• No results found

Down the SCADA (security) Rabbit Hole. Alberto Volpatto

N/A
N/A
Protected

Academic year: 2021

Share "Down the SCADA (security) Rabbit Hole. Alberto Volpatto"

Copied!
34
0
0

Loading.... (view fulltext now)

Full text

(1)

Down

the SCADA (security)

Rabbit Hole

(2)

Alberto Volpatto

Security Engineer & Team Leader @ Secure Network

Computer Engineer

(3)

S

upervisory –

operators, engineers, supervisors

C

ontrol –

monitoring, controlling, locally and/or remotely

A

nd

D

ata –

information representing the acquired system

A

cquisition –

access, acquire and represent meaningful data

(4)

A SCADA system is a type of ICS – Industrial Control

System – used to monitor and control large-scale

critical systems, both locally and remotely.

(5)

Industrial processes

Manufacturing, power generation, production

Infrastructure processes

Water treatment and distribution, oil and gas pipelines, electrical power transmission

Facility processes

Heating, ventilation and air conditioning systems - HVAC

(6)
(7)
(8)
(9)
(10)

SCADA/ICS Security

For years SCADA/ICS systems relied on security through obscurity

Industrial systems, which have been designed and

intended to be alone, became magically connected to the world

No perception of modern security threats and risks, from both SCADA vendors and consumers

(11)
(12)

SCADA/ICS Security

As traditional IT networks, SCADA environments host critical data and information

Projects, plans, chemical secrets

They have a direct impact on the physical world

An attack to a SCADA system could lead to a real world disaster, affecting people’s safety

(13)

Attacking Chemical Plants

August 2013 – multiple vulnerabilities in the industrial wireless products of three vendors have been reported. Customers are nuclear, oil and gas, refining, petro-chemical, utility, and

wastewater companies

2014 – Lucas Apa and Carlos Penagos released a public advisory describing four vulnerabilities

(14)

Attacking Chemical Plants

Threat – an attacker in a ~ 60 km range could inject false

values on the wireless gateways, modifying measurements used to make critical decisions

Targeting a wireless transmitter that monitors the process

temperature could make a chemical react and explode

If failsafe mechanisms are not implemented

(15)
(16)

source:  https://www.youtube.com/watch?v=7g0pi4J8auQ

Stuxnet - 2010

The world’s first cyber weapon

(17)

Stuxnet - 2010

Turn up the

pressure inside nuclear reactors Switch off oil

pipelines

STUXNET tells the operators that

everything is normal

(18)
(19)

SCADA/ICS Security Assessment

Penetration testing goal is data

The intrinsic critical nature of systems requires slight changes in the modus operandi

Typically, no testing or quality environment Need for a methodology to nullify:

Service interruption of the controlled process Damages to the industrial plants and materials Risk of injuring people safety

(20)

SCADA/ICS Security Assessment

White or gray box assessment strategy

Horizontal analysis and vertical exploits on a subset of

pre-defined and authorized targets

Assessment activity is supervised by the customer

A proper knowledge of the controlled process is required to identify a potential issue and react

(21)

SCADA/ICS Security Assessment

Testing SCADA network systems and services with the support of Customer personnel Canonical corporate network assessment with a focus on network segregation or isolation

Internal policies review in order to spot issues in the organization processes

Fuzz testing on adopted protocols. Lab testing preferred over production environment testing

(22)
(23)

Corporate Network Assessment

Scenario-driven attacks

Corporate networks are likely to have been assessed before, but context-dependent scenarios need to be evaluated

Verify proper network segregation between corporate network

and SCADA network. Is it possible to jump from one network

into the other?

Network attacks against users who have access to the SCADA network or systems

e.g., abusing whitelisted workstation to pivot on the SCADA network

(24)
(25)

SCADA Network Assessment

Again, scenario-driven attacks

Simulating attacks from malicious employees Simulating attacks against legitimate employees

Vulnerability research on adopted software solutions

Production systems testing should be carefully supervised by personnel or operators

A Point of Contact (PoC) should be available in order to handle any incidents

Vulnerabilities exploiting must be specifically authorized and monitored by the Customer

(26)

SCADA Network Assessment

Network attacks against servers could be expected

Pivoting through internal user web browsers to attack internal web applications is less obvious

Many web applications are vulnerable to Cross-Site Request Forgery (CSRF) Attacks

CSRF attacks are completely transparent to the user and may affect any system they are currently logged into

CSRF attacks do not require a compromised workstation

Using penetration testing tools focused on client-side attacks makes pivoting easier

(27)

Cross-Site Request Forgery (CSRF)

Malicious web page Attacker Operator Vulnerable application 3 Surf page 1 Authenticate 2 4

(28)
(29)

PLC/RTU Device Testing

In-lab devices testing (if available)

Devices are often considered out of scope, despite being critical elements in the ICS ecosystem

Custom protocols reversing and fuzzing

Testing on production environment is usually avoided or explicitly denied

A “crash” or generic “fault” on production systems could

(30)

Policies & Procedures Review

Targeting non-technological issues

Identify process-related security weaknesses Focus on SCADA/ICS systems management

(31)

SCADA Top 10 Security Risks

Security through obscurity

Unpatched or unsupported (operating) systems Authentication and authorization issues

Transport layer insecurity Input validation issues

Lack of proper security policies

Network isolation and/or segregation Default or weak configuration

Lack of accountability

(32)

Statistics of SCADA Security Issues

80 65 55 90 55 25 80 65 90 45 0 10 20 30 40 50 60 70 80 90 100 %  Vulnerable  systems

(33)

Conclusions

ICS are critical, vulnerable, exposed

Identifying their weaknesses is paramount Security testing can be done safely

(34)

Thank you!

[email protected]

References

Related documents

The parties may have solemnly agreed, for example, that the contract law of nation state Y would govern their relationship; the material dispute may involve business that was

As the length of the space/time grid tends to zero, we prove several asymptotic properties of the finite MFGs equilibria and we also prove our main result in Theorem 4.1 showing

A total onslaught is launched against spiritual workers who are attacked from various directions.. My purpose however is not to paint a

Note: As for all VVs, this versatile verb can be followed by a variety of prepositions; whichever best describes the action that follows. SEASON

Outcome-Driven Technical Assistance: From Process to Impact © Nonprofit Impact, 2014 Page 3 Too often, the focus of public health TA is on the process itself –

The proposals submitted to ADX, TY, and GAM request the board of directors of each fund to (1) authorize a self-tender offer for all of its outstanding common shares at or close to

To understand interspecific differences in species sensitivity towards chemical exposure, it is useful to divide sensitivity into two processes: toxicokinetics (TK) and

But even at the low­ est levels, behavioral spontaneity is achieved through the types of flexible neural circuits animals possess, whereby behavioral "master