Vulnerability Assessments on SCADA: How i 'owned' the Power Grid.

BSidesLV 2014

Presented by: Fadli B. Sidek
Date: Tuesday August 05, 2014
Time: 15:00 - 15:50
Location: Common Ground

Critical Infrastructure security has been on the news and the talk of the town since 2005. While there are many talks and demonstrations about how to penetrate and exploit SCADA systems, little discussions about the pre-exploitation phase were shared and discussed. I'm talking of course about the Vulnerability Assessment phase. Some may have performed such assessment before and many are curious as to how to start it in the first place. Questions like, what are the methodologies used in performing an assessment on SCADA networks? What information is required before we click the 'Start Scan Now' button? What plugins should be used? And do my scans guarantee that these ultra sensitive systems will not go down? And which approach (automatic or manual) should be used in which situation. This talk is to share my personal experience and challenges faced during a SCADA assessment. I will also give an overview of a typical SCADA environment, the tools used for the assessment, the type of vulnerabilities found and how easy it is for an attacker to potentially 'own' the Power Grid and why the US is vulnerable.

Fadli B. Sidek

Security Consultant, BT Global Services A security consultant by day and a bookworm by night, Fadli works at BT as a penetration tester and has a huge passion in security. He graduated from Murdoch University, Australia with a Double Majors Degree in Cyber Forensics, Information Security Management. He has over 8 years of experience in IT and Security and has written and published security articles in Pentestmag and Hakin9. Besides writing articles, he also took part in CTF competitions and won the Cyber Readiness Challenge (2013) organized by Symantec in Cloud Asia Expo, Singapore. Recently he was given an honorable mention for his participation in the SANS Holiday Hack Challenge 2014. He has spoken in security seminars and recently in Defcon Kerala, India.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats