Security testing in critical systems

  • 1,011 views
Uploaded on

Cyber security threats and testing strategies for Real Time and Critical National Infrastructure (CNI) systems

Cyber security threats and testing strategies for Real Time and Critical National Infrastructure (CNI) systems

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,011
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
57
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Security Testing in Critical Systems An Ethical Hacker’s View Peter Wood Chief Executive Officer First•Base Technologies
  • 2. Who am I ? • Worked in computers & electronics since 1969 • Founded First•Base Technologies in 1989 (one of the first ethical hacking firms) • Primary roles: - Social engineer & penetration tester - Conference speaker - TV and radio security ‘expert’ - Member of ISACA Security Advisory Group - ISACA Conference Task Force member - Expert at the Corporate Executive Programme - Chair of Advisory board at CSA UK & IrelandSlide 2 © First Base Technologies 2011
  • 3. Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusionsSlide 3 © First Base Technologies 2011
  • 4. Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusionsSlide 4 © First Base Technologies 2011
  • 5. Industrial Control Systems • Supervisory Control And Data Acquisition (SCADA) - computer systems that monitor and control industrial, infrastructure, or facility-based processes • Programmable Logic Controller (PLC) - a computer used for automation of electromechanical processes, such as control of machinery • Programmable Automation Controller (PAC) - a compact controller that combines the features and capabilities of a PC-based control system with that of a typical PLC • Remote Terminal Unit (RTU) or Intelligent Electronic Device (IED) - a microprocessor-controlled device that interfaces objects in the physical world to a distributed control system or SCADASlide 5 © First Base Technologies 2011
  • 6. Simple SCADA systemSlide 6 © First Base Technologies 2011
  • 7. Waste water treatment plantSlide 7 © First Base Technologies 2011
  • 8. Network Architecture • RTUs and IEDs are proprietary devices running embedded operating systems • These originally used serial communications with field bus protocols such as Modbus, BITBUS, PROFIBUS etc. • Field bus protocols are now frequently encapsulated in TCP/IP • SCADA controllers manage communications, analyse data and display the alerts and events • Industrial systems now use UNIX or Windows in controllers and embedded in some field devices • This has exposed industrial systems to the same IT security challenges as commercial systemsSlide 9 © First Base Technologies 2011
  • 9. Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusionsSlide 10 © First Base Technologies 2011
  • 10. Authentication Problems • Default (manufacturer) passwords • Very poor quality passwords • Passwords never changed • Passwords common across many devices • Shared credentials • No passwords / anonymous logins • Remote access via modem • Systems replaced less often than commercial systems: no cleanup, more opportunity for information leakageSlide 11 © First Base Technologies 2011
  • 11. Systems not Patched or Hardened • Many systems running on legacy (unsupported) operating systems • Patching can break applications • Patching can violate some vendors’ service contracts • Systems never taken off-line, as downtime can cause massive problems • Systems are rarely hardened as it is believed this may impact the application • SCADA applications themselves often contain vulnerabilities • Frequently no anti-malware softwareSlide 12 © First Base Technologies 2011
  • 12. Insecure Protocols • Field bus protocols were not designed to be secure • Most field devices use proprietary IP stacks that are prone to DoS attacks and buffer overflows • Field bus protocols designed for serial comms, so no built in authentication – all legitimate packets will be processed • Most communication is in plain text • Default SNMP strings …Slide 13 © First Base Technologies 2011
  • 13. Lack of Segmentation • Firewalls usually only between the corporate network and the industrial network (if at all) • Firewalls may be badly configured, industrial protocols difficult to control - All field bus traffic may be on one port - Cannot risk blocking critical messages • Wireless can bypass firewalls • Traditionally SCADA systems were isolated … not any more • Systems therefore vulnerable to malware, especially wormsSlide 14 © First Base Technologies 2011
  • 14. Stuxnet (you had to ask) • Self-replicates through removable drives exploiting a vulnerability allowing auto- execution • Spreads in a LAN through a vulnerability in the Windows Print Spooler • Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability • Copies and executes itself on remote computers through network shares • Copies and executes itself on remote computers running a WinCC database server • Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded • Updates itself through a peer-to-peer mechanism within a LAN • Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed • Contacts a command and control server that allows the hacker to download and execute code, including updated versions • Contains a Windows rootkit that hide its binaries • Attempts to bypass security products • Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system • Hides modified code on PLCs, essentially a rootkit for PLCs Symantec: W32.Stuxnet Dossier version 1.4 (February 2011)Slide 15 © First Base Technologies 2011
