SCADA deep inside: protocols and

security mechanisms
Aleksandr Timorin
!
!
!
!
!
!
!
!
Budapest, 10 - 11 October 2014
# whoami

• SCADA security researcher, main specialisation - industrial protocols

• SCADAStrangeLove team member -> scadasl.org
• speaker at PHDays, Power Of Community, Chaos Communication
Congress (workshop), CONFidence etc.
• @atimorin
• [email protected]

SCADA deep inside: protocols and security mechanisms Hacktivity

2
# whoami

SCADA deep inside: protocols and security mechanisms Hacktivity

3
# agenda

• intro to scada world

• current situation in ICS network security
• overview of industrial protocols
• well-known protocols: profinet, modbus, dnp3, goose
• go to particular:
• IEC 61850-8-1 (MMS)
• IEC 61870-5-101/104
• FTE
• Siemens S7
• how to analyse protocols
• real case
• outro: releases, QA
SCADA deep inside: protocols and security mechanisms Hacktivity
4
# intro to scada world

ICS - Industrial Control System

SCADA - Supervisory Control And Data Acquisition
PLC - Programmable Logic Controller
HMI - Human-Machine Interface
RTU - Remote Telemetry Unit
Sensor, Actuator
!
… and much more
!

SCADA deep inside: protocols and security mechanisms Hacktivity

5
# intro to scada world
many many vendors in the world:
• siemens
• advantech
• citectscada problems in security:
!
• codesys • each vendor - own
• moxa protocol, technology
etc.
• schneider electric • out-of-date: don’t
• rslogics touch if it works!
• general electric • patch management
• wellintech
cycle
!
• sielco sistemi !
• emerson wild wild industrial world
• abb
• advanced micro controls
• ….

SCADA deep inside: protocols and security mechanisms Hacktivity

6
# current situation in ICS network security

absolutely
unbreakable ICS NETWORK
???

SCADA deep inside: protocols and security mechanisms Hacktivity

7
# current situation in ICS network security

NO, because of:

!
➡ typical network devices with default/crappy settings
➡ unpatched, old as dirt, full of junk software [malware] engineering
workstations
➡ wireless AP with WEP (if the best happend)
➡ low physical security
➡ … and
➡ industrial protocols

SCADA deep inside: protocols and security mechanisms Hacktivity

8
# current situation in ICS network security

!
!
➡ typical network devices with default/crappy settings
➡ unpatched, old as dirt, full of junk software [malware] engineering
workstations
➡ wireless AP with WER (if the best happend)
➡ low physical security
➡ … and
➡ industrial protocols

SCADA deep inside: protocols and security mechanisms Hacktivity

9
# current situation in ICS network security

How protocols live in the network ?

!
• full expanse
• not blocked by firewalls/switches
• accessible between LAN segments
• works from data link layer to application layer
• easy to detect
• easy to intercept, analyse, reproduce and reply (but not all ! )

SCADA deep inside: protocols and security mechanisms Hacktivity

10
# overview of industrial protocols
• modbus
• profibus
• profinet
• dnp3
• ethernet/ip
• s5/s7 (siemens protocols family)
• CIP (rockwell automation)
• cc-link (mitsubishi electric factory automation)
• bacnet
• iec 60870, iec 61850, iec 61107
• m-bus
• zigbee
• goose …
iec - international electrotechnical commission
SCADA deep inside: protocols and security mechanisms Hacktivity
11
# overview of industrial protocols

SCADA deep inside: protocols and security mechanisms Hacktivity

12
# modbus

• published by Modicon (now Schneider Electric) in 1979

• widely used for connecting industrial electronic devices
• in XX: through rs-232/rs-485
• in XXI: modbus tcp
• standard port 502/tcp
!

