Digital Energy BPT. Hack In Paris Paul Coggin Internetwork Consulting Solutions

Transcription

1 Digital Energy BPT Hack In Paris 2014 Paul Coggin work Consulting Solutions V## Goes Here 1

2 Digital Energy Basic Persistent Threat APT default excuse for any compromise Default passwords Little to no separation of control, management and data services Layer 2 security issues Lack of Perimeter Egress filtering Lack of Perimeter Egress authentication Trust Relationships Integration Interdependencies Dependencies Vendor remote access Default database client/server protocol configuration Talented attackers exploiting critical infrastructure using basic attack vectors are not an APT. Lack of security policies driving network and security infrastructure configuration Flat earth network architecture philosophy 2

3 Public Network Infrastructure Overview DHCP Server Policy Server Lawful Intercept AAA Server tuational Awareness Servers Provisioning Servers Assurance Servers Online and Internal Billing Servers VoIP GW Web server ICS / SCADA SIP Proxy Video Headend IPTV/VOD λ 1... λ n PLS/IP, DWD, SONET - Vendor/fg. Remote Support - Internal Tech Staff VPN - Customer online bill payment - isconfigured Backdoor i DWD GPON GigE SONET Branch Office Enterprise Residential Residential Telecommuter SOHO Energy Distribution Water / Sewer Treatment Plant Cell Tower 3

4 ANSI/ISA99 ICS Industrial Control Systems SCADA Supervisory Control and Data Acquisition PLC Programmable Logic Controller RTU Remote Terminal Unit IED Intelligent Electronic Device Historian HI Human achine Interface Protocols - odbus, ICCP, DNP3, Others In many networks there is not a firewall securing the integration between the Enterprise and ICS/SCADA network. A multi-homed Windows system is commonly integrates the two networks Typically, the ICS/SCADA network utilizes a flat network architecture. The vendors have VPN, Telnet and/or SSH holes punched through the firewall with weak authentication in most cases. Older systems will have back door modem connections for vendor remote access. Reference: - ANSI/ISA99 Standard 4

5 Voice Soft Switch Network The service provider transport and soft switch vendors commonly provide a ES for their solution. The ES server commonly is multi-homed with one interface connected directly to the and a second connected to the management network. The transport and voice technical staff may have the system installed without the protection of a firewall or VPN. A number of soft switch ES systems have been hacked using SSH brute force attacks. In some cases the ES is installed behind a firewall with ACL s trusting any inbound IP connection destined to the SSH service. Voice Transport Network anagement Network ES Backup ES λ 1 Soft Switch Backup Soft Switch λ 1... λ n 5

6 What Kind of Ring is It? Collapsed Ring Topology Logical Ring for Regulatory Requirements Any disruption to the single physical fiber run disrupts the logical ring. One service provider had their fiber cut between CO s by copper thieves. Ring Topology End point devices such as DSLAs are configured to form a ring on both ends of the fiber run. λ 3 λ 1... λ n 6

7 Dual Purposed Online Bill Paying Web Server & Internal Billing System Provisioning & onitoring Internal Billing System & Online Billing Web Server iddleware Directory Traversal led to root access to Internal billing system that was also the online billing system for customers. A billing system vendor designed architecture. The billing system vendor argued this architecture was secure even after their system was hacked. Power distributors may utilize the transport and access network for smart grid services. Internal Enterprise LAN Billing system hack exposes provisioning, network management, IPTV iddleware etc. to being compromised through trust relationships. AAA IPTV Netgt ES λ 1... λ n λ 3 Video On Demand Services Voice Services 7

8 Transport Network Disrupted by Accidental isconfiguration alware existed on Data (ISP) user computers alware sends ICP packets to DOS target. Transport equipment encapsulated DOS packets into multicast packets. Transport equipment replicated DOS in hardware to all users. TV S Residential Customer IP Phone STB essage On- Line Network enu Guide Ch Up Select Power Ch Dn NLC 3 PC IP Phone Private Virtual Circuits Separation of Service/ VLANs GPON Secure Visualiza-on and Instrumenta-on Deep Inspec-on and onitoring of Network Flows / Packets Diagnosed Configura-on Issue Customer with SVI was alerted to unusual traffic on multicast VLAN for video. Called for remote Incident Analysis/ Forensics on Network Packets showed multicasting of bad Info and misconfiguration of network logical data flows IPTV Video On Demand Services Voice Services TV S STB essage On- Line Network enu Guide Ch Up Select Power Ch Dn NLC 3 PC Service Provider Employee istakenly Integrated Data and Video Networks Services 8

