
Title: Industrial control security penetration


Industrial control security penetration

Structure and scenarios of industrial control systems

Industrial control system scenario: a brewery

Beer factory layout

Monitoring Control Room

Production line equipment


Structure of an industrial control system

Sensors and actuators

Programmable logic controller (PLC)

Industrial network and fieldbus

Industrial PC and industrial configuration (HMI/SCADA) software

Application scenarios of industrial control systems

Process automation control system

Used in process industries such as petroleum, chemicals, pharmaceuticals, metallurgy and water treatment.

Corresponding control systems: mainly DCS (distributed control systems) and large PLCs; a single controller usually has more than 2,000 I/O points (sensors and actuators) and a fully redundant architecture.

Factory automation control system

Used in discrete industries such as automotive, ports and tobacco.

Corresponding control system: mainly PLC-based and bundled with the equipment; a single controller has fewer than 2,000 I/O points and runs as a standalone unit.

Industrial control system vendors and products

Siemens: control system family

S7-1500 control system

S7-1200 control system

S7-300/400 control system

S7-WinAC control system (PC-based software PLC, mostly used in university research)

Siemens: configuration and engineering software family

TIA Portal / Step 7 (programming)

WinCC configuration and monitoring software (HMI/SCADA monitoring)

PLCSIM simulation software (simulation before commissioning)

Siemens: communication protocol and port

S7comm protocol (proprietary protocol)

Communication port: 102 (ISO-TSAP over TCP)

Rockwell Automation: control system family

ControlLogix control system

CompactLogix control system

MicroLogix control system

SoftLogix control system

Rockwell Automation: configuration and engineering software family

Studio 5000 / RSLogix 5000 programming software

FactoryTalk View SE configuration and monitoring software

Emulate simulation software (software PLC emulator)

Rockwell Automation: communication protocol and ports

EtherNet/IP (open, publicly documented protocol)

Communication ports: 44818 (TCP/UDP, explicit messaging) and 2222 (UDP, implicit I/O)

Vulnerability analysis of industrial control systems

Industrial control protocol vulnerabilities

The industrial control protocols in use lack identity authentication

The industrial control protocols in use lack authorization mechanisms

The industrial control protocols in use lack encryption protection

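The three protocol weaknesses above (no authentication, no authorization, no encryption) mean that any host that can reach TCP/102 can issue S7comm read, write, download and stop requests, and nothing in the protocol tells the PLC whether the sender is the engineering workstation. A practical defensive response is passive monitoring: parse the S7comm PDUs on the wire and alert when a state-changing job (write variable, PLC control/stop, program download) comes from a host that is not on the engineering allowlist. The following Python is an added example for this page, not code from the original post or from Siemens; it follows the public S7comm layout (TPKT, COTP, S7 header, parameter block) as documented in the Wireshark dissector. The sample packets and the engineering-host allowlist are constructed for the example.

```python
"""Passive S7comm classifier for TCP/102 traffic (added example, constructed data)."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# S7 header ROSCTR (message type) values.
ROSCTR = {0x01: "job", 0x02: "ack", 0x03: "ack_data", 0x07: "userdata"}

# Function codes found in the first parameter byte of a Job / Ack_Data PDU.
FUNCTIONS = {
    0xF0: "setup_communication", 0x04: "read_var", 0x05: "write_var",
    0x1A: "request_download", 0x1B: "download_block", 0x1C: "download_ended",
    0x1D: "start_upload", 0x1E: "upload", 0x1F: "end_upload",
    0x28: "plc_control", 0x29: "plc_stop",
}

# Jobs that change PLC state or program; reads and uploads are left out.
STATE_CHANGING = {"write_var", "plc_control", "plc_stop",
                  "request_download", "download_block", "download_ended"}


@dataclass
class S7Message:
    rosctr: str
    pdu_ref: int
    function: Optional[str]
    param_len: int
    data_len: int
    error: Optional[Tuple[int, int]]   # (error class, error code) for ack / ack_data


def parse_s7(packet: bytes) -> Optional[S7Message]:
    """Parse TPKT + COTP + S7comm; return None for anything that is not an S7 data PDU."""
    # TPKT: version 3, reserved 0, 16-bit total length.
    if len(packet) < 7 or packet[0] != 0x03 or packet[1] != 0x00:
        return None
    tpkt_len = struct.unpack("!H", packet[2:4])[0]
    if tpkt_len != len(packet):
        return None                      # truncated or trailing bytes: do not guess
    cotp_len = packet[4]                 # COTP length indicator (excludes itself)
    if packet[5] & 0xF0 != 0xF0:
        return None                      # connection request/confirm, no S7 payload
    s7 = packet[5 + cotp_len:]
    if len(s7) < 10 or s7[0] != 0x32:   # S7comm protocol id
        return None
    rosctr_code = s7[1]
    pdu_ref, param_len, data_len = struct.unpack("!HHH", s7[4:10])
    header_len, error = 10, None
    if rosctr_code in (0x02, 0x03):     # ack / ack_data carry error class + code
        if len(s7) < 12:
            return None
        error, header_len = (s7[10], s7[11]), 12
    param = s7[header_len:header_len + param_len]
    if len(param) != param_len:
        return None
    function = None
    if rosctr_code in (0x01, 0x03) and param_len >= 1:
        function = FUNCTIONS.get(param[0], "unknown_0x%02x" % param[0])
    return S7Message(ROSCTR.get(rosctr_code, "unknown_0x%02x" % rosctr_code),
                     pdu_ref, function, param_len, data_len, error)


def classify(src_ip: str, packet: bytes, engineering_hosts: set) -> Optional[str]:
    """Return an alert line for a state-changing job from a non-allowlisted host, else None."""
    msg = parse_s7(packet)
    if msg is None or msg.rosctr != "job":
        return None
    if msg.function in STATE_CHANGING and src_ip not in engineering_hosts:
        return "ALERT %s sent S7 %s (pdu_ref=%d) from outside the engineering allowlist" % (
            src_ip, msg.function, msg.pdu_ref)
    return None


# Constructed sample PDUs (hex), not captured from a real plant.
READ_VAR_JOB = bytes.fromhex(
    "0300001f 02f080 32010000000100 0e0000 0401 120a1002000100018400 0000")
PLC_STOP_JOB = bytes.fromhex(
    "03000021 02f080 32010000000200 100000 29 0000000000 09 505f50524f4752414d")
READ_VAR_ACK = bytes.fromhex(
    "0300001a 02f080 3203000000010002000500 00 0401 ff0400082a")
COTP_CONNECT_REQUEST = bytes.fromhex(
    "03000016 11e0 0000 0001 00 c0010a c1020100 c2020102")

# Hypothetical allowlist: the one engineering workstation allowed to change PLC state.
ENGINEERING_HOSTS = {"10.0.0.10"}

if __name__ == "__main__":
    for src, pkt in [("10.0.0.10", PLC_STOP_JOB), ("10.0.0.50", PLC_STOP_JOB),
                     ("10.0.0.50", READ_VAR_JOB), ("10.0.0.50", COTP_CONNECT_REQUEST)]:
        print(src, parse_s7(pkt), classify(src, pkt, ENGINEERING_HOSTS))
```

Feed `classify` with the source IP and TCP payload of each segment to port 102 (for example from a span-port capture); the allowlist, not the protocol, is what supplies the missing authentication and authorization checks. Reads are deliberately not alerted on, so the rule stays quiet for normal HMI polling.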

PLC code logic vulnerabilities

Computational logic vulnerabilities

Watchdog timeout vulnerabilities

Buffer overflow vulnerabilities

Industrial Ethernet link-layer vulnerabilities

MAC flooding attack

ARP spoofing / man-in-the-middle attack

Ring network protocol attack

VLAN hopping attack

Switch web-management interface vulnerability attack

Host security vulnerabilities

Firewall disabled

No antivirus software installed

No USB port access control

Vulnerabilities in Windows itself

SMB v1.0 on port 445

RDP on port 3389

AD domain attacks

DNS poisoning attacks

Configuration (HMI/SCADA) software vulnerabilities

DoS (denial of service) attack

Buffer overflow vulnerabilities

Unauthorized access to COM service components

SQL injection in the backing database

Physical security vulnerabilities

Equipment location not protected

Server room cabinets not locked

Network ports not hardened

Controller key switch not removed

Single power supply path

Incomplete grounding system

Use of industrial control system penetration tools

Demo scenario

nmap fingerprint scanning

nmap -p <port> --script <scada-protocol-script> <ip-address>

Reference: https://github.com/jianshting/NMAP-NSE-SCADA
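On the defensive side, the same nmap scan is the quickest way to build an asset inventory of which hosts speak which control protocol, using the vendor port table earlier in this post (Siemens S7comm on TCP/102, Rockwell EtherNet/IP on 44818 and UDP 2222) and the exposed Windows services from the host-vulnerability section. The Python below is an added example for this page, not code from the original post or from the NMAP-NSE-SCADA project; it reads the XML that `nmap -oX` writes. The embedded XML is constructed sample output, and the role labels ("controller", "windows host") are this example's own convention.

```python
"""ICS asset inventory from nmap XML output (added example, constructed sample data)."""
import xml.etree.ElementTree as ET

# Port table from the vendor section of the post.
ICS_PORTS = {
    ("tcp", 102): "Siemens S7comm (ISO-TSAP)",
    ("tcp", 44818): "Rockwell EtherNet/IP explicit messaging",
    ("udp", 44818): "Rockwell EtherNet/IP explicit messaging",
    ("udp", 2222): "Rockwell EtherNet/IP implicit I/O",
}
# Windows services the host-vulnerability section lists as exposure points.
HOST_PORTS = {
    ("tcp", 445): "SMB exposed (verify SMBv1 is disabled)",
    ("tcp", 3389): "RDP exposed",
}

# Constructed nmap -oX output: one Siemens PLC, one Rockwell controller,
# one Windows engineering host and one host that was down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml 192.168.10.0/24">
  <host><status state="up"/><address addr="192.168.10.21" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="102"><state state="open"/><service name="iso-tsap"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.10.31" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="44818"><state state="open"/><service name="EtherNetIP-2"/></port>
      <port protocol="udp" portid="2222"><state state="open|filtered"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.10.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.168.10.99" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: [(protocol, port, state), ...]} for every host reported as up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None:
                continue
            ports.append((port.get("protocol"), int(port.get("portid")), state.get("state")))
        hosts[addr.get("addr")] = ports
    return hosts


def is_reachable(protocol, state):
    # UDP services often show as open|filtered; treat that as reachable for inventory purposes.
    return state == "open" or (protocol == "udp" and state == "open|filtered")


def build_inventory(xml_text):
    """Classify each live host and list the control protocols and Windows exposures it offers."""
    inventory = []
    for ip, ports in parse_nmap_xml(xml_text).items():
        protocols, exposures = set(), []
        for protocol, port, state in ports:
            if not is_reachable(protocol, state):
                continue
            key = (protocol, port)
            if key in ICS_PORTS:
                protocols.add(ICS_PORTS[key])
            elif key in HOST_PORTS:
                exposures.append(HOST_PORTS[key])
        role = "controller" if protocols else ("windows host" if exposures else "unclassified")
        inventory.append({"ip": ip, "role": role,
                          "protocols": sorted(protocols), "exposures": exposures})
    return inventory


if __name__ == "__main__":
    for asset in build_inventory(SAMPLE_NMAP_XML):
        print(asset)
```

Run the scan with `-oX` and pass the file contents to `build_inventory`; the result is the list of controllers that should sit behind a zone firewall and the Windows hosts whose SMB/RDP exposure the host-security section says to close. Hosts reported as down are dropped, and closed ports never count as an exposure.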

Yersinia: layer-2 network attacks

yersinia -G

Reference: https://github.com/tomcat/yersinia

Snap7: protocol-layer attacks

s7 Client.exe (Snap7 demo client)

MSF: host attacks and post-exploitation

Penetration and control of PC hosts (same as traditional intranet penetration)

ISF: industrial control penetration tool

Open-source industrial control penetration framework

Reference: https://github.com/dark-lbp/isf

Industrial control system security defense

Zone boundaries

Industrial firewalls, zone firewalls, security isolation gateways (network gaps)

Network security

Shut down unused switch ports, change the native VLAN, disable CDP/LLDP, encrypt handshake packets

Host security

Antivirus software, host firewall, security baseline, USB port access control, application whitelisting

Controller security

Protocol encryption, access control, identity authentication

Physical security

Grounding safety, dual power supplies, locked electrical cabinets
