Título da Palestra: Como se iniciam os ataques à infraestrutura SCADA?

1. Como se iniciam os ataques à
infraestrutura SCADA?
Franzvitor Fiorim
Engenheiro de Vendas
Franzvitor_fiorim@trendmicro.com
CopCyroigphyrt ig©h 2t 0©1 240 T1r4e nTdre Mnidc rMo icInroco Irnpcoorraptoerda.t Aedll .r Aiglhl rtsig rhetse rrevseedr.v ed. 1

2. Cyberwar on your network
• 2 new threat each second 1
• 1 cyber-intrusion each 5 minutes 2
• 67 % of infrastructure can’t block a custom &
targeted attack 3
• 55 % of companies didn’t detected the breach 1
More frequent More targeted More money More sophiticated
Source : 1: Trend Micro, 2 : US-Cert 2012, 3 : Ponemom Institute 2012
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 2

3. Security by signature is not enough
3
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 3
Crypted
RAT
Basic malware
Phishing
Exploitation tools
Malicious website
Common
vulnerabilities
Discovery tools
SWG NG
FW
Document
exploit
Obfuscated 0-Day
Javascript
Polymorphic
payload
Watering
Hole Attack
Spear
Phishing
C&C
communications
IPS AV

4. Ataque: Social, Sofisticado, Silencioso
Atacam indivíduos
utilizando engenharia social
Funcionários
Atacantes
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 4
Extrai dados de interesse – pode
não ser detectado por meses!
$$$$
Move lateralmente na rede
procurando dados valiosos
Coletam inteligência sobre
organizações e indivíduos
Copyright 2014 Trend Micro Inc.
Estabelece link com o
Command & Control server

5. Advanced Persistent Threats
Nem sempre os componentes são maliciosos;
O foco é ser evasivo;
Controlado por um humano;
Múltiplos vetores de ataque;
Ataque contínuo, repetitivo;
Atacantes são pacientes;
Exploram brechas do sistema;
Exploram brechas de segurança;
Com recursos suficientes para ter êxito no ataque.
11/13/20 Copyright © 2014 Trend Confidential | Micro Incorporated. All Copyright rights reserved. 5
5

6. Riscos de Segurança a
Sistemas ICS (Industrial Control
System )
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 6

7. Casos de Incidentes de Segurança
Industrial Facility Water Treating Plant Railway Traffic Control System
Car Factory Steel Plant Chemical Plant
13 production line stopped/
$14M loss
Zotob virus
Carry-on PC or
Office network
Source: IPA, http://www.ipa.go.jp/security/fy20/reports/ics-sec/rep_main_fy20.pdf
IPA, http://www.ipa.go.jp/security/fy21/reports/scada/documents/scada_report.pdf
The Security Incidents Organization, http://www.securityincidents.org
JPCERT,http://www.jpcert.or.jp/ics/2011/20110210-oguma.pdf
Steam turbine control system
stopped
DOWNAD/Conficker virus
unknown
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 7
8 hours of monitoring incapability
PE_SALITY virus
unknown
Centrifugal separator crash
(according to multiple reports)
Stuxnet virus
USB flash or office network
Loss of control for 3 months
(1ML of polluted water emission)
Unauthorized access
Wireless link
Shutdown of train service in the
morning during rush hour
Blaster virus
unknown
Impact
Cause
Path
Impact
Cause
Path
*Pictures above is not related to the contents

8. Tendência crescente de Incidentes de
Segurança
The number of incidents across critical infrastructure sectors, ICS-CERT responded, is
increasing year after year. Most recently 257 incidents are reported. A big increase from
197 in 2012
39
140
Source:
ICS-CERT Year in Review 2012 and 2013 http://ics-cert.us-cert.gov/Other-Reports
300
250
200
150
100
50
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 8
197
257
0
FY2010 FY2011 FY2012 FY2013

9. Direção do ICS
:Toward Open and Collapse of the myth of safety
Past Item Present
Closed environment
Physically closed Environment
*1 *2
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 9
Toward open environment
Connection with external N/W,
using USB flash drive
Specialized OS/Application
Specialized protocol Technology
General OS / Application
Standard protocol
(EtherNet/IP, PROFINET, CC-Link IE, etc)
Seldom Incident case Increasing trend
(STUXNET)
OS External media usage
Source:
*1,2 : METI http://www.meti.go.jp/committee/kenkyukai/shoujo/cyber_security/001_06_01.pdf

