Sergey Bratus Trust Lab, Dartmouth College

Similar documents
How To Fuzz On A Scada System

protocol fuzzing past, present, future

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Robert Malmgren. Smart Grid. Security Challenges - Legacy and Infrastructure Burdens

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

TFE listener architecture. Matt Klein, Staff Software Engineer Twitter Front End

Utility Telecom Forum. Robert Sill, CEO & President Aegis Technologies February 4, 2008

protocol fuzzing past, present, future

The Hacker Strategy. Dave Aitel Security Research

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment

The Security Development Lifecycle

On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks

Innovative Defense Strategies for Securing SCADA & Control Systems

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Holistic View of Industrial Control Cyber Security

Network Security Essentials Chapter 5

Securing Distribution Automation

Network Cyber Security. Presented by: Motty Anavi RFL Electronics

CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT

Modbus and ION Technology

Managing Latency in IPS Networks

Introduction to Computer Security

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Keeping the Lights On

How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework

Securing EtherNet/IP Using DPI Firewall Technology

Getting Ahead of Malware

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities. A.K.A Fuzzing 101

SNMP SECURITY A CLOSER LOOK JEFFERY E. HAMMONDS EAST CAROLINA UNIVERSITY ICTN 6865

Transport Layer Security Protocols

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Cyber Security Health Test

Cyber Security Management for Utility Operations by Dennis K. Holstein (Opus Publishing) and Jose Diaz (Thales esecurity)

Solution of Exercise Sheet 5

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Cisco RSA Announcement Update

WHITE PAPER. Securing Process Control Networks

7.1. Remote Access Connection

Update On Smart Grid Cyber Security

Roger W. Kuhn, Jr. Advisory Director Education Fellow Cyber Security Forum Initiative

BlackRidge Technology Transport Access Control: Overview

Introduction to Computer Security

Chapter 7 Transport-Level Security

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Secure SCADA Communication Protocol Performance Test Results

Release Notes LS Retail Data Director August 2011

Peach Fuzzer Platform

Who is Watching You? Video Conferencing Security

Security Yokogawa Users Group Conference & Exhibition Copyright Yokogawa Electric Corporation Sept. 9-11, 2014 Houston, TX - 1 -

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

This chapter discusses Synchronous Data Link Control (SDLC) protocols that you can configure on a BANDIT device s ports. See the following sections:

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Remote Access Security

Achilles Assurance Platform. Dr. Nate Kube Founder / CTO Wurldtech

Passing PCI Compliance How to Address the Application Security Mandates

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

Midterm. Name: Andrew user id:

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

12 Security Camera System Best Practices - Cyber Safe

N-Dimension Solutions Cyber Security for Utilities

Secure Installation and Operation of Your Xerox Multi-Function Device. Version 1.0 August 6, 2012

Fuzzing in Microsoft and FuzzGuru framework

Overview. Firewall Security. Perimeter Security Devices. Routers

Virtual Private Networks

IT Security and OT Security. Understanding the Challenges

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

SCADA SYSTEMS AND SECURITY WHITEPAPER

Operating System Security

Automotive Ethernet Security Testing. Alon Regev and Abhijit Lahiri

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Moritz Jodeit

CONTROL MICROSYSTEMS DNP3. User and Reference Manual

Virtual Private Networks: IPSec vs. SSL

The Advantages of Block-Based Protocol Analysis for Security Testing

OPCNet Broker TM for Industrial Network Security and Connectivity

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Windows Remote Access

Key Components of WAN Optimization Controller Functionality

Security implications of the Internet transition to IPv6

How To Test A Control System With A Network Security Tool Like Nesus

Process Control and Automation using Modbus Protocol

RMCS Installation Guide

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

What is Really Needed to Secure the Internet of Things?

Transcription:

Adventures in SCADA Sergey Bratus Trust Lab, Dartmouth College Edmond Rogers ( bigezy ) a Fortune 500 utility company -> University of Illinois Information Trust Institute

What this talk is not No 0days No vendors named No Stuxnet

No Stuxnet?! WTF? ( Goto 27c3 x2: Bruce Dang, FX )

"SCADA in the wild" Seeing SCADA equipment/software in its natural habitat it s cruel to isolate them from their natural inputs & surroundings :) Seeing the operations of a control network Fuzzing with no target instrumentation & no protocol spec

Bonuses Going through a man-trap to get to a network port Fuzzing across state lines Fuzzing $100K+ systems Finding out what waking up for work at 6am feels like :)

What the jungle looks like

What the jungle looks like

Legacy: it s still there

What the jungle looks like

"Substation in a corn field"

"Substation in a corn field" 9600 baud serial modem line

"Substation in a corn field"

Meanwhile, at the Control Center... Some 100+ modem lines terminate at the "Front End Processor" (FEP)

Meanwhile, at the Control Center... Front End Processor connects to an Energy Management Server (EMS) EMS feeds data to boards/workstations

Meanwhile, at the Control Center... Front End Processor connects to an Energy Management Server (EMS) EMS feeds data to boards/workstations

Meanwhile, at the Control Center... Front End Processor connects to an Energy Management Server (EMS) EMS feeds data to boards/workstations

