<?xml version="1.0" encoding="ISO-8859-1" ?>
<rss version="0.91">
<channel>
<title>SCADAhacker - Latest News and Updates</title>
<link>http://www.scadahacker.com</link>
<description>ICS and SCADA Cyber Security for Critical Infrastructure Protection</description>
<language>en-us</language>

<item>
<title>SCADAhacker adds Dashboard of Global Cyber Threats</title>
<link>http://www.scadahacker.com/dashboard.html</link>
<pubDate>Thu, 13 Sep 2012 11:00:00 CDT</pubDate>
<description>
SCADAhacker has added an embedded site page that provides a direct link to the dashboard 
provided by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the 
Center for Internet Security (CISecurity).
</description>
</item>
<item>
<title>New Video Resource from Gleg on SCADA+ Pack for Immunity Canvas</title>
<link>http://www.scadahacker.com/howto.html</link>
<pubDate>Mon, 10 Sep 2012 09:00:00 CDT</pubDate>
<description>
A useful video library on Vimeo has been added which provides tutorials and 
demonstrations on the SCADA+ Professional Pack for Immunity's CANVAS.

Additional links added to the How-To and Metasploit for SCADA pages of the site.
</description>
</item>
<item>
<title>Tools: Backtrack 5 R3 added to Security Tools Available</title>
<link>http://www.scadahacker.com/tools.html</link>
<pubDate>Thu, 6 Sep 2012 16:30:00 CDT</pubDate>
<description>
The Tools page has recently been updated with mirrors of the various Backtrack 5 R3 
images released by Offensive Security on August 13. This site provides an alternative download 
mechanism, and the mirrored images are confirmed by MD5 hash to be the same as those available on 
the Backtrack-Linux website.
</description>
</item>
<item>
<title>Siemens joins SCADAhacker Technology Partners for Advanced Training</title>
<link>http://www.scadahacker.com/training.html</link>
<pubDate>Thu, 6 Sep 2012 06:45:00 CDT</pubDate>
<description>
SCADAhacker is honored to have added Siemens to the list of Technology Partners who support 
the new course offering that focuses not only on understanding industrial control systems, 
but also on implementing strong security controls to better defend these systems.

Siemens joins a distinguished list of industrial security leaders including:

  - AlienVault
  - Certes Networks
  - Secure Crossing
  - Tenable Network Security
  - Tofino (Hirschmann/Belden)
  - Waterfall Security Solutions

Each of these vendors provides a unique offering to strengthen the security posture of any ICS, 
and each is covered in detail through the training curriculum. Interested students are also offered 
hands-on time with these products.

Training is offered throughout the year, so check the schedule for the next course offering. Private, 
on-site courses are also available upon request.
</description>
</item>
<item>
<title>SCADAhacker to Speak at ICSJWG 2012 Fall Meeting</title>
<link>http://www.us-cert.gov/control_systems/icsjwg/2012/fall/index.html</link>
<pubDate>Thu, 6 Sep 2012 06:30:00 CDT</pubDate>
<description>
The preliminary agenda for the upcoming Fall 2012 ICSJWG Meeting in Denver, CO at the 
Grand Hyatt Hotel has been recently released. This is a no-cost conference that brings 
together leading ICS cyber security professionals from government and private sectors including 
end-users, ICS vendors, system integrators, and security researchers.

The conference begins on Monday, October 15 with various sub-group meetings, and kicks off on Tuesday 
with the general session. On Thursday, DHS will be offering their Intermediate course on cyber 
security for ICS, as well as hosting the International Partners Day.

SCADAhacker will be presenting a paper on the use of IP addressing schema to address the 
fundamental requirement of network segmentation that is necessary to not only improve performance, 
but also contain network exposure in the event of a cyber event.

This is one of the best conferences in the industry, and if you plan to attend, I would enjoy 
meeting and talking with you.
</description>
</item>
<item>
<title>ISA99 Releases DRAFT Work Products to the Public</title>
<link>http://h4ckr.us/ISA99d</link>
<pubDate>Thu, 6 Sep 2012 06:30:00 CDT</pubDate>
<description>
from Eric Cosman - ISA99 Co-Chair - sent Sept. 5, 2012

Members of ISA99;
 
We are often asked for copies of or access to the various work products (standards, technical 
reports) under development by the committee. As you may know, while such documents are in development 
they are made widely available, consistent with ISA's status as an open standards development 
organization. However, it is important that such works in progress be clearly marked as such so that 
readers do not assume that they are completed and approved by ISA.
 