SCADA deep inside: protocols and security mechanisms Hacktivity

13
# modbus

functions:
!
• data access: read/write coils, registers, file records
• diagnostics: device identification
• user defined functions
!
!
!
tools:
!
• wireshark dissector
• plcscan ( https://code.google.com/p/plcscan/ )
• modbus-discover nse (by Alexander Rudakov)
• modbus simulators ()

SCADA deep inside: protocols and security mechanisms Hacktivity

14
# modbus

security ?
• no authentication
• no encryption
• no security
!
transaction id: 2 bytes
protocol id: 2 bytes (always 0)
length: 2 bytes
unit id: 1 byte
function code: 1 byte
data …

SCADA deep inside: protocols and security mechanisms Hacktivity

15
# dnp3

DNP3 Distributed Network Protocol

• first version in 1990
• standartized by IEEE only on 2010
• mainly used in water and electric industry
• master - outstation communication
• tcp/udp standard port 20000
!
tools:
• wireshark dissector
• free implementation https://code.google.com/p/dnp3/
!
security ?
DNP3 Secure Authentication v5. First version in 2007.
Add device and user authentication
Data protection

SCADA deep inside: protocols and security mechanisms Hacktivity

16
# dnp3
dnp3 frame:
• header - 10 bytes
• data - max 282 bytes
!
header:
• sync - 2 bytes
• length -1 byte
• link control - 1 byte
• destination addr - 2 bytes
• source addr - 2 bytes
• crc - 2 bytes
!
each device in network has unique address 1..65520
crc for every 16 bytes of data -> max frame len = 292 bytes
work on iso/osi layers: data link layer, transport layer, application layer

SCADA deep inside: protocols and security mechanisms Hacktivity

17
# profinet dcp

PROFINET family
!
• Profinet CBA/IO/PTCP/DCP
• iec 61158, iec 61784 in 2003
• Ethernet type 0x8892
• exchange data in real-time cycles
• multicast discovery devices and stations
!
security ?
• no encryption
• no authentication
• no security

SCADA deep inside: protocols and security mechanisms Hacktivity

18
# profinet dcp

PROFINET DCP - Discovery and basic Configuration Protocol

!

SCADA deep inside: protocols and security mechanisms Hacktivity

19
# profinet dcp

frame types:
• request 0xfefe
• response 0xfeff
• get/set 0xfefd
!
multicast identify (scapy code):
payload=‘fefe05000401000200800004ffff’.decode(‘hex’)
srp(Ether(type=0x8892, src=smac, dst=’01:0e:cf:00:00:00’)/payload)
!
fefe request
05 service id: identify
00 service type: request
04010002 xid (request id)
0080 delay
0004 data len
ff option: all
ff suboption: all

SCADA deep inside: protocols and security mechanisms Hacktivity

20
# profinet dcp

• main interesting fields for playing is option and suboption

• for example, set/get network info: opt 0x01, subopt 0x02
• led flashing: opt 0x05, subopt 0x03
!
so we can:
• scan profinet supported devices and stations
• change name of station
• change ip, netmask, gateway
• request full network info
• LED flashing: PLC, HMI (simulates that smth wrong with
device)
• and much more

SCADA deep inside: protocols and security mechanisms Hacktivity

21
# profinet dcp

profinet dcp scanner (raw sockets and scapy versions)

!
!
!
!
!
!
!
discover all devices (PC, PLC, HMI) in subnet
!

SCADA deep inside: protocols and security mechanisms Hacktivity

22
# profinet dcp

profinet fuzzer:
fuzz options and sub options on plc siemens s7-1200
!
CVE-2014-2252
“An attacker could cause the device
to go into defect mode if specially
crafted PROFINET packets are sent
to the device. A cold restart is required
to recover the system.”
!
what is “specially crafted profinet packets” ?

SCADA deep inside: protocols and security mechanisms Hacktivity

23
# profinet dcp

CVE-2014-2252
!
just “set” request: set network info with all zero values.
!
ip 0.0.0.0
mask 0.0.0.0
gw 0.0.0.0
!
!
!
!

SCADA deep inside: protocols and security mechanisms Hacktivity

24
# profinet dcp

DEMO: CVE-2014-2252

SCADA deep inside: protocols and security mechanisms Hacktivity

25
# goose

GSE - Generic Substation Events - fast and reliable mechanism for transfer
events data over entire substation networks:
• IEC 61850
• multicast, broadcast mechanism
!
GSE:
• GOOSE: Generic Object Oriented Substations Events
• GSSE: Generic Substation State Events

