ICS/SCADA Security Threat Status and Control Network Hacking Demonstration, Louis Hur, 2016/3/14


Page 1: ICS/SCADA Security Threat Status and Control Network Hacking Demonstration · secuinside.com/archive/2016/2016-1-2.pdf · 2016-07-21 · ICS/SCADA Security a Traditionally, SCADA networks have been segregated


Career highlights
• 2004 ~ Now – NSHC Inc, CEO
• 2014 ~ Now – SECUINSIDE Organizing Committee
• 2015 ~ Now – Kimchicon Organizer & Staff
• 2009 ~ Now – IssueMakersLab Researcher
• 2010 ~ Now – Red Alert Team Researcher
• 2015 ~ Now – Advisor to INTERPOL on malware analysis

Recent activities
• 2016.04 – Null&Con in Singapore Speaker
• 2015.06 – 1st Kimchicon Speaker
• 2015.11 – 2015 Black Hat Amsterdam Speaker
• 2015.08 – 2015 HongKong CCS 2015 Speaker

Areas of interest
• Control system security and related S/W bug hunting
• Offensive Security Business Modeling
• Global Business structure

Index

Part 1. NSHC?
Part 2. ICS/SCADA Security
Part 3. Conclusion


Let me introduce NSHC

Part 1. NSHC ?

General

• CEO & Founder: Louis Hur
• Established: Mar. 2004
• Staff: 74
• Researchers: 56

NSHC Inc. (Kor): located in South Korea, Senior Researcher: 58
NSHC Global (SIN): located in Singapore, Senior Researcher: 16

Advanced Hacking Lab
Zero-day Vulnerability Hunting Team
Security Training Team
Red Alert Team
NSHC United.

Solutions
- nSafer: Encryption Library
- nFilter: Security Keypads
- Droid-X: Mobile Antivirus
- nOTP: OTP for Smart device
- App Protect: App Security Tool

Research
- Red Alert Service
- Zero-day Research
- APT & Threat Research

Consulting & Training
- Vulnerability Scanner & Analysis
- Penetration Testing
- Information Security Consulting
- Real-world Hacking Simulation
- Mobile App Security Checking

Reputation of Red Alert Team

Bug Hunting

2015 Year
• 2015.11 – Code blue Pwn2Own Winner
• 2015.07 – Award at the SECUINSIDE CTB contest

SCADA/ICS Service

NSHC's Singapore subsidiary researched ICS security vulnerabilities in critical infrastructure such as power plants and airports. Rather than products, it focused on providing security information, penetration testing, consulting, and training services.

It sold ICS/SCADA security vulnerability information and data on corporate and personal information leaks to global companies and government agencies.

January 2016 - Electronic Times (전자신문)

ICS/SCADA Security

http://www.risidata.com/Database/event_date/desc

https://www.shodan.io/
Search Keyword: siemens country:kr

https://www.shodan.io/
Search Keyword: sunny webbox

https://www.google.co.kr
Search Keyword: "모니터링 화면입니다" 태양

SCADA 0-Day Demo

Date Customer Project Name
2014-5 Speaker at 2015 PoC Security conferences
Speaker at PoC Security Conference of New Threat of SCADA System (Include showing 0-day of SCADA System) – Encl (Attached file)
Project description: Success (SCADA Training Services)

https://www.youtube.com/watch?v=PvfUUbS16F8

Traditionally, SCADA networks have been segregated from other corporate networks to minimize exposure to insecure areas, such as the Internet. Recently, however, more organizations are connecting SCADA networks with other potentially insecure networks in order to cut costs, share operational information, or distribute ordering/billing data. Even when connecting SCADA networks to other networks is prohibited by corporate policy, incorrectly installed systems can unintentionally bridge networks together, putting SCADA networks and the processes they control at risk.
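As an added example (not from the original slides), one way to audit an asset inventory for hosts that unintentionally bridge the SCADA network to another network, as the paragraph above describes. The zone CIDR ranges, host names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed zone plan (assumption): replace with the site's real address plan.
ZONES = {
    "control": [ipaddress.ip_network("10.10.0.0/16")],
    "corporate": [ipaddress.ip_network("172.16.0.0/12")],
    "dmz": [ipaddress.ip_network("192.168.50.0/24")],
}

# Constructed inventory: host name -> addresses of all its network interfaces.
INVENTORY = {
    "hmi-01": ["10.10.1.20"],                      # control only
    "historian-01": ["10.10.2.5", "172.16.4.9"],   # control + corporate
    "eng-ws-03": ["10.10.3.7", "203.0.113.14"],    # control + unplanned address
    "mail-gw": ["192.168.50.10", "172.16.0.25"],   # dmz + corporate, no control leg
    "plc-gw-02": ["10.10.1.1", "10.10.2.1"],       # two legs, both inside control
}


def zone_of(addr):
    """Return the zone an address belongs to, or 'unknown' if outside the plan."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"  # not in the address plan: treat as untrusted


def find_bridges(inventory, protected="control"):
    """Map each host with a leg in the protected zone AND in any other zone
    to the sorted list of those other zones."""
    findings = {}
    for host, addrs in inventory.items():
        zones = {zone_of(a) for a in addrs}
        if protected in zones and len(zones) > 1:
            findings[host] = sorted(zones - {protected})
    return findings


if __name__ == "__main__":
    for host, others in find_bridges(INVENTORY).items():
        print(f"{host}: control network also reachable from {', '.join(others)}")
```

Hosts with several interfaces that all stay inside the control zone are not flagged; only a leg outside it counts as a bridge.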

Attack vectors (No / Attack Vector / Target / Case Study)

1. Malware infection through Internet services (email, file, hyperlink, APK, etc.)
   Target: Control System Network, Business/corporate Network
   Case study: Stuxnet, Regin 3.20 Korea Plants (http://www.theguardian.com/world/2014/dec/22/south-korea-nuclear-power-cyber-attack-hack)

2. Malware infection through physical access to the victim PC (USB, Bluetooth, RFID, etc.)
   Target: Control System Network, Business/corporate Network
   Case study: Stuxnet

3. Malware infection through Water Hole Attack (drive-by exploit: using browser or plug-in 0day, hijacked firmware update, DNS spoofing attack)
   Target: Control System Network, Business/corporate Network
   Case study: APT Attack

4. Attacker can access the Business/Corporate network through a DMZ system (Mail, Web, FTP, DNS, and VPN server)
   Target: DMZ Zone Systems

5. Identity theft, social engineering hacking, abetting crime
   Target: Control System Network, Business/corporate Network

6. Drone, Dragonfly, Havex Attack
   Target: Control System Network, Business/corporate Network
   Case study: https://www.alienvault.com/forums/discussion/2950/dragonfly-havex-energetic-bear-cyber-espionage-attacks-against-energy-suppliers

7. IoT devices and embedded system attack
   Target: Control System Network, Business/corporate Network

8. File transfer across an air-gapped area through other devices (mic & speaker)
   Using a mic and speaker to communicate between separated networks. The attacker is able to execute commands and transfer files over the air gap.
   Demo Video: https://www.youtube.com/watch?v=Tpc8tyqG88U

9. Hack air-gapped computer with simple cell phone
   Attacker can access the Control System Network and Business/corporate Network through a simple cell phone.
   Demo Video: http://www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple-cell-phone/?mbid=social_twitter

10. Intentional backdoor made by another country or vendor
    Target: Control System Network

11. BAD DNS Attack Over the Airgap but connected DNS Siemens


Hacking Demo for SCADA


Is it interesting? And then…

Conclusion


Cyber trend? Is your trend?