Out of Control: SCADA Device Exploitation

Similar documents
Security Issues with Integrated Smart Buildings

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

NEW GENERATION PROGRAMMABLE AUTOMATION CONTROLLER

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

AutoLog ControlMan. Remote Monitoring & Controlling Service

Secure Networks for Process Control

Modbus and ION Technology

QUICK REFERENCE GUIDE MOBILE HUMAN MACHINE INTERFACE (HMI): INNOVATION THAT EMPOWERS THE MOBILE OPERATOR

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

IT Security and OT Security. Understanding the Challenges

Designing a security policy to protect your automation solution

Goals. Understanding security testing

Innovative Defense Strategies for Securing SCADA & Control Systems

Security Management. Keeping the IT Security Administrator Busy

Securing EtherNet/IP Using DPI Firewall Technology

Holistic View of Industrial Control Cyber Security

What is Really Needed to Secure the Internet of Things?

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Protection profile of an industrial firewall

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Security Testing in Critical Systems

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Cybersecurity Health Check At A Glance

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

Protection profile of an industrial firewall

Payment Card Industry (PCI) Data Security Standard

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

Modbus and ION Technology

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Secure Software Programming and Vulnerability Analysis

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

How Secure is Your SCADA System?

Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08

Information Security Assessment and Testing Services RFQ # Questions and Answers September 8, 2014

ICS, SCADA, and Non-Traditional Incident Response. Kyle Wilhoit Threat Researcher, Trend Micro

Network Security Infrastructure Testing

Process Control and Automation using Modbus Protocol

WIRELESS REMOTE MONITORING OF CATHODIC PROTECTION SYSTEMS. John Hawkyard MICorr Deputy General Manager Rawabi Corrosion Technology Co Ltd Al-Khobar

A Systems Approach to HVAC Contractor Security

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

New Era in Cyber Security. Technology Development

Square D Model 6 Motor Control Centers

SANS Top 20 Critical Controls for Effective Cyber Defense

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

Critical Security Controls

FOXBORO. I/A Series SOFTWARE Product Specifications. I/A Series Intelligent SCADA SCADA Platform PSS 21S-2M1 B3 OVERVIEW

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

Chapter 9 Firewalls and Intrusion Prevention Systems

E-BUSINESS THREATS AND SOLUTIONS

Cautela Labs Cloud Agile. Secured.

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

PLCs and SCADA Systems

SCADAvantage Network Topology System software products

Network and Security Controls

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Topics in Network Security

Defending Against Data Beaches: Internal Controls for Cybersecurity

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Critical Controls for Cyber Security.

Understanding Programmable Automation Controllers (PACs) in Industrial Automation

CYBER SECURITY. Is your Industrial Control System prepared?

Maruleng Local Municipality

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Potential Targets - Field Devices

Network Defense Tools

Security all around. Industrial security for your plant at all levels. siemens.com/industrialsecurity. Answers for industry.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

TOP 3 STRATEGIES TO REDUCE RISK IN AUTOMOTIVE/IN-VEHICLE SOFTWARE DEVELOPMENT

13 Ways Through A Firewall

Protecting Critical Infrastructure

Security Issues in SCADA Networks

Building A Secure Microsoft Exchange Continuity Appliance

Recommended Practice Case Study: Cross-Site Scripting. February 2007

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Verve Security Center

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

CONTROL MICROSYSTEMS DNP3. User and Reference Manual

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

Banking Security using Honeypot

Understanding SCADA System Security Vulnerabilities

Tk20 Network Infrastructure

The Trivial Cisco IP Phones Compromise

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Securing end devices

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Overview. Firewall Security. Perimeter Security Devices. Routers

Roger W. Kuhn, Jr. Advisory Director Education Fellow Cyber Security Forum Initiative

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Wireless Communications for SCADA Systems Utilizing Mobile Nodes

INFORMATION ASSURANCE DIRECTORATE

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

End-user Security Analytics Strengthens Protection with ArcSight

Intrusion Detection Systems (IDS)

THE TOP 4 CONTROLS.

