Secrets of Crypto Technology Unleashed for Enhanced ICS Cybersecurity

Chris Guo, Principal Engineer, Ultra Electronics, 3eTI

3eTI SLIDE 2: Agenda & Background
Raise awareness and prompt adoption

© 2017 Ultra Electronics

• Overview of cryptographic technologies
• Crypto is gaining acceptance at a rapid pace
• ROI is becoming beneficial
• Applying crypto to ICS networks
• ICS crypto protocols
• Crypto in ICS product designs
• Q & A

Ultra Electronics, 3eTI
  – 20 years of history in secured software/hardware R&D; provider of secured wireless products for government agencies
  – Provides cyber security solutions, including ICS cyber security, to DoD customers

3eTI SLIDE 3: Key Crypto Security Concepts

• Confidentiality (Privacy)
• Integrity (Replay)
• Availability (DoS Attacks)
• Authentication (Identity)
• Authorization (Privileges)
• Non-repudiation (Undeniable Action)

3eTI SLIDE 4: Cryptographic Technologies
Algorithms are the building blocks for meeting security requirements

• Block ciphers (symmetric ciphers, AES) – modes: CCM/CMAC, GCM/GMAC, XTS-AES, KW/KWP
  – CCM and GCM offer both privacy and integrity
  – CMAC/GMAC: integrity only
  – KW/KWP: key wrap
• Digital signatures (asymmetric ciphers: RSA, ECDSA, DSA) – >=112 bits of security strength
• Secure hashing (SHA-1, SHA-2, SHA-3) – SHA-1 should NOT be used for signature generation or time stamp generation after 2015
  – SHA-256 at minimum should be used
• Message authentication
• Random number generation (entropy source)
• Other important components (key generation, key derivation, key establishment)
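To make the CCM/GCM versus CMAC/GMAC distinction above concrete, here is an added Go example (written for this page; it is not code from 3eTI's slides or products). It seals a command frame with AES-GCM, keeping the header readable on the wire but authenticated as additional data, shows that a one-bit change to that header makes decryption fail closed, and then uses the same primitive with an empty plaintext to produce an integrity-only GMAC tag. The key, header bytes and setpoint string are constructed, and the function names (sealFrame, openFrame, gmacTag) are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFrame encrypts the frame body and authenticates body plus header.
// The header travels in clear as additional authenticated data (AAD): switches
// and PLCs can still route on it, but any change is caught by openFrame.
// The 96-bit nonce comes from the OS CSPRNG and must never repeat under one
// key; it is returned so the sender can transmit it next to the ciphertext.
func sealFrame(key, header, body []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, body, header), nil // 16-byte tag appended to ct
}

// openFrame fails closed: one flipped bit in nonce, header, ciphertext or tag
// yields an error and no plaintext at all.
func openFrame(key, nonce, header, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, header)
}

// gmacTag is GCM with an empty plaintext and the whole frame as AAD: the result
// is a 16-byte integrity-only tag (the GMAC mode on the slide). Nothing is encrypted.
func gmacTag(key, nonce, frame []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, nil, frame), nil
}

// demo seals a constructed write command, opens it, then tampers with the
// cleartext header. It returns (roundTripOK, tamperDetected).
func demo() (bool, bool, error) {
	key := make([]byte, 32) // AES-256; constructed throwaway key
	if _, err := rand.Read(key); err != nil {
		return false, false, err
	}
	header := []byte{0x01, 0x10, 0x00, 0x05} // constructed: unit 1, write, register 5
	body := []byte("SETPOINT=42.0")

	nonce, ct, err := sealFrame(key, header, body)
	if err != nil {
		return false, false, err
	}
	pt, err := openFrame(key, nonce, header, ct)
	if err != nil {
		return false, false, err
	}
	roundTrip := bytes.Equal(pt, body)

	tampered := append([]byte(nil), header...)
	tampered[3] ^= 0x01 // header now points the write at register 4
	_, err = openFrame(key, nonce, tampered, ct)
	return roundTrip, err != nil, nil
}

func main() {
	ok, caught, err := demo()
	fmt.Println("round trip:", ok, "tamper detected:", caught, "err:", err)
}
```

The nonce handling is the part that matters operationally: GCM security collapses if a (key, nonce) pair is ever reused, so a device that cannot keep a reliable counter across power cycles should either draw nonces from a CSPRNG as above or rekey on every session, which is what MACsec's session rekey (slide 10) does.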

3eTI SLIDE 5: Current State of Industrial Cyber Attacks
They are getting worse

• INSIDER ATTACK (Maroochy Water System, 2010): a disgruntled ex-employee hacked into the water system and flooded the community with sewage.
• ENTERPRISE INFECTION ("Unnamed" steel mill, 2011): the Conficker worm infected the control network, causing instability in communications.
• BACKDOOR ATTACK (Target retail stores, 2013): the attackers backed their way into the network by compromising a 3rd-party vendor to steal data.
• SCADA MALWARE (Natanz nuclear facility, 2010): Stuxnet infected the air-gapped control network, bypassing its isolation and causing damage to centrifuges.
• ENTERPRISE ATTACK (Saudi Aramco & RasGas, 2012): networks infected with the Shamoon virus had their information erased, causing enterprise network outages.
• PLC ATTACK (Project Basecamp, 2012): a team used a penetration test on PLCs to show how badly vulnerable their SCADA/ICS were.
• INSIDER ATTACK ("Unnamed" steel mill, Germany, 2014): hackers disrupted networks to access automation equipment, resulting in massive damage.
• MISCONFIGURATION (Google HQ, Wharf, 2013): SHODAN discovered over 21,000 misconfigured building automation systems.
• BACKDOOR ATTACK (New York dam, 2015): Iranian hackers tried to open flood gates. Was this a dress rehearsal for something bigger?
• SCADA ATTACK (Ukraine utilities, 2015): left 225,000 customers in the dark; the 1st successful cyber attack to knock a power grid offline.
• PLC ATTACK (Kemuri Water Company, 2016): a hack accessed hundreds of PLCs and manipulated control applications, altering chemicals.

WHAT'S NEXT?

3eTI SLIDE 6: DHS's Seven ICS Security Strategies
Recommendations that go beyond the firewall

1. Application Whitelisting (AWL)
2. Ensure Proper Configuration Management
3. Reduce Your Attack Surface Area
4. Build a Defendable Environment
5. Manage Authentication
6. Secure Remote Access
7. Monitor and Respond

In 2017, 2700+ incidents were reported to ICS-CERT; many more went unreported or undetected. 98% of the reported incidents would have been prevented had the strategies outlined in this report been followed.

3eTI SLIDE 7: How Crypto Could Have Helped Prevent the Ukraine Electric Grid Attack

[Diagram: IT side (Enterprise PC) to OT side (OT Workstation) to Control; control gained through email phishing, leading to shutdown & damage]

Imagine crypto technology had been applied: would it foil the attack? Assume the OT network is breached.

3eTI SLIDE 8: What Is Needed and How to Apply Cryptographic Technologies

• Security for non-repudiation of critical operation messages
  – Authentication & authorization
  – #5 from the DHS strategies
• Apply cryptographic digital signatures (asymmetric key) – proper implementation is important
  o Use multiple factors; use a physical smart card to perform the signing
  o Do not use a hard-coded signing key in the control software
  o Design the message to be replay-proof
• Consider message authentication (HMAC) – a symmetric key is used (can the key be compromised on the other end?)
  – Where is the key store implemented?
    o Inside the application (hard-coded)? It won't work here, since the hacker has total control
    o Operator input on demand? Still vulnerable, since the hacker can log keystrokes
    o Stored on separate hardware such as a USB drive? What about the copies in memory?
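The three signature requirements on this slide (signing key kept off the control host, signature over a whole message, replay-proof design) fit together in a small protocol. The Go program below is an added example written for this page, not code from 3eTI or from any PLC vendor: a Signer type stands in for the operator's smart card and is the only holder of the ECDSA P-256 private key, every message carries a per-operator sequence number and a timestamp inside the signed bytes, and the PLC-side Verifier accepts a message only if the signature checks, the sequence number is strictly newer than the last accepted one, and the timestamp is within a skew window. Operator names, commands, timestamps and the window are constructed values; the type and function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// OpMessage is a critical operation message. Seq and IssuedAt sit inside the
// signed bytes, which is what makes a captured copy useless later.
type OpMessage struct {
	Operator string
	Command  string
	Seq      uint64 // strictly increasing per operator
	IssuedAt int64  // Unix seconds on the operator's clock
	Sig      []byte // ASN.1 ECDSA signature over Encode()
}

func appendU64(b []byte, v uint64) []byte {
	var tmp [8]byte
	binary.BigEndian.PutUint64(tmp[:], v)
	return append(b, tmp[:]...)
}

// Encode serializes every field with length prefixes, so field boundaries are
// unambiguous and the signature covers the whole frame, not just the command.
func (m *OpMessage) Encode() []byte {
	var out []byte
	for _, s := range []string{m.Operator, m.Command} {
		out = append(appendU64(out, uint64(len(s))), s...)
	}
	return appendU64(appendU64(out, m.Seq), uint64(m.IssuedAt))
}

// Signer stands in for the operator's smart card: the private key and the
// sequence counter live here and never reach the control software.
type Signer struct {
	operator string
	key      *ecdsa.PrivateKey
	seq      uint64
}

func NewSigner(operator string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256: 128-bit strength
	if err != nil {
		return nil, err
	}
	return &Signer{operator: operator, key: key}, nil
}

func (s *Signer) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// Sign issues the next message in sequence, signed over SHA-256 of Encode().
func (s *Signer) Sign(command string, now int64) (*OpMessage, error) {
	s.seq++
	m := &OpMessage{Operator: s.operator, Command: command, Seq: s.seq, IssuedAt: now}
	digest := sha256.Sum256(m.Encode())
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	if err != nil {
		return nil, err
	}
	m.Sig = sig
	return m, nil
}

var (
	ErrUnknownOperator = errors.New("unknown operator")
	ErrBadSignature    = errors.New("signature verification failed")
	ErrReplay          = errors.New("sequence number not fresh (replay)")
	ErrStale           = errors.New("timestamp outside acceptance window")
)

// Verifier is the PLC side: enrolled public keys, the last accepted Seq per
// operator, and a clock-skew window in seconds for IssuedAt.
type Verifier struct {
	keys    map[string]*ecdsa.PublicKey
	lastSeq map[string]uint64
	window  int64
}

func NewVerifier(window int64) *Verifier {
	return &Verifier{keys: map[string]*ecdsa.PublicKey{}, lastSeq: map[string]uint64{}, window: window}
}

func (v *Verifier) Enroll(operator string, pub *ecdsa.PublicKey) { v.keys[operator] = pub }

// Accept returns nil only when signature, sequence and timestamp all check out;
// the stored sequence number advances only after every check has passed.
func (v *Verifier) Accept(m *OpMessage, now int64) error {
	pub, ok := v.keys[m.Operator]
	if !ok {
		return ErrUnknownOperator
	}
	digest := sha256.Sum256(m.Encode())
	if !ecdsa.VerifyASN1(pub, digest[:], m.Sig) {
		return ErrBadSignature
	}
	if m.Seq <= v.lastSeq[m.Operator] {
		return ErrReplay
	}
	if d := now - m.IssuedAt; d > v.window || d < -v.window {
		return ErrStale
	}
	v.lastSeq[m.Operator] = m.Seq
	return nil
}

func main() {
	s, _ := NewSigner("alice")
	v := NewVerifier(30)
	v.Enroll("alice", s.Public())
	m, _ := s.Sign("OPEN_BREAKER_7", 1000)
	fmt.Println("first delivery:", v.Accept(m, 1001), "| replayed copy:", v.Accept(m, 1002))
}
```

Two design points are worth noting. The sequence check alone defeats replay even if clocks are wrong, and the timestamp window bounds how long a captured-but-undelivered message stays valid; using both covers a PLC that reboots and loses its lastSeq table. And because the key never leaves Signer, the total-control scenario on the slide (attacker owns the OT workstation) lets the attacker submit requests to the card but not mint signatures without it, which is exactly the non-repudiation property the slide asks for.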

3eTI SLIDE 9: Applying Crypto to ICS Networks
Typical ICS Architecture

[Diagram of a typical ICS architecture; labels recovered from the figure: Enterprise Networks, External Networks, Remote Access, Authentication Server, Mirrored Data Servers, Report/Alarm Server, HMI, Application Server, SCADA Server, Support Networks, Process Control Networks, Engineering Terminal, Wireless, PLC (three), Data/Historian Server. Zones: PCs and IT Networks; Embedded Devices (PLCs, etc.) & Serial Buses; Control Network; Facility Network; Office Network; Industrial Process; Infrastructure Automation; Facility Monitoring]

3eTI SLIDE 10: Protect the LAN

• IEEE 802.1AE – Media Access Control Security (MACsec)
  – Point-to-point security on Ethernet links between directly connected nodes
    o AES-GCM provides both data frame privacy and integrity
    o Secure session rekey
  – Encrypts all frames, including LLDP, ARP, LACP and DHCP
  – Prevents most Layer 2 threats
    o ARP snooping/spoofing
    o Passive wiretapping (network reconnaissance)
    o Man-in-the-middle, masquerading, replay
    o Denial of service
    o Intrusion
• Reduces attack surface (DHS Strategy #3)
• Wire-speed encryption on switches

[Figure: network without MACsec vs. network with MACsec]

3eTI SLIDE 11: Protect the IP Network
Use secure remote access (DHS Strategy #6)

• VPN is widely used
• TLS (Transport Layer Security) – prefer versions 1.1 and 1.2
  – Tighten up the TLS cipher suite configuration
    o Use Forward Secrecy (FS), also called PFS
    o DH group of at least 1024 bits; 2048 bits and higher is preferred (Logjam, FREAK attacks)
    o Use ECDHE if possible
    o FS is deployed by Google, Twitter web services, WhatsApp, Facebook
    o Disable weak ciphers and weak DH groups to counter "downgrade" attacks
  – Watch for TLS CVEs
• IPsec – the ESP cipher shall provide both privacy & integrity (AES-GCM)
  – Use IKEv2 if possible
  – Choose a strong cipher list for both the IKE SA and the ESP phase
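The TLS hardening bullets above translate directly into a configuration plus an audit of that configuration. The Go program below is an added example for this page, not 3eTI's code: hardenedTLSConfig expresses the slide's posture with Go's crypto/tls (forward-secret ECDHE suites only, AEAD ciphers, strong curves), legacyTLSConfig is a constructed contrast case, and auditTLSConfig reports every suite that lacks ECDHE or that Go itself lists as insecure, plus a version floor below 1.2. Two assumptions differ from the slide: Go's TLS stack has no finite-field DHE, so the "DH group size" advice becomes a choice of curves (CurvePreferences), and the example takes TLS 1.2 rather than 1.1 as the floor. TLS 1.3 suites are not listed because Go does not let applications configure them and all of them are forward secret.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// hardenedTLSConfig: TLS 1.2 floor, only ECDHE (forward-secret) suites with
// AES-GCM or ChaCha20-Poly1305, and only strong curves for the key exchange.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384},
	}
}

// legacyTLSConfig is a constructed "anything goes" configuration of the kind
// the slide warns about: TLS 1.0 floor, static-RSA key exchange, CBC and 3DES.
func legacyTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		},
	}
}

// Finding is one audit result; Suite is "-" for config-level findings.
type Finding struct {
	Suite  string
	Reason string
}

// auditTLSConfig checks what the slide asks for: a modern version floor, an
// explicit suite list, ECDHE on every suite (forward secrecy), and nothing that
// crypto/tls itself flags as insecure.
func auditTLSConfig(cfg *tls.Config) []Finding {
	var findings []Finding
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, Finding{"-", "MinVersion below TLS 1.2"})
	}
	if len(cfg.CipherSuites) == 0 {
		findings = append(findings, Finding{"-", "no explicit cipher suite list (depends on Go defaults)"})
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		if !strings.Contains(name, "ECDHE") {
			findings = append(findings, Finding{name, "no forward secrecy (static key exchange)"})
		}
		if insecure[id] {
			findings = append(findings, Finding{name, "listed by crypto/tls as insecure"})
		}
	}
	return findings
}

func main() {
	for name, cfg := range map[string]*tls.Config{"hardened": hardenedTLSConfig(), "legacy": legacyTLSConfig()} {
		findings := auditTLSConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  %-45s %s\n", f.Suite, f.Reason)
		}
	}
}
```

The audit deliberately relies on tls.InsecureCipherSuites() rather than a hand-maintained blocklist, so it tracks the "watch for TLS CVEs" bullet as the Go toolchain is updated; the ECDHE name check is the forward-secrecy test and is independent of that list.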

3eTI SLIDE 12: Crypto in ICS Protocols
Case study: Siemens S7Comm, S7CommPlus

• S7Comm – clear text, no security protection
  – Malware: live worms implemented on S7-300 and S7-400 PLCs in 2011 & 2015
• S7CommPlus – designed to address trust between the PLC and TIA (HMI)
  – S7-1200 v3 is the first release
  – Uses a 2-byte session ID from the PLC and expects a 2-byte Object ID from TIA as the secret handshake
  – Quickly hacked: Object ID = session ID + 0x80
  – S7-1200 v4 uses more "encryptions": three in total
    o 1st "encryption" is Object ID = XOR(session ID + 80)
    o 2nd and 3rd "encryptions" are private
    o But they are packed in a Windows DLL, so anyone can access them
    o Hacked in 2017

Source: Cheng Lei, "The spear to break the security wall of S7CommPlus", DEF CON 25

3eTI SLIDE 13: ICS Protocol Security Design
Lessons learned

• Clearly define the security goal
  – In S7, if the security objective is to set up trust between the PLC and TIA
  – then an asymmetric cipher could be the best fit
• Use open-standard cryptographic technology – it is heavily scrutinized, tested and readily available
• Protect the whole protocol packet frame
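The S7CommPlus case study and these lessons come down to two properties a handshake needs: the response must depend on a secret the peer actually holds, and it must be bound to the whole frame it authorizes. The Go program below is an added example written for this page; it does not reproduce the S7 algorithm or any vendor code. The weak path is a generic, constructed stand-in for an unkeyed "secret handshake" (response = fixed transform of the challenge) and is there only to show what it fails to check; the hardened path answers a fresh random challenge with HMAC-SHA256 over challenge plus the entire frame, which is the open-standard, whole-frame design the slide recommends for a symmetric setting. The Frame layout, function codes and key are constructed; the function names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Frame is a toy PLC command: fixed header fields plus a payload.
type Frame struct {
	FunctionCode uint16 // constructed: 1 = read, 2 = write
	Address      uint16
	Payload      []byte
}

// Bytes is the on-the-wire form; every field is included so that a MAC over it
// covers the whole frame, header and payload alike.
func (f Frame) Bytes() []byte {
	b := make([]byte, 4, 4+len(f.Payload))
	binary.BigEndian.PutUint16(b[0:2], f.FunctionCode)
	binary.BigEndian.PutUint16(b[2:4], f.Address)
	return append(b, f.Payload...)
}

// Weak design (generic stand-in, constructed for contrast): the station answers
// the PLC's challenge with a fixed, unkeyed transform. No secret is involved,
// and the frame that follows is not bound to the answer at all.
func weakResponse(challenge uint16) uint16 { return challenge ^ 0x5A5A }

func weakVerify(challenge, response uint16) bool { return response == weakResponse(challenge) }

// Hardened design: the PLC draws a fresh random challenge and the station must
// return HMAC-SHA256(key, challenge || frame). Without the key the answer cannot
// be produced; with it, the answer is valid only for this challenge and this frame.
func newChallenge() ([]byte, error) {
	c := make([]byte, 16)
	_, err := rand.Read(c)
	return c, err
}

func keyedResponse(key, challenge []byte, f Frame) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(challenge)
	mac.Write(f.Bytes())
	return mac.Sum(nil)
}

// keyedVerify recomputes the tag over the frame as actually received and
// compares in constant time.
func keyedVerify(key, challenge, response []byte, f Frame) bool {
	return hmac.Equal(response, keyedResponse(key, challenge, f))
}

// Result records how each design treats a station that holds the key and one
// that does not, and whether a valid answer survives a swapped frame.
type Result struct {
	WeakAcceptsKeyless  bool // weak: correct answer produced with no key at all
	KeyedAcceptsHolder  bool // hardened: key holder's read frame accepted
	KeyedRejectsKeyless bool // hardened: answer computed under a guessed key rejected
	KeyedRejectsAltered bool // hardened: valid answer reused with a write frame rejected
}

func compare() (Result, error) {
	var r Result
	key := make([]byte, 32) // shared PLC/station secret, constructed
	if _, err := rand.Read(key); err != nil {
		return r, err
	}
	read := Frame{FunctionCode: 1, Address: 0x10}
	write := Frame{FunctionCode: 2, Address: 0x10, Payload: []byte{0xFF}}

	chal := uint16(0x1234) // constructed challenge for the weak scheme
	r.WeakAcceptsKeyless = weakVerify(chal, weakResponse(chal))

	c, err := newChallenge()
	if err != nil {
		return r, err
	}
	good := keyedResponse(key, c, read)
	r.KeyedAcceptsHolder = keyedVerify(key, c, good, read)
	guessed := make([]byte, 32) // a station that does not hold the secret
	r.KeyedRejectsKeyless = !keyedVerify(key, c, keyedResponse(guessed, c, read), read)
	r.KeyedRejectsAltered = !keyedVerify(key, c, good, write)
	return r, nil
}

func main() {
	r, err := compare()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Where the slide suggests an asymmetric cipher as the best fit for PLC-to-TIA trust, the same structure applies with a signature in place of the HMAC: the TIA signs challenge plus frame, and the PLC holds only the public key, so a compromised PLC image cannot be mined for a shared secret.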

3eTI SLIDE 14: Crypto in ICS Product Designs

• Need to address crypto in both software and hardware
• ICS/IoT devices are all hackable, due to poor or no security design

3eTI SLIDE 15: How a Hacker Attacks ICS Devices

• Firmware analysis – use a disassembler
  – Attack string manipulation functions
  – Modify the binary, then download it to the IoT device (not digitally signed, no integrity)
• Defense
  – Firmware compression
  – Obfuscation
  – Encryption
  – Digital signature
  – Address space randomization
  – Stack cookie
  – Better hardware design to protect the firmware
    o UART trace left over?
    o Bootloader with console?
    o JTAG pins left over?
    o FLASH readable?

Example: it took a Kaspersky research scientist 3 months to gain total control of Cisco's Catalyst 3000 switch with a known CVE telnet vulnerability. Reason: slightly "obfuscated" firmware and a stack cookie.

3eTI SLIDE 16: Hardware Security: TPM (Trusted Platform Module)

• TPM is the cornerstone of hardware security
  – International standard for a secure cryptoprocessor
  – Integrates keys into hardware
  – Secure key storage and generation
  – Enables a trust anchor
  – This is why the latest Apple iPhone can't be jailbroken
• Fits the needs of ICS – example: set up a trust chain

[Diagram: example trust chain from a PLC made by a foreign manufacturer, to the PLC vendor, to a certified solution provider, to the PLC owner, to the onsite engineer]
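The trust chain in the diagram is, in practice, a certificate chain: each party signs the next party's certificate, the PLC is provisioned only with the manufacturer's root, and the engineer's credential is accepted only if every intermediate link can be presented and checked. The Go program below is an added example for this page (not 3eTI's or any PLC vendor's code) that models the five links with X.509 certificates and lets the "PLC" verify an onsite engineer's certificate. It assumes a plain ECDSA P-256 hierarchy with no path-length or name constraints; the party names, serial numbers and validity period are constructed, and all keys are generated in memory, whereas in a deployment each link's private key would sit in that party's TPM or HSM and the root would be burned into the PLC at the factory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// link is one party in the chain: its certificate and the private key that
// signs the next link (in memory here; a TPM or HSM in the field).
type link struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue mints a certificate for name, signed by parent (nil = self-signed root).
// isCA marks whether the holder may sign further links; the engineer may not.
func issue(name string, parent *link, isCA bool, serial int64) (*link, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // engineer authenticates to the PLC
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &link{cert: cert, key: key}, nil
}

// Chain is the five-link chain from the slide, root first.
type Chain struct{ Manufacturer, Vendor, Provider, Owner, Engineer *link }

func buildChain() (*Chain, error) {
	var c Chain
	var err error
	if c.Manufacturer, err = issue("PLC Manufacturer", nil, true, 1); err != nil {
		return nil, err
	}
	if c.Vendor, err = issue("PLC Vendor", c.Manufacturer, true, 2); err != nil {
		return nil, err
	}
	if c.Provider, err = issue("Certified Solution Provider", c.Vendor, true, 3); err != nil {
		return nil, err
	}
	if c.Owner, err = issue("PLC Owner", c.Provider, true, 4); err != nil {
		return nil, err
	}
	if c.Engineer, err = issue("Onsite Engineer", c.Owner, false, 5); err != nil {
		return nil, err
	}
	return &c, nil
}

// verifyEngineer is the PLC-side check before an engineering session is accepted:
// trust only the factory-provisioned root and require every intermediate link.
func verifyEngineer(root *x509.Certificate, intermediates []*x509.Certificate, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	c, err := buildChain()
	if err != nil {
		panic(err)
	}
	full := []*x509.Certificate{c.Vendor.cert, c.Provider.cert, c.Owner.cert}
	fmt.Println("full chain:", verifyEngineer(c.Manufacturer.cert, full, c.Engineer.cert))
	fmt.Println("owner link missing:", verifyEngineer(c.Manufacturer.cert, full[:2], c.Engineer.cert))
}
```

The property the TPM adds on top of this is that the root certificate and the PLC's own identity key cannot be swapped out by someone who controls the firmware image, which is what makes the anchor at the top of the chain trustworthy in the first place.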

3eTI SLIDE 17: Summary
Cryptographic technologies enhance ICS cybersecurity

• Seriously consider implementing crypto technology
  – Hackers are sophisticated crypto power users (ransomware)
  – As a defender, ICS needs cryptographic technology
• Adopt COTS technology
  – IEEE 802.1AE
  – VPN
• Strategically build a software & hardware security capabilities framework, even if only partially
• Use open-standard cryptographic technology
  – Software module/library
  – Hardware TPM
  – Don't roll your own crypto

3eTI SLIDE 18: Questions

Chris Guo, Principal Engineer, Ultra Electronics, 3eTI
Direct: +1 301.944.1294
Email: [email protected]
www.ultra-3eti.com