in-the-Middle (MiTM) at Level 0 - Control of the chemical dosing system through a Python script (pycomm) - Control of the Historian through the Aircrack WiFi - Control of the pressure through the Server Message Block (SMB) - Control of the water level in the tank through the Metasploit VNC Scanner - Control of the pump through a rogue router - Control of the pump through the FactoryTalk and password vulnerability - Control of the pressure pump through Python script (pycomm) - Control of the pump through the compromised HMI - Overwriting data stored at Historian - Control of the Historian through MiTM using ARP Insider Attacker Model - Control of the Motorised Valve through Manual Intervention - Control of the RIO/Display through manual configuration on the sensor - Control of the water pump P101 through the Python script (pycomm) - Control of the water pump P101 through manual operation of the HMI - Control of the pressure pump through Python script (pycomm) - Control of the water tank level LIT101 through Python script (pycomm) - Control of chemical dosing through modified PLC Logic - Control of the RIO through disconnecting Analogue Input/Output pin - Control of the amount of chemical dosing through Python script - Control of the PLC through the modification of PLC logic in Studio 5000 - Control of the motorised valve through modification of PLC logic in Studio 5000 - Control of the motorised valve MV201 through the modification of PLC logic - Control of the water tank level LIT301 through adjusting alarm levels - Control of the chemical dosing pump P205 through manual operation of the dosing meter - Control of the HMI/SCADA through simulation control - Control of the PLC through disconnected network cables Details: https://goo.gl/y1Pxre
• Out of the box installation with no learning mode • Only L1 monitoring / L0 attacks was out of scope • Didn’t monitor physical attacks Detection results Details: https://goo.gl/y1Pxre
2:23 - Scanning both Zycron and SWaT network concurrently. 2:30 - Discovered the VNC service. 2:38 - Attack: Attempting to do MITM attack on PLC1 2:50 - Attack: Attempting to do Layer 0 MITM attack on LIT101. 2:23 - Scanning both Zycron and SWaT network concurrently. 2:30 - Discovered the VNC service. 2:38 - Attack: Attempting to do MITM attack on PLC1 Attempt to do bridge in primary plc to RIO 2:50 - Attack: Attempting to do Layer 0 MITM attack on LIT101. Spoof water level to 390 2:54 - Attack Successful! 2:59 - Attack: Download modified P2 PLC code. 3:01 - Attack Unsuccessful! 3:18 - Attack: Downloading modified P2 PLC code. Attack Unsuccessful! 3:19 - Attack: Trying to breach the firewall. 3:22 - Attack: Overwriting PLC code. Attack Unsuccessful! 3:38 - Attack: Attempting to set LIT101 to 300. Attack Unsuccessful! 4:16 - Spoofing attack LIT101 at HMI Successful! 4:45 - Download of PLC code failed! 5:07 - Launch on DPIT pressure successful! 5:18 - Attempt to change plant to manual mode. 5:19 - Attempt successful! 5:20 - Attempt to stop plant process. 5:23 - Attempt to stop/start plant successful! 5:28 - Attack : Attempt to do DoS attack on historian for all values. Attack unsuccessful! 5:36 - Attack : Attempt to do DoS attack on historian for all values. Attack unsuccessful! 6:18 - Attack: Attempt to do DoS attack on historian for all values. Attack unsuccessful! 6:20 - Eternal Blue attack: Time Out! https://itrust.sutd.edu.sg/ciss-2019/
Overview of dataset requests by country (left) and year (right) • Secure Water Treatment (SWaT) • SWaT Security Showdown (S317) • Water Distribution (WADI) • BATtle of Attack Detection Algorithms (BATADAL) • Electric Power and Intelligent Control (EPIC) • Blaq_0 https://itrust.sutd.edu.sg/research/dataset/ Visit by Kaspersky LabDetected attack: 23 out of 34 Not detected: 9 with small impacts Correct interpretation: 22 out of 23 False positive: 3 as attack continuation New anomalies: 7 anomalies Kaspersky Machine Learning for Anomaly Detection Results on the SWaT Dataset https://tinyurl.com/mlad2018
• WMI Lateral Movement • Reconnaissance / Network Scan • Reconnaissance / Reading Project from PLC / Modbus • Reconnaissance / Modbus Scan • Transfer Malicious Firmware to Rockwell Automation PLC • Modbus Write Attempt from an Internet address • “Stuxnet” Malware Network Activity • “Havex” Malware Network Activity • “Greyenergy” Malware Network Activity https://www.youtube.com/watch?v=vSd8hoRqnF4&list=PLPmbqO785Hlt3yFvW-EZhvRq53EcCjmZc https://www.youtube.com/watch?v=A2tQo4t4ibo
KICS 60870-5-104 Protocol Events https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
Endpoint activities at different levels and stages Powershell, Python SSH clients (Putty/Plinks) Netcat/Cryptocat Mmikatz, PsExec AdExplorer, ShareEnum, PsGetSid Nmap, iPerf Trilog.exe Network activities at different levels and stages DNS SSH RDP RPC/SMB (PsExec) HTTP (Webshell) TCP/UDP (Nmap, iPerf) VPN Tristation (UDP) PLC Fieldbus Control Network SCADA/DCS Network Plant DMZ Network Office Network PLC SCADA SCADA SCADA SCADA SIS SIS Safety Instrumented System SIS EWS SIS Internet Attacker • Trilog.exe • Tristation (UDP)
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN
Unusual time for an engineering connection
Unauthorized application Not in the white list
• plaintext passwords • user authentication failures • new network devices • abnormal network traffic between devices • internet connectivity • data exfiltration • unauthorized software installations • PLC firmware modifications • unauthorized PLC logic modifications • file transfers between devices • abnormal ICS protocol communications • malware • denial of service (DoS) • abnormal manufacturing system operations • port scans/probes • environmental changes https://csrc.nist.gov/publications/detail/nistir/8219/draft
• • • • • • • • • • • • • • • • • • • •
Kaspersky HQ 39A/3 Leningradskoe Shosse, Moscow Т: +7 (495) 797 8700 #1746 Anton.Shipulin@kaspersky.com @shipulin_anton Anton Shipulin CISSP, CEH, CSSA Global Presales Manager Industrial Cybersecurity Business Development

Recommandé

DDoS-атаки в 2016–2017: переворот
DDoS-атаки в 2016–2017: переворотDDoS-атаки в 2016–2017: переворот
DDoS-атаки в 2016–2017: переворот
Positive Hack Days
 
FinalExamWindows7_RatanMohapatra
FinalExamWindows7_RatanMohapatraFinalExamWindows7_RatanMohapatra
FinalExamWindows7_RatanMohapatra
Ratan Mohapatra
 
Automation-PLC
Automation-PLCAutomation-PLC
Automation-PLC
Pallavi7776
 
Microprocessor Laboratory 2: Logical instructions
Microprocessor Laboratory 2: Logical instructionsMicroprocessor Laboratory 2: Logical instructions
Microprocessor Laboratory 2: Logical instructions
Arkhom Jodtang
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
amiable_indian
 
62.water level control in reservoiers
62.water level control in reservoiers62.water level control in reservoiers
62.water level control in reservoiers
Padmakar Mangrule
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
PROIDEA
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016
Sergey Gordeychik
 

Recommandé

DDoS-атаки в 2016–2017: переворот
DDoS-атаки в 2016–2017: переворотDDoS-атаки в 2016–2017: переворот
DDoS-атаки в 2016–2017: переворот
Positive Hack Days
 
FinalExamWindows7_RatanMohapatra
FinalExamWindows7_RatanMohapatraFinalExamWindows7_RatanMohapatra
FinalExamWindows7_RatanMohapatra
Ratan Mohapatra
 
Automation-PLC
Automation-PLCAutomation-PLC
Automation-PLC
Pallavi7776
 
Microprocessor Laboratory 2: Logical instructions
Microprocessor Laboratory 2: Logical instructionsMicroprocessor Laboratory 2: Logical instructions
Microprocessor Laboratory 2: Logical instructions
Arkhom Jodtang
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
amiable_indian
 
62.water level control in reservoiers
62.water level control in reservoiers62.water level control in reservoiers
62.water level control in reservoiers
Padmakar Mangrule
 
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
Confidence 2017: SCADA and mobile in the IoT times (Ivan Yushkievich, Alexand...
PROIDEA
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016
Sergey Gordeychik
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
Electronic DIY project book
Electronic DIY project book Electronic DIY project book
Electronic DIY project book
Raghav Shetty
 
Role of Connectivity - IoT - Cloud in Industry 4.0
Role of Connectivity - IoT - Cloud in Industry 4.0Role of Connectivity - IoT - Cloud in Industry 4.0
Role of Connectivity - IoT - Cloud in Industry 4.0
Gautam Ahuja
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
Jose Palanco
 
Alcohol report
Alcohol reportAlcohol report
Alcohol report
chandan kumar
 
Tech
TechTech
Tech
Orafu James
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
PROIDEA
 
Stuxnet
StuxnetStuxnet
Stuxnet
Symantec
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
Microcontroller based automatic engine locking system for drunken drivers
Microcontroller based automatic engine locking system for drunken driversMicrocontroller based automatic engine locking system for drunken drivers
Microcontroller based automatic engine locking system for drunken drivers
Vinny Chweety
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
PROIDEA
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Stuxnet
StuxnetStuxnet
Stuxnet
bueno buono good
 
BsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the ControllersBsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the Controllers
Roberto Soares
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Positive Hack Days
 
P1111141868
P1111141868P1111141868
P1111141868
Ashraf Aboshosha
 
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Dominik Obermaier
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
grecsl
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Khem
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Contenu connexe

Similaire à Experience with testing industrial cybersecurity solutions against real-world attack scenarios

Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
PROIDEA
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
BsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the ControllersBsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the Controllers
Roberto Soares
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Positive Hack Days
 
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Dominik Obermaier
 

Similaire à Experience with testing industrial cybersecurity solutions against real-world attack scenarios (20)

Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Electronic DIY project book
Electronic DIY project book Electronic DIY project book
Electronic DIY project book
 
Role of Connectivity - IoT - Cloud in Industry 4.0
Role of Connectivity - IoT - Cloud in Industry 4.0Role of Connectivity - IoT - Cloud in Industry 4.0
Role of Connectivity - IoT - Cloud in Industry 4.0
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Alcohol report
Alcohol reportAlcohol report
Alcohol report
 
Tech
TechTech
Tech
 
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...CONFidence 2015: SCADA and mobile: security assessment of the applications th...
CONFidence 2015: SCADA and mobile: security assessment of the applications th...
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Microcontroller based automatic engine locking system for drunken drivers
Microcontroller based automatic engine locking system for drunken driversMicrocontroller based automatic engine locking system for drunken drivers
Microcontroller based automatic engine locking system for drunken drivers
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
BsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the ControllersBsidesSP: Pentesting in SDN - Owning the Controllers
BsidesSP: Pentesting in SDN - Owning the Controllers
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
P1111141868
P1111141868P1111141868
P1111141868
 
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
Bringing M2M to the web with Paho: Connecting Java Devices and online dashboa...
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 

Dernier

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Dernier (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Experience with testing industrial cybersecurity solutions against real-world attack scenarios