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Missing the Obvious: Network Security Monitoring for ICS

Intrusive vs. Non-Intrusive Vulnerability Scanning Technology

Transcription:

Out of Control: SCADA Device Exploitation Contents SCADA vs. DCS... 1 Network Architecture... 2 Components... 3 Historian... 4 Human Machine Interface... 4... 4 EWS Engineering Workstation... 4 PLC Programmable Logic Controller... 4 RTU Remote Terminal Unit... 4... 4 Attack Scenarios... 4 Pivoting... 4... 5... 5 EWS... 5 PLC... 5 Common Vulnerabilities... 5 Industrial Protocols... 5 Debug Service... 6 Remediation... 6 Network Level... 6 Host Level... 6 Controller Level... 7 SCADA vs. DCS SCADA systems are traditionally used when real time control is not required. Devices are usually spread out over a large geographic region, such as a pipeline, and require remote access in order to operate. Distributed

Control Systems (DCS) are commonly used in real time control applications such as factories and assembly lines where all the components are in one location. Network Architecture INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Enterprise Network Domain Controller OPC Server Historian CCTV Server Plant Plant Bus Control Terminal Bus EWS Control Bus PLC PLC PLC PLC Field Bus to Field Bus to Standard DCS Architecture Figure 1

INTERNET SAP ERP EPA Database Alarm Aggregation Corporate Enterprise Network Domain Controller OPC Server Central Facilities Historian ACN Control EWS Terminal Bus PLC PLC PLC PLC Field Bus to Field Bus to Standard SCADA Architecture Figure 2 Standard architecture of a SCADA network is comprised of several compartmentalized levels intended to isolate critical systems from each other as well as more harmful traffic usually found on the business network segment. SCADA networks can use many different means of communication between remote field devices and the control network. Problems arise when the standard architecture is not implemented properly. The most common architecture issues are not implementing firewalls between the control network and the enterprise, or having firewall rules that allow all traffic to pass, effectively turning the firewalls into routers. Another scary, but still common architecture issue is no network segmentation at all where all devices are allowed to communicate and no firewalls are in place. SCADA devices were originally designed to be placed on air gapped networks Components

Historian A Historian captures field data for viewing by the enterprise. It holds a record of everything collected from the field such as flow data, amount of product produced, or even safety records. Human Machine Interface Until recently, most s were knobs and buttons in a control room. Modern s are usually Windows workstation class machines running a display of the process being controlled. Other common s are a panel display with a keypad that displays values and alarms for an operator. Typically s will allow the set points of a process to be changed, but nothing else. An application server is a server class machine that aggregates data from PLCs and RTUs on the control network and speaks EWS Engineering Workstation An engineering workstation provides engineers with the ability to manage and control PLCs and RTUs on the network, also usually in the form of a workstation class Windows machine. All the capabilities of an are present in a EWS as well as the ability to design and update controller logic. PLC Programmable Logic Controller A typical PLC has a power supply, network communications (serial or Ethernet), inputs, and outputs usually contained in separate modules that can be expanded. The PLC operates by scanning inputs, performing logic on those inputs and writing the result of the logic to an output. Inputs to the PLC are usually sensors on the control network. The output is connected to the physical elements of the control network such as motors, pumps, or valves. The computational architecture of a PLC is quite basic; processers are not high speed and do not use advanced capabilities. Notably, memory management is absent. All processes running on a PLC have direct memory access. RTU Remote Terminal Unit An RTU is very similar to a PLC except that it may have more advanced abilities such as interrupt based logic. on control networks usually consists of sensor networks like flow meters, temperature and pressure gauges. These devices often utilize wireless protocols to report their data back to the control network. Attack Scenarios Pivoting Pivoting is a standard technique used in penetration testing to navigate from machine to machine. As the Enterprise Network has the most visibility to the Internet, it is the most logical starting point to begin penetrating the network down to the process control domain.

