AppSecUSA 2015

Human Machine Interfaces (HMIs) are the subsets of the Supervisory Control and Data Acquisition (SCADA) systems. HMIs are control panels that provide interfaces for humans to interact with machines and to manage operations of various types of SCADA systems. HMIs have direct access to SCADA databases including critical software programs. The majority of SCADA systems have web-based HMIs that allow the humans to control the SCADA operations remotely through Internet.
This talk discusses the insecure development practices followed by SCADA developers while designing web HMIs that lead to inherent application level vulnerabilities. This talk digs deeper into the design models of various SCADA systems to highlight security deficiencies in the existing SCADA HMI deployments from application security point of view. In this talk, several real time case studies will be discussed to highlight the state of application security in the field of SCADA. This talk unveils various flavors of vulnerabilities in web-based SCADA HMIs including but not limited to remote or local file inclusions, insecure authentication through clients, weak, insecure web-services, weak cryptographic design, cross-site request forgery, and many others. The research is driven with a motivation to secure SCADA devices and to build more intelligent solutions by hunting vulnerabilities in SCADA HMIs. A number of vulnerabilities will be demonstrated in SCADA web HMIs. In addition, this talk also discusses how OWASP standards can be used by SCADA developers as baselines to develop robust SCADA web HMIs to defend application layer attacks