Date posted: 06-Apr-2017
Uploaded by: tripwire
© 2017 Belden Inc. | belden.com | @BeldenInc
Wednesday, March 22, 2017
The Subversive Six: Hidden Risk Points in ICS
Sean McBride, ICS Attack Synthesis Lead, FireEye-iSIGHT
David Meltzer, Chief Research Officer, Belden-Tripwire
Erik Schweigert, Software Manager, R&D, Tofino Security, Belden
Agenda
• Risks we can see
• The Subversive Six
• Mitigations
• Summary & Q&A
33% of ICS-Specific Vulnerabilities Have No Fix at Public Disclosure (Since 2010)
Vulnerabilities by ICS Level (or Zones) -Modified Purdue Model
Level 2 – Highest Vulnerabilities
• ICS-specific vulnerabilities affecting each level, February 2013 to April 2014
• Vulnerabilities may affect more than one zone
Larger Potential Physical Consequences
- San Bruno PG&E Explosion, 2010
The “Subversive Six”
• Outdated hardware
• Vulnerable Windows operating systems
• Weak password management
• Weak file integrity checks
• Unauthenticated protocols
• Undocumented third-party relationships
Outdated hardware
• The U.S. Nuclear Regulatory Commission (NRC) relates that in August 2006, PLCs and VFDs at Browns Ferry Nuclear Generating Station malfunctioned as a result of excessive network traffic.
• Digital Bond names the GE D20 substation gateway device as obsolete technology exhibiting serious vulnerabilities.
Vulnerabilities affecting Windows operating systems
• In 2015, numerous exploit kits
− targeted unsupported OS
− and supported OS where patches were available
• Windows 7 (supported through 2020)
− CVE-2011-5046
− CVE-2010-4701
− CVE-2010-3227
− these also affect Windows XP (no longer supported)
• Publicly available exploit code exists for at least eight vulnerabilities in Windows Server OS, widely used in production and plant environments.
− Windows Server 2008 (Service Pack 1 and 2 supported to January 2020)
− Windows Server 2003 (support ended in July 2015)
Weak password management
• Vendor default passwords easily available online
− One group of researchers actively maintains publicly available lists of hard-coded or default passwords for ICS devices
• Research findings (as of September 2016): dozens of vulnerabilities involving password weaknesses in ICS devices and software from numerous vendors.
Weak file integrity checks
• PLC worm - In March 2016 researchers demonstrated a PLC worm that spread from one Siemens PLC to another by modifying control logic. The researchers opine that other PLCs using unencrypted protocols are susceptible to similar attacks.
• Unauthorized firmware modifications - In 2013 a Master's degree candidate from the U.S. Air Force Institute of Technology demonstrated a firmware modification attack against a Rockwell Automation PLC.
• DHS warnings - In 2009 the U.S. Department of Homeland Security (DHS) warned that adversaries may attack industrial environments by pushing rogue firmware uploads to controllers in a plant.
Unauthenticated protocols
• Layer 0-1: HART, Foundation Fieldbus, Profibus, CAN
• Layer 1-2: Modbus, DNP3, EtherNet/IP
Undocumented third-party relationships
• In January 2013 Russian researchers identified at least 15 third-party products used by Siemens WinCC. These products exhibited a total of over 1,800 vulnerabilities, one of which was disclosed in 1997.
• Two other examples of third-party issues that affected ICS in recent years are Heartbleed and POODLE. Both weaknesses affected numerous ICS devices; however, many vendors did not release advisories until months after the weaknesses were publicized.
What is Deep Packet Inspection and How Can it Help?
• Deep Packet Inspection firewalls are designed to filter at both:
− the TCP/UDP and IP layers (just like a regular firewall)
− the Session, Presentation and Application layers
• First acts as a Layer 3/4 firewall
• Then performs DPI
• Can inspect commands, services, objects and addresses in SCADA and process control protocols
[Figure: frame layout - Ethernet (MAC address) | IP (source & destination address) | TCP (possible destination port) | Upper layers & data (SCADA protocol: commands, services, objects, addresses, etc.; data) | FCS]
Deep Packet Inspection Terms
Control Plane
• The ability to update the underlying firmware is usually vendor specific
• Usually not widely published. This could be ‘special’ function codes; think Modbus FC 90 (Schneider Unity / OFS programming software)
• You could think of it as doing a kernel update on a Linux system or doing a Windows update: it has widespread effects on the system.
• In many/most cases there is no authentication on the protocols that provide this functionality. DPI is needed to control it.
Data Plane
• Think user data traffic
• HMI presents data to the plant operator such as:
− temperature values
− pressure controls
− any monitored values that are usually functions of ladder logic
• The actual process data
• Typical protocols:
− Modbus/TCP
− EtherNet/IP (CIP)
− DNP3
Signature-Based Deep Packet Inspection?
• A signature-based system is only a reactive mechanism. Signatures are usually built from an already discovered vulnerability; a proactive method is needed.
• Signatures provide a shallow inspection and require signature database updates (Internet access on the plant floor is not acceptable)
• A signature is typically made for a specific vulnerability, so if one byte changes in the attack vector you have to build a new signature to mitigate it
• Effectively building a blacklist rather than a whitelist
• For open source / published protocols a signature-based methodology is insufficient; full protocol inspection is a must
− One use could be for a proprietary protocol where only basic byte checking is required
• There must be a more complete way!
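The three preceding slides (unauthenticated protocols, control plane versus data plane, and signature-based versus full protocol inspection) can be tied together in one small worked example. The Python below is an added illustration written for this page, not Tofino code or anything from the deck: it parses Modbus/TCP frames, applies a per-host allowlist that separates data-plane reads and writes from a control-plane function code (the deck's FC 90 example), and then shows how a one-byte change in a write request slips past a fixed byte signature while the parser-based check still classifies it correctly. The host addresses, unit IDs, register addresses and policy roles are constructed for the example, and the FC 90 payload bytes are placeholders, not a real Unity command.

```python
"""Modbus/TCP deep packet inspection (added example; not from the deck).

Modbus/TCP has no authentication: any host that can reach TCP/502 on a PLC
can read, write or, with vendor-specific function codes, reprogram it.  The
allowlist below enforces a data-plane/control-plane policy on parsed fields,
and the last two functions contrast a byte signature with the parser-based
check.  All hosts, units, addresses and FC 90 payload bytes are constructed.
"""
import struct

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id

READ_HOLDING_REGISTERS = 0x03
READ_INPUT_REGISTERS = 0x04
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
FC90_PROGRAMMING = 0x5A          # FC 90: vendor programming channel (control plane)

DATA_PLANE_READS = {READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS}
DATA_PLANE_WRITES = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}
CONTROL_PLANE = {FC90_PROGRAMMING}


def build_frame(tid, unit, fc, payload):
    """Assemble a Modbus/TCP request: MBAP header + PDU (function code + data)."""
    pdu = bytes([fc]) + payload
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame):
    """Decode MBAP and PDU fields; reject malformed frames instead of guessing."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("truncated frame")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:            # length field counts unit id + PDU
        raise ValueError("MBAP length mismatch")
    fc, data = frame[7], frame[8:]
    parsed = {"tid": tid, "unit": unit, "fc": fc, "address": None}
    if fc in DATA_PLANE_READS or fc == WRITE_SINGLE_REGISTER:
        if len(data) != 4:
            raise ValueError("FC 0x%02x needs 4 data bytes" % fc)
        parsed["address"] = struct.unpack(">H", data[:2])[0]
    elif fc == WRITE_MULTIPLE_REGISTERS:
        if len(data) < 5:
            raise ValueError("FC 0x10 header truncated")
        addr, count, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * count or len(data) != 5 + nbytes:
            raise ValueError("FC 0x10 byte count inconsistent")
        parsed["address"] = addr
    return parsed


# Constructed policy: which host may send which function codes to which units.
POLICY = {
    "10.0.1.10": {"role": "HMI", "fcs": DATA_PLANE_READS, "units": {1}, "addr_max": 0x00FF},
    "10.0.1.50": {"role": "ENG", "fcs": DATA_PLANE_READS | DATA_PLANE_WRITES | CONTROL_PLANE,
                  "units": {1}, "addr_max": 0xFFFF},
}


def inspect(src_ip, frame, policy=POLICY):
    """Layer 3/4 check (source host) first, then DPI on the parsed Modbus fields."""
    rule = policy.get(src_ip)
    if rule is None:
        return ("DENY", "source %s not in allowlist" % src_ip)
    try:
        p = parse_frame(frame)
    except ValueError as e:
        return ("DENY", "malformed: %s" % e)
    if p["unit"] not in rule["units"]:
        return ("DENY", "unit %d not permitted for %s" % (p["unit"], rule["role"]))
    if p["fc"] not in rule["fcs"]:
        plane = "control-plane" if p["fc"] in CONTROL_PLANE else "data-plane"
        return ("DENY", "%s FC 0x%02x not permitted for %s" % (plane, p["fc"], rule["role"]))
    if p["address"] is not None and p["address"] > rule["addr_max"]:
        return ("DENY", "address 0x%04x outside %s range" % (p["address"], rule["role"]))
    return ("ALLOW", "%s FC 0x%02x" % (rule["role"], p["fc"]))


# Signature vs. parser: a byte pattern for "write single register at 0x0010".
WRITE_SIGNATURE = bytes([WRITE_SINGLE_REGISTER, 0x00, 0x10])


def signature_hit(frame):
    """Blacklist-style check: fires only on the exact observed byte pattern."""
    return WRITE_SIGNATURE in frame


def parser_hit(frame):
    """Protocol-aware check: any write-class or programming function code."""
    return parse_frame(frame)["fc"] in (DATA_PLANE_WRITES | CONTROL_PLANE)


def sample_frames():
    """Constructed requests used by the demo below."""
    return {
        "hmi_read": build_frame(1, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0x0000, 10)),
        "hmi_write": build_frame(2, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 0x0010, 1)),
        "eng_prog": build_frame(3, 1, FC90_PROGRAMMING, b"\x00\x01"),   # placeholder payload
        "evaded": build_frame(4, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 0x0011, 1)),
    }


if __name__ == "__main__":
    f = sample_frames()
    print(inspect("10.0.1.10", f["hmi_read"]))    # ALLOW: data-plane read by HMI
    print(inspect("10.0.1.10", f["hmi_write"]))   # DENY: data-plane write by HMI
    print(inspect("10.0.1.10", f["eng_prog"]))    # DENY: control-plane FC 90 by HMI
    print(inspect("10.0.1.50", f["eng_prog"]))    # ALLOW: engineering workstation
    print(signature_hit(f["hmi_write"]), signature_hit(f["evaded"]))   # True False
    print(parser_hit(f["hmi_write"]), parser_hit(f["evaded"]))         # True True
```

Run it directly to see the decisions printed. Two details carry the slides' argument: a malformed frame (a bad MBAP length, or an FC 0x10 byte count that disagrees with its register count) is denied rather than guessed at, and the "evaded" write differs from the signatured one by a single address byte, which is enough to miss the signature but changes nothing for the parser.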
Signatures – Depth Matters
• Depth is more important than breadth
• Breadth with no depth has little to no value
• A signature that validates a single byte should not be touted as ‘supporting that protocol’; disregard marketing fluff
• Question claims like “We support 500 protocols”: how deep?
Tofino™ Xenon Industrial Security Appliance
The Tofino Xenon delivers advanced cyber security protection for industrial networks, securing critical assets at Layer 2, making it easier to deploy and transparent to the network
• No IP or network architecture changes needed
• Protects endpoint devices (PLCs, RTUs, IEDs, DCS, HMIs, Historians, Controller Consoles, etc.)
• Easy to deploy with Plug and Protect™ - no downtime
• Secure Zones and Conduits (IEC 62443)
• Deep Packet Inspection for industrial protocols to enforce security policy
− DNP3 and IEC 104
− Modbus/TCP
− OPC
− EtherNet/IP
− Others coming
• Auto-generates firewall rules, and controls access and egress from secure zones
Belden, FireEye, Tripwire Industrial Security Solutions
• Assessment and Recommendations
• Industrial Ethernet Infrastructure Design
• Security Configuration Monitoring
− Asset Discovery and configurations
• Security Event Logging
• Vulnerability Management
• Industrial Networking Appliances
− Firewalls, Routing, Switches, Serial Communications, Media Converters, Wireless Security, PoE
− Industrial Protocol Security
− Deep Packet Inspection
Summary: Reducing Risk, Increasing Efficiency, and Faster Response
• Get a plan and program for ICS security
− Call in consultants to assess and recommend
− Merge ICS security governance with enterprise security governance
• Inventory your control systems and automate the maintenance
− Software, hardware, firmware versions
− Controllers
− Function/impact
• Segment your network, and consider an “easy button” such as Tofino
− Passively listens, suggests firewall rules
− A “bump on the wire,” creating a secure zone and requiring no IP or subnet changes
− Review firewall placement and rules
− Review router configurations
Resources
• Incident Response - investigation help to figure out if there has been a compromise
• Compromise Assessment - help identifying whether there is current or past breach activity in the environment
• Inquiring about a health check assessment - basic information
• NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015
• Belden ICS Security website - product information, blog, news
• FireEye Threat Research Blog
• Belden Industrial Security Blog
• iSIGHT Resources
• SANS Institute - SANS 2016 State of ICS Security Report
• Belden Whitepaper - Cybersecurity in Electrical Substations
• Belden Whitepaper - Understanding Deep Packet Inspection and Industrial Protocols
• Tripwire State of Security Blog
• ICS-CERT Compilation of reference documents
• SCADA Hacker website - Resources link
• Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems
Thank You!