To meet this need we have created special watermarked PDF copies of those work products that are 
available in some draft form, and placed them on the public facing committee Wiki site (http://isa99.isa.org).
 
The specific link is http://isa99.isa.org/ISA99%20Wiki/WP_List.aspx, which will display a tabular 
list of work products, including description, work or task group affiliation and a link to a 
working draft. These drafts will be updated from time to time as progress is made on the content. 
You are encouraged to use this information to learn more about the progress of the committee and 
perhaps choose to get involved with one of the work or task groups.
</description>
</item>
<item>
<title>Cyber Security for Industrial Control Systems</title>
<link>http://www.automationworld.com/security/cyber-security-industrial-control-systems</link>
<pubDate>Fri, 27 Jul 2012 14:10:00 CST</pubDate>
<description>
If you were not able to attend The Automation Conference in Chicago May 22-23, the folks at Automation World have posted most of the session presentations, 
including my presentation entitled "Cyber Security for Industrial Control Systems".
</description>
</item>
<item>
<title>Hurry and Register Now ... space is limited for upcoming "Securing ICS" training in Green Bay</title>
<link>http://www.scadahacker.com/training.html#adv</link>
<pubDate>Thu, 26 Jul 2012 16:35:00 CST</pubDate>
<description>
New course material to include a copy of the recently released book by Tyson Macaulay and Bryan Singer entitled "Cybersecurity for Industrial Control Systems".
</description>
</item>
<item>
<title>New ICS-CERT Twitter Widget now on SCADAhacker Home page</title>
<link>http://www.scadahacker.com/</link>
<pubDate>Thu, 26 Jul 2012 16:40:00 CST</pubDate>
<description>
A new widget has been added to the SCADAhacker Home page to include the latest Twitter tweets from ICS-CERT ... this is an excellent source of current information 
relating to Alerts, Advisories, and News.
</description>
</item>
<item>
<title>ICS-CERT Publishes Incident Response Summary Report</title>
<link>http://www.scadahacker.com/files/reference/ICS-CERT%20Incident%20Response%20Summary%20Report.pdf</link>
<pubDate>Thu, 28 Jun 2012 16:00:00 CST</pubDate>
<description>
The ICS-CERT has published a comprehensive Incident Response Summary Report to provide a summary of cyber incidents, 
onsite deployments, and associated findings from the time ICS-CERT was established in 2009 through the end of 2011.  
</description>
</item>
<item>
<title>Hotel Details Confirmed for ICS Cyber Security Courses in Chicago</title>
<link>http://www.scadahacker.com/training.html</link>
<pubDate>Tue, 17 Apr 2012 13:15:00 CST</pubDate>
<description>
Both courses in May will be held at the Hilton Rosemont/Chicago O'Hare. Rooms can 
be booked either by calling Hilton Reservations or on-line by clicking here. Enter 
Group Code CAD for the 5-day Advanced course and AUTO for the 1-day Intro course to receive 
a negotiated room rate of $139/night. Free transportation is provided within a 5 
mile radius of the hotel, including to/from Chicago O'Hare International Airport (ORD).
</description>
</item>
<item>
<title>Webcast Recording Available: Future of Securing Industrial Endpoints</title>
<link>http://scadahacker.com/resources/webinar-120216-endpoints.html</link>
<pubDate>Wed, 22 Feb 2012 16:30:00 CST</pubDate>
<description>
Control systems are critical to the safety, performance and availability of the national power 
grid, pipelines and other critical infrastructures. These critical points of control must be 
forcefully protected at all times - but the systems have some unique operational realities that 
must be considered.

