Hosted by OWASP & the NYC Chapter
Vulnerability Analysis of 2013 SCADA issues
Amol Sarwate, Director of Vulnerability Labs, Qualys Inc.

Agenda
• SCADA components
• 2013 Vulnerability Analysis
• Recommendations and Proposals

SCADA / DCS / ICS
Accidents
• liquid pipeline failures: http://www.ntsb.gov/doclib/safetystudies/SS0502.pdf
• power failures: http://www.nerc.com/docs/docs/blackout/Status_Report_081104.pdf
• other accidents: http://en.wikipedia.org/wiki/List_of_industrial_disasters
Vandalism
• vandals destroy insulators: http://www.bpa.gov/corporate/BPAnews/archive/2002/NewsRelease.cfm?ReleaseNo=297
Insider
• disgruntled employee: http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/
APT
• terrorism or espionage: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
2009 - 2013 SCADA Vulnerabilities (estimate; chart)
Components (from the field to the control center)
• I/O: Sensors, Meters, Field Devices
• Remote: PLC, IED, RTU
• Communication: Protocols, FEP, Wired, Wireless
• Master: HMI, DCS, SCADA
Acquisition: converts parameters like light, temperature, pressure or flow to analog signals
Conversion: converts analog and discrete measurements to digital information
Communication: front end processors (FEP) and protocols, over wired or wireless links
Protocols: Modbus, DNP 3, OPC, ICCP, ControlNet, BBC 7200, ANSI X3.28, DCP 1, Gedac 7020, DeviceNet, DH+, ProfiBus, Tejas, TRE, UCA
Presentation & Control: control, monitoring and alarming using a human machine interface (HMI)
2013 Vulnerabilities by category
• Acquisition: 0%
• Conversion: 11%
• Communication: 22%
• Presentation & Control: 66%
Acquisition
– Requires physical access
– Field equipment does not contain process information
– It carries only labels like "valve 16" or "breaker 9B"
– Without process knowledge, tampering leads only to nuisance disruption
Emerson ROC800 Vulnerabilities
– CVE-2013-0693: Network beacon broadcasts allow detection
– CVE-2013-0692: OSE debug port service
– CVE-2013-0694: Hard-coded accounts with passwords
– CVSS v2 access: AV:N, AC:L, Au:N
– CVSS v2 impact: C:C, I:C, A:C
– Patch available from Emerson
Siemens CP 1604 / 1616 Interface Card Vulnerability
– Siemens security advisory: SSA-628113
– CVE-2013-0659: Open debugging port in CP 1604/1616
– UDP port 17185 (the VxWorks WDB remote debug agent)
– CVSS v2 access: AV:N, AC:L, Au:N
– CVSS v2 impact: C:C, I:C, A:C
– Patch available from Siemens
Communication vulnerabilities by protocol (2013)
• General: 24%
• ModBus: 12%
• DNP: 16%
• C37.118: 12%
• IGMP: 4%
• SNMP: 4%
• FTP/TFTP: 16%
• SSH/SSL: 12%
ModBus Vulnerabilities
– CVE-2013-2784: Triangle Research Nano-10 PLC Crafted Packet Handling Remote DoS
– CVE-2013-0699: Galil RIO-47100 PLC Crafted Modbus Packet Handling Remote DoS
– RBS-2013-003: Schneider Electric Multiple Modbus MBAP DoS and RCE
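The three Modbus issues above are all MBAP handling bugs triggered by a crafted packet. The following Python is an added example, not code from the talk or from ScadaScan: it builds Modbus/TCP requests, parses a Read Holding Registers response with the length and byte-count checks that such bugs rely on being absent, and includes a small probe of the kind a SCADA network audit uses to find Modbus slaves. Function names are this example's own, and the response frames used for the demonstration are constructed; only `probe_modbus` touches the network.

```python
"""Modbus/TCP framing with the checks a crafted packet is meant to bypass.

Added example for this section; it is not code from the talk or from
ScadaScan. Layout follows the Modbus/TCP specification: a 7-byte MBAP
header (transaction id, protocol id, length, unit id) followed by the PDU.
"""
import socket
import struct

MODBUS_TCP_PORT = 502
MBAP_LEN = 7      # transaction(2) + protocol(2) + length(2) + unit(1)
MAX_ADU = 260     # largest legal Modbus/TCP ADU (MBAP + 253-byte PDU)


def build_read_holding(transaction_id, unit_id, start, count):
    """Function 0x03 (Read Holding Registers) request as a complete ADU."""
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125")
    pdu = struct.pack(">BHH", 0x03, start, count)
    # The MBAP length field counts the unit id plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def build_device_id(transaction_id, unit_id):
    """Function 0x2B / MEI 0x0E (Read Device Identification), basic objects."""
    pdu = struct.pack(">BBBB", 0x2B, 0x0E, 0x01, 0x00)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_mbap(frame):
    """Validate the MBAP header; return (transaction id, unit id, pdu).

    Each check corresponds to a field a crafted packet can lie about: a
    length that disagrees with the bytes actually received is the classic
    trigger for the over-read or oversized allocation behind a remote DoS.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("shorter than MBAP header plus function code")
    if len(frame) > MAX_ADU:
        raise ValueError("exceeds maximum ADU size")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id must be 0")
    if length != len(frame) - 6:
        raise ValueError("length field %d != %d bytes on the wire"
                         % (length, len(frame) - 6))
    return tid, unit, frame[MBAP_LEN:]


def parse_read_holding_response(frame):
    """Decode a function 0x03 response into a list of 16-bit register values."""
    _, _, pdu = parse_mbap(frame)
    if len(pdu) < 2:
        raise ValueError("PDU too short for a function 0x03 response")
    func = pdu[0]
    if func & 0x80:
        raise ValueError("exception response, code 0x%02x" % pdu[1])
    if func != 0x03:
        raise ValueError("unexpected function 0x%02x" % func)
    byte_count, data = pdu[1], pdu[2:]
    # Trust the byte count only if it matches what actually arrived.
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("byte count %d does not match %d data bytes"
                         % (byte_count, len(data)))
    return list(struct.unpack(">%dH" % (byte_count // 2), data))


def safe_decode(frame):
    """Register list for a well-formed 0x03 response, None for anything else."""
    try:
        return parse_read_holding_response(frame)
    except ValueError:
        return None


def probe_modbus(host, port=MODBUS_TCP_PORT, unit_id=1, timeout=2.0):
    """Ask for one holding register and report whether a Modbus slave answered.

    A data reply or a Modbus exception (0x83) both mean Modbus is listening.
    Run only against equipment you are authorised to test: slaves accept this
    with no authentication, and some crash on traffic they were never built
    to see.
    """
    request = build_read_holding(1, unit_id, 0, 1)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        reply = sock.recv(MAX_ADU)
    try:
        tid, _, pdu = parse_mbap(reply)
    except ValueError:
        return False
    return tid == 1 and pdu[0] in (0x03, 0x83)


if __name__ == "__main__":
    # Constructed reply: transaction 1, unit 1, two registers 0x0102 and 0x0304.
    print(safe_decode(bytes.fromhex("00010000000701030401020304")))
    # Same reply with the MBAP length field set to 0xFFFF: rejected, not parsed.
    print(safe_decode(bytes.fromhex("00010000ffff01030401020304")))
```

The length check in `parse_mbap` and the byte-count check in `parse_read_holding_response` are the two places where a device-side implementation typically trusts the packet instead of the socket; a fuzzer aimed at a PLC will vary exactly those fields.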
DNP Vulnerabilities
– CVE-2013-2791: MatrikonOPC Server DNP3 Packet Handling buffer overflow
– CVE-2013-2798: Schweitzer Real-Time Automation Controllers (RTAC) Local DoS
– CVE-2013-2788: SUBNET SubSTATION Server DNP3 Outstation Slave Remote DoS
– CVE-2013-2783: IOServer DNP3 Packet Handling Infinite Loop
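The DNP3 issues above (buffer overflow, remote DoS, infinite loop) are inbound packet parsing bugs. As an added example, not code from the talk, the following Python implements the DNP3 link-layer frame format with CRC-16/DNP and parses a frame so that the length field and every CRC are verified before any user data is handed on, with the data-block loop bounded by the validated length rather than by whatever arrived. Function names are this example's own; the frames used to exercise it are constructed with the example's own builder.

```python
"""DNP3 link-layer framing with CRC-16/DNP, parsed defensively.

Added example for this section, not code from the talk. Layout follows the
DNP3 link layer: a 10-byte header block (0x05 0x64, length, control,
destination, source, CRC) then user data in blocks of up to 16 bytes, each
followed by its own CRC. Multi-byte fields and CRCs are little-endian.
"""
import struct

DNP3_START = b"\x05\x64"
_POLY_REFLECTED = 0xA6BC   # 0x3D65 with the bit order reversed


def crc16_dnp(data):
    """CRC-16/DNP: polynomial 0x3D65, reflected, init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ _POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(control, dest, src, user_data=b""):
    """Assemble one link frame. LENGTH counts control, dest, src and user
    data but not CRCs, so it is 5..255 and user data is at most 250 bytes."""
    if len(user_data) > 250:
        raise ValueError("user data too long for one link frame")
    header = DNP3_START + struct.pack("<BBHH", 5 + len(user_data), control, dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_frame(frame):
    """Check start bytes, length and every CRC before returning user data.

    The block loop is bounded by the validated LENGTH field, never by the
    bytes on the wire, so a frame that lies about its size is rejected
    up front instead of driving an over-read or an endless loop.
    """
    if len(frame) < 10:
        raise ValueError("truncated header block")
    if frame[:2] != DNP3_START:
        raise ValueError("bad start bytes")
    length, control, dest, src = struct.unpack("<BBHH", frame[2:8])
    if length < 5:
        raise ValueError("LENGTH below the minimum of 5")
    if crc16_dnp(frame[:8]) != struct.unpack("<H", frame[8:10])[0]:
        raise ValueError("header CRC mismatch")
    n_user = length - 5
    n_blocks = (n_user + 15) // 16
    expected = 10 + n_user + 2 * n_blocks
    if len(frame) != expected:
        raise ValueError("LENGTH implies %d bytes, received %d" % (expected, len(frame)))
    user, pos, remaining = bytearray(), 10, n_user
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        (crc,) = struct.unpack("<H", frame[pos + n:pos + n + 2])
        if crc16_dnp(block) != crc:
            raise ValueError("data block CRC mismatch at offset %d" % pos)
        user += block
        pos += n + 2
        remaining -= n
    return {"control": control, "dest": dest, "src": src, "user_data": bytes(user)}


def is_well_formed(frame):
    """True when parse_frame accepts the frame, False when it rejects it."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed frame: unconfirmed user data (control 0xC4) from source
    # 1024 to destination 1 carrying 20 bytes, which spans two data blocks.
    frame = build_frame(0xC4, 1, 1024, bytes(range(20)))
    print(frame.hex(), parse_frame(frame))
    print(is_well_formed(frame[:-1]))   # truncated by one byte: rejected
```

Note that the CRC covers each block separately, so a one-byte change anywhere in the user data is caught before the application layer ever sees the fragment; an implementation that only checks the header CRC and then loops on the received length is the shape of bug behind the infinite-loop advisory.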
Modbus and DNP free tool: http://code.google.com/p/scadascan/
Security Analysis of SCADA protocols
SSH, FTP, TFTP, IGMP, SNMP
– CVE-2013-0137: Monroe Electronics Default root SSH Key Remote Access
– CVE-2012-4697: TURCK BL20 / BL67 FTP Service Hardcoded Admin Credentials
– CVE-2013-2800: OSIsoft PI Interface for IEEE C37.118 Memory Corruption
– CVE-2013-0689: Emerson RTU TFTP Server File Upload Arbitrary Code Execution
– CVE-2013-3634: Siemens Scalance X200 IRT SNMP Command Execution
– Korenix Multiple JetNet Switches TFTP Server Arbitrary File Creation
– RuggedCom ROX-II IGMP Packet Saturation RSTP BPDU Prioritization Weakness
– Korenix Multiple JetNet Switches SSL / SSH Hardcoded Private Keys
Presentation & Control vulnerabilities by category (2013; chart)
Categories: Generic XSS, SQL Injection, Database, Generic Web, Directory & File Disclosure, CSRF, ActiveX, Crypto
Shares shown: 26%, 5%, 3%, 5%, 31%, 13%, 4%, 9%, 5%
Presentation & Control
– CVE-2013-2299: Advantech WebAccess /broadWeb/include/gAddNew.asp XSS
– CVE-2013-0684: Invensys Wonderware Information Server (WIS) SQL Injection
– CVE-2013-3927: Siemens COMOS Client Library Local Database Object Manipulation
– CVE-2013-0680: Cogent DataHub Crafted HTTP Request Header Parameter Stack Overflow
– CVE-2013-0652: General Electric (GE) Intelligent Proficy Java Remote Method Invocation
– CVE-2008-0760: SafeNet Sentinel Protection Server HTTP Request Directory Traversal and Arbitrary File Access
– CVE-2012-3039: Moxa OnCell Gateway Predictable SSH / SSL Connection Key Generation
– Weidmüller WaveLine Router Web Interface config.cgi Configuration Manipulation CSRF
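The list above is dominated by ordinary web-application classes (XSS, SQL injection, CSRF, traversal) showing up in HMI and information-server products. The following Python is an added example, not code from the talk or from any product named here: on a constructed historian table it shows a tag-history lookup built by string formatting, the same lookup parameterised and allow-listed, and output escaping for the rendered page. Table, rows, tag names and function names are all this example's own.

```python
"""Tag-history lookup as an HMI web page might implement it: the injectable
form next to the hardened one. Added example, not code from the talk or from
any product named on the slide; the table and its rows are constructed."""
import html
import re
import sqlite3


def make_db():
    """In-memory stand-in for an HMI historian table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tag_history (tag TEXT, value REAL, ts TEXT)")
    conn.executemany("INSERT INTO tag_history VALUES (?, ?, ?)", [
        ("PUMP1_FLOW", 12.5, "2013-07-01T10:00:00"),
        ("PUMP1_FLOW", 12.7, "2013-07-01T10:01:00"),
        ("TANK3_LEVEL", 71.2, "2013-07-01T10:00:00"),
    ])
    return conn


def history_vulnerable(conn, tag):
    """String-built query: the tag name from the request becomes SQL."""
    sql = "SELECT tag, value, ts FROM tag_history WHERE tag = '%s'" % tag
    return conn.execute(sql).fetchall()


TAG_RE = re.compile(r"^[A-Z0-9_]{1,32}$")


def is_valid_tag(tag):
    """Allow-list check: plant tag names are short upper-case identifiers."""
    return bool(TAG_RE.match(tag))


def history_safe(conn, tag):
    """Parameterised query, with the allow-list as a second layer."""
    if not is_valid_tag(tag):
        raise ValueError("invalid tag name")
    return conn.execute(
        "SELECT tag, value, ts FROM tag_history WHERE tag = ?", (tag,)
    ).fetchall()


def render_rows(rows):
    """HTML table body with every cell escaped, so a tag named <script>...
    stays text instead of becoming the stored XSS the chart counts."""
    def cells(row):
        return "".join("<td>%s</td>" % html.escape(str(c)) for c in row)
    return "".join("<tr>%s</tr>" % cells(r) for r in rows)


def demo():
    """Run both lookups against the constructed table and report the counts."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "honest": len(history_vulnerable(conn, "PUMP1_FLOW")),
        "injected": len(history_vulnerable(conn, payload)),
        "safe_honest": len(history_safe(conn, "PUMP1_FLOW")),
        "payload_accepted": is_valid_tag(payload),
    }


if __name__ == "__main__":
    print(demo())
    print(render_rows([("<script>alert(1)</script>", 0, "now")]))
```

The allow-list is not a substitute for parameterisation; it is there because tag names also end up in file paths, OPC item strings and page output, and a single definition of "what a tag looks like" closes several of the categories in the chart at once.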
Real world issues
• Control system network connected to the corporate network or the internet
• No authentication, or no per-user authentication
• Delayed patching, if any
• Default passwords, shared passwords, no password change policy
• Systems not restarted in years
• Off-the-shelf software: operating system, database, browser, web server
• Unnecessary services
• Internal differences between IT and SCADA engineers
System Wide Challenges
• Long life cycle of a SCADA system
• Cost and difficulty of an upgrade
Proposals
• SCADA network auditing
• Is your SCADA system exposed on the internet?
• Password policy, access control and access roles
• Are all services necessary?
• Use secure protocols
• Strategy for software updates and patching
• SCADA test environment
• Keep up to date with vulnerabilities
• Apply experience from IT network management
ScadaScan
Current version
• Scan network range
• Works with TCP/IP
• Identifies Modbus TCP slaves
• Identifies DNP 3 TCP slaves
Beta version
• SCADA master vulnerability scanning
• SNMP support
• HTTP support
1.0 Release
• User configurable signature files
• Authenticated support for Windows and *nix
• Code cleanup

Thank You
Twitter: @amolsarwate
http://code.google.com/p/scadascan/
https://community.qualys.com