
BSidesAugusta ICS SCADA Defense


Your SCADA system has a vulnerability, now what? I briefly summarize the DNP3 vulnerabilities (and those in other ICS protocols too). Then I focus on the different mitigations an ICS owner can apply to these types of protocol implementation vulnerabilities even when there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.


  1. Chris Sistrunk, PE, Sr. Consultant, Mandiant
  2. @chrissistrunk
     • Electrical Engineer
     • Mandiant, Entergy (11 years)
     • SCADA Expert
     • Loves Security
     • DNP3 User Group
     • Button Pusher but I like Blue
  3. http://securityreactions.tumblr.com/post/30866100673/how-i-audit-scada-systems
  4. What happens when you use nmap (or a fuzzer) on an ICS?
  5. • Latin for “bulwark”
     • @jadamcrain and I started in April 2013
     • 26 advisories / 32 tickets
     • 24 DNP3, 1 Modbus, 1 Telegyr 8979
     • Aegis ICS Fuzzing Framework - OSS
     www.automatak.com/robus
     www.automatak.com/aegis
  6. DNP3 ports (ref. IEEE Std 1815-2012):
     • TCP 20000
     • TCP 19999 (TLS)
     • UDP 20000
  7. • ICS/SCADA lags IT by 10-15 years
     • 735 SCADA-related vulns on OSVDB.org since 2011. “Like kicking a puppy”
     • Positive vs. Negative Testing: The front yard is mowed, but the back yard is overgrown.
  8. Let’s take a step back and ask some questions:
     • What’s the risk if this device is compromised?
       ◦ Probability * Impact = Risk
       ◦ Check out my RTU risk score pres from S4x13
     • What is the ICS device talking to?
     • Does it use serial or IP protocols…or both?
     • How do we defend unsecured protocols?
     • Is the physical security sufficient?
     • Will you be called at 2AM?
  9. The answers to the questions tell you that you have to do something to protect the device(s)
     • What types of mitigations exist?
     • Which ones will you use?
       ◦ Defense in depth – more than one!
       ◦ Belt and suspenders!
     • When will they be deployed?
       ◦ The sooner the better!
  10. • Software/firmware patches/device upgrades
      • Robust RTU/PLC and master configurations
      • Robust IP network configurations
      • ICS Protocol-aware network tools
      • Proper physical security
      • Employee awareness
      • Secure coding and SDL for Vendors
  11. NERC/CIP? CFATS? ????
  12. • If there is a software or firmware patch or hardware upgrade out there that fixes a known vulnerability (such as DNP3, modbus)…GO GET IT
      • Properly test it before you roll it out
      • If you’re not used to patching your SCADA system, please work with your vendors to do this to minimize downtime
  13. • USE DNP3-SA! (application layer security)
        ◦ Correct master only talks to the correct RTU
        ◦ But it won’t protect against all “bugs”
      • Disable unused serial and network ports
      • Use a possible workaround (ex: auto restart)
      • Check the default settings
        ◦ DNP3 or other protocols may be factory configured
        ◦ If not used, disable them!
        ◦ ICS devices are on SHODAN; many appear to have the same configurations
  14. • What does SCADA stand for?
        ◦ Supervisory Control and Data Acquisition
      • What is the standard TCP port for modbus?
        ◦ 502
      • What are the 2 start bytes for DNP3?
        ◦ 0x0564
      • What year was STUXNET discovered?
        ◦ 2010
      • What ICS protocol did HAVEX malware use?
        ◦ OPC
  15. • When possible, DISABLE functions that aren’t required in your production systems
      • DNP3 function code examples
        ◦ Cold and/or Warm Restarts (FC 13 & 14)
        ◦ Start/Stop Application (FC 17 & 18)
        ◦ Save Configuration (FC 19, old) / Activate Configuration (FC 31, new)
        ◦ Open, Close, Delete, Abort File (FC 25, 26, 27, 30)
      • If you can’t disable these, use IDS/IPS or DPI Firewalls to alert on unwanted SCADA traffic
  16. • Segment your ICS/SCADA WAN
        ◦ Routers, Firewalls, DMZs, & VLANs
        ◦ This can help isolate the network when needed
      • Understand your network!
        ◦ The bad guys sure will
      • Use encryption and authentication
        ◦ Use DNP3-SA and TLS
        ◦ Remote access VPNs, radios, etc
        ◦ Look at IEC 62351 standard (dovetails with SA)
      • No ICS protocols on Corporate WAN
  17. Examples of SCADA tools and enterprise network tools that understand ICS
      • Protocol analyzers such as Wireshark, ASE & TMW RTU Test Sets
      • IDS/IPS such as SNORT, Bro, CyberX SilentDefense ICS, McAfee ADM, Bayshore Networks, and Checkpoint
      • Routers such as the Cisco CGR 2010
      • Field firewall w/ICS Deep Packet Inspection
        ◦ Secure Crossing and Tofino
  18. • Newer enterprise security technologies can be used to help detect, respond, and contain threats on your SCADA network
      • Security Operations Center
        ◦ Security Analyst(s) using a SIEM
        ◦ Log aggregation
        ◦ Anomaly and intrusion detection
        ◦ Indicators of Compromise (IOCs)
      • Security Onion (Linux distro)
        www.securityonion.net
  19. We in SCADA Security are in
  20. 1986
  21. [Diagram: “Is this happening in your ICS???”; a network drawing after the inside cover of The Cuckoo’s Egg, with nodes labelled Internet, Corp, DMZ, SCADAnet, Your Company, Cust 1, Cust 2, Plant 1, Plant 2, HMI, Hist, RTU, Pump]
  22. • http://www.liquidmatrix.org/blog/2014/07/01/is-there-a-cuckoo-in-your-control-system/
      • tl;dr
        ◦ ≥1 person who really cares!
        ◦ Security Onion (or other NSM)
        ◦ ICS Honeypot (Conpot, etc)
        ◦ Full Packet Capture (even serial)
  23. So, Chris, why haven’t we seen many ICS incidents? You can’t see where you aren’t looking!
  24. Put. NSM. In. Your. ICS/SCADA. NOW
  25. • What is the proper amount of physical security? It depends…
      • If your Critical SCADA master has top physical security, but the serially-connected tiny distribution RTU does not, is that okay?
      • Use a lock that meets or exceeds: UL 437, ANSI 156.30 Grade A, or ASTM F883 Grade 6
      • Harden your external barriers
      • The better the defenses, the more time it buys you to respond
  26. [Photos: 3/8” mesh; ASTM Grade 6] These may buy you extra time to respond
  27. “Thieves hit our store last night. This is how they circumvented the door alarm…” via http://redd.it/1pn1xi
  28. • Train your folks on ICS/SCADA security
        ◦ Security Conferences, several training classes available
        ◦ http://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
        ◦ GICSP Certification
      • Security awareness is important
      • Have a questioning attitude
      • Report suspicious computer or personal activity/incidents
        ◦ Who do you call?
        ◦ Internal hotline, supervisor, SOC, etc
        ◦ ICS-CERT (877-776-7585)
  29. • Ask your vendors for DNP3-SA if they don’t have it or are already working on it
      • Require in the bids for new SCADA systems or upgrades to be tested by a 3rd party, including the DNP3 protocol stack
        ◦ Positive Tests: FAT/SAT
        ◦ Negative Tests: Fuzzing (it’s not new folks!)
  30. • DNP3 isn’t a special case. Other ICS protocols will see the same fate: Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP…
      • You can defend your SCADA.
      • Early testing of both slave/server AND master/client sides of the protocol is important!
      • Compliance != Security, but the culture is important.
      • Don’t count on the government to protect your critical systems…it’s your job.
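The detection idea from slides 13 and 15 (the correct master is the only thing that should talk to an RTU, and restart/application/file/configuration function codes that could not be disabled should at least raise an alert), written out as an added example. This is not code from the talk or from any project or product it names. It assumes plain DNP3 over TCP with no DNP3-SA, follows the link-layer framing in IEEE Std 1815-2012 (start octets 0x0564, a CRC over the 8-octet header, then 16-octet data blocks each followed by a CRC-16/DNP), and the sample frames, the addresses 1/10/99 and the allowed-master set are constructed for the example.

```python
# Added example (not from the talk): a small DNP3 link-frame parser and an
# alerting policy that flags (a) requests from any address other than the
# configured master and (b) the function codes slide 15 suggests disabling.
# Assumes plain DNP3/TCP (no DNP3-SA); framing follows IEEE Std 1815-2012.

DNP3_START = b"\x05\x64"          # the two start octets from the slide-14 quiz

# Function codes named on slide 15 as candidates for disabling
# (IEEE Std 1815-2012 numbering).
WATCHED_FUNCTION_CODES = {
    13: "COLD_RESTART",
    14: "WARM_RESTART",
    17: "START_APPLICATION",
    18: "STOP_APPLICATION",
    19: "SAVE_CONFIGURATION",
    25: "OPEN_FILE",
    26: "CLOSE_FILE",
    27: "DELETE_FILE",
    30: "ABORT_FILE",
    31: "ACTIVATE_CONFIGURATION",
}


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def _with_crc(block: bytes) -> bytes:
    """Append the block's CRC, least-significant octet first, as DNP3 transmits it."""
    return block + dnp3_crc(block).to_bytes(2, "little")


def build_request(src: int, dst: int, function_code: int, seq: int = 0) -> bytes:
    """Constructed test vector: one-fragment request with no object headers.
    Link control 0xC4 = DIR (from master) | PRM | UNCONFIRMED_USER_DATA."""
    user_data = bytes([
        0xC0 | (seq & 0x3F),   # transport header: FIR | FIN | sequence
        0xC0 | (seq & 0x0F),   # application control: FIR | FIN | sequence
        function_code,
    ])
    header = (DNP3_START + bytes([5 + len(user_data), 0xC4])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = _with_crc(header)
    for i in range(0, len(user_data), 16):          # 16-octet blocks, each with CRC
        frame += _with_crc(user_data[i:i + 16])
    return frame


def parse_frame(frame: bytes) -> dict:
    """Validate start octets and every CRC, then pull out addresses and function code."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 link frame")
    if dnp3_crc(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("link header CRC mismatch")
    user_len = frame[2] - 5                         # LEN counts CTRL+DST+SRC+user data
    user_data, pos = bytearray(), 10
    while len(user_data) < user_len:
        n = min(16, user_len - len(user_data))
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) < n or dnp3_crc(block) != int.from_bytes(crc, "little"):
            raise ValueError("data block CRC mismatch or truncated frame")
        user_data += block
        pos += n + 2
    if len(user_data) < 3:
        raise ValueError("no application header in frame")
    return {
        "src": int.from_bytes(frame[6:8], "little"),
        "dst": int.from_bytes(frame[4:6], "little"),
        "fc": user_data[2],                          # transport(1) + app control(1) + FC
    }


def frame_is_valid(frame: bytes) -> bool:
    """True when the frame parses and every CRC checks. A False on a production
    link is itself worth logging: malformed frames are what fuzzing looks like."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def inspect_frame(frame: bytes, allowed_masters: set) -> list:
    """Return human-readable alerts for one frame; an empty list means nothing to flag."""
    f = parse_frame(frame)
    alerts = []
    if f["src"] not in allowed_masters:
        alerts.append(f"unexpected source address {f['src']} talking to outstation {f['dst']}")
    name = WATCHED_FUNCTION_CODES.get(f["fc"])
    if name is not None:
        alerts.append(f"{name} (FC {f['fc']}) from {f['src']} to outstation {f['dst']}")
    return alerts


def inspect_capture(frames, allowed_masters: set) -> list:
    return [a for frame in frames for a in inspect_frame(frame, allowed_masters)]


# Constructed capture: addresses 1 (configured master), 10 (outstation) and 99
# (unknown talker) are made up for this example.
SAMPLE_FRAMES = [
    build_request(src=1, dst=10, function_code=1, seq=1),    # routine READ
    build_request(src=1, dst=10, function_code=13, seq=2),   # COLD_RESTART from the master
    build_request(src=99, dst=10, function_code=1, seq=3),   # READ from an unknown address
]

if __name__ == "__main__":
    for alert in inspect_capture(SAMPLE_FRAMES, allowed_masters={1}):
        print("ALERT:", alert)
```

Run stand-alone it prints two alerts: the cold restart (a watched function code even though it came from the real master) and the read from address 99 (a source that is not the configured master). In a real deployment the same two checks would sit behind a TCP reassembler on port 20000 and feed a SIEM or the Security Onion sensor from slide 18; the parser rejects any frame whose CRCs do not check, so fuzzed or corrupted traffic surfaces as a parse error rather than being silently passed through.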
