bsidesaugusta ics scada defense
DESCRIPTION
Your SCADA system has a vulnerability, now what? I briefly summarize the DNP3 vulnerabilities (and those in other ICS protocols too). Then I focus on the different mitigations an ICS owner can apply against these types of protocol implementation vulnerabilities, even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.
TRANSCRIPT
![Page 1: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/1.jpg)
Protecting Your ICS/SCADA Networks
Chris Sistrunk, PE
Sr. Consultant
Mandiant
![Page 2: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/2.jpg)
@chrissistrunk
Electrical Engineer
Mandiant, Entergy (11 years)
SCADA Expert
Loves Security
DNP3 User Group
Button Pusher but I like Blue
Chris Sistrunk, PE
![Page 3: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/3.jpg)
How I Audit SCADA systems
http://securityreactions.tumblr.com/post/30866100673/how-i-audit-scada-systems
![Page 4: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/4.jpg)
What happens when you use nmap (or a fuzzer) on an ICS?
![Page 5: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/5.jpg)
![Page 6: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/6.jpg)
![Page 7: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/7.jpg)
![Page 8: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/8.jpg)
Project Robus
Latin for “bulwark”
@jadamcrain and I started in April 2013
26 advisories / 32 tickets
24 DNP3, 1 Modbus, 1 Telegyr 8979
Aegis ICS Fuzzing Framework - OSS
www.automatak.com/robus
www.automatak.com/aegis
![Page 9: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/9.jpg)
DNP3 – standard SCADA protocol
Ref from IEEE Std 1815-2012
TCP 20000
TCP 19999 (TLS)
UDP 20000
![Page 10: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/10.jpg)
![Page 11: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/11.jpg)
Types of Vulnerabilities
![Page 12: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/12.jpg)
ICS/SCADA lags IT by 10-15 years
735 SCADA-related vulns on OSVDB.org since 2011
“Like kicking a puppy”
Positive vs. Negative Testing: The front yard is mowed, but the back yard is overgrown.
State of ICS/SCADA Security
![Page 13: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/13.jpg)
Let’s take a step back and ask some questions:
What’s the risk if this device is compromised?
◦ Probability * Impact = Risk
◦ Check out my RTU risk score pres from S4x13
What is the ICS device talking to?
Does it use serial or IP protocols…or both?
How do we defend unsecured protocols?
Is the physical security sufficient?
Will you be called at 2AM?
Now What?
![Page 14: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/14.jpg)
The answers to the questions tell you that you have to do something to protect the device(s)
What types of mitigations exist?
Which ones will you use?
◦ Defense in depth – more than one!
◦ Belt and suspenders!
When will they be deployed?
◦ The sooner the better!
Anticipate…Mitigate!
![Page 15: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/15.jpg)
![Page 16: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/16.jpg)
Software/firmware patches/device upgrades
Robust RTU/PLC and master configurations
Robust IP network configurations
ICS Protocol-aware network tools
Proper physical security
Employee awareness
Secure coding and SDL for Vendors
ICS Vulnerability Mitigation
![Page 17: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/17.jpg)
Software Testing
![Page 18: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/18.jpg)
NERC/CIP? CFATS?
????
ICS Vulnerability Mitigation
![Page 19: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/19.jpg)
If there is a software or firmware patch or hardware upgrade out there that fixes a known vulnerability (such as DNP3, modbus)…GO GET IT
Properly test it before you roll it out
If you’re not used to patching your SCADA system, please work with your vendors to do this to minimize downtime
Get The Bug Fix!
![Page 20: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/20.jpg)
USE DNP3-SA! (application layer security)
◦ Correct master only talks to the correct RTU
◦ But it won’t protect against all “bugs”
Disable unused serial and network ports
Use a possible workaround (ex: auto restart)
Check the default settings
◦ DNP3 or other protocols may be factory configured
◦ If not used, disable them!
◦ ICS devices are on SHODAN
Many appear to have the same configurations
Robust Device/Master Configuration
![Page 21: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/21.jpg)
shodan.io – port:20000
![Page 22: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/22.jpg)
What does SCADA stand for?
◦ Supervisory Control and Data Acquisition
What is the standard TCP port for modbus?
◦ 502
What are the 2 start bytes for DNP3?
◦ 0x0564
What year was STUXNET discovered?
◦ 2010
What ICS protocol did HAVEX malware use?
◦ OPC
ICS Trivia
![Page 23: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/23.jpg)
ICS Trivia
![Page 24: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/24.jpg)
ics-radar.shodan.io
![Page 25: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/25.jpg)
When possible, DISABLE functions that aren’t required in your production systems
DNP3 function code examples
◦ Cold and/or Warm Restarts (FC 13 & 14)
◦ Start/Stop Application (FC 17 & 18)
◦ Save Configuration (FC 19) old / Activate Configuration (FC 31) new
◦ Open, Close, Delete, Abort File (FC 25, 26, 27, 30)
If you can’t disable these, use IDS/IPS or DPI Firewalls to alert on unwanted SCADA traffic
Robust Device/Master Configuration
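As an added example (not code from the talk or from Project Robus), here is a minimal DNP3 link/application-layer decoder in Python for the alerting case above: it checks the 0x0564 start bytes and the link-layer CRCs, pulls the application-layer function code out of the first data block, and names frames that carry the function codes listed on the slide so a monitoring script can raise an alert. The frame builder only produces constructed sample traffic; the addresses and names in the code are assumptions, and the CRC follows IEEE 1815 (polynomial 0x3D65).

```python
DNP3_START = b"\x05\x64"      # the two start bytes from the trivia slide
CRC_POLY_REFLECTED = 0xA6BC    # IEEE 1815 polynomial 0x3D65, bit-reversed
# Function codes the slide recommends disabling (names per IEEE 1815)
RISKY_FUNCTION_CODES = {
    13: "COLD_RESTART", 14: "WARM_RESTART", 17: "START_APPL", 18: "STOP_APPL",
    19: "SAVE_CONFIG", 25: "OPEN_FILE", 26: "CLOSE_FILE", 27: "DELETE_FILE",
    30: "ABORT_FILE", 31: "ACTIVATE_CONFIG"}

def dnp3_crc(data: bytes) -> int:
    """DNP3 link-layer CRC-16: init 0, reflected, final complement."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_request(dst: int, src: int, fc: int, app_data: bytes = b"") -> bytes:
    """Constructed sample master->outstation request (link FC 4, unconfirmed user data)."""
    # user data: transport header FIR|FIN, application control FIR|FIN, function code
    user = bytes([0xC0, 0xC0, fc]) + app_data
    header = (DNP3_START + bytes([5 + len(user), 0xC4])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + dnp3_crc(header).to_bytes(2, "little")
    for i in range(0, len(user), 16):   # every 16-byte data block carries its own CRC
        block = user[i:i + 16]
        frame += block + dnp3_crc(block).to_bytes(2, "little")
    return frame

def parse_request(frame: bytes):
    """Decode one DNP3 frame; None if malformed, else a summary with an alert name."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        return None
    header = frame[:8]
    if dnp3_crc(header) != int.from_bytes(frame[8:10], "little"):
        return None
    user, pos, remaining = b"", 10, header[2] - 5   # LEN counts CTRL+DST+SRC+data, not CRCs
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if len(block) < n or dnp3_crc(block) != int.from_bytes(frame[pos + n:pos + n + 2], "little"):
            return None
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    if len(user) < 3:          # need transport, app control and function code bytes
        return None
    fc = user[2]
    return {"dst": int.from_bytes(header[4:6], "little"),
            "src": int.from_bytes(header[6:8], "little"),
            "function_code": fc, "alert": RISKY_FUNCTION_CODES.get(fc)}
```

A frame whose CRCs fail is dropped rather than decoded, which is the same behaviour a real outstation shows; the parser reads only the first fragment's function code, so multi-fragment transport reassembly is out of scope here.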
![Page 26: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/26.jpg)
Segment your ICS/SCADA WAN
◦ Routers, Firewalls, DMZs, & VLANs
◦ This can help isolate the network when needed
Understand your network!
◦ The bad guys sure will
Use encryption and authentication
◦ Use DNP3-SA and TLS
◦ Remote access VPNs, radios, etc
◦ Look at IEC 62351 standard (dovetails with SA)
No ICS protocols on Corporate WAN
Robust IP Networks
![Page 27: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/27.jpg)
Examples of SCADA tools and enterprise network tools that understand ICS protocols:
Protocol analyzers such as Wireshark, ASE & TMW RTU Test Sets
IDS/IPS such as SNORT, Bro, CyberX, SilentDefense ICS, McAfee ADM, Bayshore Networks, and Checkpoint
Routers such as the Cisco CGR 2010
Field firewall w/ICS Deep Packet Inspection
◦ Secure Crossing and Tofino
ICS-Aware Network Tools
![Page 28: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/28.jpg)
Newer enterprise security technologies can be used to help detect, respond to, and contain threats on your SCADA network
Security Operations Center
◦ Security Analyst(s) using a SIEM
◦ Log aggregation
◦ Anomaly and intrusion detection
◦ Indicators of Compromise (IOCs)
Security Onion (Linux distro) www.securityonion.net
Network Security Monitoring
![Page 29: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/29.jpg)
Remember this guy?
![Page 30: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/30.jpg)
We in SCADA Security are in
Like in The Cuckoo’s Egg
![Page 31: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/31.jpg)
1986
![Page 32: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/32.jpg)
Inside cover of The Cuckoo’s Egg
Is this happening in your ICS???
[Network diagram: YourCompany, Internet, Corp, DMZ, SCADAnet, Hist, HMI, RTU, Pump, Plant1, Plant2, Cust 1, Cust 2]
![Page 33: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/33.jpg)
http://www.liquidmatrix.org/blog/2014/07/01/is-there-a-cuckoo-in-your-control-system/
tl;dr
◦ ≥1 person who really cares!
◦ Security Onion (or other NSM)
◦ ICS Honeypot (Conpot, etc)
◦ Full Packet Capture (even serial)
NSM for ICS
![Page 34: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/34.jpg)
So, Chris, why haven’t we seen many ICS incidents?
You can’t see where you aren’t looking!
NSM for ICS
![Page 35: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/35.jpg)
Put. NSM. In. Your. ICS/SCADA. NOW
![Page 36: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/36.jpg)
What is the proper amount of physical security? It depends…
If your critical SCADA master has top physical security, but the serially-connected tiny distribution RTU does not, is that okay?
Use a lock that meets or exceeds: UL 437, ANSI 156.30 Grade A, or ASTM F883 Grade 6
Harden your external barriers
The better the defenses, the more time it buys you to respond
Proper Physical Security
![Page 37: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/37.jpg)
![Page 38: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/38.jpg)
Physical Security
3/8” Mesh
ASTM Grade 6
These may buy you extra time to respond
![Page 39: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/39.jpg)
“Thieves hit our store last night. This is how they circumvented the door alarm…”
via http://redd.it/1pn1xi
![Page 40: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/40.jpg)
Because people follow directions…you know what happens next
![Page 41: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/41.jpg)
Train your folks on ICS/SCADA security
◦ Security Conferences, several training classes available
◦ http://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
◦ GICSP Certification
Security awareness is important
Have a questioning attitude
Report suspicious computer or personal activity/incidents
◦ Who do you call?
◦ Internal hotline, supervisor, SOC, etc
◦ ICS-CERT (877-776-7585)
Employee Awareness
![Page 42: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/42.jpg)
Ask your vendors for DNP3-SA if they don’t have it or aren’t already working on it
Require in the bids for new SCADA systems or upgrades that they be tested by a 3rd party, including the DNP3 protocol stack
◦ Positive Tests: FAT/SAT
◦ Negative Tests: Fuzzing (it’s not new folks!)
DNP3 Will Be Here A While
![Page 43: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/43.jpg)
I’m still more worried about…
![Page 44: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/44.jpg)
DNP3 isn’t a special case. Other ICS protocols will see the same fate.
Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP…
You can defend your SCADA.
Early testing of both the slave/server AND master/client sides of the protocol is important!
Compliance != Security, but the culture is important.
Don’t count on the government to protect your critical systems…it’s your job.
Conclusions
![Page 45: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/45.jpg)
![Page 46: BSidesAugusta ICS SCADA Defense](https://reader033.vdocuments.mx/reader033/viewer/2022052218/546b19ceaf79599b248b4c91/html5/thumbnails/46.jpg)
Ideas? Questions?