Hello, hello DEF CON. So, yeah, this is "Fear, Uncertainty and the Digital Armageddon." I hope everyone here can see the humor in that without it having to be explained. So, yeah, my name is Morgan and I'm a security guy. One second. So, you guys like a wardrobe malfunction? There you go. So I'm a security guy. I hack SCADA networks, critical infrastructure. I work for a firm called Security-Assessment.com from New Zealand. So I'm going to go over what SCADA is, why it's really hip right now, and then talk a bit about hacking it. I'm not going to talk about low-level protocols like Modbus, but if you were at Mark Bristow's talk before, then you would have got a pretty in-depth run-over of that anyway. Sorry, better? All right, so.

There's a tendency by the media to refer to all industrial control systems as SCADA. What I'm primarily concerned with is power, water, critical infrastructure, mass manufacturing, that sort of thing. Now, the risk in these environments is largely defined by the threat, right? Like, we're talking power blackouts, dams opening, all that sort of bad stuff. Probably not global thermonuclear war, but, you know, we have had some stuff like this: big explosions and whatnot. These are from an accident that actually happened in Bellingham, Washington. Now, this was a hundred and thirty-seven or two hundred and thirty-seven thousand gallons of gasoline that caught fire on a creek, killed a couple of people and caused a lot of property damage. This was actually an accident, but it was a really big fireball you could see from Canada, so it wasn't a small explosion. The largest non-nuclear explosion in the world was actually the result of a SCADA accident, or SCADA sabotage, depending on who you believe; that apparently happened in Russia. That's the largest gas pipeline explosion ever.

There have been a bunch of SCADA incidents which have been reasonably well publicized over the years: Russian hackers taking over gas pipelines; a guy called Vitek Boden in Australia dumping sewage into drinking water, real jerk there. There's been a lot of press recently about maybe al-Qaeda going to perform SCADA attacks, Chinese hackers getting all up in the SCADA. You know, everyone's having a go. Now, I think we're more worried about this than we used to be just because hacking's a lot easier than it used to be. Like, hacking used to be about quite skilled dudes performing quite trivial attacks and kind of coming up with it themselves. Now, because of the rise of exploitation platforms and 0day packs and that sort of thing, you can get other people to do all the work for you and offset time and skill with money. So you can just buy yourself a Russian 0day pack and, you know, you're off to be a bad guy.

Now, the digital Armageddon obviously hasn't happened yet, but without hype there's no story, right? So it does behoove the media to, you know, sit up a bit and get people worked up. I mean, despite this, you get, like, you know, Blaster didn't cause the East Coast power outage. Those stories of teenage hackers get pretty overblown, and Chinese hackers get blamed for everything these days, like kicking your dog, taking your girlfriend, you know. A lot of the dire predictions so far also have been quite incorrect. IDC named 2003 the year of cyberterrorism, said the internet would crumble. Obviously didn't happen, you know.

So before we progress, I'm going to explain a little bit about what a SCADA system actually is, and then we'll get to the good stuff: the pot shots, the owning, so forth. So, a SCADA system is basically, generally, a spread-out, geographically remote set of systems that are controlled by a central computer. At the edges you've got remote terminal units or the older programmable logic controllers, and they do the grunt work of a SCADA network. They control mechanical devices: pumps, switches, valves, that sort of thing, and monitor levels. This is an example from a water treatment plant. So you've got, you know, the PLCs here, and they measure flow according to set points set by a human at the other end. This is... I've got quite a collection of SCADA porn if people want to look at it with me afterwards. So there's a master station, and that takes information from PLCs and RTUs and converts it into a more human-readable format for use in an HMI, which is something like that. Generally, you point-and-click your way to controlling a SCADA network. As you can see here, this is for an industrial food tip; you can control heat, pressure, all sorts of good stuff.

The communications layer of a SCADA network was traditionally a mix of radio and direct serial connections, a protocol called RS-485, which is multi-point serial used to transfer Modbus and other low-level SCADA protocols. These days we are actually moving to a brave new interconnected world where we want everything to run over IP, from toasters to fridges, and so we've got standards like Open Modbus, DNP3; these all run over IP networks, and there's an open architecture which allows people to use multiple vendors' products.

So, historically, we could describe SCADA networks as quite primitive, and they ran off proprietary hardware and you needed, you know, closed-source manuals, and so, as such, true or false, they were considered to be immune to outside threats. These days, in our brave new interconnected world, everything is connected to the corporate LAN for reasons of monitoring, alerting, producing those graphs that managers know and love so much, and unfortunately modern stuff is susceptible to relatively modern, or not so modern, threats. So you've got, you know, old-school, but still new-school for SCADA networks, types of attacks that basically work.

So the Core guys have been beating pretty savagely on SCADA recently, and Wonderware, which is a vendor we'll see a bit later as well, they're a really big vendor, and Core found that sending a malformed packet to a random TCP port caused a crash in the software. I mean, this is, you know, pretty old-school stuff. What's interesting, if you read the notes, is that they sent the vendor proof-of-concept code in Python; Wonderware asked for compiler tools to run Python. Of course, "go to python.org." I mean, while companies like Microsoft and Cisco and so forth are used to doing the vulnerability dance, big SCADA vendors still aren't, and they still don't really have that sort of relationship with the security community. This is another one found by Core. Again, it's like a canonical stack overflow: improper length checking, long buffer. As I said, you know, sort of same bug, different app.

