2012 Reenergize the Americas 3B: Angel Avila

Threats to Industrial Control
Networks
Defensive Network Security
Consultants (DNSC), LLC
17 October 2012

Contact Information

Angel E. Avila
CISSP, CISA, CEPT, C|EH, CompTIA Sec+
E-mail: angel.e.avila@dnsc-cyber.com
http://www.dnsc-cyber.com
PH: 915-247-8978

2

DNSC Background

• Computer Security Professionals (8 years)
– Specializing in Penetration Testing, Vulnerability
Assessments, Compliance and Auditing

• Experience working on Government (DoD) and
Private Industry systems
• Certifications:
– Certified Information Systems Security Professional (CISSP),
– Certified Information Systems Auditor (CISA),
– Certified Ethical Hacker (C|EH),
– Certified Ethical Penetration Tester (CEPT),
– Certified Information Systems Manager (CISM),
– Certified Penetration Tester (CPT),
– CompTIA Security +
3

Objective

• The intent of this brief is to raise awareness among
the energy community of some of the current threats
that are targeting Industrial Control (IC) networks
including the Smart Grid and the importance of
developing secure critical infrastructure.

4

Why should we care?

• “An aggressor nation or extremist group could use
these kinds of cyber tools to gain control of critical
switches,” Mr. Panetta said. “They could derail
passenger trains, or even more dangerous, derail
passenger trains loaded with lethal chemicals. They
could contaminate the water supply in major cities,
or shut down the power grid across large parts of
the country.” [1]
• Successful attacks against critical infrastructure
assets can potentially lead to loss of life, and life as
we know it.
1. Bumiller, Elisabeth; Shanker, Thomas. “Panetta Warns of Dire Threat of Cyberattack on U.S." New York
Times on the Web 11 Oct. 2012. 15 Oct. 2012 <http://www.nytimes.com/2012/10/12/world/panetta-warns-of-
dire-threat-of-cyberattack.html?_r=0s>
5

IC Network Overview

Figure adapted from: Eric D. Knapp, Industrial Network Security: Securing Critical Infrastructure Networks for
6 Smart Grid, SCADA, and Other Industrial Control Systems, Syngress, 2011.

Common Mistakes

• Overconfidence: Systems 100% secure
• Refusal to recognize threats: It can’t happen
to me
• Air Gap myth: Systems not connected to IT
network/Internet
• Executive override
– “Intentional” security holes for legitimate business
purposes. ‘Set it and forget it
• Default accounts & passwords
• Lack of authentication
• Inbound/outbound traffic
• Compliance != Secure
7

Adversary
• Cyber Threat Expertise
– Novice: An adversary with no training, only using
open-source (freely available) tools
– Intermediate: An adversary with some training,
some level of funding, uses tools either purchased
or traded on-line
– Expert: An adversary with a mature skill set and
uses custom, open source, and purchased tools
• Foreign sponsored
• Hacktivist

8

Threats to IC Networks
• Advance Persistent Threat (APT)
– Adversary with sophisticated levels of expertise
and significant resources which allow it to create
opportunities to achieve its objectives by using
multiple attack vectors (e.g., cyber, physical, and
deception)
• Maintain a foothold in order to conduct directed
malicious objectives against the target
• EX: Stuxnet-Worm targeting Iranian nuclear reactor
machinery
– Driven by either government agencies or terrorist
organizations
• APT’s pursues its objectives repeatedly over
an extended period of time while countering
victim’s mitigating attempts
9 As defined in NIST Special Publication 800-39, Managing Information Security Risk

Threats to IC Networks (cont.)
• Cyber Threats
– Identified as malicious efforts directed in gaining
access to, exfiltration, data manipulation, and
denial of service towards information systems (IS)
– Directed attacks against confidentiality, integrity,
and availability (CIA)
– Cyber threats can come from anyone

• Supply Chain Threat
– Referred to embedded code being inserted into
devices
– Do you know who is developing your devices?

10

Threats to IC Networks (cont.)
• Outsider Threat
– No credentials, no physical access to the target
network
– Ex: Hacktavists, Foreign State, Terrorists
Organizations, Script Kiddies

• Nearsider Threat
– No credentials, but has access to the target
network
– Ex: Cleaning crew, delivery personnel

• Insider Threat
– Having user and/or root-level credentials to the
target network
11
– Ex: Disgruntle Employee (users/administrators)

IC Network Overview
Outsider/Cyber
Threats

Insider/Nearsider
Threats

Insider/Nearsider
Threats

Advanced
Persistent
Threat

Figure adapted from: Eric D. Knapp, Industrial Network Security: Securing Critical Infrastructure Networks for
12 Smart Grid, SCADA, and Other Industrial Control Systems, Syngress, 2011.

