Dissecting the Design of SCADA Web Human Machine Interfaces (HMIs) - Hunting Vulnerabilities

Presented at DEF CON 23 (2015), Aug. 8, 2015, 10 a.m. (60 minutes)

Human Machine Interfaces (HMIs) are the subsets of the Supervisory Control and Data Acquisition (SCADA) systems. HMIs are control panels that provide interfaces for humans to interact with machines and to manage operations of various types of SCADA systems. HMIs have direct access to SCADA databases including critical software programs. The majority of SCADA systems have web-based HMIs that allow the humans to control the SCADA operations remotely through Internet. This talk unveils various flavors of undisclosed vulnerabilities in web-based SCADA HMIs including but not limited to remote or local file inclusions, insecure authentication through clients, weak password hashing mechanisms, firmware discrepancies, hardcoded credentials, insecure web-services, weak cryptographic design, cross-site request forgery, and many others. This talk digs deeper into the design models of various SCADA systems to highlight security deficiencies in the existing SCADA HMI deployments. The research is driven with a motivation to secure SCADA devices and to build more intelligent solutions by hunting vulnerabilities in SCADA HMIs. The vulnerabilities presented in this talk are completely undisclosed and will be revealed for the first time with live demonstrations.

Presenters:

• Aditya K Sood - Architect - Threat Research Labs, Elastica inc.
  Aditya K Sood (Ph.D) is a senior security researcher and consultant. Dr. Sood has research interests in malware automation and analysis, application security, secure software design and cybercrime. He has worked on a number of projects pertaining to penetration testing specializing in product/appliance security, networks, mobile and web applications while serving Fortune 500 clients for IOActive, KPMG and others. He is also a founder of SecNiche Security Labs, an independent web portal for sharing research with security community. He has authored several papers for various magazines and journals including IEEE, Elsevier, CrossTalk, ISACA, Virus Bulletin, Usenix and others. His work has been featured in several media outlets including Associated Press, Fox News, Guardian, Business Insider, CBC and others. He has been an active speaker at industry conferences and presented at BlackHat, DEF CON, HackInTheBox, RSA, Virus Bulletin, OWASP and many others. Dr. Sood obtained his Ph.D from Michigan State University in Computer Sciences. Dr. Sood is also an author of "Targeted Cyber Attacks" book published by Syngress. Company Website: http://www.elastica.net Personal website: http://adityaksood.secniche.org Twitter: @AdityaKSood

Links:

• https://defcon.org/html/defcon-23/dc-23-speakers.html#Sood
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video and slides/DEF CON 23 - Aditya K Sood - Dissecting the Design of SCADA Web HMIs - Hunting Vulns - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=jX5cz4jI3yk

Similar Presentations:

• DEF CON 18 (2010) / Exploiting SCADA Systems
• ToorCon San Diego 12 (2010) / Exploiting SCADA Systems
• AppSec USA 2015 / The State of Web Application Security in SCADA Web Human Machine Interfaces (HMIs) !