04/11/12

Vulnerable SCADA Systems - Dorks

Here are some useful queries:

  • http://www.shodanhq.com/?q=port:161+country:US+simatic
  • http://www.shodanhq.com/?q=PLC
  • http://www.shodanhq.com/?q=allen+bradley
  • http://www.shodanhq.com/?q=fanuc
  • http://www.shodanhq.com/?q=Rockwell
  • http://www.shodanhq.com/?q=Cimplicity
  • http://www.shodanhq.com/?q=Omron
  • http://www.shodanhq.com/?q=Novatech
  • http://www.shodanhq.com/?q=Citect
  • http://www.shodanhq.com/?q=RTU
  • http://www.shodanhq.com/?q=Modbus+Bridge

    gAtO fool U -nO -sI

  • http://www.shodanhq.com/?q=modicon
  • http://www.shodanhq.com/?q=bacnet
  • http://www.shodanhq.com/?q=telemetry+gateway
  • http://www.shodanhq.com/?q=SIMATIC
  • http://www.shodanhq.com/?q=hmi
  • http://www.shodanhq.com/?q=siemens+-…er+-Subscriber
  • http://www.shodanhq.com/?q=scada+RTS
  • http://www.shodanhq.com/?q=SCHNEIDER
  • http://www.shodanhq.com/?q=port%3A161+simatic
  • http://www.shodanhq.com/?q=%22cisco-ios%22%20%22last-modified%22

Erk.. How to exploit?

  1. Default password (uhukk uhukk WinCC)
  2. http://reversemode.com/index.php?option=com_content&task=view&id=65&Itemid=1
  3. http://www.elladodelmal.com/2010/05/shodan-y-sistemas-scada.html
  4. [..]

What else to exploit ?

http://osvdb.org/search/search?search[vuln_title]=SCADA

INTRODUCTION TO SCADA HACKING

Hi guys, wassup. Today I will tell you about SCADA hacking and some other resources.

So first, what is SCADA? It is an abbreviation of Supervisory Control and Data Acquisition. Basically there is a lot of hardware in it, and it is used in power grids, dams and many other industries. They use primitive software that is easy to exploit. Remember Stuxnet, which exploited Iran's Windows computers to attack Iran's nuclear facility, which used Siemens equipment. In the same way there are lots of companies who make SCADA, and for ease of use and to control them from remote places they have an internet connection.
So basically there are PLCs (programmable logic controllers), which are exploited mostly. The I/O cycles are controlled by a RISC (reduced instruction set computing) processor.

PLCs use RISC processors to run continuous, cyclical programs, and they take time in their I/O cycle to talk to the SCADA unit and receive instructions from the SCADA to modify their instruction sets or operating parameters. SCADA typically operates by evaluating the input data and determining if it is within an allowable set of parameters.

1st: how to find vulnerable SCADA devices
You must know what an HTTP header does, and also that from it we can know what software or authentication a server is running. With the use of that we will find vulnerable SCADA devices. A website called Shodanhq does this and makes our work easy:
from that, with a specific code (something like dorks), we can get lots of SCADA.

2nd: exploits
SCADA exploits are hard to get because no one shares them; sometimes you need to make your own, but you can get some from Exploit DB, or there are modules by Metasploit to exploit some of them, here or here.

RESOURCES
1. shodanhq.com
2. scadahacker.com
3. SCADA dorks list
4. SCADA security research and tools

Warning: SCADA hacking is very, very dangerous. It can get people killed and cause a lot of property damage, and end up with you in jail for a long time.
This article is for education purposes only.

http://technomaina.blogspot.com/2012/04/introduction-to-scada-hacking.html
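The article above says that HTTP headers and page content reveal what software a server runs, and elsewhere this page notes login pages served "not even HTTPS" and error pages that leak version information. The same observation is what a defender should check against their own inventory. The following is an added example (not code from the quoted article, from gAtO, or from any product named here): it parses stored HTTP responses from hosts you own and flags the exposure patterns the page describes. The product markers are names taken from the dork list above; the inventory, the RFC 5737 test addresses and the response bodies are constructed.

```python
"""Audit stored HTTP responses from your own hosts for the exposure patterns
this page describes: an HMI/SCADA web interface reachable at all, a login
form served without TLS, and a Server header that discloses a version.

Added example for this page, not the page's or any product's code. The
product markers are names that appear on this page; the inventory below is
constructed with RFC 5737 test addresses."""

import re
from urllib.parse import urlsplit

# Product names from the dork list on this page, matched as whole words.
HMI_MARKERS = ("citect", "webaccess", "simatic", "wincc", "cimplicity", "rtu")
VERSION_RE = re.compile(r"/\d+(?:\.\d+)+")   # e.g. "Microsoft-IIS/7.5"


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_host(url: str, raw: str) -> list:
    """Return a list of findings for one host (empty when nothing stands out)."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    _, headers, body = parse_response(raw)
    text = body.lower()

    hits = [m for m in HMI_MARKERS if re.search(rf"\b{m}\b", text)]
    if hits:
        findings.append("HMI/SCADA web interface reachable: " + ", ".join(hits))
    if scheme == "http" and re.search(r'type\s*=\s*"?password', text):
        findings.append("login form served over cleartext HTTP")
    if scheme == "http" and "www-authenticate" in headers:
        findings.append("HTTP authentication challenge over cleartext HTTP")
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"Server header discloses version: {server}")
    return findings


def audit_inventory(inventory: dict) -> dict:
    """inventory: {url: raw_response}. Returns only the hosts with findings."""
    report = {}
    for url, raw in inventory.items():
        findings = audit_host(url, raw)
        if findings:
            report[url] = findings
    return report


# Constructed sample responses (not captured from any real host).
INVENTORY = {
    "http://192.0.2.10/rtu.aspx": (
        "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nContent-Type: text/html\r\n\r\n"
        "<html><body><h1>RTU Status</h1><form method=post>"
        "<input name=user><input type=\"password\" name=pw></form></body></html>"
    ),
    "https://192.0.2.11/": (
        "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
        "<html><body><h1>Corporate site</h1><p>Welcome.</p></body></html>"
    ),
    "http://192.0.2.12/citect/": (
        "HTTP/1.1 401 Unauthorized\r\nServer: Apache\r\n"
        "WWW-Authenticate: Basic realm=\"Citect Web Client\"\r\n\r\n"
        "<html><body>Citect Web Client</body></html>"
    ),
}

if __name__ == "__main__":
    for url, findings in audit_inventory(INVENTORY).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

The check runs entirely on responses you have already collected from your own address space, so it needs no network access; the point is that a plain-HTTP login page or a versioned Server header on an HMI host is exactly what the dork lists above key on, and it is cheap to find first yourself.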

03/8/12

Machine-to-Machine Protocol: Is It Secure?

In August of last year, two researchers at an annual Black Hat security conference demonstrated some very clever and simple hacking with some very devastating results. They effectively stole a Subaru Outback by sending text messages from an Android phone.

It gets worse Wikipedia – http://en.wikipedia.org/wiki/Machine-to-Machine

“I could care less if I could unlock a car door,” researcher Don Bailey told CNN. “It’s cool. It’s sexy. But the same system is used to control phone, power, traffic systems. I think that’s the real threat.”

The automobile in question, like many others on the market, was equipped with remote starting and locking mechanisms, which are actuated through messaging from a GSM network. After sniffing authentication keys, Bailey and his cohort sent “authenticated” text messages to the vehicle, unlocking the doors and starting the engine. This process can be easily replicated on other similar cellular-linked M2M devices that do a lot more than protect cars, and it has.

Fast forward to November, when a damaging digital intrusion at an Illinois public water facility was reported: hackers were able to gain control of a water utility pump and sent it a cyber poison pill, destroying the pump and impacting residents’ water resources.

Commenting on this cyber terrorism, a McAfee researcher David Marcus wrote that “It is really no more difficult to attack a [Supervisory Control And Data Acquisition] SCADA network or system than it is to attack any other system.” A hacker who claimed knowledge of the attack wrote of the stupidity of “connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two-year-old with a basic knowledge of Simatic.”

This is not science fiction–this is today’s reality. As the “internet of things” goes online, questions of security and fraud move to the forefront. Particularly in light of recent high-profile attacks by Anonymous (who brazenly takes down government websites at will), cyberterrorism becomes much more frightening as a threat when critical infrastructures are exposed to infiltration and manipulation.

Both of these cases illustrate a major security problem facing M2M: machine-to-machine communication is inherently unattended, and unattended security is prone to attack. Additionally, “the number of M2M endpoints dramatically increases the attack surface,” says Scott Swartz, CEO and founder of MetraTech. As we take a closer look at M2M, other security issues become apparent, a major issue being GSM itself. Surely carriers and vendors have already thought this through…or have they?

Is The Developing Digital World Inherently Unsafe?

“The research in security for M2M communications is still in its infancy,” concluded a lengthy academic research paper published by researchers from the University of Waterloo and the University of Ontario in April 2011. “Despite the promising real-time monitoring applications and tremendous benefits, M2M communication is still in its infancy and faces many technical challenges,” the researchers indicated.

Like web browsers and the Internet, it wasn’t until after viruses and Trojans began to infiltrate our daily lives that security programs began to catch up. Similarly, each time a new digital platform is commercialized—smartphone, tablet—a new wave of cyber attack hits shore before security patches are released, and prevention and detection software is released.

Certainly, as M2M matures, better security will evolve, but until then, we are living in a developing country.  Identifying key security problems is the first step in creating solutions.

M2M and GSM: An Unhealthy Marriage?

One of the biggest security issues facing M2M is that the predominant network technology used to send M2M messaging is still GSM, which has considerable security flaws compared to CDMA. Denny Nunez, Business Development Manager, Sprint, elucidated this threat. “The voice security hole has been exploited dozens of times over the years on GSM.  Today eavesdropping over the GSM voice channel is done with relative ease and with under $100 in equipment costs. SMS has also been exploited in GSM M2M modules.”

In fact, both examples at the beginning of this article were exploits of GSM networks.

“None of these examples have ever been successfully done on CDMA,” continued Nunez. “This is thanks to the higher encryption level native in CDMA vs. GSM, and the spread spectrum technology inherent in its design.”

Scott Swartz, CEO of MetraTech, agrees. “3G and 4G already offer better security than GSM/GPRS networks and if the device has the ability to encrypt the data, the connections are as secure as those that we use for online commerce and banking.”

Although M2M will certainly evolve to communicate over 3G and 4G networks, today most M2M communication requires very little bandwidth and is still delivered over GSM networks.  But that doesn’t mean we’re doomed until the next M2M network upgrade–there are security holes that can be closed.

Let’s Get Physical

There are two points of attack on M2M communications: over the network, or physical attacks on the device. As I pointed out, M2M devices, by nature, are unattended, making physical attacks fairly easy. Also, many devices switch to sleeping mode in order to conserve energy, making detection of an attack difficult. Sadly, M2M devices aren’t very well equipped to deal with physical attacks.

According to security experts, the security technology employed in the embedded hardware in most M2M devices is “from the 80s”—in other words, very easy to hack. This is based on simple market dynamics: M2M devices must be cheap, highly available, and consume little power. In order to create a “trusted” connection, the devices contain authentication information. However, unencrypted flash memory in the devices themselves easily exposes the “secret keys” to an intruder.

Security researcher Hunz outlined the ease with which M2M devices can be physically attacked in a recent presentation. Hunz bought an asset tracking M2M device from eBay. When he looked inside, he found a PIN-protected SIM card.  However, the device sent the PIN to the SIM card when it was powering up, making the PIN easy to “sniff” using SIMTrace. Hunz took the compromised SIM card from the device and put it in a cellphone that had the firmware patched to the IMEI of the M2M module. He began making phone calls.  The SIM remained active.

If it ended here, this would be an example of SIM fraud via an M2M module. This is surprisingly common: recently an Australian woman was jailed for racking up nearly $200,000 on a SIM card she pulled from her smart meter. In Africa, a network of thieves pulled SIM cards from traffic lights to make thousands of dollars worth of calls. However, free calls and SIM fraud are only one exploit; Hunz dug deeper.

He located a private internet of IP addresses (likely other similar devices) that updated regularly (likely moving cars).  He then connected the M2M module to his PC, and spoofed the control surface to gain entrance into the vendor network, which had no rogue device identification parameter. Once “inside,” he could have launched a passive attack to map out the network protocols, or an active attack to disrupt services provided by the M2M network.

Since physical attacks on M2M devices must be expected, the need for better device-side protocols is paramount.  These include:

  • Disabling debugging functions in M2M devices themselves.
  • Encrypting the internal memory of microcontroller in the device.
  • Eliminating signal pathways that send unencrypted data over external buses (USB, etc.)
  • Building in circuitry that detects tampering or intrusion.

Physical security protocols are important whether a device is on a GSM network or a CDMA network, so carriers and M2M service providers should make every effort to ensure “secret” data is encrypted and properly handled through all touch points in the M2M communications chain.

Better Gateways and Encryption

Beyond physical device attacks, communications service providers who offer M2M solutions must also prepare for network-side attacks. As security expert Hunz wrote, “never trust the communications channel; always use extra sound encryption and authentication.” For one, this means stronger gateways.

“CSPs should provide a gateway between M2M endpoints and M2M management platforms and any external interface,” said Scott Swartz. “Consider the recent cell phone hacking scandals. Was the device hacked or the connection hacked? The industry must take into account what confidential information the endpoints contain and how to protect it.”

In other words, even if a device is hacked, the gateway to the network must have robust authentication that prevents and detects unauthorized use and entry attempts, as well as logging and reporting mechanisms.  In the case of the Illinois water plant intrusion, hackers were poking around inside the SCADA network for months without detection. Proper detection, logging, and reporting could have contained the attack as a passive intrusion, before hackers were able to launch an active attack on the water pump.

Additionally, communications channels used by M2M applications aren’t usually encrypted by M2M service providers. As Denny Nunez at Sprint explained, “a concern is that many M2M applications also open up and utilize both the SMS and Voice channels.  SMS and Voice are rarely ever encrypted by third-party M2M solutions and THAT is where a big security hole exists.”

A Standard for Safety

While M2M solutions reside within a latticework of overlapping standards that address various points along the machine-to-machine technological continuum, “There is no ISO standard for M2M security,” says Denny Nunez.  There are M2M working groups that are certainly dedicating considerable time to creating security standards, but as of today, an M2M device doesn’t come with a sticker that verifies its compliance with, say, standards for encrypted security key handling in on-board memory. While security standards for M2M communications will certainly be developed, until they are, it is critical that CSPs who offer M2M diligently investigate the security protocols of devices, their third-party partners, and the level of encryption and authentication in their gateways and SMS/voice channels.

As I pointed out elsewhere in this issue, the future of connected devices belongs to machines. Standing at the first stop on the road to the internet of things, we see M2M primarily being used for metering, asset tracking, and dynamic advertising. Although improving the security of both the M2M devices and the communications networks for these applications is crucial, the importance of M2M security will only increase as M2M applications evolve into active infrastructure management.

Scott Swartz summed up the challenges facing M2M service providers as applications move from simple monitoring and tracking to control: “The scary question is, “What M2M applications control things that are potentially dangerous vs. applications that are primarily benign?” I allow my home automation system to activate my alarm, but do I trust it to deactivate it? Not yet. Let’s hope that critical infrastructure providers use the same common sense until the security issues are sorted out.”

By: Jesse Cryderman

01/10/12

SCADA System Open to Google Search

 gAto tHiNk -SCADA systems are going to get hit this year. Why You Ask? gAto was chasing a mouse and found these misconfigured sites that with a little know how could be a bad day for some people.

a friend ask: http://115.248.75.73/rtu.aspx

You don’t want to peek and poke in a SCADA system. We need a place to report these open SCADA systems when we find them in the wild, so the government can make sure these open systems get fixed by the companies. It’s their responsibility to keep these systems SECURE.

gAtO can you explain what confirmed that this is a scada system? This looks more like a mis-configured webserver at first glance. Haven’t gone deeper yet.

gAtO sAyS: a “mis-configured web server” is the skeleton key to any SCADA hack. Once it was opened we looked at the source code to see why this page was out in the wild. There are a few more from my first sweep that I found; this is one that’s interesting. I contacted them about 3 months ago and told them what I found and they have not answered. A very passive scan will show “ports” that are open; a more aggressive scan will show more, but I don’t want to go there, unless I’m paid that is.

So now we have source code with the directory structure of the website. The JavaScript can be downloaded and studied for problems. http://119.226.250.66/ and other sites pop up; this one is a login for secure stuff and not even HTTPS. How many more server IPs will I find, what OS do they have, what version do they have, what’s the web app server (ASP error pages show a lot of information; on some, Apache, Linux (CentOS, used in the Stratfor and Duqu hacks, buggy/unsecure maybe)), what version, and have the patches been applied? I could go on and on. The few I have found are in India and the States so far, and Indian companies overseas copying the flawed open model for their overseas customers (Bali). As to RTUs and stuff & thingies that go pop in the night, I think I’ll keep that information private; I hope you understand.
These are some of the things I saw without going into greater detail. It’s amusing what a web browser and a translate button can do. Mis-configured web servers are a big problem everywhere.

gAtO tried to contact these people but they did not answer, so I hope this is just a lot of dumb stuff and it does not matter. gAtO will not go any deeper because that would mean I am a hacker, and I do not have permission to do this. Any good security person will tell you this is not good practice. Below are gAtO’s notebook logs from this research; some information is good, some mAyBe good. gAtO oUt

Lab Notes:

Updated Jan 21,2012

Bad One - misconfigured sites:

  1. http://115.248.75.73/rtu.aspx
  2. http://scada.pln-jawa-bali.co.id/outofpoll.php
  3. http://bops.pln-jawa-bali.co.id/
  4. http://10.6.1.50
  5. http://scada.pln-jawa-bali.co.id/statusts.php
  6. http://80.81.127.209/citect/  – http://81.233.151.96/
  7. http://88.112.77.67/
  8. http://87.94.167.4/
  9. http://87.94.167.5/
  10. http://192.89.118.200
  11. http://217.30.178.82/
  12. http://84.249.121.239/ord?station:|slot:/P$e4$e4valikko
  13. http://132.181.40.6/index.cgi
  14. http://129.79.153.212/index.cgi
  15. http://155.185.12.221/index.cgi
  16. http://80.81.127.209/citect/
  17. http://85.112.163.200/
  18. http://81.233.151.96/
  19. http://213.201.177.254/
  20. http://64.131.88.166
  21. http://221.115.238.179/
  22. http://80.81.127.209/citect/
  23. http://84.249.121.239/ord?station:|slot:/P$e4$e4valikko
  24.  http://62.145.177.187/secure/ltx_conf.htm
  25. http://132.181.40.6/index.cgi
  26. http://129.79.153.212/index.cgi
  27. http://155.185.12.221/index.cgi
  28. http://80.81.127.209/citect/   80.81.127.209” on 80.81.127.209:80. ********
  29. http://85.112.163.200/
  30. http://81.233.151.96/
  31. http://155.185.12.221/
  32. http://115.248.75.73/rtu.aspx
  33. http://scada.pln-jawa-bali.co.id/outofpoll.php
  34. http://bops.pln-jawa-bali.co.id/
  35. http://10.6.1.50
  36. http://scada.pln-jawa-bali.co.id/statusts.php
  37. http://174.122.136.226/~tsoepcg/WEB-SCADA/admin/index.php
  1. The city of South Houston has a really insecure system. Wanna see? I know ya do.
  2. http://i41.tinypic.com/ip0aa0.png
  3. http://i42.tinypic.com/eun021.png
  4. http://i42.tinypic.com/1znptuu.png
  5. http://i41.tinypic.com/2m6o0au.png
  6. http://i40.tinypic.com/k386ep.png
  7. http://www.mediafire.com/file/38m3pvwrc8ckh7s/HMI.zip
  8. http://134.30.92.26
  9. http://77.241.236.100/
  10. http://84.35.1.26/
  11. http://62.132.140.68/
  12. http://86.86.170.62/
  13. http://81.70.183.50/
  14. http://90.145.71.18/
  15. http://77.170.9.159/
  16. http://87.195.149.111/
  17. http://213.84.82.128/
  18. http://213.125.69.122/
  19. http://92.65.96.170/
  20. http://188.203.145.174/
  21. http://92.65.96.170/
  22. http://82.92.163.7/
  23. http://92.68.26.162/
  24. http://213.197.61.146/
  25. http://213.84.223.82/
  26. http://80.126.161.66/
  27. http://188.201.63.161/
  28. http://31.160.203.190/
  29. http://31.160.203.188/
  30. http://213.84.82.144/
  31. http://92.67.47.42/
  32. http://81.205.168.234/
  33. http://188.204.125.49/
  34. http://194.89.33.245/
  35. http://173.247.17.72 12
  36. http://87.195.111.115/Infra-web/Login/Login.aspx?ReturnUrl=%2finfra-web%2fDefault.aspx
  37. http://194.89.33.245/
  38. http://188.204.125.49/
  39.  http://77.170.59.44/
  40. http://217.120.152.182/
  41. http://212.142.22.198/
  42. http://129.125.15.55/
  43. http://62.163.194.70
  44. http://188.200.74.43
  45. http://130.161.143.224/
  46.  http://87.195.111.115/
  47. http://77.170.59.44/
  48. http://217.120.152.182/
  49. http://178.85.43.105/
  50.  http://212.199.70.171/login.php
  51. http://188.64.203.242/login.asp
  52. http://212.235.109.200
  53. http://212.235.68.46/login
  54. http://77.127.51.131/admingui/login.html
  55. http://194.150.219.139/console/login.asp
  56. http://81.218.96.38/login
  57. http://212.199.41.148/Templates/Admin/login.aspx
  58. http://80.250.154.152/login.asp
  59. http://194.150.219.139/console/login.asp
  60. http://192.116.222.44
  61. http://81.137.8.170/file/px/Honeywell%20House%20Metering.px
  62. http://165.154.50.20/ord?station:|slot:/HOME
  63.  http://173.181.202.83/ord?station:|slot:/HOME
  64. http://219.90.201.244/ord?station:|slot:/Drivers/HOME$20PAGE
  65. http://124.178.246.152/ord?station:|slot:/Home$20Page
  66. http://203.122.195.160/ord?station:|slot:/Guest
  67. http://81.149.155.83/ord?file:^px/Welcome.px
  68.  http://81.149.206.150/ord?file:^px/energysummation1.px
  69. http://81.94.198.175/file/px/Chillers.px
  70. http://81.136.189.235/ord?file:^px/Welcome.px
  71. http://85.189.244.242/file/Graphics/Px/Guest.px
  72. http://188.205.196.6/ord?station:|slot:/MS01|view:MS01hx
  73. http://206.47.97.8/ord?station:|slot:/HOME
  74. http://208.80.99.243/ord?station:|slot:/HOME

http://115.248.75.73/

http://209.130.196.15/water1.htm



Lab Notes

 

Keeping Access

 

TCP/IP MODBUS - ethernet.industrial-networking.com/articles/i15security.asp

Traditionally, network and security folks have focused virtually all our attention on the “enterprise” side of the network, ignoring the parallel “hidden” half of the network associated with process control systems and embedded systems.

Process control systems and embedded systems use different protocols, different jargon, and no one ever really mentioned them. They were out of sight and out of mind, and “handled” by hardware guys.

port 502/tcp -MODBUS/TCP

http://scadahoneynet.sourceforge.net

www.ethereal.com

SCADA Security Research Opportunities

http://www.instrument-middleware.org

120.124.6.25/broadWeb/bwview.htm


broadwin.com/

Broadwin WebAccess is web browser based HMI and SCADA software for industrial Automation. View and Control in Real-time using an ordinary Web browser.

http://120.124.6.25/broadWeb/

SCADA traffic will be on just one port such as 502/tcp (e.g., Modbus/TCP). This is both good and bad. The use of a single port (or just a couple of
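The note above makes the defender's point: because Modbus/TCP rides on a single well-known port (502/tcp) and carries no authentication of its own, the traffic is easy to isolate and watch, and the thing to watch for is a write request (coil or register) arriving from any host that is not a known engineering station. The following is an added example, not code from the page's author or from any of the linked projects: it decodes the Modbus/TCP MBAP header, validates the length field, and flags writes from unlisted sources. The MBAP layout and function codes are from the public Modbus/TCP specification; the allow-list and the sample frames (RFC 5737 test address for the stray host) are constructed.

```python
"""Modbus/TCP (502/tcp) frame decoder with a write-from-unlisted-host check.

Added example for this page, not code from the page's author or from any
project it links. The MBAP header layout and function codes follow the public
Modbus/TCP specification; the allow-list and sample frames are constructed."""

import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502

# Function codes that change process state. One of these arriving from a host
# that is not a known engineering workstation is the event worth alerting on.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Constructed allow-list: the only hosts expected to issue writes.
ENGINEERING_HOSTS = {"10.1.1.10"}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    unit_id: int
    function: int
    data: bytes


def parse_mbap(payload: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    'length' counts the unit id plus the PDU, so a well-formed ADU is exactly
    6 + length bytes long."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid}, expected 0 for Modbus")
    if len(payload) != 6 + length:
        raise ValueError(f"length field {length} does not match {len(payload) - 6} bytes")
    return ModbusFrame(tid, pid, uid, payload[7], payload[8:])


def is_well_formed(payload: bytes) -> bool:
    try:
        parse_mbap(payload)
        return True
    except ValueError:
        return False


def audit(packets):
    """packets: iterable of (src_ip, dst_port, payload) tuples.

    Returns one alert dict per write request from an unlisted host and per
    malformed frame; a bad length field on 502/tcp is itself worth a look."""
    alerts = []
    for src, dport, payload in packets:
        if dport != MODBUS_TCP_PORT:
            continue
        try:
            frame = parse_mbap(payload)
        except ValueError as exc:
            alerts.append({"src": src, "function": None, "reason": f"malformed frame: {exc}"})
            continue
        if frame.function in WRITE_FUNCTIONS and src not in ENGINEERING_HOSTS:
            alerts.append({
                "src": src,
                "unit": frame.unit_id,
                "function": frame.function,
                "reason": f"{WRITE_FUNCTIONS[frame.function]} from unlisted host",
            })
    return alerts


# Constructed sample traffic; bytes.fromhex() ignores the spacing used for readability.
SAMPLE_PACKETS = [
    # Read Holding Registers (fc 3), start 0, count 10, from the engineering host.
    ("10.1.1.10", 502, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Write Single Register (fc 6) to address 0x0010 from an unlisted host.
    ("192.0.2.44", 502, bytes.fromhex("0002 0000 0006 01 06 0010 ffff")),
    # Write Multiple Coils (fc 15) from the engineering host: allowed.
    ("10.1.1.10", 502, bytes.fromhex("0003 0000 0008 01 0f 0000 0008 01 ff")),
    # Traffic on another port is out of scope for this check.
    ("192.0.2.44", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_PACKETS):
        print(alert)
```

Fed from a capture on a span port or from a firewall in front of the control network, the same decoder gives you both halves of the "good and bad" above: a single port is trivial to filter and to log, and the function code tells you whether a session only reads or actually changes process state.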

http://www.robtex.com/dns/rtu.asia.html#records

http://my.epri.com/portal/server.pt?

http://www.pikeresearch.com/research/smart-grid/smart-grid-security


http://blog.tenablesecurity.com/2006/12/nessus_3_scada_.html

http://115.248.75.73/rtu.aspx

http://scada.pln-jawa-bali.co.id/outofpoll.php

http://bops.pln-jawa-bali.co.id/

http://10.6.1.50

http://scada.pln-jawa-bali.co.id/statusts.php

http://115.248.75.73/

San Francisco

http://209.130.196.15/water1.htm

San Francisco Water RTU 12


San Francisco Water. Pump Station 12. Rate -Pump 1. Rate -Pump 2. Tank Level. RTU Status. Pump Control /Alarms. MBP Statistics · RTU Home Page.

China :

http://www.echocontrol.com/en_typical/253.asp

RTU on the radio station side, PLC / DCS in the control room, and two fiber links in between.

The largest or most complex systems differ from sector to sector; here is a typical example of a SCADA system:

A desert oilfield SCADA system, covering everything from the secondary instruments to the oil extraction plant control room, completed with one company’s products.

This project is located in the eastern Junggar Basin, Xinjiang, 80 km into the Gurbantünggüt Desert, with sand cover 200 m to 300 m thick, annual temperature variation from -45 °C to 42 °C, and a maximum surface temperature on the working platform of up to 60 degrees. The field is 16 km long and 8 km wide. There are about 17,200 I/O points, two control rooms, 34 PLC stations, one DCS station and 478 RTU stations.

This should be the most typical case. Some systems have a thousand or more nodes but fewer I/O points.

# RSpec controller example as it appeared in the notes (Rails 2/3-era syntax):
# creates three organizations in the SCADA domain and checks that the search
# action finds them. Curly quotes have been replaced with straight quotes so
# the snippet parses; the models and routes it refers to are the app's own.
it "should search all" do
  industry = Industry.create(:name => 'Pickle')
  country  = Country.create(:name => 'Coffee')
  gis      = Domain.find_by_name('GIS')
  wireless = Domain.find_by_name('Wireless')
  scada    = Domain.find_by_name('SCADA')
  tag = Tag.create(:name => 'zomg!!!!')
  @org1 = Organization.create(:name => 'foo org', :domains => [gis, wireless, scada], :industry => industry, :country => country, :tags => [tag])
  @org2 = Organization.create(:name => 'foo two', :domains => [gis, wireless, scada], :industry => industry, :country => country, :tags => [tag])
  @org3 = Organization.create(:name => 'foo xxx', :domains => [gis, wireless, scada], :industry => industry, :country => country, :tags => [tag])
  @org1.should be_valid
  @org2.should be_valid
  @org3.should be_valid
  results = {:organizations => [@org1, @org2, @org3]}
  params = { :keywords => "foo", :domains => [gis.id, scada.id, wireless.id], :models => ["organization"] }
  put "create", params
  response.should render_template(:create)
  flash[:notice_organizations].should_not == "No Corporation Found"
end

port number is 6722



www.broadwin.com.tw/…/WebAccess_ … - Translate this page


<GOTO>URL=http://192.168.200.220/broadweb/bwview.htm. <GOTO>URL=http:/ /192.168.200.220/broadweb/bwview.htm#proj=AHC2001. #proj=AHC2001

 

“SCADA and Industrial Automation Security,” http://www.scadasec.net/

“SCADA Security Blog”

http://www.digitalbond.com/SCADA_Blog/SCADA_blog.htm

“SCADA Gospel Archives (edited archives of the SCADA mailing list)”
http://members.iinet.net.au/~ianw/archive/book1.htm

“21 Steps to Improve the Cyber Security of SCADA Networks,”

http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf

“Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems”

http://www.gao.gov/new.items/d04354.pdf

“Myths and Facts Behind Cyber Security of Industrial Controls”
http://www.pimaweb.org/conferences/april2003/MythsAndFactsBehindCyberSecurity.pdf

Cisco’s “Integrating IT and Control System Security”

http://www.scadasec.net/local/37

modbus.org

protocols:

Ethernet - TCP/IP - Windows - RPC - SMB - 802.11b - HTTP/HTTPS - ASCII - Unix/Linux/Solaris - TFTP - SQL - OPC - PLC - RTU - Modbus - IEC 60870 - ICCP - HMI/MMI - S5/S7 - Fieldbus - IED - TASE.2

ANSI X3.28 - BBC 7200 - CDC Types 1 and 2 - Conitel 2020/2000/3000 - DCP 1 - DNP 3.0 - Gedac 7020 - ICCP - Landis & Gyr 8979 - Modbus - OPC - ControlNet

DeviceNet - DH+ - ProfiBus - Tejas 3 and 5 - TRW 9550 - UCA

OPC-DA, OPC-DX, OPC-A&E, OPC-HDA

Ethernet

SCADA & CS Components

• Sensors and Field Devices

• RTU - Remote Terminal Unit or Remote Telemetry Unit

• IED - Intelligent Electronic Device

• PLC - Programmable Logic Controller

• FEP / Protocol Pre-processor - Front End Processor

• HMI / Operator Console - Human Machine Interface

• PCS - Process Control System

• DCS - Distributed Control System

• SCADA - Supervisory Control and Data Acquisition

• EMS - Energy Management System

 

http://www.elp.com/index.html

From Stephen Scott Wright’s presentation on critical infrastructure attacks, which was part of an old presentation I put together titled “Today was forty years in the making..” Note: this is not by any means all of them.

1. Foreign intelligence service inserts malicious software into the Siberian pipeline SCADA system and causes an explosion with an estimated 3 kiloton yield.

2. Former Chevron employee disables their alert system in 22 states.

3. Hacker breaks into the Roosevelt Dam SCADA flood system.

4. Teenager hacks into NYNEX and cuts off Worcester airport for 6 hours, affecting ground and air communications.

5. Bellingham, WA gasoline pipeline SCADA failure resulting in 3 deaths.

6. Hackers gain control of the GAZPROM natural gas pipeline.

7. Insider attack on a sewage SCADA system in Australia results in 1 million gallons of raw sewage being released.

8. USA Northeast power system blackout believed to be caused by a SCADA attack.

9. CSX train signaling system attacked by the Sobig virus.

10. Auto plants attacked by the ZOTOB worm.

11. Unit 3 of the Browns Ferry nuclear plant shut down due to a cyber incident.

12. Insider attacks a California canal SCADA system.

13. Hatch Nuclear Plant emergency shutdown due to a cyber incident.

14. DC Metro crash due to ATP failure; NTSB cites “parasitic oscillations and unintended signal paths”.

15. Insider attack on a US hospital SCADA system.

01/4/12

China U.S. Cyber War Coming


gAtO sAy - the lack of trust between Washington and Beijing looks only likely to grow. Stuxnet was the first real cyber weapon that has been deployed by nation-state actors, and if you think that China does not see the threat, we all need to wake up. Just a few months ago the U.S. made public (announced to the world) that their SCADA software (Sunway) has a number of security holes. They could have mentioned it quietly and confidentially. This was a slap in the face to the Chinese, at the height of the Lulz/Anonymous hackings.

gAtOmAlO - China U.S. Cyber War

Now if you were China and you knew that America and/or Israel created Stuxnet, and now they have the son of Stuxnet, “the DuQu virus” (2nd generation), and we told them that their SCADA is full of holes, wouldn’t you start to beat your chest and bang the drums of cyber warfare, screaming that everyone is hacking China too? (True, the U.S. alone is conducting cyber testing of weapons every day.)

Let look at this Cyber Warfare thingy.

Offense and defense in cyber war have distinct characteristics, and they change frequently. Offensive technologies include computer viruses, DDoS (type), EMP bombs, microwave bombs, and computer and microchip backdoors.  For defense, there are network scanners, network wiretapping devices, password breaking devices, electromagnetic detectors and firewalls, and anti-virus software. IMHO -Let me throw these few things out-

https://chinacyberwarfare.wordpress.com/

**__“China also need us as a consumer of their exports, as we are the biggest single market in the world.” — This statement is not really true anymore__**

This is were Americans are dead wrong, it used to be that way but as other countries like the BRIC countries have been growing they themselves have produced what “Mr Henry Ford” did create a middle class that can buy it’s own goods and service. As your people come out of the plow and into a smartphone working at the Apple I-Pad factory they learn, more and more. The Chinese are getting tried of being the cheap labor market and the corruption of the communist party to embrace capitalism is changing their minds quickly.

The sad facts are that while we (America) have been at war for the last 10 years China has been building business relations with every country it can. Money talks and they have made some solid moves. Take the biggest IPO this coming year “FACEBOOK” China has band Facebook from China but they are making a big deal in buying Facebook stocks with Glodman S. The US is looking into this and trying to stall it but, when they buy a let’s say 10% share then they will make Facebook available to the Chinese and WAMO add 50-100 million onto Facebook and that stock will be golden.

As to all the hacking that China has done last year alone, we cannot do a thing, not because we can’t, but because the relationship that we have with China is economic, and they’ve got us by the short hairs there.

I compiled this bit of info that may open eyes: United States-China Economic and Security Review Commission

https://chinacyberwarfare.wordpress.com/2011/09/14/united-states-china-economic-and-security-review-commission-2/

We threw China a message a while back by exposing the weak links in their SCADA systems:

https://chinacyberwarfare.wordpress.com/2011/07/24/critical-infrastructure-vulnerable-to-holes-in-chinese-scada-software-threatpost/

And let’s not forget one of my heroes of 2011, Dillon Beresford. He took on China and found out that they were wide open. I followed and verified some of his findings and found even more open doors. You see, the culture in China is all about saving face. You may have done bad work, but when your boss disgraces you, you move and fix the problem, or at least you think you fixed it; the pool of educated security people in China is so low that they can’t, so their defenses are down today.

https://chinacyberwarfare.wordpress.com/2011/07/30/glass-dragon-chinas-cyber-offense-obscures-woeful-defense-threatpost-2/

- China and the US will be at war in 2012; just how bad it’s going to get, we’ll see. That’s my 2 cents

gAtO tHiNk – China and Russia will use Iran as a proxy to get what they want, and in so doing they will train and arm Iranians with the needed infusion of technology and education. They do have oil, and China especially needs it to make sure of its growing economy.

Let me add N. Korea to this mix because of the close ties with China. In N. Korea the new leader, the son of the father, will have to show the world where he stands as a show of power. Better yet, if Obama gets N. Korea to open up a bit, it would be a political move that could help him in the elections this year. Kim Jr. could open N. Korea to the world and make it better for its people, or they could take the hard line with China’s support. They could be another proxy for China or Russia.

Both Iran and N. Korea claimed a new super cyber army recently, and that was a message to the world: cyber warfare will come, ready or not… gAtO oUt -

08/5/11

Cyberspace Has Morphed Into Physical Destruction of a Nation’s Resources.

Mr. Cofer Black (CIA), keynote speaker at Black Hat 2011, ties in the (Land- Sea- Air- Space- Cyber-) with (Chemical- Bacteriological- Radiation- Nuclear- Cyber-) in a world that has morphed into physical destruction of national resources via cyberspace. He also warns about the decision makers: “They didn’t understand it”. In today’s world that’s scary.

While this is going on, we find out that Mr. Beresford (security researcher) is playing with PLCs & Stuxnet and found: “Hard-Coded Password (Bisisk), an Easter egg with dancing chimpanzees, and Other Security Holes Found in Siemens Control Systems”. The program that killed Iran’s nuclear program for a few years worked because the Siemens control PLCs have no security to speak of.

This is the same equipment that Lockheed (which got the Smart Grid Security contract last week) would use to turn a transformer off or on from their cyber control center, and so can the bad guys. We’re in big trouble, people.

We as Net-Citizens need to understand the transformation that technology is making to our physical infrastructure. These industrial control systems will become our building blocks to automate and generate real-time reports from isolated, geo-located equipment like pumping stations on the remote Alaskan pipeline. With a satellite and a computer connected to cyberspace, a company can turn the pump on or off in real time. This saves millions of man-hours sending a crew to check on a pump in bad weather. These PLC devices can be installed in hazardous environments like nuclear plants and undersea pumps on an oil rig.

We need to make sure that proper cyber security is applied to these devices when the government installs them in public projects. Even a simple water treatment plant in a small town can be hacked, and the town will get sick, because they did not know where to get the proper security baseline needed to protect these infrastructure assets.

We need better coordination among cities, towns, states, and federal cyber security standards for our basic infrastructure. Imagine some nation taking control of our traffic lights during rush hour in New York or DC. Imagine if it’s a 16-year-old kid grounded in his room with a laptop. We need to work together and apply the best solutions, not the politically connected solution: the right solution by the right people with the proper cyber security savvy.

My 2© cents – gatoMalo_at_uscyberlabs_dot_com

http://USCyberLabs.com/blog/

http://ChinaCyberWarfare.wordpres


Read more: http://www.informationweek.com/news/government/security/231300137