10. Attack Case Against Honeypot
CCCCoooonnnnffffiiiirrrrmmmmeeeedddd 77774444 aaaattttttttaaaacccckkkkssss aaaaggggaaaaiiiinnnnsssstttt HHHHoooonnnneeeeyyyyppppooootttt
mmmmooooddddiiiiffffiiiiccccaaaattttiiiioooonnnn aaaatttttttteeeemmmmpppptttt wwwwaaaatttteeeerrrr tttteeeemmmmppppeeeerrrraaaattttuuuurrrreeee aaaannnndddd ppppuuuummmmpppp pppprrrreeeessssssssuuuurrrreeee,,,, ppppuuuummmmpppp
sssshhhhuuuuttttddddoooowwwwnnnn,,,, eeeettttcccc…………
OOOOVVVVEEEERRRRVVVVIIIIEEEEWWWW::::
Develop honeypot of water
supply system and deploy on
the internet to catch attacks
against ICS.
SSSSuuuurrrrvvvveeeeiiiillllllllaaaannnncccceeee PPPPeeeerrrriiiioooodddd::::
Mar. – Jun. 2013
HHHHoooonnnneeeeyyyyppppooootttt ddddeeeeppppllllooooyyyyeeeedddd ppppllllaaaacccceeee：：
8 Countries, 12 Places
HHHHoooonnnneeeeyyyyppppooootttt SSSSaaaammmmpppplllleeee WWWWeeeebbbb PPPPaaaaggggeeee::::
Source:
http://apac.trendmicro.com/cloud-content/apac/pdfs/security-intelligence/white-papers/
wp-the-scada-that-didnt-cry-wolf.pdf
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 10

11. Attack Case Against Honeypot
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 11

12. Background of Incidents
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 12

13. Increasing Trend of ICS Related Vulnerability
Information
Severity
Level III (Danger : System Hijack)
Level II （Alert : System Stop）
Level I （Notice：Partial Damage）
2008 2009 2010 2011 2012 2013
200
180
160
140
120
100
80
60
40
20
0
Level III 6 6 14 64 97 80
Level II 2 4 3 28 74 49
Level I 4 1 3 2
Source:
http://www.ipa.go.jp/files/000036346.pdf
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 13

14. Malware Infection through USB Flash Drive
Malware infection risk surely exists
even though it’s in closed environment
Top 3 Malware by Segment, 2013
Has capability of infection through USB flash drive
Source:
TrendLabsSM 2013 Annual Security Roundup, http://apac.trendmicro.com/cloud-content/apac/pdfs/security-intelligence/reports/rpt-cashing-in-on-digital-information.pdf
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 14

15. Connected Devices is Easily Detected
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 15
Modbus/TCP to RTU Bridge
Serial Number ********
MAC address ***********
Software version 01.8b3 (031021)
Press Enter to go into Setup Mode

16. Sandworm (CVE-2014-4114)
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 16

17. Special Characteristics and
Security Requirements of ICS
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 17

18. IIIICCCCSSSS vvvvssss IIIICCCCTTTT
Control System Security Requirement Information System
A.I.C(Availability) Priority for Security C.I.A
24x365 stable running
（No reboot permitted）
Availability
*C（Confidentiality：）, I（Integrity）, A（Availability） Source：IPA, Survey about ICS of Critical Infrastructure and IT Service Continuity , Sep, 2009
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 18
Basically during working
time (Reboot is acceptable)
Worst case, Damage generally
becomes serious
Result of incident
Pecuniary loss
Privacy damage
10 - 20 years Operating term 3-5 years
Real time response Data processing speed Less impact for
Delay response
Irregular by each control system
vendor, Quite long term
(once a 1~4years)
Cycle for release patch and
applying Often and Regularly
Field Technical dept. Operation management Information System dept.
Threats become reality and
occurs incident.
Conscious about security Already measured basically.
Discussing with Country level Security standard Already established
Stuff（Facility, Product）
Service（continuous running）
Object for security Information
Industrial control systems are systems with special characteristics that are
very different to Information Systems

19. IIIICCCCSSSS vvvvssss IIIICCCCTTTT
ICS
• Correct commands issued (Integrity)
• Limit interruptions (Availability)
• Protect the data (Confidentiality)
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 19
IT
• Protect the data (Confidentiality)
• Correct commands issued
(Integrity)
• Limit interruptions (Availability)

20. Countermeasure points in ICS
Plant
4 4
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 20
Plant DMZ
Relay/terminal
Server
EWS
HMI
② Network
③ Server (plant DMZ)
④ Client/Server
(Control information N/W)
⑤ Client/Server:
(Control N/W)
⑥ External storage media
Internet
PLC/DCS
ICS Vendors
System integrators
Office PC Office PC
Field bus
Historian
Maintenance OPC Server
Maintenance service
Control information network
Operation PC MES
Control network
5 5
5
5
6
6
3
1
2
2
2
7
Countermeasure points
① Gateway
1
1
⑦ PCs brought to work
Office network

