04/11/12

Vulnerable SCADA Systems - Dorks

Here are some useful queries:

  • http://www.shodanhq.com/?q=port:161+country:US+simatic
  • http://www.shodanhq.com/?q=PLC
  • http://www.shodanhq.com/?q=allen+bradley
  • http://www.shodanhq.com/?q=fanuc
  • http://www.shodanhq.com/?q=Rockwell
  • http://www.shodanhq.com/?q=Cimplicity
  • http://www.shodanhq.com/?q=Omron
  • http://www.shodanhq.com/?q=Novatech
  • http://www.shodanhq.com/?q=Citect
  • http://www.shodanhq.com/?q=RTU
  • http://www.shodanhq.com/?q=Modbus+Bridge

  • http://www.shodanhq.com/?q=modicon
  • http://www.shodanhq.com/?q=bacnet
  • http://www.shodanhq.com/?q=telemetry+gateway
  • http://www.shodanhq.com/?q=SIMATIC
  • http://www.shodanhq.com/?q=hmi
  • http://www.shodanhq.com/?q=siemens+-…er+-Subscriber
  • http://www.shodanhq.com/?q=scada+RTS
  • http://www.shodanhq.com/?q=SCHNEIDER
  • http://www.shodanhq.com/?q=port%3A161+simatic
  • http://www.shodanhq.com/?q=%22cisco-ios%22%20%22last-modified%22

Erk.. How to exploit?

  1. Default password (uhukk uhukk WinCC)
  2. http://reversemode.com/index.php?option=com_content&task=view&id=65&Itemid=1
  3. http://www.elladodelmal.com/2010/05/shodan-y-sistemas-scada.html
  4. [..]

What else to exploit ?

http://osvdb.org/search/search?search[vuln_title]=SCADA

INTRODUCTION TO SCADA HACKING

Hi guys, wassup. Today I will tell you about SCADA hacking and some other resources.

So first, what is SCADA? It is an abbreviation of Supervisory Control and Data Acquisition. Basically there is a lot of hardware in it, and it is used in power grids, dams and many other industries. They use primitive software that is easy to exploit. Remember Stuxnet, which exploited Iran's Windows computers to attack Iran's nuclear facility, which used Siemens equipment. In the same way there are lots of companies who make SCADA, and for ease of use and to control them from remote places they have an internet connection.
So basically there are PLCs (programmable logic controllers), which are the ones exploited mostly. The I/O cycles are controlled by a RISC (reduced instruction set computing) processor.

PLCs use RISC processors to run continuous, cyclical programs, and they take time in their I/O cycle to talk to the SCADA unit and receive instructions from the SCADA to modify their instruction sets or operating parameters. SCADA typically operates by evaluating the input data and determining whether it is within an allowable set of parameters.

1st: how to find vulnerable SCADA devices
You must know what an HTTP header does, and also that from it we can tell what software or authentication a server is running. Using that we will find vulnerable SCADA devices. A website called Shodanhq does this and makes our work easy:
from it, with a specific query (something like dorks), we can get lots of SCADA devices.

2nd: exploits
SCADA exploits are hard to get because no one shares them; sometimes you need to make your own, but you can get some from Exploit-DB, or there are modules by Metasploit to exploit some of them; they are here or here.

RESOURCES
1. shodanhq.com
2. scadahacker.com
3. SCADA dorks list
4. SCADA security research and tools

Warning: SCADA hacking is very, very dangerous. It can get people killed and cause a lot of property damage, and end up with you in jail for a long time.
This article is for education purposes only.

http://technomaina.blogspot.com/2012/04/introduction-to-scada-hacking.html
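As an added illustration of the scan cycle described above (not code from the quoted article or any PLC vendor), the model below runs the four phases in turn, read inputs, execute program, diagnostics & communications, update outputs, and checks every parameter change arriving from the SCADA side against an allowed range before the running program uses it. The tank-level logic, the limits and the command format are made-up assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Plc:
    """Toy PLC: one cyclic program holding a tank level near a setpoint."""
    setpoint: float = 50.0                     # % level the program holds
    limits: tuple = (20.0, 80.0)               # engineering-approved setpoint range
    outputs: dict = field(default_factory=lambda: {"pump": False})
    audit: list = field(default_factory=list)  # (verdict, command, reason)

    def read_inputs(self, sensors: dict) -> dict:
        """Phase 1: sample the field devices (here a single level sensor)."""
        return {"level": float(sensors["level"])}

    def execute(self, inputs: dict) -> None:
        """Phase 2: run the control program (hysteresis band of +/-5 %)."""
        if inputs["level"] < self.setpoint - 5:
            self.outputs["pump"] = True
        elif inputs["level"] > self.setpoint + 5:
            self.outputs["pump"] = False

    def communicate(self, commands: list) -> None:
        """Phase 3: diagnostics & communications window. Parameter updates
        from the SCADA master are validated against the allowed range instead
        of being trusted, and every decision is recorded for the SIEM."""
        lo, hi = self.limits
        for cmd in commands:
            if cmd.get("param") != "setpoint":
                self.audit.append(("rejected", cmd, "unknown parameter"))
            elif not lo <= float(cmd.get("value", float("nan"))) <= hi:
                self.audit.append(("rejected", cmd, "out of range"))
            else:
                self.setpoint = float(cmd["value"])
                self.audit.append(("accepted", cmd, ""))

    def update_outputs(self) -> dict:
        """Phase 4: drive the actuators; returns the output image."""
        return dict(self.outputs)

    def scan(self, sensors: dict, commands: list) -> dict:
        """One complete scan: inputs -> program -> comms -> outputs."""
        self.execute(self.read_inputs(sensors))
        self.communicate(commands)
        return self.update_outputs()


if __name__ == "__main__":
    plc = Plc()
    print(plc.scan({"level": 30}, []))                                     # pump on
    print(plc.scan({"level": 60}, [{"param": "setpoint", "value": 150}]))  # rejected
    print(plc.scan({"level": 60}, [{"param": "setpoint", "value": 70}]))   # accepted
    for entry in plc.audit:
        print(entry)
```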

 

12/16/11

Stuxnet / Duqu Cyber Weapons Diagram

Notes for Diagram: W32.Duqu threat

These files must be installed by another executable (the installer) which has not yet been recovered.

1. The installer gets in, installs everything and registers the files, which then gather enumeration information and encrypt it.

 

Highly targeted towards a limited number of organizations for their specific assets.

  • Enumerating the network, recording keystrokes, gathering system information
  • Uses HTTP and HTTPS to communicate with a command-and-control server
  • General remote access capabilities
  • Gathers intelligence from a private entity to aid future attacks on a third party

  • The DLL offers nine main routines:
    • 65h: List of running processes, account details, and domain information
    • 66h: Drive names and information, including those of shared drives
    • 68h: Take a screenshot
    • 69h: Network information (interfaces, routing tables, shares list, etc.)
    • 67h: Keylogger
    • 6Ah: Window enumeration
    • 6Bh: Share enumeration
    • 6Dh: File exploration on all drives, including removable drives
    • 6Eh: Enumerate computers on the domain through NetServerEnum
  • The log file contains records with the following fields:
    • Type
    • Size
    • Flags
    • Timestamp
    • Data

Key points:

  • Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
  • The executables are designed to capture information such as keystrokes and system information.
  • Current analysis shows no code related to industrial control systems, exploits, or self-replication.
  • The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
  • The exfiltrated data may be used to enable a future Stuxnet-like attack.

The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received. Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system.
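As an added example (not part of the original notes, and not Duqu code or any vendor tool), the two checks below flag the traffic pattern just described from the defender's side: a GET beacon whose data= parameter is long and high-entropy, and an image/jpeg response that is not a JPEG or that carries bytes after its End-Of-Image marker, where an appended encrypted payload would sit. The host name, the thresholds and the sample bodies are constructed assumptions.

```python
import math
import re
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"  # JPEG magic at offset 0
JPEG_EOI = b"\xff\xd9"      # End-Of-Image marker; a clean file stops here
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def entropy(text: str) -> float:
    """Shannon entropy in bits per character (max 6.0 for base64 text)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def check_request(method: str, url: str, min_len: int = 64) -> list:
    """Flag 'GET index.php?data=[DATA]' beacons: a long, high-entropy data=
    parameter looks like encrypted system information leaving the host."""
    if method != "GET":
        return []
    m = re.search(r"[?&]data=([^&#]*)", url)
    if not m:
        return []
    value = m.group(1)
    if len(value) >= min_len and re.fullmatch(r"[A-Za-z0-9+/=_-]+", value) and entropy(value) > 4.5:
        return ["encoded_data_in_query"]
    return []


def check_jpeg_body(content_type: str, body: bytes, slack: int = 16) -> list:
    """Flag image/jpeg responses that are not JPEGs, or that carry a payload
    after the End-Of-Image marker (where appended encrypted code would sit)."""
    if not content_type.lower().startswith("image/jpeg"):
        return []
    if not body.startswith(JPEG_SOI):
        return ["jpeg_magic_mismatch"]
    end = body.rfind(JPEG_EOI)
    trailing = len(body) - (end + 2) if end >= 0 else len(body)
    # A few stray bytes after EOI occur in benign files; hundreds do not.
    return ["jpeg_trailing_data"] if trailing > slack else []


# --- constructed samples (stand-ins, not real captures) ---------------------
BEACON_VALUE = "".join(B64[(i * 7) % 64] for i in range(128))  # cipher-like text
BEACON_URL = "http://cc.example.invalid/index.php?data=" + BEACON_VALUE
BENIGN_URL = "http://cc.example.invalid/index.php?data=hello"
BENIGN_JPEG = JPEG_SOI + b"\x00" * 40 + JPEG_EOI
PAYLOAD_JPEG = BENIGN_JPEG + b"\x37" * 256       # dummy JPG + appended blob
FAKE_JPEG = b"MZ\x90\x00" + b"\x00" * 60         # PE header served as a JPG


def triage(exchanges: list) -> list:
    """exchanges: (id, method, url, content_type, body) -> [(id, finding)]"""
    out = []
    for eid, method, url, ctype, body in exchanges:
        for finding in check_request(method, url) + check_jpeg_body(ctype, body):
            out.append((eid, finding))
    return out


if __name__ == "__main__":
    samples = [
        ("e1", "GET", BENIGN_URL, "image/jpeg", BENIGN_JPEG),
        ("e2", "GET", BEACON_URL, "image/jpeg", PAYLOAD_JPEG),
        ("e3", "GET", BENIGN_URL, "image/jpeg", FAKE_JPEG),
    ]
    for hit in triage(samples):
        print(hit)
```

Both checks are heuristics meant to feed a SIEM or extrusion-detection rule, not to replace signature matching; tune slack and min_len to the local traffic baseline.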

 

Text of Diagram:

Stuxnet / Duqu

Architecture:
  • Installation
  • Injection Procedure
  • USB Drives
  • Infection Routine Flow
  • Windows Computers
  • Stuxnet Updates Itself
  • Command and Control Server Communication
  • Internet Connection
  • Internal Networks
  • Remote Control

C&C Server / Compromised Computer - Client exchange:
  • Client: GET index.php?data=[DATA], where DATA is the OS version, machine name and workgroup name
  • Server: 200 OK
  • Exec RPC code
  • Response Type 1: 200 OK, execute RPC routine
  • Response Type 2: 200 OK, encrypted binary code; the client decrypts & executes the code

C&C Control:
  • Check Internet Connection
  • Send system information to C&C
  • C&C response to execute encrypted binary code
  • C&C response to execute RPC routine

Security Issues - Mitigation Techniques:
  • Security Information and Event Management (SIEM)
  • Intrusion monitoring system integrated with SIEM
  • Implement extrusion detection
  • Implement passive vulnerability scanners (PVS)

Control System - Secure Facility, No Internet:
  • Installation
  • Injection Procedure
  • USB Drives
  • Infection Routine Flow
  • Windows Computers
  • NO – Stuxnet Updates Itself
  • PLC Controllers
  • Industrial Motors
  • Command and Control Server Communication
  • Internet Connection
  • Internal Networks
  • Remote Control
  • PLC Controllers
  • Industrial Motors

PLC - Programmable logic controller

Duqu:
  • Has the capability to gather intelligence from a private entity to aid future attacks
  • Creators of Duqu had access to the source code of Stuxnet
  • Payload has been replaced with general remote access capabilities
  • Automatically removes itself from the system
  • Threat is configured to run for 36 days
  • C&C: primarily downloading or uploading what appear to be JPG files
  • Information is logged to a lightly encrypted and compressed local file
  • Gathering system information
  • Enumerating the network
  • Downloads additional executables
  • Uses HTTP and HTTPS to communicate
  • Signed with a valid digital certificate
  • Records keystrokes

DATA:
  • Lists of running processes, account details, and domain information
  • Drive names and other information, including those of shared drives
  • Screenshots
  • Network information (interfaces, routing tables, shares list, etc.)
  • Key presses (key logger)
  • Open window names
  • File exploration on all drives, including removable drives
  • Enumeration of computers in the domain through NetServerEnum

SCADA

Process automation protocols:
  • DF-1
  • FOUNDATION fieldbus – H1 & HSE
  • Profibus – by PROFIBUS International
  • PROFINET IO
  • CC-Link Industrial Networks – supported by the CLPA
  • CIP (Common Industrial Protocol) – can be treated as the application layer common to DeviceNet, CompoNet, ControlNet and EtherNet/IP
  • Controller Area Network – utilised in many network implementations, including CANopen and DeviceNet
  • ControlNet – an implementation of CIP, originally by Allen-Bradley
  • DeviceNet – an implementation of CIP, originally by Allen-Bradley
  • DirectNet – Koyo / Automation Direct proprietary, yet documented PLC interface
  • EtherNet/IP – IP stands for “Industrial Protocol”. An implementation of CIP, originally created by Rockwell Automation
  • Ethernet Powerlink – an open protocol managed by the Ethernet POWERLINK Standardization Group (EPSG)
  • EtherCAT
  • Interbus – Phoenix Contact’s protocol for communication over serial links, now part of PROFINET IO
  • HART Protocol
  • Modbus RTU or ASCII or TCP
  • Modbus Plus
  • Modbus PEMEX
  • Ethernet Global Data (EGD) – GE Fanuc PLCs (see also SRTP)
  • FINS – Omron’s protocol for communication over several networks, including Ethernet
  • HostLink Protocol – Omron’s protocol for communication over serial links
  • MECHATROLINK – open protocol originally developed by Yaskawa
  • MelsecNet – supported by Mitsubishi Electric
  • Optomux – serial (RS-422/485) network protocol originally developed by Opto 22 in 1982. The protocol was openly documented and over time used for industrial automation applications
  • Honeywell SDS – Smart Distributed System, originally developed by Honeywell, currently supported by Holjeron
  • SERCOS interface – open protocol for hard real-time control of motion and I/O
  • SERCOS III – Ethernet-based version of the SERCOS real-time interface standard
  • GE SRTP – GE Fanuc PLCs
  • Sinec H1 – Siemens
  • SynqNet – Danaher
  • TTEthernet – TTTech
  • PieP – an open fieldbus protocol
  • BSAP – Bristol Standard Asynchronous Protocol, developed by Bristol Babcock Inc.
  • RAPIEnet – Real-time Automation Protocols for Industrial Ethernet

Company Management - Internet - Local Control Offshore Platform:
  • PLC-DCS – distributed control system
  • PLC-RTU – Remote Terminal Unit
  • Valve Station
  • Stress Breach Station
  • Terminals
  • Internet

PLC - Programmable Logic Controller (Stuxnet seeks specific models: S7-300, S7-400)

PLC scan cycle:
  • Read Input of Device
  • Execute Program
  • Diagnostics & Communications
  • Update Output

Communication Media: Satellite, TelCom, Internet, SONET / SDH, Cellular Networks

SCADA Master - Internet - HMI - MTU - Web Server - Internet

Duqu – Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Duqu - Geographics: France, Netherlands, Switzerland, Ukraine, India, Iran, Sudan, Vietnam

Duqu - Compile Time and Purpose:

  Compile Time               | Purpose
  ---------------------------|-----------------------
  Wed Jun 01 03:25:18 2011   | Stealing information
  Mon Oct 17 17:07:47 2011   | Reconnaissance module
  Mon Oct 17 16:26:09 2011   | Lifespan extender
  Tue Aug 09 21:37:39 2011   | Stealing information

08/5/11

Cyberspace Has Morphed Into Physical Destruction of a Nation’s Resources.

Mr. Cofer Black (CIA), keynote speaker at Black Hat 2011, ties the domains (Land, Sea, Air, Space, Cyber) in with the threats (Chemical, Bacteriological, Radiation, Nuclear, Cyber) in a world that has morphed into physical destruction of national resources via cyberspace. He also warns about the decision makers: “They didn’t understand it”. In today’s world that’s scary.

While this is going on, we find out that Mr. Beresford (security researcher) has been playing with PLCs & Stuxnet and found: “Hard-Coded Password (Basisk), an Easter egg with dancing chimpanzees, and Other Security Holes Found in Siemens Control Systems”. The program that killed Iran’s nuclear program for a few years worked because the Siemens control PLCs have no security to speak of.

This is the same equipment that Lockheed (which got the Smart Grid Security contract last week) would use to turn a transformer off or on from their cyber control center, and so can the bad guys. We’re in big trouble, people.

We as Net-Citizens need to understand the transformation that technology is making to our physical infrastructure. These industrial control systems will become our building block to automate and generate real-time reports from isolated, geo-located equipment like pumping stations on the remote Alaskan pipeline. With a satellite and a computer connected to cyberspace a company can turn the pump on or off in real time. This saves millions of man-hours sending a crew to check on a pump in bad weather. These PLC devices can be installed in hazardous environments like nuclear plants and undersea pumps on an oil rig.

We need to make sure that proper cyber security is applied to these devices when the government installs them in public projects. Even a simple water treatment plant in a small town can be hacked and the town will get sick, because they did not know where to get the proper security baseline needed to protect these infrastructure assets.

We need better coordination between cities, towns, states, and federal cyber security standards for our basic infrastructure. Imagine some nation taking control of our traffic lights during rush hour in New York or DC. Imagine if it’s a 16-year-old kid grounded in his room with a laptop. We need to work together and apply the best solutions, not the politically connected solution: the right solution by the right people with the proper cyber security savvy.

My 2¢ – gatoMalo_at_uscyberlabs_dot_com

http://USCyberLabs.com/blog/

http://ChinaCyberWarfare.wordpres

 

Read more: http://www.informationweek.com/news/government/security/231300137

 

 

07/27/11

Lockheed Promises Electric-Grid Security

Lockheed Martin Corp. (LMT) is selling its military and intelligence expertise to electric utilities as the world’s largest defense contractor tries to exploit a U.S. push to guard power grids from terrorists and hackers.

Lockheed plans to enter the projected $1.3 billion market for utility cybersecurity next month with Palisade, a software program developed in partnership with American Electric Power Co. of Columbus, Ohio. The program alerts power companies to hacker intrusions and attacks on their electronic systems.

President Barack Obama’s administration proposed in May requiring utilities and other companies that operate “critical infrastructure” to develop cybersecurity plans that would be reviewed by commercial auditors. Companies could also work with the Department of Homeland Security to improve their plans.

Without adequate protection, the “smart grid” is “vulnerable to attacks that could result in widespread loss of electrical services essential to maintaining our national economy and security,” a Government Accountability Office report found in January.

Lockheed’s product gives utilities “the big picture of what’s really happening” within their networks, Rich Mahler, the company’s senior manager for cybersecurity in its energy solutions business, said in an interview. Bethesda, Maryland-based Lockheed suffered an attack on its own computer system last month.

IBM, Raytheon

International Business Machines Corp. (IBM), Raytheon Co. and Boeing Co. (BA) are among companies also working with utilities on smart-grid projects.

The U.S. electricity network is increasingly becoming a smart grid as it is overhauled with advanced information technology. Power companies are installing next-generation digital meters in buildings while preparing to attach more renewable energy resources and as many as 1 million electric autos to the grid by the middle of the decade. All those innovations give hackers more ways to break into a network.

“Cybersecurity is being talked about at the CEO level” at U.S. utilities, David Batz, manager for security, infrastructure and operations at the Edison Electric Institute, a Washington-based industry group, said in an interview.

Investment in security for the computerized electrical grid is expected to increase to $1.3 billion in 2015 from about $800 million this year, according to Pike Research LLC, a Boulder, Colorado, firm that studies the clean-energy market.

Global Projects

IBM, which says it’s the market leader in power-company cybersecurity, is involved in about 150 smart-grid projects globally, with customers including Sempra Energy (SRE) of San Diego and Japan’s Tokyo Electric Power Co.

“What we’re watching is an entire sector of the U.S. economy and the global economy modernizing,” Andy Bochman, an energy security specialist for Armonk, New York-based IBM, said in an interview.

Raytheon provides utilities with consulting services and software to protect their power grids, according to Charles Cartwright, who heads Raytheon’s integrated command systems business. The Waltham, Massachusetts-based company is working with utilities “mainly across the South,” he said in an interview.

Chicago-based Boeing won $8.56 million in pilot projects from the U.S. Energy Department to develop prototype smart-grid systems in collaboration with Consolidated Edison Inc. in New York and Southern California Edison Co., the department said last year.

Lockheed Hit

Lockheed, which drew 84 percent of its $45.8 billion in sales in 2010 from government contracts, said the May 21 cyber attack on its system was the result of a data breach at security provider RSA Security, a unit of EMC Corp. of Hopkinton, Massachusetts. Lockheed detected the “significant and tenacious” threat “almost immediately” and no customer, program or employee information was compromised, according to a statement from the company.

“I’m sure it hurts their credibility a little bit,” Mark Weatherford, security chief at the North American Electric Reliability Corp., a U.S.-approved power-grid watchdog, said in an interview.

Lockheed was able to respond immediately, “which is something that a lot of companies could not have done,” Weatherford said. “If you’re in this business long enough, you’re going to get hacked.”

Lockheed opened a cybersecurity research center in Gaithersburg, Maryland, in 2009 to develop tools to fight electronic attacks. What the company learns from government work can sometimes be adapted for utilities, Mahler said.

Research Center

Palisade runs on a utility’s existing networks, linking security components throughout the company’s computer and power-line system, according to Mahler.

“What we try to do is suppress a lot of the false alarms” so that utilities “can respond appropriately to the real ones,” he said.

American Electric, the biggest U.S. producer of coal-fueled electricity, received $75 million to make smart-grid upgrades under the 2009 U.S. stimulus law and teamed with Lockheed, which developed a new cybersecurity product for the utility’s network. The companies plan to run Palisade as a pilot project through 2012.

American Electric and Lockheed have been working with 15 other utilities, whose names haven’t been made public, to share the security threat information that the software provides.

“The sharing of threats from one company to another is really what this is all about,” Kevin Stogran, American Electric’s director of information risk services, said in an interview.

Obama Blueprint

None of the other utilities working with Lockheed has committed to buy the software. A “major oil company” is considering purchasing it, Mahler said. Lockheed officials have declined to say how much Palisade costs.

“Right now security is definitely not integrated into the grid,” Weatherford said during a briefing in Washington last week. “Security is bolted on,” he said.

At a minimum, utilities are required to meet cybersecurity standards of the North American Reliability Corp., established in 2008, or face penalties of as much as $1 million a day.

The Obama administration’s smart-grid blueprint, which includes protection against cyber attacks as a primary goal, aims to coordinate public and private efforts to upgrade the aging power grid. Members of Congress are considering legislation that would provide the Federal Energy Regulatory Commission greater authority to respond to a cyber attack.

The Government Accountability Office in January determined that the electric utility industry doesn’t have a way of measuring the effectiveness of cybersecurity efforts, and power companies lack a means for sharing information about threats to the grid.

“Utilities are focusing on regulatory compliance instead of comprehensive security,” according to the report.

Via >> http://www.bloomberg.com/news/2011-06-30/lockheed-promises-electric-grid-security-for-1-3-billion-market.html

05/8/11

Web too Vulnerable to Potential Attack, Study Suggests | PCWorld

The report revealed that 40 percent of the IT executives surveyed felt that there was in their industry lately. However, nearly 30 percent of the same group of executives said their company networks are unprotected and 40 percent believe that a “major” cyber attack may be imminent within the next year.

The report also noted that the threats to critical infrastructure have increased compared to last year even as efforts to protect the infrastructures have not increased in any way. The new study is a follow-up of last year’s study which already noted that critical infrastructures were not as protected as expected.

Power Grids

via Web too Vulnerable to Potential Attack, Study Suggests | PCWorld.