On February 16, 2012, an expert panel, led by Joel Langill "the SCADAhacker", held a webcast 
that featured an interactive discussion about the future of critical infrastructure attacks 
and how to effectively combat them. Mr. Langill was joined by Walter Sikora, Vice-President 
of Security Solutions at Industrial Defender, and Selim Nart, Vice-President of Professional 
Services at CoreTrace.
</description>
</item>
<item>
<title>Cybersecurity Act of 2012 (Senate Bill)</title>
<link>http://www.scadahacker.com/files/reference/cybersecurity-act-2012-final.pdf</link>
<pubDate>Fri, 17 Feb 2012 07:45:00 CST</pubDate>
<description>
There is much debate between Senate Republicans and Democrats on the wording of this new bill 
submitted by Senators Lieberman, Collins, Rockefeller and Feinstein around who will have control 
and how this will be funded - both public and private components.

McCain and his colleagues oppose the current bill on the grounds that it would give the 
Department of Homeland Security regulatory authority over private businesses that own and 
operate critical infrastructure systems and that it doesn't grant the National Security 
Agency, a branch of the Defense Department, any authority to monitor networks in real-time 
to thwart cyberattacks.

View the bill and be sure to contact your Senators to express your views.
</description>
</item>

<item>
<title>SCADAhacker Formally Releases details for first Advanced SCADA Security Course</title>
<link>http://www.scadahacker.com/training.html</link>
<pubDate>Tue, 14 Feb 2012 09:10:00 CST</pubDate>
<description>
The first dates for the new "Understanding and Securing Industrial Control Systems" course 
have been announced, and a registration link is now available. This course will be held in 
Chicago, May 14-18.

In addition, a new 1-day course entitled "Introduction to Cyber Security for Industrial Control 
Systems" has also been added to the curriculum. This course will be offered the day before The 
Automation Conference in Chicago at the Hilton O'Hare on May 21. Additional courses will be made available 
on demand, or can be scheduled on-site.
</description>
</item>

<item>
<title>Project Basecamp MSF Modules added to Metasploit Modules for SCADA Reference</title>
<link>http://scadahacker.com/resources/msf-scada.html</link>
<pubDate>Tue, 14 Feb 2012 09:00:00 CST</pubDate>
<description>
Following the release from Digital Bond of the exploit modules from the Project Basecamp work at S4, 
the following new modules are now available for Metasploit in advance of the scheduled SVN update:

- Koyo/DirectLOGIC ECOM Bruteforce
- Rockwell Automation ControlLogix Ethernet/IP
- Schneider Modicon Quantum Credential Disclosure

These modules can be manually added to the modules/exploits/windows/scada directory and incorporated 
directly into the framework.
</description>
</item>

<item>
<title>DigitalBond's S4 Video Channel added to SCADAhacker Lineup</title>
<link>http://scadahacker.com/howto.html#feeds</link>
<pubDate>Thu, 9 Feb 2012 20:05:00 CST</pubDate>
<description>
The folks at Digital Bond have done a great job of providing high-quality videos of the 
impressive sessions from the recent S4 conference in Miami. Their video channel on Vimeo 
has been added to the lineup of video sources available in the Resource - How-To section 
of the website.
</description>
</item>

<item>
<title>UPDATED: ICS Cyber Security Training Course</title>
<link>http://www.scadahacker.com/training.html</link>
<pubDate>Thu, 9 Feb 2012 19:30:00 CST</pubDate>
<description>
Support for the course continues to climb, and several vendors have been gracious enough 
to provide some of the latest equipment and technology that is emerging to help protect 
industrial control systems from past, present and future threats.

Course development is proceeding, and the material is really taking shape. Dates should 
be finalized by mid-March.
</description>
</item>

<item>
<title>SCADAhacker to host webinar "The Future of Securing Industrial Endpoints"</title>
<link>http://www.scadahacker.com/</link>
<pubDate>Tue, 7 Feb 2012 18:30:00 CST</pubDate>
<description>
Control systems are critical to the safety, performance and availability of the national power grid, 
pipelines and other critical infrastructures. These critical points of control must be forcefully 
protected at all times - but the systems have some unique operational realities that must be considered.

Please join an expert panel, led by Joel Langill "the SCADAhacker", for an interactive discussion 
about the future of critical infrastructure attacks and how to effectively combat them. Mr. Langill 
will be joined by Walter Sikora, Vice-President of Security Solutions at Industrial Defender, and 
Selim Nart, Vice-President of Professional Services at CoreTrace.

During the session, the panelists will discuss:

- The future of malware attacks: targeted, purpose-built blended threats that easily bypass 
traditional antivirus, e.g., Stuxnet.
- Why traditional, reactive endpoint security offerings are ineffective against modern malware 
and exploits.
- The future of industrial endpoint security: proactive, defense-in-depth protection powered by 
application whitelisting.
- Case Study: How one company went beyond simple "check box" compliance to truly increase the 
overall security of its critical infrastructure.
</description>
</item>

<item>
<title>Virtual Summit: The Future of Securing Industrial Endpoints</title>
<link>http://www.smartgridobserver.com/langill-abstract.htm</link>
<pubDate>Tue, 24 Jan 2012 13:35:00 CST</pubDate>
<description>
In the year since Stuxnet first struck, cyber security has become a critical concern for 
utilities. Securing the emerging smart grid must be an end-to-end, architectural undertaking 
built into all facets of IT, OT, ICS, communications and infrastructure. Introducing 
intelligence and two-way communication into the utility network means opening the door 
to vulnerability, and utilities must proceed with caution.

Organized by The Smart Grid Observer, the one day, 100% online Smart Grid Cyber Security 
Virtual Summit features a series of in-depth presentations designed to examine the very 
latest technologies, deployment strategies, best practices, and lessons learned in making 
smart grid security a reality.

SCADAhacker will be moderating a Discussion Panel entitled "The Future of Securing 
Industrial Endpoints" with Selim Nart (Vice-President, Professional Services, CoreTrace) 
and Walter Sikora (Vice-President, Security Solutions, Industrial Defender). This 
interactive discussion will talk about the future of critical infrastructure attacks 
and how to combat them, including a look at how one utility went beyond simple NERC 
CIP "check box" compliance to truly increase the overall security of its critical 
infrastructure.

Click here to learn more about the Summit, including an Overview and detailed Agenda.

The 100% online format of the Smart Grid Cyber Security Virtual Summit enables industry 
professionals from around the world to attend sessions easily and conveniently. Powered 
by the Cisco WebEx platform, the live format of the Virtual Summit ensures maximum 
interaction among attendees and presenters, for a unique, cost-effective, and in-depth 
networking experience. 
</description>
</item>

<item>
<title>Webcast: NERC Issues CAN-0024: Guidance for Unidirectional, Routable Communications</title>
<link>http://scadahacker.com/files/presentations/CAN-0024%20-%20Waterfall-Encari-SCADAhacker%20Webinar%202012.pdf</link>
<pubDate>Tue, 24 Jan 2012 13:20:00 CST</pubDate>
<description>
Today, Andrew Ginter (Waterfall Security), Mark Simon (Encari), and Joel Langill (the SCADAhacker) 
held an informative webinar on the NERC's recent release of the Compliance Application Note (CAN) 
CAN-0024 regarding the use of unidirectional communications and its impact on the classification 
of cyber assets.

A recording of the webcast will be available shortly.
</description>
</item>

<item>
<title>Added New GE D20 PLC Metasploit Modules Presented at S4</title>
<link>http://www.scadahacker.com/resources/msf-scada.html#scadamsf</link>
<pubDate>Thu, 19 Jan 2012 14:30:00 CST</pubDate>
<description>
Added the latest Metasploit Framework automated exploit modules released today 
by Rapid7 with their presentation on General Electric D20 PLCs, part of 
Project Basecamp at Digital Bond's S4 conference.
</description>
</item>

<item>
<title>UPDATED: Stuxnet Reference Material</title>
<link>http://www.scadahacker.com/resources/stuxnet.html</link>
<pubDate>Thu, 19 Jan 2012 11:00:00 CST</pubDate>
<description>
Updated page with new section entitled "Stuxnet Research" and added Threat Post article 
on Ralph Langner's presentation at the 2012 S4 conference hosted by Digital Bond.
</description>
</item>

<item>
<title>Is Stuxnet Dead? A Look at Cyber Security and Industrial Control Systems</title>
<link>http://www.flowcontrol-digital.com/#&amp;pageSet=4</link>
<pubDate>Fri, 13 Jan 2012 14:30:00 CST</pubDate>
<description>
Flow Control Magazine 
January 2012 Issue

