" EAST framework vs SCADA Software. ICS Attack Approaches " Yuriy&Nikolay Gurkin Gleg ltd Http://Eastfw.com 1. About contents 2. SCADA Pentesting software overview. East countries national aspect. 3. EAST framework 4 SCADA SEC — Architecture, functionality. 4. Typical SCADA vulns illustration. WinCC, IGSS etc... 5. «0Day»for IGSS SCADA. Full pwn via xml injection. 6. «0Day»for Kingview SCADA. Relatively new vector of attack — projects infection. Works were headed by Gleg team. On the sec and exploit research market Gleg has been working since 2004. 1. About Information Security Research in: SCADA Medical Type of Software Defence Web What is SCADA SCADA Supervisory Control And Data Acquisition SCADA RTU HMI PLC etc. What is SCADA SCADA Supervisory Control And Data Acquisition SCADA Factory Controllers soft Human Machine Interface 2. Pentesting Tools West Source A BigOpen Question is pentest – Whichtools security software to choose for ICS pentest if take in account national country's aspects ?! frameworks West pentest Availability, Trust, Origin, Reliability Most known open-source & commercial PenTest demands. tools: Metasploit (partly open-source. US) Please have a Rapid7 look to our approach CoreImpact, Canvas, Metasploit (commercial. All US) to this. All from US. => many 0-Day`s vulns and knowledge are available FIRST for US anyhow... is this ok for East countries? Some thoughts about common SEC software: E.g. : For governmental structures in Russia (including learning and edu !) Bureau of Industry and Security approval is needed. => time and cost For commercial — depends on... Delivery — sometimes several monthes Some products are not delivered at all to some markets (e.g. Core Impact) No garantie from backdoors or «hiding» of info So, it is good to: Have national standards for Sec Admins, CSO, Pentesters Develope and use more national and partner countries tools and soft More info exchange, conferences, seminars etc. 
Sec department for large companies or gov structures Ready for interaction with other countries. Security is international, but don't forget national interests... Conclusions. What do we need for SCADA Security? Trusted code ( national researchers and companies, verified code!) Ability to study, learn, develope 24/7 for all national and partner entities Most interesting and critical 0-day`s knowledge first for national partner and open-source frameworks... Free development of software and tools Equal conditions with partners in other countries Unrestricted knowledge exchange EAST framework for SCADA pentesting! Spaceship East ( «Vostok») ... were made in USSR... Same like EAST framework — for piecefull progress Let's proceed to second part. Functionality and Arch: 3. EAST — Exploits And Security Tools framework for SCADA pentesting So, our approach is to use EAST for SCADA pentesting and exploits development Let's have a look to Architecture, Functionality, Features etc. Architecture •Programming language - Python •Crossplatform •Modules interaction struct •API •GUI and console both remote All made SIMPLE to max extent! Architecture GUI • WebSocket interaction between modules, core, webserver and webclient. •Ability to correct modules «on the fly» •Fast reboot, fast operation Functionality EAST framework allows to develope modules like tools, exploits, fuzzers, scanners and so on. Currently: •3 types of shellcodes (message, reverse, command). •5 types encoders. • Troyan and executables of small size. • Classes for web vulns. Comparison Comparison EaST Core + - - -/+ Code verified (no backdoors) 100% 0% 50% 50% Lessons and learning docs( in english) +/- - - + Modules and packs available (exploits, tools etc..) -/ «+» + + + Simple to learn and use Canvas Metasploit SCADA exploits illustrated with the help of EAST Framework Log & Event Manager normalizes logs so your rules and reports work regardless of the source. 
For example, see all logon failures regardless of the original log structure. Soft • Solarwinds Log and Event Manager Type • Remote Code Execution CVE • public Attack • Solarwinds Log and Event Manager XML injection resulting in arbitrary code exec. SCADA exploits illustrated with the help of EAST Framework Solarwinds Log and Event Manager RCE. East framework module sample. WinCC Dos with EAST Framework SIMATIC WinCC - The scalable and open SCADA system for maximum plant trans
2016 - Yuriy & Nikolay Gurkin - EAST framework vs SCADA Software