scada protocol

lucy mcminn

on 13 December 2010

Transcript of SCADA

attacking scada protocol
creating an autonomous attack vector
challenges
is it even possible?
historical SCADA attacks...
Stuxnet
required significant insider knowledge
Overview
What is SCADA?
What makes it so vulnerable?
Proposal: Create an Autonomous Vector
But the question is...
Can we do it without insider knowledge?
But why do we care
Attacks escalate over time
The nature of SCADA:
Can't afford to be a step behind
Cyber propagates to physical realm
so it's critical to think NOW of what the future will hold
So let's put on our thinking hats
Beginning to break up the problem
Let's focus on one area
Protocol
communication between operator and remote terminal unit
Specifically
very vulnerable
Public
Security focused
To begin to automate...
TCP/IP enabled
An attacker can see SCADA traffic over the Internet
meaning
Protocols are:
System specific
Let's make some assumptions
First, find the traffic on the internet
this is really a cyber specific problem
non-trivial but not SCADA focused
Instead, let's assume an attacker is sophisticated
Protocols are not:
Proprietary
Frequently updated
So what's our effect
When mitigating an attack
Consider the most dangerous threat
Consider the most likely
Smart or Dumb?
Dumb:
Denial of Service
Fuzzing inputs
Focused on creating ANY effect
Smart:
Stealth
Intelligence
Knowledge
Effects based
This attacker will have resources
Intrusion Detection
Not all have this but...
Need for stealth
Passive vs. Active attacks
"Shooting the moon"
Can we just ask for all the commands?
Watch out for:
Error messages to the operator
Log files
So we are building a stealthy attack vector
Wait and listen
Intelligent attack
In order to perform
Let's get started...
Tailor from general rules
Plausibility?
decide now if the system is a good target
but before we jump in
Map out the packet frame
MODBUS
DNP3
or a proprietary version
is it a flavor of:
What frames are the most traffic?
These are critical to daily operation
Target these if:
immediate change
Noticeable
Could cause significant upset of operations
What frames are the least traffic?
These are probably the commands that modify and reprogram the system
Target these if:
Logical, subtle change
Could cause drastic propagated effects
Ultimately changes the functionality of the unit
Begin to analyze the frame specifically
bit by bit
Which blocks are changing?
CRC?
How can we correctly form a packet
Look at specific values
data values
trigger an alarm?
cause a change?
What does each packet DO
Requires complex computation
But this won't stop a dedicated attacker...
What kind of packet is it?
Solicit a reply?
If not...
ability to try out commands
But can a vector ever really KNOW?
No, consider the halting problem
But that didn't stop automated cyber attacks
Metasploit for SCADA?
It's already underway...
Ultimately
Consider automated SCADA attack vectors NOW
targeted at protocol
because it's a weak link
but it's becoming more well understood
difficulty of the problem has never stopped attackers before
Stuxnet x 10
so what have we shown?
Automated attack vectors ARE worth considering
Protocols have generic features
Common vulnerabilities
Though it's a challenging task...
Standardized
though they do have standards
and focus on SCADA specifics
timestamp?
parity?
what is the range?
Recurring?
flags?
Questions?
Why is this important?
How can we attack it?