Whitepaper
Project HoneyTrain
Publisher: Koramis GmbH, Quartier Eurobahnhof, Europaallee 5, 66113 Saarbrücken
With the friendly assistance of:
KORAMIS GmbH, 24.09.2015 Page 1 from 22
Contents
Introduction
What are Industrial Control Systems
Differences between ICS and conventional IT
Project HoneyTrain
Structure & Layout
Information Portal
Media Server
HMI & CONPOT
S7-1200 & S7-1500
Firewall & Analysis Tools
Project Schedule
Results and Metrics
HMI as Target of Attacks
Media Server as Target
Recommendation and Conclusion
List of Figures
Introduction
Industrial plants are being connected more and more via networks – and therefore become more
prone to cyber-attacks. Hacker attacks on critical infrastructures have emerged as a continuous
threat to industrial IT systems. Tailor-made Trojans and malware have been developed in order to
sabotage production and supply facilities or to collect information about industrial control systems.
Industrial nations are the main targets.
More and more attacks on such critical infrastructures are being detected, amongst them institutions
of high importance to the community. Their breakdown or the prolonged disruption of public
security can have dramatic consequences. Critical infrastructures include, in particular, energy
supply, information technology and telecommunication, health care systems, transport and traffic.
In autumn 2010, the Stuxnet virus shocked the automation industry concerning security, when
Siemens industrial control systems in an Iranian plant for uranium enrichment were manipulated.
The derivatives Duqu and Flame followed immediately. Since then, the media has been reporting
almost daily about cyber-attacks.
For example, a report from the German Federal Office for Security in Information Technology (BSI)
revealed at the beginning of 2015 a cyber-attack on a steelworks. The attackers were able to take
control of the blast furnace and to damage the plant heavily. The intrusion led to a blackout of
systems on the site. According to the report, the people in charge were no longer able to shut down
the blast furnace in a controlled manner.
To determine how attacks on such critical infrastructures are performed, what dangers they produce,
and how widespread the knowledge of such systems in the hacking community already is, Sophos
created, in cooperation with KORAMIS, a model of a real infrastructure in the transport and traffic
sector. By offering this model as a honeypot, information about the quality, quantity and aggressiveness
of such attacks was to be gained. Attacks on real transport systems were not the focus of the research;
the transport sector merely served as a sample for critical infrastructures in general, because model
pieces for a train are much easier to obtain than, for example, those for a power plant.
In particular, the following questions should be answered:
- What skill levels do the potential attackers have?
- What are the cause and effect of the cyber-attacks (e.g. are attacks carried out even if damage to
  property and/or injuries to personnel are knowingly caused)?
- What methods were used?
- Can conclusions on the attackers' motives be drawn?
- Where do the attacks come from (matching of geolocation with local time)?
What are Industrial Control Systems
Industrial control systems (ICS) are used for automated control of complex physical processes. These
systems are widely spread and used for controlling industrial processes in production and
distribution of energy, manufacturing, building services engineering, or traffic control systems.
Everyday processes are also controlled and monitored by ICS.
The following example illustrates the intended use and the common structure of such ICS:
In a heating control system, the temperature is set via a controller. The controller reads the desired
value, and initiates the process to heat the water in the boiler. A thermometer forwards the current
temperature to the controller. If the desired temperature is reached, the controller interrupts the
water heating process.
Fig. 1: Schematic structure of a heating control versus an industrial control system.
An industrial control system works in the same way. An ICS usually has automation and visualization
functions, which can run the process chain automatically, and display graphically the operations in
order to make them traceable. Using this visualization, the operator can trigger actions that are
passed through a controller to the actuators. Finally, sensors give feedback to the controller about
the state of the process. In addition, this information is represented visually by the controller.
Differences between ICS and conventional IT
Even if today's industrial control systems use the same hardware as conventional information
technology (IT), the requirements are quite different.
Category            Conventional IT           Industrial Control Systems
Virus protection    Widely spread             Complicated, often impossible
Life cycle          3-5 years                 5-20 years
Outsourcing         Widely spread             Uncommon
Patch management    Regularly, daily          Seldom, needs approval by manufacturer
Modifications       Frequent                  Seldom
Time dependency     Delays accepted           Critical
Availability        8x5/260 - 24x7/365        24x7/365
Awareness           Good                      Bad
Security test       Secured, by personnel     Seldom, problematic
In contrast to conventional IT where confidentiality of data ranks first, the focus within ICS is mostly
the availability and smooth operation of the plant. However, the integrity of the data is more and
more important even in ICS environments, especially regarding industry 4.0 or the Internet of Things.
Project HoneyTrain
To obtain an overview of the methods hackers use during attacks on industrial control systems,
Sophos, in cooperation with KORAMIS, set up the infrastructure of a transport operation as a
honeypot: the HoneyTrain project.
Fig. 2: HoneyTrain – a reproduction of a railway infrastructure including crossings.
Unlike traditional honeypots, the HoneyTrain project reproduced not only computer systems and
communication protocols, but a complete, plausible infrastructure built with real hardware. In
addition, software components of automation and control systems (e.g. existing railway systems),
and (via a media server) CCTV videos of real stations and train operator cabins were simulated.
Finally, a customized website with general information, timetables, ticketing and information about
disturbances to the operating procedures was integrated.
Furthermore, control functions as well as feedback and status messages via integrated bus systems
(e.g. Profibus, CANbus, Modbus, Profinet and I/O interfaces) were implemented just as in a real
transport system. The execution of control commands and the visualization of all important
operating states took place in a realistic reproduction of a control room, which allows operation
of trains at a scale of 1:87 (H0).
Fig. 3: A SIEMENS S7 controls the trains.
During configuration of the systems, KORAMIS observed the manufacturers' recommended
procedures and techniques, in order to provide an infrastructure as close as possible to real traffic
operations.
Fig. 4: View of the miniature control room and programming device.
This real industrial system design makes it possible to learn from attackers by observing, recording
and analyzing various attacks.
Structure & Layout
In order to give the attacker the impression of a real infrastructure, several systems were
constructed physically according to the standard layout of the system manufacturer.
Fig. 5: Layout of HoneyTrain.
Information Portal
The Information Portal reproduced the web site of a transportation company, based on CentOS 7 with
OpenSSH v6.6.1 and Apache Webserver 2.4.6.
Fig. 6: Journey Planner of HoneyTrain.
Media Server
The Media Server received the streams from the surveillance cameras and made them available via a
web interface. The base system consisted of the Ubuntu-based Linux Mint 16 (Petra) with Apache
Webserver v2.4.10 and OpenSSH v6.1.2.
Fig. 7: Stream from surveillance camera no. 1.
HMI & CONPOT
The human-machine interface (HMI) implemented the visualization which allowed, for example,
individual control of trains.
Fig. 8: Speed level regulation of train no. 1.
CONPOT is an industrial honeypot that emulates various industrial control systems (e.g. Siemens S7-
300), protocols (e.g. Modbus, Profinet) and other HMIs (human-machine interfaces). For our
HoneyTrain project, CONPOT implemented, among other things, a visualization of stops and
stations via a web interface.
Fig. 9: Visualization showing stops and stations of HoneyTrain.
CONPOT and the HMI shared the same hardware.
S7-1200 & S7-1500
The programmable logic controllers (PLC, German: SPS) Siemens Simatic S7-1200 and S7-1500 were
the components for signal and train control. For administration purposes, both controllers offered a
web interface.
Fig. 10: Web administration of S7-1500 train control.
Firewall & Analysis Tools
The firewall acted as the gateway to the internet. Furthermore, in a secure DMZ, multiple analysis tools
for logging and reporting were implemented, including a network sniffer and an intrusion detection
system. The analysis tools are specially designed for the requirements of industrial systems.
Using the logging function of the firewall, all network traffic was sent via Syslog to the reporting
console. Based on up-to-date provider databases and a geolocator, we were able to assign countries
to the IP addresses used for the attacks.
The network sniffer analyzed the transmitted data stream. The content of the data stream was
compared with characteristic patterns of known attacks. Furthermore, the tool could detect whether
the transmission protocol was valid or falsified.
All system events and incidents could be collected, analyzed and evaluated with the host intrusion
detection tool. On a central SIEM console, all events of the host systems were processed
chronologically and made available for analysis. All systems were equipped with analysis agents
recording operating system event logs, file and registry access, and user logins.
Project Schedule
After completing engineering and construction of the industrial infrastructure to control model
trains, a public IP address was assigned to each industrial system. This reflects the fact that
many real industrial systems can be accessed via ISDN or DSL connections. The integration of video
streams from stations and driver's cabs completed the holistic image of a realistic control station.
All systems were put into operation according to manufacturer instructions. If such instructions were
not available, the default passwords were kept, and all services not disabled by the manufacturer
were still accessible.
Subsequently, a website was created providing information about stops and stations, ticket sales,
destinations and similar information typical for the modeled infrastructure.
In order to make the infrastructure as widely visible as possible, a quick listing of the individual
components in the "Internet of Things" search engine SHODAN (www.shodan.io) was
initiated.
This search engine presented all control components of the HoneyTrain with their accessible
services. Not only the open ports, but also the version number of the relevant services were shown.
Fig. 11: HoneyTrain components as shown by Shodan.
Fig. 12: Individual view of a S7-300 on Shodan.
Throughout the duration of the project, the network traffic as well as system events were recorded
and archived using the analysis tool.
Results and Metrics
The infrastructure of the HoneyTrain project was operated for a period of 6 weeks. Subsequently,
both successful attacks and attempts were analyzed.
A total of 2,745,267 attacks could be detected.
For additional analysis, all IP addresses were converted into the corresponding country names using
a geolocator. Explicit IP addresses are not mentioned in this report.
For almost all countries, at least one attempted attack on one of the accessible components was
detected during the project duration.
The following image shows the top 10 countries in order of attempted attacks:
Countries shown here represent only the last resolvable IP address of the attack. These countries
could possibly differ from the actual location of the attacker.
Fig. 13: World map showing the top 10 countries from where attempted attacks were detected.
Fig. 14: Countries by percentage of attacks.
The following image shows, separated by components of the HoneyTrain, the percentage of
attacks:
Fig. 15: Components by percentage of attacks.
The majority of attempted attacks occurred at the Media Server and firewall components. One
possible reason could have been the open standard services of these systems and the availability of
out-of-the-box attacks offered by hacking tools.
In contrast, the industrial components (e.g. S7-1200 or HMI) provided industry specific services.
Although their vulnerabilities and attack routes are known, they are not always implemented in
hacking tools.
The attempted attacks were carried out via various network ports:
Fig. 16: Top 15 affected network ports.
The main network ports used within the simulated industrial infrastructure are shown in the
following image with their corresponding ranking by attempted attacks:
Fig. 17: Network ports of the modeled industrial infrastructure.
Further analysis of attempted attacks revealed that the majority were carried out as automated
dictionary attacks.
Fig. 18: Attack methods by percentage of total attempted attacks.
Fig. 19: Windows event - maximum login attempts during a session.
In a dictionary attack, the attacker tries to identify an unknown user name or an unknown password by
trying entries from a word list. Often whole dictionaries as well as known or commonly successful
user/password combinations are used to create such a list.
The following image shows an excerpt of the user names used for attempts to access the HMI:
Fig. 20: Excerpt of the user names used for login attempts.
HMI as Target of Attacks
During the project, four valid logins to the HMI were detected. Two of them resulted from
dictionary attacks, as we found out by comparing them with the recorded attempted attacks.
The other two valid logins were (judging by the IP address of the attacker) not based on dictionary
attacks. It is assumed that one or both attackers repeatedly accessed the HMI at a later time.
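The comparison described above (which valid logins followed a burst of failed attempts from the same source) can be automated over the login records the analysis agents collect. The following is an added example and not code from the whitepaper or from the HoneyTrain systems; the log line format, the sample entries and the burst threshold are constructed assumptions.

```python
"""Flag dictionary attacks and the valid logins that follow them.

Added example (not part of the KORAMIS/Sophos whitepaper). The log format is
an assumed OpenSSH-style line; thresholds are assumptions to be tuned per system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not data from the HoneyTrain systems. Format:
# "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <ip>".
SAMPLE_LOG = """\
2015-08-01T10:00:01 sshd: Failed password for root from 198.51.100.7
2015-08-01T10:00:02 sshd: Failed password for admin from 198.51.100.7
2015-08-01T10:00:03 sshd: Failed password for operator from 198.51.100.7
2015-08-01T10:00:04 sshd: Failed password for siemens from 198.51.100.7
2015-08-01T10:00:05 sshd: Failed password for hmi from 198.51.100.7
2015-08-01T10:00:06 sshd: Accepted password for admin from 198.51.100.7
2015-08-01T10:30:00 sshd: Failed password for ubuntu from 203.0.113.9
2015-08-01T11:45:00 sshd: Accepted password for ubuntu from 203.0.113.9
2015-08-01T12:00:00 sshd: Accepted password for admin from 192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def dictionary_attack_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return the source IPs with at least `threshold` failed logins inside any window.

    A sliding window over each source's failure timestamps: a burst of failures,
    typically against many different user names, is the signature the whitepaper
    attributes to automated dictionary attacks.
    """
    failures = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
    flagged = set()
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def suspicious_logins(log_text, **kw):
    """Return accepted logins (iso timestamp, user, ip) from flagged sources.

    This is the comparison used to tell which valid logins were the outcome of a
    dictionary attack (same source IP as a burst) and which were direct accesses.
    """
    events = list(parse(log_text))
    attackers = dictionary_attack_sources(events, **kw)
    return [(ts.isoformat(), user, ip)
            for ts, result, user, ip in events
            if result == "Accepted" and ip in attackers]


if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOG):
        print("valid login following a dictionary attack:", hit)
```

On the constructed sample only the login of `admin` from 198.51.100.7 is flagged; the single failure from 203.0.113.9 stays below the threshold, so its later success counts as a direct access, which is the distinction the whitepaper draws.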
By geolocation of the last resolvable IP address, the first and second dictionary attack could be
identified as carried out by Japan or China, respectively.
Regarding direct accesses, a Polish IP address was recorded.
The detailed analysis of the IP addresses revealed that they were already known as dictionary
attacker IPs listed on the analysis website of the Honeypot project
(http://www.projecthoneypot.org).
In one of the subsequent attacks, the recorded activities revealed that the command line (CMD) was
started, two PINGs were executed, and Windows Explorer was opened.
Fig. 21: Excerpt of the analysis of login attempts (including valid logins).
Analyzing the successful attack, we found out that the security configuration of the industrial
components was read out via a central tool, and the settings were exported. As a result, the
visualization could be accessed to activate the front lights of one train.
At the same time as the attack, it was observed that the same accessing IP address tried to control
the S7-1200 (signal control) using another dictionary attack. However, this attack was not successful.
This sequence of attacks shows that the attacker had a deep knowledge of the industrial control
systems used for our HoneyTrain project. These actions were not performed randomly, but
deliberately.
Fig. 22: Access to HMI.
Fig. 23: Access to HMI and execution of a command.
Media Server as Target
The media server was identified as another target.
Again, the valid login credentials were determined by a dictionary attack in order to access the
system at a later time.
The aim of this attack was to conduct a website defacement, in which the original contents were
redesigned.
Fig. 24: Original website contents (left), website defacement (right).
When evaluating the log files, we were able to reconstruct the following steps:
1. After determining user name and password, an SSH connection to the media server was established.
2. Thereafter, the original web page within the directory /var/www/html was deleted.
3. Then, from the home directory of the Ubuntu user, the attacker copied his own website contents
   into the directory /var/www/html. Because a second SSH connection was recorded and the file was
   copied from the home directory, a data transfer via Secure Copy (SCP) was probably used to copy
   the website into the home directory.
4. Finally, the attacker accessed the network settings and executed a PING.
Using geolocation, Singapore could be identified as the origin of the attacker's IP address.
Fig. 25: History of used commands.
Recommendation and Conclusion
As a result of this long-term analysis we conclude that even small measures are sufficient to
prevent unauthorized access to industrial control systems, or to avoid their visibility on the
internet.
As basic guidelines for layout and configuration of such systems, the following topics should be taken
into account:
- Evaluate the additional benefits of a direct connection to public networks before connecting
  your ICS.
- Wherever technically and economically reasonable, avoid external access.
- Ensure that all standard and preconfigured passwords are changed prior to commencing
  operation.
- Make sure that strong passwords are used (min. 8 characters, uppercase and lowercase
  letters, numbers and special characters).
- Wherever technically possible, use multi-factor authentication.
- Disable unnecessary services and users. Consider the use of secure protocols (e.g. SSH
  instead of Telnet).
- Monitor attempts to access your systems.
- Use encryption for cross-network communication.
- Segment your networks and build up secure system zones (e.g. according to IEC 62443).
- Regularly check publications concerning vulnerabilities (released by manufacturers, national
  or international committees like ICS-CERT).
List of Figures
Fig. 1: Schematic structure of a heating control versus an industrial control system.
Fig. 2: HoneyTrain – a reproduction of a railway infrastructure including crossings.
Fig. 3: A SIEMENS S7 controls the trains.
Fig. 4: View of the miniature control room and programming device.
Fig. 5: Layout of HoneyTrain.
Fig. 6: Journey Planner of HoneyTrain.
Fig. 7: Stream from surveillance camera no. 1.
Fig. 8: Speed level regulation of train no. 1.
Fig. 9: Visualization showing stops and stations of HoneyTrain.
Fig. 10: Web administration of S7-1500 train control.
Fig. 11: HoneyTrain components as shown by Shodan.
Fig. 12: Individual view of a S7-300 on Shodan.
Fig. 13: World map showing the top 10 countries from where attempted attacks were detected.
Fig. 14: Countries by percentage of attacks.
Fig. 15: Components by percentage of attacks.
Fig. 16: Top 15 affected network ports.
Fig. 17: Network ports of the modeled industrial infrastructure.
Fig. 18: Attack methods by percentage of total attempted attacks.
Fig. 19: Windows event - maximum login attempts during a session.
Fig. 20: Excerpt of the user names used for login attempts.
Fig. 21: Excerpt of the analysis of login attempts (including valid logins).
Fig. 22: Access to HMI.
Fig. 23: Access to HMI and execution of a command.
Fig. 24: Original website contents (left), website defacement (right).
Fig. 25: History of used commands.
Koramis GmbH, Europaallee 5, D-66113 Saarbruecken
© Copyright 2015 by Koramis GmbH. All rights reserved. Any further use (re-editing or modification, reproduction, disclosure to third parties, etc.) requires the author's consent.
Commercial Register: Saarbruecken Local Court (Amtsgericht), HRB 33069
Managing directors: M.Sc. (Dipl.-Ing.) Hans-Peter Fichtner, Michael Krammel
In loving memory of Dirk Lang (1969-2015) we dedicate this White Paper to him.