Down
the SCADA (security)
Rabbit Hole
Alberto Volpatto
Security Engineer & Team Leader @ Secure Network
Computer Engineer
S
upervisory –
operators, engineers, supervisorsC
ontrol –
monitoring, controlling, locally and/or remotelyA
nd
D
ata –
information representing the acquired systemA
cquisition –
access, acquire and represent meaningful dataA SCADA system is a type of ICS – Industrial Control
System – used to monitor and control large-scale
critical systems, both locally and remotely.
Industrial processes
Manufacturing, power generation, production
Infrastructure processes
Water treatment and distribution, oil and gas pipelines, electrical power transmission
Facility processes
Heating, ventilation and air conditioning systems - HVAC
SCADA/ICS Security
For years SCADA/ICS systems relied on security through obscurity
Industrial systems, which have been designed and
intended to be alone, became magically connected to the world
No perception of modern security threats and risks, from both SCADA vendors and consumers
SCADA/ICS Security
As traditional IT networks, SCADA environments host critical data and information
Projects, plans, chemical secrets
They have a direct impact on the physical world
An attack to a SCADA system could lead to a real world disaster, affecting people’s safety
Attacking Chemical Plants
August 2013 – multiple vulnerabilities in the industrial wireless products of three vendors have been reported. Customers are nuclear, oil and gas, refining, petro-chemical, utility, and
wastewater companies
2014 – Lucas Apa and Carlos Penagos released a public advisory describing four vulnerabilities
Attacking Chemical Plants
Threat – an attacker in a ~ 60 km range could inject false
values on the wireless gateways, modifying measurements used to make critical decisions
Targeting a wireless transmitter that monitors the process
temperature could make a chemical react and explode
If failsafe mechanisms are not implemented
source: https://www.youtube.com/watch?v=7g0pi4J8auQ
Stuxnet - 2010
The world’s first cyber weapon
Stuxnet - 2010
Turn up the
pressure inside nuclear reactors Switch off oil
pipelines
STUXNET tells the operators that
everything is normal
SCADA/ICS Security Assessment
Penetration testing goal is data
The intrinsic critical nature of systems requires slight changes in the modus operandi
Typically, no testing or quality environment Need for a methodology to nullify:
Service interruption of the controlled process Damages to the industrial plants and materials Risk of injuring people safety
SCADA/ICS Security Assessment
White or gray box assessment strategy
Horizontal analysis and vertical exploits on a subset of
pre-defined and authorized targets
Assessment activity is supervised by the customer
A proper knowledge of the controlled process is required to identify a potential issue and react
SCADA/ICS Security Assessment
Testing SCADA network systems and services with the support of Customer personnel Canonical corporate network assessment with a focus on network segregation or isolation
Internal policies review in order to spot issues in the organization processes
Fuzz testing on adopted protocols. Lab testing preferred over production environment testing
Corporate Network Assessment
Scenario-driven attacks
Corporate networks are likely to have been assessed before, but context-dependent scenarios need to be evaluated
Verify proper network segregation between corporate network
and SCADA network. Is it possible to jump from one network
into the other?
Network attacks against users who have access to the SCADA network or systems
e.g., abusing whitelisted workstation to pivot on the SCADA network
SCADA Network Assessment
Again, scenario-driven attacks
Simulating attacks from malicious employees Simulating attacks against legitimate employees
Vulnerability research on adopted software solutions
Production systems testing should be carefully supervised by personnel or operators
A Point of Contact (PoC) should be available in order to handle any incidents
Vulnerabilities exploiting must be specifically authorized and monitored by the Customer
SCADA Network Assessment
Network attacks against servers could be expected
Pivoting through internal user web browsers to attack internal web applications is less obvious
Many web applications are vulnerable to Cross-Site Request Forgery (CSRF) Attacks
CSRF attacks are completely transparent to the user and may affect any system they are currently logged into
CSRF attacks do not require a compromised workstation
Using penetration testing tools focused on client-side attacks makes pivoting easier
Cross-Site Request Forgery (CSRF)
Malicious web page Attacker Operator Vulnerable application 3 Surf page 1 Authenticate 2 4PLC/RTU Device Testing
In-lab devices testing (if available)
Devices are often considered out of scope, despite being critical elements in the ICS ecosystem
Custom protocols reversing and fuzzing
Testing on production environment is usually avoided or explicitly denied
A “crash” or generic “fault” on production systems could
Policies & Procedures Review
Targeting non-technological issues
Identify process-related security weaknesses Focus on SCADA/ICS systems management
SCADA Top 10 Security Risks
Security through obscurity
Unpatched or unsupported (operating) systems Authentication and authorization issues
Transport layer insecurity Input validation issues
Lack of proper security policies
Network isolation and/or segregation Default or weak configuration
Lack of accountability
Statistics of SCADA Security Issues
80 65 55 90 55 25 80 65 90 45 0 10 20 30 40 50 60 70 80 90 100 % Vulnerable systemsConclusions
ICS are critical, vulnerable, exposed
Identifying their weaknesses is paramount Security testing can be done safely