The Subversive Six: Hidden Risk Points in ICS

© 2017 Belden Inc. | belden.com | @BeldenInc 1© 2017 Belden Inc. | belden.com | @BeldenInc
Wednesday, March 22, 2017
The Subversive Six:
Hidden Risk Points in ICS
Sean McBride
ICS Attack Synthesis
Lead, FireEye-iSIGHT
David Meltzer
Chief Research Officer
Belden-Tripwire
Erik Schweigert
Software Manager, R&D
Tofino Security, Belden

© 2017 Belden Inc. | belden.com | @BeldenInc 2
Agenda
• Risks we can see
• The Subversive Six
• Mitigations
• Summary & Q&A

33% of ICS-Specific Vulnerabilities Have No Fix at Public Disclosure
(Since 2010)

Vulnerabilities by ICS Level (or Zones) -Modified Purdue Model
• Not this diagram
• Should be oriented this way
• Not wanting to use the old
FireEye/Belden/Tripwire architecture
slide
Proprietary and Confidential Information. © Copyright 2017 Belden, FireEye/iSIGHT, Tripwire. All Rights Reserved. 5

Level 2 – Highest Vulnerabilities
• ICS-specific vulnerability
affecting each level from
February 2013 to April 2014
• Vulnerabilities may affect
more than one zone

Larger Potential Physical Consequences
- San Bruno PG&E Explosion, 2010

The “Subversive Six”
• Outdated hardware
• Vulnerable Windows operating systems
• Weak password management
• Weak file integrity checks
• Unauthenticated protocols
• Undocumented third-party relationships

Outdated hardware
• NRC The U.S. Nuclear Regulatory Commission relates that in August 2006, PLCs
and VFDs at Browns Ferry Nuclear Generating Station malfunctioned as a result
of excessive network traffic.
• Digital Bond names GED20 substation gateway device as obsolete technology
exhibiting serious vulnerabilities.

Vulnerabilities affecting Windows operating systems
• In 2015, numerous exploit kits
− Targeting unsupported OS
− And supported OS where
patches were available
• Windows 7 (supported thru 2020)
− CVE-2011-5046
− CVE-2010-4701
− CVE-2010-3227
− also affect Windows XP (no
longer supported)
• Publicly available exploit code exists for at least eight vulnerabilities in Windows Server
OS, widely used in production and plant environments.
− Windows server 2008 (Service Pack 1 and 2 supported to January 2020)
− Windows Server 2003 (support ended in July 2015)

Weak password management
• Vendor default passwords
easily available online
− One group of researchers
actively maintains
publicly available lists of
hard-coded or default
passwords for ICS devices
• Research findings –
− dozens of vulnerabilities
involving password
weaknesses in ICS devices
and software from
numerous vendors.
- From September 2016

Weak file integrity checks
• PLC worm - In March 2016 researchers demonstrated a PLC
worm that spread from one Siemens PLC to another by
modifying control logic. The researchers opine that other PLCs
using unencrypted protocols are susceptible to similar attacks.
• Unauthorized firmware modifications - In 2013 a Master's
degree candidate from the U.S. Air Force Institute of
Technology demonstrated a firmware modification attack
against a Rockwell Automation PLC.
• DHS warnings - In 2009 the U.S. Department of Homeland
Security (DHS) warned that adversaries my attack industrial
environments by pushing rogue firmware uploads to
controllers in a plant.

Unauthenticated protocols
• Layer 0-1: HART, Foundation Fieldbus, Profibus, CAN
• Layer 1-2: Modbus, DNP3, EtherNet/IP

Undocumented third-party relationships
• In January 2013 Russian researchers identified at
least 15 third-party products used by Siemens
WinCC. These products exhibited a total of over
1,800 vulnerabilities, one of which was disclosed
in 1997.
• Two other examples of third-party issues that
affected ICS in recent years are Heartbleed and
Poodle. Both weaknesses affected numerous ICS
devices; however, many vendors did not release
advisories until months after the weaknesses
were publicized.

