Why is SCADA Security an Uphill Battle?

By Amol Sarwate on 20 Nov 2013 @ Appsecusa
#scada #application-pentesting #application-hardening #secure-coding #ics-security #network-forensics #security-development-lifecycle
Focus Areas: Application Security, DevSecOps, Incident Response, Industrial Control Systems Security, Network Security

Abstract

This talk will present technical security challenges faced by organizations that have SCADA, critical infrastructure or control systems installations. It will provide examples of attacks and examples of security controls that organizations can implement to protect against these attacks. It will focus on how OWASP and SCADA are getting knit closely together. The talk will also introduce an updated version of an open-source tool to help identify and inventory SCADA systems.

The presentation will begin by introducing SCADA systems under the hood including RTU, IED, PLC, FEP, PCS, DCS, HMI, sensors, data historians and other SCADA components. The presenter will categorize these components into distinct groups based on the functionality that each component provides. We will review the security implications on each of these groups and identify where most of the threats lie. We will take a packet level dive into SCADA protocols and study their security implications. The presentation will give examples of attacks that can be carried out against each group and component. The presenter will release an updated version of an open-source tool to identify and inventory SCADA systems using the protocols discussed in this presentation. It will then focus on real world examples of successful and not-so-successful implementations of security controls with SCADA systems, which will include examples of what some large organizations have done. We will conclude with guidance on how control system owners can start implementing additional measures to get to an acceptable level of security.

Attendees who are in charge of control system infrastructure will get insight on what worked and what did not for other organizations. Engineers who are in charge of security for control systems will get a better technical insight of SCADA protocols and components and can use the open source tool that is introduced. Attendees who are new to control systems will get an excellent overview of security complexities of control systems.

AI Generated Summary

The talk focused on vulnerabilities in SCADA (Supervisory Control and Data Acquisition) systems, which are used to control and monitor industrial processes, such as power grids, water treatment plants, and transportation systems. The speaker presented an analysis of SCADA vulnerabilities reported in 2013, which showed that 66% of vulnerabilities were found in the SCADA master, 22% in communication components, 11% in data conversion components, and almost none in data acquisition components.

The speaker highlighted that many SCADA protocols, such as Modbus and DNP3, were developed 30 years ago without built-in security measures, making them vulnerable to attacks. The use of off-the-shelf operating systems, such as Windows, and web applications in SCADA systems has also increased the attack surface. The speaker presented examples of vulnerabilities in SCADA systems, including cross-site scripting, SQL injection, and denial-of-service attacks.

The talk emphasized the importance of application security (AppSec) in SCADA systems, as many of these systems now use web applications and databases, making them vulnerable to traditional web application attacks. The speaker stressed that SCADA system vendors and practitioners need to be aware of these vulnerabilities and take steps to secure their systems, including implementing secure coding practices, vulnerability scanning, and penetration testing.

The practical implications of the talk are that organizations operating SCADA systems need to prioritize security and implement measures to protect against vulnerabilities, including regular security audits, patch management, and employee training. Additionally, the talk highlights the need for SCADA system vendors to develop more secure products and for practitioners to stay up-to-date with the latest security threats and mitigation techniques.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.