There's a lot of research being published at the moment. These are some of the favorite talks that I've read recently. It's a hot topic because the possible ramifications of a SCADA compromise could be pretty big, as we're seeing. In the media, and I think in the public mind, cyberterrorism is like the new chemical warfare, like chemical warfare was in the 80s: we're really, really afraid of it and a lot of people don't understand it. That, and SCADA is changing from, as I said, proprietary, obscure, isolated and theoretically immune to attack towards standard, documented and connected systems. So what that basically means is that you can test or hack SCADA systems with a lot of the knowledge you already have. I mean, you saw Mark Bristow before. Really great custom tool, ModScan; the Sulley fuzzer is out there. It's sweet if you know low-level protocols like those guys, but you don't actually need to. If you've got good knowledge of wireless, good common systems knowledge, VoIP, so on and so forth, you can get quite a long way. And if you're prepared to be intelligent about your intel gathering techniques and go a bit old-school, then you can actually find this quite easy. So, old school is good school. I'm going to talk about some stuff I imagine everyone here knows.

If you don't know much about radio scanning, there is a wealth of knowledge online; like, radio geeks really like writing stuff down. There's a protocol called POCSAG which is used for pager messages. Now, a lot of SCADA alerts are sent via pager over a radio link. This is because sending really critical messages over IP networks isn't a great idea. You know, one carrier has a problem, you don't get your message for a couple of hours, blah blah blah. So the pager network is dependable, reliable. Unfortunately, it goes over a cleartext link. So that means anyone with really cheap gear can read it. Now, this is a really cheap and nasty scanner. I've got a better one, but this was 250 NZD at an electronics store across the road from my house. So what do I actually get from cheap and nasty gear like this? Well, in this particular slide we can see what the state of the system is; we can see they've got some issues here, right? There's a strong smell of open sewer; Modbus is offline. We keep going through the conversation and, rather nicely, it tells us what sort of system software they're using. They're using the software called SCADAlarm, which is another Wonderware product. Rather usefully again, now, I've scrubbed these because I checked before the talk and these numbers are still good, but rather usefully they provide you with dial-in numbers and a legitimate fault ID. So what does that give us? Now you Google for SCADAlarm, and here's the pimping: it's alarm event notification software, blah blah blah blah, users can listen to and acknowledge alarms and, ah, operate equipment via telephone from remote locations, saving valuable time and money and effort for your lazy hacker. So it breaks down like this: it's an IVR control system for a SCADA network. You dial in, you provide the ID, and then you can punch-button your way through SCADA control. Now, authentication. Now, it says on the Wonderware site that Wonderware is all up on the security. Unfortunately, that means authentication is done via caller ID, and that's actually disabled by default, but modern VoIP techniques make caller ID spoofing reasonably trivial, to bypass this.

So what else can we find by that? Like, so, if you were wardialing, and I'm presuming everyone should be really well up on that, there's a bunch of free tools to do this. That's iWar. This is HD Moore's WarVOX, which is better; it provides parallelized VoIP wardialing so you can chop through really big number blocks. It used to take you three, four days; now a couple of hours, and listen to the recordings later. And, yeah, unauthorized access to heating computers and so forth. All right, people really don't audit their phone lines properly.

So, thinking a bit about SCADA hacking for the practical security consultant. We had a job a little while ago. Like a lot of companies, they have a really tight net presence these days, right? So you look at their website, their mail, all that sort of stuff, which is traditional, and, you know, it was pretty tight, but, um, we tried to walk on site and they were all like "ID badge, this please, leave that," which, you know, didn't work very well. We looked at their wireless: WPA2, that was quite good. Sort of getting a bit disheartened, and then thought, well, this is a SCADA network, right? These guys are geographically spread out across the whole country; they've got a lot of sites. Let's start driving around and have a look at it. So we drove out into the middle of nowhere and, um, we found a remote site which had a big-ass electric fence, security guard, looked quite intimidating, and we were wondering what we could do. So we had a look at the wireless. Now, we managed to crack the wireless; we managed to get onto the corporate network, which was chewy and soft on the inside and had very poor architecture; the SCADA network was actually plugged directly into it. So after we'd owned the domain controller, we were able to own the SCADA network. Now, these guys looked really good from the outside. It was basically the fact that they had so many sites that it was really difficult for them to make sure that everything adhered to corporate policy, was patched, new tech, and so on and so forth. Now, you've been looking at this picture of the bushes for, you know, 30 seconds now, and you guys probably haven't seen the pertinent fact, which is down here, and what that is is there's a dude in the bushes with a big-ass parabolic dish, right? And so, I mean, that's the thing: they had security guards and electric fences and so forth, but it availed them little to a long-haired hippie with Linux, and, you know, ownage, right? So, as I said, it's a slightly different ball game when you're trying to hack SCADA networks. These guys also were hackable via dial-in lines. They actually still had default passwords on their SCADA software.

