Welcome to PHOENIX CONTACT
Industrial network security seminar
Matt Cowell
Phoenix Contact ASE – North Central
847 226 5197
2 | Presentation | Matt Cowell | ASE Central | 16 April 2014
Who am I?
Matt Cowell
ASE (Automation Sales Engineer) – N. Central region
Tenure – Joined Phoenix Contact Jan 2008
Located Gurnee, IL (north of Chicago)
Responsible for all Phoenix Contact Automation product in N. Central Region
Automation product responsibility includes Ethernet, network security products, controllers and software, Industrial PC’s, HMI’s, I/O, safety and Wireless
Territory includes IL, WI, MN, ND, SD
Background – Various Engineering roles with later years focused in system integration
Agenda
Industrial networking introduction
Recent product vulnerabilities
Case studies of recent security breaches
‘Typical’ network layouts and comparisons to IT
Introduction to basic Hacking techniques
Live demonstration of hacking techniques used
Highlighting ease of implementation on live network
Offering simple countermeasures and prevention
How mGuard can help
Standards and regulations
General Recommendations
Objectives of this seminar
Not intended as a class to encourage amateur hackers
Raise awareness of often overlooked vulnerabilities
Offer simple concepts and solutions for improved security
Question Time
Has your network ever been hacked?
How do you know?
Whose responsibility is network security?
Everyone’s
Don’t assume someone else (IT) has it covered
Why consider security now?
Scope of industrial networks has grown beyond conventional “switch only” networks (layer 2)
Device access from IT/enterprise network is desired
Remote access to SCADA systems is required for support
Industrial devices lack network security features we have become familiar with (robust NICs, Windows updates, patches, anti-virus, HTTPS etc.)
Vulnerabilities are being discovered daily
Increase in network devices, and trends are relying upon use of ‘the cloud’
Few standards in place yet to enforce security
Stuxnet demonstrated the sophistication and damage that can be caused by industrial-specific malware – don’t wait for Stuxnet 2.0
Industrial attacks are becoming more common and brazen and usually make headline news
Common objections (excuses)
“IT takes care of our firewall and security”
Do they really? So they will handle the consequences of an attack on the SCADA system? Do they understand ‘SCADA’?
“Our SCADA network is isolated/air-gapped”
Are you sure? Either way, Stuxnet (to date the world’s most effective virus on SCADA) caused significant harm to its target, which was also “isolated”. What about USB or other attack vectors?
“We’re just a small site, we’re not a target”
Really? When you search for devices on Shodan, does the attacker care where the vulnerable PLC they just found is?
“SCADA security is too complex and costs too much”
What are the financial consequences of a breach to critical infrastructure? The risk has never been higher than today!
You already know physical security…
Cameras and surveillance
Analogous to IDS (Intrusion Detection System)/logging
Access control – access based upon credentials
Analogous to account/password control policy
Perimeter security – fences, gates, locks
Analogous to firewalls
Alarms
Analogous to Email/SMS/SNMP/HMI alarms
SIEM (Security Information & Event Management) or IDS
Security guard
Analogous to IT/security focused professional
We generally take physical security very seriously
Typical industrial network - machine
Typical production network interface: often a switch, sometimes a router
Characteristics of an Ind. Eth. network
Often engineer governed
Desire high speed (typically small data transfers – bits vs. MB)
Deterministic
Acceptable latency typically measured in ms
High reliability data transfer in rugged form factor
Typically comprising various protocols (Modbus TCP, DNP3, E/IP)
Interconnected via various media (fiber, copper, wireless, leased lines etc.)
Originally isolated islands (no WAN or internet connectivity)
Longer system life cycle = more older technology and OS
Typical Enterprise network (Internet connected)
Large network, vast data transfer, variable speed dependent upon load, latency measured in seconds, isolation of devices less critical, broadcast traffic common, integrated security (anti-virus/software firewall)
Industrial link to Enterprise?
(Diagram: Internet, Router/Firewall, and the Machine/Cell/Line, Production Floor and Enterprise/Company levels, with access throughout)
Why use router/firewall here?
Limit excess traffic – control network doesn’t need to be burdened with excess traffic (broadcasts etc.) from enterprise network
Security – Engineering can control who/what can access control network
Simplification of IP addresses – often machine IP addresses come preset; a router can provide network access without changing IP addresses on control devices
Types of cyber incident
Audit
Legitimate attack/test
Vulnerability assessment
Accidental
Broadcast storm, misconfiguration, faulty product etc.
Wrong IP
Non malicious intrusion
Monitoring data, stealing information etc.
Malicious intrusion
Bad intentions/causing harm
Breaking something (equipment/process/data)
A few discovered vulnerabilities
All confirmed and published by US CERT (DHS)
Schneider – ICS-ALERT-11-346-01 – SCHNEIDER ELECTRIC QUANTUM ETHERNET MODULE MULTIPLE VULNERABILITIES
– ICSA-11-277-01 – SCHNEIDER ELECTRIC UNITELWAY DEVICE DRIVER BUFFER OVERFLOW
– ICSA-11-307-01 – SCHNEIDER ELECTRIC VIJEO HISTORIAN WEB SERVER MULTIPLE VULNERABILITIES
Siemens – ICSA-11-356-01 – SIEMENS SIMATIC HMI AUTHENTICATION VULNERABILITIES
– ICS-ALERT-11-332-02A – SIEMENS SIMATIC WINCC FLEXIBLE VULNERABILITIES
– ICS-ALERT-11-186-01 – PASSWORD PROTECTION VULNERABILITY IN SIEMENS SIMATIC CONTROLLERS S7-200, S7-300, S7-400, AND S7-1200
– ICS-ALERT-11-161-01 – SIEMENS SIMATIC S7-1200 PLC VULNERABILITIES
..more discovered vulnerabilities
Rockwell Automation – VU#144233 – Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities
– ICSA-10-070-01A-UPDATE – ROCKWELL AUTOMATION RSLINX CLASSIC EDS HARDWARE INSTALLATION TOOL BUFFER OVERFLOW
– ICS-ALERT-10-194-01 – OPEN UDP PORT IN 1756-ENBT ETHERNET/IP™ COMMUNICATION INTERFACE
– ICSA-11-273-03A – ROCKWELL RSLOGIX DENIAL-OF-SERVICE VULNERABILITY
– ICS-ALERT-12-020-02A – ROCKWELL AUTOMATION CONTROLLOGIX MULTIPLE PLC VULNERABILITIES
– ICSA-12-088-01A – ROCKWELL AUTOMATION FACTORYTALK RNADIAGRECEIVER DOS VULNERABILITIES
– ICSA-10-070-02 – AUTHENTICATION VULNERABILITY IN ROCKWELL PLC-5 AND SLC 5/0X CONTROLLERS AND ASSOCIATED RSLOGIX SOFTWARE
..and some others
– ICS-ALERT-11-080-02 – MULTIPLE VULNERABILITIES IN ICONICS GENESIS (32 & 64)
– ICSA-11-173-01 – CLEARSCADA REMOTE AUTHENTICATION BYPASS
– ICSA-11-332-01 – INVENSYS WONDERWARE INBATCH ACTIVEX VULNERABILITIES
– ICSA-11-243-03A – GE INTELLIGENT PLATFORMS PROFICY HISTORIAN DATA ARCHIVER BUFFER OVERFLOW VULNERABILITY
– ICSA-12-243-01 – GARRETTCOM PRIVILEGE ESCALATION VIA USE OF HARD-CODED PASSWORD
– ICSA-12-146-01A – RUGGEDCOM WEAK CRYPTOGRAPHY FOR PASSWORD VULNERABILITY
– ICS-ALERT-12-020-07A – WAGO I/O 750 MULTIPLE VULNERABILITIES
Network security breach case study: Stuxnet
The industrial virus that brought mass media attention
Complex rootkit using 4 zero-day exploits
Designed to attack Siemens control networks and Win OS
Used stolen digital certificates to look inconspicuous
Could manipulate PLC logic and network traffic
Automatically spreads via USB jump drive
Reports updates back to internet server
Targeted Iran’s uranium enrichment centrifuges, causing significant damage, but also spread worldwide
Suspected to be a state sponsored virus
It has a ‘kill date’ coded into it to stop spreading on 6/24/12
The Mandiant report
Exposed a multi-year, enterprise-scale computer espionage campaign conducted by China’s PLA
Provided a timeline of the espionage conducted since 2006 against 141 victims across multiple industries in various countries
Highlighted how they did it with meticulous detail (tools, tactics, procedures)
So popular a trojan version was created
Blackhat/Defcon 2013 highlights
3D printed keys to access secure locks
Using a $250 femtocell to intercept cellular transmissions
Hacking medical devices such as a pacemaker or insulin pump
Hacking a car while it’s in use
Hacking SCADA wireless networks (examples of weak security inc. Banner and Prosoft radios)
Real world ransomware
Reported that up to $33k/day ‘stolen’
What industries should be concerned?
ALL Critical infrastructure
Water/Wastewater
Oil and Gas
Hospitals
Prisons
Power generation and Power distribution
Chemical plants
Nuclear reactors
HVAC systems – these not only cool people but critical servers
(Chart: 2012 – Source: US CERT Monitor)
Why do people ‘hack’?
There are a number of motivators, including:
Ego
Criminal
Political/Spying
Hacktivism
Terrorism
War
Personal gain
Corporate gain
Sabotage
Retribution
Personal Concern
How do people hack?
Inside job/disgruntled employee – abusing network privileges
Sniffing – intercepting network traffic, e.g. via ARP spoofing. Unsecured messages (HTTP, SNMP v1 & 2) may contain passwords in plain text
Password cracking – exploiting defaults, password generators, phishing, keylogging, brute force
DoS – Denial of Service attacks overwhelm a network interface by sending excessive traffic to that device
Spoofing – firewalls define rules based upon IP address, MAC address and port. Spoofing modifies the source IP/MAC to pretend it’s from a legitimate source in order to get access and hijack a session. A cyber imposter
Wireless attack – using packet captures and decryption tools it’s possible to extract the WEP key of a wireless AP
Virus/Worm – self-replicating infectious computer code (malware) that can take control of a system or steal information. Infect and spread
Ransomware – a specific infection that demands ransom money or will lock you out of your files or threaten to delete them by a specific deadline – NEW
Trojan – malicious code attached to a legitimate file; once run, it compromises the system by giving access to hacker(s) as a virus would
Social Engineering – manipulating people to divulge information or perform an action – a cyber con artist. Email/phone/baiting/phishing
Exploiting vulnerabilities – systems missing the latest Windows updates, Stuxnet
How easy is it to ‘hack’ a facility?
Just ask Google
Wireless breach
Wardriving
If no access to the inside network, first have to find it:
Specialist search engines
Public IP and Port scans
Social engineering via Trojan or Phishing
Vulnerabilities
Easy targets
Publicly available online and being found daily
Dedicated tools to make life easier
…as we will see
Our demonstration scenario
(Diagram: a PC (HMI, master), a Lean Managed Switch, a PLC (slave) and the attacking PC on the 192.168.0.x LAN, using addresses 192.168.0.100, 192.168.0.101, 192.168.0.102 and 192.168.0.200; a router at 192.168.0.1 forms the perimeter, its LAN side on the demo network and its WAN side on the Internet at 1.2.3.4)
1. Explore and learn the network (learning)
DEMO Time
1. Explore and learn the network
What did we learn?
What subnet they are using (192.168.0.x, i.e. mask 255.255.255.0)
What devices are on the network (Linksys, LMS, VL, PLC)
– What manufacturer (first 3 bytes of the MAC ID)
– What host name (if used)
What IP addresses/MAC addresses appear vacant for our attacking PC
What traffic is being broadcast and by whom – multicast is visible too with an unmanaged switch
Recommendations:
Regulate who has access to the network – layer 1 (physical) prevention?
Isolation using routers/VLANs limits which devices can be scanned
2. Sniffing (learning cont.)
DEMO Time
2. Sniffing
What did we learn?
Switch sends traffic to the destination MAC address only, therefore to sniff someone else’s packets you need to do an ARP spoof
Now we can see which devices are communicating with each other (VL–PLC)
What type of traffic is flowing (UDP 44818 – E/IP)
Which device seems to be a router/firewall (192.168.0.1)
The LMS password, as we happened to intercept an HTTP packet from the Valueline to the LMS that contained the password (‘private’)
Could intercept/modify any unencrypted data – Stuxnet
Recommendations:
Incorporate software or a switch that monitors ARP activity (ARPwatch or IDS)
Encrypt traffic – use HTTPS where possible, VPN etc.
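The two recommendations above (identify a device’s manufacturer from the first 3 bytes of its MAC in step 1, and watch ARP activity with ARPwatch or an IDS in step 2) can be combined in a small monitor. This is an added example, not Phoenix Contact, mGuard or ARPwatch code; the ARP replies and the OUI table are constructed samples.

```python
"""ARP monitor in the style of ARPwatch.

Added example (not Phoenix Contact or mGuard code). Input is a
constructed list of ARP replies as a sniffer on the demo LAN would
see them; the OUI table is a constructed sample, not the IEEE list.
"""
from collections import defaultdict

# Constructed sample OUI table (first 3 bytes of the MAC -> vendor).
# The prefixes use the locally-administered bit, so they match no
# real vendor; in practice load the IEEE OUI registry instead.
SAMPLE_OUI = {
    "02:aa:01": "PLC vendor (sample)",
    "02:aa:02": "switch vendor (sample)",
    "02:aa:03": "router vendor (sample)",
    "02:aa:04": "laptop NIC vendor (sample)",
}

def vendor_of(mac):
    """Vendor lookup on the 24-bit OUI prefix of a MAC address."""
    return SAMPLE_OUI.get(mac.lower()[:8], "unknown")

def monitor_arp(replies):
    """Walk ARP replies (time, sender_ip, sender_mac) in time order.

    Returns a list of alert strings:
      new station       - an IP/MAC pair seen for the first time
      changed ethernet  - an IP now answered by a different MAC, the
                          signature of ARP poisoning
      one MAC, many IPs - a single MAC claiming several IPs, which is
                          what a man-in-the-middle host looks like
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for when, ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is None:
            alerts.append(f"{when} new station {ip} at {mac} ({vendor_of(mac)})")
        elif old != mac:
            alerts.append(f"{when} changed ethernet address {ip}: "
                          f"{old} -> {mac} ({vendor_of(mac)})")
        ip_to_mac[ip] = mac
        known = mac_to_ips[mac]
        grew = ip not in known        # only alert when the claim set grows
        known.add(ip)
        if grew and len(known) > 1:
            alerts.append(f"{when} one MAC, many IPs: {mac} claims {sorted(known)}")
    return alerts

# Constructed ARP replies: normal traffic on the 192.168.0.x demo LAN,
# then one host (02:aa:04:...) answering for the router and another station.
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.0.1",   "02:aa:03:00:00:01"),
    ("10:00:02", "192.168.0.100", "02:aa:01:00:00:10"),
    ("10:00:03", "192.168.0.101", "02:aa:02:00:00:11"),
    ("10:05:00", "192.168.0.1",   "02:aa:04:00:00:99"),
    ("10:05:01", "192.168.0.100", "02:aa:04:00:00:99"),
]

if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE_REPLIES):
        print(alert)
```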
3. Port Scanning (learning cont.)
DEMO Time
3. Port Scanning (learning)
What did we learn?
What ports are open on each device
– TCP
– UDP
Potentially exploit known vulnerabilities & back doors
Recommendations:
Use a firewall when possible
Use logging to notify you of port scans
4. DoS Attack
(Diagram: the same demonstration network as in the scenario above)
4. Denial Of Service attack
What did we learn?
With information we collected by learning the network, we can now break it
Network adapters (particularly on Industrial devices) can be overwhelmed if you send excessive packets
This can manifest in many devastating ways – preventing legitimate communications and in some cases locking up the device requiring power cycle or losing its program
Recommendations:
Use Firewalls to control/restrict access
Use managed switches with bandwidth limitation or routers to prevent excess traffic
Enable monitors/logging to watch and automatically notify of dangerous traffic levels
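Port-scan logging (step 3) and monitoring for dangerous traffic levels (step 4) can both be driven from the firewall’s own log. This is an added example, not mGuard or Phoenix Contact code; the log lines are constructed in netfilter LOG style and the thresholds (10 ports in 60 s, 200 packets in 1 s) are assumptions to tune per network.

```python
"""Firewall log monitor for port scans and traffic floods.
Added example, not mGuard firmware or Phoenix Contact code. Log lines are
constructed in the key=value style of netfilter's LOG target, prefixed with
an epoch timestamp; the thresholds are assumptions, tune them per network."""
import re
from collections import defaultdict, deque

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (timestamp, fields) for one log line, or None if malformed."""
    parts = line.split(None, 1)
    try:
        ts = float(parts[0])
    except (ValueError, IndexError):
        return None
    fields = dict(FIELD_RE.findall(parts[1])) if len(parts) == 2 else {}
    if "SRC" not in fields or "DST" not in fields:
        return None
    return ts, fields

def detect(lines, scan_ports=10, scan_window=60.0, flood_pps=200, flood_window=1.0):
    """Return one alert per offender, scanning lines in time order.
    port scan: one SRC touches >= scan_ports distinct (DST, PROTO, DPT) in scan_window s
    flood:     one DST gets >= flood_pps packets in flood_window s (the burst that
               overwhelms a small device NIC)"""
    touched = defaultdict(deque)   # SRC -> (ts, target) inside the scan window
    arrivals = defaultdict(deque)  # DST -> ts inside the flood window
    alerts, seen_scan, seen_flood = [], set(), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing the monitor
        ts, f = parsed
        src, dst = f["SRC"], f["DST"]
        q = touched[src]
        q.append((ts, (dst, f.get("PROTO", "?"), f.get("DPT", "?"))))
        while ts - q[0][0] > scan_window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= scan_ports and src not in seen_scan:
            seen_scan.add(src)
            alerts.append(f"port scan from {src}: {len(distinct)} ports in {scan_window:.0f}s")
        a = arrivals[dst]
        a.append(ts)
        while ts - a[0] > flood_window:
            a.popleft()
        if len(a) >= flood_pps and dst not in seen_flood:
            seen_flood.add(dst)
            alerts.append(f"flood toward {dst}: {len(a)} packets in {flood_window:.0f}s")
    return alerts

def sample_lines():
    """Constructed log: a 12-port TCP probe of 192.168.0.101, then a 300-packet UDP burst."""
    base = 1397642400  # constructed epoch timestamp
    probe_ports = [21, 22, 23, 80, 102, 443, 502, 1911, 2222, 4840, 20000, 44818]
    lines = [f"{base + i} DROP IN=eth0 SRC=192.168.0.200 DST=192.168.0.101 "
             f"PROTO=TCP SPT={40000 + i} DPT={p}" for i, p in enumerate(probe_ports)]
    lines += [f"{base + 100 + i / 1000:.3f} ACCEPT IN=eth0 SRC=192.168.0.200 "
              f"DST=192.168.0.101 PROTO=UDP SPT=5555 DPT=44818" for i in range(300)]
    lines.append("garbage line with no fields")
    return lines
```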
Control the ‘inside’
Prevent unnecessary access to industrial devices/network
Use a firewall to control traffic rules
Be careful of open ports and ‘backdoors’
Ensure adequate encryption when using wireless (WPA2) & a long, unusual pass phrase
Restrict USB drive usage
Be careful of infected internal PCs – a virus or Trojan can run on the inside (‘inside job’), cause havoc and send information out
It’s claimed 60-70% of all security breaches are carried out by insiders
6. WIFI cracking (on the outside)
DEMO Time
6. Gaining access through WIFI crack
What did we learn?
WIFI packets are transmitted over the air for all to see
Using specialist tools it’s easy to intercept 802.11 network traffic and gather enough ‘samples’ to recover a WEP key, which can then be used to gain access to the network from afar
WPA can be breached too but requires a bit more time and the use of rainbow tables or brute force
A wireless network could also be jammed rather than penetrated
Some recommendations:
Only use wireless if truly necessary and be aware of the consequences
Use the highest level of encryption available (min. WPA2 for WIFI)
Disable SSID broadcasting
Use long, complex passphrases when possible
Use an Intrusion Detection System (IDS) and logging
Segment wireless networks and place them behind firewalls
The solution?
mGuard Industrial Router, Firewall and VPN
(Diagram: two sites, ‘Here’ and ‘There’, linked across the Internet through mGuard)
Not just my advice…
Use of a firewall is a common recommendation by US-CERT for posted vulnerabilities
It gets worse…
Cybersecurity Act of 2012
Defense in Depth in practice
www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
Zones
Firewalls
DMZ
IDS/Logging
Summary - Prevention is better than cure
Many industrial devices are vulnerable…not just AB MLX 1100
An Air gap is a good line of defense if possible but not complete
Understand your network and data flows. Document!
Adopt a defense in depth strategy employing various layers of security
Keep an inventory of networked devices and watch for vulnerabilities/updates
Implement layer 1 security solutions, lockable panels, patch cables etc.
Use updated AV/anti-spyware and ensure any PCs are routinely patched/updated
When interconnecting devices/panels use a firewall
Isolate industrial devices and restrict network access to only those that need it (access control)
Consider specialist firewall functions (DoS prevention, CIFS monitoring)
VLANs and MAC filtering can be used to provide some defense using managed switches
Summary - Prevention is better than cure
Use VPN for ALL remote connections
Restrict use of USB jump drives (disable PC autorun feature, consider encrypted jump drives, don’t allow anyone’s stick)
Restrict/prevent web access to internet from control network
Try to use HTTPS exclusively when using passwords/secure webpages
Consider using network logging, SNMP, Alerts, Intrusion detection, Honeypots – how else will you know something bad happened?
When using wireless always encrypt with minimum of WPA2 for WIFI
Be aware of smartphone vulnerabilities and their place in SCADA
Implement an authentication/authorization policy, including how to handle access credentials for former employees/contractors
Security is not a one and done solution – continuously evolving standards, new vulnerabilities – someone has to stay on top of things
Security is also more than just a one product solution – it’s a way of life
Security requires behavioral diligence from EVERYONE
Summary - Prevention is better than cure
Change default passwords and use ‘strong’ passwords
Take ownership, don’t assume it is already covered – ask questions
Take advantage of online resources
Talk to a specialist and consider getting a vulnerability assessment
Educate all employees
Evaluate your system conceptually using the free US CERT - CSET tool (risk analysis)
Devise a cyber security policy – what are your security goals?
Require changes that affect the network to be reviewed/approved beforehand
Patch management – risk vs reward to patching holes in a running system. Where, when and how. Alternatives?
Devise a response/recovery plan to any potential events and have secure backups of all critical code
The Phoenix Contact products (SFN through Smart Managed Compact Switch are Layer 2; the mGuard Router is Layer 3)

Function           | SFN Unmanaged Switches   | Unmanaged Switches      | Lean Managed Switch | Managed Compact Switch        | Modular Managed Switch               | Smart Managed Compact Switch (gigabit) | mGuard Router
Port Flexibility   | Fixed: 5, 8              | Fixed: 5, 8, 16         | Up to 8 ports       | Fixed 16 ports                | Mix cable types & expand to 24 ports | Fixed 8 ports                          | LAN/WAN
Security Functions | No                       | No                      | No                  | Yes                           | Yes                                  | Yes                                    | Yes
Message Filtering  | No                       | No                      | Yes                 | Yes                           | Yes                                  | Yes                                    | Yes
Redundancy         | No                       | No                      | Yes                 | Yes                           | Yes                                  | Yes                                    | N/A
Diagnostics        | HW (LED, Alarm Contact*) | HW (LED, Alarm Contact) | HW + SW (Web, SNMP) | HW + SW (Web, SNMP)           | HW + SW (Web, SNMP)                  | HW + SW (Web, SNMP)                    | Yes
Application        | Distributed panels       | Distributed panels      | Central panels      | Central or distributed panels | Central panels                       | Central or distributed panels          | Security, remote access or NAT
85 | Customer Presentation | Dan Schaffer | Phoenix Contact – Automation | February 2010
FL MGUARD Hardware Variants
DIN-rail mounted, PCI card and USB-powered devices
Industrialized Hardware Wide Temp specs
Rugged housing
Resistance to Electrical Noise, RF, EMI, Shock & Vibe, etc.
Redundant 9-36VDC Power
10 Mbit, 100 Mbit and Gigabit speed
Copper and fiber variants
Hardware Alarm contact to notify power failure or link loss
Thank You – Questions?
Distrust and caution are the parents of security - Benjamin Franklin