SCADA deep inside: protocols and security mechanisms Hacktivity

26
# goose

• data as grouped dataset

• transmitted within 4 ms
• works on second layer (Ethernet) of ISO/OSI model
• using publisher-subscriber mechanism -> broadcast, multicast MAC
addresses (publisher ~ sender, subscriber ~ receiver)
• use VLAN (IEEE 802.1Q standard)
• message priority level (by VLAN PCP - Priority Code Point - in TCI field of
packet)
• retransmission mechanism and a message state number (new or
retransmitted)
• brand independent (i.e., IDE - intelligent electronic devices by some
vendors doesn’t require specific cables)

SCADA deep inside: protocols and security mechanisms Hacktivity

27
# goose

Attack scenarios:
• easy to receive multicast or broadcast packets
• easy to analyse, modify and reply packets
• DDoS
• by manipulating the state number in packet we can control the data set
which transmitted in entire network (hijacking of communication channel)
• VLAN hopping
!
Tools:
• wireshark dissector
• easy to create your own scanner or injection tool
• scapy based tool https://github.com/mdehus/goose-IEC61850-scapy

SCADA deep inside: protocols and security mechanisms Hacktivity

28
# IEC 61850-8-1

IEC 61850-8-1 (MMS)

!
!
!
!
!
MMS - Manufacturing Message Specification

SCADA deep inside: protocols and security mechanisms Hacktivity

29
# IEC 61850-8-1
• since 1980
• ISO 9501-1, 2003
• use ISO-TSAP as transport
• standard tcp port 102
!
functions:
• read/write tags, variables, domains (large unstructured data, i.e. program code)
• start/stop/rewrite firmware on PLC
• read/write/del files and directories
!
security ?
• simple methods whitelist
• TLS (in theory, but in practice not supported by vendors and haven’t seen before in products)
!
tools:
• wireshark dissector
• python and nmap identify scripts
• emulator, open source libs

SCADA deep inside: protocols and security mechanisms Hacktivity

30
# IEC 61850-8-1

SCADA deep inside: protocols and security mechanisms Hacktivity

31
# IEC 61850-8-1

~ nmap —script mms-identify.nse —script-args=‘mms-identify.timeout=500’ -p 102 <host>

!
!
!
!
!
!
!
!
!
!
!

SCADA deep inside: protocols and security mechanisms Hacktivity

32
# IEC 61870-5-101/104
IEC 61870-5-101/104
!
mainly for gathering telemetry in electricity distribution and power system automation
!
huge list of functions, depends on vendors implementation:
• read/write tags
• upload/download files
• broadcast connected devices discovery
• time sync
• reset process command
• query log files
• etc.
!
security ?
• no auth, no encryption
• simple ip address whitelist (ip of master devices defined on slaves)

SCADA deep inside: protocols and security mechanisms Hacktivity

33
# IEC 61870-5-101/104

IEC 61870-5-101/104
!
standard tcp port 2404
!
tools:
• simulators: sim104, mrts-ng etc.
• wireshark dissector
• python and nmap identify scripts

SCADA deep inside: protocols and security mechanisms Hacktivity

34
# IEC 61870-5-101/104

SCADA deep inside: protocols and security mechanisms Hacktivity

35
# IEC 61870-5-101/104

~ nmap --script iec-identify.nse --script-args='iec-identify.timeout=500' -p 2404 <host>

!
!
!
!
!
!
!
!
!
!
!

SCADA deep inside: protocols and security mechanisms Hacktivity

36
# FTE

Fault Tolerant Ethernet by Honeywell

!
Provides robust and low-cost technology for industrial networks.

Each FTE-node connected twice to network,

support actual route table and exchanges
route table with other nodes through multicast request.
!
UDP as a transport.
!
Proprietary protocol.

SCADA deep inside: protocols and security mechanisms Hacktivity

37
# FTE

!
attack vectors:
• flood udp ports
• send multicast packets with fake routing table
!
!

multicast packet —>
!
headers:
0x01000810
0x01a01001
send each second

SCADA deep inside: protocols and security mechanisms Hacktivity

38
# FTE
0x23
node index
!

0x433330302023303335
node name (C300 #5)
!

0x44 and 0xca

bytes of packets counter
!

0x32312032
part of firmware version
full: EXP3 10.1-65.57 Sat Dec 06 20:22:33 2008 (Fri Nov 21 20:22:57
2008)
SCADA deep inside: protocols and security mechanisms Hacktivity
39
# Siemens

!
TIA Portal (Totally Intergated Automation Portal)
!
!
TIA - intellectual kernel of more than
100000 products created last 15 years.
!
!
What about users, passwords
and permissions?