SCADAhacker works with Amy Richardson on our favorite malware - Stuxnet!
</description>
</item>

<item>
<title>UPDATED: Open Automation Software OPC Systems.NET Denial-of-Service Vulnerability</title>
<link>http://www.scadahacker.com/vulndb/2011/ics-vuln-openautosw-11-285-01.html</link>
<pubDate>Fri, 13 Jan 2012 08:45:00 CST</pubDate>
<description>
Luigi Auriemma publicly reported a malformed-packet vulnerability in the handling of RPC packets in Open 
Automation Software's OPC Systems.NET application, potentially creating a denial-of-service situation. 
Proof-of-concept (PoC) exploit code accompanied this report.

The vulnerability is exploitable by sending a malformed .NET Remote Procedure Call (RPC) packet 
to cause a denial of service (DoS) through port 58723/tcp, denying service to legitimate users.

ICS-CERT has coordinated this vulnerability with OAS, and an update is available that resolves 
this vulnerability. Luigi Auriemma has tested the update and has confirmed that it resolves 
the vulnerability.

All versions of OPC Systems.NET prior to 5.0 are affected. 
</description>
</item>
<item>
<title>UPDATED: 3S CoDeSys Multiple Vulnerabilities</title>
<link>http://www.scadahacker.com/vulndb/2011/ics-vuln-3s-11-336-01.html</link>
<pubDate>Tue, 10 Jan 2012 17:45:00 CST</pubDate>
<description>
Updated the reference page to include the latest article from Greg Hale at ISSSource.com.
</description>
</item>

<item>
<title>UPDATED: 3S CoDeSys Multiple Vulnerabilities</title>
<link>http://www.scadahacker.com/vulndb/2011/ics-vuln-3s-11-336-01.html</link>
<pubDate>Mon, 9 Jan 2012 10:45:00 CST</pubDate>
<description>
Security researcher Luigi Auriemma has discovered and publicly disclosed multiple vulnerabilities 
in the CoDeSys application developed by Smart Software Solutions GmbH. At the same time, Celil 
Unuver of SignalSEC Labs disclosed similar vulnerabilities, and coordinated this disclosure with 
ICS-CERT and 3S. According to information obtained, none of the PoC code developed by Unuver has been 
released publicly.

1)  Integer Overflow
An integer overflow error in the Gateway service when processing certain requests can be exploited 
to cause a heap-based buffer overflow via a specially crafted packet sent to port 1217/tcp.  Attackers 
can exploit these issues to execute arbitrary code within the context of the application. Failed 
attacks may cause a denial-of-service condition.
(Credit: Luigi Auriemma)

2)  Stack Overflow
A boundary error in the Control service when processing web requests can be exploited to cause a 
stack-based buffer overflow via an overly long URL sent to port 8080/tcp. Attackers can exploit 
these issues to execute arbitrary code within the context of the application. Failed attacks may 
cause a denial-of-service condition.
(Credit: Celil Unuver, Luigi Auriemma)

3)  Content-Length Null Pointer
A NULL pointer dereference error in the CmbWebserver.dll module of the Control service when processing 
HTTP POST requests can be exploited to deny processing further requests via a specially crafted 
"Content-Length" header sent to port 8080/tcp.  Attackers can exploit these issues to execute arbitrary 
code within the context of the application. Failed attacks may cause a denial-of-service condition.
(Credit: Luigi Auriemma)

4)  Invalid HTTP Request Null Pointer
A second NULL pointer dereference error in the CmbWebserver.dll module of the Control service when 
processing web requests can be exploited to deny processing further requests by sending a request 
with an unknown HTTP method to port 8080/tcp.
(Credit: Luigi Auriemma)

5)  Folders Creation
An error in the Control service when processing web requests containing a non-existent directory 
can be exploited to create arbitrary directories within the webroot via requests sent to port 8080/tcp. 
Exploitation of this vulnerability results in the creation of arbitrary directories.
(Credit: Luigi Auriemma)