9 CPE Router Hijacking Residential Customer TV S Hacker attacked DSL odems. Changed DNS address to Relay Box. IP Phone STB essage On- Line Network enu Guide Ch Up Select Power Ch Dn NLC 3 PC IP Phone Private Virtual Circuits Separation of Service/ VLANs GPON 6K DSL Routers hacked before stopped Router management access with open trust Unknown default router password Deep Inspection and onitoring of Network Flows / Packets IPTV Video On Demand Services Voice Services TV S STB essage On- Line Network enu Guide Ch Up Select Power Ch Dn NLC 3 PC Hijacked web requests and web traffic redirected to rogue site Services 9

10 BGP Attack from Broadband Subscriber Corporate Broadband subscriber infected with malware A system on the subscriber network starts sending malformed BGP D5 packets directly to legacy router Enterprise Broadband Customer TV S IP Phone STB essage On- Line Network enu Guide Ch Up Select Power Ch Dn NLC 3 PC IP Phone Private Virtual Circuits Separation of Service/ VLANs GPON Legacy router running buggy code crashes when malformed BGP D5 packets are sent to it. The Legacy router was installed in a rush for a temporary fix without close attention to control plane security. Access network subscribers should be blocked from ever initiating connections to control plane and management plane services. IPTV Video On Demand Services Voice Services Legacy BGP Router TV S STB essage On- Line Network enu Guide Ch Up Select Power Ch Dn NLC 3 PC Services 10

11 Utility CATV Head End Scenario Vendor aggregates customer VPN s to HQ site. The customer inherits the security risk of the vendor through the VPN trust relationship. Vendor was hacked enabling billing system integration server to be hacked. No Segmentation No PVLAN, VACL Vendor HQ Dedicated VPN for Remote gt Vendor VPN Router Billing System Integration TV downstream Routers iddleware C STB essage On- Line Network enu Guide Ch Up Select Power Ch Dn NLC 3 S Fiber Node upstream RF Combiner Cable odem Termination System (CTS) Cable Routers IPTV Video On Demand Services Voice Services 11

12 Utility CATV Head End Scenario 2 Vendor 1 If a vendor network, the CATV head end or the enterprise network is exploited. The trust relationships can then be easily used to pivot between networks. Dedicated VPN for Remote gt No Segmentation No PVLAN, VACL Freely Pivot between Vendors & Head End Exploit Enterprise Trust Relationships TV Vendor 2 downstream Routers Vendor VPN Routers Billing System Integration iddleware upstream C STB essage On- Line Network enu Guide Ch Up Select Power Ch Dn NLC 3 S Fiber Node RF Combiner Cable odem Termination System (CTS) Cable Routers Enterprise IPTV Video On Demand Services Voice Services 12

13 Transport Network Remote Support Services ulti-homed ES Server SSH Access for Transport and Access Vendor Firewall Physically Bypassed Open Trust Relationship for SSH OSS / NOC Enterprise Optical ES 13

14 In-Band Network anagement Network anagement Protocols SNP Telnet HTTP/s - XL TFTP TL1 SSH Network anagement Security Access List Firewalls VPN IDS/IPS AAA Trust levels anagement VLAN User VLAN s VLAN Trunks Users Utilize PLS VPN s and VRF s for anagement Network Business and Network anagement Traffic Uses Common Infrastructure NOC Data Center Resources Trust odel Defines Security Posture - Network management features are vulnerabilities (Provides Configuration and Access Information) - Security policies define trust model - Users access - Customer access - Vendor/fg local/remote tech support access - NOC \ Tech support staff - Secure visualization and instrumentation - Internal, Customer, anagement operations in separate IP subnets/vlan s/pvc s etc over shared network infrastructure. - Log everything - 2 Factor authentication 14

15 Out of Band anagement Network Network anagement Protocols SNP Telnet HTTP/s - XL TFTP TL1 SSH Custom\Proprietary NOC Data Center Resources Network anagement Security Access Lists VACL s Firewalls VPN IDS/IPS Terminal Server AAA Trust levels Terminal Server/Console gmt Network Dedicated gmt Interface User VLAN s VLAN Trunks Users Network management utilizes dedicated out of band IP network infrastructure Dedicated Network anagement Network - Network devices and servers now come built with dedicated management interfaces. - Cisco routers and switches have built-in mgt. int. - Utilize un-attributable for remote VPN access - 2 factor authentication - Strict policy for enabling/disabling remote vendor access - Log everything 15

16 Layer 2 Security Issues Prevalent Rogue Insider Routers Crafted HSRP coup packet with higher priority Common Issues STP / BPDU VTP VLAN Hopping ARP Poisoning FHRP Rogue DHCP Server Horizontal and Vertical Pivoting Suggested Remediation BPDU and Root Guard Secure VTP Disable Dynamic Trunking Dynamic ARP Inspection Limit ACs per Port Secure FHRP DHCP Snooping, Disable DHCP Trust PVLAN s, VACL s, DHCP Option 82 L2 NetFlow Secure Information Flow Trust Relationships 16

17 Bottom Line Whitelist the Applications Whitelist the Network Trust Relationships Whitelist Trusted Information Flows in onitoring 17

18 18