Security Testing in Critical Systems


Slide 1: Security Testing in Critical Systems - An Ethical Hacker's View
Peter Wood, Chief Executive Officer, First Base Technologies

Slide 2: Who is Peter Wood?
- Worked in computers & electronics since 1969
- Founded First Base in 1989 (one of the first ethical hacking firms)
- CEO, First Base Technologies LLP
- Social engineer & penetration tester
- Conference speaker and security expert
- Vice Chair of BCS Information Risk Management and Audit Group
- Member of ISACA Security Advisory Group
- UK Programme Chair, Corporate Executive Programme
- FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
- Registered BCS Security Consultant
- Member of ACM, ISACA, ISSA, Mensa
First Base Technologies 2013

Slide 3: Agenda
- Scope of this presentation
- Vulnerabilities and concerns
- Security testing
- Summary and conclusions

Slide 4: Scope of Presentation
- Supervisory Control And Data Acquisition (SCADA): computer systems that monitor and control industrial, infrastructure, or facility-based processes
- Programmable Logic Controller (PLC): a computer used for automation of electromechanical processes, such as control of machinery
- Programmable Automation Controller (PAC): a compact controller that combines the features and capabilities of a PC-based control system with those of a typical PLC
- Remote Terminal Unit (RTU) or Intelligent Electronic Device (IED): a microprocessor-controlled device that interfaces objects in the physical world to a distributed control system or SCADA

Slide 5: Network Architecture
- RTUs and IEDs are proprietary devices running embedded operating systems
- These originally used serial communications with field bus protocols such as Modbus, BITBUS, PROFIBUS etc.
- Field bus protocols are now frequently encapsulated in TCP/IP
- SCADA controllers manage communications, analyse data and display the alerts and events
- Industrial systems now use UNIX or Windows in controllers and embedded in some field devices
- This has exposed industrial systems to the same IT security challenges as commercial systems

Slide 6: Agenda
- Overview of critical systems
- Vulnerabilities and concerns
- Security testing
- Summary and conclusions

Slide 7: Authentication Problems
- Default (manufacturer) passwords
- Very poor quality passwords
- Passwords never changed
- Passwords common across many devices
- Shared credentials
- No passwords / anonymous logins
- Remote access via modem
- Systems replaced less often than commercial systems: no cleanup, more opportunity for information leakage
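The credential weaknesses listed on this slide can be checked without touching a live controller, by reviewing configuration exports offline. The following is an added example (not from the presentation); it assumes a constructed inventory of device accounts and a placeholder vendor-default list, and flags empty, default, weak and shared passwords.

```python
from collections import defaultdict

# Placeholder vendor-default table: (model, user) -> default password.
# A real review fills this from the device manuals; these values are constructed.
KNOWN_DEFAULTS = {("plc-x", "admin"): "admin", ("rtu-y", "operator"): "1234"}

def review_credentials(devices):
    """Offline review of device accounts exported from configuration backups.
    devices: list of dicts with keys name, model, user, password
    (password None or "" means no password / anonymous login).
    Returns a list of (device, finding) tuples, device-level findings first,
    then one finding per password that is shared across several devices."""
    findings = []
    by_password = defaultdict(list)   # password -> devices using it
    for d in devices:
        pw = d["password"]
        if not pw:
            findings.append((d["name"], "no password / anonymous login"))
            continue
        if KNOWN_DEFAULTS.get((d["model"], d["user"])) == pw:
            findings.append((d["name"], "manufacturer default password"))
        # Crude quality check: short, all-digit, or equal to the user name.
        if len(pw) < 8 or pw.isdigit() or pw.lower() == d["user"].lower():
            findings.append((d["name"], "very poor quality password"))
        by_password[pw].append(d["name"])
    for pw, names in by_password.items():
        if len(names) > 1:   # same credential common across many devices
            findings.append((",".join(sorted(names)),
                             "same password shared across %d devices" % len(names)))
    return findings

# Constructed sample inventory (not real devices or credentials).
DEVICES = [
    {"name": "plc-01", "model": "plc-x", "user": "admin", "password": "admin"},
    {"name": "plc-02", "model": "plc-x", "user": "admin", "password": "Sup3rv1sory!"},
    {"name": "plc-03", "model": "plc-x", "user": "admin", "password": "Sup3rv1sory!"},
    {"name": "rtu-07", "model": "rtu-y", "user": "operator", "password": None},
]

if __name__ == "__main__":
    for device, finding in review_credentials(DEVICES):
        print("%-14s %s" % (device, finding))
```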

Slide 8: Systems not Patched or Hardened
- Many systems running on legacy (unsupported) operating systems
- Patching can break applications
- Patching can violate some vendors' service contracts
- Systems never taken off-line, as downtime can cause massive problems
- Systems are rarely hardened, as it is believed this may impact the application
- SCADA applications themselves often contain vulnerabilities
- Frequently no anti-malware software

Slide 9: Insecure Protocols
- Field bus protocols were not designed to be secure
- Most field devices use proprietary IP stacks that are prone to DoS attacks and buffer overflows
- Field bus protocols were designed for serial comms, so there is no built-in authentication: all legitimate packets will be processed
- Most communication is in plain text
- Default SNMP strings

Slide 10: Lack of Segmentation
- Firewalls usually only between the corporate network and the industrial network (if at all)
- Firewalls may be badly configured; industrial protocols are difficult to control
  - All field bus traffic may be on one port
  - Cannot risk blocking critical messages
- Wireless can bypass firewalls
- Traditionally SCADA systems were isolated - not any more
- Systems therefore vulnerable to malware, especially worms

Slide 11: Stuxnet: classic exploit
- Self-replicated through removable drives (auto-execution vulnerability)
- Spread in a LAN through a Windows Print Spooler vulnerability
- Spread through SMB (Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability)
- Copied and executed itself through network shares
- Copied and executed itself on computers running a WinCC database server
- Automatically executed when the Step 7 project is loaded
- Updated itself through a peer-to-peer mechanism within a LAN
- Exploited a total of four unpatched Microsoft vulnerabilities
- Command and control to download and execute code, including updates
- Contained a Windows rootkit that hid its binaries
- Attempted to bypass security products
- Fingerprinted and targeted Siemens PLCs to sabotage the system
- Hid modified code on PLCs, essentially a rootkit for PLCs
Source: Symantec, W32.Stuxnet Dossier version 1.4 (February 2011)

Slide 12: Agenda
- Overview of critical systems
- Vulnerabilities and concerns
- Security testing
- Summary and conclusions

Slide 13: Problems with Testing - 1
"While a ping sweep was being performed on an active SCADA network that controlled 9-foot robotic arms, it was noticed that one arm became active and swung around 180 degrees. The controller for the arm was in standby mode before the ping sweep was initiated."
Source: NIST Special Publication 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security

Slide 14: Problems with Testing - 2
"A ping sweep was being performed on an ICS network to identify all hosts that were attached to the network, for inventory purposes. It caused a system controlling the creation of integrated circuits in the fabrication plant to hang. This test resulted in the destruction of $50,000 worth of wafers."
Source: NIST Special Publication 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security

Slide 15: Problems with Testing - 3
"A gas utility hired an IT security consulting organization to conduct penetration testing on its corporate IT network. The consulting organization carelessly ventured into a part of the network that was directly connected to the SCADA system. The penetration test locked up the SCADA system and the utility was not able to send gas through its pipelines for four hours. The outcome was the loss of service to its customer base for those four hours."
Source: NIST Special Publication 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security

Slide 16: Areas for Review
- Perimeter
- Network infrastructure
- Active Directory etc.
- Host operating systems
- Applications
- PLCs, RTUs, IEDs, etc.

Slide 17: Perimeter
- Identify all external connections
- Review firewall rules
- Review remote access methods
- Check for wireless networks
- Check physical access
- If in doubt: test duplicate systems

Slide 18: Network Infrastructure
- Review router configs
- Review switch tables
- Conduct physical cable checks
- Conduct packet sniffing and analysis
- If in doubt: test duplicate systems

Slide 19: Active Directory
- Manual inspection
- Interviews
- Offline inspection

Slide 20: Host Operating Systems
- Review hardening
- Review patch levels
- Review password quality
- Review share and directory permissions
- Review remote access
- If in doubt: test duplicate systems

Slide 21: Applications
- Review ports and services
- Review OS credentials
- Review password quality
- Review remote access
- Consider code review
- If in doubt: test duplicate systems

Slide 22: PLCs, RTUs, IEDs, etc.
- Review hardening
- Review patch levels
- Review password quality (if any)
- Conduct packet sniffing
- If in doubt: test duplicate systems
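Slides 9, 18 and 22 together make the case for passive packet analysis: Modbus/TCP has no authentication field, so every well-formed frame reaching a device is processed, and the ping sweeps of slides 13 to 15 show why active probing is unsafe. The following added example (not from the presentation) decodes the MBAP header of captured Modbus/TCP requests, builds a host and unit-id inventory from the capture alone, and flags write function codes from any source outside a constructed allow-list; the IP addresses and frames are constructed, not from a real plant.

```python
import struct
from collections import defaultdict

# Modbus function codes that change process state; reads are codes 1 to 4.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode the 7-byte MBAP header and the function code of one request.
    MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    There is no credential anywhere in the frame: the sender's identity
    is only the IP address the frame arrived from."""
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(payload) - 6:   # length counts unit id + PDU
        raise ValueError("length field does not match frame size")
    func = payload[7]
    return {"tid": tid, "unit": unit, "function": func,
            "write": func in WRITE_FUNCTIONS}

def review_capture(packets, write_allowed):
    """packets: iterable of (src_ip, dst_ip, tcp_payload) taken from a capture.
    write_allowed: set of source IPs expected to issue writes (e.g. the
    engineering station). Returns (inventory, findings) where inventory maps
    each device IP to the unit ids addressed on it, and findings lists
    (src, dst, unit, function) for writes from unexpected sources."""
    inventory = defaultdict(set)
    findings = []
    for src, dst, payload in packets:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError:
            continue   # not Modbus or malformed: outside this review's scope
        inventory[dst].add(req["unit"])
        if req["write"] and src not in write_allowed:
            findings.append((src, dst, req["unit"], req["function"]))
    return dict(inventory), findings

# Constructed frames: Read Holding Registers (0x03) from an HMI, Write Single
# Register (0x06) from the engineering station, the same write from an unknown
# host, and one truncated frame that the parser must skip.
SAMPLE = [
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0001000000060103000A0002")),
    ("10.0.1.20", "10.0.2.5", bytes.fromhex("0002000000060106000A0001")),
    ("10.0.1.99", "10.0.2.6", bytes.fromhex("0003000000060206000A0001")),
    ("10.0.1.10", "10.0.2.5", b"\x00\x04"),
]

if __name__ == "__main__":
    inv, hits = review_capture(SAMPLE, {"10.0.1.20"})
    print("inventory:", inv)
    print("unexpected writes:", hits)
```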

Slide 23: Agenda
- Overview of critical systems
- Vulnerabilities and concerns
- Security testing
- Summary and conclusions

Slide 24: Summary and Conclusions
- Industrial systems now use UNIX or Windows, exposing them to the same IT security challenges as commercial systems
- Systems still considered to be isolated, but they are not
- Systems not patched or hardened
- All devices will have authentication problems
- Systems replaced less often than commercial systems: no cleanup, more opportunity for information leakage
- Field bus protocols were not designed to be secure
- Poor segmentation and firewalling
- Conventional scanning and testing can cause serious problems
- Audit and careful manual inspection rather than pen test

Slide 25: Designing Security In
- Learn from the IT security challenges in commercial systems using UNIX or Windows
- Build firewalls with the understanding that industrial systems may not be isolated
- Work towards hardening and patching systems (thorough application testing required!)
- Segment systems that have authentication problems
- Perform regular cleanup of systems to minimise redundant accounts
- Replace field bus protocols wherever possible, otherwise segment them
- Segment and firewall thoroughly, then test the boundaries

Slide 26: Need more information?
Peter Wood, Chief Executive Officer, First Base Technologies LLP
peterw@firstbase.co.uk
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Twitter: peterwoodx