SCADA deep inside: protocols and security mechanisms Hacktivity

40
# Siemens

PLC read/write protection for main and critical operations:

CPU start/stop/data change, project upload, firmware update, etc.
!

SCADA deep inside: protocols and security mechanisms Hacktivity

41
# Siemens

TIA Portal PEData.plf passwords history

!
!
!
!
!
!
!
!
!
!
passwords in sha-1
but “helpful” redbox value: password_len * 2 + 1 srsly>? for what???

SCADA deep inside: protocols and security mechanisms Hacktivity

42
# Siemens

After notification Siemens “strengthened” users passwords and switched to

md5…
!

!
!
!
!
!
TIA Portal V12 UPD 3

SCADA deep inside: protocols and security mechanisms Hacktivity

43
# Siemens

s7 password hashes extractor

!

SCADA deep inside: protocols and security mechanisms Hacktivity

44
# Siemens

Improve user rights

!

!
!
!
!
!
!
!
!
!
!
User rights - 2 bytes after second md5 hash: 0x8001 —> 0xFFFF

SCADA deep inside: protocols and security mechanisms Hacktivity

45
# Siemens

SCADA <-> PLC auth scheme:

!
scada -> plc: auth request
scada <- plc: challenge
scada -> plc: response = HMAC(SHA1(password), challenge)
scada <- plc: auth result
!
python scripts (for 1200 and 1500 Siemens S7 PLC) for extracting all
challenge-responses, export to JtR format and simple bruteforce
!
want to crack password? use john the ripper!

SCADA deep inside: protocols and security mechanisms Hacktivity

46
# Siemens

SCADA deep inside: protocols and security mechanisms Hacktivity

47
# Siemens

Bruteforce PLC online!

!
Use powerful THC-Hydra
Tested on S7-300 PLC.
Should work on S7-200, S7-400
!
!
!
~ hydra -F -V -P ./wordlist/500-worst-passwords.txt s7-300://<host>

SCADA deep inside: protocols and security mechanisms Hacktivity

48
# Siemens

SCADA deep inside: protocols and security mechanisms Hacktivity

49
# it’s a cookie time!

PRE-DEMO: plc-ownage

SCADA deep inside: protocols and security mechanisms Hacktivity

50
# it’s a cookie time!

• CVE-2014-2250, CVE-2014-2251
• SSA-654382, SSA-456423
• Affected devices:
• Siemens S7-1200 PLC
• Siemens S7-1500 PLC
• CVSS Base Score: 8.3
!

SCADA deep inside: protocols and security mechanisms Hacktivity

51
# it’s a cookie time!

Tested on S7-1200 CPU 1212C, firmware V 2.2.0

!

SCADA deep inside: protocols and security mechanisms Hacktivity

52
# it’s a cookie time!
PmzR9733Q8rG3LpwjCGZT9N/ocMAAQABAAKK1woAqsgAAAAAAAAAAIrXIUM=

!
uLiHXZUTy2GMgjr1KmgmcNN/ocMAAQACAAKK1woAqsgAAAAAAAAAAIrXIUM=

!
Mu/vgiIgtrxq0LVp26nkMtN/ocMAAQADAAKK1woAqsgAAAAAAAAAAIrXIUM=

!
tjH6vtNWCfa+QZHPDtCnKdN/ocMAAgADAAKK1woAqsgAAAAAAAAAAIrXIUM=

!
!
!
!
3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143

!
b8b8875d9513cb618c823af52a682670d37fa1c30001000200028ad70a00aac800000000000000008ad72143

!
32efef822220b6bc6ad0b569dba9e432d37fa1c30001000300028ad70a00aac800000000000000008ad72143

!
b631fabed35609f6be4191cf0ed0a729d37fa1c30002000300028ad70a00aac800000000000000008ad72143

SCADA deep inside: protocols and security mechanisms Hacktivity

53
# it’s a cookie time!
3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143

!
!
3e6cd1f7bdf743cac6dcba708c21994f

d37fa1c30001000100028ad70a00aac800000000000000008ad72143

!
!
3e6cd1f7bdf743cac6dcba708c21994f - ?

d37fa1c3 - ?