So the conclusions we can draw from this is that there are actually numerous connections to SCADA networks. It used to be believed that they're isolated, but you've got dial-in networks, radio, wireless, LAN connections, etc., etc. Now, the real problem with this is that these networks are insecure by design because they're anonymous. They don't have users on them, so passwords are simple, default, never changed; all the protocols are cleartext. Normal corporate policies regarding user management, password rotation, etc. don't apply, so even if the corporates care about security and have policy guys that write big docs, chances are they're not being applied. Also, SCADA systems are rarely patched; most vendors have an SLA to provide one patch a year, if that. So this leads to a really large vulnerability window. Generally, what you do is you install your SCADA system and walk away and just replace it when it's out of date. So, as you can see, a really different model to traditional IT networks: you know, the lifetime of the gear is a lot longer, rarely patched, etc.

There are some good things happening in SCADA security: new standards, excellent practical guides, etc., etc. But you really need to conduct physical site surveys, stuff like that, because, you know, the guy in the bushes. Lockpicking is actually pretty trivial, and, as I said, SCADA networks are really spread out. So this is what Mark Bristow said: if you gain access to the wire, you can use his tool on pretty much anything. Lockpicking is pretty easy, especially when it comes to asset owners, because they have lots of stuff to secure, so they buy really shitty locks. You can shim padlocks really easily; if you don't believe me, go to the Lockpick Village. I saw Deviant Ollam shim a padlock with a piece of paper. I mean, yeah, I've seen SCADA vendors use wireless security cameras throughout, which is really stupid because it's pretty easy to DoS wireless. Like, here's a site where they had a big-ass electric fence, but it was protected by a lock that was that shitty. I mean, it doesn't matter if you spent like 20,000 bucks on your massive electric fence if you're using a $5 lock; it just leads to long-hairs up in your SCADA. Like, it's, yeah, not a good plan.

So, basically, a lot of SCADA stuff these days does have, you know, more security features than it used to, whereas all the SCADA systems used to have none, but, as is common, you know, a lot of this stuff is turned off by default. So it's a good idea to, you know, audit all that sort of stuff, make sure it's implemented. Now, you know, surfing SCADA message boards, where asset owners get together to bitch about SCADA security, I thought this was the best thing I've seen, where this guy's like, "Yes, the threat from red teams, foreign governments, etc. is real, but seriously, I can't deal with it. It's not my problem. I can't deal with, you know, I don't have government-style security software, I don't have guards with submachine guns and flak jackets, and I pay taxes, and I'm actually worried about providing water, sanitation services or whatever, so screw you guys." But, you know, it's fair enough.

So here's another job I did, actually, where we basically... It's a difficult problem securing SCADA networks because people frequently admin security gear from the corporate side of their network, and so, basically, it means that if you compromise the business side of the network then you will own SCADA without particularly sophisticated attacks, largely because if you own the side of the network that admins the firewalls, you can just change them. So we were at a customer site and they took a really long time to actually get to us, and we were sitting in their lobby. So we got pissed off, noticed there was a jack there, plugged into the wall and found that it was live, which gave us access to the corporate internal network. Now, we managed to own the intranet server because they had insecure file upload dialogues. Password reuse gave us the domain controller, and that gave us arbitrary desktops. Now, what we actually owned was not an IT file server. It was just a dude's share, who had two gig of documentation. Now, we'd been banging our heads against this firewall for quite a long time because it was guarding the SCADA network. These guys actually had pretty good architecture and it was pretty annoying; we couldn't get to the SCADA. However, two gig of documentation meant that we actually had their firewall configs and their passwords in cleartext. And so what that meant was we now owned the firewall and all their switches and routers, which meant, well, we own the corporate network, we own the firewall, so let's just change the firewall rules, and booyah, we own the SCADA network. Now, because users are stupid and reuse passwords, anyone whose password is Password1 is probably going to reuse it on the other side too. Passwords were the same on the SCADA domain controller, and we owned that, and there we go, right? So, you know, just for extra bonus points, we also realized that they were being stupid with their VoIP and using the same phone system on both sides of the network too.

So, I think I'm running out of time, so in summation: it's a really good idea not to rely on your SCADA networks being secure because you think they're difficult or esoteric or strange. It's not going to work. Basically, we need to lean on SCADA vendors to be more open about the nature of the back doors they have to admin systems, and demand that they provide systems that can be secured. Now, I've been thinking a bit about who's going to make money out of all this fear, uncertainty and doubt going around, and it's not the pen testers. It's not even the SCADA vendors. It's actually the usual security players, right? You've got people like Check Point, Fortigate, etc., who are going to start selling magic bullet solutions, and already have. So, sort of, beware snake oil and that sort of thing that's going to start going around. So while I think that a lot of the fear-mongering these days is pretty crazy, this is an issue that really needs attention, and we need to look at it with sort of skeptical, critical, but, you know, recently opened eyes, and realize it's something that SCADA asset owners can't do on their own. We can't just yell at them to be more secure; there needs to be pressure put on guys like Wonderware, who don't understand the security dance at all, to actually, you know, sort of step up. So that's me. Thanks a lot.