Ed Prevost - Securing nuclear facilities, on the cheap
Transcript of Ed Prevost - Securing nuclear facilities, on the cheap
Shout Outs
Charles Perine - @caperine
John Matherly - @achillean
K. Reid Wightman - @ReverseICS
Joel Langill - @SCADAHacker
Securing Nuclear Facilities, On The Cheap
RETR3AT - October 31, [email protected] - @edwardprevost - @compromiserLLC
Ed Who?
Reformed Christian(http://reformedpresbytery.org)
Husband & Father
Farmer
Computer Geek
Reformed Christian
Calvinistic
Christ Centered World-View
Inherently Paranoid
Husband & Father
Wife
Children
Responsibilities
Farmer
Free Range Chickens
Heritage Hogs
Dairy Cattle
Barn Cats
Computer Geek
What’s this all about?
Industrial Control System Security
This presentation aims to provide you with a little:
history and terminology
corporate tools
opensource tools
encouragement
https://scadahacker.com/library/
http://www.digitalbond.com/tools/ics-security-tool-mail-list/
ICS History
Water
Gears
Belts
Flues
Pneumatics
DCS - Distributed Control System
PLC - Programmable Logic Controller
PAC - Programmable Automation Controller
IoT - Internet of Things
Everybody Open Immunity
CTRL/Command + F1
JUST KIDDING
Pneumatics
Clean, Dry and Oil Free
Voluminous (PRV, multi-line)
Reliability
On/Off vs Inherent Modulation
DCS
Distributed
Electrical
Cumbersome
Rocks at Analog
Feedback/Feedforward
PLC
Auxiliary
Electrical
Rocks at Discrete
Proprietary
Ladder/Relay Logic
Constant I/O Coverage
SCADA
PAC
Auxiliary
Electrical
Open Standards
IDE with (OPC etc.)
Exception I/O Coverage
SCADA
IoT
Things Connected To Each Other
Now Forget Everything I Just Told You
PROTOCOLS
A LOT OF THEM
https://en.wikipedia.org/wiki/List_of_automation_protocols
So What Do The Big Corporations Use?
Not Really Much
Corporate Tools
Wurldtech
Belden (Tofino)
Portswigger (Burp)
Ettus
National Instruments
Mocana
Open Source
nmap/Redpoint/Shodan
Killerbee/HackRF/Other
Burp
Sulley/Taof
Wireshark/scapy
nmap/Redpoint/Shodan
Reconnaissance
https://github.com/digitalbond/Redpoint/
https://icsmap.shodan.io/
https://code.google.com/p/plcscan/
Data Diode
Impenetrable
Proxy
https://mitmproxy.org/
http://www.squid-cache.org/
Some Cost
http://blog.cimation.com/blog/defending-industrial-control-systems-with-data-diodes
Killerbee/HackRF
RF Attacks
http://gnuradio.org
https://github.com/riverloopsec/killerbee
http://edwardprevost.info/RETR3AT/killerbeehw.php
https://greatscottgadgets.com/hackrf/
http://greatscottgadgets.com/sdr/
JTagulator
Device interfaces galore
http://www.grandideastudio.com/portfolio/jtagulator/
Shikra
UART etc.
http://www.xipiter.com/musings/using-the-shikra-to-attack-embedded-systems-getting-started
Burp
Proxy
Spider
Repeater
https://github.com/madeye/proxydroid
Data Generation
Health Monitoring
Fault Tracking
Automated
Sulley
https://github.com/OpenRCE/sulley
GUI
Quick Setup
http://edwardprevost.info/RETR3AT/taof-0.3.2.gz
http://edwardprevost.info/RETR3AT/taof-0.3.2_Win32.zip
TAOF
Powerful
Everything is an object
http://www.secdev.org/projects/scapy/
Scapy
Two utility Python scripts to speed up fuzzing
http://edwardprevost.info/RETR3AT/car2py.py
http://edwardprevost.info/RETR3AT/car2treqs.py
SURPRISE
Virtually indistinguishable from Wurldtech
http://www.filewatcher.com/m/isic-0.07-4.el6.i686.rpm.42652-0.html
http://clem1.be/isicng/
Surprise Surprise
Verschlimmbessern (German: to make something worse by trying to improve it)