TRANSCRIPT
ICS/SCADA 보안 위협 현황 및 제어망 해킹 시연
Louis Hur
2016/3/14
Career highlights • 2004 ~ Now – NSHC Inc, CEO • 2014 ~ Now – SECUINSIDE Organizing Committee • 2015 ~ Now – Kimchicon Organizer & Staff • 2009 ~ Now – IssueMakersLab Researcher • 2010 ~ Now – Red Alert Team Researcher • 2015 ~ Now – Advisor to INTERPOL on malware analysis
Recent activities • 2016.04 – Null&Con in Singapore Speaker • 2015.06 – 1st Kimchicon Speaker • 2015.11 – 2015 Black Hat Amsterdam Speaker • 2015.08 – 2015 HongKong CCS 2015 Speaker
Areas of interest • Control system security and related software bug hunting • Offensive Security Business Modeling • Global Business structure
Part 1. NSHC ? Part 2. ICS/SCADA Security Part 3. Conclusion
Index
Let me introduce NSHC
Part 1. NSHC ?
General NSHC Inc. (Kor) Located at South Korea Senior Researcher: 58
NSHC Global (SIN) Located at Singapore Senior Researcher: 16
Advanced Hacking Lab
Zero-day Vulnerability Hunting Team
Security Training
Team
Red Alert Team NSHC United.
• CEO & Founder: Louis Hur
• Established: Mar. 2004
• Staff: 74
• Researchers: 56
Consulting & Training
- Vulnerability Scanner & Analysis
- Penetration Testing
- Information Security Consulting
- Real-world Hacking Simulation
- Mobile App Security Checking
Solutions
- nSafer: Encryption Library
- nFilter: Security Keypads
- Droid-X: Mobile Antivirus
- nOTP: OTP for Smart device
- App Protect: App Security Tool
Research
- Red Alert Service
- Zero-day Research
- APT & Threat Research
Reputation of Red Alert Team
2015
• 2015.11 – Code Blue Pwn2Own Winner
• 2015.07 – SECUINSIDE CTB contest award
Bug Hunting
NSHC's Singapore subsidiary has researched ICS security vulnerabilities in critical infrastructure such as power plants and airports. Rather than products, it has focused on security intelligence, penetration testing, consulting and training services.
It has sold ICS/SCADA vulnerability information and data on corporate and personal information leaks to global companies and government agencies.
January 2016 – ETNews (전자신문)
SCADA/ICS Service
Part 2. ICS/SCADA Security
Incident history source: http://www.risidata.com/Database/event_date/desc (RISI incident database)
Exposure searches
https://www.shodan.io/ – search keyword: siemens country:kr
https://www.shodan.io/ – search keyword: sunny webbox
https://www.google.co.kr – search keyword: "모니터링 화면입니다" 태양 (Korean: "This is the monitoring screen" solar)
Project reference
Date: 2014-5
Project name: Speaker at 2015 PoC Security conference
Description: Speaker at PoC Security Conference on "New Threat of SCADA System" (including showing a 0-day of a SCADA system) – Encl. (attached file)
Project result: Success (SCADA Training Services)
SCADA 0-Day Demo
https://www.youtube.com/watch?v=PvfUUbS16F8
Traditionally, SCADA networks have been segregated from other corporate networks to minimize exposure to insecure areas such as the Internet. Recently, however, more organizations are connecting SCADA networks to other, potentially insecure networks in order to cut costs, share operational information, or distribute ordering/billing data. Even when connecting SCADA networks to other networks is prohibited by corporate policy, incorrectly installed systems can unintentionally bridge the networks together, putting SCADA networks and the processes they control at risk.
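The "unintentional bridge" in the paragraph above is something you can look for in an asset inventory rather than wait to discover. The following is an added example, not code from the original slides or from NSHC: it takes a host list (interface addresses plus default gateway, as exported from an asset database or collected from `ip addr` / `ip route` on each host) together with the site's address plan, and reports the two common ways segregation gets broken: a dual-homed host with interfaces in both zones, and a control-network host whose default route points at a business-network gateway. The address ranges and the host inventory are constructed for illustration.

```python
"""Detect hosts that accidentally bridge a control (SCADA) network into the
business network.

Added example, not code from the original slides. The address plan and the
host inventory below are constructed; substitute the real ones.
"""
import ipaddress
from typing import Dict, List, Tuple

# Address plan: assumed for illustration, substitute the real one.
CONTROL_NETS = [ipaddress.ip_network("10.10.0.0/16")]
BUSINESS_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
]


def zone_of(addr: str) -> str:
    """Classify an address as 'control', 'business' or 'other'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in CONTROL_NETS):
        return "control"
    if any(ip in net for net in BUSINESS_NETS):
        return "business"
    return "other"


def find_bridges(inventory: List[Dict]) -> List[Tuple[str, str]]:
    """Return (hostname, reason) for every host that bridges the two zones.

    Two signals are checked per host:
    - dual-homed: at least one interface in each zone;
    - routing: a control-network host whose default gateway lives in the
      business network, so its non-local traffic leaves the control zone.
    """
    findings = []
    for host in inventory:
        zones = {zone_of(a) for a in host["addrs"]}
        if {"control", "business"} <= zones:
            findings.append((host["name"],
                             "dual-homed: interfaces in both control and business networks"))
        gateway = host.get("gateway")
        if gateway and "control" in zones and zone_of(gateway) == "business":
            findings.append((host["name"],
                             f"control-network host defaults to business gateway {gateway}"))
    return findings


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    {"name": "hmi-01", "addrs": ["10.10.1.20"], "gateway": "10.10.1.1"},
    {"name": "eng-ws-03", "addrs": ["10.10.1.45", "192.168.5.12"], "gateway": "192.168.5.1"},
    {"name": "historian", "addrs": ["10.10.2.10"], "gateway": "192.168.5.1"},
    {"name": "fileserver", "addrs": ["192.168.5.30"], "gateway": "192.168.5.1"},
    {"name": "vendor-laptop", "addrs": ["10.10.1.99", "172.20.3.7"], "gateway": "10.10.1.1"},
]

if __name__ == "__main__":
    for name, reason in find_bridges(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```

On the sample data this flags the engineering workstation twice (dual-homed and routing out through the business side), the historian once (single-homed but defaulting to a business gateway) and the vendor laptop once (dual-homed). Treat the routing signal as a triage lead, not proof: a historian that legitimately talks to the corporate side through a firewall will also match, and the review should then confirm that the firewall, not a flat route, is what sits in between.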
Attack vectors (No. / Attack vector / Target / Case study)

1. Malware infection through Internet services (email, file, hyperlink, APK, etc.)
   Target: Control System Network, Business/corporate Network
   Case study: Stuxnet, Regin, 3.20, Korea plants (http://www.theguardian.com/world/2014/dec/22/south-korea-nuclear-power-cyber-attack-hack)
2. Malware infection through physical access to a victim PC (USB, Bluetooth, RFID, etc.)
   Target: Control System Network, Business/corporate Network
   Case study: Stuxnet
3. Malware infection through a watering hole attack (drive-by exploit using a browser or plug-in 0-day, hijacked firmware update, DNS spoofing attack)
   Target: Control System Network, Business/corporate Network
   Case study: APT attack
4. Attacker gains access to the Business/corporate Network through DMZ systems (Mail, Web, FTP, DNS and VPN servers)
   Target: DMZ Zone Systems
5. Identity theft, social engineering, abetting crime
   Target: Control System Network, Business/corporate Network
6. Drone, Dragonfly, Havex attack
   Target: Control System Network, Business/corporate Network
   Case study: https://www.alienvault.com/forums/discussion/2950/dragonfly-havex-energetic-bear-cyber-espionage-attacks-against-energy-suppliers
7. IoT devices and embedded system attack
   Target: Control System Network, Business/corporate Network
8. File transfer across the air gap through other devices (mic & speaker)
   Using a microphone and speaker to communicate between separated networks; the attacker is able to execute commands and transfer files across the air gap.
   Demo video: https://www.youtube.com/watch?v=Tpc8tyqG88U
9. Hack an air-gapped computer with a simple cell phone
   The attacker can reach the Control System Network and the Business/corporate Network through a simple cell phone.
   Demo video: http://www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple-cell-phone/?mbid=social_twitter
10. Intentional backdoor planted by another country or by the vendor
    Target: Control System Network
11. Bad DNS attack: across the air gap, but with connected DNS
    Case study: Siemens
Hacking Demo for SCADA
Is it interesting? And then…
Part 3. Conclusion
Cyber trend? Is your trend?