Switches Get Stitches

Presented at DEF CON 23 (2015), Aug. 8, 2015, 4 p.m. (Unknown duration)

This talk will introduce you to Industrial Ethernet Switches and their vulnerabilities. These are switches used in industrial environments, like substations, factories, refineries, ports, or other homes of industrial automation. In other words: DCS, PCS, ICS & SCADA switches. The researchers focus on attacking the management plane of these switches, because we all know that industrial system protocols lack authentication or cryptographic integrity. Thus, compromising any switch allows the creation of malicious firmwares for further MITM manipulation of a live process. Such MITM manipulation can lead to the plant or process shutting down (think: nuclear reactor SCRAM) or getting into a unknown and hazardous state (think: damaging a blast furnace at a steel mill) Not only will vulnerabilities be disclosed for the first time, but the methods of finding those vulnerabilities will be shared. All vulnerabilities disclosed will be in the default configuration state of the devices. While these vulnerabilities have been responsibly disclosed to the vendors, SCADA/ICS patching in live environments tends to take 1-3 years. Because of this patching lag, the researchers will also be providing live mitigations that owner/operators can use immediately to protect themselves. At least four vendors switches will be examined: Siemens, GE, Garrettcom and Opengear.


  • Robert M. Lee
    Robert M. Lee is a co-founder of Dragos Security LLC where he has a passion for control system protocol analysis, digital forensics, and threat intelligence research. He is also an active-duty U.S. Air Force Cyber Warfare Operations Officer where he has been a member of multiple computer network defense teams including his establishing and leading of a first-of-its-kind ICS/SCADA threat intelligence and intrusion analysis mission. Robert received his BS from the United States Air Force Academy and his MS in Cybersecurity Digital Forensics from Utica College. He is a passionate educator and teaches in the ICS and Forensics programs at SANS and is an Adjunct Lecturer at Utica College where he teaches in their MS Cybersecurity program. Robert is also the author of 'SCADA and Me' and is currently pursuing his PhD at Kings College London with research in control system cyber security. He routinely publishes academic and industry focused works in a wide variety of journals and publications; additionally he has presented at conferences around the world. Twitter: @RobertMLee
  • √Čireann Leverett
    √Čireann Leverett hates writing bios in the third person. He once placed second in an Eireann Leverett impersonation contest. He likes teaching the basics, and learning the obscure. He is sometimes jealous of his own moustache for being more famous than he is. If he could sum up his life in one sentence; he wouldn't. That would be a life-sentence! He is primarily known for smashing the myth of the air-gap in industrial systems with his master's thesis, finding authentication bypasses for industrial ethernet switches, and working with incident response teams to improve their understanding of industrial control systems security. He believes security takes an awful lot more than penetration-testing and speaks often about the wider effects of embedded system insecurity. Twitter: @blackswanburst
  • Colin Cassidy - Senior Security Consultant at IOActive
    Colin Cassidy is a security consultant for IOActive where he focuses on Industrial Control Systems. He has a strong development and software engineering background. He is also a seasoned leader in the areas of security and software engineering. Before joining IOActive, Cassidy served for a number of years as Technical Manager and Security Technical Lead for IGE Energy Services, Ltd, part of GE Energy. He has hands-on experience with PowerOn Fusion, a leading Outage Management System/Distribution Management System (OMS/DMS) solution for electricity distribution management. He also led a team of developers in producing new functionality within the core product and worked with customers to understand their requirements. Colin Cassidy has a BSc (Hons) in Computing Science from the University of Glasgow. Twitter: @parttimesecguy
  • Panel


Similar Presentations: