Whitepaper

Project HoneyTrain

Publisher: Koramis GmbH Quartier Eurobahnhof Europaallee 5 66113 Saarbrücken With the friendly assistance of:

KORAMIS GmbH, 24.09.2015 Page 1 from 22

Contents

Introduction (page 2)
  What are Industrial Control Systems (page 3)
  Differences between ICS and conventional IT (page 4)
Project HoneyTrain (page 5)
  Structure & Layout (page 7)
    Information Portal (page 7)
    Media Server (page 8)
    HMI & CONPOT (page 8)
    S7-1200 & S7-1500 (page 9)
    Firewall & Analysis Tools (page 10)
  Project Schedule (page 11)
Results and Metrics (page 13)
  HMI as Target of Attacks (page 18)
  Media Server as Target (page 20)
Recommendation and Conclusion (page 21)
List of Figures (page 22)


Introduction

Industrial plants are being connected more and more via networks – and therefore become more prone to cyber-attacks. Hacker attacks on critical infrastructures have emerged as a continuous threat to industrial IT systems. Tailor-made Trojans and malware have been developed in order to sabotage production and supply facilities or to collect information about industrial control systems. Industrial nations are the main targets.

More and more attacks on such critical infrastructures are being detected, amongst them institutions of high importance to the community. Their breakdown or the prolonged disruption of public security can have dramatic consequences. Critical infrastructures include, in particular, energy supply, information technology and telecommunication, health care systems, transport and traffic.

In autumn 2010, the Stuxnet virus shocked the automation industry with regard to security, when Siemens industrial control systems in an Iranian plant for uranium enrichment were manipulated. The derivatives Duqu and Flame followed immediately. Since then, the media has been reporting almost daily about cyber-attacks.

For example, a report from the German Federal Office for Security in Information Technology (BSI) revealed at the beginning of 2015 a cyber-attack on a steelworks. The attackers were able to take control of the blast furnace and to damage the plant heavily. The intrusion led to a blackout of systems on the site. According to the report, the people in charge were no longer capable of gracefully shutting down the blast furnace.

To determine how attacks on such critical infrastructures are performed, what dangers they produce, and how widespread the knowledge of such systems in the hacking community already is, Sophos created, in cooperation with KORAMIS, a model of a real infrastructure in the transport and traffic sector. By offering this model as a honeypot, information about the quality, quantity and aggressiveness of such attacks was to be gained. Attacks on real transport systems were not the focus of the research; transport merely served as a sample for critical infrastructures in general, because model pieces for a train are much easier to obtain than, for example, those for a power plant.

In particular, the following questions should be answered:

- What skill levels do the potential attackers have?
- Cause and effect of cyber-attacks (e.g. are attacks carried out even if damage to property and/or injuries to personnel are caused consciously?).
- What methods were used?
- Can conclusions on the attackers' motives be drawn?
- Where do the attacks come from (matching of geolocation with local time)?


What are Industrial Control Systems

Industrial control systems (ICS) are used for automated control of complex physical processes. These systems are widely spread and used for controlling industrial processes in production and distribution of energy, manufacturing, building services engineering, or traffic control systems. But also daily life processes are controlled and monitored by ICS.

The following example should illustrate the intended use and the unitary structure of such ICS:

In a heating control system, the temperature is set via a controller. The controller reads the desired value and initiates the process to heat the water in the boiler. A thermometer forwards the current temperature to the controller. If the desired temperature is reached, the controller interrupts the water heating process.

Fig. 1: Schematic structure of a heating control versus an industrial control system.

An industrial control system works in the same way. An ICS usually has automation and visualization functions, which can run the process chain automatically and display the operations graphically in order to make them traceable. Using this visualization, the operator can trigger actions that are passed through a controller to the actuators. Finally, sensors give feedback to the controller about the state of the process. In addition, this information is represented visually by the controller.


Differences between ICS and conventional IT

Even if today's industrial control systems use the same hardware as conventional information technology (IT), the requirements are quite different.

Category          | Conventional IT         | Industrial Control Systems
Virus protection  | Widely spread           | Complicated, often impossible
Life cycle        | 3-5 years               | 5-20 years
Outsourcing       | Widely spread           | Uncommon
Patch management  | Regularly, daily        | Seldom, needs approval by manufacturer
Modifications     | Frequent                | Seldom
Time dependency   | Delays accepted         | Critical
Availability      | 8x5/260 - 24x7/365      | 24x7/365
Awareness         | Good                    | Bad
Security test     | Secured, by personnel   | Seldom, problematic

In contrast to conventional IT, where confidentiality of data ranks first, the focus within ICS is mostly the availability and smooth operation of the plant. However, the integrity of the data is becoming more and more important even in ICS environments, especially regarding Industry 4.0 or the Internet of Things.


Project HoneyTrain

To obtain an overview of the methods used by hackers during attacks on industrial control systems, Sophos, in cooperation with KORAMIS, set up the infrastructure of a transport operation as a honeypot: the HoneyTrain project.

Fig. 2: HoneyTrain – a reproduction of a railway infrastructure including crossings.

Unlike traditional honeypots, the HoneyTrain project reproduced not only computer systems and communication protocols, but a possible infrastructure with real hardware. In addition, software components of automation and control systems (e.g. existing railway systems) and (via a media server) CCTV videos of real stations and train operator cabins were simulated. Finally, a customized website with general information, timetables, ticketing and information about disturbances to the operating procedures was integrated.

Furthermore, control possibilities as well as feedback and status messages via integrated bus systems (e.g. Profibus, CANbus, Modbus, Profinet and I/O interfaces) were implemented just like in a real transport system. The execution of control commands and the visualization of all important operating states were produced in a realistic reproduction of a control room, which allows operation of trains at a scale of 1:87 (H0).

Fig. 3: A SIEMENS S7 controls the trains.


During configuration of the systems, KORAMIS observed the manufacturers' recommended procedures and techniques, in order to provide an infrastructure as close as possible to real traffic operations.

Fig. 4: View of the miniature control room and programming device.

This real industrial system design makes it possible to learn from attackers by observing, recording and analyzing various attacks.


Structure & Layout

In order to give the attacker the impression of a real infrastructure, several systems were constructed physically according to the standard layout of the system manufacturer.

Fig. 5: Layout of HoneyTrain.

Information Portal

The Information Portal reproduced the web site of a transportation company, based on CentOS 7 with OpenSSH v6.6.1 and Apache Webserver 2.4.6.

Fig. 6: Journey Planner of HoneyTrain.


Media Server

The Media Server received the streams from the surveillance cameras and made them available via a web interface. The base system consisted of an Ubuntu-based Linux Mint 16 (Petra) with Apache Webserver v2.4.10 and OpenSSH v6.1.2.

Fig. 7: Stream from surveillance camera no. 1.

HMI & CONPOT

The human-machine interface (HMI) implemented the visualization which allowed, for example, individual control of trains.

Fig. 8: Speed level regulation of train no. 1.


The CONPOT is an industrial honeypot system reproducing various industrial control systems (e.g. Siemens S7-300), protocols (e.g. Modbus, Profinet) and other HMIs (human-machine interfaces). For our HoneyTrain project, the CONPOT implemented, among other things, a visualization of stops and stations via a web interface.

Fig. 9: Visualization showing stops and stations of HoneyTrain.

CONPOT and the HMI shared one common hardware platform.

S7-1200 & S7-1500

The programmable logic controllers (PLC, German: SPS) Siemens Simatic S7-1200 and S7-1500 were the components for signal and train control. For administration purposes, both controllers offered a web interface.

Fig. 10: Web administration of S7-1500 train control.


Firewall & Analysis Tools

The firewall acts as a gateway to the internet. Furthermore, in a secure DMZ, multiple analysis tools for logging and reporting were implemented, including a network sniffer and an intrusion detection system. The analysis tools are specially designed for the requirements of industrial systems.

Using the logging function of the firewall, all network traffic was sent via Syslog to the reporting console. Based on up-to-date provider databases and a geolocator, we were able to assign countries to the IP addresses used for the attacks.

The network sniffer tool analyzed the transmitted data stream. The content of the data stream was compared with characteristic patterns of known attacks. Furthermore, the tool could detect whether the transmission protocol was valid or falsified.

All system events and incidents could be collected, analyzed and evaluated with the host intrusion detection tool. On a central SIEM console, all events of the host systems were processed chronologically and made available for analysis. All systems were provided with analysis agents recording operating system event logs, file and registry access, and user logins.


Project Schedule

After completing engineering and construction of the industrial infrastructure to control model trains, a public IP address was assigned to each industrial system. This should reflect the fact that many real industrial systems can be accessed via ISDN or DSL connections. The integration of video streams from stations and driver's cabs completed the holistic image of a realistic control station.

All systems were put into operation according to manufacturer instructions. If such instructions were not available, the default passwords were kept, and all services not disabled by the manufacturer were still accessible.

Subsequently, a website was created providing information about stops and stations, ticket sales, destinations and similar information typical for the modeled infrastructure.

In order to make the infrastructure as widely available as possible, a quick listing of the individual components within the "Internet of Things" search engine SHODAN (www.shodan.io) was initiated.

This search engine presented all control components of the HoneyTrain with their accessible services. Not only the open ports, but also the version numbers of the relevant services were shown.

Fig. 11: HoneyTrain components as shown by Shodan.


Fig. 12: Individual view of a S7-300 on Shodan.

Throughout the duration of the project, the network traffic as well as system events were recorded and archived using the analysis tool.


Results and Metrics

The infrastructure of the HoneyTrain project was operated for a period of 6 weeks. Subsequently, both successful attacks and attempts were analyzed.

A total of 2,745,267 attacks could be detected.

For additional analysis, all IP addresses were converted into the corresponding country names using a geolocator. Explicit IP addresses are not mentioned within this report.

For almost all countries, at least one attempted attack on one of the accessible components was detected during the project duration.

The following image shows the top 10 countries in order of attempted attacks. Countries shown here represent only the last resolvable IP address of the attack; these countries could possibly differ from the actual location of the attacker.

Fig. 13: World map showing the top 10 countries from where attempted attacks were detected.


Fig. 14: Countries by percentage of attacks.

The following image shows – separated by components of the HoneyTrain – the percentage of attacks:

Fig. 15: Components by percentage of attacks.

The majority of attempted attacks occurred at the Media Server and firewall components. One possible reason could have been the open standard services of these systems and the availability of out-of-the-box attacks offered by hacking tools.

In contrast, the industrial components (e.g. S7-1200 or HMI) provided industry-specific services. Although their vulnerabilities and attack routes are known, they are not always implemented in hacking tools.

The attempted attacks were carried out via various network ports:


Fig. 16: Top 15 affected network ports.

The main network ports used within the simulated industrial infrastructure are shown in the following image with their corresponding ranking by attempted attacks:

Fig. 17: Network ports of the modeled industrial infrastructure.

Further analysis of attempted attacks revealed that the majority were carried out as automated dictionary attacks.
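The firewall-to-Syslog reporting with geolocation described under Firewall & Analysis Tools, and the country, component and port rankings in this section, can be reproduced offline from firewall log lines. The following Python script is an added example and not part of the KORAMIS/Sophos whitepaper or the project's tooling; the log line layout, the honeypot address-to-component table and the prefix-based geolocation table are constructed assumptions (a real deployment would query a GeoIP database and the provider data the report mentions).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of firewall log lines in a syslog-like layout (not real
# HoneyTrain data); the field layout is an assumption for this example.
SAMPLE_LOG = """\
Jul 02 10:15:01 fw kernel: ACCEPT SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP DPT=22
Jul 02 10:15:02 fw kernel: ACCEPT SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP DPT=22
Jul 02 10:15:03 fw kernel: DROP SRC=198.18.0.9 DST=198.51.100.30 PROTO=TCP DPT=102
Jul 02 10:16:10 fw kernel: ACCEPT SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP DPT=80
Jul 02 10:16:11 fw kernel: ACCEPT SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP DPT=443
Jul 02 10:17:00 fw kernel: ACCEPT SRC=203.0.113.5 DST=198.51.100.40 PROTO=TCP DPT=3389
Jul 02 10:17:05 fw kernel: DROP SRC=198.18.0.9 DST=198.51.100.30 PROTO=TCP DPT=502
Jul 02 10:18:00 fw kernel: ACCEPT SRC=192.0.2.77 DST=198.51.100.20 PROTO=TCP DPT=22
this line is not a firewall record and is skipped by the parser
"""

# Constructed mapping of honeypot component addresses to component names.
COMPONENTS = {
    "198.51.100.10": "Information Portal",
    "198.51.100.20": "Media Server",
    "198.51.100.30": "S7-1200",
    "198.51.100.40": "HMI",
}

# Constructed stand-in for a geolocation database: address prefix -> country.
GEO_PREFIXES = {
    "203.0.113.": "Country A",
    "198.18.0.": "Country B",
    "192.0.2.": "Country C",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<action>ACCEPT|DROP) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Parse syslog-style firewall lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dpt"] = int(ev["dpt"])
            events.append(ev)
    return events


def geolocate(ip):
    """Longest-prefix lookup in the constructed table; unknown addresses -> 'Unknown'."""
    for prefix, country in sorted(GEO_PREFIXES.items(), key=lambda kv: -len(kv[0])):
        if ip.startswith(prefix):
            return country
    return "Unknown"


def attempts_by_country(events):
    """Ranking of attempts by the country of the last resolvable source address."""
    return Counter(geolocate(ev["src"]) for ev in events)


def share_by_component(events):
    """Percentage of attempts per honeypot component (0-100, one decimal)."""
    counts = Counter(COMPONENTS.get(ev["dst"], "Other") for ev in events)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


def top_ports(events, n=15):
    """Most frequently targeted destination ports, like the Top-15 ranking."""
    return Counter(ev["dpt"] for ev in events).most_common(n)


def sources_per_component(events):
    """Distinct source addresses seen per component, for later correlation."""
    out = defaultdict(set)
    for ev in events:
        out[COMPONENTS.get(ev["dst"], "Other")].add(ev["src"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("attempts by country:", attempts_by_country(evs).most_common())
    print("share by component:", share_by_component(evs))
    print("top ports:", top_ports(evs))
    print("sources per component:", sources_per_component(evs))
```

Counting by destination address rather than by hostname is deliberate: the firewall records what the attacker actually addressed, so the ranking is not distorted by later DNS changes.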


Fig. 18: Attack methods by percentage of total attempted attacks.

Fig. 19: Windows event - maximum login attempts during a session.

In a dictionary attack, the attacker tries to identify an unknown user name or an unknown password using a dictionary list. Often whole dictionaries as well as known or commonly successful combinations are used to create such a list.


The following image shows an excerpt of the user names used for attempts to access the HMI:

Fig. 20: Excerpt of the user names used for login attempts.


HMI as Target of Attacks

During the project, four valid logins to the HMI were detected. Two of them were performed by dictionary attacks, as we found out based on the comparison with the attempted attacks.

The other two valid logins were (according to the IP address of the attacker) not based on dictionary attacks. It is assumed that one or both attackers repeatedly accessed the HMI at a later time.

By geolocation of the last resolvable IP address, the first and second dictionary attacks could be identified as carried out from Japan and China, respectively.

Regarding direct accesses, a Polish IP address was recorded.

The detailed analysis of the IP addresses revealed that they were already known as dictionary attacker IPs listed on the analysis website of the Honeypot project (http://www.projecthoneypot.org).

In one of the following attacks, the recorded activities revealed that the command line (CMD) was started, two PINGs were executed, and the Explorer was opened.

Fig. 21: Excerpt of the analysis of login attempts (including valid logins).


Analyzing the successful attack, we found out that the security configuration of industrial components was read out via a central tool, and the settings were exported. As a result, the visualization could be accessed to activate the front lights of one train.

At the same time as the attack, it was observed that the same accessing IP address tried to control the S7-1200 (signal control) using another dictionary attack. However, this attack was not successful.

This sequence of attacks shows that the attacker had a deep knowledge of the industrial control systems used for our HoneyTrain project. These actions were not performed randomly, but deliberately.

Fig. 22: Access to HMI.

Fig. 23: Access to HMI and execution of a command.
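The dictionary attacks described in the previous section and the post-login activity on the HMI (CMD started, two PINGs, Explorer opened) can be picked out of host agent events by correlating failed logons, the following successful logon from the same source, and the processes started in that session. The following Python code is an added example and not the analysis tooling used in the project; the event tuples, their field layout and the five-failures-in-five-minutes threshold are constructed assumptions, loosely modelled on logon and process-start records such as those a host intrusion detection agent forwards to a SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host-agent events (not real HoneyTrain data). Each tuple is
# (timestamp, event kind, source IP, user, detail). The event vocabulary is an
# assumption for this example.
SAMPLE_EVENTS = [
    ("2015-07-02 10:15:00", "LOGON_FAIL", "203.0.113.5", "admin", ""),
    ("2015-07-02 10:15:01", "LOGON_FAIL", "203.0.113.5", "administrator", ""),
    ("2015-07-02 10:15:02", "LOGON_FAIL", "203.0.113.5", "root", ""),
    ("2015-07-02 10:15:03", "LOGON_FAIL", "203.0.113.5", "operator", ""),
    ("2015-07-02 10:15:04", "LOGON_FAIL", "203.0.113.5", "siemens", ""),
    ("2015-07-02 10:15:05", "LOGON_FAIL", "203.0.113.5", "plc", ""),
    ("2015-07-02 10:15:06", "LOGON_OK",   "203.0.113.5", "operator", ""),
    ("2015-07-02 10:15:20", "PROCESS",    "203.0.113.5", "operator", "cmd.exe"),
    ("2015-07-02 10:15:25", "PROCESS",    "203.0.113.5", "operator", "ping.exe"),
    ("2015-07-02 10:15:30", "PROCESS",    "203.0.113.5", "operator", "ping.exe"),
    ("2015-07-02 10:15:40", "PROCESS",    "203.0.113.5", "operator", "explorer.exe"),
    # A single typo followed by a normal logon from another source: not an attack.
    ("2015-07-02 11:00:00", "LOGON_FAIL", "192.0.2.77", "operator", ""),
    ("2015-07-02 11:00:30", "LOGON_OK",   "192.0.2.77", "operator", ""),
]

FAIL_THRESHOLD = 5              # failed logons from one source inside WINDOW
WINDOW = timedelta(minutes=5)   # sliding window; an assumed tuning value


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_dictionary_attacks(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: (max failures inside one window, distinct user names)}
    for every source that reached `threshold` failed logons within `window`."""
    fails = defaultdict(list)
    for ts, kind, src, user, _ in events:
        if kind == "LOGON_FAIL":
            fails[src].append((_ts(ts), user))
    flagged = {}
    for src, items in fails.items():
        items.sort()
        start, best = 0, 0
        for end in range(len(items)):
            # shrink the window from the left until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = (best, len({user for _, user in items}))
    return flagged


def successful_logons_after_attack(events, window=WINDOW):
    """Successful logons from a flagged source within `window` of its last failure:
    the pattern of a dictionary attack that finally hit valid credentials."""
    attackers = detect_dictionary_attacks(events, window=window)
    last_fail, hits = {}, []
    for ts, kind, src, user, _ in events:
        t = _ts(ts)
        if kind == "LOGON_FAIL":
            last_fail[src] = t
        elif (kind == "LOGON_OK" and src in attackers
              and src in last_fail and t - last_fail[src] <= window):
            hits.append((src, user, ts))
    return hits


def post_logon_processes(events, src, user, window=WINDOW):
    """Process starts attributed to (src, user) within `window` after their
    successful logon, i.e. what the intruder did once inside."""
    logon_at, procs = None, []
    for ts, kind, s, u, detail in events:
        if s != src or u != user:
            continue
        t = _ts(ts)
        if kind == "LOGON_OK":
            logon_at = t
        elif kind == "PROCESS" and logon_at is not None and t - logon_at <= window:
            procs.append(detail)
    return procs


if __name__ == "__main__":
    for src, (count, users) in detect_dictionary_attacks(SAMPLE_EVENTS).items():
        print(f"dictionary attack from {src}: {count} failures, {users} user names tried")
    for src, user, ts in successful_logons_after_attack(SAMPLE_EVENTS):
        print(f"valid logon from {src} as {user} at {ts}; processes started:",
              post_logon_processes(SAMPLE_EVENTS, src, user))
```

The threshold deliberately counts failures per source address, not per user name, because a dictionary attack cycles through many user names and would stay under any per-user limit.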


Media Server as Target

As another target, the media server was identified. Again, using a dictionary attack, the valid login credentials were determined in order to access the system at a later time.

The aim of this attack was to conduct a website defacement, in which the original contents were redesigned.

Fig. 24: Original website contents (left), website defacement (right).

When evaluating the log files, we were able to reconstruct the following steps:

1. After determining user name and password, an SSH connection to the media server was established.
2. Thereafter, the original web page within the directory /var/www/html was deleted.
3. Then, from the home directory of the Ubuntu user, the attacker copied his own website contents into the directory /var/www/html. Because a second SSH connection was recorded and the file was copied from the home directory, a data transfer via Secure Copy (SCP) was probably used to copy the website into the home directory.
4. Finally, the attacker exploited the network settings and executed a PING.

Using geolocation, Singapore could be identified as the origin of the attacker's IP address.

Fig. 25: History of used commands.
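The steps reconstructed above (deletion of the original pages under /var/www/html, copying of new contents into it) are exactly what a file-integrity baseline of the web root catches, independent of whether the attacker's shell history survives. The following Python code is an added example and not part of the whitepaper or the HoneyTrain setup; it builds a SHA-256 manifest of a directory, replays a constructed deletion-and-replacement in a temporary directory, and reports the differences. Paths and file contents are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map every regular file under `root` (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Classify differences between two manifests: deleted, added and modified files."""
    deleted = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"deleted": deleted, "added": added, "modified": modified}


def simulate_defacement():
    """Constructed scenario: baseline a small web root, then replace its contents
    the way the report describes (original pages removed, new pages copied in)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    try:
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Journey Planner</h1>\n")
        with open(os.path.join(root, "css", "site.css"), "w") as f:
            f.write("body { color: black; }\n")
        baseline = build_manifest(root)   # taken at go-live, stored off-host

        # The change to detect: stylesheet deleted, index replaced, new page added.
        os.remove(os.path.join(root, "css", "site.css"))
        os.rmdir(os.path.join(root, "css"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>constructed defacement sample</h1>\n")
        with open(os.path.join(root, "hacked.html"), "w") as f:
            f.write("<p>constructed sample</p>\n")

        return compare_manifests(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(simulate_defacement())
```

The baseline must be stored somewhere the web server account cannot write (another host or a read-only medium); a manifest kept next to the pages would be deleted together with them.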


Recommendation and Conclusion

As a result of this long-term analysis, we conclude that even small measures are sufficient to prevent unauthorized access to industrial control systems, or to avoid their visibility within the internet.

As basic guidelines for the layout and configuration of such systems, the following topics should be taken into account:

- Evaluate the additional benefits of a direct connection to public networks before connecting your ICS.
- Wherever technically and economically reasonable, avoid external access.
- Ensure that all standard and preconfigured passwords are changed prior to commencing operation.
- Make sure that strong passwords are used (min. 8 characters, uppercase and lowercase letters, numbers and special characters).
- Wherever technically possible, use multi-factor authentication.
- Disable unnecessary services and users. Consider the use of secure protocols (e.g. SSH instead of Telnet).
- Monitor attempts to access your systems.
- Use encryption for cross-network communication.
- Segment your networks and build up secure system zones (e.g. according to IEC 62443).
- Regularly check publications concerning vulnerabilities (released by manufacturers, national or international committees like ICS-CERT).
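Several of the guidelines above (public exposure, default passwords, the stated password policy, insecure services such as Telnet, multi-factor authentication) can be checked mechanically against an asset inventory before commissioning. The following Python code is an added example and not a KORAMIS tool; the inventory records, their field names and the insecure-to-secure service mapping are constructed assumptions, and the password rule implements exactly the minimum stated in the list (8 characters, upper and lower case, digits, special characters).

```python
import re

# Constructed inventory of ICS components (not real HoneyTrain devices).
# Field names are an assumption for this example; in practice they would be
# exported from an asset database or a commissioning checklist.
INVENTORY = [
    {"name": "hmi-01", "public_ip": True, "password": "admin", "default_password": True,
     "services": ["http", "telnet", "vnc"], "mfa": False},
    {"name": "plc-s7-1200", "public_ip": True, "password": "Tr4in!Ctrl-2015",
     "default_password": False, "services": ["https", "s7comm"], "mfa": False},
    {"name": "media-01", "public_ip": False, "password": "Str0ng&Long#Pass",
     "default_password": False, "services": ["https", "ssh"], "mfa": True},
]

# Cleartext or legacy services and the secure replacement to prefer.
INSECURE_SERVICES = {"telnet": "ssh", "http": "https", "ftp": "sftp"}


def password_is_strong(pw):
    """Min. 8 characters with uppercase, lowercase, digit and special character."""
    checks = [
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return all(checks)


def audit_device(dev):
    """Return a list of findings for one device; an empty list means no issue found."""
    findings = []
    if dev["public_ip"]:
        findings.append("directly reachable from public networks; re-evaluate the need for external access")
    if dev["default_password"]:
        findings.append("default or preconfigured password still in use")
    if not password_is_strong(dev["password"]):
        findings.append("password below min. 8 chars with upper/lower/digit/special")
    for svc in dev["services"]:
        if svc in INSECURE_SERVICES:
            findings.append(f"insecure service '{svc}' enabled; prefer '{INSECURE_SERVICES[svc]}'")
    if not dev["mfa"]:
        findings.append("no multi-factor authentication configured")
    return findings


def audit_inventory(inventory):
    """Audit every device and return {device name: [findings]}."""
    return {dev["name"]: audit_device(dev) for dev in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "-", "OK" if not findings else "; ".join(findings))
```

The audit reads credentials only to test the policy; in a real inventory the password field would be replaced by the result of the check performed at commissioning, so that no cleartext passwords are stored in the asset list.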


List of Figures

Fig. 1: Schematic structure of a heating control versus an industrial control system. (page 3)
Fig. 2: HoneyTrain – a reproduction of a railway infrastructure including crossings. (page 5)
Fig. 3: A SIEMENS S7 controls the trains. (page 5)
Fig. 4: View of the miniature control room and programming device. (page 6)
Fig. 5: Layout of HoneyTrain. (page 7)
Fig. 6: Journey Planner of HoneyTrain. (page 7)
Fig. 7: Stream from surveillance camera no. 1. (page 8)
Fig. 8: Speed level regulation of train no. 1. (page 8)
Fig. 9: Visualization showing stops and stations of HoneyTrain. (page 9)
Fig. 10: Web administration of S7-1500 train control. (page 9)
Fig. 11: HoneyTrain components as shown by Shodan. (page 11)
Fig. 12: Individual view of a S7-300 on Shodan. (page 12)
Fig. 13: World map showing the top 10 countries from where attempted attacks were detected. (page 13)
Fig. 14: Countries by percentage of attacks. (page 14)
Fig. 15: Components by percentage of attacks. (page 14)
Fig. 16: Top 15 affected network ports. (page 15)
Fig. 17: Network ports of the modeled industrial infrastructure. (page 15)
Fig. 18: Attack methods by percentage of total attempted attacks. (page 16)
Fig. 19: Windows event - maximum login attempts during a session. (page 16)
Fig. 20: Excerpt of the user names used for login attempts. (page 17)
Fig. 21: Excerpt of the analysis of login attempts (including valid logins). (page 18)
Fig. 22: Access to HMI. (page 19)
Fig. 23: Access to HMI and execution of a command. (page 19)
Fig. 24: Original website contents (left), website defacement (right). (page 20)
Fig. 25: History of used commands. (page 20)

Koramis GmbH, Europaallee 5, D-66113 Saarbruecken
© Copyright 2015 by Koramis GmbH. All rights reserved. Any further use (re-editing or modification, reproduction, disclosure to third parties, etc.) requires the author's consent.
Commercial Register: Saarbruecken Local Court (Amtsgericht), HRB 33069
Managing directors: M.Sc. (Dipl.-Ing.) Hans-Peter Fichtner, Michael Krammel
In loving memory of Dirk Lang (1969-2015) we dedicate this White Paper to him.
