
Welcome to PHOENIX CONTACT

Industrial network security seminar

Matt Cowell

Phoenix Contact ASE – North Central

[email protected]

847 226 5197

2 | Presentation | Matt Cowell | ASE Central | 16 April 2014

Who am I?

Matt Cowell

ASE (Automation Sales Engineer) – N. Central region

Tenure – Joined Phoenix Contact Jan 2008

Located in Gurnee, IL (north of Chicago)

Responsible for all Phoenix Contact Automation products in the N. Central Region

Automation product responsibility includes Ethernet, network security products, controllers and software, industrial PCs, HMIs, I/O, safety and wireless

Territory includes IL, WI, MN, ND, SD

Background – Various engineering roles, with later years focused on system integration

Agenda

Industrial networking introduction

Recent product vulnerabilities

Case studies of recent security breaches

‘Typical’ network layouts and comparisons to IT

Introduction to basic Hacking techniques

Live demonstration of hacking techniques used

Highlighting ease of implementation on live network

Offering simple countermeasures and prevention

How mGuard can help

Standards and regulations

General Recommendations


Objectives of this seminar

Not intended as a class to encourage amateur hackers

Raise awareness of often overlooked vulnerabilities

Offer simple concepts and solutions for improved security

Question Time

Has your network ever been hacked?

How do you know?

Whose responsibility is network security?

Everyone’s

Don’t assume someone else (IT) has it covered

Why consider security now?

The scope of industrial networks has grown beyond conventional “switch only” networks (layer 2)

Device access from the IT/enterprise network is desired

Remote access to SCADA systems is required for support

Industrial devices lack the network security features we have become familiar with (robust NICs, Windows updates, patches, anti-virus, HTTPS etc.)

Vulnerabilities are being discovered daily

Increase in network devices, and trends are relying upon use of ‘the cloud’

Few standards in place yet to enforce security

Stuxnet demonstrated the sophistication and damage that can be caused by industrial-specific malware – don’t wait for Stuxnet 2.0

Industrial attacks are becoming more common and brazen and usually make headline news

Common objections (excuses)

“IT takes care of our firewall and security”

Do they really? So they will handle the consequences of an attack on the SCADA system? Do they understand ‘SCADA’?

“Our SCADA network is isolated/air-gapped”

Are you sure? Either way, Stuxnet (to date the world’s most effective virus on SCADA) caused significant harm to its target, which was also “isolated”. What about USB or other attack vectors?

“We’re just a small site, we’re not a target”

Really? When an attacker searches for devices on Shodan, do they care where the vulnerable PLC they just found is?

“SCADA security is too complex and costs too much”

What are the financial consequences of a breach to critical infrastructure? The risk has never been higher than today!

You already know physical security…

Cameras and surveillance

Analogous to IDS (Intrusion Detection System)/logging

Access control – access based upon credentials

Analogous to account/password control policy

Perimeter security – fences, gates, locks

Analogous to firewalls

Alarms

Analogous to Email/SMS/SNMP/HMI alarms, SIEM (Security Information & Event Management) or IDS

Security guard

Analogous to an IT/security-focused professional

We generally take physical security very seriously

Typical industrial network – machine

Typical production network interface: often a switch, sometimes a router

Characteristics of an Ind. Eth. network

Often engineer governed

Desire high speed (typically small data transfer – bits vs. MB)

Deterministic

Acceptable latency typically measured in ms

High reliability data transfer in a rugged form factor

Typically comprising various protocols (Modbus TCP, DNP3, E/IP)

Interconnected via various media (fiber, copper, wireless, leased lines etc.)

Originally isolated islands (no WAN or internet connectivity)

Longer system life cycle = more older technology and OS

Typical Enterprise network

[Diagram: enterprise network connected to the Internet]

Large network, vast data transfer, variable speed dependent upon load, latency measured in seconds, isolation of devices less critical, broadcast traffic common, integrated security (anti-virus/software firewall)

Industrial link to Enterprise?

[Diagram: Internet – Router/Firewall – Enterprise/Company level – Production Floor level – Machine/Cell/Line level; label: Access throughout]

Why use a router/firewall here?

Limit excess traffic – the control network doesn’t need to be burdened with excess traffic (broadcasts etc.) from the enterprise network

Security – Engineering can control who/what can access the control network

Simplification of IP addresses – often machine IP addresses come preset; a router can provide network access without changing IP addresses on control devices

The cyber threat is real…

Types of cyber incident

Audit

Legitimate attack/test

Vulnerability assessment

Accidental

Broadcast storm, misconfiguration, faulty product etc.

Wrong IP

Non-malicious intrusion

Monitoring data, stealing information etc.

Malicious intrusion

Bad intentions/causing harm

Breaking something (equipment/process/data)

A few discovered vulnerabilities

All confirmed and published by US CERT (DHS)

Schneider – ICS-ALERT-11-346-01—SCHNEIDER ELECTRIC QUANTUM ETHERNET MODULE MULTIPLE VULNERABILITIES

– ICSA-11-277-01—SCHNEIDER ELECTRIC UNITELWAY DEVICE DRIVER BUFFER OVERFLOW

– ICSA-11-307-01—SCHNEIDER ELECTRIC VIJEO HISTORIAN WEB SERVER MULTIPLE VULNERABILITIES

Siemens – ICSA-11-356-01—SIEMENS SIMATIC HMI AUTHENTICATION VULNERABILITIES

– ICS-ALERT-11-332-02A—SIEMENS SIMATIC WINCC FLEXIBLE VULNERABILITIES

– ICS-ALERT-11-186-01—PASSWORD PROTECTION VULNERABILITY IN SIEMENS SIMATIC CONTROLLERS S7-200, S7-300, S7-400, AND S7-1200

– ICS-ALERT-11-161-01—SIEMENS SIMATIC S7-1200 PLC VULNERABILITIES

..more discovered vulnerabilities

Rockwell Automation – VU#144233 – Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities

– ICSA-10-070-01A-UPDATE ROCKWELL AUTOMATION RSLINX CLASSIC EDS HARDWARE INSTALLATION TOOL BUFFER OVERFLOW

– ICS-ALERT-10-194-01 OPEN UDP PORT IN 1756-ENBT ETHERNET/IP™ COMMUNICATION INTERFACE

– ICSA-11-273-03A—ROCKWELL RSLOGIX DENIAL-OF-SERVICE VULNERABILITY

– ICS-ALERT-12-020-02A—ROCKWELL AUTOMATION CONTROLLOGIX MULTIPLE PLC VULNERABILITIES

– ICSA-12-088-01A—ROCKWELL AUTOMATION FACTORYTALK RNADIAGRECEIVER DOS VULNERABILITIES

– ICSA-10-070-02 AUTHENTICATION VULNERABILITY IN ROCKWELL PLC-5 AND SLC 5/0X CONTROLLERS AND ASSOCIATED RSLOGIX SOFTWARE

..and some others

– ICS-ALERT-11-080-02 MULTIPLE VULNERABILITIES IN ICONICS GENESIS (32 & 64)

– ICSA-11-173-01—CLEARSCADA REMOTE AUTHENTICATION BYPASS

– ICSA-11-332-01—INVENSYS WONDERWARE INBATCH ACTIVEX VULNERABILITIES

– ICSA-11-243-03A—GE INTELLIGENT PLATFORMS PROFICY HISTORIAN DATA ARCHIVER BUFFER OVERFLOW VULNERABILITY

– ICSA-12-243-01—GARRETTCOM PRIVILEGE ESCALATION VIA USE OF HARD-CODED PASSWORD

– ICSA-12-146-01A—RUGGEDCOM WEAK CRYPTOGRAPHY FOR PASSWORD VULNERABILITY

– ICS-ALERT-12-020-07A—WAGO I/O 750 MULTIPLE VULNERABILITIES

Network security breach case study: Stuxnet

The industrial virus that brought mass media attention

Complex rootkit exploiting four zero-day exploits

Designed to attack Siemens control networks and the Windows OS

Used stolen digital certificates to look inconspicuous

Could manipulate PLC logic and network traffic

Automatically spreads via USB jump drive

Reports updates back to an internet server

Targeted Iran’s uranium enrichment centrifuges, causing significant damage, but also spread worldwide

Suspected to be a state-sponsored virus

It has a ‘kill date’ coded into it to stop spreading on 6/24/12

SCADA is a target

500,000 reasons to be afraid

How confident are you?

The Mandiant report

Exposed a multi-year, enterprise-scale computer espionage campaign conducted by China’s PLA

Provided a timeline of the espionage conducted since 2006 against 141 victims across multiple industries in various countries

Highlighted how they did it in meticulous detail (tools, tactics, procedures)

So popular that a trojanized version of the report was created

Blackhat/Defcon 2013 highlights

3D-printed keys to access secure locks

Using a $250 femtocell to intercept cellular transmissions

Hacking medical devices such as a pacemaker or insulin pump

Hacking a car while it’s in use

Hacking SCADA wireless networks (examples of weak security including Banner and Prosoft radios)

Real world ransomware

Reported that up to $33k/day ‘stolen’

Not so ‘smart’ toilet

What industries should be concerned?

ALL critical infrastructure

Water/Wastewater

Oil and Gas

Hospitals

Prisons

Power generation and power distribution

Chemical plants

Nuclear reactors

HVAC systems – these not only cool people but critical servers

[Chart: 2012 – Source: US CERT Monitor]

Why do people ‘hack’?

There are a number of motivators, including:

Ego

Criminal

Political/Spying

Hacktivism

Terrorism

War

Personal gain

Corporate gain

Sabotage

Retribution

Personal Concern


How do people hack?

Inside job/disgruntled employee – abusing network privileges

Sniffing – intercepting network traffic, ARP spoofing. Intercept. Unsecured messages (HTTP, SNMP v1 & 2) may contain passwords in plain text

Password cracking – exploiting defaults, password generators, phishing, keylogging, brute force

DoS – Denial of Service attacks overwhelm a network interface by sending excessive traffic to that device.

Spoofing – Firewalls define rules based upon IP address, MAC address and port. Spoofing modifies the source IP/MAC to pretend it’s from a legitimate source, to get access and hijack a session. Cyber imposter

Wireless attack – Using packet captures and decryption tools it’s possible to extract the WEP key of a wireless AP.

Virus/Worm – Self-replicating infectious computer code (malware) that can take control of a system or steal information. Infect and spread.

Ransomware – Specific infection that demands ransom money or will lock you out of files or threaten to delete them by a specific deadline – NEW

Trojan – Malicious code attached to a legitimate file – once run, compromises the system by giving access to a hacker (or hackers) as a virus would.

Social Engineering – manipulating people to divulge information or perform an action – cyber con artist. Email/phone/baiting/phishing

Exploiting vulnerabilities – missing Windows updates, Stuxnet

How easy is it to ‘hack’ a facility?

Just ask Google

Wireless breach

Wardriving

If there is no access to the inside network, an attacker first has to find it:

Specialist search engines

Public IP and port scans

Social engineering via Trojan or phishing

Vulnerabilities

Easy targets

Publicly available online and being found daily

Dedicated tools to make life easier

…as we will see

Our demonstration scenario

[Diagram: demonstration network – PC (HMI, Master), Lean Managed Switch, PLC (Slave) and Attacking PC on the LAN side of a Router, with the Internet on the WAN side. LAN addresses shown: 192.168.0.100, 192.168.0.101, 192.168.0.102, 192.168.0.200 and 192.168.0.1; WAN address 1.2.3.4; a perimeter boundary is marked.]

1. Explore and learn the network (learning)

DEMO Time

1. Explore and learn the network

What did we learn?

What subnet they are using (192.168.0.x – i.e. 255.255.255.0)

What devices are on the network (Linksys, LMS, VL, PLC)

– What manufacturer (first 3 bytes of the MAC ID)

– What host name (if used)

What IP addresses/MAC addresses appear vacant for our attacking PC

What traffic is being broadcast and who from – see multicast too with an unmanaged switch.

Recommendations:

Regulate who has access to the network – layer 1 prevention?

Isolation using routers/VLANs limits what devices can be scanned

2. Sniffing (learning cont.)

DEMO Time

2. Sniffing

What did we learn?

A switch sends traffic to the destination MAC address only; therefore, to sniff someone else’s packets, we need to do an ARP spoof

Now we can see what devices are communicating with each other (VL–PLC)

What type of traffic is flowing (UDP 44818 – E/IP)

What device seems to be a router/firewall (192.168.0.1)

The LMS password, as we happened to intercept an HTTP packet from Valueline to LMS that contained the password (‘private’)

Could intercept/modify any unencrypted data – Stuxnet

Recommendations:

Incorporate software or a switch that monitors ARP activity (ARPwatch or IDS)

Encrypt traffic – use HTTPS where possible, VPN etc.
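One way to implement the ARP-monitoring recommendation above, as an added example that is not code from the seminar, from Phoenix Contact or from ARPwatch: a small Python monitor that keeps the IP-to-MAC table of the demo network and alerts when an IP suddenly answers with a new MAC, or when one MAC answers for several IPs. Only the IP addresses come from the demo scenario; the MAC addresses and the reply sequence are constructed for the example.

```python
# Added example: an ARPwatch-style monitor for the demo network.
# It consumes (timestamp, sender IP, sender MAC) tuples taken from ARP replies.
# The reply sequence and all MAC addresses are constructed for this example;
# in practice you would feed it from a capture on the switch's mirror port.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample traffic. The router, HMI and PLC answer first, then a
# third station starts answering ARP for the router's and the PLC's IPs,
# which is what the ARP-spoof step of the sniffing demo looks like on the wire.
SAMPLE_ARP_REPLIES: List[Tuple[float, str, str]] = [
    (0.0, "192.168.0.1",   "00:11:22:aa:bb:01"),  # router/firewall
    (0.5, "192.168.0.100", "00:11:22:aa:bb:02"),  # PC (HMI)
    (1.0, "192.168.0.101", "00:11:22:aa:bb:03"),  # PLC
    (1.5, "192.168.0.1",   "00:11:22:AA:BB:01"),  # router again, same MAC (case differs)
    (2.0, "192.168.0.1",   "de:ad:be:ef:00:99"),  # router IP now claimed by another MAC
    (2.1, "192.168.0.101", "de:ad:be:ef:00:99"),  # same MAC also claims the PLC's IP
]


@dataclass
class ArpMonitor:
    """Tracks which MAC last answered for each IP and records binding changes."""
    table: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, ts: float, ip: str, mac: str) -> Optional[str]:
        """Record one ARP reply; return an alert string if the binding changed."""
        mac = mac.lower()
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is None or previous == mac:
            return None  # first sighting or unchanged binding: nothing to report
        alert = f"t={ts:.1f}s ARP change: {ip} moved from {previous} to {mac}"
        self.alerts.append(alert)
        return alert

    def shared_macs(self) -> Dict[str, List[str]]:
        """MACs currently answering for more than one IP (the man-in-the-middle picture)."""
        by_mac: Dict[str, List[str]] = {}
        for ip, mac in self.table.items():
            by_mac.setdefault(mac, []).append(ip)
        return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


def run_monitor(replies=SAMPLE_ARP_REPLIES) -> ArpMonitor:
    """Feed a reply sequence through a fresh monitor and return it for inspection."""
    monitor = ArpMonitor()
    for ts, ip, mac in replies:
        monitor.observe(ts, ip, mac)
    return monitor


if __name__ == "__main__":
    m = run_monitor()
    for line in m.alerts:
        print(line)
    print("MACs answering for several IPs:", m.shared_macs())
```

A legitimate device that comes back after the spoof will raise a second "moved" alert (ARPwatch calls this a flip-flop); that is the signal worth forwarding to the IDS or SNMP trap receiver.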

3. Port Scanning (learning cont.)

DEMO Time

3. Port Scanning (learning)

What did we learn?

What ports are open on each device

– TCP

– UDP

Potentially exploit known vulnerabilities & back doors

Recommendations:

Use a firewall when possible

Use logging to notify you of port scans

4. DoS Attack

DEMO Time

4. DoS Attack

[Diagram: the demonstration network shown earlier]

4. Denial of Service attack

What did we learn?

With the information we collected by learning the network, we can now break it

Network adapters (particularly on industrial devices) can be overwhelmed if you send excessive packets

This can manifest in many devastating ways – preventing legitimate communications and, in some cases, locking up the device so that it requires a power cycle or loses its program

Recommendations:

Use firewalls to control/restrict access

Use managed switches with bandwidth limitation or routers to prevent excess traffic

Enable monitors/logging to watch and automatically notify of dangerous traffic levels
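The logging recommendations of step 3 (notify on port scans) and step 4 (notify on dangerous traffic levels), as one added example that is not part of the seminar and does not use mGuard's real log format: Python that parses constructed firewall log lines in an invented `ts ACTION PROTO src:sport -> dst:dport` format and alerts when one source touches many distinct ports within a short window, or when the packet rate toward one device exceeds a threshold. The roles assigned to the IPs (attacking PC 192.168.0.200, PLC 192.168.0.101, HMI 192.168.0.100) and the thresholds are assumptions made for the example.

```python
# Added example: port-scan and flood detection over firewall log lines.
# The log format below is invented for this example (it is not mGuard's);
# the IP roles (attacker 192.168.0.200, PLC 192.168.0.101, HMI 192.168.0.100)
# are assumptions about the demo network, and the thresholds are illustrative.
import re
from collections import defaultdict, deque
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SCAN_WINDOW, SCAN_PORTS = 10.0, 20    # distinct dst ports from one source per window
FLOOD_WINDOW, FLOOD_PKTS = 1.0, 200   # packets toward one destination per window


def parse(line: str) -> Optional[Dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "action": d["action"], "proto": d["proto"],
            "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])}


def analyze(lines: List[str]) -> List[str]:
    """Return one alert per offending source (scan) or destination (flood)."""
    per_src: Dict[str, deque] = defaultdict(deque)  # src -> (ts, dport) inside window
    per_dst: Dict[str, deque] = defaultdict(deque)  # dst -> ts inside window
    flagged_scan, flagged_flood, alerts = set(), set(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, src, dst = ev["ts"], ev["src"], ev["dst"]
        # Port scan: many distinct destination ports from one source, quickly.
        q = per_src[src]
        q.append((ts, ev["dport"]))
        while q and ts - q[0][0] > SCAN_WINDOW:
            q.popleft()
        distinct = len({p for _, p in q})
        if src not in flagged_scan and distinct >= SCAN_PORTS:
            flagged_scan.add(src)
            alerts.append(f"port scan from {src}: {distinct} ports within {SCAN_WINDOW:.0f}s")
        # Flood: packet rate toward one device, whether or not the firewall passed it.
        r = per_dst[dst]
        r.append(ts)
        while r and ts - r[0] > FLOOD_WINDOW:
            r.popleft()
        if dst not in flagged_flood and len(r) >= FLOOD_PKTS:
            flagged_flood.add(dst)
            alerts.append(f"flood toward {dst}: {len(r)} packets within {FLOOD_WINDOW:.0f}s")
    return alerts


def make_sample_log() -> List[str]:
    """Constructed log: benign HMI->PLC EtherNet/IP, then a port scan, then a flood."""
    lines = [f"{i:.3f} ALLOW UDP 192.168.0.100:50000 -> 192.168.0.101:44818" for i in range(5)]
    lines += [f"{10 + p * 0.05:.3f} DROP TCP 192.168.0.200:40000 -> 192.168.0.101:{p}"
              for p in range(1, 41)]
    lines += [f"{20 + i * 0.002:.3f} ALLOW UDP 192.168.0.200:55555 -> 192.168.0.101:44818"
              for i in range(300)]
    return lines


if __name__ == "__main__":
    for alert in analyze(make_sample_log()):
        print(alert)
```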

Control the ‘inside’

Prevent unnecessary access to industrial devices/network

Use a firewall to control traffic rules

Be careful of open ports and ‘backdoors’

Ensure adequate encryption when using wireless (WPA2) & a long, unusual passphrase

Restrict USB drive usage

Be careful of infected internal PCs – a virus or Trojan can run on the inside (‘inside job’), cause havoc and send information out

It’s claimed 60-70% of all security breaches are carried out by insiders

6. WIFI cracking (on the outside)

DEMO Time

6. Gaining access through WIFI crack

What did we learn?

WIFI packets are transmitted over the air for all to see

Using specialist tools it’s easy to intercept 802.11 network traffic and get enough ‘samples’ to recover a WEP key, which can then be used to gain access to the network from afar.

WPA can be breached too but requires a bit more time and the use of rainbow tables or brute force

A wireless network could also be jammed rather than penetrated

Some recommendations:

Only use wireless if truly necessary and be aware of the consequences

Use the highest level of encryption available (minimum WPA2 for WIFI)

Disable SSID broadcasting

Use long, complex passphrases when possible

Use an Intrusion Detection System (IDS) and logging

Segment wireless networks and place them behind firewalls

The solution?

mGuard Industrial Router, Firewall and VPN

[Diagram: mGuard deployment across the Internet – labels “Here”, “There”, “Partial”]

Not just my advice..

Use of a firewall is a common recommendation by US CERT for posted vulnerabilities

It gets worse…

Cybersecurity Act of 2012

Defense in Depth in practice

www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf

Zones

Firewalls

DMZ

IDS/Logging

Summary – Prevention is better than cure

Many industrial devices are vulnerable…not just the AB MLX 1100

An air gap is a good line of defense if possible, but not complete

Understand your network and data flows. Document!

Adopt a defense-in-depth strategy employing various layers of security

Keep an inventory of networked devices and watch for vulnerabilities/updates

Implement layer 1 security solutions: lockable panels, patch cables etc.

Use updated AV/anti-spyware and ensure any PCs are routinely patched/updated

When interconnecting devices/panels use a firewall

Isolate industrial devices and restrict network access to only those that need it (access control)

Consider specialist firewall functions (DoS prevention, CIFS monitoring)

VLANs and MAC filtering can be used to provide some defense using managed switches

Summary – Prevention is better than cure

Use VPN for ALL remote connections

Restrict use of USB jump drives (disable the PC autorun feature, consider encrypted jump drives, don’t allow anyone’s stick)

Restrict/prevent web access to the internet from the control network

Try to use HTTPS exclusively when using passwords/secure web pages

Consider using network logging, SNMP, alerts, intrusion detection, honeypots – how else will you know something bad happened?

When using wireless always encrypt with a minimum of WPA2 for WIFI

Be aware of smartphone vulnerabilities and their place in SCADA

Implement an authentication/authorization policy including how to handle access credentials for former employees/contractors

Security is not a one-and-done solution – continuously evolving standards, new vulnerabilities – someone has to stay on top of things

Security is also more than just a one-product solution – it’s a way of life

Security requires behavioral diligence from EVERYONE

Summary – Prevention is better than cure

Change default passwords and use ‘strong’ passwords

Take ownership, don’t assume it is already covered – ask questions

Take advantage of online resources

Talk to a specialist and consider getting a vulnerability assessment

Educate all employees

Evaluate your system conceptually using the free US CERT CSET tool (risk analysis)

Devise a cyber security policy – what are your security goals?

Require changes that affect the network to be reviewed/approved beforehand

Patch management – risk vs. reward of patching holes in a running system. Where, when and how. Alternatives?

Devise a response/recovery plan for any potential events and have secure backups of all critical code

The Phoenix Contact products (Layer 2: switches; Layer 3: mGuard router)

SFN Unmanaged Switches (Layer 2) – Port flexibility: Fixed 5, 8 ports. Security functions: No. Message filtering: No. Redundancy: No. Diagnostics: HW (LED, alarm contact*). Application: Distributed panels.

Unmanaged Switches (Layer 2) – Port flexibility: Fixed 5, 8, 16 ports. Security functions: No. Message filtering: No. Redundancy: No. Diagnostics: HW (LED, alarm contact). Application: Distributed panels.

Lean Managed Switch (Layer 2) – Port flexibility: Up to 8 ports. Security functions: No. Message filtering: Yes. Redundancy: Yes. Diagnostics: HW + SW (Web, SNMP). Application: Central panels.

Managed Compact Switch (Layer 2) – Port flexibility: Fixed 16 ports. Security functions: Yes. Message filtering: Yes. Redundancy: Yes. Diagnostics: HW + SW (Web, SNMP). Application: Central or distributed panels.

Modular Managed Switch (Layer 2) – Port flexibility: Mix cable types & expand to 24 ports. Security functions: Yes. Message filtering: Yes. Redundancy: Yes. Diagnostics: HW + SW (Web, SNMP). Application: Central panels.

Smart Managed Compact Switch (gigabit) (Layer 2) – Port flexibility: Fixed 8 ports. Security functions: Yes. Message filtering: Yes. Redundancy: Yes. Diagnostics: HW + SW (Web, SNMP). Application: Central or distributed panels.

mGuard Router (Layer 3) – Port flexibility: LAN/WAN. Security functions: Yes. Message filtering: Yes. Redundancy: N/A. Diagnostics: Yes. Application: Security, remote access or NAT.

85 | Customer Presentation | Dan Schaffer | Phoenix Contact – Automation | February 2010

FL MGUARD Hardware Variants

DIN-rail mounted, PCI card and USB-powered devices

Industrialized hardware: wide temperature specs

Rugged housing

Resistance to electrical noise, RF, EMI, shock & vibration, etc.

Redundant 9–36 VDC power

10 Mb, 100 Mb and Gigabit speeds

Copper and fiber variants

Hardware alarm contact to notify of power failure or link loss

Final Thought

“Distrust and caution are the parents of security” – Benjamin Franklin

Thank You – Questions?