How can I protect a system from cyber attacks? Design your architecture. System Technical Note: Cyber security recommendations
Disclaimer
This document is not comprehensive for any systems using the given architecture and does not absolve users of their duty to uphold the safety requirements for the equipment used in their systems or compliance with both national or international safety laws and regulations. Readers are considered to already know how to use the products described in this System Technical Note (STN). This STN does not replace any specific product documentation.
The STN Collection
The implementation of an automation project includes five main phases: Selection, Design, Configuration, Implementation and Operation. To help you develop a project based on these phases, Schneider Electric has created the Tested, Validated, Documented Architecture and the System Technical Note.

A Tested, Validated, Documented Architecture (TVDA) provides technical guidelines and recommendations for implementing technologies to address your needs and requirements. This guide covers the entire scope of the project life cycle, from the Selection to the Operation phase, providing design methodologies and source code examples for all system components.

A System Technical Note (STN) provides a more theoretical approach by focusing on a particular system technology. These notes describe complete solution offers for a system, and therefore support you in the Selection phase of a project.

The TVDAs and STNs are related and complementary. In short, you will find technology fundamentals in an STN and their corresponding applications in one or several TVDAs.

Development Environment
PlantStruxure, the Process Automation System from Schneider Electric, is a collaborative system that allows industrial and infrastructure companies to meet their automation needs while also addressing growing energy management requirements. Within a single environment, measured energy and process data can be analyzed to yield a holistically optimized plant.
Table of Contents
1. Security Overview
   1.1. Purpose
   1.2. Introduction
   1.3. Why is Security a Hot Topic Today?
2. What is Cyber Security?
   2.1. Cyber Attack Profile
   2.2. How Attackers Can Gain Access to the Control Network
   2.3. How Attackers Attack
   2.4. Accidental Events
   2.5. Control System Vulnerabilities
3. Schneider Electric Cyber Security Defense
   3.1. Security Plan
   3.2. Network Separation
   3.3. Protecting the Plant Perimeter
   3.4. Network Segmentation via VLAN
   3.5. Device Hardening
   3.6. Monitoring
4. Appendix: Methods of Attack
   4.1. IP Spoofing
   4.2. Denial of Service Attacks
   4.3. TCP SYN Flood Attack
   4.4. Land Attack
   4.5. ARP Spoofing
   4.6. ICMP Smurf
   4.7. The PING of Death
   4.8. UDP Flood Attack
   4.9. Teardrop Attack
5. References
1. Security Overview

1.1. Purpose
The intent of this System Technical Note (STN) is to describe the capabilities of the different Schneider Electric solutions that answer the most critical application requirements, and consequently increase the security of an Ethernet-based system. It provides a common, readily understandable reference point for end users, system integrators, OEMs, sales people, business support and other parties.

1.2. Introduction
PlantStruxure openness and transparency provides seamless communication from the enterprise system or the internet to the control network. With this transparency come security vulnerabilities that can be exploited to negatively impact production, equipment, personnel safety, or the environment. Security practices should be deployed to prevent these unwanted incidents from disrupting operations. Security is no longer a secondary requirement but should be considered mandatory and be viewed as important as safety or high availability.

To meet the security challenges, Schneider Electric recommends a defense-in-depth approach. Defense-in-depth is a concept that assumes there is no single approach that provides all security needs. Rather, defense-in-depth layers the network with security features, appliances, and processes to ensure that disruption threats are minimized. Schneider's defense-in-depth approach includes:
- Eagle20 Security Router, from its partner Hirschmann Electronics, to secure the control network perimeter using secure links such as VPN and DMZ.
- Eagle Tofino firewall, from its partner Hirschmann Electronics, to secure communication zones within the control network using basic firewall rules, stateful packet inspection and deep packet inspection.
- ConneXium infrastructure devices to limit internal access to areas of responsibility and act as a second line of defense in the event of a firewall breach.
- PACs and Ethernet modules hardened with password protection, access control and the ability to turn off unneeded services.
- RTUs that offer secure links via VPN and strong authentication technology.

The intent of this document is to explain what constitutes cyber security in the industrial market, why cyber security has become such a hot topic, the risks caused by system vulnerabilities, the methods of network penetration and Schneider Electric's recommendations to mitigate those risks. Remember, there is not one single product that can defend the network; rather, a defense-in-depth approach ensures the best coverage for a secured, highly available operation.

1.3. Why is Security a Hot Topic Today?
Industrial control systems based on computer technology and industrial-grade networks have been around for decades. The earlier control system architectures were developed with proprietary technology and were isolated from the outside world, and therefore security was not a primary concern. Physical perimeter security was adequate to feel comfortable about the systems' reliability. Today control systems have migrated to open systems using standardized technologies such as the Microsoft Windows operating system and Ethernet TCP/IP to reduce costs and improve performance. Additionally, direct communications between control and business systems have been employed to improve operational efficiency and manage production assets more cost-effectively.
This technical evolution has exposed control systems to vulnerabilities previously only affecting office and business computers. Although the malware found in the world has been used to target home, office, or business computers, industrial computers employing the same technology have become exposed through lax internal security practices, external contractors with access to systems, and inadvertently publicly accessible networked interfaces.

Ethernet and TCP/IP have provided many new and attractive capabilities:
- Integrated applications through networked intelligent devices
- Embedded web servers for remote access
- Wireless connectivity
- Remote access for maintenance
- Automated software management
- Distributed control
- Instant access to information from the business systems: inventory, production, shipping and receiving, purchasing, etc.

With the use of standard technologies such as Ethernet, control systems are now vulnerable to cyber attacks from both inside and outside of the industrial control system network. The security challenges for the control environment are:
- Physical and logical boundaries vary.
- Systems can span large geographical regions with multiple sites.
- Security implementation can adversely impact process availability.

With the heightened threats caused by political terrorism, cyber attacks, and internal security threats, companies must be more diligent than ever with how their systems are protected. Motivations can be hard to understand, but the implications can be devastating: lost production, a damaged company image, environmental disaster, or loss of life. Companies need to be more conscious of security than ever before. No longer will barbed wire and security guards satisfactorily protect industrial assets. Lessons learned from the IT world must be employed to protect industrial facilities and infrastructure from disruptions, damage, or worse.
2. What is Cyber Security?
Cyber security is a branch of security designed to address attacks on or by computer systems and through computer networks. The objective of cyber security is to protect information and physical assets from theft, corruption, or natural disaster, while allowing the information and assets to remain accessible and productive to their intended users. It is composed of procedures, policies and equipment, both software and hardware. Cyber security is an ongoing process.

Cyber attacks are actions that target computers and network systems and are designed to disrupt the normal operation of the system. These actions can be initiated locally (from within the physical facility) or remotely (from outside). These attacks are normally intentional, but in fact could be unintentional due to poor security threat prevention. All potential causes of cyber attacks need to be considered when employing a defense-in-depth approach.

2.1. Cyber Attack Profile
Cyber attacks on the control network system can come from a number of sources:
- Internal (employees, vendors and contractors):
  - Accidental events
  - Inappropriate employee/contractor behavior
  - Disgruntled employees/contractors
- External opportunistic (non-directed):
  - Script kiddies
  - Recreational hackers
  - Virus writers
- External deliberate (directed):
  - Criminal groups
  - Activists
  - Terrorists
  - Agencies of foreign states

The intent of cyber attacks on a control system is to:
- Disrupt the production process by blocking or delaying the flow of information.
- Damage, disable or shut down equipment to negatively impact production or the environment.
- Modify or disable safety systems to cause intentional harm or death.

Most cyber attacks that penetrate the control network system originate from the enterprise system, followed by the internet and trusted third parties.

2.2. How Attackers Can Gain Access to the Control Network
The following information is extracted from US-CERT's Control Systems Security Program and is paraphrased from content on the US-CERT Control Systems: Overview of Cyber Vulnerabilities web page. Schneider Electric recommends reviewing all the materials at this web site to gain a better understanding of control system vulnerabilities and potential threats.

In order to attack the control system network, the attacker must bypass the perimeter defenses to gain access to the control system LAN. The most common methods of gaining access are:
- Dial-up access to RTU devices
- Supplier access (technical support)
- IT controlled network products
- Corporate VPN
- Database links
- Poorly configured firewalls
- Peer utilities

Dial-up Access to the RTU Devices
Most control systems have a backup dial-up modem in the event that the main network is no longer available. The attacker must know the protocol of the RTU in order to gain access. Most RTUs don't have strong security mechanisms employed and identify themselves to any caller. Authentication mechanisms are not widely employed.

Supplier Access
In order to minimize downtime and reduce costs, suppliers are often given VPN access for remote diagnostics or maintenance. The suppliers frequently leave ports open on the equipment to simplify their tasks, giving the attacker access to the equipment and links to the control system network.
IT Controlled Communication Equipment
The automation department's network authority is often limited to the control network within the facility. The IT department assumes responsibility for long-distance communication, controlled and maintained from the business side. A skilled attacker can access the control network via holes in the communication architecture and reconfigure or compromise communications to the field control devices.

Corporate VPNs
Engineers working in the corporate offices will often use a VPN from the company broadband to gain access to the control network. The attacker waits for the legitimate user to VPN into the control system network and piggybacks on the connection.
Database Links
Most control systems use real-time databases, configuration databases, and multiple historian databases. If the firewall or the security on the database is not configured properly, a skilled attacker can gain access to the database from the business LAN and generate SQL commands to take control of the database server on the control system network.

Peer Utility Links
Partners and peers are granted access to information located on either the business or control network. With the peer-to-peer link, the security of the system is only as strong as the security of the weakest member.
2.3. How Attackers Attack
The following information is extracted from US-CERT's Control Systems Security Program and is paraphrased from content on the US-CERT Control Systems: Overview of Cyber Vulnerabilities web page. Schneider Electric recommends reviewing all the materials at this web site to gain a better understanding of control system vulnerabilities and potential threats.

Depending on motives and skills, the attacker may or may not need to know details of the process to cause problems. For example, if the motive is simply to shut down the process, very little knowledge of the control process is needed. However, if the attacker wants to strategically attack a specific process, then specific details and knowledge are required. The two most vulnerable processes are:
- Data acquisition database
- HMI/SCADA display screens

Names of databases differ between suppliers, but most use a common naming convention with a unique number (e.g., Pump1, pump2, breaker1, breaker2). On the communications protocol level, the devices are simply referred to by number (memory location or register address). For a precise attack, the attacker needs to translate the numbers into meaningful information. Gaining access to the HMI screens is the easiest method for understanding the process and the interaction between the operator and the equipment. The information on the screen allows the attacker to translate the reference numbers into something meaningful.
Control of the Process
Once an attacker has enough information about the process, the next step is to manipulate it. The easiest way to gain control of the process is to connect to a data acquisition device, such as a PAC, that also has access to field devices and send it properly formatted commands. Most PACs, gateways or data acquisition servers lack basic authentication and will accept any commands that have been formatted correctly.

Exporting the HMI Screen
Another method of attack is to export the HMI screen back to the attacker to gain control of the operations. A sophisticated attacker may also modify the operator's screen to display normal operations in order to disguise the attack. The attacker is normally limited to the commands allowed for the currently logged-in operator.
Changing the Database
The attacker accesses the database and modifies the data in order to disrupt normal operation of the control system, or changes stored values to affect the system's integrity.

Man-in-the-Middle Attacks
Man-in-the-middle is a type of attack where the attacker intercepts messages from one computer (Host A), manipulates the data prior to forwarding to the intended computer (Host B), and vice versa. Both computers appear to be talking to each other and are unaware of an intruder in the middle. In order for the attacker to be successful in manipulating the packets, the protocol must be known. The man-in-the-middle attack allows the attacker to spoof the operator HMI screens and take full control of the control system.
2.4. Accidental Events
While many threats exist from disgruntled employees, hackers, terrorists, or activists, the majority of network-related system outages are caused by accidental events. In this case, we are referring to personnel not following proper procedures, accidentally connecting network cables to the wrong ports, poor network design, programming errors, or badly behaving network devices. Experts attribute more than 75% of network-related system outages to accidental events. Many of the security features and processes discussed in this document can also prevent these types of accidental events.

In many cases, contractors are necessary contributors to system design, commissioning, or maintenance. Proper procedures should be defined to ensure that contractors don't bring malware, viruses, or other problems into the control network. Another example of proper procedures involves how USB keys, a convenient method to transfer files, can be safely employed in the control network environment. USB keys are a common source of malware and viruses and must be carefully screened before permitting their use.

Network architectures are designed and configured at design time to comply with robust behaviors, including segmenting, filtering, and topological rules. Individuals who inadvertently connect a network cable into the wrong port on a multi-port switch might create outages or broadcast storms, bringing a network to its knees. Many of the broadcast storm protections discussed in this document apply to these accidental events as well as to Denial of Service attacks.

In general, the cause might be accidental, but the features, practices, and procedures used to protect from cyber attack work equally well to prevent accidental system outages. In this case, disaster recovery methods should be employed and tested to make sure that recovery from an outage or device failure can be quickly and reliably managed, minimizing downtime and lost production. High availability and redundant architectures play a role in this area when even short duration system outages can't be tolerated.

2.5. Control System Vulnerabilities
The North American Electric Reliability Corporation (NERC) performed a study identifying the top 10 vulnerabilities of control systems:

1. Inadequate policies, procedures, and culture that govern control system security:
   - Clash between operational culture and modern IT security methods.
   - IT often does not have an understanding of the operational requirements of a control system.
   - Lack of overall awareness and appreciation of the risk associated with enabling the networking of these customized control systems.
   - Absence of a control system information security policy.
   - Control system information security policy not adhered to, enforced or audited.
   - Lack of adequate risk assessment.
2. Inadequately designed control system networks that lack sufficient defense-in-depth mechanisms:
   - Network security of control system devices was not adequately considered when originally designed. These systems were designed with availability and reliability in mind.
   - Control systems may not be capable of secure operation in an internet/intranet working environment without significant investment to re-engineer the technology so it is in accordance with appropriate risk assessment criteria.
3. Remote access to the control system without appropriate access control:
   - Inappropriate use of dial-up modems.
   - Use of commonly known passwords or no use of passwords.
   - Implementation of non-secure control system connectivity to the corporate Local Area Network (LAN).
   - Practice of un-auditable and non-secured access by vendors for support.
4. System administration mechanisms and software used in control systems are not adequately scrutinized or maintained:
   - Inadequate patch management.
   - Lack of appropriately applied real-time virus protection.
   - Inadequate account management.
   - Inadequate change control.
   - Inadequate software inventory.
5. Use of inadequately secured wireless communication for control:
   - Use of commercial off-the-shelf (COTS) consumer-grade wireless devices for control network data.
   - Use of outdated or deprecated security/encryption methods.
6. Use of a non-dedicated communications channel for command and control and/or inappropriate use of control system network bandwidth for non-control purposes:
   - Internet-based Supervisory Control and Data Acquisition (SCADA).
   - Internet/intranet connectivity initiated from control system networks: file sharing, instant messaging.
7. Insufficient application of tools to detect and report on anomalous or inappropriate activity:
   - Underutilized intrusion detection systems.
   - Under-managed network system.
   - Implementation of immature Intrusion Prevention Systems.
8. Unauthorized or inappropriate applications or devices on control system networks:
   - Unauthorized installation of additional software on control system devices.
   - Peripherals with non-control system interfaces, e.g., multi-function or multi-network printers.
   - Non-secure web interfaces for control system devices.
   - Laptops.
   - USB memory.
   - Other portable devices, e.g., personal digital assistants (PDAs).
9. Control system command and control data not authenticated:
   - Authentication for LAN-based control commands not implemented.
   - Immature technology for authenticated serial communications to field devices.
   - Lack of security implemented on an object-by-object basis on the control displays.
10. Inadequately managed, designed, or implemented critical support infrastructure:
   - Inadequate uninterruptible power supply (UPS) or other power systems.
   - Inadequate or malfunctioning HVAC systems.
   - Poorly defined 6-wall boundary infrastructure.
   - Insufficiently protected telecommunications infrastructure.
   - Inadequate or malfunctioning fire suppression systems.
   - Lack of recovery plan.
   - Insufficient testing or maintenance of redundant infrastructure.
3. Schneider Electric Cyber Security Defense
No single solution can provide adequate protection against all cyber attacks on the control network. Schneider Electric recommends employing a defense-in-depth approach using multiple security techniques to help mitigate risk. The defense-in-depth approach recommends six layers of defense for a PlantStruxure network:

1. Security Plan: Creating the security plan is the first step to secure the control system network. Policies and procedures must be defined, implemented and, most importantly, updated and maintained. The planning process involves performing a vulnerability assessment, mitigating the risk and creating a plan to reduce or avoid those risks.
2. Network Separation: Physically separating the control system network from other networks, including the enterprise, by creating demilitarized zones (DMZs).
3. Perimeter Protection: Preventing unauthorized access to the control system through the use of firewalls, authentication and authorization, VPN (IPsec) and anti-virus software. This includes remote access.
4. Network Segmentation: Use VLANs to sub-divide the network, providing containment in the event of a security breach within a subnet. This can be further enhanced using the concept of communication zones. Each zone would be buffered from other zones by use of a security firewall to limit access, monitor communications and report incidents.
5. Device Hardening: Device hardening is the process of configuring a device to protect it from communication-based threats. It involves password management, access control and disabling all unnecessary protocols and services.
6. Network Monitoring: No network is 100% secure due to the constant evolution of new threats. Constant monitoring of the control network system is necessary to block intruders before damage is done.

3.1. Security Plan
The first step towards a secure network is to create a security plan with procedures and policies. A cross-functional team consisting of management, IT staff, a control engineer, an operator and a security expert should participate in the creation of a comprehensive security plan. The security plan should clearly define:
- Roles and responsibilities of those affected by the policy.
- Actions, activities and processes that are allowed and not allowed.
- Consequences of non-compliance.

For existing networks, a full assessment is needed prior to creating the plan:
- Identify communication paths into and out of the control network.
- Identify communication paths within the control system network.
- Perform a complete audit of devices on the network.
- Record the security settings of each device.
- Draw a detailed network diagram.
Once the infrastructure diagram is completed, a vulnerability assessment is required to identify weaknesses, potential threats and origins of threats. Vulnerabilities assessed are then:
- Prioritized by threat
- Prioritized by business consequences
- Prioritized by business benefits
- Annual business impact is estimated

Ri$k = % Probability of Threat of Attack * % Probability of a Vulnerability Being Exploited * Reasonably Predictable (Financial) Consequences

(Introduction to Information Security, Dave Norton, CISSP, Program Manager, Transmission IT Security, Entergy New Orleans)
The plan should consist of:
- Security policies: Security policies should be developed for the control system network and its individual components. The policies should be reviewed periodically for changes in threats, environment or adequate security level.
- Blocking access to resources and services: Protecting the perimeter through the use of firewalls or proxy servers, access control and anti-virus software. Limiting communications between separate communication zones through the use of firewalls and inline security devices.
- Detecting malicious activity: Intrusion detection, such as monitoring audit and event logs, is necessary to identify problems on the network.
- Mitigating possible attacks: The more secure the network becomes, the greater the impact on latency. In order for the process to run correctly, a level of vulnerability may have to be accepted.
- Fixing core detected problems: Fixing detected problems usually involves updating, upgrading, or patching the software vulnerability or removing the vulnerable application.

3.2. Network Separation
One of the critical elements of designing a control system network is the physical separation between the control network and external communication networks. Data access between the internet, enterprise system and the control network should take place on servers located in a demilitarized zone (DMZ). A DMZ provides a safe and secure means of sharing data between zones. The DMZ should contain:
- Data servers such as Citect Historian that share and collect data from the control system and enterprise system.
- Patch management
- Antivirus server
- Web access server
- Wireless access point
- Remote access

All communication links should end in the DMZ. There should be no direct communication path into the industrial control network.
DMZ Guidelines
- All traffic should terminate at servers in the DMZ.
- Inbound traffic to the control system should be blocked.
- Access to devices inside the control system should be through the DMZ.
- Outbound traffic through the control network firewall should be limited to essential communications only.
- All outbound traffic from the control network to the corporate network should be source- and destination-restricted by service and port.
- Firewalls should be configured with outbound filtering to stop forged IP packets from leaving the control network or the DMZ. Firewalls should be configured to forward IP packets only if those packets have a correct source IP address for the control network or DMZ networks.
- Internet access by devices on the control network should be strongly discouraged.
- The servers in the DMZ must be hardened. Security patches and anti-virus software must be continuously updated.
3.3. Protecting the Plant Perimeter
Firewalls are used to protect the network perimeter by blocking unauthorized access while permitting authorized communications. A firewall is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) traffic between different security domains based upon a set of rules and other criteria. Firewalls play an important role in a control system network. Process control devices require fast data throughput and therefore cannot afford the latency introduced by an over-aggressive security strategy. The control system relies heavily on perimeter protection to block all unwanted and unauthorized traffic. There are three categories of firewalls:

Packet filtering: A low-cost, basic type of firewall having minimal impact on network performance. Basic information in each packet, such as IP addresses, is validated prior to forwarding. This type is not recommended due to its lack of authentication. It does not conceal the protected network's architecture.

Application-Proxy Gateway: An application proxy gateway examines packets at the application layer and filters traffic based on specific application rules such as specified applications (e.g., browsers) or protocols (e.g., FTP). Application proxy gateways provide a high level of security, but can have overhead delays impacting the network performance of the control system. Their use is therefore not recommended.

Stateful Inspection Firewalls: Stateful multilayer inspection firewalls are a combination of the above firewall types. Stateful inspection filters packets at the network layer and validates that the session packets and their contents at the application layer are legitimate. Stateful inspection makes sure that all inbound packets are the result of an outbound request. Stateful inspection firewalls provide a high level of security and good performance but can be expensive and complex to configure.

Firewall Guidelines
The National Institute of Standards and Technology (NIST) has provided the following guidelines:
- The base rule set should be deny all, permit none.
- Ports and services between the control system network environment and the corporate network should be enabled and permissions granted on a specific case-by-case basis. There should be a documented business justification with risk analysis and a responsible person for each permitted incoming or outgoing data flow.
- All permit rules should be both IP address and TCP/UDP port specific.
- All rules should restrict traffic to a specific IP address or range of addresses.
- Traffic should be prevented from transiting directly from the control network to the corporate network. All traffic should terminate in a DMZ.
- Any protocol allowed between the control network and the DMZ should explicitly NOT be allowed between the DMZ and corporate networks (and vice versa).
- All outbound traffic from the control network to the corporate network should be source- and destination-restricted by service and port.
- Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that is assigned to the control network or DMZ devices.
- Control network devices should not be allowed to access the Internet.
- Control networks should not be directly connected to the Internet, even if protected via a firewall.
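The DMZ and NIST firewall guidelines above can be turned into an automated review of a rule set before it is deployed. The following checker is an added example (not Schneider, Hirschmann or NIST code); the zone address ranges, the rule format and the sample rules are constructed for the demo.

```python
"""Checker for the firewall and DMZ guidelines above (added example, not
Schneider or NIST code). Zone ranges and the rule set are constructed."""
import ipaddress
from dataclasses import dataclass

# Assumed zone address ranges for the demo, not values from the STN.
ZONES = {
    "control":   ipaddress.ip_network("10.10.0.0/16"),
    "dmz":       ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.30.0.0/16"),
}


@dataclass
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    dport: str               # destination port number or "any"
    justification: str = ""  # documented business reason for the flow
    owner: str = ""          # responsible person for the flow


def zone_of(cidr):
    """Zone whose range contains the whole CIDR; None for 'any' or Internet."""
    if cidr == "any":
        return None
    net = ipaddress.ip_network(cidr, strict=False)
    for name, rng in ZONES.items():
        if net.subnet_of(rng):
            return name
    return None


def check_ruleset(rules):
    """Return (rule_index, finding) pairs; an empty list means the set is clean.
    Index -1 marks findings about the rule set as a whole."""
    findings = []
    last = rules[-1] if rules else None
    # Base rule set is "deny all": the final rule must be an explicit deny any->any.
    if last is None or last.action != "deny" or (last.src, last.dst) != ("any", "any"):
        findings.append((-1, "missing final 'deny all' rule"))
    flows = {"control-dmz": set(), "dmz-corporate": set()}
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if "any" in (r.src, r.dst):
            findings.append((i, "permit rule must be IP-address specific"))
        if r.dport == "any" or r.proto == "any":
            findings.append((i, "permit rule must be TCP/UDP port specific"))
        if not (r.justification and r.owner):
            findings.append((i, "no documented justification or responsible person"))
        # Traffic must terminate in the DMZ: no direct control<->corporate permit.
        if {sz, dz} == {"control", "corporate"}:
            findings.append((i, "control<->corporate traffic must terminate in the DMZ"))
        # Control network devices are not allowed to reach the Internet.
        if sz == "control" and dz is None and r.dst != "any":
            findings.append((i, "control network devices must not reach the Internet"))
        if {sz, dz} == {"control", "dmz"}:
            flows["control-dmz"].add((r.proto, r.dport))
        if {sz, dz} == {"dmz", "corporate"}:
            flows["dmz-corporate"].add((r.proto, r.dport))
    # A protocol allowed control<->DMZ must not also be allowed DMZ<->corporate.
    for proto, port in sorted(flows["control-dmz"] & flows["dmz-corporate"]):
        findings.append((-1, f"{proto}/{port} is allowed on both sides of the DMZ"))
    return findings


def egress_source_ok(zone, src_ip):
    """Anti-spoofing egress filter: forward a packet leaving `zone` only if its
    source address is one assigned to that zone."""
    return ipaddress.ip_address(src_ip) in ZONES[zone]


# Constructed rule set containing several guideline violations.
SAMPLE_RULES = [
    Rule("permit", "tcp", "10.30.5.0/24", "10.20.0.10/32", "1433", "historian reads", "J. Doe"),
    Rule("permit", "tcp", "10.20.0.10/32", "10.10.1.5/32", "502", "historian polls PAC", "J. Doe"),
    Rule("permit", "tcp", "10.30.5.0/24", "10.20.0.10/32", "502"),  # 502 on both sides, undocumented
    Rule("permit", "tcp", "10.30.0.0/16", "10.10.1.5/32", "80"),    # corporate straight into control
    Rule("permit", "any", "10.10.0.0/16", "any", "any"),            # control to anywhere, any service
    Rule("deny", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    for idx, msg in check_ruleset(SAMPLE_RULES):
        print(f"rule {idx}: {msg}")
```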
Firewall Vulnerabilities
Denial of Service is one of the most common vulnerabilities of the outer perimeter. Other common vulnerabilities:
- Spoofing
- Worms and Trojans
- Viruses
- Hijacking
- False identity
- Data/Network Sabotage

These attacks on a control system can result in:
- Reduction or loss of production at one site or multiple sites simultaneously
- Injury or death of employees
- Injury or death of persons in the community
- Damage to equipment
- Release, diversion, or theft of hazardous materials
- National security breach
- Environmental damage
- Violation of regulatory requirements
- Product contamination
- Criminal or civil legal liabilities
- Loss of proprietary or confidential information
- Loss of brand image or customer confidence

Firewall Risk Mitigation

Packet Filtering
Devices on the control network require security based on unique applications and protocols. Packet filtering is a feature found on a firewall that provides protection based on:
- IP protocol
- Source IP address
- Source port
- Destination IP address
- Destination port

With packet filtering, access to a device can be restricted to only allow specific protocols (ports). In the drawing below, the PC can communicate with the PLC via port 80, but port 69 messages are blocked by the firewall. Ports that need extra protection due to low or no built-in security are:

Non-secure Protocol   IP Protocol   Port #
Telnet                TCP           23
HTTP                  TCP/UDP       80
SNMP v1&v2            TCP/UDP
FTP                   TCP           Data / 21-Command
TFTP                  UDP           69
DNS                   TCP/UDP       53
POP3                  TCP           110
SMTP                  TCP/UDP       25
Packet filtering should be implemented. Trusted ports are for outgoing connections and untrusted ports are for incoming connections. Some firewalls are even capable of looking within the protocol to make intelligent decisions about allowing or restricting specific messages. These highly evolved firewalls can look into a protocol such as Modbus TCP (port 502) and allow certain function codes to pass while blocking others. An example of this type of firewall is the Eagle Tofino from Hirschmann Electronics.

Anti-virus Software
Always implement anti-virus scanning and keep anti-virus software and definition files up to date. This applies to the SCADA system and all PCs used to monitor or maintain the control system.

Flood Protection
The firewall is an important player in preventing unwanted traffic such as DoS attacks from reaching the control network. DoS attacks are the most common form of flood attack. If a DoS attacker succeeds in penetrating the control network, the impact can be minimized using the flood protection provided in the firewall.
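As an added example of the function-code-aware filtering described above (this is illustration code written for this note, not the Eagle Tofino's or Schneider Electric's implementation), the program below parses the Modbus TCP MBAP header, reads the function code that follows it, and applies a per-source policy: a host listed as read-only may send only the read function codes, an engineering workstation may also write, and anything else or anything malformed is dropped. The two source addresses and the policy are constructed for the example; the function code numbers are those of the public Modbus application protocol.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

MODBUS_PORT = 502

# Public Modbus function codes (Modbus application protocol specification).
READ_FCS = {1, 2, 3, 4}             # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16, 22, 23}  # write single/multiple coils and registers, mask write, read/write

# Constructed policy (hypothetical hosts): the HMI may only read, the engineering
# workstation may read and write; any other source is denied.
POLICY = {
    "192.168.10.20": READ_FCS,
    "192.168.10.50": READ_FCS | WRITE_FCS,
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(payload: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header plus the function code; None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:                  # protocol identifier 0 = Modbus
        return None
    if length != len(payload) - 6:     # length field counts unit id + PDU
        return None
    return ModbusRequest(tid, unit_id, payload[7], payload[8:])


def build_request(tid: int, unit_id: int, fc: int, data: bytes) -> bytes:
    """Encode a Modbus TCP request (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def filter_request(src_ip: str, dport: int, payload: bytes) -> Tuple[str, str]:
    """Decide one TCP segment carrying a Modbus request, deep-inspection style."""
    if dport != MODBUS_PORT:
        return "deny", "not Modbus TCP"
    req = parse_mbap(payload)
    if req is None:
        return "deny", "malformed MBAP header"
    if req.function_code & 0x80:
        return "deny", "exception bit set in a request"
    allowed = POLICY.get(src_ip, set())
    if req.function_code in allowed:
        return "permit", f"fc {req.function_code} allowed for {src_ip}"
    return "deny", f"fc {req.function_code} not allowed for {src_ip}"


if __name__ == "__main__":
    read_holding = build_request(1, 1, 3, b"\x00\x00\x00\x0a")   # read 10 holding registers
    write_register = build_request(2, 1, 6, b"\x00\x10\x00\x01")  # write one register
    for host in ("192.168.10.20", "192.168.10.50", "192.168.10.99"):
        print(host, filter_request(host, 502, read_holding), filter_request(host, 502, write_register))
```

The length check matters in practice: a firewall that trusts the MBAP length field without comparing it to the bytes actually present can be made to look at the wrong byte as the function code, so a mismatch is treated as malformed and dropped rather than "repaired".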
Firewall Rules for Specific Services
Firewalls can deal with and help manage many of the protocols and services employed in industrial control systems. The ones discussed here are DNS, HTTP, DHCP, FTP, TFTP, Telnet, SMTP, POP, SNMP, and NAT.

Domain Name System (DNS) Server
A Domain Name System (DNS) server is a database used to translate DNS host names to IP addresses. Most Internet services rely heavily on DNS, but DNS is rarely used by control systems.
DNS Vulnerabilities
There are numerous exploits against DNS servers. The two most common are DNS cache poisoning and the DNS amplification attack. DNS cache poisoning replaces the intended domain IP address with the attacker's domain IP address. As a result of cache poisoning, web traffic, e-mail, and other important network data can be redirected to systems under the attacker's control. A DNS amplification attack is a type of DoS attack that generates traffic overload.

DNS Risk Mitigation
DNS requests are seldom needed from the control network to the corporate network and should be avoided if possible. Do not allow DNS requests into the control network. It is recommended that the DNS configuration be set to DNS Root Servers. Queries will be sent to the DNS Root server at the IP address stored in the mGuard. These addresses rarely change.

Hypertext Transfer Protocol (HTTP)
Hypertext Transfer Protocol is the underlying protocol used by the World Wide Web and is used in many applications: file download, software updates, or to initialize multimedia streams. The use of HTTP is increasing due to embedded web servers in control products. Schneider Electric web servers use HTTP communications to display data and send commands via web pages. Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol and a cryptographic protocol. The primary difference between HTTP and HTTPS is their default ports (80 for HTTP and 443 for HTTPS). HTTPS operates by transmitting normal HTTP with encryption. There are two common types of encryption layers:
- Transport Layer Security (TLS)
- Secure Sockets Layer (SSL) - predecessor

HTTP Vulnerabilities
HTTP has little inherent security and can be used as a transport mechanism for attacks and worms. Common attacks are man-in-the-middle and eavesdropping.

HTTP Risk Mitigation
If the HTTP server is not needed, disable it. Otherwise, use HTTPS instead of HTTP if possible, and only to a specific device.

DHCP
Dynamic Host Configuration Protocol (DHCP) is a network application protocol based on BootP. It is used by devices (DHCP clients) to obtain configuration information for operation in an Internet Protocol network. DHCP is an unauthenticated protocol. The DHCP service works using the DORA (Discover, Offer, Request and Acknowledgment) sequence. The DHCP service uses port 67/UDP on the DHCP server and 68/UDP on the DHCP clients. Schneider Electric uses DHCP for Faulty Device Replacement (FDR).

DHCP Vulnerabilities
There are two common types of DHCP attacks:
- DHCP starvation attack: the DHCP server is inundated with countless requests from different MAC addresses. The DHCP server eventually runs out of IP addresses, blocking a legitimate user from obtaining or renewing an IP address.
- DHCP rogue attack: the attacker disguises itself as a DHCP server and responds to a DHCP request with false IP addresses, resulting in a man-in-the-middle attack.

DHCP Risk Mitigation
- Prevent unauthorized persons from having physical or wireless access to the computer.
- It is recommended that DHCP be disabled in the firewall if it is not needed.
- Conflict: Schneider Electric devices such as the NOEs or ETYs have a built-in DHCP server. The DHCP server uses the device's MAC address or device name to serve the IP configuration and the name and location of the configuration file.

FTP and TFTP
File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) are used for transferring files between devices. Transparent Ready devices use FTP to load firmware, load custom web pages, retrieve crash logs, etc. TFTP is used as a bare-bones unidirectional special-purpose file transfer (firmware uploads).

FTP Vulnerabilities
FTP uses a login password that is not encrypted, and for TFTP no login is required. FTP is vulnerable to buffer overflow and FTP bounce attacks. The FTP bounce attack uses an FTP server in passive mode to transmit information to any device on the network. To begin the bounce attack process, the attacker must log in to the FTP server that will be used as the "middleman." Once connected to the FTP server, the attacker sends the PORT command to direct all data connections to the destination IP address and TCP port.
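Where DHCP cannot be disabled (the FDR conflict noted in the DHCP risk mitigation above), the two DHCP attacks described there are both visible on the wire, and the following Python program is an added example of detecting them. It is illustration code for this note, not a Schneider Electric or firewall vendor feature: it parses the fixed BOOTP header and the options a monitor needs, raises an alert when an OFFER or ACK names a server identifier outside the authorised list, and raises another when the number of distinct client MAC addresses sending DISCOVER within a sliding window passes a threshold. The server address, threshold and sample messages are constructed for the example.

```python
import socket
import struct
from collections import deque
from typing import Dict, List, Optional

DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 1, 2, 3, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp(pkt: bytes) -> Optional[Dict]:
    """Parse the fixed BOOTP header and the two options a monitor needs."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        return None
    hlen = pkt[2]
    msg = {"op": pkt[0], "chaddr": pkt[28:28 + hlen], "yiaddr": socket.inet_ntoa(pkt[16:20]),
           "msg_type": None, "server_id": None}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad
            i += 1
            continue
        if i + 1 >= len(pkt):
            return None
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg["msg_type"] = value[0]            # DHCP message type
        elif code == 54 and length == 4:
            msg["server_id"] = socket.inet_ntoa(value)   # server identifier
        i += 2 + length
    return msg


def build_dhcp(op: int, mac: bytes, msg_type: int, server_id: Optional[str] = None,
               yiaddr: str = "0.0.0.0") -> bytes:
    """Construct a minimal DHCP message (sample traffic for this example)."""
    header = struct.pack(">BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    header += bytes(4) + socket.inet_aton(yiaddr) + bytes(8)          # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\0") + bytes(64) + bytes(128)           # chaddr, sname, file
    options = bytes([53, 1, msg_type])
    if server_id:
        options += bytes([54, 4]) + socket.inet_aton(server_id)
    return header + MAGIC_COOKIE + options + b"\xff"


class DhcpMonitor:
    """Alerts on offers from unknown servers and on DISCOVER floods."""

    def __init__(self, authorized_servers, starvation_threshold: int = 20, window_s: float = 10.0):
        self.authorized = set(authorized_servers)
        self.threshold = starvation_threshold
        self.window = window_s
        self.discovers = deque()      # (timestamp, chaddr) seen within the window

    def observe(self, ts: float, pkt: bytes) -> List[str]:
        alerts = []
        msg = parse_dhcp(pkt)
        if msg is None:
            return ["malformed DHCP message"]
        if msg["msg_type"] in (DHCP_OFFER, DHCP_ACK):
            # An offer without a server identifier is also reported (src None).
            src = msg["server_id"]
            if src not in self.authorized:
                alerts.append(f"rogue DHCP server {src} offered {msg['yiaddr']}")
        elif msg["msg_type"] == DHCP_DISCOVER:
            self.discovers.append((ts, msg["chaddr"]))
            while self.discovers and ts - self.discovers[0][0] > self.window:
                self.discovers.popleft()
            distinct = len({mac for _, mac in self.discovers})
            if distinct >= self.threshold:
                alerts.append(f"possible DHCP starvation: {distinct} distinct MACs in {self.window}s")
        return alerts
```

The starvation threshold is deliberately a parameter: on a cell network with a fixed, known population of devices a burst of unfamiliar MAC addresses is abnormal, whereas after a power cycle every device legitimately sends DISCOVER at once, so the threshold and window have to be set from the size of the segment.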
FTP Risk Mitigation
- FTP communications should be allowed for outbound sessions only unless secured with additional token-based multi-factor authentication and an encrypted tunnel.
- If possible, use more secure protocols such as Secure FTP (SFTP) or Secure Copy (SCP).
- Configure each server connection individually.
- Use packet filtering to allow access only to the FTP server.
- FTP files should be checked for viruses. Identify the IP address of the FTP server and enable content scanning for viruses if files are not expected to exceed the maximum file size. Large files that exceed the maximum file size are dropped.
Telnet
The Telnet protocol provides an interactive, text-based communications session between a client and a host. Telnet provides access to a command-line interface, typically via port 23. It is mainly used for remote login and simple control services on systems with limited resources or with limited needs for security. Due to the security risks, Schneider has limited the use of Telnet in its products.

Telnet Vulnerabilities
Use of Telnet is a severe security risk because all Telnet traffic, including passwords, is unencrypted. It can allow a remote individual considerable control over a device.

Telnet Risk Mitigation
- Inbound Telnet sessions from the corporate to the control network should be prohibited unless secured with authentication and an encrypted tunnel.
- Outbound Telnet sessions should be allowed only over encrypted tunnels (e.g., VPN) to specific devices (covered in the Remote Access section).

Simple Mail Transfer Protocol (SMTP) & Post Office Protocol (POP3)
E-mail notification in the automation industry is becoming more prevalent as plants downsize and rely on remote experts to troubleshoot and fix detected problems. PlantStruxure devices only send e-mail. However, there is potential that non-Schneider Electric devices residing on the network can receive e-mail. Therefore, it is highly recommended that firewalls be configured to scan e-mail for viruses.

The Simple Mail Transport Protocol (SMTP) is an Internet standard used by clients or mail transfer agents (MTA) to send e-mails. An SMTP server performs two functions:
- Verifies that the configuration is valid and grants permission to the computer sending the message.
- Sends the outgoing message to a predefined destination and validates the successful transfer of the message. If the message is not successfully transferred, a message is sent back to the sender.

Post Office Protocol v3 (POP3) or Internet Message Access Protocol (IMAP) is used by local e-mail clients to download e-mail from a remote server. The POP3 server receives the message and retains it until it is retrieved by the local client. POP3 uses port 110.

SMTP & POP3 Vulnerabilities
Directory harvesting is the most common form of attack. The attack relies on invalid e-mail addresses being rejected by the system either during the SMTP conversation or afterwards via a Delivery Status Notification (DSN). When the attacker receives a rejection from an invalid address, the address sent is discarded. When no rejection or DSN is received, the address is considered valid and is added to a spam database. The attacker typically uses two methods:
- Brute force: an approach that sends messages with all possible alphanumeric characters and waits for a valid response.
- Selective: an approach sending an e-mail using a likely username in hopes of finding a valid one.

SMTP and POP3 Risk Mitigation
- Inbound e-mail should not be allowed to any control network device.
- Outbound SMTP mail messages from the control network to the corporate network are acceptable in order to send alert messages. PlantStruxure devices today only send e-mails.
- All e-mails should be scanned for viruses. Note that some firewalls are not able to check encrypted data for viruses. Identify which IP address requires anti-virus protection and enable content scanning for viruses if files are not expected to exceed the maximum file size.

Simple Network Management Protocol (SNMP)
All PlantStruxure Ethernet devices have SNMP service capability for network management. Most PlantStruxure devices use SNMP v1, which does not use encryption and is therefore considered insecure. ConneXium switches are an exception. They use SNMP v3, which has added security features:
- Message integrity
- Authentication
- Encryption
SNMP consists of three parts:
- Manager: an application that manages SNMP agents on a network by issuing requests, getting responses, and listening for and processing agent-issued traps. Managed devices can be any type of device: routers, access servers, switches, bridges, hubs, PACs, drives.
- Agent: a network-management software module that resides in a managed device. Agents allow configuration parameters to be changed by managers.
- Network management system (NMS): the terminal through which administrators conduct administration tasks.

SNMP Vulnerabilities
SNMP in general is weak in security. Versions 1 and 2 of SNMP use unencrypted passwords to both read and configure devices. Passwords may not be changeable. Version 3 is considerably more secure but is still limited in use. SNMP is often installed with "public" as the read string and "private" as the write string. This type of installation provides an attacker with the means to perform reconnaissance on a system or to create a denial of service. SNMP also provides information about the system that may allow the attacker to piece together the network layout and its interconnections.
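Because SNMP v1 and v2c send the community string in clear text, a passive monitor on the control network can see exactly what this section warns about. The Python program below is an added example for this note (not Schneider Electric or ConneXium code) that decodes the outer BER structure of an SNMP message just far enough to read the version, the community string and the PDU type, and reports the findings a monitor would raise: clear-text community in use, a default "public"/"private" string, or a SetRequest (write) made with such a string. The sample messages are constructed by the build_snmp() helper; it assumes every length fits the BER short form, which holds for these small messages.

```python
from typing import Dict, List, Optional, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}   # the defaults this section says are often left in place
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}


def _read_tlv(buf: bytes, i: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at offset i; return (tag, value, next offset)."""
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:                    # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def parse_snmp(msg: bytes) -> Optional[Dict]:
    """Extract version, community string and PDU type from an SNMP message."""
    try:
        tag, body, _ = _read_tlv(msg, 0)
        if tag != 0x30:                  # outer SEQUENCE
            return None
        tag, ver, j = _read_tlv(body, 0)
        if tag != 0x02:                  # INTEGER version
            return None
        version = int.from_bytes(ver, "big")   # 0 = v1, 1 = v2c, 3 = v3
        if version == 3:                       # v3 carries no community string
            return {"version": 3, "community": None, "pdu": None}
        tag, community, j = _read_tlv(body, j)
        if tag != 0x04:                  # OCTET STRING community
            return None
        return {"version": version, "community": community.decode("ascii", "replace"),
                "pdu": PDU_NAMES.get(body[j], f"0x{body[j]:02x}")}
    except IndexError:
        return None


def build_snmp(version: int, community: bytes, pdu_tag: int) -> bytes:
    """Construct a small v1/v2c message with an empty variable-binding list
    (sample traffic for this example; assumes short-form BER lengths)."""
    pdu = bytes([pdu_tag, 11]) + b"\x02\x01\x01" + b"\x02\x01\x00" + b"\x02\x01\x00" + b"\x30\x00"
    body = b"\x02\x01" + bytes([version]) + b"\x04" + bytes([len(community)]) + community + pdu
    return b"\x30" + bytes([len(body)]) + body


def assess(msg: bytes) -> List[str]:
    """Findings a monitor would raise for one captured SNMP message."""
    parsed = parse_snmp(msg)
    if parsed is None:
        return ["not a parsable SNMP message"]
    findings = []
    if parsed["version"] in (0, 1):
        findings.append("SNMPv1/v2c: community string travels in clear text")
        if parsed["community"] in DEFAULT_COMMUNITIES:
            findings.append(f"default community string '{parsed['community']}' in use")
        if parsed["pdu"] == "SetRequest":
            findings.append(f"write access attempted with community '{parsed['community']}'")
    return findings


if __name__ == "__main__":
    for sample in (build_snmp(0, b"public", 0xA0), build_snmp(1, b"private", 0xA3)):
        print(parse_snmp(sample), assess(sample))
```

A v3 message returns no findings here because its header carries no community string; whether its authentication and privacy flags are set would require parsing the msgGlobalData that follows, which this example leaves out.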
SNMP Risk Mitigation
- The best defense is to upgrade to SNMP v3, which encrypts passwords and messages.
- SNMP v1 & v2 commands to and from the control network should be prohibited unless they travel over a separate, secured management network.
- Control access by identifying which IP addresses have the privilege to query an SNMP device.

Network Address Translation (NAT)
Network Address Translation (NAT) is a firewall feature that does not let the outside learn a device's true IP address, so the outside is unable to access the device directly. NAT is a method to map the entire network to a single IP address prior to transmitting. NAT relies on the premise that not every internal device is actively communicating with external hosts at any given moment. The firewall must track the state of each connection and how each private internal IP address and source port was remapped. When the response is received by the firewall, the IP address mapping is reversed and the packets are forwarded to the proper internal host. Although NAT routers are not technically firewalls because they do not filter packets, NAT does protect the PlantStruxure devices from the network. NAT provides a high level of security by blocking packets originating from the Internet from accessing the device directly. Only responses to a request are allowed to pass through. NAT was initially developed to address the shrinking pool of available IP addresses prior to IPv6. NAT is also referred to as IP masquerading.

NAT Vulnerabilities
None known.

NAT Configuration Recommendation
Use NAT whenever possible. Note that NAT does not support producer-consumer protocols such as EtherNet/IP or Foundation Fieldbus.
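The connection-tracking behaviour described above (remap the internal address and source port on the way out, reverse the mapping only for the reply to a tracked flow, drop everything else) is shown in the following Python class, an added example written for this note rather than any firewall's implementation. The public address, internal range and port numbers are constructed; the class keeps a table keyed by protocol and public port, and inbound() translates a packet only when the table has an entry for that port and the packet comes from the remote endpoint that entry was created for.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class NatGateway:
    """Port-overloading NAT (IP masquerading) with a connection-tracking table.
    Only replies to a tracked outbound flow are translated back inward."""

    def __init__(self, public_ip: str, internal_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.internal = ipaddress.ip_network(internal_net)
        self.next_port = first_port
        # (proto, public port) -> (internal endpoint, remote endpoint)
        self.table: Dict[Tuple[str, int], Tuple[Endpoint, Endpoint]] = {}

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Translate an internal host's outgoing packet; returns its new source endpoint."""
        if ipaddress.ip_address(src[0]) not in self.internal:
            return None                       # not an internal address: nothing to masquerade
        for pub, (inside, remote) in self.table.items():
            if pub[0] == proto and inside == src and remote == dst:
                return (self.public_ip, pub[1])   # flow already tracked: reuse its mapping
        pub_port = self.next_port
        self.next_port += 1
        self.table[(proto, pub_port)] = (src, dst)
        return (self.public_ip, pub_port)

    def inbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Reverse-translate a packet from outside; None means drop (unsolicited)."""
        if dst[0] != self.public_ip:
            return None
        entry = self.table.get((proto, dst[1]))
        if entry is None:
            return None                       # nobody inside asked for this
        inside, remote = entry
        if remote != src:
            return None                       # reply must come from the host that was contacted
        return inside


if __name__ == "__main__":
    nat = NatGateway("203.0.113.1", "192.168.10.0/24")   # constructed addresses
    print(nat.outbound("tcp", ("192.168.10.5", 50000), ("198.51.100.7", 443)))
    print(nat.inbound("tcp", ("198.51.100.7", 443), ("203.0.113.1", 40000)))
    print(nat.inbound("tcp", ("198.51.100.7", 443), ("203.0.113.1", 40002)))   # dropped
```

The remote-endpoint comparison in inbound() is what makes this behaviour "only responses to a request"; a looser NAT that forwards any packet arriving on a mapped port would let a third host reach the internal device once a mapping exists, and the example also shows why a NAT-only device is not a substitute for packet filtering: it never looks at what the permitted flow carries.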
Since NAT is usually used on routers and network gateways, it is necessary to enable IP forwarding so that packets can travel between networks.

External Authentication
Authentication is the process of determining a person's true identity. There are several methods of external authentication. Remote Authentication Dial In User Service (RADIUS) is the most popular network protocol used in the control system network. RADIUS provides three functions:
- Authenticate users or devices before granting them access to a network.
- Authorize users or devices for certain network services.
- Account for usage of those services.

Transactions between the client and the RADIUS server are authenticated through the use of a shared secret. The shared secret is encrypted using the MD5 hashing algorithm. Originally, RADIUS was developed for dial-up remote access. Today, RADIUS is supported by VPN servers, wireless access points, authenticating Ethernet switches, Digital Subscriber Line (DSL) access, and other network access types.
Authentication Guidelines
- Use a different shared secret for each RADIUS server-RADIUS client pair.
- If possible, configure shared secrets with a minimum length of 16 characters consisting of a random sequence of upper and lower case letters, numbers, and punctuation.

Authentication Vulnerabilities
The RADIUS shared secret does not have sufficient randomness to withstand an offline dictionary attack. This vulnerability is addressed using IPsec in the Remote Access section.
Authentication Risk Mitigation
Implement RADIUS authentication on the firewall. Enter a shared secret used to authenticate the communication between the RADIUS server and a RADIUS client.

Remote Access
There is a growing demand to establish connections to the control system that enable engineers and support personnel to monitor and control the system from remote locations. Remote access can be costly and susceptible to cyber attacks if not configured correctly. Many companies are migrating from telephone modems to a virtual private network (VPN) to reduce this risk. A VPN provides the highest possible level of security, through encryption and authentication, preventing viewing of the data over the public Internet.
There are two VPN technologies in use: IPsec and SSL.
- Internet Protocol Security (IPsec): IPsec is an open standard, transparent to the application, which provides IP network-layer encryption for private, secure communications over Internet Protocol (IP) networks. IPsec supports:
  - network-level data integrity
  - data confidentiality
  - data origin authentication
  - replay protection
  IPsec supports both digital signature and secret key algorithms.
- Secure Socket Layer (SSL): SSL is a common protocol built into most web browsers. SSL is easier to configure and does not require special client software. However, SSL only works for web-based (TCP) applications and only supports digital signatures.
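Two of the IPsec properties listed above, data integrity with data origin authentication and replay protection, are worth seeing in working code. The Python program below is an added example for this note (not any VPN product's implementation): it computes an ESP-style integrity check value, an HMAC over the SPI, the sequence number and the payload truncated to 96 bits as HMAC-SHA1-96 and HMAC-MD5-96 do, and on the receiving side verifies it in constant time and enforces a 64-packet sliding anti-replay window of the kind RFC 4303 describes. The key, SPI and payloads are constructed for the example, and no encryption is performed, so this shows AH-like protection rather than a complete ESP packet.

```python
import hashlib
import hmac
import struct
from typing import Tuple

WINDOW = 64   # RFC 4303 minimum anti-replay window size, in packets


def esp_icv(key: bytes, spi: int, seq: int, payload: bytes, digest: str = "sha1") -> bytes:
    """HMAC over SPI, sequence number and payload, truncated to 96 bits."""
    mac = hmac.new(key, struct.pack(">II", spi, seq) + payload, getattr(hashlib, digest)).digest()
    return mac[:12]


class EspSender:
    def __init__(self, key: bytes, spi: int, digest: str = "sha1"):
        self.key, self.spi, self.digest, self.seq = key, spi, digest, 0

    def protect(self, payload: bytes) -> Tuple[int, bytes, bytes]:
        """Number the packet and attach its ICV; sequence numbers start at 1."""
        self.seq += 1
        return self.seq, payload, esp_icv(self.key, self.spi, self.seq, payload, self.digest)


class EspReceiver:
    """Verifies the ICV and enforces a sliding anti-replay window."""

    def __init__(self, key: bytes, spi: int, digest: str = "sha1"):
        self.key, self.spi, self.digest = key, spi, digest
        self.last = 0      # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0    # bit i set <=> sequence number (last - i) has been accepted

    def receive(self, seq: int, payload: bytes, icv: bytes) -> Tuple[bool, str]:
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq <= self.last:                       # cheap window pre-check before the MAC
            diff = self.last - seq
            if diff >= WINDOW:
                return False, "outside replay window"
            if (self.bitmap >> diff) & 1:
                return False, "replayed packet"
        expected = esp_icv(self.key, self.spi, seq, payload, self.digest)
        if not hmac.compare_digest(expected, icv):   # constant-time comparison
            return False, "integrity check failed"
        if seq > self.last:                        # slide the window forward
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.last = seq
        else:                                      # late but unseen: mark it
            self.bitmap |= 1 << (self.last - seq)
        return True, "accepted"


if __name__ == "__main__":
    key = b"constructed-32-byte-key-for-demo!"
    tx, rx = EspSender(key, 0x1000), EspReceiver(key, 0x1000)
    first = tx.protect(b"hello")
    print(rx.receive(*first))                        # accepted
    print(rx.receive(*first))                        # replayed packet
    print(rx.receive(first[0], b"HELLO", first[2]))  # rejected before the MAC: replayed
```

Two details carry the security argument: the window check runs before the HMAC so that a flood of replayed packets costs the receiver almost nothing, and the window is only updated after the ICV verifies, so a forged packet with a high sequence number cannot push legitimate in-flight packets out of the window.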
For remote access, a VPN with IP security (IPsec) is highly recommended. IPsec is a suite of standards for performing encryption, authentication, and secure tunnel setup. IPsec essentially creates private end-to-end tunnels out of the public bandwidth available on the Internet. IPsec uses the following components:
- Internet Key Exchange (IKE and IKEv2)
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)

IPsec has two connection modes, Tunnel and Transport mode:
- Tunnel mode: the connection is established Gateway-to-Gateway, Gateway-to-Host or Host-to-Host. The entire IP packet is encapsulated to provide a virtual secure hop between two gateways and a secure tunnel across an untrusted Internet (recommended).
- Transport mode: the connection is Host-to-Host. Only the payload (the data you transfer) of the IP packet is encrypted and/or authenticated.

The VPN tunnel uses algorithms to encrypt and decrypt user information. The three common encryption protocols are:
- AES (Advanced Encryption Standard)
- DES (Data Encryption Standard)
- Triple-DES (3DES) - effectively doubles encryption strength over DES.

Authentication is necessary to make sure that no change is made to a message during transmission. A hash, a one-way algorithm, takes an input message of arbitrary length and produces a fixed-length output. Hash algorithms are used by IKE, AH and ESP to authenticate data. The two popular hash algorithms are:
- Message Digest 5 (MD5): 160 bit key.
- Secure Hash Algorithm 1 (SHA-1): generates a 160-bit (20 byte) message digest. SHA-1 is slower than MD5 but offers greater protection against brute force attacks.

Remote Access Guidelines
- All remote access enabling hardware and software should be approved and installed in accordance with the Security Policy.
- Remote access should only be enabled when required, approved, and authenticated.
- Disable remote access when not needed.
- Change passwords once a remote maintenance session has terminated.
- Consider the risk to the process when allowing remote access.
- Remote support personnel connecting over the Internet or via dial-up modems should use an encrypted protocol such as IPsec. Once connected, they should be required to authenticate a second time at the control network firewall using a strong mechanism, such as a token-based multi-factor authentication scheme, to gain access to the control network.
- Automatically lock accounts or access paths after a preset number of consecutive invalid password attempts.
- Change or delete any default passwords or user IDs.
- Change passwords periodically.
- For remote access modems, change default settings as appropriate:
  - Set dial-out modems to not auto-answer.
  - Increase the ring count before answer.
  - Utilize the inactivity timeout if available.
- Use callback whenever possible.
- Verify that the VPN devices do not have a negative impact on the control system network.

Remote Access Vulnerabilities
- Inadequate access restriction is the number one vulnerability of the control system network.
- Firewall filtering deficiencies.
- Services allowed into the control system network.
- War dial-ups (a computer dialing consecutive telephone numbers seeking a modem).
- Connection passwords programmed with the vendor's default password.
- Access links not protected with authentication and/or encryption.

Wireless has additional challenges because radio waves propagate outside the intended area:
- Attackers who are within range can hijack or intercept an unprotected connection.
- Wardriving is a common form of attack where a person searches for wireless devices from a moving vehicle, using a portable computer or PDA.

Remote Access Risk Mitigation

External Communication
The firewall should be configured for a VPN connection using tunnel mode, network to network. Network to network is the most secure and will function in all applications.

Protecting the Perimeter for Remote Control
Remote control differs from remote access in that remote control often bypasses the security perimeter protection due to the latency introduced by the firewall. A risk analysis by the organization is required to balance risk versus functionality. Remote control with wireless brings additional security challenges. The best defense is to use a VPN tunnel with IPsec (same as the firewall).

Remote Control Guideline
The wireless recommendations and guidance from the Industrial Control System Security organization are:
- Prior to installation, a wireless survey should be performed to determine antenna location and strength to minimize exposure of the wireless network. The survey should take into account the fact that attackers can use powerful directional antennas, which extend the effective range of a wireless LAN beyond the expected standard range. Faraday cages and other methods are also available to minimize exposure of the wireless network outside of the designated areas.
- Wireless user access should utilize IEEE 802.1X authentication using a secure authentication protocol (e.g., Extensible Authentication Protocol [EAP] with TLS [EAP-TLS]) that authenticates users via a user certificate or a Remote Authentication Dial In User Service (RADIUS) server.
- The wireless access points and data servers for wireless worker devices should be located on an isolated network with documented and minimal (single if possible) connections to the ICS network.
- Wireless access points should be configured to have a unique service set identifier (SSID), disable SSID broadcast, and enable MAC filtering at a minimum.
- Wireless devices, if utilized in a Microsoft Windows ICS network, should be configured into a separate organizational unit of the Windows domain.
- Wireless device communications should be encrypted and integrity-protected. The encryption must not degrade the operational performance of the end device. Encryption at OSI Layer 2 should be considered, rather than at Layer 3, to reduce encryption latency. The use of hardware accelerators to perform cryptographic functions should also be considered.
- For mesh networks, consider the use of broadcast key versus public key management implemented at OSI Layer 2 to maximize performance.
- Asymmetric cryptography should be used to perform administrative functions, and symmetric encryption should be used to secure each data stream as well as network control traffic.
- An adaptive routing protocol should be considered if the devices are to be used for wireless mobility. The convergence time of the network should be as fast as possible, supporting rapid network recovery in the event of a detected failure or power loss. The use of a mesh network may provide fault tolerance through alternate route selection and pre-emptive fail-over of the network.
Remote Control Vulnerabilities for Wireless
- Security settings are either not configured or configured for poor security.
- Radio waves propagate outside the intended area; it is easy to eavesdrop.
- Physical location permits easy access.
- No security policies for setting up a wireless network.
- Attackers who are within range can hijack or intercept an unprotected connection.
- War driving: a common form of attack where a person searches for wireless devices from a moving vehicle, using a portable computer or PDA.

Remote Control Risk Mitigation
FactoryCast ETG302x provides VPN capabilities for remote control. It is recommended that two ETGs be used to gain access to the control network from the RTU station using wireless. The same rules apply to the ETG302x as to the firewall:
- A pre-shared key is used for authentication.
- For PlantStruxure devices, always use tunnel mode (mandatory).
- The encryption is preconfigured to 3DES (high) and the authentication algorithm to SHA-2.
- Enable VPN on both ETG302x and configure the remote LAN in each.
- After selecting VPN mode on both ETGs, configure the GPRS DNS name and set the mode to tunnel.

Below, you see a fully configured system providing VPN access across the public Internet, ensuring secured communications.
3.4. Network Segmentation via VLAN

Virtual LANs
Virtual LANs (VLANs) are commonly used to segment networks. VLANs divide physical networks into smaller logical networks to increase performance, improve manageability, simplify network design and provide another layer of security. Segmentation can be accomplished using devices such as firewalls, routers and Ethernet switches with access control lists.

Network segmentation advantages:
- Contains attacks (viruses, worms, trojans, spam, adware) to one network segment.
- Improves security by ensuring that nodes are not visible to unauthorized networks. Most of an intruder's scans are dropped by the network before they ever hit a potential target system.
- Contains information leaks if there is a security breach on a network.
- Broadcasts and multicasts are restricted to their respective VLANs.
- Improves network performance and reduces network congestion.
- Controls communication access from one segment to another, providing enhanced security to a critical device or system.

For a control system, segmentation can be done at several levels: switches, VLANs, and firewalls.
- The first level involves the use of Ethernet switches to prevent unwanted traffic from going to all devices, which would potentially allow an attacker to view the data.
- The second level involves the use of switches with VLAN functionality to further restrict traffic. At this point, the concept of a communications or security zone is introduced. The control network is broken into separate zones based on physical proximity or purpose. Use of Access Control Lists further enhances the level of security of the zones.
- The third level involves the use of high-performance industrial firewalls or routers to limit access to a communications zone and to monitor traffic inside the zone. As firewalls and routers are added to the system, the user must be cognizant of potentially reduced network performance.
A VLAN is a broadcast domain (layer 2) configured on Ethernet switches on a port-by-port basis that isolates traffic from other VLANs. When two devices are defined as being on the same VLAN, the switch passes messages through with no filtering. VLANs are typically grouped by:
- Functionality or Cell Area: only the traffic relevant to a particular cell area and necessary for its operation.
- Access Requirements: access requirements differ for different types of users: operators, engineers, vendors, accounting.
- Security: access to sensitive information needs to be shielded: accounting, human resources, research.
- Traffic: limit the traffic load to achieve the required throughput.

Segmentation Recommendation Guideline:
- Use one VLAN per ring topology for all manufacturing traffic per cell/area zone.
- VoIP should be on a separate VLAN.
- Packets entering the DMZ from the Internet are assigned a restricted VLAN ID that allows access only to devices on the DMZ.
- All unnecessary traffic should be removed from the particular VLAN.
- Apply QoS ACLs to rate-limit the maximum amount of ping traffic allowed.
- Prevent all Telnet connections and allow only SSH sessions.
- Connect untrusted devices to untrusted ports, trusted devices to trusted ports.
- Disable unused ports and put them into an unused VLAN.

VLAN Vulnerabilities
VLAN hopping is a method of attacking networked resources on a VLAN. In the VLAN hopping attack, the attacker uses switch spoofing or double-encapsulated frames on an unauthorized port to gain access to another VLAN. Common types of attacks carried out once the intruder has gained access to the desired VLAN:
- MAC flooding attack (confined to the VLAN of origin)
- 802.1Q and ISL Tagging Attack
- Double-Encapsulated 802.1Q/Nested VLAN Attack
- ARP Attacks
- Private VLAN Attack
- Multicast Brute Force Attack
- Spanning-Tree Attack
- Random Frame Stress Attack

VLAN Risk Mitigation
ConneXium VLAN capabilities allow limiting access to areas/zones of responsibility. For example, the engineer may have access to the entire plant, but an operator responsible for sites A and B should not have access to site C. Maintenance personnel assigned to site C should only have access to that site. This confines the area of vulnerability.
- Use caution when configuring VLAN 0 Transparent Mode. If checked, packets are sent without VLAN membership.
- Use ingress filtering to validate that incoming packets are legitimate.

Communications Between VLANs
Once the network is segmented into VLANs, many users want to allow restricted communications between VLANs. This can be achieved by use of a Layer 3 switch/router that maps traffic from one VLAN to another. Schneider recommends the Hirschmann MICE range of Layer 3 switches for this purpose.

Communication / Security Zones
Each VLAN can be thought of as a communications or security zone with a defined list of network traffic that can enter the zone. A zone can be as small as a single device or as large as an entire plant. To limit the network traffic entering a zone, Schneider recommends the Hirschmann Eagle Tofino firewall appliance. This appliance is protocol-aware, providing the ability to monitor and limit access to specific data registers or function codes for each connected device. The Eagle Tofino firewall is specifically designed for use in industrial control systems, providing a setup and interface familiar to control system engineers.
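The ingress filtering recommended under VLAN Risk Mitigation is what stops the double-encapsulated 802.1Q frame listed among the VLAN hopping techniques, and the following Python program is an added example of what such a filter checks (illustration code for this note, not ConneXium or Hirschmann switch firmware). It reads the 802.1Q tag stack of an Ethernet frame, then applies the port's role: an access port accepts only untagged frames and places them in its VLAN, a trunk accepts one tag from its allowed list and places untagged frames in the native VLAN, and any frame carrying more than one tag, a reserved VLAN ID, or a tag for the trunk's native VLAN is dropped. The MAC addresses, port configurations and sample frames are constructed; switch spoofing via DTP is a separate control-plane matter this data-plane check does not cover.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

TPID_8021Q, TPID_8021AD = 0x8100, 0x88A8   # C-tag and S-tag (QinQ) tag protocol identifiers


@dataclass
class PortConfig:
    mode: str                  # "access" or "trunk"
    vlan: int = 1              # access VLAN, or native VLAN for a trunk
    allowed: Set[int] = field(default_factory=set)   # trunk: VLAN IDs permitted tagged


def parse_tags(frame: bytes) -> Tuple[List[int], int]:
    """Return the stack of VLAN IDs (outermost first) and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    vids, i = [], 12
    while True:
        if i + 2 > len(frame):
            raise ValueError("truncated tag stack")
        (ethertype,) = struct.unpack(">H", frame[i:i + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vids, ethertype
        if i + 4 > len(frame):
            raise ValueError("truncated tag stack")
        (tci,) = struct.unpack(">H", frame[i + 2:i + 4])
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI carry the VLAN ID
        i += 4


def build_frame(vids: List[int], ethertype: int = 0x0800,
                payload: bytes = b"\x45" + bytes(19)) -> bytes:
    """Construct an Ethernet frame with zero or more 802.1Q tags (sample traffic)."""
    dst, src = bytes.fromhex("0000540a0b0c"), bytes.fromhex("0000540a0b0d")   # constructed MACs
    tags = b"".join(struct.pack(">HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack(">H", ethertype) + payload


def ingress_check(port: PortConfig, frame: bytes) -> Tuple[str, str, Optional[int]]:
    """Ingress filtering: ('accept' | 'drop', reason, VLAN the frame is placed in)."""
    try:
        vids, _ = parse_tags(frame)
    except ValueError as e:
        return "drop", str(e), None
    if len(vids) > 1:
        return "drop", "double-encapsulated 802.1Q frame (VLAN hopping attempt)", None
    if any(v in (0, 4095) for v in vids):
        return "drop", "reserved VLAN ID", None
    if port.mode == "access":
        if vids:
            return "drop", "tagged frame on access port", None
        return "accept", "untagged frame on access port", port.vlan
    # trunk port
    if not vids:
        return "accept", "untagged frame placed in native VLAN", port.vlan
    if vids[0] == port.vlan:
        return "drop", "native VLAN must arrive untagged on this trunk", None
    if vids[0] not in port.allowed:
        return "drop", f"VLAN {vids[0]} not allowed on this trunk", None
    return "accept", f"tagged frame in VLAN {vids[0]}", vids[0]


if __name__ == "__main__":
    access = PortConfig("access", vlan=10)                         # constructed port roles
    trunk = PortConfig("trunk", vlan=1, allowed={10, 20, 30})
    print(ingress_check(access, build_frame([])))
    print(ingress_check(access, build_frame([20])))
    print(ingress_check(trunk, build_frame([1, 30])))              # double tag: dropped
    print(ingress_check(trunk, build_frame([30])))
```

Dropping frames tagged with the trunk's own native VLAN is the check that makes the double-tag trick inert: the attack relies on the switch stripping an outer native-VLAN tag and forwarding the inner one, so a trunk that never accepts a native-VLAN tag (or, as the guideline puts it, keeps the native VLAN unused) has nothing to strip.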
3.5. Device Hardening
Device hardening is a process that reconfigures a device's default settings to strengthen security. Device hardening applies to routers, firewalls, switches and other devices on the network such as SCADA systems and PACs. Examples of device hardening:
- Password management including encryption
- Disabling of unused services
- Access control
- Network intrusion detection systems (NIDS)
- Strong authentication

The following section demonstrates methods of hardening Schneider Electric devices.

Passwords
Password management is one of the fundamental means of device hardening; it can easily and quickly be implemented but is often neglected in the control system network. Policies and procedures are often lacking or missing entirely. Caution must be taken when considering security requirements and their potential ramifications (i.e. performance, safety or reliability being adversely impacted).

Guidelines for password configuration
- Default passwords must be changed immediately after installation:
  - User and application passwords
  - Scripts & source code
  - Network control equipment
- All user accounts must have passwords.
- Limit passwords to people that need access.
- Passwords should not be shared and should be difficult to guess.
- Passwords should contain at least 8 characters and contain:
  - Upper and lowercase letters
  - Numbers
  - Non-alphanumeric characters (e.g. !, $, #, %)
- Passwords should be changed regularly.
- Remove an employee's access account when employment has terminated.
- Use different passwords for different accounts, systems and applications.
- There needs to be a secured master list of all passwords in the plant at all times that can quickly be accessed in the event of an emergency.
- Password implementation must never interfere with the ability of an operator to respond to a situation (e.g. emergency shut-down).
- Passwords should not be transmitted electronically over the insecure Internet, such as via e-mail.

Password Vulnerabilities
- Storing passwords and dial-up numbers on unprotected portable devices that may be lost or stolen.
- Lack of a password policy to define strength and usage.
- Use of default passwords allowing unauthorized access.
- Passwords are not kept confidential and are shared or posted.
- Sending unencrypted passwords through unprotected communications (i.e. FTP, SMTP).
- Providing inappropriate process control privileges to operators: either too much (e.g. administrative privileges) or too little (e.g. preventing operators from being able to take emergency corrective actions).
- Poorly chosen passwords can easily be guessed by humans or computers.
- Default passwords are not changed, and default settings can easily be found in manuals.

Password Risk Mitigation
- SMTP server, HTTP web server: enable password authentication on all e-mail and web servers: PLCs, Ethernet interface modules, built-in web servers.
- FTP: change the default password of the FTP server.

Device Access Control
One method of device hardening is to implement access control on the Schneider Electric devices. Access control, similar to IP packet filtering on the firewall, only permits access to the addresses entered in the Access table. It is useful to prevent access from one plant area to another.

Guideline for Access Control
Access control should be implemented at all levels: firewall, switches and devices.

Access Control Vulnerability
Accessing PAC logic that could have a negative impact on production, equipment and the safety of personnel.

Access Control Risk Mitigation
60 Configure the access control to determine whether or not a device is allowed to open a TCP connection to the module ConneXium Ethernet Switches To harden the network system it is necessary to parameterize the following features of the ConneXium managed Ethernet switches to provide additional protection against unauthorized users: SNMP Telnet/Web access Ethernet Switch Configurator Software Protection Port access control via IP or MAC address SNMP A network management station communicates with the device via the Simple Network Management Protocol (SNMP). A SNMP packet contains the IP of the sending computer along with the device s password needed for access. The device receives the SNMP packet and compares the IP address of the sending computer and the password with the entries in the device MIB. If the password has the appropriate access right, and if the IP address of the sending computer has been entered, then the device will allow access. 60
61 In the delivery state, the device is accessible via the password "public" (read only) and "private" (read and write) to every computer. SNMP Vulnerabilities Ethernet switches are susceptible to MAC spoofing, table overflows, and attacks against the spanning tree protocols, depending on the device and its configuration.) SNMP Risk Mitigation Use SNMP v3 whenever possible. Password protect. Limit the access rights of the known passwords or delete their entries. Telnet/Web access The device s Telnet server allows you to configure the device by using the Command Line Interface (in-band). The ConneXium switch can be configured using the web server. On delivery, the server is activated. Telnet/Web Access Vulnerabilities Same vulnerabilities as described in the firewall section. Telnet/Web access Configuration Recommendation Deactivate Telnet and web servers if not used. Ethernet Switch Configurator Software Protection The Ethernet Switch Configurator Software protocol allows you to assign the device an IP address based on its MAC address. Ethernet Switch Configurator Software Vulnerability Unauthorized access Ethernet Switch Configurator Software Risk Mitigation It is recommended that the Ethernet Switch Configurator Software function for the device be disabled after you have assigned the IP parameters to the device. 61
Disable the Ethernet Switch Configurator Software function in the "Ethernet Switch Configurator Software Protocol" frame, or limit the access to "read-only".

Ethernet Switch Port Access
Implement port security to prevent unauthorized physical connection to the Ethernet port. Methods of securing the ports are:
- Disabling of open ports.
- MAC address locking: locking a specific MAC address to a specific port on the Ethernet switch.
- IP address locking: locking a specific IP address to a specific port on the Ethernet switch. Commonly used for faulty device replacement.

Ethernet Switch Port Vulnerability
A malicious user who has physical access to an unsecured port on a network switch could plug into the network behind the firewall to defeat its incoming filtering protection.

Ethernet switches maintain a table called the Content Addressable Memory (CAM) that maps individual MAC addresses on the network to the physical ports on the switch. In a MAC flooding attack, a switch is flooded with packets, each containing a different source MAC address, filling the CAM table. Once the CAM table is full, the switch behaves like an Ethernet hub, broadcasting all incoming packets on all ports. The attacker could then use a packet sniffer (such as Wireshark) running in promiscuous mode to capture sensitive data from other computers (such as unencrypted passwords and instant messaging conversations) which would not be accessible were the switch operating normally.

Port Access Configuration Recommendation
- Disable unused ports.
- Restrict port access by allowing only selected devices (up to 10 devices per port).

SCADA System
SCADA, or Supervisory Control and Data Acquisition, systems are heavily used in industrial control for data collection, human interface, and data analysis. Schneider's Vijeo Citect is an example of this functionality.
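To make the port-security recommendation concrete, here is an added example (not ConneXium firmware, configuration syntax or any Schneider code) that models what a switch enforces at the port: a port either carries a locked MAC list, is administratively disabled, or learns at most 10 addresses, and a port presenting more distinct source MACs than that is treated as the CAM-flooding signature described above and shut down. The switch ports, MAC addresses and frames are constructed sample data.

```python
"""Switch port-security model: MAC locking, disabled ports and
MAC-flood detection (added example, not ConneXium configuration)."""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_MACS_PER_PORT = 10   # the STN recommendation: at most 10 devices per port


@dataclass(frozen=True)
class Frame:
    port: int        # ingress switch port
    src_mac: str     # source MAC address carried by the frame


@dataclass
class PortSecurity:
    locked: dict[int, set[str]] = field(default_factory=dict)      # port -> allowed MACs
    disabled: set[int] = field(default_factory=set)                 # administratively down
    learned: dict[int, set[str]] = field(default_factory=lambda: defaultdict(set))
    shutdown: set[int] = field(default_factory=set)                 # err-disabled by violation
    events: list[str] = field(default_factory=list)

    def lock(self, port: int, macs: list[str]) -> None:
        """MAC address locking: only these MACs may source frames on `port`."""
        self.locked[port] = {m.lower() for m in macs}

    def disable(self, port: int) -> None:
        """Disable an open, unused port so nothing can be plugged into it."""
        self.disabled.add(port)

    def admit(self, frame: Frame) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        port, mac = frame.port, frame.src_mac.lower()
        if port in self.disabled or port in self.shutdown:
            return False
        if port in self.locked:
            if mac in self.locked[port]:
                return True
            self.events.append(f"port {port}: violation, unexpected MAC {mac}")
            return False
        # Unlocked port: learn the address, but cap how many one port may show.
        self.learned[port].add(mac)
        if len(self.learned[port]) > MAX_MACS_PER_PORT:
            # More distinct sources than a single legitimate port should carry:
            # the CAM-flooding pattern. Err-disable the port instead of degrading
            # the whole switch into a hub.
            self.shutdown.add(port)
            self.events.append(
                f"port {port}: {len(self.learned[port])} MACs seen, "
                "possible CAM flooding, port shut down")
            return False
        return True


def run_sample() -> PortSecurity:
    """Constructed traffic: a locked PAC port with a stray device, a disabled
    port someone plugs into, and a port that sprays 12 different source MACs."""
    ps = PortSecurity()
    ps.lock(1, ["00:80:f4:01:02:03"])   # PAC on port 1 (constructed MAC)
    ps.disable(24)                      # unused port
    frames = [
        Frame(1, "00:80:f4:01:02:03"),
        Frame(1, "de:ad:be:ef:00:01"),
        Frame(24, "00:11:22:33:44:55"),
    ]
    frames += [Frame(5, f"02:00:00:00:00:{i:02x}") for i in range(12)]
    for f in frames:
        ps.admit(f)
    return ps


if __name__ == "__main__":
    for event in run_sample().events:
        print(event)
```

The model deliberately shuts the offending port rather than just dropping the excess addresses: once the CAM table is full the switch floods every port, so the damage is not confined to the port under attack. IP address locking, which the recommendation lists for device replacement, works the same way with the source IP in place of the MAC.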
SCADA systems, due to their typical PC-based architecture, simple access to process control functions and criticality to the process, are among the most vulnerable devices on the control system network. Steps required to harden the SCADA system are:
- Limit the viewable areas by configuring roles.
- Use web clients instead of Internet Display Clients.
- Use multiple digital signatures.
- Carefully configure privileges without interfering with the process.
- Implement MS Windows authentication.

SCADA System Guidelines
- Routinely track and monitor audit trails, especially in the critical areas, to identify suspicious activity and remedy it immediately.
- Configure mirrored servers, such as the historian, in the DMZ for external access. Do not allow direct access to the control system network.
- Validate that there are no foreign IP addresses on the access list.
- Keep the anti-virus software current. This can often conflict with production and may require a risk assessment.
- Maintain passwords.
- No e-mail or web access.
- Disable or remove CD-ROM and diskette drives.
- Disable USB ports not used by the keyboard or mouse.
- Do not leave remote units available. Secure them in locked cabinets if possible.
- Dual firewalls are recommended.

SCADA Vulnerabilities
SQL injection is a code injection technique that occurs in the database layer of an application. The attacker executes unauthorized SQL commands by taking advantage of poorly secured code on a system connected to the Internet. Most of the security issues center around the login and URL string. SQL injection attacks are used to steal information from a database and/or to gain access to an organization's host computers through the computer that is hosting the database.
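The "poorly secured code" the paragraph refers to is almost always a query assembled from user input. The following added example (not from the STN, and not Vijeo Citect code) shows the login case side by side: a query built by string concatenation, which a crafted user name can bypass, and the parameterized form, which keeps the input as data. The operator table is an in-memory SQLite database with constructed accounts; the unsalted hash is used only to keep the example short and is not a password-storage recommendation.

```python
"""SQL injection in a SCADA-style login query: vulnerable vs. parameterized
(added example; constructed accounts in an in-memory SQLite table)."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed operators table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (name TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    for name, pw, role in [("alice", "Plant#2024ok", "operator"), ("bob", "Eng!neer99", "engineer")]:
        conn.execute("INSERT INTO operators VALUES (?, ?, ?)",
                     (name, hashlib.sha256(pw.encode()).hexdigest(), role))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """The injectable pattern: user input concatenated into the SQL text.

    Whatever the user types into `name` becomes part of the WHERE clause,
    so it can close the string literal and rewrite the condition.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT name, role FROM operators "
             f"WHERE name = '{name}' AND pw_hash = '{pw_hash}'")
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str):
    """Hardened form: placeholders bind the input as values, never as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = "SELECT name, role FROM operators WHERE name = ? AND pw_hash = ?"
    return conn.execute(query, (name, pw_hash)).fetchone()


# Textbook login-bypass input: ends the string literal, adds an always-true
# condition and comments out the password comparison. Against the
# parameterized query it is just an (unknown) user name.
INJECTION = "alice' OR '1'='1' --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", login_vulnerable(conn, INJECTION, "wrong"))
    print("parameterized:", login_parameterized(conn, INJECTION, "wrong"))
    print("legitimate   :", login_parameterized(conn, "bob", "Eng!neer99"))
```

The same rule applies to the URL-string case mentioned above: any value that reaches a query from a request parameter goes through a placeholder, and the database account used by the SCADA application gets only the privileges its queries need, so a successful injection cannot reach host-level access through the database server.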
SCADA Risk Mitigation

Assign Roles
Limit access to plant areas to prevent unauthorized access to areas outside a user's responsibility. If an intruder is able to penetrate, access will be limited to a specific area and not the entire plant.

Web Servers
Internet Display Clients (IDC) are configured using FTP. As stated before, FTP is an untrusted protocol and should be avoided. It is highly recommended that the CitectSCADA web client be used instead of IDCs.

Multiple Digital Signatures
Whenever possible, use multiple digital signatures for tasks that require a higher authorization, such as modifying thresholds.

Device Hardening for Legacy Devices
In many cases, the devices in the control system are older and were not equipped with sufficient device hardening features. In this case, an external device can be applied in combination with the installed end device to improve the hardening. Schneider recommends use of the Hirschmann Eagle Tofino firewall to provide these features. It is recommended to configure the firewall to use the same IP address as the end device, so that the combination of the two units appears as a single end device to the rest of the network. The single combined unit can also take advantage of the Eagle's ability to limit network traffic, restrict access to allow only data requests from specific originating devices, and even limit access to specific data register areas or the use of specific function codes.

Monitoring
Security monitoring on the control system network is critical. No system is fully protected, due to the continuous evolution of new cyber attacks. By monitoring the system, immediate action can be taken to block intrusion attempts before damage is done.

Methods of Monitoring Networks
There are several methods of monitoring the network for suspicious activity:
- Monitoring of log files.
- Usage of authentication traps.
- Use of an Intrusion Detection System (IDS): monitors activity on the network such as traffic patterns, file access, changes in port status, invalid password entries and detected equipment failures. There are two types of IDS:
  - Network Intrusion Detection System (NIDS): monitors traffic to and from all devices on the network.
  - Host Intrusion Detection System (HIDS): runs on individual hosts or devices on the network.

Monitoring Recommendations

SNMP Authentication Traps
Enable SNMP authentication traps to monitor for unauthorized login attempts.

Monitor Event Log
Monitor device event logs for unusual activity.

Monitor MS Windows Event Viewer
Monitor the MS Windows Event Viewer (Control Panel/Administrative Tools/Event Viewer/Application Log) for unusual activity.

Monitor Network Load
Using network diagnostic tools like HiVision from Hirschmann Electronics, monitor and immediately investigate unusual traffic load.

Monitor Device Log
Monitor the log files produced by devices. For example:
- Crash log file (i.e. Quantum PAC)
- Alarm log files (i.e. PAC)
- Diagnostic log files (i.e. ConneXium switch)
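The recommendations above say what to watch (authentication traps, management login failures, port status changes) but not what "unusual" means. As an added example, not HiVision or any Schneider or Hirschmann tool, the monitor below reads device log lines and raises an alert on repeated authentication failures from one source inside a sliding window and on a link coming up on a port that is supposed to be unused. The log lines, host name, addresses and the syslog-like layout (timestamp, host, subsystem, message) are constructed; real devices format these differently, so the regular expressions are the part to adapt.

```python
"""Device-log monitor for SNMP authentication traps, failed management
logins and port status changes (added example; constructed log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SNMP_AUTH_FAIL = re.compile(r"snmp: authentication failure from (?P<ip>[\d.]+)")
LOGIN_FAIL = re.compile(r"login: failed login for user '(?P<user>[^']*)' from (?P<ip>[\d.]+)")
LINK_CHANGE = re.compile(r"link: port (?P<port>\d+) changed state to (?P<state>up|down)")

FAIL_THRESHOLD = 3                    # this many failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)   # ... within this window raise an alert
UNUSED_PORTS = {22, 23, 24}           # constructed: ports that must stay down


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Split 'ISO-timestamp host subsystem: message' into (timestamp, host, message)."""
    ts_str, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts_str), host, msg


def analyze(lines: list[str]) -> list[str]:
    """Return alert strings for the suspicious patterns found in `lines`."""
    alerts = []
    # (kind, source ip) -> timestamps of recent failures
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in lines:
        ts, host, msg = parse_line(line)
        m = SNMP_AUTH_FAIL.search(msg) or LOGIN_FAIL.search(msg)
        if m:
            kind = "snmp" if msg.startswith("snmp:") else "login"
            key = (kind, m.group("ip"))
            times = failures[key] + [ts]
            # Sliding window: forget failures older than FAIL_WINDOW.
            times = [t for t in times if ts - t <= FAIL_WINDOW]
            failures[key] = times
            if len(times) == FAIL_THRESHOLD:   # alert once when the threshold is crossed
                alerts.append(f"{host}: {FAIL_THRESHOLD} {kind} authentication failures "
                              f"from {key[1]} within {FAIL_WINDOW.seconds}s")
            continue
        m = LINK_CHANGE.search(msg)
        if m and m.group("state") == "up" and int(m.group("port")) in UNUSED_PORTS:
            alerts.append(f"{host}: link up on port {m.group('port')}, which should be unused")
    return alerts


SAMPLE_LOG = [  # constructed sample lines
    "2009-09-01T10:00:01 sw01 snmp: authentication failure from 192.168.1.77",
    "2009-09-01T10:00:05 sw01 snmp: authentication failure from 192.168.1.77",
    "2009-09-01T10:00:09 sw01 link: port 3 changed state to down",
    "2009-09-01T10:00:12 sw01 snmp: authentication failure from 192.168.1.77",
    "2009-09-01T10:02:30 sw01 snmp: authentication failure from 192.168.1.90",
    "2009-09-01T10:05:00 sw01 link: port 23 changed state to up",
    "2009-09-01T10:06:00 sw01 login: failed login for user 'admin' from 192.168.1.90",
    "2009-09-01T10:06:04 sw01 login: failed login for user 'admin' from 192.168.1.90",
    "2009-09-01T10:08:00 sw01 login: failed login for user 'admin' from 192.168.1.90",
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In the sample, the three SNMP failures from 192.168.1.77 inside twelve seconds and the link-up on port 23 produce alerts; the three login failures from 192.168.1.90 do not, because they span two minutes, which is the kind of threshold that has to be tuned against the real rate of operator typing errors before the alert is worth paging on.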
4. Appendix

Methods of Attack

4.1. IP Spoofing
IP spoofing is a method used to disguise the identity of the attacker in an attempt to perform various malicious attacks such as denial of service and man-in-the-middle. IP spoofing is accomplished by manipulating the IP address.

The Internet Protocol (IP) is the main protocol used to communicate data across the Internet. The IP header contains the information necessary to transport data from the source to the destination: the type of IP datagram, how long the datagram remains active on the network, special flags indicating any special purpose the datagram is supposed to serve (such as whether or not the data can be fragmented), the destination and source addresses, and several other fields. The receiver of the packet identifies the sender by the source IP address. IP does not validate the source IP address.

In IP spoofing, the attacker manipulates the datagram. The most common manipulation is creating a false source IP address to hide identity. The primary motives of the attack are:
- To gather information about open ports, operating systems, or applications on the host from the replies. For example, a port 80 response may indicate that the host is running a web server. Using telnet, the attacker may be able to see the banner and determine the web server version and type. The attacker can then try to exploit any vulnerability associated with that web server.
- To uncover the sequence number. TCP requires the use of a sequence number for every byte transferred and requires an acknowledgement from the recipient. An attacker will send several packets to the victim in the hope of determining the algorithm. Once the algorithm is determined, the attacker tricks the target into believing its legitimacy and begins to launch various attacks.
- Hijacking an authorized session by monitoring a session between two communicating hosts and then injecting traffic that appears to be coming from one host. By doing so, the hijacker steals the session from one host and terminates its session. The hijacker continues the same session with the same access privileges to the other legitimate host.

4.2. Denial of Service Attacks
Denial of Service (DoS) is an attempt to prevent legitimate users from accessing computer services, either temporarily or permanently. One common method of attack involves saturating the victim's computer with external communications requests so that it either blocks responses or responds so slowly that the system is considered ineffective. The attacker usually accomplishes this by:

Step 1: Crashing the system.
Step 2: Denying communication between systems.
Step 3: Bringing the network or the system down, or having it operate at a reduced speed, affecting productivity.
Step 4: Hanging the system, which is more dangerous than crashing since there is no automatic reboot. Productivity can be disrupted indefinitely.

There are several variations of DoS. The most popular are:
- TCP SYN flood attack
- Land attack
- ARP spoofing
- ICMP smurf attack
- Ping of death
- UDP flood attack
- Teardrop attack

4.3. TCP SYN Flood Attack
A TCP SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. In a TCP connection, the client attempts to start a TCP connection to a server, and the client and server exchange information in the following sequence:

Step 1: The client requests a connection by sending a SYN (synchronize) message to the server.
Step 2: The server acknowledges the request by sending SYN-ACK back to the client.
Step 3: The client responds with an ACK and the connection is established.

This is called the TCP three-way handshake. In the attack, the final ACK never arrives, so each half-open connection keeps holding resources on the server. There is a limit to available resources. Once the limit has been reached, all other requests are dropped. Older operating systems are more vulnerable than newer operating systems. Newer operating systems manage resources better, making it more difficult to overflow tables, but they are still vulnerable.
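The handshake sequence above is also what a monitor or stateful firewall tracks to recognise a SYN flood: connections that reach step 2 and never reach step 3. The following is an added example, not from the STN, that replays a constructed stream of TCP segments through that state machine and reports when the number of half-open connections toward one server exceeds a limit. Addresses, the Modbus port 502 used for the server and the deliberately low limit are sample values.

```python
"""Half-open connection tracking to detect a TCP SYN flood
(added example; constructed segments and addresses)."""
from collections import defaultdict
from dataclasses import dataclass

HALF_OPEN_LIMIT = 5   # constructed; real server backlogs are much larger


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


class HandshakeTracker:
    """Follows each connection through the three-way handshake."""

    def __init__(self) -> None:
        self.half_open: dict[tuple, str] = {}   # (client, sport, server, dport) -> stage
        self.established: set[tuple] = set()
        self.alerts: list[str] = []

    def _count_half_open(self, server: str) -> int:
        return sum(1 for (_, _, s, _) in self.half_open if s == server)

    def observe(self, seg: Segment) -> None:
        if seg.flags == "S":                       # step 1: client SYN
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            self.half_open[key] = "SYN"
            n = self._count_half_open(seg.dst)
            if n > HALF_OPEN_LIMIT:
                self.alerts.append(f"{seg.dst}: {n} half-open connections, possible SYN flood")
        elif seg.flags == "SA":                    # step 2: server SYN-ACK (ends swapped)
            key = (seg.dst, seg.dport, seg.src, seg.sport)
            if key in self.half_open:
                self.half_open[key] = "SYN-ACK"
        elif seg.flags == "A":                     # step 3: client ACK completes it
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if self.half_open.get(key) == "SYN-ACK":
                del self.half_open[key]
                self.established.add(key)

    def pending_by_client(self, server: str) -> dict[str, int]:
        """Clients with handshakes to `server` still waiting for the final ACK."""
        pending: dict[str, int] = defaultdict(int)
        for (client, _, s, _) in self.half_open:
            if s == server:
                pending[client] += 1
        return dict(pending)


def run_sample() -> HandshakeTracker:
    """One legitimate handshake, then 8 SYNs from spoofed sources that never finish."""
    t = HandshakeTracker()
    server = "10.0.0.10"
    t.observe(Segment("10.0.0.20", 40000, server, 502, "S"))
    t.observe(Segment(server, 502, "10.0.0.20", 40000, "SA"))
    t.observe(Segment("10.0.0.20", 40000, server, 502, "A"))
    for i in range(8):
        client = f"198.51.100.{i + 1}"   # documentation address range, constructed
        t.observe(Segment(client, 50000 + i, server, 502, "S"))
        t.observe(Segment(server, 502, client, 50000 + i, "SA"))
    return t


if __name__ == "__main__":
    tracker = run_sample()
    print("established:", len(tracker.established), "half-open:", len(tracker.half_open))
    for alert in tracker.alerts:
        print(alert)
```

Because the flood's source addresses are spoofed (section 4.1), the per-client view is mostly useless during an attack; the per-server half-open count is the signal to act on, and the response on a control network is usually to rate-limit SYNs at the firewall in front of the device rather than to rely on the device's own backlog.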
4.4. Land Attack
In a land attack, a spoofed TCP SYN packet is sent in which the source IP address and source port number are identical to the target IP address and port number. The target machine replies to itself in an endless loop until the idle timeout value is reached.

4.5. ARP Spoofing
Address Resolution Protocol (ARP) is a Layer 2 protocol that maps an IP address to a MAC address, stored in a table (the ARP cache) residing in memory.

Step 1: ARP checks the local ARP cache for an entry for the destination IP address. If a match is found, the hardware address of the destination is added to the frame header and the frame is sent.
Step 2: If a match is not found, an ARP request is broadcast to the local network (the sender knows the destination is on the local network by working out the network ID from the IP address and the subnet mask). The ARP request contains the sender's IP address and hardware address and the IP address being queried, and is sent to everyone (it will not be routed).
Step 3: When the destination host receives the broadcast, it sends an ARP reply with its hardware address and IP address.
Step 4: When the source receives the ARP reply, it updates its ARP cache, then creates a frame and sends it.

ARP flood spoofing, also known as ARP poisoning or ARP routing, sends fake ARP messages on the network. The intent is to associate the attacker's MAC address with the IP address of another node (i.e. the gateway) by poisoning the ARP caches of the systems, in order to intercept traffic.

4.6. ICMP Smurf
In a Smurf attack, the attacker spoofs the target IP address, sending ICMP Echo Requests (pings) to the broadcast address of an intermediary network. As a result, the target host is flooded with replies and its resources become exhausted, so legitimate users cannot access the server. The ICMP Smurf attack is the same as an ICMP flood attack except that Smurf attacks use other networks to multiply the number of requests.

4.7. The Ping of Death
A feature of TCP/IP is to allow fragmentation by separating a single IP packet into smaller segments. When fragmentation is performed, each IP fragment needs to carry information about which part of the original IP packet it contains. This information is kept in the Fragment Offset field in the IP header. The Ping of Death attack sends an ICMP Echo Request (ping) as multiple fragmented packets that add up to more than the maximum IP packet size (65,535 bytes). Since the reassembled ICMP echo request packet is larger than the allowed IP packet size, the remote system crashes while attempting to reassemble the packet.

4.8. UDP Flood Attack
A UDP flood attack is similar to ICMP flooding. The difference is that UDP datagrams of different sizes are used. In the UDP flood attack, the attacker sends a UDP packet to a random port on the victim's system. When the victim's system receives a UDP packet, it checks to see if there is an application listening on that port. If not, it replies with an ICMP Destination Unreachable packet to the (unreachable) spoofed source IP address. If enough UDP packets are delivered to enough ports on the victim, the system will go down. The primary motivation of the UDP flood attack is not to break into a system but to make the target system deny service to legitimate users.

4.9. Teardrop Attack
The teardrop attack is the most popular fragment attack method. It involves inserting false offset information into fragmented packets. As a result, during reassembly there are empty or overlapping fragments that can cause the system to crash. The primary motivation of the teardrop attack is to hang or crash a system.
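Most of the attacks in sections 4.1 and 4.4 to 4.9 have a signature that a firewall or NIDS rule can check packet by packet or per reassembled datagram. As an added example covering 4.1 (anti-spoofing ingress filter), 4.4 (land), 4.5 (ARP cache poisoning), 4.6 (smurf), 4.7 (ping of death) and 4.9 (teardrop), and not taken from the STN, the checks below operate on constructed packet dictionaries carrying only the header fields each rule needs, which is the view a filtering rule works on; they do not parse raw packet bytes. The internal networks, broadcast address, known gateway MAC and sample packets are constructed values.

```python
"""Packet-level checks for spoofed ingress, land, ARP poisoning, smurf,
ping of death and teardrop (added example; constructed packets)."""
import ipaddress
from collections import defaultdict

MAX_IP_DATAGRAM = 65535
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
BROADCAST_ADDRS = {"255.255.255.255", "192.168.1.255"}   # constructed local broadcast
KNOWN_ARP = {"192.168.1.1": "00:80:f4:aa:bb:cc"}         # constructed gateway mapping


def is_spoofed_ingress(pkt) -> bool:
    """4.1: a packet entering on the outside interface must not carry an internal source."""
    if pkt.get("iface") != "outside" or "src" not in pkt:
        return False
    src = ipaddress.ip_address(pkt["src"])
    return any(src in net for net in INTERNAL_NETS)


def is_land(pkt) -> bool:
    """4.4: TCP SYN whose source and destination address:port are identical."""
    return (pkt.get("proto") == "tcp" and "S" in pkt.get("flags", "")
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def is_arp_poison(pkt, known=KNOWN_ARP) -> bool:
    """4.5: ARP reply claiming a known IP with a MAC other than the recorded one."""
    return (pkt.get("proto") == "arp" and pkt.get("op") == "reply"
            and pkt["sender_ip"] in known
            and pkt["sender_mac"].lower() != known[pkt["sender_ip"]])


def is_smurf_request(pkt) -> bool:
    """4.6: ICMP echo request aimed at a broadcast address (the amplifier step)."""
    return (pkt.get("proto") == "icmp" and pkt.get("type") == "echo-request"
            and pkt["dst"] in BROADCAST_ADDRS)


def check_fragments(fragments) -> list[str]:
    """4.7 and 4.9: validate the fragments of one datagram.

    'offset' is the Fragment Offset field in 8-byte units, 'length' the
    fragment payload length in bytes.
    """
    findings = []
    spans = []
    for f in fragments:
        start = f["offset"] * 8
        end = start + f["length"]
        if end > MAX_IP_DATAGRAM:
            findings.append(f"ping of death: fragment reaches byte {end} > {MAX_IP_DATAGRAM}")
        spans.append((start, end))
    spans.sort()
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"teardrop: fragment at {s2} overlaps previous fragment ending at {e1}")
    return findings


def inspect(packets) -> list[str]:
    """Run the single-packet checks, then group fragments by datagram for reassembly checks."""
    alerts = []
    by_datagram = defaultdict(list)
    for p in packets:
        if is_spoofed_ingress(p):
            alerts.append(f"spoofed ingress: internal source {p['src']} on outside interface")
        if is_land(p):
            alerts.append(f"land attack: {p['src']}:{p['sport']} -> itself")
        if is_arp_poison(p):
            alerts.append(f"arp poisoning: {p['sender_ip']} claimed by {p['sender_mac']}")
        if is_smurf_request(p):
            alerts.append(f"smurf: echo request from {p['src']} to broadcast {p['dst']}")
        if "offset" in p:
            by_datagram[(p["src"], p["dst"], p["id"])].append(p)
    for (src, _dst, dgram_id), frags in by_datagram.items():
        alerts.extend(f"datagram {dgram_id} from {src}: {f}" for f in check_fragments(frags))
    return alerts


SAMPLE = [  # constructed packets, one per attack signature
    {"proto": "tcp", "iface": "outside", "src": "10.0.0.7", "dst": "10.0.0.20", "sport": 1234, "dport": 502, "flags": "S"},
    {"proto": "tcp", "src": "10.0.0.10", "dst": "10.0.0.10", "sport": 502, "dport": 502, "flags": "S"},
    {"proto": "arp", "op": "reply", "sender_ip": "192.168.1.1", "sender_mac": "de:ad:be:ef:00:01"},
    {"proto": "icmp", "type": "echo-request", "src": "10.0.0.10", "dst": "192.168.1.255"},
    {"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.20", "id": 7, "offset": 0, "length": 1480},
    {"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.20", "id": 7, "offset": 8000, "length": 2000},
    {"proto": "udp", "src": "10.0.0.6", "dst": "10.0.0.20", "id": 9, "offset": 0, "length": 1480},
    {"proto": "udp", "src": "10.0.0.6", "dst": "10.0.0.20", "id": 9, "offset": 100, "length": 400},
]


if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert)
```

The fragment checks are the ones worth doing at the firewall in front of a legacy device (section "Device Hardening for Legacy Devices"): the end device's own IP stack is exactly what the ping of death and teardrop target, so a reassembly check upstream of it removes the attack before the vulnerable code ever sees the fragments. The UDP flood of section 4.8 has no per-packet signature and is handled by rate limiting instead.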
Schneider Electric Industries SAS
Head Office: 35 rue Joseph Monier, Rueil-Malmaison Cedex, France

Due to the evolution of standards and equipment, the characteristics indicated in the texts and images in this document are binding only after confirmation by our departments.
Information Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100
Information Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100 Course Description: Introduction to Cybersecurity is designed to provide students the basic concepts and terminology
Network Security Fundamentals
APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer [email protected] Specialties: Network Security IPv6
Guideline on Firewall
CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June
How To Protect Your Network From Attack From Outside From Inside And Outside
IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
INTRUSION DETECTION SYSTEMS and Network Security
INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS
Firewalls. Chapter 3
Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border
Cyber Essentials. Test Specification
Cyber Essentials Test Specification Contents Scope of the Audit...2 Assumptions...3 Success Criteria...3 External systems...4 Required tests...4 Test Details...4 Internal systems...7 Tester pre-requisites...8
10 Configuring Packet Filtering and Routing Rules
Blind Folio 10:1 10 Configuring Packet Filtering and Routing Rules CERTIFICATION OBJECTIVES 10.01 Understanding Packet Filtering and Routing 10.02 Creating and Managing Packet Filtering 10.03 Configuring
20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
Firewalls, IDS and IPS
Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not
SOLUTION GUIDE. Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management.
SOLUTION GUIDE Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management. North America Radware Inc. 575 Corporate Dr Suite 205 Mahwah, NJ 07430
Network Security Administrator
Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze
Gigabit Multi-Homing VPN Security Router
As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is a ideal to help the SMBs increase the broadband
We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
BlackRidge Technology Transport Access Control: Overview
2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service
Remote Access Security
Glen Doss Towson University Center for Applied Information Technology Remote Access Security I. Introduction Providing remote access to a network over the Internet has added an entirely new dimension to
EUCIP - IT Administrator. Module 5 IT Security. Version 2.0
EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single
WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise
WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Corporation http://www.wicksoft.com Copyright WICKSoft 2007. WICKSoft Mobile Documents
Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes
Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more
Ovation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches easily Allows only white-listed applications in workstations to run Provides virus protection for Ovation Windows stations Aggregates,
SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.
system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped
Basic Network Configuration
Basic Network Configuration 2 Table of Contents Basic Network Configuration... 25 LAN (local area network) vs WAN (wide area network)... 25 Local Area Network... 25 Wide Area Network... 26 Accessing the
Network Security and Firewall 1
Department/program: Networking Course Code: CPT 224 Contact Hours: 96 Subject/Course WEB Access & Network Security: Theoretical: 2 Hours/week Year Two Semester: Two Prerequisite: NET304 Practical: 4 Hours/week
Using Ranch Networks for Internal LAN Security
Using Ranch Networks for Internal LAN Security The Need for Internal LAN Security Many companies have secured the perimeter of their network with Firewall and VPN devices. However many studies have shown
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
Firewall Architecture
NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT
A Decision Maker s Guide to Securing an IT Infrastructure
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
GE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device
Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet
Achieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R
HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Managed Broadband Network Services include a high level of end-toend security utilizing a robust architecture designed by
Chapter 8 Security Pt 2
Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,
Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment
White Paper Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment Cisco Connected Analytics for Network Deployment (CAND) is Cisco hosted, subscription-based
Innominate mguard Version 6
Innominate mguard Version 6 Configuration Examples mguard smart mguard PCI mguard blade mguard industrial RS EAGLE mguard mguard delta Innominate Security Technologies AG Albert-Einstein-Str. 14 12489
Avaya TM G700 Media Gateway Security. White Paper
Avaya TM G700 Media Gateway Security White Paper March 2002 G700 Media Gateway Security Summary With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional
SCADA SYSTEMS AND SECURITY WHITEPAPER
SCADA SYSTEMS AND SECURITY WHITEPAPER Abstract: This paper discusses some of the options available to companies concerned with the threat of cyber attack on their critical infrastructure, who as part of
SECURING AN INTEGRATED SCADA SYSTEM. Technical Paper April 2007
SECURING AN INTEGRATED SCADA SYSTEM Network Security & SCADA Systems Whitepaper Technical Paper April 2007 Presented by: Scott Wooldridge Managing Director of Oceania Citect 1 Abstract This paper discusses
Avaya G700 Media Gateway Security - Issue 1.0
Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional Enterprise
By David G. Holmberg, Ph.D., Member ASHRAE
The following article was published in ASHRAE Journal, November 2003. Copyright 2003 American Society of Heating, Refrigerating and Air-Conditioning Engineers, Inc. It is presented for educational purposes
Chapter 4 Firewall Protection and Content Filtering
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network.
Chapter 5. Data Communication And Internet Technology
Chapter 5 Data Communication And Internet Technology Purpose Understand the fundamental networking concepts Agenda Network Concepts Communication Protocol TCP/IP-OSI Architecture Network Types LAN WAN
SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging
SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION:
