Down the SCADA (security) Rabbit Hole. Alberto Volpatto

Transcription

1 Down the SCADA (security) Rabbit Hole Alberto Volpatto

2 Alberto Volpatto Security Engineer & Team Secure Network Computer Engineer Application Security Specialist

3 What is SCADA? Supervisory operators, engineers, supervisors Control monitoring, controlling, locally and/or remotely And Data information representing the acquired system Acquisition access, acquire and represent meaningful data

4 What is SCADA? A SCADA system is a type of ICS Industrial Control System used to monitor and control large-scale critical systems, both locally and remotely.

5 Application fields Industrial processes Manufacturing, power generation, production Infrastructure processes Water treatment and distribution, oil and gas pipelines, electrical power transmission Facility processes Heating, ventilation and air conditioning systems - HVAC

6 Application fields Industrial processes

7 Application fields Infrastructure processes

8 Application fields Facility processes

9 The SCADA ecosystem

10 SCADA/ICS Security For years SCADA/ICS systems relied on security through obscurity Industrial systems, which have been designed and intended to be alone, became magically connected to the world No perception of modern security threats and risks, from both SCADA vendors and consumers

11

12 SCADA/ICS Security As traditional IT networks, SCADA environments host critical data and information Projects, plans, chemical secrets They have a direct impact on the physical world An attack to a SCADA system could lead to a real world disaster, affecting people s safety

13 Attacking Chemical Plants August 2013 multiple vulnerabilities in the industrial wireless products of three vendors have been reported. Customers are nuclear, oil and gas, refining, petro-chemical, utility, and wastewater companies 2014 Lucas Apa and Carlos Penagos released a public advisory describing four vulnerabilities affecting some OleumTech Wireless Products

14 Attacking Chemical Plants Threat an attacker in a ~ 60 km range could inject false values on the wireless gateways, modifying measurements used to make critical decisions Targeting a wireless transmitter that monitors the process temperature could make a chemical react and explode If failsafe mechanisms are not implemented They demonstrated the scenario on a virtual simulator

15 Attacking Chemical Plants

16 Stuxnet The world s first cyber weapon source:

17 Stuxnet Switch off oil pipelines Turn up the pressure inside nuclear reactors STUXNET tells the operators that everything is normal source:

18 Stuxnet

19 SCADA/ICS Security Assessment Penetration testing goal is data The intrinsic critical nature of systems requires slight changes in the modus operandi Typically, no testing or quality environment Need for a methodology to nullify: Service interruption of the controlled process Damages to the industrial plants and materials Risk of injuring people safety

20 SCADA/ICS Security Assessment White or gray box assessment strategy Horizontal analysis and vertical exploits on a subset of pre-defined and authorized targets Assessment activity is supervised by the customer A proper knowledge of the controlled process is required to identify a potential issue and react

21 SCADA/ICS Security Assessment Testing SCADA network systems and services with the support of Customer personnel Internal policies review in order to spot issues in the organization processes Canonical corporate network assessment with a focus on network segregation or isolation Fuzz testing on adopted protocols. Lab testing preferred over production environment testing

22 Corporate Network Assessment

23 Corporate Network Assessment Scenario-driven attacks Corporate networks are likely to have been assessed before, but context-dependent scenarios need to be evaluated Verify proper network segregation between corporate network and SCADA network. Is it possible to jump from one network into the other? Network attacks against users who have access to the SCADA network or systems e.g., abusing whitelisted workstation to pivot on the SCADA network

24 SCADA Network Assessment

25 SCADA Network Assessment Again, scenario-driven attacks Simulating attacks from malicious employees Simulating attacks against legitimate employees Vulnerability research on adopted software solutions Production systems testing should be carefully supervised by personnel or operators A Point of Contact (PoC) should be available in order to handle any incidents Vulnerabilities exploiting must be specifically authorized and monitored by the Customer

26 SCADA Network Assessment Network attacks against servers could be expected Pivoting through internal user web browsers to attack internal web applications is less obvious Many web applications are vulnerable to Cross-Site Request Forgery (CSRF) Attacks CSRF attacks are completely transparent to the user and may affect any system they are currently logged into CSRF attacks do not require a compromised workstation Using penetration testing tools focused on client-side attacks makes pivoting easier e.g., BeEF (The Browser Exploitation Framework)

27 Cross-Site Request Forgery (CSRF) Attacker Authenticate 1 4 Malicious web page 3 Surf page 2 Vulnerable application Operator 5 Execute unwanted action

28 PLC/RTU Device Testing

29 PLC/RTU Device Testing In-lab devices testing (if available) Devices are often considered out of scope, despite being critical elements in the ICS ecosystem Custom protocols reversing and fuzzing Testing on production environment is usually avoided or explicitly denied A crash or generic fault on production systems could have unpredictable impact on people safety

30 Policies & Procedures Review Targeting non-technological issues Identify process-related security weaknesses Focus on SCADA/ICS systems management

31 SCADA Top 10 Security Risks Security through obscurity Unpatched or unsupported (operating) systems Authentication and authorization issues Transport layer insecurity Input validation issues Lack of proper security policies Network isolation and/or segregation Default or weak configuration Lack of accountability Availability issues Denial of Service

32 Statistics of SCADA Security Issues % Vulnerable systems

33 Conclusions ICS are critical, vulnerable, exposed Identifying their weaknesses is paramount Security testing can be done safely Specific methodologies and expertise are needed

34 Thank you! Special thanks to Luca De Fulgentis )