Authentication Issues between entities during protocol message exchange in SCADA Systems
Manuel Humberto Santander Peláez
msantand@isc.sans.org
Agenda


•   Introduction
•   SCADA protocols
•   Authentication Risks
•   Remediation
SCADA


• Supervisory Control and Data
  Acquisition
• Platform used to monitor and control all
  the variables of a real-time process
• Several variables to monitor
  – Pressure inside a water tube used for
    distribution
  – Flow speed of oil
  – Amount of electric charge passing inside an
    electricity transmission line
Components of SCADA platform
Components of SCADA platform (2)


• Remote Terminal Unit (RTU):
  – A communication device within the SCADA system, located at the remote substation.
  – The RTU gathers data from the field devices and holds it in memory until the MTU requests that information. It also processes orders from the SCADA system, such as switching off a transmission line.
  – It processes the commands ordered by the HMI to the field devices.
Components of SCADA platform (3)


• Data Acquisition System (DAS):
  – Gathers information from the MTU
  – Generates and stores alerts that need attention from the operator because they can have an impact on the system
• Master Terminal Unit (MTU):
  – The MTU is defined as the heart of a SCADA system and is located at the main monitoring center.
Components of SCADA platform (4)


• Master Terminal Unit (MTU):
  – The MTU initiates communication with the remote units and interfaces with the DAS and the HMI.
• Human Machine Interface (HMI):
  – Interface where the operator logs on to monitor the variables of the system.
  – Gathers information from the DAS
  – Sends commands to the MTU and waits for the response
Electrical process


• Three big steps
  – Generation
  – Transmission
  – Distribution
• Energy is generated using any of the following methods
  – Thermoelectric plants
  – Nuclear plants
  – Hydroelectric plants
Electrical process (2)


• The SCADA platform is vital to perform the following while generation takes place:
  – Ensure turbines are not running at more revolutions than supported
  – Ensure generators are not working overloaded
  – Ensure the energy being generated matches the amount of energy that the transmission line can handle
Electrical process (3)


• Transmission
  – Energy being generated needs to be distributed to reach the final users
  – 115 kV is the voltage used to transmit over the wire lines
  – The final destinations are the substations, each of which handles the energy of a specific number of installations
  – A large number of blocks in a city
Electrical process (4)


• The SCADA platform is vital to perform the following while transmission takes place:
  – Monitoring of voltage in transmission lines, looking for an excessively high amount of electricity flowing
  – None of them may become overloaded: the protections would trip and a blackout would appear in all the installations controlled by the affected substations
Electrical process (5)


• Distribution
  – Energy being generated needs to be distributed to reach the final users
  – 115 kV is the voltage used to transmit over the wire lines
  – The final destinations are the substations, each of which handles the energy of a specific number of installations
  – A large number of blocks in a city
Electrical process (6)


• The SCADA platform is vital to perform the following while distribution takes place:
  – Monitoring of voltage in transmission lines, looking for an excessively high amount of electricity flowing
  – Monitoring of voltage in user meters, looking for an excessively high amount of electricity flowing
Agenda


•   Introduction
•   SCADA Protocols
•   Authentication Risks
•   Remediation
SCADA Protocols


• Modbus
• IEC 104
• DNP3
Modbus




Source: Practical Industrial Data Communications
Modbus (2)


• Client/server protocol which operates in a
  request/response mode
• Three variants:
  – Modbus serial RS-232/RS-485: Implemented on
    serial networks
  – Modbus TCP: Used for SCADA platforms where
    delay is not an issue (Water supply)
  – Modbus UDP: Used for SCADA platforms where
    delay is a big issue (Energy)
Modbus (3)




Source: Practical Industrial Data Communications
Modbus (4)


• Modbus protocol structure


  – Address field:
     • Request frames: Address of the device targeted by the request
     • Response frames: Address of the device responding to the request
Modbus (5)


• Modbus protocol structure


  – Function field
     • Function requested by the HMI to be performed by the field devices
     • In response packets, when the requested function succeeded, the field device echoes the function code. If an exception occurred, the most significant bit of the field is set to 1
Modbus (6)


Type of access                                          Function Name                     Function Code
Data Access
  Bit access          Physical Discrete Inputs          Read Discrete Inputs              2
                      Internal Bits or Physical Coils   Read Coils                        1
                                                        Write Single Coil                 5
                                                        Write Multiple Coils              15
  16-bit access       Physical Input Registers          Read Input Register               4
                      Internal Registers or             Read Holding Registers            3
                      Physical Output Registers         Write Single Register             6
                                                        Write Multiple Registers          16
                                                        Read/Write Multiple Registers     23
                                                        Mask Write Register               22
                                                        Read FIFO Queue                   24
  File Record Access                                    Read File Record                  20
                                                        Write File Record                 21
Modbus (7)


Type of access        Function Name                      Function Code
Diagnostics           Read Exception Status              7
                      Diagnostic                         8
                      Get Com Event Counter              11
                      Get Com Event Log                  12
                      Report Slave ID                    17
                      Read Device Identification         43
Other                 Encapsulated Interface Transport   43
Modbus (8)


• Modbus protocol structure


  – Data field
     • In request packets, contains the information required to perform the specific function
     • In response packets, contains the information requested by the HMI
Modbus (9)


• Modbus protocol structure


  – Error check field
     • CRC-16 over the message frame
     • If the packet has errors, the field device does not process it
     • The master then assumes a timeout and resends the packet to attempt the function execution again
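The Modbus frame layout described on the preceding slides (address, function, data and CRC-16 fields, with the exception bit in the function code), worked through as an added Python example that is not code from the original deck. The frame values are constructed; the CRC is the standard Modbus CRC-16 (reflected polynomial 0xA001, initial value 0xFFFF), transmitted low byte first.

```python
"""Modbus RTU frame handling: address, function, data and CRC-16 fields.

Added example, not code from the original slides. Builds request frames,
verifies the CRC-16 on received frames and recognises exception responses
(function code with the most significant bit set).
"""
import struct


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(address: int, function: int, data: bytes) -> bytes:
    """Address + function + data, followed by the CRC-16 (low byte first on the wire)."""
    body = bytes([address, function]) + data
    return body + struct.pack("<H", modbus_crc16(body))


def build_read_holding_registers(address: int, start: int, count: int) -> bytes:
    """Function code 3 from the slide table: 16-bit access, read holding registers."""
    return build_frame(address, 3, struct.pack(">HH", start, count))


def build_write_single_register(address: int, register: int, value: int) -> bytes:
    """Function code 6 from the slide table: write a single holding register."""
    return build_frame(address, 6, struct.pack(">HH", register, value))


def parse_frame(frame: bytes) -> dict:
    """Split a received frame into its fields and validate the CRC.

    Returns a dict with 'ok' False when the CRC does not match. As the slides
    describe, a field device silently drops such a frame and the master
    retries after a timeout.
    """
    if len(frame) < 4:
        return {"ok": False, "reason": "frame too short"}
    body, (crc_rx,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if modbus_crc16(body) != crc_rx:
        return {"ok": False, "reason": "crc mismatch"}
    function = body[1]
    exception = bool(function & 0x80)      # MSB set: the device reports an exception
    result = {
        "ok": True,
        "address": body[0],
        "function": function & 0x7F,        # function code without the exception bit
        "exception": exception,
        "data": body[2:],
    }
    if exception:
        # In an exception response the single data byte is the exception code.
        result["exception_code"] = body[2] if len(body) > 2 else None
    return result


if __name__ == "__main__":
    # Constructed sample: read 10 holding registers from device 1.
    request = build_read_holding_registers(1, 0, 10)
    print("request:", request.hex())
    print("parsed:", parse_frame(request))
    print("exception:", parse_frame(build_frame(1, 0x83, b"\x02")))
```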
IEC 104


• Standard for power system monitoring,
  control and communications for telecontrol
  and teleprotection for electric power systems
• Completely compatible with:
  – IEC 60870-5-1: Transmission frame formats for
    standard 60870-5
  – IEC 60870-5-5: Basic application functions
IEC 104 (2)


• It has the following features:
  – Supports master-initiated messages and master/slave-initiated messages
  – Facility for time synchronization
  – Possibility of classifying the data being transmitted into 16 different groups, so the data can be retrieved according to its group
  – Cyclic and spontaneous data updating schemes are provided.
IEC 104 (3)




Source: Practical Industrial Data Communications
IEC 104 (4)




Source: Practical Industrial Data Communications
IEC 104 (5)




Source: Practical Industrial Data Communications
IEC 104 (6)


• Link level

  Link service class   Function            Explanation
  S1                   SEND / NO REPLY     Transmit message. No ACK or answer required
  S2                   SEND / CONFIRM      Transmit message. ACK required
  S3                   REQUEST / RESPOND   Transmit message. ACK and answer required
IEC 104 (7)




Source: Practical Industrial Data Communications
IEC 104 (8)


• Control field for unbalanced transmissions


Source: Practical Industrial Data Communications
IEC 104 (9)


• Control field for balanced transmissions


Source: Practical Industrial Data Communications
DNP3


• Set of communication protocols used between the components of a SCADA system
• Used for communications between the RTU and the IEDs (field devices)
• Implements the communication levels established by the Enhanced Performance Architecture (EPA)
DNP3 (2)


• Enhanced Performance Architecture (EPA)


Source: Practical Industrial Data Communications
DNP3 (3)


• Message exchange




Source: Practical Industrial Data Communications
DNP3 (4)


• Frame format




Source: Practical Industrial Data Communications
DNP3 (5)


• Control Byte




Source: Practical Industrial Data Communications
Agenda


•   Introduction
•   SCADA Protocols
•   Authentication Risks
•   Remediation
Network technologies in SCADA Systems


• Many SCADA networks still use an RS232/RS485 bus to communicate between all components
  – But, because of the need to access data quickly, we also have serial-to-IP gateways to reach serial RTUs and IEDs
  – Lots of hybrid SCADA networks have both serial and IP components
  – Vulnerable to outsiders on the corporate network
Lack of authentication in application
protocol

• The SCADA protocols do not perform bi-directional authentication to ensure that all parties are trusted
  – Only commands are sent
  – Data is sent to the IP address configured as master
  – All the IP spoofing vulnerabilities work on any MTU or field device
  – Any command can be sent
Lack of confidentiality in application
protocol

• The SCADA protocols do not perform any encryption to protect the information
  – Modbus, IEC 101/104 and DNP3 transmissions can be read by any attacker
  – Man-in-the-middle attacks can be performed on the network
  – MTU traffic can be intercepted and then redirected to any IED with any desired change
  – No way to know if traffic is trusted
What could be done?


• Let's see how a master station puts the current timestamp on an IED
• Let's see how the attacker changes it
• Can issue write commands and read commands
• DEMO TIME!
Agenda


•   Introduction
•   SCADA Protocols
•   Authentication Risks
•   Remediation
What you cannot do with SCADA


• Protocol delay is usually a BIG issue in SCADA
  – Water supply and oil SCADA tolerate big delays because they have no consequences for the process
  – Power SCADA is critical. A delay higher than 5 milliseconds could end in a massive blackout because of a failure to open a breaker in a substation
  – Be careful about what you do to protect your SCADA
SCADA Network Design
Monitor your network


• A SCADA traffic baseline is mandatory
  – You need to know which applications are transiting your network
  – Inside the SCADA protocols you monitor the applications that give you information on the industrial process being controlled
  – Unauthorized applications could indicate a breach trying to perform operations or gather information on the IEDs
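Because the protocols carry no authentication (slide "Lack of authentication in application protocol"), a field device executes any well-formed command that reaches it, so the checks a traffic baseline can still apply are network-side: whether a write comes from the address configured as master, whether the function code is one from the slide tables, and whether the (source, destination, function) combination was seen during a learning window. The following is an added Python example, not code from the original deck; the addresses, the master/RTU roles and the Modbus/TCP frames are constructed samples.

```python
"""Passive Modbus/TCP monitor for a SCADA network segment.

Added example, not code from the original slides. Parses the MBAP header and
PDU of each request, then raises alerts for writes from a non-master address,
function codes outside the known set, and traffic outside the learned baseline.
All addresses and frames are constructed samples.
"""
import struct

# Function codes from the slide tables, grouped by their effect on the process.
READ_FUNCTIONS = {1, 2, 3, 4, 7, 8, 11, 12, 17, 20, 24, 43}
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}
KNOWN_FUNCTIONS = READ_FUNCTIONS | WRITE_FUNCTIONS

MASTER_IP = "10.0.0.10"   # constructed: the address configured as the MTU
RTU_IP = "10.0.0.21"      # constructed: a serial-to-IP gateway in front of an RTU


def mbtcp_request(trans_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request: MBAP (transaction, protocol 0, length, unit) + PDU."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", trans_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(payload: bytes) -> dict:
    """Split the MBAP header and PDU; raise ValueError on anything malformed."""
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    if length != len(payload) - 6:
        raise ValueError("MBAP length %d does not match payload" % length)
    return {
        "transaction": trans_id,
        "unit": unit_id,
        "function": payload[7] & 0x7F,          # strip the exception bit
        "exception": bool(payload[7] & 0x80),
        "data": payload[8:],
    }


def learn_baseline(records) -> set:
    """Baseline = set of (src, dst, function) triples seen during a clean learning window."""
    return {(src, dst, parse_modbus_tcp(payload)["function"]) for src, dst, payload in records}


def check_frame(src_ip: str, dst_ip: str, payload: bytes, baseline: set) -> list:
    """Return the alerts raised by one request frame (empty when it looks normal)."""
    try:
        pdu = parse_modbus_tcp(payload)
    except ValueError as exc:
        return ["malformed frame from %s: %s" % (src_ip, exc)]
    fc = pdu["function"]
    alerts = []
    if fc in WRITE_FUNCTIONS and src_ip != MASTER_IP:
        alerts.append("write function %d to %s from non-master %s" % (fc, dst_ip, src_ip))
    if fc not in KNOWN_FUNCTIONS:
        alerts.append("function code %d not in the known set, from %s" % (fc, src_ip))
    if (src_ip, dst_ip, fc) not in baseline:
        alerts.append("outside baseline: %s -> %s function %d" % (src_ip, dst_ip, fc))
    return alerts


def run_sample() -> list:
    """Constructed traffic: a learning window, then four observed frames."""
    learning = [
        (MASTER_IP, RTU_IP, mbtcp_request(1, 1, 3, struct.pack(">HH", 0, 10))),  # read 10 holding regs
        (MASTER_IP, RTU_IP, mbtcp_request(2, 1, 6, struct.pack(">HH", 40, 1))),  # write single register
    ]
    baseline = learn_baseline(learning)
    observed = [
        (MASTER_IP, RTU_IP, mbtcp_request(3, 1, 3, struct.pack(">HH", 0, 10))),
        ("10.0.0.55", RTU_IP, mbtcp_request(4, 1, 6, struct.pack(">HH", 40, 0))),  # write from another host
        (MASTER_IP, RTU_IP, mbtcp_request(5, 1, 4, struct.pack(">HH", 0, 2))),     # read never seen before
        (MASTER_IP, RTU_IP, b"\x00\x06\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),  # protocol id 1
    ]
    return [check_frame(src, dst, payload, baseline) for src, dst, payload in observed]


if __name__ == "__main__":
    for number, alerts in enumerate(run_sample(), 1):
        print("frame %d: %s" % (number, alerts or "ok"))
```

The baseline here is a plain set of triples; on a real segment it would be built from a capture taken while the process is known to be in a normal state.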
Monitor your network (2)


• Use a Network Intrusion Prevention System
  – You definitely can use a conventional IPS if it is fast enough to avoid delays in your network
  – Not all of them support SCADA protocols
  – If you have Snort, you can write rules for Modbus and DNP3. Otherwise, you need to write your own rules
  – The Industrial Defender solution works pretty well as it includes lots of SCADA signatures
Control unauthorized changes to Master
Terminal Unit

• SCADA platforms are designed to last from 10 to 20 years
  – Too many technology changes happen in that time
  – Lots of security issues to deal with
  – Need a solution to prevent any changes inside the computers, as intrusions make changes to the filesystem, configurations and system processes
Control unauthorized changes to Master
Terminal Unit (3)

• Control any changes inside your SCADA servers
  – McAfee Integrity Control works pretty well
  – Defines what can be changed and by whom
  – Lots of custom logs to choose from
  – Can send events to any SIEM configured in the network
Monitor attacks to Master Unit


• A host IPS is definitely needed, as any attack could change the integrity and stability of a process
• Availability is critical to a SCADA system and cannot be altered
• Conventional host IPS makes extensive use of the CPU and can affect performance inside SCADA
Monitor attacks to Master Unit (2)


• Industrial Defender Host IPS works pretty well
• Works seamlessly with the Siemens Spectrum platform
• Does not load the machine or need extensive bandwidth to perform its checks
• Central console to perform operations inside the platform
Questions? Comments?




Manuel Humberto Santander Peláez
http://manuel.santander.name
http://twitter.com/manuelsantander
msantand@isc.sans.org / manuel@santander.name

More Related Content

What's hot

DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageChris Sistrunk
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation  Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation Sergey Gordeychik
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA PresentationEric Favetta
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsMarina Krotofil
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...Marina Krotofil
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration TestingAhmed Sherif
 

What's hot (20)

DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation  Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA Presentation
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA Security
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
10 Reasons to Use Functional Safety Solution Kits
10 Reasons to Use Functional Safety Solution Kits10 Reasons to Use Functional Safety Solution Kits
10 Reasons to Use Functional Safety Solution Kits
 
S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsics
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration Testing
 
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2
 

Similar to Authentication Issues between entities during protocol message exchange in SCADA Systems

Eucnc rina-tutorial
Eucnc rina-tutorialEucnc rina-tutorial
Eucnc rina-tutorialICT PRISTINE
 
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation PlantsAvoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation PlantsManuel Santander
 
Chapter-05-IO (2).ppt
Chapter-05-IO (2).pptChapter-05-IO (2).ppt
Chapter-05-IO (2).pptMyName1sJeff
 
Microchip's PIC Micro Controller
Microchip's PIC Micro ControllerMicrochip's PIC Micro Controller
Microchip's PIC Micro ControllerMidhu S V Unnithan
 
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)Ming-Hung Hseih
 
Message Signaled Interrupts
Message Signaled InterruptsMessage Signaled Interrupts
Message Signaled InterruptsAnshuman Biswal
 
ARM Cortex-M3 Training
ARM Cortex-M3 TrainingARM Cortex-M3 Training
ARM Cortex-M3 TrainingRaghav Nayak
 
IDS_WK_Arsalan.pptx
IDS_WK_Arsalan.pptxIDS_WK_Arsalan.pptx
IDS_WK_Arsalan.pptxaskaripayalo
 
Ppt on six month training on embedded system & IOT
Ppt on six month training on embedded system & IOTPpt on six month training on embedded system & IOT
Ppt on six month training on embedded system & IOTpreetigill309
 
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7Eleni Trouva
 

Similar to Authentication Issues between entities during protocol message exchange in SCADA Systems (20)

Mina2
Mina2Mina2
Mina2
 
Memory, IPC and L4Re
Memory, IPC and L4ReMemory, IPC and L4Re
Memory, IPC and L4Re
 
Eucnc rina-tutorial
Eucnc rina-tutorialEucnc rina-tutorial
Eucnc rina-tutorial
 
Lect02
Lect02Lect02
Lect02
 
Modbus.ppt
Modbus.pptModbus.ppt
Modbus.ppt
 
modbus.ppt
modbus.pptmodbus.ppt
modbus.ppt
 
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation PlantsAvoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
 
rdma-intro-module.ppt
rdma-intro-module.pptrdma-intro-module.ppt
rdma-intro-module.ppt
 
Presentation on risc pipeline
Presentation on risc pipelinePresentation on risc pipeline
Presentation on risc pipeline
 
Chapter-05-IO (2).ppt
Chapter-05-IO (2).pptChapter-05-IO (2).ppt
Chapter-05-IO (2).ppt
 
Microchip's PIC Micro Controller
Microchip's PIC Micro ControllerMicrochip's PIC Micro Controller
Microchip's PIC Micro Controller
 
Tos tutorial
Tos tutorialTos tutorial
Tos tutorial
 
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
 
Message Signaled Interrupts
Message Signaled InterruptsMessage Signaled Interrupts
Message Signaled Interrupts
 
ARM Cortex-M3 Training
ARM Cortex-M3 TrainingARM Cortex-M3 Training
ARM Cortex-M3 Training
 
IDS_WK_Arsalan.pptx
IDS_WK_Arsalan.pptxIDS_WK_Arsalan.pptx
IDS_WK_Arsalan.pptx
 
infiniband.pdf
infiniband.pdfinfiniband.pdf
infiniband.pdf
 
I/O System
I/O SystemI/O System
I/O System
 
Ppt on six month training on embedded system & IOT
Ppt on six month training on embedded system & IOTPpt on six month training on embedded system & IOT
Ppt on six month training on embedded system & IOT
 
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7
 

More from Manuel Santander

Ciberseguridad en tiempos de trabajo en casa
Ciberseguridad en tiempos de trabajo en casaCiberseguridad en tiempos de trabajo en casa
Ciberseguridad en tiempos de trabajo en casaManuel Santander
 
Respuesta a incidentes en sistemas de transmisión y distribución de energía
Respuesta a incidentes en sistemas de transmisión y distribución de energíaRespuesta a incidentes en sistemas de transmisión y distribución de energía
Respuesta a incidentes en sistemas de transmisión y distribución de energíaManuel Santander
 
Ciberterrorismo: La nueva realidad de la Seguridad de la Información
Ciberterrorismo: La nueva realidad de la Seguridad de la InformaciónCiberterrorismo: La nueva realidad de la Seguridad de la Información
Ciberterrorismo: La nueva realidad de la Seguridad de la InformaciónManuel Santander
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsManuel Santander
 
Monitoring Emerging Threats: SCADA Security
Monitoring Emerging Threats: SCADA SecurityMonitoring Emerging Threats: SCADA Security
Monitoring Emerging Threats: SCADA SecurityManuel Santander
 
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...Manuel Santander
 

More from Manuel Santander (6)

Ciberseguridad en tiempos de trabajo en casa
Ciberseguridad en tiempos de trabajo en casaCiberseguridad en tiempos de trabajo en casa
Ciberseguridad en tiempos de trabajo en casa
 
Respuesta a incidentes en sistemas de transmisión y distribución de energía
Respuesta a incidentes en sistemas de transmisión y distribución de energíaRespuesta a incidentes en sistemas de transmisión y distribución de energía
Respuesta a incidentes en sistemas de transmisión y distribución de energía
 
Ciberterrorismo: La nueva realidad de la Seguridad de la Información
Ciberterrorismo: La nueva realidad de la Seguridad de la InformaciónCiberterrorismo: La nueva realidad de la Seguridad de la Información
Ciberterrorismo: La nueva realidad de la Seguridad de la Información
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designs
 
Monitoring Emerging Threats: SCADA Security
Monitoring Emerging Threats: SCADA SecurityMonitoring Emerging Threats: SCADA Security
Monitoring Emerging Threats: SCADA Security
 
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...
 

Authentication Issues between entities during protocol message exchange in SCADA Systems

  • 1. Authentication Issues between entities during protocol message exchange in SCADA Systems Manuel Humberto Santander Peláez msantand@isc.sans.org
  • 2. Agenda • Introduction • SCADA protocols • Authentication Risks • Remediation
  • 3. SCADA • Supervisory Control and Data Acquisition • Platform used to monitor and control all the variables of a real-time process • Several variables to monitor – Pressure inside a water tube used for distribution – Flow speed of oil – Amount of electric charge passing inside an electricity transmission line
  • 5. Components of SCADA platform (2) • Remote Terminal Unit (RTU): – This is a communication device within the SCADA system and is located at the remote substation. – The RTU gathers data from field devices in memory until the MTU request that information. It also process orders from the SCADA like switch off a transmission line – It process the commands ordered by the HMI to the field devices
  • 6. Components of SCADA platform (3) • Data Acquisition System (DAS): – Gathers information from the MTU – Generates and store alerts that needs attention from the operator because it can cause impact on the system • Master Terminal Unit (MTU): – The MTU is defined as the heart of a SCADA system and is located at the main monitoring center.
  • 7. Components of SCADA platform (4) • Master Terminal Unit (MTU): – MTU initiates communication with remote units and interfaces with the DAS and the HMI. • Human Machine Interface (HMI): – Interface where the operator logs on to monitor the variables of the system. – Gathers information from the DAS – Sends commands to the MTU and wait for response
  • 8. Electrical process • Three big steps – Generation – Transmission – Distribution • Energy is created using any of the following methods – Thermoelectrical plans – Nuclear plants – Hydro electrical plants
  • 9. Electrical process (2) • SCADA platform is vital to perform the following when generation takes place: – Ensure turbines are not having revolutions more than supported – Generators are not working overloaded – Energy being generated matches the amount of energy that the transmission line can handle
  • 10. Electrical process (3) • Transmission – Energy being generated needs to be distributed to reach the final users – 115 KV is the power used to transmit in the wire lines – Final destination are the substations that handles energy of a specific amount of instalations – Large number of blocks in a city
Electrical process (4)

• The SCADA platform is vital to perform the following when transmission takes place:
  – Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
  – None of them can get overloaded, because protections get activated and a blackout appears in all the installations that are controlled by the affected substations
Electrical process (5)

• Distribution
  – Energy being generated needs to be distributed to reach the final users
  – 115 kV is the voltage used to transmit on the wire lines
  – Final destinations are the substations that handle the energy of a specific set of installations
  – Large number of blocks in a city
Electrical process (6)

• The SCADA platform is vital to perform the following when distribution takes place:
  – Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
  – Monitoring of voltage in user meters, looking for a high amount of electricity flowing
Agenda

• Introduction
• SCADA Protocols
• Authentication Risks
• Remediation
SCADA Protocols

• Modbus
• IEC 104
• DNP3
Modbus

Source: Practical Industrial Data Communications
Modbus (2)

• Client/server protocol which operates in a request/response mode
• Three variants:
  – Modbus serial RS-232/RS-485: implemented on serial networks
  – Modbus TCP: used for SCADA platforms where delay is not an issue (water supply)
  – Modbus UDP: used for SCADA platforms where delay is a big issue (energy)
Modbus (3)

Source: Practical Industrial Data Communications
Modbus (4)

• Modbus protocol structure
  – Address field:
    • Request frames: address of the device being targeted by the request
    • Response frames: address of the device responding to the request
Modbus (5)

• Modbus protocol structure
  – Function field
    • Function requested by the HMI to be performed by the field devices
    • In response packets, when the requested function succeeded, the field device echoes it. If some exception occurred, the most significant bit of the field is set to 1
Modbus (6)

Function codes: Data Access

  Type of access                                          Function Name                   Function Code
  Bit access     Physical Discrete Inputs                 Read Discrete Inputs             2
                 Internal Bits or Physical Coils          Read Coils                       1
                                                          Write Single Coil                5
                                                          Write Multiple Coils            15
  16-bit access  Physical Input Registers                 Read Input Register              4
                 Internal Registers or Physical Output    Read Holding Registers           3
                 Registers                                Write Single Register            6
                                                          Write Multiple Registers        16
                                                          Read/Write Multiple Registers   23
                                                          Mask Write Register             22
                                                          Read FIFO Queue                 24
  File Record Access                                      Read File Record                20
                                                          Write File Record               21
Modbus (7)

Function codes: Diagnostics and Other

  Type of access   Function Name                      Function Code
  Diagnostics      Read Exception Status               7
                   Diagnostic                          8
                   Get Com Event Counter              11
                   Get Com Event Log                  12
                   Report Slave ID                    17
                   Read Device Identification         43
  Other            Encapsulated Interface Transport   43
Modbus (8)

• Modbus protocol structure
  – Data field
    • In request packets, contains the information required to perform the specific function
    • In response packets, contains the information requested by the HMI
Modbus (9)

• Modbus protocol structure
  – Error check field
    • CRC-16 on the message frame
    • If the packet has errors, the field device does not process it
    • A timeout is assumed, so the master sends the packet again to attempt the function execution once more
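The following is an added example, not code from the presentation: a decoder for the Modbus RTU frame layout described on the preceding slides (address, function, data, CRC-16). It rejects frames whose CRC-16 does not match, exactly as a field device would, flags exception responses by the most significant bit of the function field, and classifies the function code using the table on the slides. The sample frames and the names crc16_modbus, build_rtu_frame and decode_rtu_frame are constructed for this example.

```python
"""Decoder for Modbus RTU frames: address, function, data, CRC-16.

Added example; not code from the original presentation. Function-code names
come from the table on the slides; the sample frames are constructed here.
"""

# Public function codes listed in the presentation's table.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Register", 5: "Write Single Coil", 6: "Write Single Register",
    7: "Read Exception Status", 8: "Diagnostic", 11: "Get Com Event Counter",
    12: "Get Com Event Log", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    17: "Report Slave ID", 20: "Read File Record", 21: "Write File Record",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
    24: "Read FIFO Queue", 43: "Encapsulated Interface Transport",
}

# Function codes that change state on the field device (write access).
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}

# Standard Modbus exception codes carried in the data field of an exception response.
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Slave Device Failure"}


def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_rtu_frame(address: int, pdu: bytes) -> bytes:
    """Append the CRC (low byte first on the wire) to address + PDU."""
    body = bytes([address]) + pdu
    return body + crc16_modbus(body).to_bytes(2, "little")


def decode_rtu_frame(frame: bytes):
    """Split a frame into its fields; return None when the CRC does not match.

    A field device drops frames with a bad CRC, so a monitoring decoder must do
    the same or it will report commands that were never executed.
    """
    if len(frame) < 4:
        return None
    body, wire_crc = frame[:-2], int.from_bytes(frame[-2:], "little")
    if crc16_modbus(body) != wire_crc:
        return None
    address, function, data = body[0], body[1], body[2:]
    # In a response, bit 7 of the function field set to 1 marks an exception;
    # the first data byte then carries the exception code.
    is_exception = bool(function & 0x80)
    base_function = function & 0x7F
    exc_code = data[0] if is_exception and data else None
    return {
        "address": address,
        "function": base_function,
        "name": FUNCTION_NAMES.get(base_function, "unknown/vendor-specific"),
        "write": base_function in WRITE_FUNCTIONS,
        "exception": is_exception,
        "exception_code": exc_code,
        "exception_name": EXCEPTION_NAMES.get(exc_code, "other") if exc_code is not None else None,
        "data": data,
    }


# Constructed sample frames (not captured from any real system).
REQUEST_READ_HR = bytes.fromhex("01 03 00 00 00 02 C4 0B")            # unit 1: read 2 holding registers
REQUEST_WRITE_REG = build_rtu_frame(1, bytes.fromhex("06 00 10 00 FF"))  # unit 1: write 0x00FF to register 0x0010
EXCEPTION_RESPONSE = build_rtu_frame(1, bytes.fromhex("83 02"))          # exception for function 3, code 2
CORRUPTED = REQUEST_READ_HR[:-1] + b"\x00"                              # last CRC byte damaged in transit

if __name__ == "__main__":
    for label, frame in [("request", REQUEST_READ_HR), ("write", REQUEST_WRITE_REG),
                         ("exception", EXCEPTION_RESPONSE), ("corrupted", CORRUPTED)]:
        print(label, decode_rtu_frame(frame))
```

The decoder returns None for the corrupted frame rather than a partially decoded record, which is the behaviour a monitoring tool needs to mirror: the field device ignores such a frame, so counting it as a delivered command would overstate what happened on the wire.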
IEC 104

• Standard for power system monitoring, control and communications for telecontrol and teleprotection of electric power systems
• Completely compatible with:
  – IEC 60870-5-1: Transmission frame formats for standard 60870-5
  – IEC 60870-5-5: Basic application functions
IEC 104 (2)

• It has the following features:
  – Supports master-initiated messages and master/slave-initiated messages
  – Facility for time synchronization
  – Possibility of classifying the data being transmitted into 16 different groups, so that data can be requested by group
  – Cyclic and spontaneous data updating schemes are provided
IEC 104 (3)

Source: Practical Industrial Data Communications

IEC 104 (4)

Source: Practical Industrial Data Communications

IEC 104 (5)

Source: Practical Industrial Data Communications
IEC 104 (6)

• Link level

  Link service class   Function            Explanation
  S1                   SEND / NO REPLY     Transmit message. No ACK or answer required
  S2                   SEND / CONFIRM      Transmit message. ACK required
  S3                   REQUEST / RESPOND   Transmit message. ACK and answer required
IEC 104 (7)

Source: Practical Industrial Data Communications

IEC 104 (8)

• Control field for unbalanced transmissions

Source: Practical Industrial Data Communications

IEC 104 (9)

• Control field for balanced transmissions

Source: Practical Industrial Data Communications
DNP3

• Set of communication protocols used between components of a SCADA system
• Used for communications between the RTU and the IEDs (field devices)
• Implements the communication levels established by the Enhanced Performance Architecture (EPA)
DNP3 (2)

• Enhanced Performance Architecture (EPA)

Source: Practical Industrial Data Communications

DNP3 (3)

• Message exchange

Source: Practical Industrial Data Communications

DNP3 (4)

• Frame format

Source: Practical Industrial Data Communications

DNP3 (5)

• Control byte

Source: Practical Industrial Data Communications
Agenda

• Introduction
• SCADA Protocols
• Authentication Risks
• Remediation
Network technologies in SCADA Systems

• Many SCADA networks still use an RS-232/RS-485 bus to communicate all components
  – But also, because of the need to access data in a fast way, we have serial-to-IP gateways to access serial RTUs and IEDs
  – Lots of hybrid SCADA networks having serial and IP components
  – Vulnerable to outsiders at the corporate network
Lack of authentication in application protocol

• The SCADA protocols do not perform bi-directional authentication to ensure that all parties are trusted
  – Only commands are sent
  – Data is sent to the IP address configured as master
  – All the IP spoofing vulnerabilities work on any MTU or field device
  – Any command can be sent
Lack of confidentiality in application protocol

• The SCADA protocols do not perform any encryption to protect the information
  – Modbus, IEC 101/104 and DNP3 transmissions can be read by any attacker
  – Man-in-the-middle attacks can be performed on the network
  – MTU traffic can be intercepted and then redirected to any IED with any desired change
  – No way to know if traffic is trusted
What could be done?

• Let's see how a master station puts the current timestamp on an IED
• Let's see how the attacker changes it
• Can issue write commands and read commands
• DEMO TIME!
Agenda

• Introduction
• SCADA Protocols
• Authentication Risks
• Remediation
What you cannot do with SCADA

• Protocol delay is usually a BIG issue in SCADA
  – Water supply and oil SCADA tolerate big delays because they do not have consequences in the process
  – Power SCADA is critical. A delay higher than 5 milliseconds could end in a massive blackout because of failure to open a breaker in a substation
  – Be careful about what you do to protect your SCADA
Monitor your network

• A SCADA traffic baseline is mandatory
  – You need to know what applications are transiting inside your network
  – Inside SCADA protocols you monitor applications that give you information on the industrial process being controlled
  – Unauthorized applications could indicate a breach trying to perform operations or gather information on IEDs
Monitor your network (2)

• Use a Network Intrusion Prevention System
  – You definitely can use conventional IPS if they are fast enough to avoid delays in your network
  – Not all of them support SCADA protocols
  – If you have Snort, you can write rules for Modbus and DNP3. Otherwise, you need to write your own rules
  – The Industrial Defender solution works pretty well, as it includes lots of SCADA signatures
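An added example of the baseline approach from the two preceding slides, applied to Modbus/TCP (this is not the presentation's code and not any vendor's product): a baseline of (source address, unit id, function code) triples is learned from known-good traffic, then new traffic is checked for write function codes from any host other than the master, flows outside the baseline, and malformed MBAP headers. MASTER_IP, the sample packets and the helper names parse_mbap, learn_baseline, detect and mb are assumptions constructed for the example.

```python
"""Baseline-based detection for Modbus/TCP traffic.

Added example; not the presentation's code nor a vendor product. Packets are
constructed (src_ip, payload) tuples instead of a live capture; MASTER_IP and
the known-good flows are assumptions made for this example.
"""
from collections import Counter

# Function codes that change state on the field device (write access).
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}
MASTER_IP = "10.0.0.10"   # assumed address of the MTU / master station


def parse_mbap(payload: bytes):
    """Parse the Modbus/TCP header (MBAP) and return (unit_id, function, data).

    Returns None for malformed payloads: a protocol id other than 0, or a
    length field that does not match the bytes actually present.
    """
    if len(payload) < 8:
        return None
    protocol_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")   # bytes following the length field
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    unit_id, function, data = payload[6], payload[7], payload[8:]
    return unit_id, function & 0x7F, data          # bit 7 marks an exception in responses


def learn_baseline(packets):
    """Count every (src, unit, function) triple seen in known-good traffic."""
    baseline = Counter()
    for src, payload in packets:
        parsed = parse_mbap(payload)
        if parsed:
            unit, function, _ = parsed
            baseline[(src, unit, function)] += 1
    return baseline


def detect(packets, baseline):
    """Return alerts for traffic that deviates from the learned baseline."""
    alerts = []
    for src, payload in packets:
        parsed = parse_mbap(payload)
        if parsed is None:
            alerts.append(("malformed", src, None, None))
            continue
        unit, function, _ = parsed
        if function in WRITE_FUNCTIONS and src != MASTER_IP:
            alerts.append(("write-from-non-master", src, unit, function))
        elif (src, unit, function) not in baseline:
            alerts.append(("new-flow", src, unit, function))
    return alerts


def mb(unit: int, pdu_hex: str, tid: int = 1) -> bytes:
    """Build a Modbus/TCP payload: MBAP header (tid, proto 0, length, unit) + PDU."""
    pdu = bytes.fromhex(pdu_hex)
    return tid.to_bytes(2, "big") + b"\x00\x00" + (len(pdu) + 1).to_bytes(2, "big") + bytes([unit]) + pdu


# Constructed known-good traffic: the master polls registers and writes one setpoint.
GOOD = [
    (MASTER_IP, mb(1, "03 00 00 00 0A")),   # Read Holding Registers, unit 1
    (MASTER_IP, mb(1, "04 00 00 00 04")),   # Read Input Registers, unit 1
    (MASTER_IP, mb(2, "03 00 00 00 0A")),   # Read Holding Registers, unit 2
    (MASTER_IP, mb(1, "06 00 10 00 FF")),   # Write Single Register from the master
]

# Constructed traffic to evaluate against the baseline.
SUSPECT = [
    (MASTER_IP, mb(1, "03 00 00 00 0A")),                 # known flow: no alert
    ("10.0.0.77", mb(1, "03 00 00 00 0A")),               # read from an unknown host
    ("10.0.0.77", mb(1, "05 00 01 FF 00")),               # Write Single Coil from a non-master
    (MASTER_IP, mb(3, "06 00 10 00 FF")),                 # write from master to a unit never seen
    ("10.0.0.77", b"\x00\x01\x00\x01\x00\x02\x01\x03"),   # protocol id != 0: malformed
]


def run():
    return detect(SUSPECT, learn_baseline(GOOD))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The write-from-non-master check does not depend on the baseline at all, which is deliberate: because the protocol carries no authentication, the source address and the function code are the only two facts a network sensor has for deciding whether a write should have happened, so that rule is evaluated before the more general flow comparison.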
Control unauthorized changes to Master Terminal Unit

• SCADA platforms are designed to last from 10 to 20 years
  – Too many technology changes happen in that time
  – Lots of security issues to deal with
  – Need a solution to avoid any changes inside computers, as intrusions perform changes in the filesystem, configurations and system processes
Control unauthorized changes to Master Terminal Unit (3)

• Control any changes inside your SCADA servers
  – McAfee Integrity Control works pretty well
  – Defines what can be changed and by whom
  – Lots of custom logs to choose from
  – Can send events to any SIEM configured in the network
Monitor attacks to Master Unit

• A host IPS is definitely needed, as any attack could change the integrity and stability of a process
• Availability is critical to a SCADA system and cannot be altered
• Conventional host IPS makes extensive use of CPU and can affect performance inside SCADA
Monitor attacks to Master Unit (2)

• Industrial Defender Host IPS works pretty well
• Works seamlessly with the Siemens Spectrum platform
• Does not load the machine or need extensive bandwidth to perform its checks
• Central console to perform operations inside the platform
Questions? Comments?

Manuel Humberto Santander Peláez
http://manuel.santander.name
http://twitter.com/manuelsantander
msantand@isc.sans.org / manuel@santander.name