AppSecUSA 2015 - Buy ticket at http://2015.appsecusa.org/buy/
 
Friday, September 25 • 11:30am - 12:25pm
The State of Web Application Security in SCADA Web Human Machine Interfaces (HMIs) !


Human Machine Interfaces (HMIs) are a subset of Supervisory Control and Data Acquisition (SCADA) systems. HMIs are control panels that provide interfaces for humans to interact with machines and to manage the operations of various types of SCADA systems. HMIs have direct access to SCADA databases, including critical software programs. The majority of SCADA systems have web-based HMIs that allow humans to control SCADA operations remotely over the Internet.
This talk discusses the insecure development practices followed by SCADA developers while designing web HMIs, practices that lead to inherent application-level vulnerabilities. It digs deeper into the design models of various SCADA systems to highlight security deficiencies in existing SCADA HMI deployments from an application security point of view. Several real-time case studies will be discussed to highlight the state of application security in the field of SCADA. The talk unveils various flavors of vulnerabilities in web-based SCADA HMIs, including but not limited to remote or local file inclusions, insecure authentication through clients, weak and insecure web services, weak cryptographic design, cross-site request forgery, and many others. The research is driven by a motivation to secure SCADA devices and to build more intelligent solutions by hunting vulnerabilities in SCADA HMIs. A number of vulnerabilities will be demonstrated in SCADA web HMIs. In addition, the talk discusses how OWASP standards can be used by SCADA developers as baselines to develop robust SCADA web HMIs that defend against application-layer attacks.

Speakers

Aditya K Sood

Architect - Cloud Threat Labs, Elastica Inc.
Aditya K Sood (Ph.D) works for Elastica as an Architect of Cloud Threat Labs. Dr. Sood has research interests in malware automation and analysis, application security, secure software design and cybercrime. He has worked on a number of projects pertaining to penetration testing specializing in product/appliance security, networks, mobile and web applications while serving Fortune 500 clients for IOActive, KPMG and others. He is also a founder of...


Friday September 25, 2015 11:30am - 12:25pm
Room D