Attack Vectors

• Web
– SQL Injection
– Broken authentication and session management
• https://www.owasp.org/index.php/Top_10_2010-Main
• Wireless
– Use of weak wireless algorithms WEP and WPA
• Bad Security Practices
– HBGary and Anonymous incident
• http://arstechnica.com/tech-
policy/2011/02/anonymous-speaks-the-inside-story-of-
the-hbgary-hack/
• Social Networking
– Facebook
13

Attack Vectors (cont.)
• SCADA Protocols
– Lack of authentication
– Lack of encryption

• SCADA Systems
– Sinapsi eSolar Light Photovotaic System Monitor
– Bypass authentication using hard-coded
credentials and vulnerable to SQL injection
• Also affects other Solar panel control systems
• ICS-ALERT-12-284-01

• Control systems
– A search engine, Shodan, that used to identify
internet facing Control systems
14 • ICS-ALERT-11-343-01


• How can I traverse through the Smart Grid?
– Advanced Meter Infrastructure (AMI) Smart
Meters shutdown meters through Optical port
• D. Weber, “Looking into the Eye of the Meter”. BlackHat
2012.

– Over 40+ million ZigBee electric meters are
deployed with concentration in Texas, California,
Texas, Michigan, and Virginia.
• Zigbee Alliance: Heile, Bob,
https://docs.zigbee.org/zigbee-docs/dcn/10-6056.pdf

15

• AMI provides the ability to
remotely control devices in the
HAN
- Turn off lights, Raise Tstat,
etc...
• Detailed energy use collected
over regular time intervals.
- Consumers can view energy
usage real time
• ZigBee is being used in HANs
within the Smart Grid
• Sniffing traffic
• Replay attacks
• Denial-of-Service

Smart Grid using ZigBee Home
16 Area Network (HAN)

Conclusion

• Real-world threats are constantly trying to
exploit various IC installations
• Reliability vs. Security
• Awareness and being proactive helps reduce
the risk of your network being exploited

17

Contact Information
• Angel E. Avila CISSP, CISA, C|EH, CEPT, CompTIA Security +
angel.e.avila@dnsc-cyber.com

• Richard G. Coy CISSP, CISA, C|EH, CPT, CEPT
richard.g.coy@dnsc-cyber.com

• Francisco J. Leyva CISSP, CISA, C|EH, CISM, CEPT
francisco.j.leyva@dnsc-cyber.com

• Humberto Mendoza CISSP, CISA, C|EH, CISM, CEPT
humberto.mendoza@dnsc-cyber.com

• Daniel Chacon CISSP, CISSA, C|EH, CISM, CEPT
daniel.chacon@dnsc-cyber.com

http://www.dnsc-cyber.com
19

• ZigBee Overview
– Low Power (Long Battery Life), low data rate wireless
protocol
– 250 Kbps throughput rate (low data rate)
– Short Range (10 – 100 meters)
– Supports star and mesh network topology
– Easily add and remove nodes to the network

• Why Zigbee ?
– WIFI transceivers are too expensive, more power to
operate
– Bluetooth as a Frequency Hopping Spread Spectrum
requires more power to operate
– Zigbee consumes less power than WIFI and Bluetooth
– Zigbee designed specifically for monitoring and
automation
– Zigbee is good solution for smart meters in Advanced
Meter Infrastructure(AMI)

• ZigBee Exploitation using KillerBee[1]
- zbid–list available ZigBee devices connected to PC
- zbdump–"tcpdump-w" clone for capturing ZigBee traffic
- zbconvert–convert capture file formats
- zbreplay–Replay attack
- zdsniff–over-the-air (OTA) crypto key sniffer
- zbfind–GUI for locating ZigBee networks
- zbgoodfind–search memory dump for crypto key
- zbassocflood–association flood attack (DoS)
- spoofing attacks when used with Software Defined Radio

1. KillerBee : Wright, Joshua, http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf

• ZigBee Security
– KillerBee[1] open source software is a tool suite used to
test and exploit ZigBee networks
– Hacker community has made many software modifications
to the KillerBee[1] tool suite
– KillerBee[1] tool suite is flashed on a RZUSB ($40.00)
through Joint Test Action Group (JTAG) interface.
• AVR JTAG ICE mkII ($300.00) used to flash RZUSB
AVR JTAG ICE
RZUSB Programmer


• Problem: Demand for power
exceeds the supply
• AMI provides the ability to
remotely control devices in the
HAN
- Turn off lights, Raise Tstat,
etc...
• Detailed energy use collected
over regular time intervals
- Consumers can view energy
usage real time
• Consumers can adjust power to
reduce cost
• Utility companies can better
manage supply and demand
Smart Grid using ZigBee Home
Area Network (HAN)

• ZigBee
– Exploitation using KillerBee[1]
- zbid–list available ZigBee devices connected to PC
- zbdump–"tcpdump-w" clone for capturing ZigBee traffic
- zbconvert–convert capture file formats
- zbreplay–Replay attack
- zdsniff–over-the-air (OTA) crypto key sniffer
- zbfind–GUI for locating ZigBee networks
- zbgoodfind–search memory dump for crypto key
- zbassocflood–association flood attack (DoS)
- spoofing attacks when used with Software Defined Radio


2012 Reenergize the Americas 3B: Angel Avila

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 2012 Reenergize the Americas 3B: Angel Avila

Similar to 2012 Reenergize the Americas 3B: Angel Avila (20)

More from Reenergize

More from Reenergize (20)

Recently uploaded

Recently uploaded (20)

2012 Reenergize the Americas 3B: Angel Avila