Date posted: 15-Feb-2017
Category: Technology
Author: jim-gilsinn
PowerPoint Presentation
Mechanics of an ICS/SCADA Man-In-The-Middle Attack
Jim Gilsinn
- Senior Investigator, Kenexis Consulting
  - ICS Network & Security Assessments & Designs
- Developer, Dulcet Analytics, Reliability Monitoring Tool
- Previous Life: NIST Engineering Lab
- 20+ Years Engineering
  - ICS Cyber Security & Network Performance
  - Control Systems, Automated Vehicles, Wireless Sensors & Systems
- International Society of Automation (ISA)
  - ISA99 Committee, Co-Chair (ISA/IEC 62443 Standard Series)
  - ISA99-WG2, Co-Chair (ICS Security Program)
MITM Attacks Are Nothing New
- Man-in-the-middle attacks have been around for a long time
- They utilize loopholes in some of the basic network protocols
- Allows an attacker to impersonate another device
- There are TONS of videos and tutorials on the Internet on how to conduct a MITM attack
- This IS NOT a talk about how to run a MITM attack
What is this Talk About, Then?
- This IS a talk about what happens to the systems when you run a MITM attack
- ICS/SCADA rely on deterministic communications
- How does a MITM attack affect those deterministic communications?
- Can you detect a MITM attack using simple tools?
  - Or, do you really need a full IDS system to detect it?
Man-In-The-Middle Testing
- Kali Linux VM
  - Ettercap
  - ARP Poisoning
  - All default settings (script-kiddy style)
- Captured traffic off mirror port
  - Separate Kali Linux native machine with Wireshark
- PLC to I/O
  - EtherNet/IP
  - 10ms frequency
- MITM against PLC
A Little Bit About EtherNet/IP
- Originally developed by Rockwell Automation
- Now managed by ODVA, Inc.
- Generally used at lower levels in the ICS/SCADA architecture
  - Controllers (PLCs), HMI, I/O, motors, sensors, etc.
- Level 4-7+ layer protocol
  - Uses standard, unmodified TCP/UDP/IP stack
- Has both command/response and publish/subscribe type communications
- Command/response
  - TCP 44818
  - Unconnected messaging: no long-duration TCP connection; usually for initializing other connections
  - Connected messaging: long-duration TCP connection maintained; periodic data transfers
- Publish/subscribe
  - UDP 2222
  - Real-time messaging
  - Unicast from subscriber, multicast or unicast from publisher
  - Allows multiple subscribers
Description of MITM Attack: Hosts List
- PLC
- I/O Block
- Netgear GS108E
- MITM Machine
  - Kali Linux 2.0 VM
  - Ettercap 0.8.2 (default Kali version)
- Capture Machine
  - Kali Linux 2.0 Native
  - Wireshark 1.12.?
Description of MITM Attack: Targets
- Target 1 (main target of MITM attack): PLC
- Target 2 (other target of MITM attack): I/O Block
Description of MITM Attack: ARP Poison
- ARP Poison using the "Sniff remote connections" option
- Since the network was extremely small, other attacks didn't work
- ARP Poisoning seemed to get through relatively undetected by
  - VirusTotal
  - NetworkMiner
  - Bro
Description of MITM Attack: Filtering
- Filtered MITM attack to modify EtherNet/IP-specific packet fields
  - Advanced sequence number by 5
  - Modified data value by adding 4 (decimal)
Description of MITM Attack: Tests Conducted
- Multicast I/O Block Publisher
  - Baseline
  - Baseline w/ button pushes
  - MITM attack
  - MITM attack w/ button pushes
  - MITM attack w/ filter
  - MITM attack w/ filter & button pushes
- Unicast I/O Block Publisher
  - Baseline
  - Baseline w/ button pushes
  - MITM attack
  - MITM attack w/ button pushes
  - MITM attack w/ filter
  - MITM attack w/ filter & button pushes
Connection Details
- PLC
  - MAC Address = 60:52:d0:05:58:70
  - IP Address = 192.168.210.200
- I/O Block
  - MAC Address = 00:30:de:08:f8:7c
  - IP Address = 192.168.210.5
- PLC -> I/O Block
  - 10ms cyclic frequency
  - Unicast
- I/O Block -> PLC
  - 10ms cyclic frequency
  - Multicast connection uses 239.192.1.128
- VMware
  - MAC Address = 00:0c:29:87:b6:45
Baseline
- PLC -> I/O Block: ~10ms cyclic frequency, ~500 µs distribution
- I/O Block -> PLC: ~10ms cyclic frequency, ~400 µs distribution
MITM Attack: Multicast

MITM Multicast
- I/O Block -> PLC: ~10ms cyclic frequency, ~400 µs distribution (no difference)
- PLC -> MITM: ~10ms cyclic frequency, ~400 µs distribution (no difference)
MITM Multicast: IP-based analysis (192.168.210.200 -> 192.168.210.5)
- MITM instantly recognizable
- Distribution extremely wide
- Mean shifts down along the distribution
MITM Multicast: MAC-based analysis (I/O Block Dst)
- Using the MAC address of the I/O Block, isolate the traffic stream
- MITM recognizable
- Distribution recognizable
- Mean remains the same
MITM Attack: Unicast

MITM Unicast
- I/O Block -> PLC: ~10ms cyclic frequency, ~400 µs distribution (no difference)
- PLC -> MITM: ~10ms cyclic frequency, ~400 µs distribution (no difference)
MITM Unicast: IP-based analysis (192.168.210.5 -> 192.168.210.200)
- MITM instantly recognizable
- Distribution extremely wide
- Mean shifts down along the distribution
- Herringbone pattern probably due to clock skew
MITM Unicast: MAC-based analysis (PLC Dst)
- Using the MAC address of the PLC, isolate the traffic stream
- MITM recognizable
- Distribution recognizable
- Mean remains the same
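The IP-based versus MAC-based interval analysis from the multicast and unicast slides above, as an added example that is not from the talk or the Kenexis capture set. It runs over a constructed mirror-port capture of the PLC -> I/O Block stream; the MAC and IP addresses are the ones listed under Connection Details, while the 100 µs jitter and ~400 µs relay delay are assumed values.

```python
import random
import statistics

# Addresses from the Connection Details slide.
PLC_MAC, IO_MAC, MITM_MAC = "60:52:d0:05:58:70", "00:30:de:08:f8:7c", "00:0c:29:87:b6:45"
PLC_IP, IO_IP = "192.168.210.200", "192.168.210.5"
CYCLE = 0.010  # 10 ms cyclic connection

def synth_capture(mitm, n=200, seed=1):
    """Constructed mirror-port capture of the PLC -> I/O Block stream.
    Records are (time_s, src_mac, dst_mac, src_ip, dst_ip). The 100 us jitter and
    the ~400 us MITM relay delay are assumptions, not measured values from the talk."""
    rng, pkts, t = random.Random(seed), [], 0.0
    for _ in range(n):
        t += CYCLE + rng.gauss(0, 0.0001)
        if mitm:
            # ARP-poisoned PLC sends to the MITM's MAC; the MITM re-sends to the real I/O Block,
            # so the mirror port sees every packet twice with the same IP pair.
            pkts.append((t, PLC_MAC, MITM_MAC, PLC_IP, IO_IP))
            pkts.append((t + 0.0004 + rng.gauss(0, 0.0001), MITM_MAC, IO_MAC, PLC_IP, IO_IP))
        else:
            pkts.append((t, PLC_MAC, IO_MAC, PLC_IP, IO_IP))
    return sorted(pkts)

def intervals(pkts, src_ip=None, dst_ip=None, dst_mac=None):
    """Inter-arrival times (s) of the packets matching the given IP and/or MAC filter."""
    times = [p[0] for p in pkts
             if (src_ip is None or p[3] == src_ip)
             and (dst_ip is None or p[4] == dst_ip)
             and (dst_mac is None or p[2] == dst_mac)]
    return [b - a for a, b in zip(times, times[1:])]

def summarize(deltas):
    """Mean and spread of a stream's period, in milliseconds."""
    return {"mean_ms": statistics.mean(deltas) * 1e3,
            "stdev_ms": statistics.pstdev(deltas) * 1e3,
            "max_ms": max(deltas) * 1e3}

def looks_relayed(pkts, src_ip, dst_ip, expected=CYCLE):
    """The IP flow's mean period has collapsed well under the configured cycle,
    which is what two copies of every cyclic packet look like."""
    return statistics.mean(intervals(pkts, src_ip=src_ip, dst_ip=dst_ip)) < 0.75 * expected

if __name__ == "__main__":
    for label, cap in (("baseline", synth_capture(False)), ("mitm", synth_capture(True))):
        print(label, "IP filter :", summarize(intervals(cap, src_ip=PLC_IP, dst_ip=IO_IP)))
        print(label, "MAC filter:", summarize(intervals(cap, dst_mac=IO_MAC)))
        print(label, "relayed?  ", looks_relayed(cap, PLC_IP, IO_IP))
```

Filtering on the IP pair shows the mean period dropping to about half the cycle with a very wide spread, while filtering on the I/O Block's destination MAC isolates the relayed copy alone and the ~10ms period returns, matching the two slide observations.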
MITM Filter
- Additional testing was conducted to see if filters caused any performance differences
- The intent wasn't to do an awesome Stuxnet-type attack
- Adjusted the sequence number to spoof out the signals
- Modified the I/O data in the packets to change the light action related to button pushes
MITM Filter: Base Button Pushes

Buttons   PLC->I/O     I/O->PLC     PLC->I/O   I/O->PLC
          Unfiltered   Unfiltered   Filtered   Filtered
0 0 0 0   0x00         0x55         0x04       0x55
1 0 0 0   0x01         0x56         0x05       0x56
0 1 0 0   0x04         0x59         0x08       0x59
0 0 1 0   0x10         0x61         0x14       0x61
0 0 0 1   0x40         0x95         0x44       0x95
Captures
- I hope to post the capture files shortly
- Check my Twitter feed for more info
- I need to get approval first
EDIT:Capture files available at https://github.com/kenexis/PortableICS-MITM
Questions & Comments?
Jim Gilsinn
Senior Investigator, [email protected]
@JimGilsinn