
ICS Security 101 by Sandeep Singh

ICS Security 101 by Sandeep Singh @ Combined null Delhi & OWASP Delhi March 2017 Meetup


  1. ICS Security 101, Sandeep Singh
  2. Agenda • What is ICS? • IT vs ICS • ICS components • ICS protocols • PLCs • Common issues with ICS security • Pentesting ICS (approach and methodology) • Securing ICS • So you want to learn ICS security?
  3. What is an industrial control system?
  4. Where do we see ICS in use? • Food manufacturing plants • Power plants • Building automation systems (AC/HVAC) • Water treatment • Chemical plants • Oil & gas • Telcos • Weapons control systems • Dams, etc.
  5. The confusion: IoT, critical infrastructure and industrial control systems are overlapping but not identical terms.
  6. IT vs ICS: the priorities are inverted. IT ranks Confidentiality > Integrity > Availability; ICS ranks Availability > Integrity > Confidentiality.
  7. IT vs ICS (table)
     Security patches: IT applies them regularly on standard systems; ICS vendors have only recently started providing them, and they are applied once a year at most.
     Antivirus: IT deploys it on all Windows machines, centrally managed; in ICS it is slowly starting to show up, some vendors used to (or still) forbid AV (no support if AV is installed), and it is not centrally managed.
     System administration: IT has centralized, dedicated teams with standard operations and procedures; ICS suffers from a lack of local skills, heterogeneous environments, lots of different tools, and mandatory vendor support.
     IAM: IT uses nominative accounts; ICS uses generic, shared accounts with no password policy.
     Availability: IT tolerates service interruptions, especially outside business hours; ICS runs real-time operations where downtime is unacceptable or very costly.
     Protocols: IT uses standard TCP/IP protocols that include authentication and encryption; ICS uses many vendor-specific protocols with no security built into the protocol.
     Impact: in IT no people are endangered; in ICS people, the environment and industrial gear can be harmed.
  8. A look into the past • 1969: first PLCs • 1979: Modbus protocol published • 1986: PLCs controlled by PCs • 1992: TCP/IP for PLCs • 2003: web servers on PLCs • 2017: AD is coming!
  9. ICS components • Sensors and actuators: allow interaction with the physical world (pressure sensors, valves, motors, ...) • Local HMI: Human-Machine Interface, permits the supervision and control of a subprocess • PLC: Programmable Logic Controller, manages the sensors and actuators • Supervisor screen: remote supervision of the industrial process • Data historian: records all data from the production and SCADA networks • RTU: Remote Terminal Unit (standalone PLC) • IED: Intelligent Electronic Device (smart sensor)
  10. ICS protocols
  11. Industrial protocols • At the beginning, specific protocols on specific physical layers (RS-232, RS-485, 4-20 mA current loop) • Some protocols were adapted to TCP/IP, like Modbus, and others were developed to allow interoperability. Currently the most used seem to be: • HART / WirelessHART • Profibus • Modbus • Profinet / S7 • DNP3 • OPC
  12. Modbus protocol • Serial communication protocol published in 1979 by Modicon (now Schneider Electric) • Developed for industrial applications • Royalty-free • Now one of the standards for industrial applications. Security? • Clear-text • No authentication: any host that can reach the slave can read and write. How it works: • Master/slave protocol • The master must regularly poll the slaves to get information • Slave (unit) addresses are 8 bits long; register addresses are 16 bits • There is no object description: a request returns a value without any context or unit.
  13. Modbus protocol • Modbus was originally made for serial communications • It is now often used over TCP. Modbus/TCP frame format: a 7-byte MBAP header (transaction ID, protocol ID = 0, length, unit ID) followed by the PDU (function code + data); the serial CRC is dropped because TCP carries its own checksum.
  14. Modbus protocol • The most common Modbus functions read and write data from/to a PLC • Other functions, such as file read and diagnostics functions, also exist • Undocumented Modbus function codes can also be used to perform specific actions. Commonly used Modbus function codes:
      Function name                   Code
      Read coils                      1
      Read holding registers          3
      Write single coil               5
      Write single register           6
      Write multiple registers        16
      Read/write multiple registers   23
      All documented Modbus function codes: https://en.wikipedia.org/wiki/Modbus
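The frame format and function codes of slides 12 to 14, as an added worked example that is not part of the original deck: a minimal Modbus/TCP encoder/decoder plus a toy slave with a constructed register map. The slave and the register contents are assumptions for illustration; the MBAP layout, function codes 3 and 6, and the exception-response convention (bit 7 of the function code set, one exception byte) are from the Modbus specification. Note that nothing in the exchange identifies or authenticates the master, which is the whole point of the "no authentication" bullet.

```python
import struct

# Modbus/TCP ADU = 7-byte MBAP header + PDU (function code + data).
# MBAP: transaction id, protocol id (always 0), length (number of bytes that
# follow the length field, i.e. unit id + PDU), unit id. No CRC, no auth.
MBAP = struct.Struct(">HHHB")
FC_READ_HOLDING_REGISTERS = 3
FC_WRITE_SINGLE_REGISTER = 6
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02


def build_adu(tid, unit, pdu):
    """Wrap a PDU in an MBAP header."""
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_adu(frame):
    """Split a Modbus/TCP frame into (transaction id, unit id, PDU)."""
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    pdu = frame[MBAP.size:]
    if proto != 0 or length != len(pdu) + 1:
        raise ValueError("not a well-formed Modbus/TCP frame")
    return tid, unit, pdu


def read_holding_registers(tid, unit, start, count):
    return build_adu(tid, unit, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start, count))


def write_single_register(tid, unit, address, value):
    return build_adu(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value))


class ToyPlc:
    """Constructed Modbus slave holding a few 16-bit registers (an assumption,
    not a real device). Like a real slave it never asks who is talking: anyone
    who reaches TCP/502 can read and write."""

    def __init__(self, unit, registers):
        self.unit = unit
        self.registers = list(registers)

    def handle(self, frame):
        tid, unit, pdu = parse_adu(frame)
        fc = pdu[0]
        if fc == FC_READ_HOLDING_REGISTERS:
            start, count = struct.unpack(">HH", pdu[1:5])
            if not 1 <= count <= 125 or start + count > len(self.registers):
                return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS]))
            data = struct.pack(">%dH" % count, *self.registers[start:start + count])
            return build_adu(tid, unit, bytes([fc, len(data)]) + data)
        if fc == FC_WRITE_SINGLE_REGISTER:
            address, value = struct.unpack(">HH", pdu[1:5])
            if address >= len(self.registers):
                return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS]))
            self.registers[address] = value
            return build_adu(tid, unit, pdu)  # a write is acknowledged by echoing the request
        return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION]))


def decode_response(frame):
    """Turn a response frame into a dict; exception responses set bit 7 of the FC."""
    tid, unit, pdu = parse_adu(frame)
    fc = pdu[0]
    if fc & 0x80:
        return {"tid": tid, "unit": unit, "function": fc & 0x7F, "exception": pdu[1]}
    if fc == FC_READ_HOLDING_REGISTERS:
        n = pdu[1]  # byte count
        values = struct.unpack(">%dH" % (n // 2), pdu[2:2 + n])
        return {"tid": tid, "unit": unit, "function": fc, "values": list(values)}
    if fc == FC_WRITE_SINGLE_REGISTER:
        address, value = struct.unpack(">HH", pdu[1:5])
        return {"tid": tid, "unit": unit, "function": fc, "address": address, "value": value}
    raise ValueError("function code %d not decoded here" % fc)


def demo():
    # Register 2 stands in for a setpoint (constructed values, no real process).
    plc = ToyPlc(unit=1, registers=[1200, 0, 75, 0])
    before = decode_response(plc.handle(read_holding_registers(1, 1, 0, 3)))
    ack = decode_response(plc.handle(write_single_register(2, 1, 2, 500)))
    after = decode_response(plc.handle(read_holding_registers(3, 1, 2, 1)))
    # FC 43 (device identification) is not implemented by the toy slave -> exception 0x01
    bad = decode_response(plc.handle(build_adu(4, 1, bytes([0x2B]))))
    return before, ack, after, bad


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The same `build_adu`/`parse_adu` pair is all a client such as Metasploit's modbusclient needs to talk to a real PLC; the only difference is that the frame goes over a TCP socket to port 502 instead of into `ToyPlc.handle`.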
  15. S7 protocol • Proprietary protocol by Siemens • TCP port 102 • Based on COTP (Connection-Oriented Transport Protocol, RFC 905) • No security in the original version • A new version of the protocol is available starting with version 4 of the PLC firmware: it provides mutual authentication and communication encryption • Security features analyzed by Quarkslab, see the talk from SSTIC 2015: https://www.sstic.org/2015/presentation/analyse_de_scurite_de_technologies_propritaires_scada/
  16. DNP3 protocol • Standard protocol, developed by GE in the 90s • Peer-to-peer rather than strict master/slave: information can be shared at the initiative of either device (unsolicited responses) • Layer 2 protocol (just on top of the physical layer), ported to TCP/IP • Integrity is verified using CRCs, which only catch accidental corruption, not tampering • Report-by-exception communication: only the data that has changed is sent (simplified), or data is sent at the initiative of the PLC/RTU • Used for smart grids in the US • Secure DNP3 introduced in 2007 - Works on the serial and TCP versions - Challenge/response to exchange a session key (using a PSK) - Can be done at startup, every XX minutes, or only for sensitive actions (write requests, for example) - Possible to run secure DNP3 over TLS
  17. PLC • Real-time digital computer used for automation • Replaces electrical relays • Lots of analogue or digital inputs and outputs • Rugged devices (immune to vibration, electrical noise, temperature, dust, ...)
  18. PLC programming • "Ladder Logic" was the first programming language for PLCs.
  19. Other languages • SoMachine is the software provided by Schneider Electric to program its entry-level PLCs • PLCs used in big plants are usually programmed using Unity Pro • Unity Pro has no free/demo version
  20. PLC programming workflow • Create a project • Define the hardware setup • Create variables • Define the program • Test • Debug • Push to the PLC • START
  21. Common issues with ICS security • Organization and awareness • Network segmentation • Vulnerability management • Security in protocols • Third-party management • Security monitoring and detection
  22. Approaching ICS pentests
  23. ICS security assessments • Types of security assessments - Security posture audits (interviews and artifact reviews) - Physical security assessments (policy and walkthroughs) - Network capture assessments (passive network) - Vulnerability scanning (active network) - Penetration testing (active network and hands-on) • Each assessment type looks at the system from a different perspective and angle • The most common time to do penetration tests on control systems is during equipment acquisition, before the system is in production
  24. What to pentest? • All connectivity from corporate networks to control networks • All remote access connectivity into the control network • Any link carrying control traffic across public or semi-public links • Any new system before it is implemented • Any system changes or updates that are being tested in test or staging environments • Web applications running on top of devices such as RTUs, PLCs and HMIs • Fuzzing ICS protocol implementations (on a test system, never on a live controller)
  25. Port scanning on ICS networks is dangerous • Nmap is the de facto tool for port scanning but can be really dangerous on ICS: many PLC network stacks crash or hang on malformed or unexpected packets • Two stories from NIST SP 800-82 • A ping sweep destroyed over $50,000 in product at a semiconductor factory • Gas distribution was blocked for several hours after a pentester went slightly off-perimeter during an assessment for a gas company • Useful Nmap setup for scanning • Reduce the scanning speed! Use "--scan-delay 1s" to wait at least one second between probes (Nmap takes a time value with a unit) • Perform a TCP connect scan (-sT) instead of a SYN scan, and do not perform UDP scans • Do not use fingerprinting functions (-O, -sV), and manually select scripts (do not use "-sC")
  26. PLCSCAN • https://code.google.com/archive/p/plcscan/ by SCADAStrangeLove (http://scadastrangelove.org/) • Scans for ports 102 (Siemens S7) and 502 (Modbus) and tries to pull information about the PLC (modules, firmware version, ...) • Not exhaustive, since not all PLCs are Siemens or speak Modbus
  27. Attacking standard services • Most PLCs have standard interfaces, such as HTTP and FTP • Let's say security was not the first thing in mind when introducing these features ... • On the Schneider M340 • FTP credentials are hard-coded (user sysdiag, password factorycast@schneider) • This allows you to retrieve the password file for the web UI
  28. Metasploit for everything • auxiliary/scanner/scada/modbusclient (can perform read/write operations on coils and registers) • Unauthenticated actions on the PLC • auxiliary/scanner/scada/modicon_command (STOP/RUN) • auxiliary/scanner/scada/modicon_stux_transfer (logic download/upload)
  29. Securing ICS
  30. Securing ICS • ICS security standards • ANSSI (French guidelines) • ISA99 / IEC 62443 • NIST SP 800-82 Revision 2 • ENISA guidelines • NERC CIP • System hardening • Network segmentation • Pivoting from the corporate network to the ICS network is the main problem • Segregate while still allowing the communications that are needed • Beware of hosts with two network cards (dual-homed): they bridge the corporate and ICS networks and defeat the segmentation • Security monitoring
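Slide 28 shows that Metasploit's modbusclient and modicon_command need no credentials, and slide 30 lists security monitoring as a control. As an added example that is not part of the original deck, here is the kind of monitoring rule that catches both: it decodes just enough of each Modbus/TCP request to get the function code, then alerts on writes or vendor-specific frames from any host that is not the engineering workstation, and on any Modbus client that is not in the inventory at all. The IP addresses, the inventory and the captured frames are all constructed assumptions; the mapping of function code 90 (0x5A) to Schneider's UMAS channel, which modicon_command uses, is the only vendor fact relied on, and the bytes after that function code are a placeholder, not a real UMAS command.

```python
import struct
from collections import namedtuple

MODBUS_PORT = 502
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

# Function codes that change process state (documented Modbus functions).
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
# Function code 90 (0x5A) carries Schneider's vendor-specific UMAS channel,
# which is what STOP/RUN and logic upload/download ride on.
VENDOR_FUNCTIONS = {90: "Schneider UMAS (FC 0x5A)"}

# Assumed inventory (constructed addresses). ICS networks are static enough
# that any host outside this list speaking Modbus is itself worth an alert.
KNOWN_CLIENTS = {"10.10.1.20", "10.10.1.5"}  # HMI and engineering workstation
ENGINEERING_HOSTS = {"10.10.1.5"}           # the only host allowed to write

Packet = namedtuple("Packet", "src dst dport payload")
Alert = namedtuple("Alert", "src dst function reason")


def modbus_function(payload):
    """Return the function code if payload looks like a Modbus/TCP frame, else None."""
    if len(payload) < MBAP.size + 1:
        return None
    _, proto, length, _ = MBAP.unpack_from(payload, 0)
    # length counts unit id + PDU, i.e. everything after the first 6 bytes
    if proto != 0 or length != len(payload) - 6:
        return None
    return payload[MBAP.size]


def inspect(packets, known_clients=KNOWN_CLIENTS, engineering=ENGINEERING_HOSTS):
    """Run the allow-list rules over captured packets and return the alerts."""
    alerts = []
    for p in packets:
        if p.dport != MODBUS_PORT:
            continue
        fc = modbus_function(p.payload)
        if fc is None:
            continue
        if p.src not in known_clients:
            alerts.append(Alert(p.src, p.dst, fc, "unknown Modbus client"))
        if fc in WRITE_FUNCTIONS and p.src not in engineering:
            alerts.append(Alert(p.src, p.dst, fc, "unauthorised " + WRITE_FUNCTIONS[fc]))
        if fc in VENDOR_FUNCTIONS and p.src not in engineering:
            alerts.append(Alert(p.src, p.dst, fc, "unauthorised " + VENDOR_FUNCTIONS[fc]))
    return alerts


def modbus_frame(tid, unit, pdu):
    """Build a Modbus/TCP frame for the constructed sample traffic."""
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


# Constructed traffic: the HMI polling, the engineering station writing a
# setpoint, then a host on the corporate range (a pivot) writing a register
# and sending a UMAS frame, plus one non-Modbus packet that must be ignored.
SAMPLE_PACKETS = [
    Packet("10.10.1.20", "10.10.2.10", 502, modbus_frame(1, 1, bytes.fromhex("03 0000 0003"))),
    Packet("10.10.1.5", "10.10.2.10", 502, modbus_frame(2, 1, bytes.fromhex("06 0002 01F4"))),
    Packet("10.10.1.77", "10.10.2.10", 502, modbus_frame(3, 1, bytes.fromhex("06 0002 0000"))),
    # Bytes after function code 90 are a placeholder; the rule keys on the FC only.
    Packet("10.10.1.77", "10.10.2.11", 502, modbus_frame(4, 1, bytes([90]) + b"\x00" * 3)),
    Packet("10.10.1.77", "10.10.2.10", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_PACKETS):
        print(alert)
```

The read from the HMI and the write from the engineering station produce nothing; the pivot host produces four alerts (unknown client twice, one unauthorised write, one unauthorised UMAS frame). The same rules are easy to express in Snort/Suricata with the Modbus preprocessor, but the point is that they only work if the inventory and the "who may write" list exist, which is the organisational part of slide 21.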
  31. So you want to learn ICS security? ICS security resources
  32. Connect! • SCADASEC email list at Infracritical • ICS security conferences • Digital Bond's S4 • SANS ICS Summit • 4SICS • EnergySec • Oil and Gas Security Summit
  33. Information sharing • National Council of ISACs • Downstream Natural Gas (www.dngisac.com) • Electricity (www.esisac.com) • Oil & Natural Gas (www.ongisac.com) • Water (www.waterisac.com)
  34. Books • Robust Control System Networks, Ralph Langner • Industrial Network Security, 2nd Edition, Knapp & Langill • Cybersecurity for Industrial Control Systems, Macaulay & Singer • Countdown to Zero Day, Kim Zetter • Handbook of SCADA/Control Systems, 2nd Ed., Radvanovsky & Brodsky • Hacking Exposed Industrial Control Systems, Bodungen et al.
  36. Training • ICS-CERT: free online training and resources, and a free 5-day Red vs Blue ICS exercise • ICS vendor training • SANS ICS410 and ICS515 • Red Tiger Security, Lofty Perch, SCADAhacker
  37. Intelligence sources • ICS-CERT portal • ISAC portals • FBI InfraGard • Twitter #ICS #SCADA • Google • Shodan.io
  38. This slide deck is generously borrowed from the following talks: Pentesting ICS 101 (DEF CON 24 workshop), https://www.defcon.org/html/defcon-24/dc-24-workshops.html#Soullie • How to get into ICS security, RSA Conference 2016 • What the hell is ICS security, BSides Tampa 2016
  39. Thank you. Sandeep Singh, @sandy1sm. Email: sandeep.singh@owasp.org, san@null.co.in
