This document discusses common security issues seen in critical infrastructure networks that can enable basic persistent threats. It notes that default passwords, lack of network segmentation, open remote access ports, unrestricted trust relationships, and other issues are often exploited by attackers to compromise these networks. The document provides examples of specific incidents where critical infrastructure networks were hacked by exploiting these basic vulnerabilities.

1. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
1
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
www.dynetics.com
1V## Goes Here
Digital Energy – BPT
BSidesAugusta 2013
Paul Coggin
Internetwork Consulting Solutions Architect
paul.coggin@dynetics.com

2. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
2
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Digital Energy – Basic Persistent Threat
• APT default excuse for any compromise
• Default passwords
• Little to no separation of control, management and data planes
• Layer 2 security issues
• Lack of Perimeter Egress filtering
• Lack of Perimeter Egress authentication
• Trust Relationships
• Integration
• Interdependencies
• Dependencies
• Vendor remote access
• Default database client/server protocol configuration
• Lack of security policies driving network and security infrastructure
configuration
• Flat earth network architecture philosophy
Talented attackers exploiting critical
infrastructure using basic attack
vectors are not an APT.

3. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
3
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Residential
Branch Office
MPLS/IP, DWDM, SONET, ATM
Internet
Video Headend
IPTV/VOD
SIP Proxy
Residential
Telecommuter
SOHO Energy Distribution
Provisioning
Servers
Assurance
Servers
Online and Internal
Billing Servers
Public Network Infrastructure Overview
Water / Sewer
Treatment Plant
Web
server
VoIP GW
Si
Si
SiS
i
SiSi
SiSi SiSi
Enterprise
Policy
Server
DHCP
Server
AAA
Server
Lawful
Intercept
ICS / SCADA
Cell Tower
DWDM
Situational
Awareness Servers
- Vendor/Mfg. Remote
Support
- Internal Tech Staff VPN
- Customer online bill payment
- Misconfigured Backdoor
GPON GigE SONET

4. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
4
UNCLASSIFIED0000-00-yymm Information Engineering Solutions0000-00-yymm
UNCLASSIFIED
0000-00-yymm
UNCLASSIFIED
www.dynetics.com 4
ANSI/ISA99
ICS – Industrial Control Systems
SCADA – Supervisory Control and Data Acquisition
PLC – Programmable Logic Controller
RTU – Remote Terminal Unit
IED – Intelligent Electronic Device
Historian
HMI – Human Machine Interface
Protocols - Modbus, ICCP, DNP3, Others
In many networks there is not a firewall securing the
integration between the Enterprise and ICS/SCADA
network. A multi-homed Windows system is
commonly integrates the two networks
Typically, the ICS/SCADA network utilizes a flat
network architecture. The vendors have VPN,
Telnet and/or SSH holes punched through the
firewall with weak authentication in most cases.
Older systems will have back door modem
connections for vendor remote access.
Reference: www.isa.org - ANSI/ISA99 Standard

5. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
5
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Voice Soft Switch Network
Voice Transport Network
Management
Network
Internet
EMS
The service provider transport and soft switch vendors commonly provide a EMS for
their solution.
The EMS server commonly is multi-homed with one interface connected directly to the
Internet and a second connected to the management network.
The transport and voice technical staff may have the system installed without the
protection of a firewall or VPN.
A number of soft switch EMS systems have been hacked using SSH brute force attacks.
In some cases the EMS is installed behind a firewall with ACL’s trusting any inbound
IP connection destined to the SSH service.
Backup EMS
Internet
Backup
Soft Switch
Soft
Switch

6. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
6
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
What Kind of Ring is It?
Ring Topology
Collapsed Ring Topology
Any disruption to the single
physical fiber run disrupts the
logical ring.
End point devices such as
DSLAMs are configured to
form a ring on both ends of
the fiber run.
One service provider had their fiber
cut between CO’s by copper thieves.
Logical Ring for Regulatory Requirements

7. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
7
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Dual Purposed Online Bill Paying
Web Server & Internal Billing System
AAA
SiSi
Provisioning & Monitoring
EMS
Video On Demand
Services
Voice Services
IPTV
Internet
Middleware
Internal Enterprise LAN
Internal Billing System &
Online Billing Web Server
NetMgtDirectory Traversal led to root access
to Internal billing system that was
also the online billing system for
customers. A billing system vendor
designed architecture.
The billing system vendor argued this
architecture was secure even after
their system was hacked. Billing system hack exposes
provisioning, network
management, IPTV Middleware
etc. to being compromised
through trust relationships.
Power distributors may utilize
the transport and access
network for smart grid services.

8. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
8
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Video On
Demand Services
Voice Services
IPTV
Internet
Services
Secure
Visualiza-on
and
Instrumenta-on
Deep
Inspec-on
and
Monitoring
of
Network
Flows
/
Packets
Diagnosed
Configura-on
Issue
On-­‐Line
Message
Network
Power
Ch
Up
Ch
Dn
Select
Guide
Menu
NLC
3
STB
PC
TV
IP
Phone
GPON
Residential
Customer
Separation of
Service/
VLANs
• Malware existed on Data (ISP) user
computers – Malware sends ICMP
packets to DOS target.
• Transport equipment encapsulated
DOS packets into multicast packets.
• Transport equipment replicated DOS
in hardware to all users.
Private
Virtual
Circuits
• Customer with SVI was alerted to unusual
traffic on multicast VLAN for video.
• Called for remote Incident Analysis/ Forensics
on Network Packets showed multicasting of
“bad Info” and misconfiguration of network
logical data flows
Transport Network Disrupted by
Accidental Misconfiguration
SiSi
On-­‐Line
Message
Network
Power
Ch
Up
Ch
Dn
Select
Guide
Menu
NLC
3
STB
PC
TV
IP
Phone
SM
SM
Service Provider Employee Mistakenly Integrated
Data and Video Networks

9. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
9
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Video On
Demand Services
Voice Services
IPTV
Internet
Services
On-­‐Line
Message
Network
Power
Ch
Up
Ch
Dn
Select
Guide
Menu
NLC
3
STB
PC
TV
IP
Phone
GPON
Residential
Customer
Separation of
Service/
VLANs
Private
Virtual
Circuits
CPE Router Hijacking
SiSi
On-­‐Line
Message
Network
Power
Ch
Up
Ch
Dn
Select
Guide
Menu
NLC
3
STB
PC
TV
IP
Phone
SM
SM
• Hacker attacked DSL
Modems.
• Changed DNS address
to Relay Box.
Deep Inspection and
Monitoring of Network
Flows / Packets
Hijacked web requests and
web traffic redirected to
rogue site
• 6K DSL Routers hacked before stopped
• Router management access with open trust
• Unknown default router password

10. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
10
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Video On
Demand Services
Voice Services
IPTV
Utility CATV Head End Scenario
Vendor aggregates customer VPN’s to
HQ site. The customer inherits the
security risk of the vendor through the
VPN trust relationship.
Vendor was hacked enabling
billing system integration
server to be hacked.
No Segmentation
No PVLAN, VACL
Middleware
Billing System
Integration
TV
SM
On-­‐Line
Message
Network
Power
Ch
Up
Ch
Dn
Select
Guide
Menu
NLC
3
STB
Internet
Vendor
VPN Router
Vendor
HQ
Dedicated VPN
for Remote Mgt
Fiber Node
Cable Modem Termination System (CMTS)
Cable Routers
Routers
downstream
upstream
RF Combiner
CM

11. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
11
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Video On
Demand Services
Voice Services
IPTV
Utility CATV Head End Scenario 2
No Segmentation
No PVLAN, VACL
Freely Pivot between
Vendors & Head End
Exploit Enterprise
Trust Relationships
Middleware
Billing System
Integration
Fiber Node
Cable Modem Termination System (CMTS)
Cable Routers
Routers
downstream
upstream
RF Combiner
CM
TV
SM
On-­‐Line
Message
Network
Power
Ch
Up
Ch
Dn
Select
Guide
Menu
NLC
3
STB
Internet
Vendor
VPN
Routers
Vendor 2
Dedicated VPN for Remote Mgt
Vendor 1
Enterprise
If a vendor network, the CATV head end or the
enterprise network is exploited. The trust
relationships can then be easily used to pivot
between networks.

12. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
12
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Transport Network – Remote Support
OSS / NOC
Optical EMS
Enterprise
Internet
Services
Multi-homed EMS Server
SSH Access for Transport and Access Vendor
Firewall Physically Bypassed
Open Trust Relationship for SSH

13. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
13
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Layer 2 Security Issues Prevalent
Routers
Rogue Insider
Crafted HSRP coup packet
with higher priority
• STP / BPDU
• VTP
• VLAN Hopping
• ARP Poisoning
• FHRP
• Rogue DHCP Server
• Horizontal and Vertical Pivoting
Common Issues Suggested Remediation
• BPDU and Root Guard
• Secure VTP
• Disable Dynamic Trunking
• Dynamic ARP Inspection
• Limit MACs per Port
• Secure FHRP
• DHCP Snooping, Disable DHCP Trust
• PVLAN’s, VACL’s, DHCP Option 82
• L2 NetFlow
• Secure Information Flow Trust Relationships

14. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
14
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Bottom Line
Whitelist the Applications
Whitelist the Network Trust Relationships
Whitelist Trusted Information Flows in Monitoring

15. UNCLASSIFIED
V100230_Faint
UNCLASSIFIED
15
UNCLASSIFIED0000-00-yymm Information Engineering Solutions
Ques-ons?
paul.coggin@dyne-cs.com
@PaulCoggin