SCADA Security Example



Similar documents
SCADA Security. Christian Paulino. Instructor: JanuszZalewski

Lab Objectives & Turn In

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Security and Access Control Lists (ACLs)

Introduction on Low level Network tools

Linux Network Security

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Maruleng Local Municipality

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Payment Card Industry (PCI) Executive Report. Pukka Software

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

CTS2134 Introduction to Networking. Module Network Security

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

ΕΠΛ 674: Εργαστήριο 5 Firewalls

NCS 430 Penetration Testing Lab #2 Tuesday, February 10, 2015 John Salamy

1 Scope of Assessment

Firewalls Overview and Best Practices. White Paper

Internet Security Firewalls

HowTo: Logging, reporting, log-analysis and log server setup Version 2007nx Release 3. Log server version 2.0

Intro to Firewalls. Summary

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

1. Why is the customer having the penetration test performed against their environment?

UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2014/2015 NETWORK SECURITY MODULE NO: CPU6004

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

1. LAB SNIFFING LAB ID: 10

Capture and analysis of the network traffic with Wireshark

Proxies. Chapter 4. Network & Security Gildas Avoine

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Network Traffic Analysis

Solution of Exercise Sheet 5

CS5008: Internet Computing


Firewall Firewall August, 2003

IDS and Penetration Testing Lab ISA656 (Attacker)

Ethical Hacking and Information Security. Foundation of Information Security. Detailed Module. Duration. Lecture with Hands On Session: 90 Hours

CISCO IOS NETWORK SECURITY (IINS)

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

How To Secure Network Threads, Network Security, And The Universal Security Model

How To - Implement Clientless Single Sign On Authentication with Active Directory

Networks and Security Lab. Network Forensics

EC-Council Certified Security Analyst / License Penetration Tester (ECSA/LPT) v4.0 Bootcamp

Firewalls (IPTABLES)

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

Internet Security Firewalls

Lab - Observing DNS Resolution

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Lab 1: Packet Sniffing and Wireshark

EINTE LAB EXERCISES LAB EXERCISE #5 - SIP PROTOCOL

Introduction of Intrusion Detection Systems

The Open Cyber Challenge Platform *

Lab 1: Network Devices and Technologies - Capturing Network Traffic

My FreeScan Vulnerabilities Report

Technical Support Information

Using GhostPorts Two-Factor Authentication

Linux MDS Firewall Supplement

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Securing the system using honeypot in cloud computing environment

TCP/IP Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Environment Setup. SEED Labs TCP/IP Attack Lab 1

Introduction to Endpoint Security

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

CRYPTUS DIPLOMA IN IT SECURITY

F-SECURE MESSAGING SECURITY GATEWAY

Network Security CS 192

Vulnerability Assessment and Penetration Testing

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor wons@uwindsor.ca

Firewalls and Software Updates

8 steps to protect your Cisco router

CSCI Firewalls and Packet Filtering

Exam Questions SY0-401

CYBERTRON NETWORK SOLUTIONS

Safe network analysis

Cautela Labs Cloud Agile. Secured.

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing An Update

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

NAS 224 Remote Access Manual Configuration

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Penetration Testing SIP Services

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Security threats and network. Software firewall. Hardware firewall. Firewalls

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

BASIC ANALYSIS OF TCP/IP NETWORKS

Packet Sniffing with Wireshark and Tcpdump

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

E-commerce Production Firewalls

TELNET CLIENT 5.11 SSH SUPPORT

Security Toolsets for ISP Defense

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

IDS and Penetration Testing Lab ISA 674

HoneyBOT User Guide A Windows based honeypot solution

Transcription:

SCADA Security Example Christian Paulino and Janusz Zalewski Florida Gulf Coast University December 2012 1. Introduction SCADA systems are always connected to a network, so they are vulnerable to attack. With many vulnerabilities that may affect SCADA, in general, in this project the focus is on network intrusions through viruses, worms, and other types of malicious code. A key element for any network to protect against these kinds of risks is the firewall, which needs to be configured appropriately based on the needs of the system. The case study in this project is the security of FGCU s SCADA system. Fig. 1. Packet filtering process After the security risks have been determined, this project implements a way to possibly improve security. The firewall on the SCADA server is used to do packet filtering. Packet filtering examines the packets that are sent to the network. It checks the source IP address, the destination IP address, and the Internet protocols involved. This process is shown in Figure 1. The Windows firewall can be configured to either permit or deny incoming packets. Rules are created that allow only the necessary connections for operation of the project s SCADA system. This will help ensure connection requests with malicious intent cannot be granted.

2. Implementation The first step is to see what connections are running on the SCADA server. The tests can be conducted on a SCADA workstation through an SSH connection, in this case using Putty. The command netstat at shows all active connection going through the network device (Figure 2), and the command netstat l displays active UDP connections (Figure 3). Fig.2. Active TCP Internet Connections Fig.5. Active Network UDP Connections

Another command netstat xl displays the active Unix domain sockets (Figure 4). Fig.4. Active UNIX Domain Socket The next step is to see how the workstation and the SCADA server interact. A software package called Wireshark is used to this purpose. Wireshark is a packet capturing program than can be used to analyze packets that are sent over a network. Figure 5 shows how Wireshark captures the packets in the CS lab where the workstation and SCADA server are located. Fig.5. Whireshark all packets

Next, the Wireshark results are filtered to include only packets sent from the workstation to the SCADA server as shown in Figure 6. The filtering is done by entering a command into the filter text box (highlighted green in Figure 6). To filter by IP address, both source and destination addresses are required. The Wireshark filter command used is as follows: ip.src==69.88.163.28 and ip.dst==69.88.163.30 Fig. 6. Wireshark workstation to SCADA server packets

Then Wireshark filter is used to highlight the login packet. This is shown in Figure 7. This is done by using the CTRL+F function. After hitting CTRL+F, a string needs to be selected and then any string that resides in the list of packets can be found. In this case, it was mgr, which is the username. The username is searched for until the packet that displayed both the username and the key is found. That packet is the one that was used to login. Fig. 7. Wireshark login packet

The last step is to see how the SCADA server fairs against attacks. This is done with a penetration testing tool called Meatasploit. Metasploit is a software package that has various penetration tests built into it. Before running any tests, the SCADA server needs to be detected. This is done by running a scan with Metasploit looking for the SCADA server s IP address which is 69.88.163.30. The results of the scan are shown in Figure 8 and the detected IP addresses are shown in Figure 9. Fig. 8. Metasploit scan results

Fig. 9. Metasploit detected IP addresses After the SCADA server is detected, the penetration tests can start. The first test is the Brute Force test. A Brute Force tests to see how secure the SCADA server s keys are. Metasploit generates a bunch of different keys and attempts to enter the SCADA server with each one. In this experiment, the test failed. That means that the SCADA server is secure against a Brute Force attack. Figure 10 shows the results of the test.

Fig. 10. Metasploit bruteforce test results The last test is an exploit test. An exploit test checks for any faults in the SCADA server and attempts to use them to get into the server. The exploit tests against the SCADA server failed, which means there weren t any faults detected by Metasploit that could be abused. The results of this test are not shown here for brevity. A complete Instruction Manual to run all tests described in this report is available from the Instructor upon request.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information