What is Deep Packet Inspection and How Can it Help?
• Deep Packet Inspection firewalls are designed to both filter at the:
− TCP/UDP and IP layers (just like a regular firewall)
− Session, Presentation and Application layers
• First acts as Layer 3/4 firewall
• Then performs DPI
• Can inspect commands, services, objects and addresses in SCADA and
process control protocols
Ethernet IP TCP Upper Layers & Data FCS
IP Src & Dest
Address
MAC Address
(Possible)
Dest Port
SCADA Protocol
Commands, Services, Objects,
Addresses, etc.
Data

Deep Packet Inspection Terms
Control Plane
• The ability to update the underlying
firmware is usually vendor specific
• Usually not widely published. This could
be ‘special’ function codes. Think
Modbus FC 90 (Schneider Unity/
Programming OFS software)
• You could think of it as doing a Kernel
update on a Linux system or doing a
Windows update. Has widespread
affects to the system.
• In many/most cases there is no
authentication on these protocols that
provide this functionality. Need DPI for
this.
Data Plane
• Think user data traffic
• HMI presents data to the plant
operator such as:
• Temperature values
• Pressure controls
• Any monitored values that
are usually functions of
ladder logic
• The actual process data
• Typical protocols:
• Modbus/TCP
• EtherNet/IP (CIP)
• DNP3

Signature-Based Deep Packet Inspection?
• A signature-based system is only a reactive mechanism. The signatures are usually built
from an already discovered vulnerability. Need a better proactive method.
• Signatures provide a shallow inspection and require signature database updates (Internet
access on the plant floor - no no)
• Signature is typically made for a specific vulnerability, so if one byte changes in the attack
vector you have to build a new signature to mitigate it
• Effectively building a Blacklist rather than Whitelist
• For open source / published protocols a signature based methodology is insufficient – full
protocol inspection is a must
− One use could be for a proprietary protocol where only basic byte checking is required.
• There must be a more complete way!

Signatures – Depth Matters
18
• Depth more important than Breadth
• Breadth with no depth has little to no value
• A signature that validates a single byte
should not be toted as ‘supporting that
protocol’ – need to disregard marketing fluff
• Need to question claims like “We support
500 protocols” – how deep?

Tofino™ Xenon Industrial Security Appliance
The Tofino Xenon delivers advanced cyber security protection for industrial
networks, securing critical assets at Layer 2, making it easier to deploy and
transparent to the network
• No IP or network architecture changes needed
• Protects endpoint devices
(PLCs, RTUs, IEDs, DCS, HMIs, Historians, Controller Consoles, etc)
• Easy to deploy with Plug and Protect™ - no downtime
• Secure Zones and Conduits (IEC-62443)
• Deep Packet Inspection for industrial protocols to enforce security policy
− DNP3 and IEC 104
− Modbus/TCP
− OPC
− EtherNet/IP
− Others coming
• Auto-generates firewall rules, and controls access and egress from secure zones

• Assessment and Recommendations
• Industrial Ethernet Infrastructure Design
• Security Configuration Monitoring
− Asset Discovery and configurations
• Security Event Logging
• Vulnerability Management
• Industrial Networking Appliances
− Firewalls, Routing, Switches , Serial Communications,
Media Converters, Wireless Security, POE
− Industrial Protocol Security
− Deep Packet Inspection
Belden, FireEye, Tripwire
Industrial Security Solutions

• Get a plan and program for ICS security
− Call in consultants to assess and recommend
− Merge ICS security governance with enterprise security governance
• Inventory your control systems and automate the maintenance
− Software, Hardware, Firmware versions
− Controllers
− Function/impact
• Segment your network, and consider “easy button” such as Tofino
− Passively listens, suggests firewall rules
− A “bump on the wire,” creating a secure zone and requiring no IP or subnet changes
− Review firewall placement and rules
− Review router configurations
Summary: Reducing Risk, Increasing Efficiency, and Faster Response

• Incident Response - investigation help to figure out if there has been a compromise
• Compromise Assessment - help identifying if there is current or past breach activity in the environment
• Inquiring about a health check assessment – basic information
• NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015
• Belden ICS Security website - product information, blog, news
• FireEye Threat Research Blog
• Belden Industrial Security Blog
• iSight Resources
• SANS Institute - SANS 2016 State of ICS Security Report
• Belden Whitepaper - Cybersecurity in Electrical Substations
• Belden Whitepaper – Understanding Deep Packet Inspection and Industrial Protocols
• Tripwire State-of-Security Blog
• ICS-CERT Compilation of reference documents
• SCADA Hacker website – Resources link
• Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems
Resources

The Subversive Six: Hidden Risk Points in ICS

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a The Subversive Six: Hidden Risk Points in ICS

Semelhante a The Subversive Six: Hidden Risk Points in ICS (20)

Mais de Tripwire

Mais de Tripwire (20)

Último

Último (20)

The Subversive Six: Hidden Risk Points in ICS