  • 1.
  • 2. • Industrial Cybersecurity Business Development at Kaspersky Lab • Head of program committee of Kaspersky Industrial Cybersecurity Conference • Coordinator for Russia at Industrial Cybersecurity Center (CCI) • Co-Founder of ICS Cyber Security community RUSCADASEC • Certified SCADA Security Architect (CSSA), CISSP, CEH • @shipulin_anton
  • 12. Full details on the testbed https://itrust.sutd.edu.sg/testbeds/secure-water-treatment-swat/ 6 stages: ►P1: RAW water Supply and storage ►P2: Pre‐treatment ►P3: Ultrafiltration and backwash ►P4: De‐Chlorination System ►P5: Reverse Osmosis (RO) ►P6: RO Permeate Transfer, UF Backwash and Cleaning
  • 13. Cybercriminal Attacker Model - Control of the PLC through the Bridged Man-in-the-Middle (MiTM) at Level 0 - Control of the chemical dosing system through a Python script (pycomm) - Control of the Historian through the Aircrack WiFi - Control of the pressure through the Server Message Block (SMB) - Control of the water level in the tank through the Metasploit VNC Scanner - Control of the pump through a rogue router - Control of the pump through the FactoryTalk and password vulnerability - Control of the pressure pump through Python script (pycomm) - Control of the pump through the compromised HMI - Overwriting data stored at Historian - Control of the Historian through MiTM using ARP Insider Attacker Model - Control of the Motorised Valve through Manual Intervention - Control of the RIO/Display through manual configuration on the sensor - Control of the water pump P101 through the Python script (pycomm) - Control of the water pump P101 through manual operation of the HMI - Control of the pressure pump through Python script (pycomm) - Control of the water tank level LIT101 through Python script (pycomm) - Control of chemical dosing through modified PLC Logic - Control of the RIO through disconnecting Analogue Input/Output pin - Control of the amount of chemical dosing through Python script - Control of the PLC through the modification of PLC logic in Studio 5000 - Control of the motorised valve through modification of PLC logic in Studio 5000 - Control of the motorised valve MV201 through the modification of PLC logic - Control of the water tank level LIT301 through adjusting alarm levels - Control of the chemical dosing pump P205 through manual operation of the dosing meter - Control of the HMI/SCADA through simulation control - Control of the PLC through disconnected network cables Details: https://goo.gl/y1Pxre
  • 14. • Out of the box installation with no learning mode • Only L1 monitoring / L0 attacks was out of scope • Didn’t monitor physical attacks Detection results Details: https://goo.gl/y1Pxre
  • 15. 2:23 - Scanning both Zycron and SWaT network concurrently. 2:30 - Discovered the VNC service. 2:38 - Attack: Attempting to do MITM attack on PLC1 2:50 - Attack: Attempting to do Layer 0 MITM attack on LIT101. 2:23 - Scanning both Zycron and SWaT network concurrently. 2:30 - Discovered the VNC service. 2:38 - Attack: Attempting to do MITM attack on PLC1 Attempt to do bridge in primary plc to RIO 2:50 - Attack: Attempting to do Layer 0 MITM attack on LIT101. Spoof water level to 390 2:54 - Attack Successful! 2:59 - Attack: Download modified P2 PLC code. 3:01 - Attack Unsuccessful! 3:18 - Attack: Downloading modified P2 PLC code. Attack Unsuccessful! 3:19 - Attack: Trying to breach the firewall. 3:22 - Attack: Overwriting PLC code. Attack Unsuccessful! 3:38 - Attack: Attempting to set LIT101 to 300. Attack Unsuccessful! 4:16 - Spoofing attack LIT101 at HMI Successful! 4:45 - Download of PLC code failed! 5:07 - Launch on DPIT pressure successful! 5:18 - Attempt to change plant to manual mode. 5:19 - Attempt successful! 5:20 - Attempt to stop plant process. 5:23 - Attempt to stop/start plant successful! 5:28 - Attack : Attempt to do DoS attack on historian for all values. Attack unsuccessful! 5:36 - Attack : Attempt to do DoS attack on historian for all values. Attack unsuccessful! 6:18 - Attack: Attempt to do DoS attack on historian for all values. Attack unsuccessful! 6:20 - Eternal Blue attack: Time Out! https://itrust.sutd.edu.sg/ciss-2019/
  • 16. Overview of dataset requests by country (left) and year (right) • Secure Water Treatment (SWaT) • SWaT Security Showdown (S317) • Water Distribution (WADI) • BATtle of Attack Detection Algorithms (BATADAL) • Electric Power and Intelligent Control (EPIC) • Blaq_0 https://itrust.sutd.edu.sg/research/dataset/ Visit by Kaspersky LabDetected attack: 23 out of 34 Not detected: 9 with small impacts Correct interpretation: 22 out of 23 False positive: 3 as attack continuation New anomalies: 7 anomalies Kaspersky Machine Learning for Anomaly Detection Results on the SWaT Dataset https://tinyurl.com/mlad2018
  • 17. • WMI Lateral Movement • Reconnaissance / Network Scan • Reconnaissance / Reading Project from PLC / Modbus • Reconnaissance / Modbus Scan • Transfer Malicious Firmware to Rockwell Automation PLC • Modbus Write Attempt from an Internet address • “Stuxnet” Malware Network Activity • “Havex” Malware Network Activity • “Greyenergy” Malware Network Activity https://www.youtube.com/watch?v=vSd8hoRqnF4&list=PLPmbqO785Hlt3yFvW-EZhvRq53EcCjmZc https://www.youtube.com/watch?v=A2tQo4t4ibo
  • 18.
  • 19. KICS 60870-5-104 Protocol Events https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
  • 20.
  • 21. Endpoint activities at different levels and stages Powershell, Python SSH clients (Putty/Plinks) Netcat/Cryptocat Mmikatz, PsExec AdExplorer, ShareEnum, PsGetSid Nmap, iPerf Trilog.exe Network activities at different levels and stages DNS SSH RDP RPC/SMB (PsExec) HTTP (Webshell) TCP/UDP (Nmap, iPerf) VPN Tristation (UDP) PLC Fieldbus Control Network SCADA/DCS Network Plant DMZ Network Office Network PLC SCADA SCADA SCADA SCADA SIS SIS Safety Instrumented System SIS EWS SIS Internet Attacker • Trilog.exe • Tristation (UDP)
  • 23. Unusual time for an engineering connection
  • 25. • plaintext passwords • user authentication failures • new network devices • abnormal network traffic between devices • internet connectivity • data exfiltration • unauthorized software installations • PLC firmware modifications • unauthorized PLC logic modifications • file transfers between devices • abnormal ICS protocol communications • malware • denial of service (DoS) • abnormal manufacturing system operations • port scans/probes • environmental changes https://csrc.nist.gov/publications/detail/nistir/8219/draft
  • 27. Kaspersky HQ 39A/3 Leningradskoe Shosse, Moscow Т: +7 (495) 797 8700 #1746 Anton.Shipulin@kaspersky.com @shipulin_anton Anton Shipulin CISSP, CEH, CSSA Global Presales Manager Industrial Cybersecurity Business Development