Why is SCADA Security an Uphill Battle?

Presented at AppSec USA 2013, Nov. 20, 2013, 11 a.m. (50 minutes).

Video of session: https://www.youtube.com/watch?v=quhbhy7WkkA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=12

This talk will present technical security challenges faced by organizations that have SCADA, critical infrastructure or control systems installations. It will provide examples of attacks and examples of security controls that organizations can implement to protect against these attacks. It will focus on how OWASP and SCADA are getting knit closely together. The talk will also introduce an updated version of an open-source tool to help identify and inventory SCADA systems.

The presentation will begin by introducing SCADA systems under the hood, including RTU, IED, PLC, FEP, PCS, DCS, HMI, sensors, data historians and other SCADA components. The presenter will categorize these components into distinct groups based on the functionality that each component provides. We will review the security implications for each of these groups and identify where most of the threats lie. We will take a packet-level dive into SCADA protocols and study their security implications. The presentation will give examples of attacks that can be carried out against each group and component. The presenter will release an updated version of an open-source tool to identify and inventory SCADA systems using the protocols discussed in this presentation.

It will then focus on real-world examples of successful and not-so-successful implementations of security controls with SCADA systems, which will include examples of what some large organizations have done. We will conclude with guidance on how control system owners can start implementing additional measures to reach an acceptable level of security.

Attendees who are in charge of control system infrastructure will get insight into what worked and what did not for other organizations. Engineers who are in charge of security for control systems will get better technical insight into SCADA protocols and components and can use the open-source tool that is introduced. Attendees who are new to control systems will get an excellent overview of the security complexities of control systems.

Presenters:

  • Amol Sarwate - Director of Vulnerability and Compliance Labs - Qualys Inc.
    As Director of Vulnerability Labs at Qualys, Amol Sarwate heads a worldwide team of security researchers who analyze the threat landscape of exploits, vulnerabilities and attacks. He is a veteran of the security industry who has worked for the last 15 years on firewalls, vulnerability scanners and embedded security at McAfee, Hitachi, i2 and other organizations. He has presented his research on various topics like Vulnerability Trends, Credit Card Malware, Security Axioms, SCADA and Exploits at many conferences like RSA, BlackHat, AppSec, and others.
