Protecting Your DNP3 Networks
Chris Sistrunk, PE, Sr. Consultant, Mandiant

Posted on 23-Aug-2014

DESCRIPTION

Your SCADA system has a DNP3 vulnerability; now what? I briefly summarize the DNP3 vulnerabilities (and those in other ICS protocols too). Then I focus on the different mitigations an ICS owner can apply against this type of protocol implementation vulnerability, even when there is no patch or patches can't be installed.

TRANSCRIPT

Page 1: Protecting Your DNP3 Networks

Chris Sistrunk, PE, Sr. Consultant
Mandiant

Page 2: Protecting Your DNP3 Networks

Let’s assume that your SCADA device has a faulty DNP3 stack…

Page 3: Protecting Your DNP3 Networks

…because of these guys (well, bad vendor coding really)

“Crain and Sistrunk have discovered a boatload of ICS vulnerabilities over the years”
http://threatpost.com/copa-data-patches-dnp3-scada-vulnerability

DNPtha-reeeeeee

Page 4: Now What?

Let’s take a step back and ask some questions:

What’s the risk if this device is compromised?
◦ Probability * Impact = Risk
◦ Check out my RTU risk score presentation from S4x13

What is the device talking to?
Is it DNP3 serial or IP…or both?
Is the physical security sufficient?
Will you be called at 2AM?

Page 5: How I Audit SCADA Systems

Page 6: Anticipate…Mitigate!

The answers to the questions tell you that you have to do something to protect the device(s).

What types of mitigations exist? Which ones will you use?
◦ Defense in depth – more than one!
◦ Belt and suspenders!

When will they be deployed?
◦ The sooner the better!

Page 7: DNP3 Vulnerability Mitigation

Software/firmware patches/device upgrades
Robust device and master configurations
Robust IP network configurations
DNP3-aware network tools
Proper physical security
Employee awareness
Secure coding and SDL for vendors

Page 8: DNP3 Vulnerability Mitigation

NERC/CIP?

Page 9: Get The Bug Fix!

If there is a software or firmware patch or hardware upgrade out there that fixes a known DNP3 vulnerability…GO GET IT

Properly test it before you roll it out
If you’re not used to patching your SCADA system, please work with your vendors to do this to minimize downtime

Page 10: Robust Device/Master Configuration

USE DNP3-SA! (application layer security)
◦ Correct master only talks to the correct RTU
◦ But it won’t protect against all “bugs”

Disable unused serial and network ports
Use a possible workaround (ex: auto restart)
Check the default settings
◦ DNP3 or other protocols may be factory configured
◦ If not used, disable them!
◦ DNP3 devices are on SHODAN; many appear to have the same configurations

Page 11: Robust Device/Master Configuration

When possible, DISABLE functions that aren’t required in your production systems
◦ Cold and/or Warm Restarts (FC 13 & 14)
◦ Start/Stop Application (FC 17 & 18)
◦ Save Configuration (FC 19, old) / Activate Configuration (FC 31, new)
◦ Open, Close, Delete, Abort File (FC 25, 26, 27, 30)

If you can’t disable these, use IDS/IPS or DPI firewalls to prevent unwanted DNP3 traffic

Page 12: Robust IP Networks

Segment your SCADA WAN
◦ Routers, firewalls, DMZs, & VLANs
◦ This can help isolate the network when needed

Understand your network!
◦ The bad guys sure will

Use encryption and authentication
◦ Use DNP3-SA and TLS
◦ Remote access VPNs, radios, etc.
◦ Look at the IEC 62351 standard (dovetails with SA)

No SCADA protocols on the corporate WAN

Page 13: DNP3-Aware Network Tools

Examples of tools used in SCADA and enterprise networks that understand DNP3:

Protocol analyzers such as Wireshark, ASE & TMW RTU test sets
IDS/IPS such as SNORT, Bro, McAfee ADM, and Checkpoint
Routers such as the Cisco CGR 2010
Field firewalls w/ DNP3 Deep Packet Inspection
◦ Secure Crossing & Tofino (in the works)
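The function-code filtering recommended on page 11 (disable restart, application start/stop, configuration and file-transfer function codes, or block them with an IDS/IPS or DPI firewall) and the DNP3-aware tooling listed on this slide boil down to one check: parse the link frame, verify it is well formed, and look at the application-layer function code. The following is an added example, not code from the deck, from Mandiant, or from any of the vendors or tools named above. It validates the DNP3 link-header and user-data CRCs, extracts the application function code from the first transport segment, and returns an alert string for any frame carrying one of the function codes the slide says to disable. The frame layout follows the public DNP3 (IEEE 1815) link/transport/application structure; the master address 1, outstation address 10, the sample frames and the alert wording are assumptions constructed for the example.

```python
"""Minimal DNP3 (IEEE 1815) link-frame inspector, added as an example of the
function-code filtering a DNP3-aware IDS/IPS or DPI firewall performs.
Not code from the deck or any vendor. Frame layout follows the public DNP3
link/transport/application layering; all sample frames are constructed here
(hypothetical master address 1, outstation address 10)."""
import struct
from typing import Optional

START = b"\x05\x64"          # link-layer start octets
BLOCK = 16                   # user data is CRC-protected in 16-octet blocks
LINK_FC_UNCONFIRMED_USER_DATA = 0x04

# Application-layer function codes the slide says to disable when unused.
RISKY_FUNCTION_CODES = {
    13: "COLD_RESTART", 14: "WARM_RESTART",
    17: "START_APPL", 18: "STOP_APPL",
    19: "SAVE_CONFIG", 31: "ACTIVATE_CONFIG",
    25: "OPEN_FILE", 26: "CLOSE_FILE", 27: "DELETE_FILE", 30: "ABORT_FILE",
}


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, result inverted."""
    crc = 0
    for octet in data:
        crc ^= octet
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_request(dst: int, src: int, app_fc: int, objects: bytes = b"", seq: int = 0) -> bytes:
    """Build a single-fragment master->outstation request (DIR=1, PRM=1,
    link FC 4). Used here only to construct sample traffic for the inspector."""
    transport = 0xC0 | (seq & 0x3F)            # FIR | FIN | 6-bit sequence
    app_control = 0xC0 | (seq & 0x0F)          # FIR | FIN | 4-bit sequence
    user = bytes([transport, app_control, app_fc]) + objects
    link_ctrl = 0x80 | 0x40 | LINK_FC_UNCONFIRMED_USER_DATA
    # Length octet counts control, destination, source and user data (not CRCs).
    header = START + bytes([5 + len(user), link_ctrl]) + struct.pack("<HH", dst, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user), BLOCK):
        block = user[i:i + BLOCK]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def parse_frame(frame: bytes) -> dict:
    """Validate start octets and every CRC, then pull out addresses, the link
    function code and (for a first transport segment) the application FC."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 link frame")
    header = frame[:8]
    (header_crc,) = struct.unpack_from("<H", frame, 8)
    if dnp3_crc(header) != header_crc:
        raise ValueError("link header CRC mismatch")
    length, ctrl = frame[2], frame[3]
    dst, src = struct.unpack_from("<HH", frame, 4)
    user, pos, remaining = bytearray(), 10, length - 5
    while remaining > 0:
        n = min(BLOCK, remaining)
        if len(frame) < pos + n + 2:
            raise ValueError("truncated user data")
        block = frame[pos:pos + n]
        (block_crc,) = struct.unpack_from("<H", frame, pos + n)
        if dnp3_crc(block) != block_crc:
            raise ValueError("user data CRC mismatch")
        user += block
        pos, remaining = pos + n + 2, remaining - n
    info = {"dst": dst, "src": src, "primary": bool(ctrl & 0x40),
            "link_fc": ctrl & 0x0F, "app_fc": None}
    # The application header is only present in the first transport segment (FIR set).
    if len(user) >= 3 and user[0] & 0x40:
        info["app_fc"] = user[2]
    return info


def inspect_frame(frame: bytes) -> Optional[str]:
    """Return None when the frame may pass, otherwise a short alert string
    (what an IDS would log, or a DPI firewall would use as its drop reason)."""
    try:
        info = parse_frame(frame)
    except ValueError as err:
        return f"malformed: {err}"
    fc = info["app_fc"]
    if fc in RISKY_FUNCTION_CODES:
        return (f"blocked {RISKY_FUNCTION_CODES[fc]} (FC {fc}) "
                f"from {info['src']} to {info['dst']}")
    return None


# Constructed sample traffic: a normal class 0/1/2/3 poll and a cold restart.
READ_CLASS_DATA = build_request(10, 1, 1, objects=bytes.fromhex("3c02063c03063c04063c0106"))
COLD_RESTART = build_request(10, 1, 13, seq=1)
# The same restart frame with its function-code octet flipped: the CRC check must catch it.
_corrupted = bytearray(COLD_RESTART)
_corrupted[12] ^= 0xFF
CORRUPTED = bytes(_corrupted)

if __name__ == "__main__":
    for name, frame in [("read", READ_CLASS_DATA), ("cold restart", COLD_RESTART), ("corrupted", CORRUPTED)]:
        print(f"{name:13s} {frame.hex()} -> {inspect_frame(frame) or 'pass'}")
```

Two design points worth noting. The CRC check comes first because a DNP3 stack with a parsing bug is exactly what the deck is about: a frame that fails its CRC should never reach the function-code decision, let alone the outstation. And the policy is a deny list of the function codes the slide names; in a real DPI deployment you would invert it into an allow list of the handful of codes your master actually uses (typically READ, WRITE, SELECT/OPERATE/DIRECT_OPERATE, CONFIRM and the time-sync codes), which also covers codes this example does not list.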

Page 14: Network Security Monitoring

Newer enterprise security technologies can be used to help detect, respond to, and contain threats on your SCADA network

Security Operations Center
◦ Security analyst(s) using a SIEM
◦ Log aggregation
◦ Anomaly and intrusion detection
◦ Indicators of Compromise (IOCs)
◦ Full packet capture

Security Onion (Linux distro): www.securityonion.net

Page 15: Proper Physical Security

What is the proper amount of physical security? It depends…

If your critical SCADA master has top physical security, but the serially-connected tiny distribution RTU does not, is that okay?

Use a lock that meets or exceeds: UL 437, ANSI 156.30 Grade A, or ASTM F883 Grade 6

Harden your external barriers
The better the defenses, the more time it buys you to respond

Page 16: Protecting Your DNP3 Networks

Page 17: Physical Security

3/8” Mesh
ASTM Grade 6

These may buy you extra time to respond

Page 18: Protecting Your DNP3 Networks

“Thieves hit our store last night. This is how they circumvented the door alarm…”

via http://redd.it/1pn1xi

Page 19: Protecting Your DNP3 Networks

Because people follow directions…you know what happens next

Page 20: Employee Awareness

Train your folks on ICS/SCADA security
◦ Security conferences, several training classes available
◦ http://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
◦ GICSP Certification

Security awareness is important
Have a questioning attitude
Report suspicious computer or personal activity/incidents
◦ Who do you call?
◦ Internal hotline, supervisor, SOC, etc.
◦ ICS-CERT (877-776-7585)

Page 21: DNP3 Will Be Here A While

Ask your vendors for DNP3-SA if they don’t have it or aren’t already working on it

Require in the bids for new SCADA systems or upgrades that they be tested by a 3rd party, including the DNP3 protocol stack
◦ Positive tests: FAT/SAT
◦ Negative tests: fuzzing (it’s not new, folks!)

Page 22: Conclusions

DNP3 isn’t a special case. Other ICS protocols will see the same fate: Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP…

You can defend your SCADA

Early testing of both the slave/server AND master/client sides of the protocol is important!

Compliance != Security, but the culture is important

Don’t count on the government to protect your critical systems…it’s your job

Page 23: Protecting Your DNP3 Networks

Page 24: Ideas? Questions?