Pages

Monday, January 28, 2013

ICS Security Analysis — New Pentest Tools

Industrial system (ICS/SCADA) security is a modern trend in information security. However, there is always a shortage of specialized tools for pentest or audit of ICS security. This article covers the latest publications, utilities, and presentations of Positive Technologies experts — all this will help you to ensure industrial system security..

Theory To Start With

Understanding of real threats is the core for any information security project. To ease this task, Positive Technologies experts assisted by the community http://asutpforum.ru undertook a large-scale study of the ICS systems (ICS/SCADA), the results of which are available here: http://ptsecurity.com/download/SCADA_analytics_english.pdf

Two Stories Of The Same Pentest

One of the problems of modern ICS is large-scale integrated projects related to MES construction and integration with business systems such as ERP. The report "From ERP to SCADA. Back and Forth. Two Stories of the Same Pentest" [ru] exemplifies what such projects can result in if they do not comply with security requirements.

ICS/SCADA/PLC Google/Shodanhq Cheat Sheet

Statements that industrial control systems are available via the Internet are usually taken with skepticism. A tool, which allows estimating a threat by yourself, has been published recently. Take notice that devices and systems provided in this list are all enterprise-level systems and will hardly be used to control fridges and microwaves.



The following video demonstrates what ICS availability via the Internet can result in:



Attention! Do not try to repeat it at home. A vulnerable system can control a very important object, and if it is handled carelessly it may cause damages. If all of a sudden you have detected an ICS available via the Internet, contact its owner or Computer Emergency Response Team, who can eliminate this flaw.

Contact GOV-CERT.RU if dealing with the systems of Russia, with regional CERT such as ICS-CERT if dealing with international systems.

Anonymous, judging by their Twitter, have already considered this tool, and it scares a little bit.



PLCScan

This open-code utility allows detecting devices interacting via the S7comm or Modbus protocols in a system. When a device is detected, PLCScan tries to obtain information about its vendor, type, installed modules, and etc.


Demonstrating video:



The utility is available here:  https://code.google.com/p/plcscan/.

WinCC Harvester

Metasploit WinCC Harvester can be used when access to SCADA WinCC has been obtained to collect additional information about a project, users, and controllers connected to a system.

Demonstrating video:



The utility is available here: https://github.com/nxnrt/wincc_harvester.

Siemens SIMATIC WinCC 7.X Security Hardening Guide

A checklist can be used for WinCC configuration in accordance with security requirements and for system security assessment in the course of audits.


If a lot of systems are assessed, the procedure can be automated as in case of MaxPatrol.



Siemens WinCC / S7 Under The X-ray

SCADA Security Scientific Symposium held in Miami on January 16-17 saw the report of Positive Technologies experts related to the results of Siemens WinCC/S7 security research. The report also covered SIMATIC WinCC/WinCC Flexible/TIA Portal and S7 PLC; from a network stack to an application, from a system architecture review to firmware reverse engineering. Sergey Gordeychik, Gleb Gritsay, and Denis Baranov considered almost 50 zero-day vulnerabilities and released a checklist for the configuration of WinCC Flexible 2008.



S7 password offline bruteforce tool

During the report the experts of Positive Technologies provided also a utility, which can be used to test S7 password strength in the course of audits and pentests.

The utility is available here: http://pastebin.com/0G9Q2k6y.

3 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. This comment has been removed by the author.

    ReplyDelete