ACS-2010: SCADA and Control Systems Security Group (SCADASEC) Findings, 2010 Applied Control Systems (ACS) Conference (slide transcript)
Enumerating and Validating ICS Devices
SCADA and Control Systems Security Group (SCADASEC) Findings 2010 Applied Control Systems (ACS) Conference September 20-23, 2010
Bob Radvanovsky, CIFI, CISM, CIPS Jacob Brodsky, PE
Creative Commons License v3.0.
Who and what is “Infracritical”?
• Leading industry and business in Critical Infrastructure Protection (CIP).
– Provides guidance and direction to both public and private sectors through information sharing and ‘best practices’.
– Established open public discussion forums on current and relevant topics and affairs.
– Defines strategic vision of ‘future thought’ in infrastructure development and support.
• Liaises between government and industry strategies.
• Sponsor and founder of the SCADASEC e-mail list.
Presentation Agenda
• Outline results from ‘The Gathering’ (May 2010).
• Reasons for having ‘The Gathering’.
• Latest projects:
– Enumerate and validate industrial automation/control systems devices (fingerprint).
– Catalog based on genus, manufacturing type, make, model, and results found into a centralized data repository.
– Allow for variances of information found ‘in the wild’.
– Enumeration is performed using ‘open source’ security tools.
– Currently performing validation tests against the Hirschmann ICS firewall (Hirschmann EAGLE TX/TX).
Outline Results from ‘The Gathering’ (May 2010)
• Established in May, 2010, ‘The Gathering’ provided a common ground for representation from commercial interests, academia and law enforcement.
• Discussed security concepts, issues and vulnerabilities with ICS equipment that was brought and shared.
• Discussed and shared engineering methods to improve performance of said equipment, both operationally and securely.
Reasons for Having ‘The Gathering’
• Need based on a “show ‘n tell” principle.
• Allows participants to see, work and handle ICS equipment that would otherwise not be possible.
• Share ideas, concepts and ideologies between participants.
• Discuss methods of improvement of performance of shared ICS equipment.
• Write recommendations for manufacturers.
Other Discoveries
• We are limiting public discussion on these discoveries.
• Schweitzer SEL-3620:
– SSL interface survived the overnight assault from the Mu Dynamics fuzzer device.
– No problems found.
• Another popular industrial switch TELNET interface:
– 158 problems found.
• Write recommendations for manufacturers.
Project ‘Enlightenment’
• Validate CSET/CS2SAT network maps.
• Develop and exercise controlled methods of enumerating ICS equipment and appliances.
• Acquire intelligence from ICS equipment supplied from ICS owner-operators and private donators.
• Enumerate through several methods:
– IT protocols: HTTP/HTTPS, SSH, SSL certificates, SNMP, etc.
– control system protocols: Modbus, Profibus, DNP, EthernetIP, etc.
Project ‘NINJA’ (Network INtelligence Joint Analysis)
• Catalog intelligence acquired from ‘The Gatherings’ and from ‘Enlightenment’.
• Centralize data repository for public viewing (vetted).
• Provide sensitive intelligence for dissemination through encrypted methods.
– encrypted email (automatic)
– encrypted web portal(s)
• Website: www.thinklikeninja.com
Current Enumeration: Hirschmann EAGLE TX/TX
• One of the more recognized industrial automation firewalls.
• Hirschmann Automation and Control (HAC) GmbH acquired by Belden Inc. (formerly Belden Wire & Cable, Inc.) in 2007.
• Hirschmann EAGLE and EAGLE mGuard firewalls’ software written by Innominate Security Technologies.
• Innominate Security Technologies acquired by Phoenix Contacts, Inc. in 2008.
(Image: the actual model of the device tested.)
Hirschmann Enumeration: Discoveries Found with Firewall
• Actual software from Hirschmann ICS firewall was written by Innominate Security Technologies.
• Software from Innominate can interchangeably be used between Hirschmann and Innominate versions.
• Software and firmware would be synchronized.
• Software after v4.2.3 required a ‘license upgrade’ (even though we had updates up to v7.0.1).
• Firmware after v4.2.3 had similar requirements.
Hirschmann Enumeration: Discoveries Found with Firewall
• Actual ICS screen shot.
• Tests were performed against two (2) firewalls.
• Firewall #1: Innominate
• Firewall #2: Hirschmann
Hirschmann Enumeration: Discoveries Found with Firewall
• F/W v3.0.1 (and including v3.1.1) caused ARP tables to be dropped during ‘normal’ port scans, requiring multiple attempts to connect to the firewall.
• F/W v4.0.4 (and higher) did not drop ARP tables.
• However, F/W v4.0.4, when subjected to a vulnerability scan, produced inconsistent fingerprinting results (in most cases no fingerprint at all).
• NMAP (as of v5.35DC1) thinks Hirschmann is a wireless access point / wireless router.
Hirschmann Enumeration: Discoveries Found with Firewall
Partial output is from the following syntax: nmap -sS -v -O 1.1.1.1 -T3 -PN -v
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-16 19:15 CDT
…
Device type: WAP|specialized|print server|storage-misc|general purpose|broadband router|firewall
Running (JUST GUESSING) : Linux 2.4.X|2.6.X (98%), HP embedded (94%), Netgear RAIDiator 4.X (94%), MontaVista Linux 2.4.X (94%), Actiontec embedded (93%), Fortinet embedded (91%), Google embedded (91%)
OS fingerprint not ideal because: Timing level 3 (Normal) used
Aggressive OS guesses: DD-WRT v23 (Linux 2.4.36) (98%), Linux 2.4.21 (embedded) (95%), DD-WRT v23 (Linux 2.4.34) (95%), HP 4200 PSA (Print Server Appliance) model J4117A (94%), Netgear ReadyNAS Duo NAS device (RAIDiator 4.1.4) (94%), MontaVista embedded Linux 2.4.17 (94%), Actiontec GT701 DSL modem (93%), Linux 2.4.20 (92%), Fortinet FortiGate-60B or -100A firewall (91%), Google Mini search appliance (91%)
No exact OS matches for host (test conditions non-ideal).
…
Hirschmann Enumeration: Discoveries Found with Firewall
• Ports open on the INTERNAL network interface include:
- 22 (SSH), 53 (DNS), 443 (HTTPS) and 1720 (H.323)
• Enumeration of the device included testing over:
- SNMP and HTTPS connections
- The enumeration method uses an ‘open source’ tool.
- One tool that will be heavily used is NMAP v5 (and newer).
- NMAP (as of Version 4) allows integration of a scripting language.
- The NMAP Scripting Engine (NSE) uses the Lua language (www.lua.org); NSE scripts are documented at www.nmap.org/nsedoc.
- Over 150 (and growing) common scripts are available from Insecure.
Hirschmann Enumeration: Discoveries Found with Firewall
• During one vulnerability scan, NMAP had difficulties fingerprinting its operating system (it is running an embedded Linux v2.4.36).
• Device is currently available for evaluation for the general public.
• Access has been granted to the INTERNAL network interface.
• Use the command-line (CLI) version of NMAP; the Mac and UNIX/Linux versions appear to work better with the NSE script.
• Script written specifically for enumerating the Hirschmann.
• Script is currently in ‘draft mode’, and is being finalized.
• Current version of enumeration script is ‘mguard-10091201.nse’.
Hirschmann Enumeration: Discoveries Found with Firewall
If the Hirschmann EAGLE mGuard TX/TX enumeration script is used, the output will look something like this:
# nmap --script=./mguard-10091201.nse 1.1.1.1 -PN
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 12:48 CDT
Nmap scan report for xxx (1.1.1.1)
Host is up (0.0096s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
443/tcp open https
| mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
| ** IF YOU REQUIRE MORE INFO, USE THE "-v" OPTION
| ............Flash ID : 420401db459c83e7
|_............Manufacturer of device : Hirschmann
1720/tcp filtered H.323/Q.931
Nmap done: 1 IP address (1 host up) scanned in 2.62 seconds
NOTE the flash ID number; the ID is obtained via the SSL certificate.
Hirschmann Enumeration: Discoveries Found with Firewall
If the verbose feature of the Hirschmann EAGLE mGuard TX/TX enumeration script is used:
# nmap --script=./mguard-10091201.nse 1.1.1.1 -PN -v
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 10:24 PDT
NSE: Loaded 1 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 10:24
Completed Parallel DNS resolution of 1 host. at 10:24, 0.06s elapsed
Initiating Connect Scan at 10:24
Scanning xxxx (1.1.1.1) [1000 ports]
Discovered open port 53/tcp on 1.1.1.1
Discovered open port 22/tcp on 1.1.1.1
Discovered open port 443/tcp on 1.1.1.1
Completed Connect Scan at 10:24, 5.62s elapsed (1000 total ports)
NSE: Script scanning 1.1.1.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:24
Completed NSE at 10:25, 6.06s elapsed
...
Hirschmann Enumeration: Discoveries Found with Firewall
(continued from p.17)
Nmap scan report for xxx (1.1.1.1)
Host is up (0.096s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open https
| mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
| ** PHASE 1: TLS/SSL certificate verification
| ....Step 1: SSL certificate info : CONFIRMED
| ....Step 2: SSL certificate MD5 hash information
| ............Flash ID : 420401db459c83e7
| ............Organization name : Hirschmann Automation and Control GmbH
| ............SSL certificate MD5 : c93063872150383b879a69f65ab6d7e5
| ............SSL certificate version: 4.2.1 or newer
Hirschmann Enumeration: Discoveries Found with Firewall
(continued from p.18)
| ** PHASE 2: File presence verification
| ....Step 1: Existence of "/favicon.ico"
| ............File favicon.ico MD5 : 7449c1f67008cc3bfabbc8f885712207
| ............Server type/version : 4.2.1 or newer
| ....Step 2: Existence of "/gai.js"
| ............File gai.js MD5 : e7696a86648dcdb6efb2e497e5a8616b
| ............Server type/version : 4.2.1
| ....Step 3: Existence of "/style.css"
| ............File style.css MD5 : d71581409253d54902bea82107a1abb2
| ............Server type/version : 4.2.1
| ** PHASE 3: HTML pattern matching verification
| ....Step 1: Confirmation of HTML code per version
| ............HTML code verified : CONFIRMED
| ............HTML code variant : Hirschmann
| ....Step 2: Confirmation web server verification
| ............Web server verified : CONFIRMED
| ............Web server name/type : fnord
| ............Web server version : 1.6
Hirschmann Enumeration: Discoveries Found with Firewall
(continued from p.19)
| ** PHASE 4: Documentation
| ....Step 1: Documentation exist? : YES
|.............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_BAT54_SW_Rel754_en.pdf
|_............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_EAGLE_401_EN.pdf
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds
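The four phases above reduce to a hash table plus a consensus rule: each retrieved file's MD5 votes for a firmware version, and the device is confirmed only when the votes and the server banner agree. The following Python is an added example written for this transcript, not the mguard-10091201.nse script; the MD5 digests are the ones printed in the script output above, while the `Server: name/version` header format, the `classify` API and the treatment of "X or newer" as a lower bound are assumptions.

```python
import hashlib
import re

# Per-file MD5 -> version label, as printed by the script in PHASE 2 above.
KNOWN_FILE_HASHES = {
    "/favicon.ico": {"7449c1f67008cc3bfabbc8f885712207": "4.2.1 or newer"},
    "/gai.js": {"e7696a86648dcdb6efb2e497e5a8616b": "4.2.1"},
    "/style.css": {"d71581409253d54902bea82107a1abb2": "4.2.1"},
}
# PHASE 3 reported the web server as "fnord 1.6". Reading it from a
# "name/version" Server header is an assumption made for this example.
KNOWN_SERVERS = {"fnord"}
SERVER_RE = re.compile(r"^(?P<name>[A-Za-z0-9_-]+)/(?P<ver>\d+(?:\.\d+)*)$")


def md5_hex(body: bytes) -> str:
    """MD5 of a retrieved file body, matching the digests the script prints."""
    return hashlib.md5(body).hexdigest()


def _vtuple(label: str) -> tuple:
    """'4.2.1 or newer' -> (4, 2, 1); used for lower-bound comparisons."""
    return tuple(int(p) for p in label.split(" ")[0].split("."))


def consensus(labels):
    """Reduce per-file labels to one version claim; None means the files disagree."""
    exact = {l for l in labels if l and not l.endswith("or newer")}
    bounds = {l for l in labels if l and l.endswith("or newer")}
    if len(exact) > 1:
        return None  # files from different firmware builds: do not confirm
    if exact:
        version = exact.pop()
        # Every "X or newer" file must be consistent with the exact version.
        return version if all(_vtuple(b) <= _vtuple(version) for b in bounds) else None
    return bounds.pop() if len(bounds) == 1 else None


def classify_hashes(observed: dict, server_header: str) -> dict:
    """observed: {path: md5 hex} for files retrieved from the device under test."""
    evidence = {p: KNOWN_FILE_HASHES.get(p, {}).get(h) for p, h in observed.items()}
    evidence = {p: v for p, v in evidence.items() if v}
    m = SERVER_RE.match(server_header or "")
    server = (m["name"], m["ver"]) if m and m["name"] in KNOWN_SERVERS else None
    version = consensus(evidence.values())
    # Confirm only when file hashes and the server banner both fit the profile.
    return {"confirmed": version is not None and server is not None,
            "version": version, "server": server, "evidence": evidence}


def classify(fetched: dict, server_header: str) -> dict:
    """fetched: {path: body bytes}; hashes them and delegates to classify_hashes."""
    return classify_hashes({p: md5_hex(b) for p, b in fetched.items()}, server_header)
```

A single hash hit is deliberately not enough: an unknown server banner or two files from different builds leaves the device unconfirmed, which is the behaviour an owner-operator wants when validating an inventory entry.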
Hirschmann Enumeration: Discoveries Found with Firewall
The following is a sample taken from the startup log while connected to the console:
...
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/i2c/i2c-adap-ixp425.o
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/max6625.o
Warning: loading max6625 will taint the kernel: non-GPL license - Proprietary
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/power.o
Warning: loading power will taint the kernel: non-GPL license - Proprietary
Eagle: PHY sysctl directory registered.
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
...
Thoughts about this?
Hirschmann Enumeration: Summary of the Unit
• This unit allows the secured side to configure the firewall.
- Vulnerable to cross-site scripting (XSS) and session hijacking.
- Malware that gets inside secured networks can still cause damage.
- Other propagation methods for malware include USB, VLAN attacks/mistakes, operator errors, crossed cables, etc.
- Need out-of-band commands of the firewall.
• Licensing problems could make unit a deliberate target.
• ARP table ought to have hard-wired option.
• Not a stateful firewall; not aware of industrial protocols.
One More Thing… Interesting Coincidence?
• At the time of writing this presentation, the firewall was probed from several IP addresses from China; one of them is shown below:
2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast address from master interface
2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
• Here’s the WHOIS information for this IP address:
inetnum: 202.116.160.0 - 202.116.175.255
netname: SCAU-CN
descr: 华南农业大学
descr: South China Agricultural University
descr: Guangzhou, Guangdong 510642, China
country: CN
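The console log above is the kind of evidence an owner-operator should be parsing routinely rather than noticing by coincidence. The following Python is an added example, not part of the presentation: it parses the mGuard console log format shown on the slide, counts SSH pre-authentication probes per source address, records IPsec tunnel drops, and flags that the device's own clock reads 2000-01-01, so its timestamps cannot be correlated with other logs. The sample log is constructed around the slide's lines (one extra probe from 202.116.160.75 and one from the RFC 5737 documentation address 203.0.113.5 are added), and the 2005 clock-sanity threshold is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the console log on this slide. The first
# sshd line and the three kernel lines are from the slide; the other two sshd
# lines (one repeat probe, one from a documentation-range address) are constructed.
SAMPLE_LOG = """\
2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
2000-01-01_15:59:41.10001 auth.info: Jan 1 15:59:41 sshd[10731]: Did not receive identification string from 202.116.160.75
2000-01-01_15:59:52.00123 auth.info: Jan 1 15:59:52 sshd[10732]: Did not receive identification string from 203.0.113.5
2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast address from master interface
2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
"""

# Line layout: "<device ts> <facility>.<severity>: <syslog ts> <proc>[pid]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+): "
    r"\w{3} +\d+ \d{2}:\d{2}:\d{2} "
    r"(?P<proc>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_NOID_RE = re.compile(r"Did not receive identification string from (\d+(?:\.\d+){3})")
IPSEC_DOWN_RE = re.compile(r"IPSEC EVENT: KLIPS device (\S+) shut down")


def parse_line(line: str):
    """Return the fields of one log line, or None if it is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d_%H:%M:%S")
    return rec


def analyze(log_text: str, clock_sane_after: datetime = datetime(2005, 1, 1)) -> dict:
    """Count SSH pre-auth probes per source, list IPsec tunnel drops, check the clock."""
    probes, ipsec_down, first_ts = Counter(), [], None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        first_ts = first_ts or rec["ts"]
        if rec["proc"] == "sshd":
            m = SSH_NOID_RE.search(rec["msg"])
            if m:
                probes[m.group(1)] += 1
        elif rec["proc"] == "kernel":
            m = IPSEC_DOWN_RE.search(rec["msg"])
            if m:
                ipsec_down.append((rec["ts"], m.group(1)))
    # The slide's device stamps its lines with 2000-01-01, i.e. it has no trusted
    # time source; such timestamps cannot be correlated with other logs as-is.
    clock_ok = first_ts is not None and first_ts >= clock_sane_after
    return {"ssh_probes": dict(probes), "ipsec_down": ipsec_down, "clock_ok": clock_ok}
```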
Next Gathering:
• Mu Dynamics has been very supportive.
• Location and time:
• SCADA CYBER SECURITY WORKSHOP, November 3-4, 2010, Southern Methodist University, Dallas, TX
• http://www.nacmast.com/scada-workshop-registration
• Continue “Enlightenment” and “NINJA” programs.
• Introduce and educate the next generation of SCADA security specialists.
• Gather data on other user-provided devices.
• Work on CSET validation software.
• Discuss theoretical and practical issues with devices we test.
Conclusion
• Combining ‘The Gatherings’ with the intelligence gathered through enumeration and validation tests, we feel that there will be more to come … much more.
• So far, we have a small suite of scripts for the following:
• Hirschmann Automation Control GmbH (HAC)
• Allen-Bradley (aka Rockwell)
• Rockwell Automation
• Siemens
• Electro Industries / Gaugetech (EIG)
Questions?
Bob Radvanovsky, (630) 673-7740
Jacob Brodsky, (443) 285-3514 [email protected]
Creative Commons License v3.0.