Down the SCADA (security) Rabbit Hole
Alberto Volpatto
Security Engineer & Team Leader @ Secure Network
Computer Engineer, Application Security Specialist
What is SCADA?
Supervisory: operators, engineers, supervisors
Control: monitoring and controlling, locally and/or remotely
And Data: information representing the acquired system
Acquisition: access, acquire and represent meaningful data

What is SCADA?
A SCADA system is a type of ICS (Industrial Control System) used to monitor and control large-scale critical systems, both locally and remotely.
Application fields
Industrial processes: manufacturing, power generation, production
Infrastructure processes: water treatment and distribution, oil and gas pipelines, electrical power transmission
Facility processes: heating, ventilation and air conditioning systems (HVAC)
The SCADA ecosystem
SCADA/ICS Security
For years SCADA/ICS systems relied on security through obscurity
Industrial systems, which were designed and intended to run in isolation, became magically connected to the world
No perception of modern security threats and risks, from either SCADA vendors or consumers

SCADA/ICS Security
Like traditional IT networks, SCADA environments host critical data and information: projects, plans, chemical secrets
They also have a direct impact on the physical world
An attack on a SCADA system could lead to a real-world disaster, affecting people's safety
Attacking Chemical Plants
August 2013: multiple vulnerabilities in the industrial wireless products of three vendors were reported. Their customers are nuclear, oil and gas, refining, petrochemical, utility and wastewater companies
2014: Lucas Apa and Carlos Penagos released a public advisory describing four vulnerabilities affecting some OleumTech wireless products

Attacking Chemical Plants
Threat: an attacker within a ~60 km range could inject false values into the wireless gateways, modifying the measurements used to make critical decisions
Targeting a wireless transmitter that monitors the process temperature could make a chemical react and explode, if failsafe mechanisms are not implemented
They demonstrated the scenario on a virtual simulator
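The failsafe the slide refers to is a supervisory check that refuses to act on a single reported measurement. The following is an added example (not code from the talk or from the vendors named above) of such a plausibility gate: a reading is accepted only if it lies within the physical range of the process, has not jumped faster than the process can change between samples, and agrees with a redundant, independently wired sensor. The limits and the temperature stream are constructed for illustration; the fifth sample models an injected frame reporting a sudden drop that a naive controller would answer by adding heat.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Limits:
    lo: float              # physical minimum the process can reach
    hi: float              # physical maximum the process can reach
    max_rate: float        # largest plausible change between two samples
    max_divergence: float  # largest tolerated gap between redundant sensors


@dataclass
class Gate:
    limits: Limits
    last_good: Optional[float] = None
    rejects: List[Tuple[float, float, str]] = field(default_factory=list)

    def accept(self, primary: float, redundant: float) -> Tuple[bool, str]:
        """Return (accepted, reason). Only accepted values update last_good,
        so a rejected spike cannot drag the baseline along with it."""
        lim = self.limits
        reason = "ok"
        if not (lim.lo <= primary <= lim.hi):
            reason = "out of physical range"
        elif self.last_good is not None and abs(primary - self.last_good) > lim.max_rate:
            reason = "rate of change exceeds process dynamics"
        elif abs(primary - redundant) > lim.max_divergence:
            reason = "disagrees with redundant sensor"
        if reason != "ok":
            self.rejects.append((primary, redundant, reason))
            return False, reason
        self.last_good = primary
        return True, reason


def run_gate(samples, limits):
    """Feed (primary, redundant) pairs through a Gate.
    Returns the list of accepted primary values and the list of rejects."""
    gate = Gate(limits)
    accepted = []
    for primary, redundant in samples:
        ok, _ = gate.accept(primary, redundant)
        if ok:
            accepted.append(primary)
    return accepted, gate.rejects


# Constructed reactor temperature stream (degrees C) as (primary, redundant) pairs.
# The fifth primary reading is an injected value; the redundant sensor still
# reports the real temperature.
SAMPLES = [(80.0, 80.2), (80.5, 80.4), (81.0, 81.1), (81.4, 81.2), (40.0, 81.5), (81.8, 81.7)]
LIMITS = Limits(lo=-20.0, hi=200.0, max_rate=5.0, max_divergence=2.0)

if __name__ == "__main__":
    accepted, rejects = run_gate(SAMPLES, LIMITS)
    print("accepted:", accepted)
    for primary, redundant, why in rejects:
        print(f"rejected primary={primary} redundant={redundant}: {why}")
```

The rate-of-change check alone catches the injected sample here; the redundant-sensor check covers the case where a forged value drifts slowly enough to stay under the rate limit, and the range check covers values outside what the plant can physically produce. In a real deployment the rejected reading would also be alarmed to the operator rather than silently dropped.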
Stuxnet - 2010
The world's first cyber weapon
source: https://www.youtube.com/watch?v=7g0pi4j8auq

Stuxnet - 2010
Switch off oil pipelines
Turn up the pressure inside nuclear reactors
STUXNET tells the operators that everything is normal
source: https://www.youtube.com/watch?v=7g0pi4j8auq
SCADA/ICS Security Assessment
In conventional penetration testing the goal is data
The intrinsically critical nature of ICS requires slight changes in the modus operandi
Typically there is no testing or quality environment
A methodology is needed to eliminate:
  service interruption of the controlled process
  damage to the industrial plant and materials
  risk of injuring people

SCADA/ICS Security Assessment
White- or gray-box assessment strategy
Horizontal analysis and vertical exploits on a subset of pre-defined and authorized targets
The assessment activity is supervised by the customer
Proper knowledge of the controlled process is required to identify a potential issue and react to it

SCADA/ICS Security Assessment
Testing SCADA network systems and services with the support of Customer personnel
Internal policies review, in order to spot issues in the organization's processes
Canonical corporate network assessment, with a focus on network segregation or isolation
Fuzz testing of the adopted protocols; lab testing is preferred over production environment testing
Corporate Network Assessment

Corporate Network Assessment
Scenario-driven attacks
Corporate networks are likely to have been assessed before, but context-dependent scenarios still need to be evaluated
Verify proper network segregation between the corporate network and the SCADA network: is it possible to jump from one network into the other?
Network attacks against users who have access to the SCADA network or systems, e.g. abusing a whitelisted workstation to pivot into the SCADA network
SCADA Network Assessment

SCADA Network Assessment
Again, scenario-driven attacks
Simulating attacks from malicious employees
Simulating attacks against legitimate employees
Vulnerability research on the adopted software solutions
Testing of production systems should be carefully supervised by personnel or operators
A Point of Contact (PoC) should be available in order to handle any incident
Exploitation of vulnerabilities must be specifically authorized and monitored by the Customer

SCADA Network Assessment
Network attacks against servers are to be expected
Pivoting through internal users' web browsers to attack internal web applications is less obvious
Many web applications are vulnerable to Cross-Site Request Forgery (CSRF) attacks
CSRF attacks are completely transparent to the user and may affect any system they are currently logged into
CSRF attacks do not require a compromised workstation
Using penetration testing tools focused on client-side attacks makes pivoting easier, e.g. BeEF (The Browser Exploitation Framework)
Cross-Site Request Forgery (CSRF)
Diagram, five numbered steps between the Operator, the Attacker's malicious web page and the Vulnerable application: the operator authenticates to the vulnerable application (1), surfs to a page controlled by the attacker (2), the malicious page is served (3), the page makes the operator's browser send a request to the vulnerable application (4), and the application executes the unwanted action (5).
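The reason CSRF needs no compromised workstation, and the standard fix, are easier to see in code. The following is an added example (not from the talk, and not the code of any product it mentions) of a minimal HMI-style request handler in two versions: the vulnerable one trusts the session cookie alone, which the browser attaches to any request including one triggered by a foreign page; the hardened one additionally requires a per-session synchronizer token that a foreign page cannot read, and checks the Origin header. The application origin, the malicious origin, the "setpoint" action and the request objects are all constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Assumed origin of the HMI web application; any other origin is foreign.
APP_ORIGIN = "https://hmi.example.internal"


@dataclass
class Request:
    """The parts of an HTTP request the two handlers look at."""
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Hmi:
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> CSRF token
    setpoint: float = 50.0                                   # process value the action changes

    def login(self):
        """Start an operator session; return (session id, per-session CSRF token).
        The token is embedded in the HMI's own form, never in a cookie."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def vulnerable_set(self, req: Request) -> bool:
        """Trusts the session cookie alone, so any page the operator visits can drive it."""
        if req.cookies.get("sid") not in self.sessions:
            return False
        self.setpoint = float(req.form["setpoint"])
        return True

    def hardened_set(self, req: Request) -> bool:
        """Requires a same-origin request carrying the session's own token."""
        sid = req.cookies.get("sid")
        if sid not in self.sessions:
            return False
        if req.headers.get("Origin") != APP_ORIGIN:
            return False
        # Constant-time comparison; a missing token compares as an empty string.
        if not hmac.compare_digest(req.form.get("csrf", ""), self.sessions[sid]):
            return False
        self.setpoint = float(req.form["setpoint"])
        return True


def simulate():
    """Replay the operator's own request and a forged cross-site one against both handlers."""
    results = {}
    for name in ("vulnerable_set", "hardened_set"):
        hmi = Hmi()
        sid, token = hmi.login()
        handler = getattr(hmi, name)
        # Operator submits the real form: token and Origin come from the HMI page.
        own = Request(cookies={"sid": sid}, form={"setpoint": "75", "csrf": token},
                      headers={"Origin": APP_ORIGIN})
        # Operator later views a constructed malicious page: the browser attaches the
        # session cookie automatically, but that page cannot read the token.
        forged = Request(cookies={"sid": sid}, form={"setpoint": "200"},
                         headers={"Origin": "https://malicious.example"})
        results[name] = {"own": handler(own), "forged": handler(forged), "setpoint": hmi.setpoint}
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

Both checks matter: the token is the primary defence, and the Origin check (browsers send Origin on cross-origin POSTs) is defence in depth for forms that were missed. Marking the session cookie SameSite=Lax or Strict is a further layer that the example does not model.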
PLC/RTU Device Testing

PLC/RTU Device Testing
In-lab device testing (if devices are available)
Devices are often considered out of scope, despite being critical elements of the ICS ecosystem
Custom protocol reversing and fuzzing
Testing in the production environment is usually avoided or explicitly denied
A crash or generic fault on production systems could have an unpredictable impact on people's safety

Policies & Procedures Review
Targeting non-technological issues
Identify process-related security weaknesses
Focus on the management of SCADA/ICS systems
SCADA Top 10 Security Risks
1. Security through obscurity
2. Unpatched or unsupported (operating) systems
3. Authentication and authorization issues
4. Transport layer insecurity
5. Input validation issues
6. Lack of proper security policies
7. Network isolation and/or segregation
8. Default or weak configuration
9. Lack of accountability
10. Availability issues (Denial of Service)

Statistics of SCADA Security Issues
Bar chart: percentage of vulnerable systems (0-100%) per security issue
Conclusions
ICS are critical, vulnerable and exposed
Identifying their weaknesses is paramount
Security testing can be done safely
Specific methodologies and expertise are needed

Thank you!
alberto@securenetwork.it
Special thanks to Luca De Fulgentis (@_daath)