0001 - ?

0001 - ?

00028ad7 - ?

0a00aac8 - ?

00000000000000008ad72143 - ?

SCADA deep inside: protocols and security mechanisms Hacktivity

54
# it’s a cookie time!

3e6cd1f7bdf743cac6dcba708c21994f MD5 of ? (16 bytes)

d37fa1c3 CONST (4 bytes)

0001 user logout counter (2 bytes)

0001 counter of issued cookies for this user (2 bytes)

00028ad7 value that doesn’t matter (4 bytes)

0a00aac8 user IP address (10.0.170.200) (4 bytes)

00000000000000008ad72143 value that doesn’t matter (12 bytes)

!
!
!
So, what about 3e6cd1f7bdf743cac6dcba708c21994f ???

SCADA deep inside: protocols and security mechanisms Hacktivity

55
# it’s a cookie time!

!
3e6cd1f7bdf743cac6dcba708c21994fd37fa1c30001000100028ad70a00aac800000000000000008ad72143

!
!
3e6cd1f7bdf743cac6dcba708c21994f

!
!
MD5( NEXT 26 BYTES OF COOKIE + 16BYTES OF SECRET + 2 NULL BYTES)

!
!

What is SECRET ?

SCADA deep inside: protocols and security mechanisms Hacktivity

56
# it’s a cookie time!
SECRET generates after PLC start by ~PRNG.

!
PRNG is a little bit harder than standard C PRNG.

!
SEED in {0x0000 , 0xFFFF}

!
!
!
!
!
!
!
!
It’s too much for bruteforce (PLC so tender >_<)

SCADA deep inside: protocols and security mechanisms Hacktivity

57
# it’s a cookie time!

What about SEED ?

SEED very often depends on time value

!
SEED = PLC START TIME + 320

!
320 by practical way: secret generates after ~ 3-4 seconds of PLC start using current time

!
!
How to obtain PLC START TIME ?

!
!
!
PLC START TIME = CURRENT TIME – UPTIME

SCADA deep inside: protocols and security mechanisms Hacktivity

58
# it’s a cookie time!

Current time via web interface

!
!
!
!
!
!
!
!
Uptime via SNMP with hardcoded read

community string “public”

SCADA deep inside: protocols and security mechanisms Hacktivity

59
# it’s a cookie time!

!
!
!
* 100 - calculation lapse

!
!
!
!
To generate cookie we should brute:

• logout number (2 bytes, max 65535)

• number of issued cookies (2 bytes, max 65535)

• seed value (2 bytes, but max 100)

!
!
Still too many values to bruteforce …

SCADA deep inside: protocols and security mechanisms Hacktivity

60
# it’s a cookie time!

But if user (admin) not logged out properly then after 7 logins it is not possible to login again

!
We should restart PLC or wait 30 minutes (cookie expire time)

!
!
!
!
!
!
!
!
We can minimize logout and issued cookies counters to 7

To generate cookie we should brute:

• logout number (2 bytes, max 7)

• number of issued cookies (2 bytes, max 7)

• seed value (2 bytes, but max 100)

SCADA deep inside: protocols and security mechanisms Hacktivity

61
# it’s a cookie time!

SCADA deep inside: protocols and security mechanisms Hacktivity

62
# it’s a cookie time!

Exploitation dependences:

!
• >= 1 success logins to PLC after last restart

• SNMP enabled

!
BUT IT DOES NOT NEED LOGIN AND PASSWORD !!!

!
CVE Timeline:

!
• End of July 2013 – vulnerability discovered

• 5 August 2013 – vendor notified

• 20 March 2014 – patch released, first public advisory

SCADA deep inside: protocols and security mechanisms Hacktivity

63
# heartbleed

• a lot of software, devices etc. of popular vendors affected

• it’ll be long long story (because of patch management and devices with
lifecycle ~10-15 yers)
• check https://ics-cert.us-cert.gov/advisories for openssl vulns
!
Siemens also vulnerable (ICSA-14-105-03B):
• eLAN-8.2 eLAN prior to 8.3.3
• WinCC OA only V3.12
• S7-1500 V1.5
• CP1543-1 V1.1
• APE 2.0
!
!
!
DEMO: winccoa-heartbleed

SCADA deep inside: protocols and security mechanisms Hacktivity

64
# S7 protocol
!

