ACS-2010

SCADA and Control Systems Security Group (SCADASEC) Findings 2010 Applied Control Systems (ACS) Conference


Slide 1: SCADA and Control Systems Security Group (SCADASEC) Findings
2010 Applied Control Systems (ACS) Conference, September 20-23, 2010
Bob Radvanovsky, CIFI, CISM, CIPS
Jacob Brodsky, PE
Enumerating and Validating ICS Devices
Creative Commons License v3.0.

Slide 2: Who and what is "Infracritical"?
• Leading industry and business in Critical Infrastructure Protection (CIP).
  – Provides guidance and direction to both public and private sectors through information sharing and 'best practices'.
  – Established open public discussion forums on current and relevant topics and affairs.
  – Defines a strategic vision of 'future thought' in infrastructure development and support.
• Liaises between government and industry strategies.
• Sponsor and founder of the SCADASEC e-mail list.

Slide 3: Presentation Agenda
• Outline results from 'The Gathering' (May 2010).
• Reasons for having 'The Gathering'.
• Latest projects:
  – Enumerate and validate industrial automation/control systems devices (fingerprint).
  – Catalog based on genus, manufacturing type, make, model, and results found into a centralized data repository.
  – Allow for variances of information found 'in the wild'.
  – Enumeration is performed using 'open source' security tools.
  – Currently performing validation tests against the Hirschmann ICS firewall (Hirschmann EAGLE TX/TX).

Slide 4: Outline Results from 'The Gathering' (May 2010)
• Established in May 2010, 'The Gathering' provided a common ground for representation from commercial interests, academia and law enforcement.
• Discussed security concepts, issues and vulnerabilities with ICS equipment that was brought and shared.
• Discussed and shared engineering methods to improve the performance of said equipment, both operationally and securely.

Slide 5: Reasons for Having 'The Gathering'
• Need based on a "show 'n tell" principle.
• Allows participants to see, work with and handle ICS equipment that would otherwise not be possible.
• Allows participants to share ideas, concepts and ideologies with each other.
• Discuss methods of improving the performance of shared ICS equipment.
• Write recommendations for manufacturers.
Slide 6: Other Discoveries
• We are limiting public discussion on these discoveries.
• Schweitzer SEL-3620:
  – SSL interface survived the overnight assault from the Mu Dynamics fuzzer device.
  – No problems found.
• Another popular industrial switch, TELNET interface:
  – 158 problems found.
• Write recommendations for manufacturers.

Slide 7: Project 'Enlightenment'
• Validate CSET/CS2SAT network maps.
• Develop and exercise controlled methods of enumerating ICS equipment and appliances.
• Acquire intelligence from ICS equipment supplied by ICS owner-operators and private donors.
• Enumerate through several methods:
  – IT protocols: HTTP/HTTPS, SSH, SSL certificates, SNMP, etc.
  – Control system protocols: Modbus, Profibus, DNP, EtherNet/IP, etc.

Slide 8: Project 'NINJA' (Network INtelligence Joint Analysis)
• Catalog intelligence acquired from 'The Gatherings' and from 'Enlightenment'.
• Centralize data repository for public viewing (vetted).
• Provide sensitive intelligence for dissemination through encrypted methods:
  – encrypted email (automatic)
  – encrypted web portal(s)
• Website: www.thinklikeninja.com
Slide 9: Current Enumeration: Hirschmann EAGLE TX/TX
• One of the more recognized industrial automation firewalls.
• Hirschmann Automation and Control (HAC) GmbH was acquired by Belden Inc. (formerly Belden Wire & Cable, Inc.) in 2007.
• The software of the Hirschmann EAGLE and EAGLE mGuard firewalls was written by Innominate Security Technologies.
• Innominate Security Technologies was acquired by Phoenix Contact, Inc. in 2008.
(Slide image: the actual model of the device tested.)

Slide 10: Hirschmann Enumeration: Discoveries Found with Firewall
• The actual software on the Hirschmann ICS firewall was written by Innominate Security Technologies.
• Software from Innominate can be used interchangeably between the Hirschmann and Innominate versions.
• Software and firmware would be synchronized.
• Software after v4.2.3 required a 'license upgrade' (even though we had updates up to v7.0.1).
• Firmware after v4.2.3 had similar requirements.

Slide 11: Hirschmann Enumeration: Discoveries Found with Firewall
• Actual ICS screen shot.
• Tests were performed against two (2) firewalls.
• Firewall #1: Innominate
• Firewall #2: Hirschmann

Slide 12: Hirschmann Enumeration: Discoveries Found with Firewall
• F/W v3.0.1 (and including v3.1.1) caused ARP tables to be dropped during 'normal' port scans, requiring multiple attempts to connect to the firewall.
• F/W v4.0.4 (and higher) did not drop ARP tables.
• However, F/W v4.0.4, when attacked using a vulnerability scan, produced inconsistent fingerprinting results; in most cases, no fingerprint at all.
• NMAP (as of v5.35DC1) thinks the Hirschmann is a wireless access point / wireless router.
Slide 13: Hirschmann Enumeration: Discoveries Found with Firewall
Partial output from the following syntax: nmap -sS -v -O 1.1.1.1 -T3 -PN -v

  Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-16 19:15 CDT
  ...
  Device type: WAP|specialized|print server|storage-misc|general purpose|broadband router|firewall
  Running (JUST GUESSING) : Linux 2.4.X|2.6.X (98%), HP embedded (94%), Netgear RAIDiator 4.X (94%), MontaVista Linux 2.4.X (94%), Actiontec embedded (93%), Fortinet embedded (91%), Google embedded (91%)
  OS fingerprint not ideal because: Timing level 3 (Normal) used
  Aggressive OS guesses: DD-WRT v23 (Linux 2.4.36) (98%), Linux 2.4.21 (embedded) (95%), DD-WRT v23 (Linux 2.4.34) (95%), HP 4200 PSA (Print Server Appliance) model J4117A (94%), Netgear ReadyNAS Duo NAS device (RAIDiator 4.1.4) (94%), MontaVista embedded Linux 2.4.17 (94%), Actiontec GT701 DSL modem (93%), Linux 2.4.20 (92%), Fortinet FortiGate-60B or -100A firewall (91%), Google Mini search appliance (91%)
  No exact OS matches for host (test conditions non-ideal).
  ...
Slide 14: Hirschmann Enumeration: Discoveries Found with Firewall
• Ports open on the INTERNAL network interface include:
  – 22 (SSH), 53 (DNS), 443 (HTTPS) and 1720 (H.323)
• Enumeration of the device included testing from:
  – SNMP and HTTPS connections
• The enumeration method utilizes an 'open source' tool.
• One tool that will be heavily utilized is NMAP v5 (and newer).
• NMAP (as of version 4) allows integration of a scripting language.
• The NMAP Scripting Engine (NSE) utilizes the Lua language (www.lua.org) and tailors the code (www.nmap.org/nsedoc).
• Over 150 (and growing) common scripts are available from Insecure.

Slide 15: Hirschmann Enumeration: Discoveries Found with Firewall
• During one vulnerability scan, NMAP had difficulties fingerprinting its operating system (it is running an embedded Linux v2.4.36).
• The device is currently available for evaluation by the general public.
• Access has been granted to the INTERNAL network interface.
• Use the command-line (CLI) version of NMAP; the Mac and UNIX/Linux versions appear to work better with the NSE script.
• The script was written specifically for enumerating the Hirschmann.
• The script is currently in 'draft mode' and is being finalized.
• The current version of the enumeration script is 'mguard-10091201.nse'.
Slide 16: Hirschmann Enumeration: Discoveries Found with Firewall
If the Hirschmann EAGLE mGuard TX/TX enumeration script is utilized, output will look something like this:

  # nmap --script=./mguard-10091201.nse 1.1.1.1 -PN
  Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 12:48 CDT
  Nmap scan report for xxx (1.1.1.1)
  Host is up (0.0096s latency).
  Not shown: 996 closed ports
  PORT     STATE    SERVICE
  22/tcp   open     ssh
  53/tcp   open     domain
  443/tcp  open     https
  | mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
  | ** IF YOU REQUIRE MORE INFO, USE THE "-v" OPTION
  | ............Flash ID : 420401db459c83e7
  |_............Manufacturer of device : Hirschmann
  1720/tcp filtered H.323/Q.931
  Nmap done: 1 IP address (1 host up) scanned in 2.62 seconds

(Slide annotation: note the flash ID number; the ID is obtained via the SSL certificate.)

Slide 17: Hirschmann Enumeration: Discoveries Found with Firewall
If the verbose feature of the Hirschmann EAGLE mGuard TX/TX enumeration script is utilized:

  # nmap --script=./mguard-10091201.nse 1.1.1.1 -PN -v
  Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 10:24 PDT
  NSE: Loaded 1 scripts for scanning.
  Initiating Parallel DNS resolution of 1 host. at 10:24
  Completed Parallel DNS resolution of 1 host. at 10:24, 0.06s elapsed
  Initiating Connect Scan at 10:24
  Scanning xxxx (1.1.1.1) [1000 ports]
  Discovered open port 53/tcp on 1.1.1.1
  Discovered open port 22/tcp on 1.1.1.1
  Discovered open port 443/tcp on 1.1.1.1
  Completed Connect Scan at 10:24, 5.62s elapsed (1000 total ports)
  NSE: Script scanning 1.1.1.1.
  NSE: Starting runlevel 1 (of 1) scan.
  Initiating NSE at 10:24
  Completed NSE at 10:25, 6.06s elapsed
  ...
Slide 18: Hirschmann Enumeration: Discoveries Found with Firewall
(continued from slide 17)

  Nmap scan report for xxx (1.1.1.1)
  Host is up (0.096s latency).
  Not shown: 992 closed ports
  PORT     STATE    SERVICE
  22/tcp   open     ssh
  53/tcp   open     domain
  135/tcp  filtered msrpc
  139/tcp  filtered netbios-ssn
  443/tcp  open     https
  | mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
  | ** PHASE 1: TLS/SSL certificate verification
  | ....Step 1: SSL certificate info : CONFIRMED
  | ....Step 2: SSL certificate MD5 hash information
  | ............Flash ID : 420401db459c83e7
  | ............Organization name : Hirschmann Automation and Control GmbH
  | ............SSL certificate MD5 : c93063872150383b879a69f65ab6d7e5
  | ............SSL certificate version: 4.2.1 or newer

Slide 19: Hirschmann Enumeration: Discoveries Found with Firewall
(continued from slide 18)

  | ** PHASE 2: File presence verification
  | ....Step 1: Existence of "/favicon.ico"
  | ............File favicon.ico MD5 : 7449c1f67008cc3bfabbc8f885712207
  | ............Server type/version : 4.2.1 or newer
  | ....Step 2: Existence of "/gai.js"
  | ............File gai.js MD5 : e7696a86648dcdb6efb2e497e5a8616b
  | ............Server type/version : 4.2.1
  | ....Step 3: Existence of "/style.css"
  | ............File style.css MD5 : d71581409253d54902bea82107a1abb2
  | ............Server type/version : 4.2.1
  | ** PHASE 3: HTML pattern matching verification
  | ....Step 1: Confirmation of HTML code per version
  | ............HTML code verified : CONFIRMED
  | ............HTML code variant : Hirschmann
  | ....Step 2: Confirmation web server verification
  | ............Web server verified : CONFIRMED
  | ............Web server name/type : fnord
  | ............Web server version : 1.6

Slide 20: Hirschmann Enumeration: Discoveries Found with Firewall
(continued from slide 19)

  | ** PHASE 4: Documentation
  | ....Step 1: Documentation exist? : YES
  |.............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_BAT54_SW_Rel754_en.pdf
  |_............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_EAGLE_401_EN.pdf
  Read data files from: /usr/local/share/nmap
  Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds
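The phase 1 to 3 matching logic that the script output above walks through (certificate organization, MD5 of known files mapped to a firmware version, HTML variant marker, web server banner), as an added illustration for asset validation; this is not the mguard NSE script, which the slides do not reproduce, and it is written in Python rather than NSE Lua. The file bodies, the HTML marker and the resulting hash table are constructed for the example and stand in for artifacts a scanner would fetch from a vetted unit.

```python
import hashlib

# Constructed stand-ins for what a scanner would fetch from a unit's HTTPS
# interface; the bodies, marker and hash table are invented for this example.
SAMPLE_FILES = {
    "/favicon.ico": b"\x00\x00\x01\x00 constructed favicon body",
    "/gai.js": b"// constructed gai.js body\n",
    "/style.css": b"/* constructed style.css body */\n",
}
SAMPLE_HTML = b"<html><body class='hirschmann'>login</body></html>"
SAMPLE_CERT_ORG = "Hirschmann Automation and Control GmbH"
SAMPLE_SERVER = "fnord/1.6"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Phase 1 table: certificate organization -> HTML variant expected for it.
KNOWN_ORGS = {"Hirschmann Automation and Control GmbH": "Hirschmann",
              "Innominate Security Technologies": "Innominate"}
# Phase 2 table: path -> {md5 of a vetted file: version label}.  Built here from
# the constructed bodies so the example runs offline; a real table is filled
# with hashes taken from units of known firmware version.
KNOWN_FILES = {
    "/favicon.ico": {md5_hex(SAMPLE_FILES["/favicon.ico"]): "4.2.1 or newer"},
    "/gai.js": {md5_hex(SAMPLE_FILES["/gai.js"]): "4.2.1"},
    "/style.css": {md5_hex(SAMPLE_FILES["/style.css"]): "4.2.1"},
}
# Phase 3: per-variant HTML marker (constructed; the slides do not show the real pattern).
HTML_MARKERS = {"Hirschmann": b"class='hirschmann'", "Innominate": b"class='innominate'"}


def fingerprint(cert_org, files, html, server_header):
    """Return per-phase results and whether every phase agreed on the device."""
    variant = KNOWN_ORGS.get(cert_org)                               # phase 1
    versions = {p: KNOWN_FILES.get(p, {}).get(md5_hex(b), "unknown")
                for p, b in files.items()}                           # phase 2
    html_ok = variant is not None and HTML_MARKERS[variant] in html  # phase 3
    name, _, version = server_header.partition("/")
    server_ok = name == "fnord"
    # Any file with an unknown hash (modified page, other firmware) blocks confirmation.
    confirmed = (variant is not None and html_ok and server_ok
                 and "unknown" not in versions.values())
    return {"variant": variant, "versions": versions, "html_ok": html_ok,
            "server": (name, version), "confirmed": confirmed}
```

A file whose hash is not in the table yields "unknown" for that path and withholds confirmation, which is the behaviour a validation script should have when a unit's web files have been changed.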
Slide 21: Hirschmann Enumeration: Discoveries Found with Firewall
The following is a sample taken from the startup log while connected to the console:

  ...
  Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/i2c/i2c-adap-ixp425.o
  Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/max6625.o
  Warning: loading max6625 will taint the kernel: non-GPL license - Proprietary
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
  Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/power.o
  Warning: loading power will taint the kernel: non-GPL license - Proprietary
  Eagle: PHY sysctl directory registered.
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
  ...

Thoughts about this?
Slide 22: Hirschmann Enumeration: Summary of the Unit
• This unit allows the secured side to configure the firewall.
  – Vulnerable to cross-site scripting (XSS) and session hijacking.
  – Malware that gets inside secured networks can still cause damage.
  – Other propagation methods for malware include USB, VLAN attacks/mistakes, operator errors, crossed cables, etc.
  – Need out-of-band commands for the firewall.
• Licensing problems could make the unit a deliberate target.
• The ARP table ought to have a hard-wired option.
• Not a stateful firewall; not aware of industrial protocols.
Slide 23: One More Thing... Interesting Coincidence?
• At the time of writing this presentation, the firewall was probed from several IP addresses from China; one of them is shown below:

  2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
  2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
  2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast address from master interface
  2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.

• Here's the WHOIS information for this IP address:

  inetnum: 202.116.160.0 - 202.116.175.255
  netname: SCAU-CN
  descr: ~{;*DOE)R54sQ~}
  descr: South China Agricultural University
  descr: Guangzhou, Guangdong 510642, China
  country: CN
Slide 24: Next Gathering
• Mu Dynamics has been very supportive.
• Location and time:
  – SCADA CYBER SECURITY WORKSHOP, November 3-4, 2010, Southern Methodist University, Dallas, TX
  – http://www.nacmast.com/scada-workshop-registration
• Continue the "Enlightenment" and "NINJA" programs:
  – Introduce and educate the next generation of SCADA security specialists.
  – Gather data on other user-provided devices.
  – Work on CSET validation software.
• Discuss theoretical and practical issues with the devices we test.

Slide 25: Conclusion
• Combining 'The Gatherings' with the intelligence gathered from/through enumeration and validation tests, we feel that there will be more to come ... much more.
• So far, we have a small suite of scripts for the following:
  – Hirschmann Automation Control GmbH (HAC)
  – Allen-Bradley (aka Rockwell)
  – Rockwell Automation
  – Siemens
  – Electro Industries / Gaugetech (EIG)

Slide 26: Questions?
Bob Radvanovsky, (630) 673-7740, rsradvan@infracritical.com
Jacob Brodsky, (443) 285-3514, jbrodsky@infracritical.com
Creative Commons License v3.0.