ICS-CERT has coordinated these vulnerabilities with 3S Smart Software Solutions, and they have 
produced new versions for both CoDeSys v3 and v2.3 that mitigate these vulnerabilities. Mr. Auriemma 
has confirmed that the new versions fully resolve the reported vulnerabilities.  
</description>
</item>

<item>
<title>New Meterpreter Extension Released: MSFMap Beta from SecureState</title>
<link>http://www.scadahacker.com/resources/msf-scada.html#publicmsf</link>
<pubDate>Mon, 9 Jan 2012 08:15:00 CST</pubDate>
<description>
SecureState has released a new extension for Metasploit's Meterpreter called MSFMap. This new 
utility provides an NMap-like port scanner from within the context of a Meterpreter session. 

This gives penetration testers an easily deployable and flexible port scanning utility.  Having 
this functionality can make pivoting into internal networks much easier without the need to 
install or upload an additional program.
</description>
</item>

<item>
<title>UPDATED: Invensys Wonderware InBatch ActiveX Multiple Buffer Overflow Vulnerabilities</title>
<link>http://www.scadahacker.com/vulndb/2011/ics-vuln-invensys-11-332-01.html</link>
<pubDate>Thu, 5 Jan 2012 08:15:00 CST</pubDate>
<description>
Researcher Kuang-Chun Hung of the Security Research and Service Institute - Information and 
Communication Security Technology Center (ICST) has identified three vulnerabilities in the 
Invensys Wonderware InBatch application. These vulnerabilities exist in the GUIControls, 
BatchObjSrv, and BatchSecCtrl ActiveX Controls.

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary 
code within the context of an application (typically Internet Explorer) that uses the ActiveX 
control. Failed exploit attempts will result in a denial of service (DoS) on systems with 
affected versions of Wonderware InBatch Runtime Client components.

The following InBatch versions are affected:
- 8.1 SP1, 9.0, 9.0 SP1, 9.0 SP2, and 9.5 - InBatch Server and Runtime Clients

The affected components exist in a variety of Wonderware products including InTouch and Information 
Server browser clients that have downloaded converted windows that contain these controls.

According to Invensys, I/A Series Batch 8.1 SP1 and Wonderware InBatch 9.5 SP1 and higher are 
not affected by these vulnerabilities.

Invensys has issued software updates that resolve these vulnerabilities (see links below). The 
ICST has confirmed the software updates fully resolve the reported vulnerabilities.
</description>
</item>

<item>
<title>Siemens Tecnomatix FactoryLink Multiple ActiveX Vulnerabilities</title>
<link>http://www.scadahacker.com/vulndb/2012/ics-vuln-siemens-11-343-01.html</link>
<pubDate>Thu, 5 Jan 2012 08:15:00 CST</pubDate>
<description>
Researcher Kuang-Chun Hung of Taiwan's Information and Communication Security Technology Center 
(ICST) has identified two vulnerabilities affecting ActiveX components in the Siemens Tecnomatix 
FactoryLink application. The report included buffer overflow and data corruption vulnerabilities. 
Coordination with Siemens was handled through ICS-CERT.

1) Buffer Overflow
Attackers can exploit this issue to execute arbitrary code within the context of the application 
using the vulnerable control (typically Internet Explorer).

2) Data Corruption / File Overwrite
Attackers can save and overwrite arbitrary files on the victim's computer in the context of the 
vulnerable application using the ActiveX control (typically Internet Explorer).

Siemens has released a patch that addresses the identified vulnerabilities. ICS-CERT has confirmed 
that the Siemens patch resolves the reported vulnerabilities.

The following Siemens Tecnomatix FactoryLink versions are affected:
-  8.0.2.54
-  7.5.217 (V7.5 SP2)
-  6.6.1 (V6.6 SP1) 
</description>
</item>

<item>
<title>UPDATED: Duqu Resources on SCADAhacker</title>
<link>http://www.scadahacker.com/resources/duqu.html</link>
<pubDate>Wed, 4 Jan 2012 09:15:00 CST</pubDate>
<description>
Page has been updated under January 4 heading with the latest findings from Kaspersky, including 
some additional details on yet-to-be-discovered malware that may have also been developed along with 
Duqu and Stuxnet.
</description>
</item>

</channel>
</rss>