Standard port 102/TCP

!
By Siemens terms it is ISO-on-TCP (RFC 1006) based communication
protocol
SCADA deep inside: protocols and security mechanisms Hacktivity
65
# S7 protocol

Materials:
!
• “Exploiting Siemens Simatic S7 PLCs” by Dillon Beresford
• wireshark dissector
• libnodave - free communication library
• snap7 - open source communication suite
• plcscan

SCADA deep inside: protocols and security mechanisms Hacktivity

66
# S7 protocol

• based on iso-tcp -> block oriented protocol

• block - PDU (Protocol Data Unit)
• functions and commands oriented -> each frame contains function request
or reply to it
!
S7 commands:
• plc start/stop cpu
• firmware update
• read/write data (blocks, tags)
• system info
• authentication
• etc…

SCADA deep inside: protocols and security mechanisms Hacktivity

67
# S7 protocol

History of S7:
• S5 Communication
(FETCH/WRITE, Sinec H1)
• S7 Communication
• “Another” S7 Communication
!
Simply “another” S7 looks like:
!
!
TCP : HEADER | ISO TCP
!
ISO TCP: TPKT | COTP | S7 PDU

SCADA deep inside: protocols and security mechanisms Hacktivity

68
# S7 protocol

• For old versions:

wireshark dissectors, libraries, simulators.
!
• Because we know all about that versions of protocol.
!
• But we know next to nothing about “another” S7.
!

SCADA deep inside: protocols and security mechanisms Hacktivity

69
# S7 protocol

Find your target:

• S7 200/300/400 family
!

SCADA deep inside: protocols and security mechanisms Hacktivity

70
# S7 protocol

Find your target:

• S7 1200/1500 family
!

SCADA deep inside: protocols and security mechanisms Hacktivity

71
# How to analyse protocols

SCADA deep inside: protocols and security mechanisms Hacktivity

72
# How to analyse protocols

How to analyse protocols ?

!

!
Rob Savoye, FOSDEM 2009
“Reverse engineering of proprietary
protocols, tools and techniques”
!

“Believe it or not, if you stare at the hex dumps long enough, you
start to see the patterns”
!
!
!

SCADA deep inside: protocols and security mechanisms Hacktivity

73
# How to analyse protocols

SCADA deep inside: protocols and security mechanisms Hacktivity

74
# How to analyse protocols
show_byte_sequences.py
!
!
!
!
!
!
!
!
!
!
!
!
!
!

SCADA deep inside: protocols and security mechanisms Hacktivity

75
# How to analyse protocols
s7-show-payloads.py
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

SCADA deep inside: protocols and security mechanisms Hacktivity

76
# How to analyse protocols
s7-packet-structure.py
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

SCADA deep inside: protocols and security mechanisms Hacktivity

77
# How to analyse protocols

Use your knowledge about protocols:

!
• it’s a universal and complex approach
• you can:
• detect devices and their protocols
• monitor state, commands, exchanging data
• inject, modify, reply packets in real-time
!
!
Because most of them INSECURE BY DESIGN
!
real example?

SCADA deep inside: protocols and security mechanisms Hacktivity

78
# real case
Energetic turbine
!

!
!
!
!
!
!
!
!
!
!
Simple UDP packet that set “speed” of turbine to 57 (min=0, max=100)
SCADA deep inside: protocols and security mechanisms Hacktivity
79
# real case

What will happen if you send another packet, another value?

!

SCADA deep inside: protocols and security mechanisms Hacktivity

80
# real case

Yes, you’re right

!

SCADA deep inside: protocols and security mechanisms Hacktivity

81
# outro

all scripts, tools -> https://github.com/atimorin/scada-tools

!
!
greetz to:
@scadasl
@repdet
@GiftsUngiven
Dmitry Sklyarov
!
!
!
!
QA ?

SCADA deep inside: protocols and security mechanisms Hacktivity

82
#
Thank you!
!

SCADASTRANGELOVE
!

PEACE IS OUR PROFESSION

!
!
!
!
!
!
!
!
!
!
@atimorin
[email protected]
!

SCADA deep inside: protocols and security mechanisms Hacktivity

83