  • 15. Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusionsSlide 16 © First Base Technologies 2011
  • 16. Problems with Testing While a ping sweep was being performed on an active SCADA network that controlled 9-foot robotic arms, it was noticed that one arm became active and swung around 180 degrees. The controller for the arm was in standby mode before the ping sweep was initiated. NIST Special Publication 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems SecuritySlide 17 © First Base Technologies 2011
  • 17. Problems with Testing A ping sweep was being performed on an ICS network to identify all hosts that were attached to the network, for inventory purposes. It caused a system controlling the creation of integrated circuits in the fabrication plant to hang. This test resulted in the destruction of $50,000 worth of wafers. NIST Special Publication 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems SecuritySlide 18 © First Base Technologies 2011
  • 18. Problems with Testing A gas utility hired an IT security consulting organization to conduct penetration testing on its corporate IT network. The consulting organization carelessly ventured into a part of the network that was directly connected to the SCADA system. The penetration test locked up the SCADA system and the utility was not able to send gas through its pipelines for four hours. The outcome was the loss of service to its customer base for those four hours. NIST Special Publication 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems SecuritySlide 19 © First Base Technologies 2011
  • 19. Areas for Review • Perimeter • Network infrastructure • Active Directory etc. • Host operating systems • Applications • PLCs, RTUs, IEDs, etc.Slide 20 © First Base Technologies 2011
  • 20. Security Review / Audit • Identification of devices and networks: - Router configs, router tables, switch tables, physical cable checks, packet sniffing • Identification of services: - Local port verification (netstat), scan of test or development system • Identification of vulnerabilities: - Local banner grabbing, scan of test or development system Penetration Testing of Industrial Control Systems Sandia National LaboratoriesSlide 21 © First Base Technologies 2011
  • 21. Perimeter • Identify all external connections • Review firewall rules • Review remote access methods • Check for wireless networks • Check physical access • If if doubt: test duplicate systemsSlide 22 © First Base Technologies 2011
  • 22. Network Infrastructure • Review router configs • Review switch tables • Conduct physical cable checks • Conduct packet sniffing and analysis • If if doubt: test duplicate systemsSlide 23 © First Base Technologies 2011
  • 23. Active Directory • Audit Active Directory - Manual inspection - Interviews - Offline inspectionSlide 24 © First Base Technologies 2011
  • 24. Host Operating Systems • Review hardening • Review patch levels • Review password quality • Review share and directory permissions • Review remote access • If if doubt: test duplicate systemsSlide 25 © First Base Technologies 2011
  • 25. Applications • Review ports and services • Review OS credentials • Review password quality • Review remote access • Consider code review • If if doubt: test duplicate systemsSlide 26 © First Base Technologies 2011
  • 26. PLCs, RTUs, IEDs, etc. • Review hardening • Review patch levels • Review password quality (if any) • Conduct packet sniffing • If if doubt: test duplicate systemsSlide 27 © First Base Technologies 2011
  • 27. Agenda • Overview of critical systems • Vulnerabilities and concerns • Security testing • Summary and conclusionsSlide 28 © First Base Technologies 2011
  • 28. Summary and Conclusions • Industrial systems now use UNIX or Windows exposing them to the same IT security challenges as commercial systems • Systems still considered to be isolated, but they are not • Systems not patched or hardened • All devices will have authentication problems • Systems replaced less often than commercial systems: no cleanup, more opportunity for information leakage • Field bus protocols were not designed to be secure • Poor segmentation and firewalling • Conventional scanning and testing can cause serious problems • Audit and careful manual inspection rather than pen testSlide 29 © First Base Technologies 2011
  • 29. Need more information? Peter Wood Chief Executive Officer First•Base Technologies LLP peterw@firstbase.co.uk Twitter: peterwoodx Blog: fpws.blogspot.com http://firstbase.co.uk http://white-hats.co.uk http://peterwood.comSlide 30 © First Base Technologies 2011