Hacking SCADA: 2011 A Year in Review :: jonathan pollet – red tiger security 1


Post on 14-May-2018


Page 1:

Hacking SCADA: 2011 A Year in Review :: jonathan pollet – red tiger security

Page 2:

Jonathan Pollet – CISSP, PCIP, CAP


- 12 Years of Electrical Engineering, SCADA, Industrial Controls, and IT Experience
- PLC Programming and SCADA System Design and Commissioning
- Wireless RF and Telecommunications Design and Startup
- Front-end Web Development for SCADA data
- Backend Database design for SCADA data
- Acting CIO for Major Oil Company for 2 years – Enterprise IT Management

- Last 8 Years Focused on SCADA and IT Security
- Published White Papers on SCADA Security early in 2001
- Focused research and standards development for SCADA Security since 2002
- Conducted over 120 security assessments on Critical Infrastructure systems
- Conducted over 75 International conferences and workshops on CIP
- Developed safe security assessment methodology for live SCADA Systems
- Co-developed the SCADA Security Advanced 5-day training course

Page 3:

red tiger security

- Consulting
  - Cyber Vulnerability Assessments for NERC CIP-005/007
  - SCADA / Wireless Telemetry Penetration Testing
  - Network Architecture Analysis / Design
  - Cyber Security Compliance Assistance
  - Development of SCADA Test Beds (Malaysia, Qatar, UAE, University of Tulsa, University of Houston, and several private industry clients)
- Training
  - 5-Day SCADA Security Advanced Course (SANS)
  - 2-Day SCADA Security Course (BlackHat)
- Research
  - Applicability and Usability of Cyber Security Solutions for SCADA / ICS
  - Product Evaluations
  - Various DHS Research Initiatives for ICS
  - Standards Development

Page 4:

outline

- the world has changed – it's digital and connected
- threats have changed – they are digital and connected
- electric SCADA systems have changed – they are digital and connected
- the number of SCADA vulnerability disclosures and exploits has exploded in the past year (2010-2011)
  - 100 SCADA bugs in 100 days
  - ICS-CERT facts and statistics
  - 0-day market
- how can bad stuff get in? – VIDEOS
  - direct compromise of vulnerable services
  - pivot on the historian in the DMZ
- what can be done to SCADA / ICS devices once you are in? – VIDEOS

Page 5:

major world ISP and telecom trunks

Page 6:

malware can spread at the rate of 125 machines per second…


…within ten minutes of the start of the SQL Slammer worm, 75,000 machines were already infected. This included many critical infrastructure systems…

Page 7:

new hacking techniques leverage social networking platforms to establish “trusted” connections

- Targets developed using:
  - Open Source Intelligence Gathering
  - Social Engineering
  - Targeted "Spear Phishing"
- Malicious payloads delivered through:
  - Attachments
  - IM links
  - Compromised websites
  - USB devices
  - Smart Phones

Page 8:

anyone know this girl?


Within 2 months, “Robin Sage” had amassed a large social network of high-ranking military and government officials.

Page 9:

malicious attachments…

- PDF
- MS Products
  - Word, Excel, etc…
- The usual suffixes…
  - mp3, exe, lnk, dll, mov, com, mp4, bat, cmd, reg, rar, emf, shs, js, vb, yourcompany.com.zip, cab, mda, zip, mdb, scr, aiff, mde, cpl, msi, vbs, aif, m4p, msp, fdf, mdt, sys, wmf, hlp, hta, pif, jse, qef, scf, chm, <#>.txt, wsf, fli, vbe

Page 10:

adobe is still leading the pack :)


[Pie chart: Targeted Attacks by file format: Adobe Acrobat 48.87%, MS Word 39.22%, MS Excel 7.39%, MS PowerPoint 4.52%]

Source: http://www.f-secure.com/weblog/archives/00001676.html

Page 11:

malware most utilized attack vector


[Pie chart: attack vectors by share. Malware 66.8%; the remaining slices (labelled Other, Phishing, Physical Loss, Denial of Service, Unauthorized Access Attempt, Inappropriate Use) carry the values 11.8%, 8.6%, 7.7%, 3.1%, 1.8% and 0.2%]

Page 12:

usb toolkits provide fast physical access


- autorun not required…
- U3 not required…
- registers as a HID device
- requires 30 seconds with a host
- can be left behind or retrieved
- victim host beacons to a C&C server and can be remotely controlled
- accounts, passwords, and any data the host is connected to can be retrieved through an Internet connection or stored for later retrieval

Page 13:

anyone want a free mouse?

Page 14:

android = rootkit in your pocket that knows your location, and has access to your email, data, bank accounts, and the Internet

Page 15:

we now have to worry about our phones

- Google pulled more than 50 apps in March from the Android Marketplace after security researchers found a Trojan that used applications to spread. The Trojan, called DroidDream, infected more than a quarter million Android phones. One sign of a DroidDream infection was resource consumption due to the way the malware exploits the phone.
- SOURCE: DroidDream used a fake bowling game to infect devices. Image courtesy of Lookout Mobile Security

Page 16:

electrical SCADA systems have changed too…

Page 17:

all we had to worry about before was physical access

Page 18:

now SCADA systems are digital and connected…

Page 19:

modern SCADA systems are running on the same OS as corporate desktops

Page 20:

they send data in the clear, without any requirement for encryption or authentication

Page 21:

the SCADA control rooms are morphing into IT data rooms

Page 22:

the trend for new control room installations is to keep the servers in data rooms and only leave the screens, keyboards, and mice in the control room

Page 23:

from a cyber perspective, SCADA systems look similar to business systems


- Cisco ASA firewalls or equivalent
- Cisco 3750 / 6509 switch fabric
- Servers and workstations running on Windows platforms (WinXP/2003/Vista/7/2008)
- Active Directory
- File/Print servers
- However… they often lack the protection that typical corporate IT systems have

Page 24:

SCADA and ICS Systems are Low Hanging Fruit for Security Researchers – why?


- SCADA and ICS hardware/software do not go through the same rigorous security lifecycle process as Information Technology systems
- On average, Microsoft will put their software through 100,000 various fuzzing loops and debugging processes to test for crashes and bugs… and yet plenty of vulnerabilities are still being discovered and reported for Microsoft software
- Control System vendors, if they actually test their systems for bugs at all, will typically only run their applications through basic regression tests, and this process is maybe 5% of what Microsoft does to test their code.
- The SCADA / ICS world typically lags the IT world by 5 to 10 years, so we are only recently seeing the larger Control System vendors building plans to test their products for security flaws.
- All of those thousands of legacy products out there were NEVER tested for simple cyber security flaws like buffer overflows.

Page 25:

100 SCADA bugs in 100 days - McCorkle & Rios

- Terry McCorkle (Boeing Red Team by day, security researcher by night)
- Billy Rios (Google Security Lead by day, security researcher by night)
- Teamed up as friends and ran the project independently of their employers' resources
- All data and SCADA/ICS software used in their research was found FREE on the web (over 3600 SCADA and ICS executable files found using search queries such as):

  +HMI +Download + filetype :(exe,zip,msi) +HMI +<Vendor Name> +Download

- Used simple fuzzers:
  - COMRaider (ActiveX)
  - FileFuzz (bit flipper)
  - Sulley and Peach (allow custom fuzzing)
  - Blasty.py (service fuzzer)

Page 26:

100 SCADA bugs in 100 days - McCorkle & Rios

- Downloaded over 380 HMI and Control Workbench software packages, but only tested 76 of them
- Found 665 bugs – all unique crashes
- Found 75 exploitable bugs out of the 665
- Reported all to ICS-CERT, who worked with the vendors on remediation next steps and sent out advisories to the community
- Most bugs and crashes were code problems straight out of the 90s – simple buffer overflows
- They would set up the automated fuzzing software at night, go to sleep, and find bugs and crashes in the morning… or start the fuzzers in the morning, and come home from work to find more waiting for them at night.

Page 27:

interesting ICS-CERT facts

- 753% increase in vulnerability disclosures to ICS-CERT over the past year.
- Most new vulnerability reports have been from researchers without an ICS background.
- Researchers are developing an interest in SCADA systems, especially since they are connecting the dots and seeing the links between the cyber and kinetic worlds.
- SCADA and ICS systems are the low hanging fruit. It is simple for researchers to find and exploit flaws in the code.
- Motivation?
  - Glory, Fame, $$ ??

Page 28:

the 0day market is booming

- Nation States
- Underground
- Commercial market
  - ZDI (HP)
  - iDefense
- Bug bounty programs
  - Luigi Auriemma sold GE vulns to ZDI after GE refused to pay for them
  - In March 2011, disclosed 34 SCADA-specific vulnerabilities all at once… then in September released another bundle of vulnerabilities and exploit code for 6 more SCADA vendors
- Brokers
  - Researchers and Buyers
  - ExploitHub

Page 29:

Exploit Frameworks that now contain SCADA-specific exploit modules

- Metasploit: 17 exploit modules
- Core Impact: 17 exploit modules
- Canvas: 53 exploit modules
  - Gleg Agora SCADA+ exploit pack for Immunity CANVAS
  - they are aggressively acquiring SCADA vulns and creating exploits
  - 2 ICS vendors have purchased the CANVAS modules
  - Canvas is $8,930
  - Gleg pack is $5,000 and the Canvas package is $3,930.

Page 30:

Night Dragon APT attacks on US Energy and Chemical companies moved from the Internet, through Corporate IT systems, and into the SCADA systems

Page 31:

so how does bad stuff get in?

- the perfect ESP (Electronic Security Perimeter) :)

Page 32:

ideally, we would like to keep all of the Critical Cyber Assets (CCAs) on the inside working while blocking all of the bad stuff

Page 33:

…we have to share information, so we create islands of operations and then DMZs between security zones


[Diagram: Internet -> Corporate IT -> SCADA DMZ -> SCADA LAN -> RTUs, PLCs, Meters]

Page 34:

unfortunately, we come under pressure to open holes for communications between what used to be trusted security zones


[Diagram: Internet -> Corporate IT -> SCADA DMZ -> SCADA LAN -> RTUs, PLCs, Meters, with holes opened between the zones]

Page 35:

scenario 1 - direct compromise of vulnerable services

- From open source intelligence gathering, Google searches, or social engineering, an attacker determines the asset is running an Emerson DeltaV DCS system
- The attacker has no accounts on the system, no passwords, and is an unauthorized entity that has gained access to the network
- What is possible?

Page 36:

Page 37:

scenario 2 – attacker pivots off of the historian, which is accessible from the corporate IT LAN

- What is possible?

Page 38:

Page 39:

Scenario 3 – now with routed access into SCADA LAN, what can we do with the controllers?


- enumeration of functions
- denial of service
- denial of access
- denial of control
- manipulation of view

Page 40:


function enumeration

Page 41:

denial of service

Page 42:

denial of access

- Controller has a Login/Write Access password option
  - 16 character limit
  - Vendor-specific Modbus/TCP function code
  - Password stored in the Flash of the controller
  - "This procedure cannot be undone if you forget the password. The PLC must be sent for repair"

Page 43:

denial of access

- Quick script to sweep the network, find controllers supporting this function code, and configure a password.

Page 44:

denial of access

- Locked Out. We just turned the PCN into some blinking bricks.
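The denial-of-access sequence on pages 42 to 44 rides on a vendor-specific Modbus/TCP function code that nothing on the wire authenticates, and on one host walking the network to find every controller that honours it. The monitor below is an added example, not code from the talk or from any vendor: it decodes Modbus/TCP request frames from a constructed capture, classifies each function code against the public, user-defined and reserved ranges of the Modbus application protocol, and alerts when a single source sends user-defined (vendor-specific) codes to several controllers, which is the sweep pattern described above. The IP addresses, function code 100 and the sweep threshold are assumptions chosen for the sample.

```python
"""Flag vendor-specific Modbus/TCP function codes and one-source sweeps (added example)."""
import struct
from collections import defaultdict

# Public function codes listed in the Modbus Application Protocol specification.
PUBLIC_FC = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
WRITE_FC = {5, 6, 15, 16, 22, 23}          # public codes that change controller state
# Ranges the specification reserves for user-defined (vendor-specific) functions.
USER_DEFINED_FC = set(range(65, 73)) | set(range(100, 111))
SWEEP_THRESHOLD = 3                        # distinct controllers hit by one source (assumed)

def build_frame(tid, unit, fc, data=b""):
    """Build a Modbus/TCP request: MBAP header (tid, proto 0, length, unit id) + PDU."""
    return struct.pack(">HHHBB", tid, 0, len(data) + 2, unit, fc) + data

def parse_mbap(frame):
    """Decode a request, or return None when the MBAP header is inconsistent."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    # Protocol id is always 0 and length must cover unit id + function code + data.
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": fc, "data": frame[8:]}

def classify_fc(fc):
    """Map a function code onto the spec's public / user-defined / reserved ranges."""
    if fc in PUBLIC_FC:
        return "public-write" if fc in WRITE_FC else "public-read"
    if fc in USER_DEFINED_FC:
        return "vendor-specific"
    return "reserved"

def analyze(packets):
    """packets: iterable of (src_ip, dst_ip, frame). Returns a list of alert tuples."""
    alerts = []
    vendor_targets = defaultdict(set)      # src -> controllers that received vendor codes
    for src, dst, frame in packets:
        req = parse_mbap(frame)
        if req is None:
            alerts.append((src, dst, "malformed MBAP header"))
            continue
        kind = classify_fc(req["fc"])
        if kind in ("vendor-specific", "reserved"):
            alerts.append((src, dst, f"{kind} function code {req['fc']} to unit {req['unit']}"))
        if kind == "vendor-specific":
            vendor_targets[src].add(dst)
    for src, dsts in vendor_targets.items():
        if len(dsts) >= SWEEP_THRESHOLD:
            alerts.append((src, "*", f"sweep: vendor-specific requests to {len(dsts)} controllers"))
    return alerts

# Constructed capture (not real traffic): two routine requests from an HMI, then one host
# sending function code 100 (picked from the user-defined range) to three controllers,
# plus a frame whose length field does not match its size.
SAMPLE_PACKETS = [
    ("10.0.1.5", "10.0.2.10", build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),         # read 10 holding regs
    ("10.0.1.5", "10.0.2.10", build_frame(2, 1, 16, b"\x00\x00\x00\x01\x02\x00\x05")),  # write 1 reg
    ("10.0.1.99", "10.0.2.10", build_frame(7, 1, 100, b"\x01")),
    ("10.0.1.99", "10.0.2.11", build_frame(8, 1, 100, b"\x01")),
    ("10.0.1.99", "10.0.2.12", build_frame(9, 1, 100, b"\x01")),
    ("10.0.1.99", "10.0.2.13", b"\x00\x0a\x00\x00\x00\x09\x01\x03"),               # bad length
]

def run_sample():
    return analyze(SAMPLE_PACKETS)
```

On the sample, run_sample() yields three vendor-specific alerts, one malformed-frame alert and one sweep alert; in practice the user-defined ranges and threshold should be tuned to the codes a site's own controllers legitimately use.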

Page 45:

denial of control

- Several vectors
  - At the Operator stations
  - On the wire (Ethernet)
  - At the source (Controller/IED)

Page 46:

Page 47:

manipulation of view

Page 48:

Page 49:

Page 50:

Page 51:

the sky is not falling (yet)


- Security can seem overwhelming…
- Break it down into functional layers
- Most security frameworks (e.g. NERC CIP, ISA S99, ISO 27001, DHS CFATS, etc.) break the required controls into:
  - Technical Controls
  - Procedural Controls

Page 52:

Page 53:

technologies that are holding back the tide…

1. Physical Security & Remote Access
   - Full session logging solutions for VPN connections
2. Network Perimeter
   - UTM devices (Fortinet, Juniper, Cisco ASA)
   - Application-aware firewalls (Palo Alto Networks, Barracuda appliances, etc.)
   - Industrial firewalls (Emerson, Honeywell, Tofino, mGuard, Endian)
   - Network monitoring tools (SolarWinds, LogicMonitor, Nagios, ...)
   - Vulnerability scanning appliances (Nessus, Rapid7 Nexpose, Nmap, etc.)
   - IDS/IPS solutions (Snort, Sourcefire, etc.)
   - Centralized SEM solutions (NitroSecurity, Industrial Defender, LogLogic, etc.)
3. SCADA DMZ
   - OPC tunnelers (Matrikon, Kepware)
   - PI-to-PI trusts (OSIsoft)

Page 54:

technologies that are holding back the tide…

4. Control Room Servers and Workstations
   - Application whitelisting (CoreTrace, Bit9, McAfee AV)
   - USB port locking (BitLocker, USB Lock, ...)
5. / 6. SCADA Protocols and Embedded Controllers
   - Protocol-aware firewalls (Tofino)
   - Device-level firewalls (Tofino, mGuard, Honeywell, Emerson)
   - Data diodes and unidirectional gateways (Waterfall)

Page 55:

lastly…step your game up :)

- The best defense spends most of their time understanding the offense
- Get training
- Get plugged into RSS feeds and threat watch lists
- Practice offensive techniques
  - Stand up an internal lab
  - Try things
- Weave penetration testing into your overall strategy

Page 56:


contact info / q & a

Jonathan Pollet, CAP, CISSP, PCIP

Founder, Principal Consultant

Red Tiger Security, USA

office: +1.877.387.7733

mobile: +1.281.748.6401

fax: +1.800.864.6249

[email protected]

www.redtigersecurity.com

Credits :: Ty Bodell for assistance with the demos

:: Thievery Corporation and Pendulum for the soundtracks