Security in Industrial Environments
© Fraunhofer IOSB
OBJECTIVE
◼ Awareness of security in industrial environments
◼ Teaser for different techniques to improve security
Anne Borcherding – Industrial Security
Industry 4.0
◼ Greater efficiency through intelligent crosslinking of
product development, production, logistics and customers
◼ Individual, flexible production
◼ New business models through service orientation
Machine Learning
Predictive Maintenance
Condition Monitoring
Industrial Internet of Things
Industrial Networks of the Past
Figure: network diagram with the labels Internet, Office-Net, Wireless Devices, Directly Plugged Devices, Printer, Wireless Router, Switch, Control Workstation, PLC, HMI, Process, Industrial Network, Air Gap.
Industrial Networks nowadays
Figure: network diagram with the labels Internet, Office-Net, Wireless Devices, Directly Plugged Devices, Printer, Wireless Router, Switch, Control Workstation, PLC, HMI, Process, Industrial Network, Firewall.
Future Industrial Networks
Figure: network diagram with the labels Internet, Office-Net, Wireless Devices, Directly Plugged Devices, Printer, Wireless Router, Switch, Control Workstation, PLC, HMI, Process, Industrial Network, Firewall.
Attacks on Industrial Networks
TRITON
Figure: petrochemical plant with the labels Chemical Process, Office Network, Industrial Network.
◼ Attack on a petrochemical plant
◼ Aim: Explosion
Vulnerabilities in Industrial Networks
Ripple20
CVE Severity (CVSS)
CVE-2020-11901 9.0
CVE-2020-11898 9.1
CVE-2020-11896 10.0
Integer Overflow
Missing Input Validation
Predictable Transaction IDs
Heap Overflow
Top 10 Threats
Top 10 Threats Trend
Infiltration of Malware via Removable Media and External Hardware
Malware Infection via Internet and Intranet
Human Error and Sabotage
Compromising of Extranet and Cloud Components
Social Engineering and Phishing
(D)DoS Attacks
Control Components Connected to the Internet
Intrusion via Remote Access
Technical Malfunctions and Force Majeure
Compromising of Smartphones in the Production Environment
Source: Industrial Control System Security: Top 10 Threats and Countermeasures 2019, Federal Office for Information Security
Improving Security
based on IEC 62443
Processes
Components
Systems
Automated Black Box Security Testing
Figure: test setup with the labels Testing, Monitoring, Test Device, Device under Test, Input, Output.
Web Security Scanners
Web Vulnerability Scanners: Scanner with DB ("Versions?", "Known?")
Web Application Scanners: Scanner sending inputs such as:
-1 UNION SELECT 1 INTO @,@
'& cat /etc/passwd
AND 1=1--
…
Web Application Scanners
Figure: bar chart "Vulnerabilities Found Automatically"; x-axis: vulnerability scanner (Nikto, Skipfish, Vega, Wapiti, ZAP, Cumulative); y-axis: percentage of vulnerabilities found manually (0% to 100%).
Web Application Scanners only find half of the vulnerabilities found manually. But they are a lot faster.
Source: Pfrang, S., Borcherding, A., Meier, D., et al. 2019. Automated security testing for web applications on industrial automation and control systems. at - Automatisierungstechnik. 67(5): 383-401
Helper-in-the-Middle
Figure labels: Web application scanner, Test device, Device under test, Proxy, Authentication, Watchdog, Crawling, Dynamic Content.
Source: Borcherding, A., Pfrang, S., Haas, C., Weiche, A., & Beyerer, J. (2020). Helper-in-the-Middle: Supporting web application scanners targeting industrial control systems, SECRYPT 17th International Conference on Security and Cryptography
Helper-in-the-Middle
Figure labels: Web application scanner, Test device, Device under test, Proxy, ISuTest.
Numbered steps in the figure: 1. alert, 2. interrupt, 3. restart, 4. resume
Helper-in-the-Middle
Figure: bar chart "True Positive Reports, Summarized over the WAS"; x-axis: PROFINET Buscoupler, OPC UA Gateway, Firewall; y-axis: number of true positive reports (0 to 1000); series: Bare, Proxy; data labels in extraction order: 143, 133, 35, 928, 743, 73.
Proxy helps to improve performance
Network Fuzzing
Ethernet
Image Source: https://commons.wikimedia.org/wiki/File:TCP_header.png
TCP Packet
◼ Full test of 2 bytes: 2^16 possibilities
➢ Assuming 1 test per second, this will last for 18.2 hours
Heuristics
◼ Using experience from earlier projects and detected vulnerabilities
◼ Examples
◼ Integer: minimum, maximum, 2^n, 2^n − 1
◼ String: "A" * self.size(), "2019-02-31"
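The arithmetic and the heuristics from the Network Fuzzing slide, worked through as an added example (not code from the talk or from ISuTest). It assumes an unsigned, big-endian integer field; all function names are hypothetical.

```python
from datetime import date

def exhaustive_hours(field_bytes, tests_per_second=1.0):
    """Hours needed to send every possible value of a field this wide."""
    return 2 ** (8 * field_bytes) / tests_per_second / 3600

def integer_heuristics(field_bytes):
    """Boundary values only: minimum, maximum, 2^n and 2^n - 1.

    Assumption: the field is unsigned, so minimum is 0 and maximum
    is 2^(8 * field_bytes) - 1.
    """
    bits = 8 * field_bytes
    maximum = 2 ** bits - 1
    values = {0, maximum}
    for n in range(bits):
        values.add(2 ** n)
        values.add(2 ** n - 1)
    return sorted(values)

def string_heuristics(field_size):
    """A string that fills the field exactly, and a well-formed but
    impossible date (31 February) that a naive parser may accept."""
    return ["A" * field_size, "2019-02-31"]

def encode(value, field_bytes):
    """Network byte order encoding of one integer test value."""
    return value.to_bytes(field_bytes, "big")

def is_real_date(text):
    """The check a robust device-side parser should apply to date strings."""
    try:
        date.fromisoformat(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    cases = integer_heuristics(2)
    print(f"exhaustive: {2 ** 16} cases, {exhaustive_hours(2):.1f} h at 1 test/s")
    print(f"heuristic:  {len(cases)} cases, {len(cases)} s at 1 test/s")
    print("first frames:", [encode(v, 2).hex() for v in cases[:5]])
    for s in string_heuristics(8):
        print(repr(s), "valid date" if is_real_date(s) else "not a valid date")
```

For a 2-byte field the heuristic set has 32 values instead of 65,536, which is what makes roughly 70 000 test cases per device feasible across many fields.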
Bus Coupler Study
◼ 6 Profinet bus couplers from different German manufacturers
◼ Security tests of the Profinet implementation (DCE/RPC and PNIO-CM)
◼ ~ 70 000 test cases per bus coupler
◼ Scenario A: without PLC
◼ Scenario B: with PLC
Figure labels: ISuTest, DUT, Switch, Process, PLC
Bus Coupler Study
All bus couplers are vulnerable
Similarity of stacks is visible
Source: Steffen Pfrang, Anne Borcherding: Security-Testing für industrielle Automatisierungskomponenten: Ein Framework, sein Einsatz und Ergebnisse am Beispiel von Profinet-Buskopplern, 16. Deutscher IT-Sicherheitskongress des BSI, 2019
Summary
◼ Transformation of industrial networks
◼ Recent attacks, vulnerabilities, and threats
◼ Web Application Scanners
◼ Fuzzing