SCADA Security Presentation

ECSA Lecture – 15.06.2006 Cyber threats to critical infrastructures. A summary on emerging contemporary national threats.

Transcript of SCADA Security Presentation

Page 1: SCADA Security Presentation

ECSA Lecture – 15.06.2006

Cyber threats to critical infrastructures.

A summary on emerging contemporary national threats.

Page 2: SCADA Security Presentation

About.

CYBER THREATS TO CRITICAL INFRASTRUCTURES

Filip MAERTENS

Partner Uniskill, Audit & Assessment Services

CISA, CISSP

[email protected]

Page 3: SCADA Security Presentation

Agenda.

• The Fear Factor

• What are the components ?

• Emerging threats and vulnerabilities

• Risk mitigating practices

Page 4: SCADA Security Presentation

The Fear Factor.

• Chevron (1992). A disgruntled employee sabotaged the emergency alert system, leaving it disabled in 22 states.

• Worcester Airport (1997). An external hacker shut down the air and ground traffic communication system for six hours.

• Gazprom (1998). Foreign hackers, using a trojan horse, seized control of the central system that controls gas flow in Gazprom’s pipelines.

• Queensland, Australia (2000). A disgruntled former contractor employee hacked into the Maroochy Shire sewage control system and released around a million litres of raw sewage into waterways and coastal waters.

Page 5: SCADA Security Presentation

The Fear Factor. (cont’d)

• Venezuela Port (2002). Hackers disabled PLC components during national unrest and a general workers’ strike, shutting down the country’s main port.

• Ohio Davis-Besse Nuclear Plant (2003). The plant’s safety parameter display system was disabled by the Slammer worm for nearly five hours.

• Israel Electric Corporation (2003). Cyber attacks originating from Iran penetrated IEC, but failed to shut down the power grid using DoS attacks.

• DaimlerChrysler (2005). 13 U.S. manufacturing plants were shut down by multiple Internet worm infections (Zotob, RBot, IRCBot).

Page 6: SCADA Security Presentation

Some first hand experiences.

• International Energy Company (2005). A malware-infected HMI system disabled the emergency stop of equipment under heavy weather conditions.

• Middle East Sea Port (2006). Intrusion test gone wrong : ARP spoofing attacks shut down the port signalling system.

• International Petrochemical Company (2006). Extremist propaganda was found together with text files containing usernames & passwords of control systems.

Page 7: SCADA Security Presentation

False stories. Yet…

• U.S. East Coast blackout (2003). A worm did not cause the blackout, yet the Blaster worm was circulating at the time and had infected systems involved in the large-scale power blackout.

• Al Qaeda plans worldwide attacks on SCADA technology (2003). Computers and manuals seized in Al Qaeda training camps did contain information on dams and related infrastructures, yet there is no clear evidence of attacks in the near future.

• “Beware. Cyber terrorism is near !” (2003). IDC research publications appear to be based on strong coffee rather than factual research ?

Page 8: SCADA Security Presentation

The US Blackout in pictures.

Page 9: SCADA Security Presentation

So far, so good ?

• No human beings are known to have been killed by cyber attacks :

– Dorothy Denning : “Unless people are injured, there is less drama and emotional appeal”

• Operations personnel are highly trained for emergencies :

– Safety is paramount. But do we know how to respond to cyber attacks ?

• Cyber terrorism does not scare the public as much as 9/11-type attacks :

– Large-scale ignorance : the general public remains oblivious to cyber threats to our critical infrastructure components

Page 10: SCADA Security Presentation

Agenda.

• The Fear Factor

• What are the components ?

• Emerging threats and vulnerabilities

• Risk mitigating practices

Page 11: SCADA Security Presentation

The NCI playground.

• National Critical Infrastructures (NCI) include, amongst others, the following sectors :

– Energy, Communications, Emergency Services, Finance, Government & Public Services, Water, Transportation, Food, Health Services and Public Safety

• These industries use Supervisory Control and Data Acquisition (SCADA) systems to monitor and control industrial processes through the collection and analysis of real-time data.

• National infrastructures depend on SCADA technologies / systems !

Page 12: SCADA Security Presentation

Reliance on SCADA.

• Advances in control systems require fewer manual / operator interventions and allow more automated control.

• Master station software analyses more internally and presents less to the operator.

• HMI / operator software must meet stringent safety requirements in some markets, but there are no specific requirements on security.

Page 13: SCADA Security Presentation

How does SCADA affect me ?

• SCADA is a wide and generic term for the whole of the industrial control and monitoring systems that :

– Provide power to your home

– Bring water into your life

– Control the traffic lights on the way to your office

– Control the commuter train you are on every day

– Handle the air conditioning in your office

– Allow you to call your wife to tell her you’ll be late

• I’d say it pretty much affects every one of us, wouldn’t you ?

Page 14: SCADA Security Presentation

The SCADA components.

• Multi-tier SCADA terminology crash course :

– Control endpoints, such as Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC), that measure voltages, adjust valves, flip switches, …

– Human Machine Interface or HMI (often Windows-based GUIs)

– Intermediate control systems (based on commercial third-party OSs)

• Extensive use of open networking and data communication standards, such as MODBUS, Distributed Network Protocol (DNP) and Utility Communication Architecture (UCA).

– Wide variety of communication carriers : serial, wireless, radio, analogue, …

– Raw data transmission protocols, e.g. MODBUS, DNP3, …

• designed for serial / radio links, but now tunnelled over TCP/IP to read alerts and send commands

– High-level data protocols, e.g. ICCP, OPC / DCOM, …

• designed to provide information to humans and take commands

Page 15: SCADA Security Presentation

The SCADA components. (cont’d)

• Building blocks of SCADA :

– Operating & monitoring systems

• open systems (Microsoft, Linux, Solaris, …)

• operating system vulnerabilities (e.g. as published on vuln-dev, Bugtraq, Full-Disclosure, …)

– Communication network

• Ethernet, fibre or wireless TCP/IP-based transmissions

• TCP/IP vulnerabilities (e.g. ARP spoofing, predictable TCP ISN generation, …)

• OPC / DCOM / ICCP / MODBUS / UCA / DNP3 / … vulnerabilities

– Instrumentation & industrial systems

• no authentication, …
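
Added example (Python, written for this edit ; it is not code from the presentation, from Uniskill or from any vendor) : the MODBUS/TCP request format the slides above refer to, encoded and decoded, followed by a deny-by-default filter of the kind the later mitigation slides call “specialised firewall technology”. The MBAP header carries a transaction id, protocol id, length and unit id and nothing else, which is the “no authentication” point made concrete : the only thing a filter can key on is the source address and the function code. The addresses 10.10.1.x, unit id 3 and register 16 are made up for the demonstration.

```python
"""Modbus/TCP request encoder/decoder and a deny-by-default write filter.

Added example, not from the presentation. Addresses, unit ids and the
master/reader lists are made up for the demonstration.
"""
import struct
from dataclasses import dataclass

# Public function codes grouped by their effect on the slave (PLC/RTU).
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04, 0x14, 0x18}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x15, 0x16, 0x17}
DIAGNOSTIC_FUNCTIONS = {0x07, 0x08, 0x0B, 0x0C, 0x11, 0x2B}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def encode_request(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU.
    Note what is absent: no sender identity, no MAC, no signature."""
    pdu = bytes([function]) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    """FC 0x06: anyone who can reach the slave can change a register with this."""
    return encode_request(transaction_id, unit_id, 0x06, struct.pack(">HH", address, value))


def read_holding_registers(transaction_id: int, unit_id: int, address: int, count: int) -> bytes:
    """FC 0x03: read-only polling, what an HMI or historian normally does."""
    return encode_request(transaction_id, unit_id, 0x03, struct.pack(">HH", address, count))


def decode_request(frame: bytes) -> ModbusRequest:
    """Parse and sanity-check a request; raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame length")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def policy_verdict(src_ip: str, frame: bytes, masters: set, readers: set) -> tuple:
    """Deny-by-default rule set for a Modbus-aware filter placed between the
    HMI/LAN segment and the controller segment. Returns (verdict, reason)."""
    try:
        req = decode_request(frame)
    except ValueError as exc:
        return ("deny", f"malformed request: {exc}")
    if req.unit_id == 0:
        # Unit id 0 is the serial broadcast address; a Modbus/TCP gateway
        # would forward the command to every slave behind it.
        return ("deny", "broadcast unit id 0")
    if req.function in WRITE_FUNCTIONS:
        if src_ip in masters:
            return ("allow", f"write FC 0x{req.function:02X} from authorised master {src_ip}")
        return ("deny", f"write FC 0x{req.function:02X} from {src_ip}, not an authorised master")
    if req.function in DIAGNOSTIC_FUNCTIONS:
        # FC 0x08 sub-functions include 'restart communications' and counter resets.
        return ("deny", f"diagnostic FC 0x{req.function:02X} from {src_ip}")
    if req.function in READ_FUNCTIONS:
        if src_ip in masters or src_ip in readers:
            return ("allow", f"read FC 0x{req.function:02X} from {src_ip}")
        return ("deny", f"read FC 0x{req.function:02X} from unknown host {src_ip}")
    return ("deny", f"unexpected function code 0x{req.function:02X}")


if __name__ == "__main__":
    masters, readers = {"10.10.1.10"}, {"10.10.1.20"}     # made-up control-room hosts
    frame = write_single_register(1, 3, 0x0010, 0x0001)   # set register 16 on unit 3 to 1
    print(frame.hex())
    for src in ("10.10.1.10", "10.10.1.20", "10.10.1.99"):
        print(src, policy_verdict(src, frame, masters, readers))
```

The same twelve bytes are accepted from the master and refused from the HMI and from an unknown host ; nothing in the frame distinguishes the three senders, so the source address is the whole of the “identity” a filter on this protocol can enforce, which is why the mitigation slides pair it with network segmentation.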

Page 16: SCADA Security Presentation

Sample SCADA components.

(Diagram : OPC, ICCP and DNP3 components around the HMI ; only the labels survive in this transcript.)

• OPC : optimised for making it easy to program HMI applications

• DNP3 : optimised for collecting data from simple devices

• ICCP : optimised for passing bulk data to other systems, e.g. databases, trading or other systems

• HMI : presenting data and pushing commands. Where is your human located ?

Page 17: SCADA Security Presentation

A simple network overview.

Page 18: SCADA Security Presentation

Some visuals.

Page 19: SCADA Security Presentation

Some visuals.

Page 20: SCADA Security Presentation

The SCADA requirements.

• Determinism :

– Quality of Service of data communication services

– Precise interrupt timing

– Reliability and latency are more important than throughput

• Minimal computing resources :

– Legacy equipment (pre-486 era)

– Bandwidth constraints, including noise, accessibility, etc.

– Little room for “extra features”, e.g. encryption, authentication, etc.

• Real-time operating systems :

– Lacking encryption and authentication / authorisation (AuthN, AuthZ)

Page 21: SCADA Security Presentation

General INFOSEC concepts.

• Applied to modern SCADA environments :

1. Availability – attacks are easy to perform and there are multiple attack vectors !

2. Integrity – multiple attacks & high risks !

3. Confidentiality – multiple attacks & medium risks.

Page 22: SCADA Security Presentation

Known attack motives.

• Industrial sabotage :

– Disgruntled employees

– Black-hat hackers & criminals for personal gain

• Coordinated terrorism / eco-terrorists / “hacktivism” :

– Joint physical and cyber attacks

– Vendor compromise

• Let’s not forget operator error :

– Human errors (“forgetting procedures”) and operational failures

Page 23: SCADA Security Presentation

Agenda.

• The Fear Factor

• What are the components ?

• Emerging threats and vulnerabilities

• Risk mitigating practices

Page 24: SCADA Security Presentation

Emerging threats & vulnerabilities.

• Convergence of technology equals convergence of risk :

– Migration of proprietary systems to open systems (the end of “security by obscurity”)

– Use of TCP/IP Ethernet networks

– Traditionally built to be safe and reliable. But what about secure ?

• Main drivers and trends :

– Convergence of corporate IT with industrial operations

– Migration towards open protocols, e.g. MODBUS, DNP3, … over Ethernet carriers

– Wireless technology increasingly used

– Remote access for maintenance and support facilities

Page 25: SCADA Security Presentation

Layers of cyber security attacks.

Page 26: SCADA Security Presentation

Layers of risk.

• Network (Inter)Connectivity & General Access Risks : entry vectors

– Local Area Network / Corporate Networks

– Internet Connections

– Direct access connections

– Out-of-band access connections

• Network Protocol Risks : attack vectors

– Known TCP/IP Ethernet-based vulnerabilities

– Wireless connectivity problems

– Open SCADA protocol vulnerabilities

• Monitoring and Command Systems Risks : attack vectors

– Known open system vulnerabilities (e.g. Microsoft, Linux, Solaris, …)

Page 27: SCADA Security Presentation

Connectivity & Access.

• LAN & corporate network interconnectivity :

– Using simple, or even non-existent, packet filters

– Threats from corporate environments (e.g. viruses, hackers, …) can easily jump to industrial networks => huge risk propagation factor.

• A BCIT survey on incidents by internal entry points : (chart not reproduced in this transcript)

Page 28: SCADA Security Presentation

Connectivity & Access. (cont’d)

• Internet connectivity => uncontrolled, a huge risk in its own right

– Major threat for HMI and other operator systems !

– Increasing number of external attacks over the Internet

• A BCIT survey on incidents by external entry points : (chart not reproduced in this transcript)

Page 29: SCADA Security Presentation

Connectivity & Access. (cont’d)

• Direct access connections :

– Third-party vendor access is often needed for remote support and maintenance

– Remote access is often preferred for “remote management” purposes

– Direct access connection types :

• dial-in

• xDSL and direct cable connections with remote management software (cf. Internet access)

• wireless

– Direct access is often used with weak or no identification and authentication controls in place.

• Problems with third-party contractors, suppliers and vendors

Page 30: SCADA Security Presentation

Connectivity & Access. (cont’d)

• Out-of-band connections :

– All of the above, but … now without anyone knowing about it !

– Common types of out-of-band connections :

• rogue access points

• uncontrolled dial-up modems

• uncontrolled connection tunnels (e.g. VPN, …)

– Problem : network traffic is bidirectional ! *sigh*

Page 31: SCADA Security Presentation

Protocol risks & vulnerabilities.

• Supporting network protocols are Ethernet and TCP/IP based :

– Designed for reliable packet transport, but known to be insecure !

– Foremost threats and risks are : denial of service, ARP attacks, manipulation of packet data, man-in-the-middle, identity theft (address spoofing)

• Technology and knowledge are becoming very accessible :

– Clear evidence that common hackers are showing a growing interest in SCADA protocols and technology !

• Open SCADA protocols are designed for reliability and speed, but security ?

Page 32: SCADA Security Presentation

Protocol risks & vulnerabilities. (cont’d)

• MODBUS(+) has known vulnerabilities : countermeasures are being put in place as we speak.

– Reminder : MODBUS is used for …

– Common attacks on MODBUS(+) protocols :

• generating network broadcast storms => interruption of service

• manipulating command data => reset system, disrupt component, reprogram

• DNP3 has multiple vulnerabilities : no current countermeasures.

– Reminder : DNP3 is used for …

– Common attacks on DNP3 protocols :

• degrade system performance (the “IIN1.4 bit attack” : responses forged with the NEED_TIME internal-indication bit set, so that the master keeps issuing time-synchronisation requests)

• manipulating command data => reset system, overwrite configuration file

• file manipulation on the industrial component
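
Added example (Python, written for this edit ; it is not code from the presentation, from Uniskill or from any DNP3 vendor) : the DNP3 link, transport and application framing needed to read the IIN bytes out of a response, and a detector for the “IIN1.4 bit attack” above. Each link header and each 16-byte data block carries its own CRC-16/DNP, so a corrupted frame is rejected before its IIN bits are trusted ; the detector then counts, per outstation address, how many responses set NEED_TIME (IIN1 bit 4) and flags any source that exceeds a threshold, since a master answers every such response with a time-synchronisation write. The master address 1, outstation address 10 and the traffic sample are constructed for the demonstration.

```python
"""DNP3 framing (link, transport, application) and a NEED_TIME flood detector.

Added example, not from the presentation. Addresses (master 1, outstation 10)
and the traffic sample are constructed for the demonstration.
"""
import struct
from collections import Counter

START = b"\x05\x64"
FUNC_RESPONSE, FUNC_UNSOLICITED = 0x81, 0x82
IIN1_NEED_TIME = 0x10       # IIN1 bit 4: outstation asks the master for a time sync
IIN1_DEVICE_RESTART = 0x80  # IIN1 bit 7: set once after a restart


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC bit-reversed), init 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(src: int, dst: int, user_data: bytes, control: int = 0x44) -> bytes:
    """Link header (start, length, control, dst, src, CRC) then 16-byte data
    blocks, each followed by its own CRC. control 0x44 = PRM set, link function
    4 'unconfirmed user data', DIR clear (outstation -> master); 0xC4 is the
    master -> outstation direction."""
    header = START + bytes([5 + len(user_data), control]) + struct.pack("<HH", dst, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def build_response(src: int, dst: int, iin1: int, iin2: int = 0,
                   func: int = FUNC_RESPONSE, seq: int = 0) -> bytes:
    """Minimal application response carrying only the IIN bytes (no objects)."""
    transport = 0xC0 | (seq & 0x3F)     # FIR | FIN: single-fragment message
    app_ctl = 0xC0 | (seq & 0x0F)       # FIR | FIN, no CON, application sequence
    return build_frame(src, dst, bytes([transport, app_ctl, func, iin1, iin2]))


def parse_frame(frame: bytes) -> dict:
    """Verify every CRC and extract link/application fields; ValueError if damaged."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("missing 0x0564 start bytes")
    length, control, dst, src = struct.unpack("<BBHH", frame[2:8])
    if dnp3_crc(frame[:8]) != struct.unpack("<H", frame[8:10])[0]:
        raise ValueError("link header CRC mismatch")
    user, pos, remaining = b"", 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2 or dnp3_crc(block) != struct.unpack("<H", crc)[0]:
            raise ValueError("data block CRC mismatch or truncated frame")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    if len(user) < 3:
        raise ValueError("no application header")
    func = user[2]
    iin1 = iin2 = None
    if func in (FUNC_RESPONSE, FUNC_UNSOLICITED):   # only responses carry IIN
        if len(user) < 5:
            raise ValueError("response without IIN bytes")
        iin1, iin2 = user[3], user[4]
    return {"src": src, "dst": dst, "control": control, "transport": user[0],
            "app_ctl": user[1], "func": func, "iin1": iin1, "iin2": iin2}


def frame_is_valid(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def need_time_flood(frames, threshold: int) -> dict:
    """{outstation address: count} for sources whose responses carried NEED_TIME
    at least `threshold` times. A master answers every NEED_TIME with a
    time-synchronisation write, so a forged stream of such responses keeps it
    busy: the 'IIN1.4 bit attack' from the slide."""
    counts = Counter()
    for raw in frames:
        try:
            f = parse_frame(raw)
        except ValueError:
            continue                     # damaged frames warrant a separate alert
        if f["iin1"] is not None and f["iin1"] & IIN1_NEED_TIME:
            counts[f["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def sample_traffic() -> list:
    """Constructed capture: outstation 10 legitimately asks for time once after a
    restart and then answers normally; an attacker then forges ten NEED_TIME
    responses carrying the outstation's address."""
    legit = [build_response(10, 1, IIN1_DEVICE_RESTART | IIN1_NEED_TIME, seq=0)]
    legit += [build_response(10, 1, 0x00, seq=s) for s in (1, 2, 3)]
    forged = [build_response(10, 1, IIN1_NEED_TIME, seq=s) for s in range(10)]
    return legit + forged


if __name__ == "__main__":
    print(need_time_flood(sample_traffic(), threshold=5))   # {10: 11}
```

The CRCs catch line noise and truncation, not forgery : the attacker computes them just as easily as the outstation does, and the frame has no field that binds the source address to anything. The threshold is therefore the only lever ; tune it to the time-sync interval the master is configured for, and treat any NEED_TIME burst that does not coincide with a DEVICE_RESTART as suspicious.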

Page 33: SCADA Security Presentation

Protocol risks & vulnerabilities. (cont’d)

• UCA / SMART GOOSE has vulnerabilities : more research is going into finding new ones.

– Reminder : SMART GOOSE is used for high-speed multi-device communications

– Common attacks on UCA / SMART GOOSE protocols :

• interception of devices during the “mentoring phase” (identification phase)

• ARP table manipulation resulting in a denial of service condition !

• OPC has multiple vulnerabilities : authentication ?
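
Added example (Python, written for this edit ; it is not code from the presentation or from Uniskill) : ARP table manipulation comes up three times in this deck (the TCP/IP vulnerability list, the man-in-the-middle bullet on the previous slide and the denial of service bullet above), and it is also the cheapest thing to detect on a flat control network because a controller’s IP-to-MAC binding almost never changes. The detector below reads ARP records, pins the static bindings of the controller gateway, and raises an alert when a sender claims an IP already bound to another MAC or when a reply arrives that nobody asked for. The log line format, the 10.1.0.x addresses, the MACs and the capture itself are constructed for the demonstration ; in practice the records would come from a span port or from the switch’s own ARP inspection log.

```python
"""ARP spoofing detector run over a constructed ARP log.

Added example, not from the presentation. The log format, addresses and the
static bindings are invented for the demonstration.
"""
import re
from dataclasses import dataclass

# "<ts> <request|reply> <sender_ip> <sender_mac> -> <target_ip> <target_mac>"
LINE = re.compile(
    r"^(?P<ts>\d+) (?P<op>request|reply) (?P<sip>\S+) (?P<smac>\S+) -> (?P<tip>\S+) (?P<tmac>\S+)$"
)


@dataclass(frozen=True)
class ArpPacket:
    ts: int
    op: str
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


def parse_line(line: str) -> ArpPacket:
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable ARP log line: {line!r}")
    return ArpPacket(int(m["ts"]), m["op"], m["sip"], m["smac"], m["tip"], m["tmac"])


def detect_arp_spoofing(lines, static_bindings: dict, window: int = 5) -> list:
    """Two checks per packet:
    1. binding change: a sender claims an IP already bound (statically or by
       first sighting) to another MAC;
    2. unsolicited reply: a reply the target did not ask for within `window`
       seconds (gratuitous/poisoning replies).
    Static bindings (controller gateway, HMI) are never overwritten."""
    bindings = dict(static_bindings)          # ip -> mac
    pending = {}                              # (asker_mac, asked_ip) -> ts of request
    alerts = []
    for line in lines:
        pkt = parse_line(line)
        known = bindings.get(pkt.sender_ip)
        if known is None:
            bindings[pkt.sender_ip] = pkt.sender_mac      # first sighting wins
        elif known != pkt.sender_mac:
            alerts.append((pkt.ts, "binding change",
                           f"{pkt.sender_ip} was {known}, now claimed by {pkt.sender_mac}"))
        if pkt.op == "request":
            pending[(pkt.sender_mac, pkt.target_ip)] = pkt.ts
        else:
            asked = pending.get((pkt.target_mac, pkt.sender_ip))
            if asked is None or pkt.ts - asked > window:
                alerts.append((pkt.ts, "unsolicited reply",
                               f"{pkt.sender_ip} is-at {pkt.sender_mac} sent to {pkt.target_mac}"))
    return alerts


# Constructed capture: HMI 10.1.0.20 resolves the controller gateway 10.1.0.1,
# then a third host (de:ad:be:ef:00:01) poisons both sides to sit in the middle.
SAMPLE_LOG = [
    "100 request 10.1.0.20 00:11:22:33:44:20 -> 10.1.0.1 00:00:00:00:00:00",
    "101 reply 10.1.0.1 00:11:22:33:44:01 -> 10.1.0.20 00:11:22:33:44:20",
    "130 reply 10.1.0.1 de:ad:be:ef:00:01 -> 10.1.0.20 00:11:22:33:44:20",
    "131 reply 10.1.0.20 de:ad:be:ef:00:01 -> 10.1.0.1 00:11:22:33:44:01",
]
STATIC_BINDINGS = {"10.1.0.1": "00:11:22:33:44:01"}   # the PLC gateway, pinned


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_LOG, STATIC_BINDINGS):
        print(alert)
```

The first two records are the normal exchange and produce nothing ; the last two produce four alerts, two per direction, which is the signature of a full man-in-the-middle rather than a single poisoned host. Whether the intruder then forwards the traffic (interception) or drops it (the denial of service condition on the slide) is invisible to ARP ; either way the cure is the same static binding on the switch and on the hosts that the detector pins in software.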

Page 34: SCADA Security Presentation

Protocol risks & vulnerabilities. (cont’d)

• Multiple wireless connections => multiple attacks !

– Physical presence is no longer required ; the attack zone depends on wireless range

– Wireless in a real-time communication environment ? Beware !

• Bluetooth (IEEE 802.15.1). Insecure.

– Known attacks to send AT commands, download address books and break pairing mechanisms

• WLAN (IEEE 802.11). Insecure.

– Multiple attacks including encryption key cracking (WEP/WPA), MAC filter bypass attacks, access point denial of service attacks

Page 35: SCADA Security Presentation

Protocol risks & vulnerabilities. (cont’d)

• ZigBee (IEEE 802.15.4). Low-power radio transmission.

– Frequency disruption (jamming) attacks => denial of service or alert mode

• WiMAX (IEEE 802.16). Untested.

– Huge area span (> 50 km coverage), which equals your attack range :-)

Page 36: SCADA Security Presentation

Systems.

• Most systems run COTS / third-party operating systems, including Microsoft Windows, Linux, VMS and Solaris.

• The shift from proprietary systems to open systems has led to widespread interest in underground research communities in investigating SCADA component vulnerabilities.

– No more security by obscurity

• And… where are they deployed ? What are they actually used for ?

– Infested with malware, worm and virus infections ?

– Backdoored using rootkits ?

– Members of botnets ?

Page 37: SCADA Security Presentation

Systems. (cont’d)

• BCIT 2005 findings on system attacks : (chart not reproduced in this transcript)

Page 38: SCADA Security Presentation

Summary of risk scenarios.

• SCADA command systems can be hijacked or disrupted using widely available knowledge and open-source tools.

• SCADA protocols offer no authentication mechanisms.

• SCADA protocols have no encryption capabilities.

• SCADA systems have “different” patch cycles than IT systems :

– Patching production SCADA systems is often simply out of the question !

• Uncontrolled connectivity of SCADA systems and related components to untrusted networks.

Page 39: SCADA Security Presentation

So, technically speaking…

• Uncontrolled SCADA environments are easily prone to :

– Disruption of services, bringing the industrial process to a halt ;

– Manipulation of data that might disrupt industrial processes or seriously sabotage the environment ;

– External intrusions using Internet, dial-in or remote management software ;

• Question. How does all this apply to your infrastructure ?

– You do the math…

Page 40: SCADA Security Presentation

What did we see already ?

• Frankly put. Too much :

– Remote access software (Microsoft RDP) using one-letter passwords

– Direct dial-in for control of pumps without authentication

– Corporate networks directly connected with industrial control network segments

– Unprotected wireless access points “because it’s faster”

– Lost PDAs with service software for industrial food processing components

– 0-day OPC/DNP3 exploit code circulating in underground hacking networks

– Malware-infected HMI systems used for browsing “non work related” websites

– …

Page 41: SCADA Security Presentation

Agenda.

• The Fear Factor

• What are the components ?

• Emerging threats and vulnerabilities

• Risk mitigating practices

Page 42: SCADA Security Presentation

Some risk mitigation practices.

• Apply a layered security approach / Defense in Depth principle !

• Cyber security for process control :

– Performance (real-time, critical response, no delay allowed)

– Availability (outage is not acceptable, fault tolerant, pre-deployment testing)

– Security scope (controllers, field devices, stations, servers, protocols)

– Time-critical interaction (response to human emergency action is crucial)

– Communications (proprietary protocols, diverse communication carriers)

– Software updates (strictly controlled updates)

Page 43: SCADA Security Presentation

Some risk mitigation practices. (cont’d)

• Your control environment security mission :

– CYBER SECURITY FOR INDUSTRIAL CONTROL SYSTEMS IS TO DESIGN, BUILD AND MAINTAIN SYSTEMS TO BE AVAILABLE, TO ASCERTAIN THAT OPERATORS ARE IN CONTROL AND THAT THE PROCESSES OF THE PLANT ARE SECURED.

• Ensure that the plant’s requirements are met in terms of availability, integrity and confidentiality

• Ensure that staff / operators are given proper security training and awareness

• Embed security as an integral part of the life cycle process of your environment

Page 44: SCADA Security Presentation

Some risk mitigation practices. (cont’d)

• Venues where INFOSEC principles apply :

– Enforcement of security policies and procedures

– Risk management principles applied to process control environments

– Security and contingency planning

– Incident response planning

– Physical and personnel security

– Awareness and training

• Technology applied principles :

– Access control mechanisms

– Identification and strong authentication protocols

– Auditing, IDS and logging mechanisms

– Encryption technology

– Specialised firewall technologies

Page 45: SCADA Security Presentation

Some risk mitigation practices. (cont’d)

• Where to start ? Guiding documents ? (slide shows document covers ; not reproduced in this transcript)

Page 46: SCADA Security Presentation

Some risk mitigation practices. (cont’d)

• Where to find more information and advice :

– NISCC / BCIT Good Practices Whitepaper

• http://www.niscc.gov.uk/niscc/docs/re-20050223-00157.pdf

– US Department of Energy

• http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf

– Multiple industry organisations involved with security best practices : SANDIA, NERC, AGA, API, CIGRE, IEC, ISA, IEEE, NIST, CIAO

Page 47: SCADA Security Presentation

Questions ? Debate.

CYBER THREATS TO CRITICAL INFRASTRUCTURES

Filip MAERTENS

Partner Uniskill, Audit & Assessment Services

CISA, CISSP

[email protected]

Page 48: SCADA Security Presentation

Corporate Information.

For more information, please visit http://www.uniskill.com.