Fadli B. Sidek

Security Specialist at Codenomicon Ltd

Fadli is a Cyber Security enthusiast and works as a Security Specialist with Codenomicon Ltd. His experience include performing vulnerability assessments and penetration testing to clients in the AMEA region. He graduated from Murdoch University, Australia with a Double Majors Degree in Cyber Forensics, Information Security Management and Business Information System. He has over 9 years of experience in IT and Security and has written and published security articles in Pentestmag and Hakin9 and has spoken at many security conferences in Singapore, India, UAE and recently in Las Vegas.

Presentation: Vulnerability Assessments on SCADA Networks: Outsmarting the Smart Grid.

SCADA assessments has been on the news and the talk of the town since 2005. While there are many talks and demonstrations about how to penetrate and exploit SCADA systems, little discussions about the pre-exploitation phase were being shared and discussed. I’m talking of course about the Vulnerability Scanning phase.

Some may have performed such Vulnerability Assessment before and many are curious as to how to start it in the first place. Questions like, what are the methodologies used in performing an assessment on SCADA systems? What information is required before we click the ‘Start Scan Now’ button? What plugins should be used? And does my scans guarantee that these ultra sensitive systems will not go down?

This talk is to share my personal experience and challenges faced during a SCADA assessment engagement. While i had no previous experience and only theoretical knowledge i gathered from the internet, i had to swallow it all and apply it during the engagement. Flying from Singapore to the Middle East just to perform the assessment, language is a barrier in terms of communication. But what if you were there in a situation where there were no policies, no security engineers or administrators, no proper documentations and worse, no one knows what they have and you were there to find them all and do the VA? This talk will also share how i accidentally brought down all the SCADA workstations in one site and how i could easily owned the systems with my findings. This talk will also share the lessons learned and how to develop a proper methodology and process in performing vulnerability assessment on a network of SCADA systems.

Presentation @DefCamp 2014