As the is the eyes of the process, exploiting this machine can cause a process to run blind, i.e. the operations staff have no idea how the plant is actually operating. The can also write setpoints to the controller, which can map directly to outputs on the controller or to scratch memory to be used in calculations by the logic solver. A compromised can destroy a facility by putting certain safeties in bypass and writing bogus setpoints to the controller. s can also acknowledge alarms, which are critical in identifying and mitigating critical problems with the process. In some architectures the application server acts as a buffer between the sensitive control bus and the s. As PLCs are not meant to withstand constant traffic from a large quantity of data consumers, an polls each PLC for critical data and stores it in a database for retrieval. This way, the control bus experiences minimal and more deterministic traffic to keep the process running smoothly. Application servers are also single points of failure, and a compromise can alter the view of the process to all terminals that query it for data. Instead of exploiting each in a refinery, it is more fruitful to exploit the application server and modify operation s view of the process to every. EWS Engineering Workstations are the central repositories of logic held by the PLCs. They are used by engineering staff to diagnose and modify communications and logic on the control network. They have the necessary tools to download new code to the controllers and can be used as a last resort during a failure of the primary machines. Exploitation of an EWS is especially dangerous, because they have the tools to completely modify the contents of a controller, as well as force Inputs/Outputs. Engineering workstations can also hold the source for the logic, giving valuable information to an attacker that is attempting to map the process. PLC As the PLC is the main piece of hardware that directly control the process, exploitation of this component can be catastrophic. The PLC is usually the most protected part of the control network, not necessarily because of security, but because they can be so fragile and must be operational for the process to continue. Even something as simple as a DOS attack on a PLC can bring the entire process to a halt, or worse. Common Vulnerabilities Industrial Protocols Industrial protocols were designed to be lightweight and provide reasonably deterministic communications between controllers and terminals. Security was implemented as an afterthought or, perhaps, not at all. Simple serial protocols such as Modbus and DNP3 can and have been wrapped in IP datagrams and sent over the Internet. Significantly altering a process does not have to include component exploitation, it can be as easy as assembling a well formed IP packet of an industrial protocol and sending it to a controller. IP whitelisting and port security do not exist in standard PLCs, so it will take any well-formed IP packet and performed the requested actions on the actual process

Common Open Industrial Protocols examples are: Modbus/TCP TCP Port 502 Ethernet/IP TCP Port 44818 Profinet TCP/UDP Port 34962 (Typ) Debug Service At the device level, a debug service left enabled by the vendor typically allows full access to physical memory. An example was seen with VxWorks. These services are meant to aid developers and vendor troubleshooters in the case of a customer problem out in the field. Just as vendor support staff can access these services, so too can malicious entities. These debug services allow direct memory access, which for Controllers includes bit mappings to real world equipment. Arbitrarily modifying memory can have disastrous consequences. The three main memory areas involved with process control are the following: Input Table: This table is populated by scanning the Input cards of the controller. Each input is mapped to a memory location in the input table. This area of memory gives the controller a view of how the actual process is operating. Logic Memory: This area of memory hold the actual logic code. This code can either be compiled or interpreted, depending on the individual controller. Modifying this portion of memory can have extremely unpredictable consequences, just like modifying a binary. Output Table: This table is populated by the logic as it solves each ladder as it goes through a scan cycle. Once the cycle is complete, the output table is pushed to the Output cards where signals are sent to the physical equipment. Modifying this portion of memory directly impacts the process, as each bit in the table maps to instrumentation. Remediation Network Level Network attacks can be remediated by removing public facing devices and utilizing a private network for remote devices. Proper network architecture is a key component of preventing unauthorized access to critical systems. Network flow control and security devices such as firewalls and Intrusion Detection Systems (IDS) allow administrators to set restrictive traffic rules on a network and obtain a historical view of normal traffic. There are special concerns for wireless devices used to access remote systems. Frequency Hopping Spread Spectrum (FHSS) technology should be utilized when possible in wireless systems. Of course, network traffic should be encrypted whenever possible. Host Level Protecting hosts against attacks in SCADA systems is very similar to corporate environments, except additional considerations can be taken. Often, control systems are unable to be patched with the latest available security and bug fixes due to support issues and legacy systems. Due to the nature of control systems, the hosts are usually only performing a limited set of activities and are not used as general purpose machines. Therefore, control system hosts are a good candidate for whitelisting technology.

Antivirus products are important, if only to protect against older threats and rogue USB devices that may come into contact with hosts. However, as with other products on a control network, updates are a challenge because internet access is restricted. Controller Level Most of the attack remediation at the controller level is only applicable to device manufacturers. However, command level filtering such as device level firewalls are available that can filter which commands are available to be issued to devices such as a PLC. Device manufacturers can reduce attack surface by removing unnecessary and insecure protocols from firmware images. Hard coded credentials such as service level accounts and secret keys should also be removed or stored securely. Firmware itself should be encrypted. The biggest thing vendors can do is test their own products for security issues and audit code.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information