The Subversive Six: Hidden Risk Points in ICS


Upload: tripwire

Post on 06-Apr-2017


TRANSCRIPT

Page 1: The Subversive Six: Hidden Risk Points in ICS

© 2017 Belden Inc. | belden.com | @BeldenInc

Wednesday, March 22, 2017

The Subversive Six: Hidden Risk Points in ICS

Sean McBride, ICS Attack Synthesis Lead, FireEye-iSIGHT

David Meltzer, Chief Research Officer, Belden-Tripwire

Erik Schweigert, Software Manager, R&D, Tofino Security, Belden

Page 2: Agenda

• Risks we can see
• The Subversive Six
• Mitigations
• Summary & Q&A

Page 3: (image-only slide)

Page 4: 33% of ICS-Specific Vulnerabilities Have No Fix at Public Disclosure (Since 2010)

Page 5: Vulnerabilities by ICS Level (or Zones), Modified Purdue Model


Page 6: Level 2: Highest Number of Vulnerabilities

• ICS-specific vulnerabilities affecting each level, February 2013 to April 2014
• Vulnerabilities may affect more than one zone

Page 7: Larger Potential Physical Consequences

• San Bruno PG&E Explosion, 2010

Page 8: The “Subversive Six”

• Outdated hardware
• Vulnerable Windows operating systems
• Weak password management
• Weak file integrity checks
• Unauthenticated protocols
• Undocumented third-party relationships

Page 9: Outdated hardware

• The U.S. Nuclear Regulatory Commission (NRC) reports that in August 2006, PLCs and VFDs at the Browns Ferry Nuclear Generating Station malfunctioned as a result of excessive network traffic.
• Digital Bond names the GE D20 substation gateway device as obsolete technology exhibiting serious vulnerabilities.

Page 10: Vulnerabilities affecting Windows operating systems

• In 2015, numerous exploit kits
  − targeted unsupported OS versions
  − and supported OS versions for which patches were already available
• Windows 7 (supported through January 2020)
  − CVE-2011-5046, CVE-2010-4701, CVE-2010-3227
  − these also affect Windows XP (no longer supported)
• Publicly available exploit code exists for at least eight vulnerabilities in Windows Server OS versions widely used in production and plant environments.
  − Windows Server 2008 (Service Pack 1 and 2 supported to January 2020)
  − Windows Server 2003 (support ended in July 2015)

Page 11: Weak password management

• Vendor default passwords are easily available online
  − One group of researchers actively maintains publicly available lists of hard-coded or default passwords for ICS devices
• Research findings (as of September 2016): dozens of vulnerabilities involving password weaknesses in ICS devices and software from numerous vendors

Page 12: Weak file integrity checks

• PLC worm: In March 2016 researchers demonstrated a PLC worm that spread from one Siemens PLC to another by modifying control logic. The researchers opine that other PLCs using unencrypted protocols are susceptible to similar attacks.
• Unauthorized firmware modifications: In 2013 a Master's degree candidate from the U.S. Air Force Institute of Technology demonstrated a firmware modification attack against a Rockwell Automation PLC.
• DHS warnings: In 2009 the U.S. Department of Homeland Security (DHS) warned that adversaries may attack industrial environments by pushing rogue firmware uploads to controllers in a plant.
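As an added example (not from the deck or from any vendor named on it), the following Python shows the check whose absence these three incidents rely on: a manifest of SHA-256 digests over firmware images and control-logic project files, authenticated with an HMAC so that an attacker who can replace a file cannot also quietly fix up the baseline entry. File names, file contents and the key are constructed for illustration.

```python
"""Keyed integrity manifest for PLC firmware and control-logic files.

Added example, not code from the Belden/FireEye/Tripwire deck. A plain
checksum list can be edited along with the file it protects; a manifest
signed with a key the controller network never sees cannot. File names,
contents and the key below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Hypothetical key held by the FIM server / engineering workstation,
# never stored beside the files it protects.
MANIFEST_KEY = b"example-manifest-key-rotate-me"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict[str, str]) -> bytes:
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict[str, bytes], key: bytes = MANIFEST_KEY) -> dict:
    """Hash every approved file and sign the whole set with HMAC-SHA256."""
    entries = {name: digest(data) for name, data in files.items()}
    return {"files": entries, "mac": hmac.new(key, _canonical(entries), "sha256").hexdigest()}


def verify_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> bool:
    """Reject a manifest whose entries were edited after it was signed."""
    expected = hmac.new(key, _canonical(manifest["files"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def check_files(manifest: dict, files: dict[str, bytes], key: bytes = MANIFEST_KEY) -> dict:
    """Compare current files with the manifest.

    If the manifest itself fails authentication nothing is trusted and every
    file is reported as modified, because an attacker who can rewrite the
    manifest could otherwise hide a rogue firmware image behind a fresh hash.
    """
    if not verify_manifest(manifest, key):
        return {"trusted": False, "modified": sorted(files), "added": [], "missing": []}
    baseline = manifest["files"]
    return {
        "trusted": True,
        "modified": sorted(n for n in files if n in baseline and digest(files[n]) != baseline[n]),
        "added": sorted(n for n in files if n not in baseline),
        "missing": sorted(n for n in baseline if n not in files),
    }


# Constructed sample: a firmware image and a control-logic project as approved.
APPROVED = {
    "plc_firmware_v20.bin": b"\x7fFW\x00" + b"\x90" * 64,
    "line3_logic.l5k": b"CONTROLLER Line3 ... END_CONTROLLER",
}
MANIFEST = build_manifest(APPROVED)


def demo_firmware_swap() -> dict:
    """Rogue image replaces the approved firmware; its digest no longer matches."""
    current = dict(APPROVED)
    current["plc_firmware_v20.bin"] = b"\x7fFW\x00" + b"\x90" * 63 + b"\xcc"
    return check_files(MANIFEST, current)


def demo_manifest_tamper() -> dict:
    """Attacker also rewrites the manifest entry to match the rogue image,
    but cannot forge the HMAC, so the whole manifest is rejected."""
    current = dict(APPROVED)
    current["plc_firmware_v20.bin"] = b"rogue"
    forged = {"files": dict(MANIFEST["files"]), "mac": MANIFEST["mac"]}
    forged["files"]["plc_firmware_v20.bin"] = digest(b"rogue")
    return check_files(forged, current)


if __name__ == "__main__":
    print(check_files(MANIFEST, APPROVED))
    print(demo_firmware_swap())
    print(demo_manifest_tamper())
```

In practice the manifest is produced where firmware and project files are approved and checked wherever they are about to be pushed to a controller; the same comparison run on a schedule against files read back from the engineering workstation is the file integrity monitoring the slide says is weak.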

Page 13: Unauthenticated protocols

• Level 0-1: HART, Foundation Fieldbus, Profibus, CAN
• Level 1-2: Modbus, DNP3, EtherNet/IP

Page 14: Undocumented third-party relationships

• In January 2013 Russian researchers identified at least 15 third-party products used by Siemens WinCC. These products exhibited a total of over 1,800 vulnerabilities, one of which was disclosed in 1997.
• Two other examples of third-party issues that affected ICS in recent years are Heartbleed and POODLE. Both weaknesses affected numerous ICS devices; however, many vendors did not release advisories until months after the weaknesses were publicized.

Page 15: What is Deep Packet Inspection and How Can it Help?

• Deep Packet Inspection firewalls are designed to filter at both:
  − the TCP/UDP and IP layers (just like a regular firewall)
  − the Session, Presentation and Application layers
• First acts as a Layer 3/4 firewall
• Then performs DPI
• Can inspect commands, services, objects and addresses in SCADA and process control protocols

Frame layout shown on the slide:

  Ethernet | IP | TCP | Upper Layers & Data | FCS
  Ethernet: MAC address
  IP: source and destination address
  TCP: destination port (possibly)
  Upper Layers & Data: SCADA protocol (commands, services, objects, addresses, etc.) and data

Page 16: Deep Packet Inspection Terms

Control Plane
• The ability to update the underlying firmware is usually vendor specific
• Usually not widely published. This could be ‘special’ function codes; think Modbus FC 90 (Schneider Unity programming / OFS software)
• You could think of it as doing a kernel update on a Linux system or a Windows update. It has widespread effects on the system.
• In many/most cases there is no authentication on the protocols that provide this functionality. DPI is needed for this.

Data Plane
• Think user data traffic
• The HMI presents data to the plant operator such as:
  • temperature values
  • pressure controls
  • any monitored values, which are usually functions of ladder logic
• The actual process data
• Typical protocols:
  • Modbus/TCP
  • EtherNet/IP (CIP)
  • DNP3

Page 17: Signature-Based Deep Packet Inspection?

• A signature-based system is only a reactive mechanism. The signatures are usually built from an already discovered vulnerability. A better, proactive method is needed.
• Signatures provide a shallow inspection and require signature database updates (Internet access on the plant floor is a no-no)
• A signature is typically made for a specific vulnerability, so if one byte changes in the attack vector you have to build a new signature to mitigate it
• This effectively builds a blacklist rather than a whitelist
• For open source / published protocols a signature-based methodology is insufficient; full protocol inspection is a must
  − One use could be for a proprietary protocol where only basic byte checking is required.
• There must be a more complete way!
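The following Python is an added example, not code from the deck, from Tofino or from any vendor named here. It ties together Page 13 (Modbus carries no credential at all), Page 16 (control-plane function codes such as Modbus FC 90 versus data-plane reads) and this slide (signature versus full protocol inspection): it parses the Modbus/TCP MBAP header, drops frames whose length field disagrees with the frame, enforces a per-source allowlist of function codes and writable registers, and shows that a byte signature written for one bad write misses a one-byte variant while the allowlist denies both. IP addresses, register ranges, the policy and all frames are constructed.

```python
"""Modbus/TCP deep packet inspection, allowlist style (added example).

Not code from the Belden/FireEye/Tripwire deck or from Tofino. Parses the
MBAP header and function code, rejects malformed frames, then applies a
per-source policy separating data-plane reads (HMI) from control-plane
writes and programming (engineering workstation only). Addresses, register
ranges and frames are constructed.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

MODBUS_PORT = 502
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
FC_SCHNEIDER_UMAS = 0x5A  # Modbus FC 90, used by Schneider Unity for programming

DATA_PLANE_FCS = {0x01, 0x02, 0x03, 0x04}       # read-only function codes
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}            # coil/register writes
CONTROL_PLANE_FCS = {0x2B, FC_SCHNEIDER_UMAS}   # device id, programming, firmware


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse MBAP header + PDU; raise ValueError on a malformed frame.

    The MBAP length field counts unit id + PDU, so it must equal
    len(payload) - 6; anything else is fragmentation or a crafted frame.
    """
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(payload)}")
    return ModbusFrame(tid, unit, payload[7], payload[8:])


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request; note that no credential field exists anywhere."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([fc]) + data


# Hypothetical conduit policy: which source may send which function codes to the PLC.
POLICY = {
    "10.0.10.20": DATA_PLANE_FCS,                                  # HMI: reads only
    "10.0.10.50": DATA_PLANE_FCS | WRITE_FCS | CONTROL_PLANE_FCS,  # engineering workstation
}
WRITABLE_REGISTERS = range(100, 110)  # constructed setpoint range a write may touch


def inspect(src_ip: str, dst_port: int, payload: bytes) -> tuple[str, str]:
    """Return ('allow'|'deny', reason): Layer 3/4 check first, then protocol DPI."""
    if dst_port != MODBUS_PORT:
        return "deny", "not a Modbus/TCP port"
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return "deny", f"source {src_ip} is not in any conduit"
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    if frame.function_code not in allowed:
        return "deny", f"function code 0x{frame.function_code:02X} not allowed for {src_ip}"
    if frame.function_code == FC_WRITE_SINGLE and len(frame.data) >= 2:
        (register,) = struct.unpack(">H", frame.data[:2])
        if register not in WRITABLE_REGISTERS:
            return "deny", f"write to register {register} outside setpoint range"
    return "allow", f"fc 0x{frame.function_code:02X} from {src_ip}"


# Constructed frames: HMI read, HMI write, a one-byte variant of that write,
# a programming (UMAS) request, and a write to a register outside policy.
HMI_READ = build_request(1, 1, FC_READ_HOLDING, struct.pack(">HH", 100, 4))
HMI_WRITE = build_request(2, 1, FC_WRITE_SINGLE, struct.pack(">HH", 100, 0x1234))
HMI_WRITE_VARIANT = build_request(3, 1, FC_WRITE_SINGLE, struct.pack(">HH", 100, 0x1235))
UMAS_REQUEST = build_request(4, 1, FC_SCHNEIDER_UMAS, b"\x00\x01")
WRITE_BAD_REGISTER = build_request(5, 1, FC_WRITE_SINGLE, struct.pack(">HH", 500, 1))

# A "signature" written for HMI_WRITE: the exact PDU bytes as first observed.
KNOWN_BAD_SIGNATURE = bytes([FC_WRITE_SINGLE]) + struct.pack(">HH", 100, 0x1234)


def signature_match(payload: bytes) -> bool:
    """Signature-style check: matches only the bytes it was written for."""
    return KNOWN_BAD_SIGNATURE in payload


def signature_vs_dpi(payload: bytes, src_ip: str = "10.0.10.20") -> tuple[bool, str]:
    """(signature fired?, DPI verdict) for the same frame from the HMI address."""
    return signature_match(payload), inspect(src_ip, MODBUS_PORT, payload)[0]


if __name__ == "__main__":
    for name, frame in [("HMI read", HMI_READ), ("HMI write", HMI_WRITE), ("UMAS", UMAS_REQUEST)]:
        print(name, "from HMI:", inspect("10.0.10.20", MODBUS_PORT, frame))
    print("UMAS from EWS:", inspect("10.0.10.50", MODBUS_PORT, UMAS_REQUEST))
    print("signature vs DPI, original / variant:", signature_vs_dpi(HMI_WRITE), signature_vs_dpi(HMI_WRITE_VARIANT))
```

The order of checks mirrors the slide: port and source first (the Layer 3/4 firewall), then a full parse that refuses to interpret a frame whose length field lies, then the protocol-level decision. Because the decision is "is this function code and register permitted from this source", it does not depend on having seen a particular attack before, which is the whitelist-over-blacklist point of the slide.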

Page 18: Signatures – Depth Matters

• Depth is more important than breadth
• Breadth with no depth has little to no value
• A signature that validates a single byte should not be touted as ‘supporting that protocol’; disregard the marketing fluff
• Question claims like “We support 500 protocols”: how deep?

Page 19: Tofino™ Xenon Industrial Security Appliance

The Tofino Xenon delivers advanced cyber security protection for industrial networks, securing critical assets at Layer 2, making it easier to deploy and transparent to the network.

• No IP or network architecture changes needed
• Protects endpoint devices (PLCs, RTUs, IEDs, DCS, HMIs, Historians, Controller Consoles, etc.)
• Easy to deploy with Plug and Protect™; no downtime
• Secure Zones and Conduits (IEC 62443)
• Deep Packet Inspection for industrial protocols to enforce security policy
  − DNP3 and IEC 104
  − Modbus/TCP
  − OPC
  − EtherNet/IP
  − Others coming
• Auto-generates firewall rules, and controls access to and egress from secure zones

Page 20: Belden, FireEye, Tripwire Industrial Security Solutions

• Assessment and Recommendations
• Industrial Ethernet Infrastructure Design
• Security Configuration Monitoring
  − Asset Discovery and configurations
• Security Event Logging
• Vulnerability Management
• Industrial Networking Appliances
  − Firewalls, Routing, Switches, Serial Communications, Media Converters, Wireless Security, PoE
  − Industrial Protocol Security
  − Deep Packet Inspection

Page 21: Summary: Reducing Risk, Increasing Efficiency, and Faster Response

• Get a plan and program for ICS security
  − Call in consultants to assess and recommend
  − Merge ICS security governance with enterprise security governance
• Inventory your control systems and automate the maintenance
  − Software, hardware, firmware versions
  − Controllers
  − Function/impact
• Segment your network, and consider an “easy button” such as Tofino
  − Passively listens, suggests firewall rules
  − A “bump on the wire,” creating a secure zone and requiring no IP or subnet changes
  − Review firewall placement and rules
  − Review router configurations

Page 22: Resources

• Incident Response: investigation help to figure out if there has been a compromise
• Compromise Assessment: help identifying if there is current or past breach activity in the environment
• Inquiring about a health check assessment: basic information
• NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015
• Belden ICS Security website: product information, blog, news
• FireEye Threat Research Blog
• Belden Industrial Security Blog
• iSIGHT Resources
• SANS Institute: SANS 2016 State of ICS Security Report
• Belden Whitepaper: Cybersecurity in Electrical Substations
• Belden Whitepaper: Understanding Deep Packet Inspection and Industrial Protocols
• Tripwire State of Security Blog
• ICS-CERT compilation of reference documents
• SCADA Hacker website: Resources link
• Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems

Page 23: (image-only slide)

Page 24: Thank You!