
Page 1: SCADA 2017 – The Future of SCADA Security :: Jonathan Pollet – Red Tiger Security

Page 2: Jonathan Pollet – CISSP, PCIP, CAP

• 15 Years of Electrical Engineering, SCADA, Industrial Controls, and IT Experience
• PLC Programming and SCADA System Design and Commissioning
• Wireless RF and Telecommunications Design and Startup
• Front-end Web Development for SCADA data
• Backend Database design for SCADA data
• Acting CIO for Major Oil Company for 2 years – Enterprise IT Management

• Last 11 Years Focused on SCADA and IT Security
• Published White Papers on SCADA Security early in 2001
• Focused research and standards development for SCADA Security since 2002
• Conducted over 175 security assessments on Critical Infrastructure systems
• Conducted over 75 International conferences and workshops on CIP
• Developed safe security assessment methodology for live SCADA Systems
• Co-developed the SCADA Security Advanced 5-day training course
• Featured presenter on Fox News Live, Vanity Fair, Popular Mechanics, CIO Magazine, and several security publications

Page 3: Red Tiger Security

• Consulting
  - Cyber Vulnerability Assessments for NERC CIP-005/007
  - SCADA / Wireless Telemetry Penetration Testing
  - Network Architecture Analysis / Design
  - Cyber Security Compliance Assistance
  - Development of SCADA Test Beds (Malaysia, Qatar, UAE, University of Tulsa, University of Houston, and several private industry clients)
• Training
  - 5-Day SCADA Security Advanced Course (SANS)
  - 2-Day SCADA Security Course (BlackHat)
• Research
  - Applicability and Usability of Cyber Security Solutions for SCADA / ICS
  - Product Evaluations
  - Various DHS Research Initiatives for ICS
  - Standards Development

Page 4: Outline

• Why Cyber Security Matters so much today
  - the world has changed – it is digital and connected
  - threats have changed – they are digital and connected
  - electric SCADA systems have changed – they are digital and connected
• The Threat spotlight is shifting from traditional IT systems to SCADA systems
  - the number of SCADA Vulnerability Disclosures and Exploits has exploded in the past year (2011-2012)
  - 100 SCADA bugs in 100 days
  - ICS-CERT facts and statistics
  - 0-day Market
  - Foreign Governments Using Surveillance, Interception, and Tracking systems on their own people
  - They want access to Critical Infrastructure as well – i.e. Night Dragon, Duqu, Flame, etc…
• What do the recent threats, and what we know about SCADA Systems, tell us about the future?

Page 5: the world has changed – it is digital and connected

Page 6: threats have changed – they are digital and connected

…within ten minutes of the start of the SQL Slammer worm, 75,000 machines were already infected. This included many critical infrastructure systems…

Page 7: new hacking techniques leverage social networking platforms to establish “trusted” connections

• Targets Developed Using:
  - Open Source Intelligence Gathering
  - Social Engineering
  - Targeted “Spear Phishing”
• Malicious Payloads delivered through:
  - Attachments
  - IM links
  - Compromised websites
  - Physically planted peripherals and devices
  - Smart Phones

Page 8: anyone know this girl?

Within 2 months, “Robin Sage” had amassed a large social network of high-ranking military and government officials.

Page 9: malicious attachments…

• PDF
• MS Products
  - Word, Excel, etc…
• The usual suffixes…
  - mp3, exe, lnk, dll, mov, com, mp4, bat, cmd, reg, rar, emf, shs, js, vb, yourcompany.com.zip, cab, mda, zip, mdb, scr, aiff, mde, cpl, msi, vbs, aif, m4p, msp, fdf, mdt, sys, wmf, hlp, hta, pif, jse, qef, scf, chm, <#>.txt, wsf, fli, vbe

Page 10: Malware Infections Still Highest Attack Vector

*reference: InformationWeek Reports

Page 11: android = rootkit in your pocket that knows your location, and has access to your email, data, bank accounts, and the Internet

Page 12: we now have to worry about our phones

• Google pulled more than 50 apps in March from the Android Marketplace after a security researcher found a Trojan that used applications to spread. The Trojan, called DroidDream, infected more than a quarter million Android phones. One sign of a DroidDream infection was resource consumption due to the way the malware exploits the phone.

SOURCE: DroidDream used a fake bowling game to infect devices. Image courtesy of Lookout Mobile Security

Page 13: SCADA systems have changed too…

Page 14: all we had to worry about before was physical access

Page 15: now SCADA and Critical Infrastructure Systems are digital and connected…

Page 16: …running on the same operating systems as corporate desktops

Page 17: Industrial Control Systems send data in the clear, without any requirement for encryption or authentication

Page 18: from a cyber perspective, SCADA systems look similar to business systems

• Cisco ASA firewalls or equivalent
• Cisco 3750 / 6509 switch fabric
• Servers and workstations running on Windows platforms (WinXP/2003/Vista/7/2008)
• Active Directory
• File/Print servers
• However… they often lack the protection that typical Corporate IT systems have

Page 19: SCADA and ICS Systems are Low Hanging Fruit for Security Researchers – why?

• SCADA and ICS Hardware/Software do not go through the same rigorous security lifecycle process as Information Technology systems
• On average, Microsoft will put their software through 100,000 various fuzzing loops and debugging processes to test for crashes and bugs… and yet plenty of vulnerabilities are still being discovered and reported for Microsoft software
• Control System vendors, if they actually test their systems for bugs at all, will typically only run their applications through basic regression tests, and this process is maybe 5% of what Microsoft does to test their code.
• The SCADA / ICS world typically lags the IT world by 5 to 10 years, so we are only recently seeing the larger Control System vendors building plans to test their products for security flaws.
• All of those thousands of legacy products out there were NEVER tested for simple cyber security flaws like buffer overflows.

Page 20: 100 SCADA bugs in 100 days - McCorkle & Rios

• Terry McCorkle (Boeing Red Team by day, security researcher by night)
• Billy Rios (Google Security Lead by day, security researcher by night)
• Teamed up as friends and ran the project independent of their employers' resources
• All data and SCADA/ICS software used in their research was found FREE on the web (over 3600 SCADA and ICS executable files found using the search queries below)

  +HMI +Download + filetype :(exe,zip,msi) +HMI +<Vendor Name> +Download

• Used simple fuzzers:
  - COMRaider (ActiveX)
  - FileFuzz (bitflipper)
  - Sulley and Peach (allow custom fuzzing)
  - Blasty.py (Service Fuzzer)

Page 21: 100 SCADA bugs in 100 days - McCorkle & Rios

• Downloaded over 380 HMI and Control Workbench software packages, but only tested 76 of them
• Found 665 bugs – all unique crashes
• Found 75 exploitable bugs out of 665 bugs.
• Reported all to ICS-CERT, who worked with the vendors on remediation next steps and sent out advisories to the community
• Most bugs and crashes were code problems straight out of the 90s – Simple Buffer Overflows
• They would set up the automated fuzzing software at night, go to sleep, and find bugs and crashes in the morning… or set the fuzzers in the morning, come back home from work, and find more waiting for them at night.

Page 22: interesting ICS-CERT facts

• 753% increase in vulnerability disclosures to ICS-CERT over the past year.
• Most new vulnerability reports have been from researchers without an ICS background.
• Researchers are developing an interest in SCADA systems, especially since they are connecting the dots and seeing the connections between the cyber and kinetic worlds.
• SCADA and ICS Systems are the low hanging fruit. It is simple for researchers to find and exploit flaws in the code.
• Motivation?
  - Glory, Fame, $$ ??

Page 23: the 0day market is booming

• Nation States
• Underground
• Commercial market
  - ZDI (HP)
  - iDefense
• Bug bounty programs
  - Luigi Auriemma sold GE vulns to ZDI after GE refused to pay for them
  - In March 2011, disclosed 34 SCADA specific vulnerabilities all at once… then in September released another bundle of vulnerabilities and exploit code for 6 more SCADA vendors
• Brokers
  - Researchers and Buyers
  - ExploitHub

Page 24: majority of vulnerabilities “For Sale to Highest Bidder” are for SCADA system components

Page 25: exploit frameworks that contain SCADA-specific exploit modules

• Metasploit has over 25 Exploit Modules (and growing)
• Core Impact 17 Exploit Modules
• Canvas 53 Exploit Modules
  - Gleg Agora SCADA+ Exploit pack for Immunity CANVAS
  - they are aggressively acquiring SCADA vulns and creating exploits
  - 2 ICS vendors have purchased the CANVAS modules
  - Canvas is $8,930
• Gleg pack is $5,000 and the canvas package is 3,930.

Page 26: intelligence about the US SCADA and Critical Infrastructures is being sought out by nation states

1. Internet / Email / SMS layers
   • From what we can tell, they are actively acquiring and installing technology that tracks, monitors, filters, and in some cases also manipulates what information is being transmitted.
2. Corporate IT layer
   • They already have information about how corporate IT systems function. From 2010 through the end of 2011, attacks originating from China were involved in establishing a beachhead within several large Fortune 50 Energy and Oil and Gas corporations in the US. For over 18 months they extracted emails, financial information, blueprints of plants and factories, and had access to information about their SCADA systems as well.
3. SCADA / Manufacturing Systems Layer
   • They are acquiring information about these systems, and in one case we actually found APT rootkits that had infected several operator consoles. Remote control of the system was one of the capabilities.
   • They are targeting electrical utilities, oil and gas companies, and chemical manufacturing facilities

Page 27: Night Dragon APT attacks on US Energy and Chemical companies moved from the Internet, through Corporate IT systems, and into the SCADA systems

Page 28: Recent Cybersecurity Threats Since Stuxnet

*reference: NERC

Page 29: The increased malware activity in recent months was a precursor of what was to happen next…

• With some variations, all of the preceding malware infected computers primarily in Iran, Israel, Afghanistan, the United Arab Emirates, Saudi Arabia, and/or Lebanon, including systems used by critical infrastructure companies, government embassies, and financial services firms
• All of the above bits of Malware have been attributed to friendly nation states
• What happened next?

Page 30: Mideast Energy (Shamoon), Financial Services (DDOS) and now Telvent (SCADA Manufacturer)

*reference: NERC

Page 31: Ideally, we would like to keep all of the SCADA and Control Systems on the inside working while blocking all of the bad stuff

Page 32: …we have to share information, so we create islands of operations and then DMZs between security zones

[Diagram: Internet, Corporate IT, SCADA DMZ, SCADA LAN, RTUs / PLCs / Meters]

Page 33: unfortunately, we come under pressure to open holes for communications between what used to be trusted security zones

[Diagram: Internet, Corporate IT, SCADA DMZ, SCADA LAN, RTUs / PLCs / Meters]
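Pages 17 and 33 make one point from two sides: control protocols carry no authentication, so the zone boundaries are what keep a corporate host from writing to a PLC, and those boundaries are exactly what gets opened up. As an added example (not from the deck or Red Tiger Security), the Python below parses constructed Modbus/TCP frames and applies the kind of zone policy a monitor on the SCADA DMZ boundary could enforce; the zone address ranges, the function-code policy and the sample traffic are all assumptions.

```python
import ipaddress
import struct

# Zone model from the slides; the address ranges are constructed for this example.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.1.0.0/16"),
    "scada_dmz": ipaddress.ip_network("10.2.0.0/24"),
    "scada_lan": ipaddress.ip_network("10.3.0.0/24"),
}
# Modbus function codes that change process state versus those that only read it.
WRITE_FC = {5: "write_single_coil", 6: "write_single_register",
            15: "write_multiple_coils", 16: "write_multiple_registers"}
READ_FC = {1: "read_coils", 2: "read_discrete_inputs",
           3: "read_holding_registers", 4: "read_input_registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP header fields and PDU. The header has
    no credentials or integrity check: whoever reaches the port can issue a write."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit, "function": frame[7], "data": frame[8:]}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def assess(src_ip: str, frame: bytes) -> dict:
    """Zone policy (assumed): only SCADA LAN hosts may write to controllers, and
    corporate hosts must go through the DMZ rather than poll PLCs directly."""
    pdu = parse_modbus_tcp(frame)
    fc, zone = pdu["function"], zone_of(src_ip)
    if fc in WRITE_FC and zone != "scada_lan":
        verdict = "ALERT: write from outside SCADA LAN"
    elif fc in READ_FC and zone not in ("scada_lan", "scada_dmz"):
        verdict = "ALERT: direct read bypassing the DMZ"
    else:
        verdict = "OK"
    name = WRITE_FC.get(fc) or READ_FC.get(fc) or f"fc_{fc}"
    return {"src": src_ip, "zone": zone, "function": name, "verdict": verdict}

# Constructed sample frames (hex): MBAP header, unit id 1, then the PDU.
SAMPLE_TRAFFIC = [
    ("10.3.0.10", "0001000000060105000aff00"),  # HMI on SCADA LAN sets coil 10 ON
    ("10.2.0.5", "0002000000060103000a0002"),   # DMZ historian reads 2 holding registers
    ("10.1.5.20", "0003000000060105000aff00"),  # corporate desktop tries the same coil write
    ("10.1.5.20", "0004000000060103000a0002"),  # corporate desktop polls the PLC directly
]

def run(traffic=SAMPLE_TRAFFIC) -> list:
    return [assess(src, bytes.fromhex(hexframe)) for src, hexframe in traffic]
```

Calling `run()` returns one verdict per frame; the two corporate-side frames are the ones a boundary monitor should raise.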

Page 34: Looking Back Helps Us Look Forward

• The evolution of SCADA and Industrial Control Systems can help us predict what features should be expected by 2012

Page 35: SCADA 1997 / SCADA 2007

SCADA 1997
• PLCs began to ship with Ethernet ports, no encryption, no authentication, no forensics (syslog), no management (snmp)
• DCS Systems were all proprietary
• SCADA Systems were primarily UNIX based, but Windows-based systems like Wonderware and Intellution were gaining momentum
• SCADA protocols:
  - RS232 > 80%
  - Bus (Profibus, Foundation Fieldbus, ModbusPlus, etc…)
  - Starting to see IP-based protocols
• Communications leveraged Corporate IT WAN Infrastructure, and often used IP subnets from a range of IP addresses allocated for SCADA by Corporate IT, no firewalls between Corp IT and SCADA, no IDS / IPS
• Media installed with CD-ROM, Backup media tape-drives, and each component used stand alone hardware

SCADA 2007
• All PLCs ship with Ethernet ports by default, no encryption, some offering local authentication, no forensics (syslog), no management (snmp), “features” like internal web servers, FTP servers, and Telnet not able to be turned off
• DCS Systems are Hybrid > IT switches, IT computer workstations and servers, IT Operating Systems (Microsoft), IP protocols, but controllers and I/O still proprietary
• UNIX-based SCADA Systems dying breed, almost all being ported over to Windows
• SCADA protocols:
  - RS232 (only in limited basis)
  - Bus systems only really used in manufacturing
  - IP-based protocols > 70%
• SCADA and DCS systems utilize separate networks or VLANs. Most are behind at least one firewall, very little use of IDS / IPS
• Media installed with DVD or USB, Backup Media moving to either external USB drives or dedicated SANS or NAS devices, some vendors testing virtualization for hardware (VMware)

Page 36: SCADA 2012 / SCADA 2017

SCADA 2012
• All PLCs ship with Ethernet ports by default, some offer authentication, some offer encrypted or certificate based communications, “features” like internal web servers, FTP servers, and Telnet not able to be turned off, R&D being done for forensics (syslog), management (snmp), and auth (radius, ldap, AD)
• DCS Systems are Hybrid > IT switches, IT computer workstations and servers, IT Operating Systems (Microsoft), IP protocols, but controllers and I/O still proprietary. DCS systems shipping with firewalls in front of the controllers as an option, and whitelisting as an option on the workstations
• Almost all SCADA systems now on Microsoft OS
• SCADA protocols:
  - RS232 (only in limited basis)
  - Bus systems only really used in manufacturing
  - IP-based protocols > 80%
• SCADA and DCS systems utilize separate networks or VLANs. Most are behind at least one firewall, very little use of IDS / IPS
• Media installed with DVD or USB, Backup Media moving to either external USB drives or dedicated SANS or NAS devices, some vendors testing virtualization for hardware (VMware)

SCADA 2017
• All PLCs ship with Ethernet ports by default, but all security services offered by firewalls and IT equipment are fully supported with the ability to turn ON or OFF any feature
• DCS Systems are Hybrid > IT switches, IT computer workstations and servers, IT Operating Systems (Microsoft), IP protocols, but controllers and I/O still proprietary. Security features such as controller firewalls and end-point security are not “features” or options, they are implemented by default.
• Because of push-back from Microsoft-based vulnerabilities, some vendors offer non-Microsoft SCADA HMI options. Predict a “Return of the UNIX Jedi” in some form or another.
• SCADA protocols:
  - RS232 (only in limited basis)
  - Bus systems only really used in manufacturing
  - IP-based protocols > 90%
• SCADA and DCS systems utilize separate networks or VLANs. Most are behind a layered firewall system with multiple DMZs. IDS / IPS and centralized monitoring and logging essential and part of the system.
• Media installed by USB X.0 devices, SANS / NAS, and Virtualization is the norm.

Page 37: (slide without extractable text)

Page 38: (slide without extractable text)

Page 39: (slide without extractable text)

Page 40: lastly… step your game up!

• We will need more trained Cyber Security Professionals working in SCADA and Critical Infrastructure systems
• Get training
• The best defense spends most of its time understanding the offense
• Get plugged into RSS feeds and threat watch lists
• Practice offensive techniques
• Stand up an internal SCADA lab
• Try things
• Weave Penetration Testing into your overall strategy

Page 41: contact info / q & a

Jonathan Pollet, CAP, CISSP, PCIP
Founder, Principal Consultant
Red Tiger Security, USA
office: +1.877.387.7733
mobile: +1.281.748.6401
fax: +1.800.864.6249
[email protected]
www.redtigersecurity.com