21. FFFFuuuunnnnddddaaaammmmeeeennnnttttaaaallll IIIICCCCSSSS SSSSeeeeccccuuuurrrriiiittttyyyy RRRReeeeqqqquuuuiiiirrrreeeemmmmeeeennnnttttssss ((((eeee....gggg....))))
①②
Gateway/
Network
Server/Client PC
• Create network
segment based on
risk level as zone
• Block unauthorized
access and
malicious code
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 21
⑥⑦
External
Device/PC
③ Plant DMZ
④ Control Information
Network
⑤
Control Network
TMUSB
• No change system
• Scan and clean with latest pattern file
even in closed network
• Prohibit
unauthorized
external device
• Scan external
device with
latest pattern
before/after
connect with
ICS
Prevention Detection Cleanup
Mission-Critical
Specific Purpose
Non Mission-Critical
General Purpose
• No stop system in update or recovery
time frequently.
• Secure the system even in closed
network
• Secure the system that cannot
patched regularly
• Keep minimum impact on system
performance
• Offer easy installation/operation for
non IT persons
• Secure the
system that have
system change
frequently
• Secure the
system that
exchange
applications and
documents from
outside of plant
• Secure the
system that is
accessed by
unauthorized
devices
• Monitor and control
data transaction at
zone boundaries
N/A

22. Copyright © 2013 Trend Micro Incorporated. All rights reserved. 22

23. Materiais de
Apoio
11/13/2014 Confidential | Copyright 2014 Trend Micro Inc.
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 23

24. Raio-X APT: Ferramentas de ataque
Nome Fases Típicas - Uso Description
GETMAIL Extração Typically used to ascertain mail archives and mail out of those archives.
Netbox Ataque, Extração, Persistência
Copyright © 2014 Trend Micro Incorporated. All rights reserved. 24
For hosting tools/drop servers/ C2 servers. Commonly used as infrastructure on the
backend to support operational tasks. (Netbox also has valid uses, and is not a direct
indicator of compromise)
Pwdump Movimento Lateral
Dumps password hashes from the Windows registry. Typically used to crack
passwords for lateral movement throughout the victim environment. It can also be
used in pass-the-hash attacks.
Cachedump Movimento Lateral
A program for extracting cached password hashes from a system’s registry. Typically
used to crack passwords for lateral movement throughout the victim environment. It
can also be used in pass-the-hash attacks.
Lslsass Persistência, Movimento Lateral
Dumps active login session password hashes from windows processes. It is used to
crack passwords for lateral movement throughout the victim environment. It can also
be used in pass-the-hash attacks.
mapiget Persistência, Movimento Lateral This is for collecting emails directly from Outlook, prior to ever getting archived. It is
then dumped to text files.
HTRAN Ataque, Extração, Persistência
Connection bouncer, redirects TCP traffic destinted for one host to an alternate host.
It is also used to help obfuscate source IP of an attacker. It allows the attacker to
bounce through several connections in the victim country, confusing incident
responders.
Windows Credential Editor
(WCE)
Persistência, Movimento Lateral A security tool that allows to list logon sessions and add, change, list and delete
associated credentials
Lz77.exe Extração It is used as a compression application to help exfiltrate data. This is commonly seen
in Winrar, 7zip, and Winzip.
Gsecdump Movimento Lateral Grabs SAM file, cached credentials, and LSA secrets. Used for lateral movement in
victim environment and pass-the-hash style attacks.
ZXProxy (A.K.A AProxy) Extração, Persistência Proxy functionality for traffic redirection. This helps redirect HTTP/HTTPS
connections for source obfuscation. We have seen it used in data exfiltration.
LSB-Steganography Comprometimento Inicial, Extração Uses steganography techniques to embed files into images. This helps with data
exfiltration as well as during the initial compromise of a traditional APT attack.
UPX Shell Ataque, Persistência Used to help pack code for malware used in APT campaigns. This tool helps prevent
reverse engineering and code analysis.
ZXPortMap Extração, Persistência Traffic redirection tool, which helps to obfuscate the source of connections.
ZXHttpServer Extração Small HTTP server that is deployable and extremely flexible. We have seen it used
when attempting transfer of some files.
Sdelete Persistência, Cobertura Secure deletion tool. Allows for secure deletion to make forensic recovery difficult-therefore
complicating incident response procedures.
Dbgview Persistência, Movimento Lateral An application that lets you monitor debug output on your local system, or any
computer on the network that you can reach via TCP/IP
http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/