Protecting Your ICS/SCADA Networks

Chris Sistrunk, PESr. Consultant

Mandiant

@chrissistrunkElectrical EngineerMandiant, Entergy (11 years)SCADA ExpertLoves SecurityDNP3 User GroupButton Pusher but I like Blue

Chris Sistrunk, PE

How I Audit SCADA systems

http://securityreactions.tumblr.com/post/30866100673/how-i-audit-scada-systems

What happens when you use nmap (or a fuzzer) on an ICS?

Latin for “bulwark” @jadamcrain and I

started in April 2013 26 advisories / 32 tickets 24 DNP3, 1 Modbus,

1 Telegyr 8979 Aegis ICS Fuzzing

Framework - OSS

Project Robus

www.automatak.com/robuswww.automatak.com/aegis

DNP3 – standard SCADA protocol

Ref from IEEE Std 1815-2012

TCP 20000TCP 19999 (TLS)UDP 20000

Types of Vulnerabilities

ICS/SCADA lags IT by 10-15 years 735 SCADA-related vulns on OSVDB.org

since 2011. “Like kicking a puppy” Positive vs. Negative Testing: The front yard

is mowed, but the back yard is overgrown.

State of ICS/SCADA Security

Let’s take a step back and ask some questions: What’s the risk if this device is compromised?

◦ Probability * Impact = Risk◦ Check out my RTU risk score pres from S4x13

What is the ICS device talking to? Does it uses serial or IP protocols…or both? How do we defend unsecured protocols? Is the physical security sufficient? Will you be called at 2AM?

Now What?

The answers to the questions tell you that you have to do something to protect the device(s) What types of mitigations exist? Which ones will you use?

◦ Defense in depth – more than one!◦ Belt and suspenders!

When will they be deployed?◦ The sooner the better!

Anticipate…Mitigate!

Software/firmware patches/device upgrades Robust RTU/PLC and master configurations Robust IP network configurations ICS Protocol-aware network tools Proper physical security Employee awareness

Secure coding and SDL for Vendors

ICS Vulnerability Mitigation

Software Testing

NERC/CIP?CFATS?

????

ICS Vulnerability Mitigation

If there is a software or firmware patch or hardware upgrade that’s out there that fixes a known vulnerability (such as DNP3, modbus)…GO GET IT

Properly test it before you roll it out If you’re not used to patching your SCADA

system, please work with your vendors to do this to minimize downtime

Get The Bug Fix!

USE DNP3-SA! (application layer security)◦ Correct master only talks to the correct RTU◦ But it won’t protect against all “bugs”

Disable unused serial and network ports Use a possible workaround (ex: auto restart) Check the default settings

◦ DNP3 or other protocols may be factory configured

◦ If not used, disable them!◦ ICS devices are on SHODAN

Many appear to have the same configurations

Robust Device/Master Configuration

shodan.io – port:20000

What does SCADA stand for?◦ Supervisory Control and Data Acquisition

What is the standard TCP port for modbus?◦ 502

What are the 2 start bytes for DNP3?◦ 0x0564

What year was STUXNET discovered?◦ 2010

What ICS protocol did HAVEX malware use?◦ OPC

ICS Trivia

ICS Trivia

ics-radar.shodan.io

When possible, DISABLE functions that aren’t required in your production systems

DNP3 function code examples◦ Cold and/or Warm Restarts (FC 13 & 14)◦ Start/Stop Application (FC 17 & 18)◦ Save Configuration (FC 19) old

Activate Configuration (FC 31) new◦ Open, Close, Delete, Abort File (FC 25, 26, 27, 30)

If you can’t disable these, use IDS/IPS or DPI Firewalls to alert on unwanted SCADA traffic

Robust Device/Master Configuration

Segment your ICS/SCADA WAN◦ Routers, Firewalls, DMZs, & VLANs◦ This can help isolate the network when needed

Understand your network!◦ The bad guys sure will

Use encryption and authentication◦ Use DNP3-SA and TLS◦ Remote access VPNs, radios, etc◦ Look at IEC 62351 standard (dovetails with SA)

No ICS protocols on Corporate WAN

Robust IP Networks

Examples of SCADA tools and Enterprise networks that understand ICS Protocol analyzers such as Wireshark, ASE &

TMW RTU Test Sets IDS/IPS such as SNORT, Bro, CyberX

SilentDefense ICS, McAfee ADM, Bayshore Networks, and Checkpoint

Routers such as the Cisco CGR 2010 Field firewall w/ICS Deep Packet Inspection

◦ Secure Crossing and Tofino

ICS-Aware Network Tools

Newer enterprise security technologies can be used to help detect, respond, and contain threats on your SCADA network

Security Operations Center◦ Security Analyst(s) using a SIEM◦ Log aggregation◦ Anomaly and intrusion detection◦ Indicators of Compromise (IOCs)

Security Onion (Linux distro) www.securityonion.net

Network Security Monitoring

Remember this guy?

We in SCADA Security are in

Like in The Cuckoo’s Egg

1986

RTU

SCADAnet

Inside cover of The Cuckoo’s Egg

Is this happening in your ICS???

YourCompan

y

Internet

Pump

Plant1

DMZ

Corp

Cust 1

Cust 2

Hist

Plant2

HMI

http://www.liquidmatrix.org/blog/2014/07/01/is-there-a-cuckoo-in-your-control-system/

tl;dr ◦≥1 person who really cares!◦Security Onion (or other NSM)◦ICS Honeypot (Conpot, etc)

Full Packet Capture (even serial)

NSM for ICS

So, Chris, why haven’t we seen many ICS incidents?

You can’t see where you aren’t looking!

NSM for ICS

Put. NSM.

In.Your.

ICS/SCADA.

NOW

What is the proper amount of physical security? It depends…

If your Critical SCADA master has top physical security, but the serially-connected tiny distribution RTU does not, is that okay?

Use a lock that meets or exceeds: UL 437, ANSI 156.30 Grade A, or ASTM F883 Grade 6

Harden your external barriers The better the defenses, the more time it

buys you to respond

Proper Physical Security

Physical Security

3/8” Mesh

ASTM Grade 6

These may buy youextra time to respond

“Thieves hit our store last night. This is

how they circumvented the

door alarm…”

via http://redd.it/1pn1xi

Because people follow directions…you know what happens next

Train your folks on ICS/SCADA security◦ Security Conferences, several training classes available◦ http://

ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT

◦GICSP Certification Security awareness is important Have a questioning attitude Report suspicious computer or personal

activity/incidents◦ Who do you call?◦ Internal hotline, supervisor, SOC, etc◦ ICS-CERT (877-776-7585)

Employee Awareness

Ask your vendors for DNP3-SA if they don’t have it or are already working on it

Require in the bids for new SCADA systems or upgrades to be tested by a 3rd party, including the DNP3 protocol stack◦ Positive Tests: FAT/SAT◦ Negative Tests: Fuzzing (it’s not new folks!)

DNP3 Will Be Here A While

I’m still more worried about…

DNP3 isn’t a special case. Other ICS protocols will see the same fate.

Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP… You can defend your SCADA. Early testing both slave/server AND

master/client sides of the protocol are important!

Compliance != Security, but the culture is important.

Don’t count on the government to protect your critical systems…it’s your job.

Conclusions

Ideas? Questions?