employee Industrial CyberSecurity Mission Centric Approach Sergey Gordeyhcik SCADA StrangeLove Research Team WWW.SCADA.SL Group of security researchers focused on ICS/SCADA Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Roman Polushin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Sidorov Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko to save Humanity from industrial disaster and to keep Purity Of Essence CYBERSECURITY? INDUSTRIAL CYBERSECURITY Functional Safety and Reliability Industrial Safety Information Security The secrets of cybersecurity, Valentin Gpanovich, Efim Rozenberg, Sergey Gordeychik . Railway Strategies, Issue 130 https://issuu.com/schofieldpublishingltd/docs/railway_strategies_issue_130_june_2 THREATS? THREATS? http://news.sky.com/story/four-cyber-attacks-on-uk-railways-in-a-year-10498558 https://www.theguardian.com/technology/2016/jan/07/ukrainian-blackout-hackers-attacked-media-company INTERCONNECTED WORLD 32C3, Hamburg, The Great Train Cyber Robbery 220,558 ONLINE, 17,042 IN ENTERPRISES https://securelist.com/analysis/publications/75343/industrial-cybersecurity-threat-landscape/ ICS ONLINE: CHINA ICS ONLINE: CHINA http://plcscan.org/blog/2016/03/census-scanning-from-siemens-s7-plc-cpustatus/ GREATER CHINA ~10,000 OF “SMART” POWER GRID OBJECTS • GREEN ENERGY • SMART GRID • DIGITAL SUBSTATIONS 121,000 KM OF RAILWAYS • 19,000 KM OF HIGH-SPEED LINES • HIGHLY AUTOMATED • NATIONAL HIGH-SPEED RAIL GRID (4+4) DIGITAL SUBSTATION TAKEOVER CTF-STYLE WHITE HAT INDUSTRIAL CHALLENGE http://www.phdays.com/press/news/41213/ DIGITAL SUBSTATION TAKEOVER: GOALS • • • FIND VULNERABILITIES IN IEC-61850 SUBSTATIONS CREATE EXPLOIT TRIGGER CYBER-PHISICAL ATTACK Relay Protection http://www.phdays.com/press/news/41213/ VULNERABILITIES IN RELAY PROTECTION REMOTE CODE EXECUTION? • • • • • to get firmware? to get debug symbols? to debug? ..PowerPC no “operation system” CONFIRMATION CODE “311299” To access this information, the confirmation code “311299” needs to be provided when prompted." ...Siemens does not publish official documentation on these statistics. It is strongly recommended to work together with Siemens SIPROTEC customer care or commissioning experts to retrieve and interpret the statistics and test information..." DEVICE MEMORY http://scadastrangelove.blogspot.com/2015/12/now-declared-capabilities.html CODE REUSE Linux VxWorks 6.x 61850 Stack Misfortune Cookie SSH server Kudos @repdet @k_v_Nesterov @samincube