"Power ties" The closer to the control center, the more proprietary the protocols get Sold as (expensive!) integrated solutions ($100K+ - $1M+) Asset owners heavily rely on vendors Maintenance contracts, warranty, etc. But asset owners can push back, too

SCADA owners care Smart asset owners suspect things might be really brittle Hence serious investment into isolation of control networks (+ IPSec, too) The most paranoid production network I've seen...which was where we came in :)

The cause Utility may spend at least as much on mitigation as on original equipment! This research was done to show the need for such strong and meticulous measures Defense in depth is only as good as the hole is deep

Isolated Test Environment New devices and patches must be tested before being put into service Such a test environment was used as a basis: isolated from production network Took a lot of preparation and checking to assemble the right topology with the right geographic distances

Fuzzing across state lines 1: Your fuzzer is here A: your FEP is here (Note: these aren t the actual locations)

Fuzzing! Software internals Crafted inputs

Yeah, fuzzing SCADA...

"Fuzzing SCADA" is old... Ganesh Devarajan (TippingPoint) DNP3 module for Sulley the fuzzer (Sulley released in 2007 by Amini & Portnoy) Ganesh's BH 07 talk caused much media stir Digital Bond's ICCPSic test tools released to vetted asset owners subscribers...will crash vulnerable ICCP servers. SecuriTeam's bestorm DNP3 fuzzer crashed Wireshark's DNP3 protocol dissector/parser Mu Security's fuzzer hw appliance Licensed per protocol module

Problems in the field? Proprietary protocols => no block-based protocol modules a-la SPIKE Cannot instrument the targets (voiding $100K+ warranties is tough) Who s going to restart it for us when crashed? > 50% of fuzzing is framework setup

No problems! This... is... SCADA! Protocol transmissions are continuous and repetitive, same structure many samples of data to learn from Watchdogs automatically restart failed processes and systems Frequent keep-alive/status messages easy to see when targets crash

More SCADA goodies Distinct handshake phase in protocols skip it to let data connections proceed then fuzz data parsing code easy to recognize with packet regexps Similar data, similar packet structure seen over and over really helps mutational fuzzing

GPF, mutation fuzzing General Purpose Fuzzer fuzzes saved network protocol sessions useful heuristics for inserting runs of random or special bytes

Aitel had it right with SPIKE We d like to know the blocks of the protocol must match them closely enough to cover code paths past simple sanity checks Target process input sanitize business logic How to guess blocks of unknown protocol? well, just roughly enough to fuzz them :)

LZfuzz, a lazy hack Guesses blocks ( tokens ) based on repeated occurrence, a-la GZIP runs a variant of the Lempel-Ziv compression algorithm frequently repeated byte strings end up in a string table seeds the table with likely tokens/blocks from packet captures Applies GPF s heuristic mutations to tokens: long ASCII byte runs for buffers overruns extra delimiters, bit flips,...

IPQueue + per-packet LZ tokenizer + GPF LZfuzz

Recap Cannot instrument endpoints, must infer state of target processes/os: unexpected TCP RSTs, repeated SYNs special auth handshakes pre- data sessions timeouts Must adapt & back-off to allow watchdogs to reset targets & rebuild connections Must hypothesize checksum kinds & places

LZfuzz 2.0 Connection state inference rules Automatic checksum detection & fix-up

Coverage? Tried non-scada targets: DAAP (itunes) OSCAR (Pidgin)

Validation for utility Mitigating controls to prevent injection of packets into the control network Paranoia justified

The future?

The future?

The future? Composition is how humans do engineering But Security is not composable Composing wellunderstood parts may yield a new system with deadly properties Complexity Kills

Wrong threat model

Smart Grid! It s smarter grid, thank you very much Tens of millions of devices! or 100M, whichever you feel like Not just smart meters : phasors, relays, intelligent electronic devices,...

(2b! 2b) * 100M To remote admin or not to remote admin? To trust or not to trust (the network environment)? To trust or not to trust (remote systems)? Will old engineering solutions scale up to 100M?

When we have 100M computers... How do we extend trust to them? How do we keep all of them trustworthy?

When we have 100M computers... Should they have remote administration interfaces to get configured, patched, and upgraded? YES: huge network attack surface NO: be prepared to lose/replace entire generations, often [ evolution = stuff dies out ] -- Dan Geer, SOURCE Boston, 08

When we network 100M computers... How do we commission/config/replace them? Must be easy, not require special training (e.g., in a Home Area Network) Plug it in, it just works => Devices must TRUST their network environment to learn configs from it (e.g.,: IPv6 auto configuration)

Just trust the first message vs. key mgmt The only way to authenticate a message is to share a secret (or public key) with the trusted origin/environment How will this secret get to the new device? human_op * 100M =

Can we authenticate 100M devices? What would managing 100M keys cost? support remote replacement? A utility s PKI experience: keys are costlier than devices!

C, confidentiality: Crypto Chicken vs. Egg Key material to secure link layer (L2)...is exchanged via protocols in L3! programming with drivers/frames rather than sockets sucks

I, integrity: Run twice as hard to remain in place How much to: push patches * 100M =? runtime integrity computation CPU cost * 100M =? maintain white list of trusted configs?

...and other fun adventures...

Thank you!

More Information More research & industry interaction info: Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) project: http://www.tcipg.org/ Disclaimer: This talk presents only the authors positions, not those of sponsors or other organizations.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information