Welcome to Phoenix Contact Industrial Network Security Seminar
TRANSCRIPT
Welcome to PHOENIX CONTACT
Industrial network security seminar
Matt Cowell
Phoenix Contact ASE – North Central
847 226 5197
2 | Presentation | Matt Cowell | ASE Central | 24 May 2013
Who am I?
Matt Cowell
ASE (Automation Sales Engineer) – North Central region
Tenure – joined Phoenix Contact Jan 2008
Located in Gurnee, IL (north of Chicago)
Responsible for all Phoenix Contact automation products in the North Central region
Automation product responsibility includes Ethernet, network security products, controllers and software, industrial PCs, HMIs, I/O, safety and wireless
Territory includes IL, WI, MN, ND, SD
Background – various engineering roles, with later years focused on system integration
Agenda
Industrial networking introduction
‘Typical’ network layouts and comparisons to IT
Recent product vulnerabilities
Case studies of recent security breaches
Introduction to basic Hacking techniques
Live demonstration of an industrial attack
Highlighting ease of implementation on live network
Offering simple countermeasures and prevention
General Recommendations
Question Time
Has your network ever been hacked?
How do you know?
Whose responsibility is network security?
Everyone’s
Don’t assume someone else (IT) has it covered
What is a SCADA network?
SCADA = Supervisory Control And Data Acquisition
Commonly associated with an Industrial Control System (ICS)
Typically a dedicated network interlinking critical devices that are part of controlling and/or monitoring a plant, infrastructure or a process
Typical devices – SCADA network
Typically field devices in/near the control panel
Wastewater SCADA network example (diagram; legend: copper, fiber, wireless)
Nodes shown: Main Control Room, Main Pump Station, Sludge Dewatering, Disinfection, Blower Building, Final Clarifiers, Reject Pumps
Characteristics of a SCADA network
Often engineer governed
Desire high speed (typically small data transfers – bits vs. MB)
Deterministic
Acceptable latency typically measured in ms
High-reliability data transfer in a rugged form factor
Typically comprising various protocols (Modbus/TCP, DNP3, EtherNet/IP)
Interconnected via various media (fiber, copper, wireless, leased lines etc.)
Originally isolated islands (no WAN or internet connectivity)
Longer system life cycle = more older technology and OS versions
Typical IT/Enterprise network (diagram: Internet)
Large network, vast data transfer, variable speed dependent upon load, tolerated latency measured in seconds, isolation of devices less critical, broadcast traffic common, integrated security (anti-virus/software firewall)
Evolution of connecting SCADA to the IT network or internet (diagram: Internet – Router/Firewall – Enterprise/Company level, access throughout – SCADA/Industrial network)
Why converge?
Reporting – regulatory requirements/compliance
Convenience – access from desk, city network
Autonomy & remote access – outside access for contractors
Integration – to database/laboratory
Mistake – could also be inadvertent
Why consider security now?
Scope of industrial networks has grown beyond conventional “switch only” (layer 2) networks
Device access from the IT/enterprise network is desired
Remote access to SCADA systems is required for support
Industrial devices lack the network security features we have become familiar with (robust NICs, Windows updates, patches, anti-virus, HTTPS etc.)
Vulnerabilities are being discovered daily
Increase in network devices, and trends are relying upon use of ‘the cloud’
Few standards in place yet to enforce security
Stuxnet demonstrated the sophistication and damage that can be caused by industrial-specific malware – don’t wait for Stuxnet 2.0
Industrial attacks are becoming more common and brazen – 1/3 of ALL malware was developed in the past year (Stuxnet, Night Dragon and Stars all made news headlines)
Common objections (excuses)
“IT takes care of our firewall and security”
Do they really? So they will handle the consequences of an attack on the SCADA system? Do they understand ‘SCADA’?
“Our SCADA network is isolated/air-gapped”
Are you sure? Either way, Stuxnet (to date the world’s most effective malware against SCADA) caused significant harm to a target that was also “isolated”. What about USB or other attack vectors?
“We’re just a small site, we’re not a target”
Really? When you search for devices on Shodan, does the attacker care where the vulnerable PLC they just found is?
“SCADA security is too complex and costs too much”
What are the financial consequences of a breach to critical infrastructure? The risk has never been higher than today!
You already know physical security…
Cameras and surveillance
Analogous to IDS (Intrusion Detection System)/logging
Access control – access based upon credentials
Analogous to account/password control policy
Perimeter security – fences, gates, locks
Analogous to firewalls
Alarms
Analogous to email/SMS/SNMP/HMI alarms, SIEM (Security Information & Event Management) or IDS
Security guard
Analogous to an IT/security-focused professional
We generally take physical security very seriously
The cyber threat is real…
Types of cyber incident
Audit
Legitimate attack/test
Vulnerability assessment
Accidental
Broadcast storm, misconfiguration, faulty product etc.
Wrong IP
Non-malicious intrusion
Monitoring data, stealing information etc.
Malicious intrusion
Bad intentions/causing harm
Breaking something (equipment/process/data)
A few discovered vulnerabilities
All confirmed and published by US-CERT (DHS)
Schneider – ICS-ALERT-11-346-01 – SCHNEIDER ELECTRIC QUANTUM ETHERNET MODULE MULTIPLE VULNERABILITIES
– ICSA-11-277-01 – SCHNEIDER ELECTRIC UNITELWAY DEVICE DRIVER BUFFER OVERFLOW
– ICSA-11-307-01 – SCHNEIDER ELECTRIC VIJEO HISTORIAN WEB SERVER MULTIPLE VULNERABILITIES
Siemens – ICSA-11-356-01 – SIEMENS SIMATIC HMI AUTHENTICATION VULNERABILITIES
– ICS-ALERT-11-332-02A – SIEMENS SIMATIC WINCC FLEXIBLE VULNERABILITIES
– ICS-ALERT-11-186-01 – PASSWORD PROTECTION VULNERABILITY IN SIEMENS SIMATIC CONTROLLERS S7-200, S7-300, S7-400, AND S7-1200
– ICS-ALERT-11-161-01 – SIEMENS SIMATIC S7-1200 PLC VULNERABILITIES
..more discovered vulnerabilities
Rockwell Automation – VU#144233 – Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities
– ICSA-10-070-01A (UPDATE) – ROCKWELL AUTOMATION RSLINX CLASSIC EDS HARDWARE INSTALLATION TOOL BUFFER OVERFLOW
– ICS-ALERT-10-194-01 – OPEN UDP PORT IN 1756-ENBT ETHERNET/IP™ COMMUNICATION INTERFACE
– ICSA-11-273-03A – ROCKWELL RSLOGIX DENIAL-OF-SERVICE VULNERABILITY
– ICS-ALERT-12-020-02A – ROCKWELL AUTOMATION CONTROLLOGIX MULTIPLE PLC VULNERABILITIES
– ICSA-12-088-01A – ROCKWELL AUTOMATION FACTORYTALK RNADIAGRECEIVER DOS VULNERABILITIES
– ICSA-10-070-02 – AUTHENTICATION VULNERABILITY IN ROCKWELL PLC-5 AND SLC 5/0X CONTROLLERS AND ASSOCIATED RSLOGIX SOFTWARE
..and some others
– ICS-ALERT-11-080-02 – MULTIPLE VULNERABILITIES IN ICONICS GENESIS (32 & 64)
– ICSA-11-173-01 – CLEARSCADA REMOTE AUTHENTICATION BYPASS
– ICSA-11-332-01 – INVENSYS WONDERWARE INBATCH ACTIVEX VULNERABILITIES
– ICSA-11-243-03A – GE INTELLIGENT PLATFORMS PROFICY HISTORIAN DATA ARCHIVER BUFFER OVERFLOW VULNERABILITY
– ICSA-12-243-01 – GARRETTCOM PRIVILEGE ESCALATION VIA USE OF HARD-CODED PASSWORD
– ICSA-12-146-01A – RUGGEDCOM WEAK CRYPTOGRAPHY FOR PASSWORD VULNERABILITY
– ICS-ALERT-12-020-07A – WAGO I/O 750 MULTIPLE VULNERABILITIES
Network security breach case study: Stuxnet
The industrial malware that brought mass media attention
Complex worm with rootkit components, exploiting 4 zero-day vulnerabilities
Designed to attack Siemens control networks through the Windows engineering/HMI software
Used stolen digital certificates to look inconspicuous
Could manipulate PLC logic and network traffic
Spreads automatically via USB jump drive
Reports updates back to an internet server
Targeted Iran’s uranium enrichment centrifuges, causing significant damage, but also spread worldwide
Suspected to be state sponsored
Has a ‘kill date’ coded into it to stop spreading on 6/24/12
Network security breach case study: Maroochy Shire wastewater facility
Disgruntled former contractor gained access via an insecure wireless network
Released 264,000 gallons of sewage into rivers
Responsible for killing marine life, not to mention creating a stench for residents
This occurred over a 3-week period; no one noticed for the first 2.5 weeks
He was later arrested and sentenced to prison
SCADA is a target
500,000 reasons to be afraid
Why do people ‘hack’?
There are a number of motivators, including:
Ego
Criminal
Political/Spying
Hacktivism
Terrorism
War
Personal gain
Corporate gain
Sabotage
Retribution
Personal Concern
How do people hack?
Inside job/disgruntled employee – abusing network privileges
Sniffing – intercepting network traffic, e.g. via ARP spoofing on a switched network. Unsecured protocols (HTTP, SNMP v1 & v2c) may carry passwords in clear text
Password cracking – exploiting defaults, password generators, phishing, keylogging, brute force
DoS – Denial of Service attacks overwhelm a network interface by sending excessive traffic to that device
Spoofing – firewalls define rules based upon IP address, MAC address and port. Spoofing modifies the source IP/MAC to pretend it is from a legitimate source, to get access and hijack a session. A cyber imposter
Wireless attack – using packet captures and cracking tools it is possible to recover the WEP key of a wireless AP
Virus/Worm – self-replicating infectious computer code (malware) that can take control of a system or steal information. Infect and spread
Ransomware – a specific infection that demands ransom money or will lock you out of files or threaten to delete them by a specific deadline – NEW
Trojan – malicious code attached to a legitimate file; once run, it compromises the system by giving access to the hacker(s), as a virus would
Social engineering – manipulating people to divulge information or perform an action – the cyber con artist. Email/phone/baiting/phishing
Exploiting vulnerabilities – missing Windows updates, Stuxnet
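The sniffing entry above says HTTP and SNMP v1/v2 may carry passwords in clear text. The following is an added example, not code from the presentation or from Phoenix Contact, showing exactly what a passive sniffer recovers from such traffic: it decodes the Basic Authorization header from a plain-HTTP request and pulls the community string out of an SNMPv1 GetRequest. Both payloads are constructed inside the block (they are not captures), and the host address 192.168.0.101, the credentials admin/plc1234 and the community string public are invented for the illustration.

```python
"""Cleartext credential harvesting from HTTP and SNMP v1/v2c payloads.

Added example (not from the Phoenix Contact deck). The packet payloads below
are constructed in this file, not real captures; the host address, user name,
password and community string are invented.
"""
import base64
import binascii
import re

# --- HTTP Basic authentication: base64 is an encoding, not encryption -------

# Constructed request to a PLC's web page over plain HTTP (hypothetical).
HTTP_SAMPLE = (
    b"GET /config.htm HTTP/1.1\r\n"
    b"Host: 192.168.0.101\r\n"
    b"Authorization: Basic YWRtaW46cGxjMTIzNA==\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

_BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_http_basic(payload: bytes) -> list:
    """Return (user, password) for every Basic Authorization header in a
    cleartext HTTP payload. Anyone positioned on the path (ARP spoofing, a
    mirrored switch port, an open Wi-Fi link) sees exactly this."""
    creds = []
    for match in _BASIC_RE.finditer(payload):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except binascii.Error:          # not valid base64: skip, don't crash the sniffer
            continue
        user, _, password = decoded.partition(b":")
        creds.append((user.decode("latin-1"), password.decode("latin-1")))
    return creds


# --- SNMP v1/v2c: the community string is the password and travels in the clear

def _ber(tag: int, content: bytes) -> bytes:
    """Encode one short-form BER TLV (content < 128 bytes); used only to build
    the constructed sample message."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _ber_read(buf: bytes, off: int):
    """Decode one BER TLV at offset; returns (tag, content, next_offset).
    Handles the short and long length forms."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                   # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


# Constructed SNMPv1 GetRequest for sysName.0 (OID 1.3.6.1.2.1.1.5.0) using the
# all-too-common default community "public".
SNMP_SAMPLE = _ber(0x30,
    _ber(0x02, b"\x00")                 # version: 0 = SNMPv1 (1 = v2c)
    + _ber(0x04, b"public")             # community string, cleartext
    + _ber(0xA0,                        # GetRequest-PDU
        _ber(0x02, b"\x01")             # request-id
        + _ber(0x02, b"\x00")           # error-status
        + _ber(0x02, b"\x00")           # error-index
        + _ber(0x30, _ber(0x30,         # VarBindList / VarBind
            _ber(0x06, bytes.fromhex("2b06010201010500"))   # OID sysName.0
            + _ber(0x05, b"")))))       # NULL value


def snmp_community(payload: bytes):
    """Return ("v1" | "v2c", community) from an SNMP message, or None when the
    payload is not SNMP v1/v2c (SNMPv3 carries no cleartext community)."""
    try:
        tag, msg, _ = _ber_read(payload, 0)
        if tag != 0x30:
            return None
        tag, ver, off = _ber_read(msg, 0)
        if tag != 0x02:
            return None
        version = int.from_bytes(ver, "big")
        if version not in (0, 1):
            return None
        tag, community, _ = _ber_read(msg, off)
        if tag != 0x04:
            return None
    except IndexError:                  # truncated/malformed message
        return None
    return ({0: "v1", 1: "v2c"}[version], community.decode("latin-1"))


def harvest(packets):
    """Run both extractors over constructed (proto, src, dst, payload) tuples
    and return what a passive sniffer learns."""
    findings = []
    for proto, src, dst, payload in packets:
        if proto == "tcp/80":
            for user, pw in extract_http_basic(payload):
                findings.append(("HTTP Basic", src, dst, f"{user}:{pw}"))
        elif proto == "udp/161":
            hit = snmp_community(payload)
            if hit:
                findings.append((f"SNMP{hit[0]} community", src, dst, hit[1]))
    return findings


if __name__ == "__main__":
    sample = [("tcp/80", "192.168.0.100", "192.168.0.101", HTTP_SAMPLE),
              ("udp/161", "192.168.0.100", "192.168.0.102", SNMP_SAMPLE)]
    for finding in harvest(sample):
        print(*finding)
```

The point for the countermeasures later in the deck: base64 is reversible by design, and in SNMP v1/v2c the community string is the whole authentication, so the sniffer needs no exploit, only a position on the path. HTTPS for the web pages and SNMPv3 (or a firewall rule that keeps these protocols off untrusted segments) are what actually close the gap.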
How easy is it to ‘hack’ a facility?
Just ask Google
Wireless breach – wardriving
If there is no access to the inside network, you first have to find it: specialist search engines, public IP and port scans, social engineering via Trojan or phishing
Vulnerabilities – easy targets, publicly available online and being found daily, with dedicated tools to make life easier
…as we will see
Our demonstration scenario (diagram)
Inside the perimeter (LAN, 192.168.0.x): PC (HMI) acting as master, lean managed switch, PLC acting as slave; addresses shown 192.168.0.100, 192.168.0.101, 192.168.0.102, 192.168.0.200; router at 192.168.0.1 on the LAN side, WAN side to the Internet
Attacking PC on the Internet at 1.2.3.4
4. DoS Attack
DE:MO Time
4. Denial Of Service attack
What did we learn?
With information collected by simply monitoring and exploring the network, we can now break it
Network adapters (particularly on industrial devices) can be overwhelmed if you send excessive packets
This can manifest in many devastating ways – preventing legitimate communications and in some cases locking up the device, requiring a power cycle or losing its program
Recommendations:
Use firewalls to control/restrict access
Use managed switches with bandwidth limitation, or routers, to prevent excess traffic
Enable monitors/logging to watch for and automatically notify of dangerous traffic levels
Control the ‘inside’
Prevent unnecessary access to industrial devices/network
Use a firewall to control traffic rules
Be careful of open ports and ‘backdoors’
Ensure adequate encryption when using wireless (WPA2) and a long, unusual passphrase
Restrict USB drive usage
Be careful of infected internal PCs – a virus or Trojan can run on the inside (an ‘inside job’), cause havoc and send information out
It’s claimed 60–70% of all security breaches are carried out by insiders
The solution?
mGuard Industrial Router, Firewall and VPN (diagram: Internet; deployment options ‘Here’, ‘There’, ‘Partial’)
Not just my advice..
Use of a firewall is a common recommendation by US-CERT for posted vulnerabilities
It gets worse…
Cybersecurity Act of 2012
Example SCADA Specifications
2.4 ETHERNET SWITCH
A. General: Furnish and install fiber-optic Ethernet switches as shown.
B. Features:
• 100/1000 base-T (auto-sensing).
• Minimum of five (5) RJ-45 ports. Ethernet ports shall be expanded as needed to interconnect all system components.
• Minimum of two (2) fiber optic ports for one (1) fiber pair. Fiber optic ports shall be expanded as needed to interconnect all system components.
• LED for indicating port status.
• Internal panel mounting kit.
• Failsafe output relay to indicate malfunction with unit.
• FCC Part 15, Class A compliant.
• Provide management software for multilevel security, web based configuration and remote monitoring.
• Powered by circuit on Uninterruptible Power Supply.
C. Product and manufacturer: ConneXium Switches Model 499-NOS-27100. No Substitutions.
2.5 FIBER-TO-COPPER MEDIA CONVERTERS
A. Fiber optic converters shall convert Ethernet TCP/IP network data to a format suitable for transmission over multi-mode fiber optic cable.
B. Features: Converters shall provide:
• Full-duplex 100/1000 Mbps Ethernet operation.
• Multimode fiber optic media support.
• Remote and local interface status.
C. Provide suitable transformers to convert 120VAC power to the appropriate voltage necessary to power the transceivers.
D. For control panel mounting, converter shall be DIN-rail mountable.
E. Product and manufacturer: IFS, or equal.
2.8 SWITCHES AND MEDIA CONVERTERS
A. Provide switches meeting the following requirements
1. Provide Phoenix Contact switch SFN6TX2FXST. Switch to operate on 24VDC. Switch to have six (6) RJ45 copper ports and two (2) fiber ports with ST connections
2. Provide one switch in each remote I/O cabinet and one switch for PLC B-C
B. Provide fiber optic media converter(s) as shown on the drawings, called for in the specifications or as required to result in a complete and working system
1. Media converter(s) shall operate on either 120VAC or 24VAC power and shall be supported by a UPS
2. Provide media converter with RJ-45 port for copper cable and ST connector for fiber optic cable.
3. Provide one media converter for PLC C-B and two additional media converters to be used by the owner.
No firewall or security mentioned
2.9 NETWORK SECURITY
A. Provide central managed switches meeting the following requirements
1. Provide Phoenix Contact switch MCS 14TX/2FX. Switch to operate on 24VDC. Switch to have fourteen (14) RJ45 copper ports and two (2) fiber ports with SC connections
2. Provide one switch in lockable, main control cabinet
3. VLAN support to be enabled
B. Provide one (1) firewall per each lockable RTU cabinet
1. Firewall rules to be configured to allow only TCP port 502 (Modbus/TCP) inbound from the main PLC IP address to the RTU PLC IP address.
2. DoS prevention to be active
C. Provide one (1) firewall for the lockable, main control cabinet
1. Firewall rules to be configured to allow only TCP port 502 inbound from the main SCADA PC IP address to the main PLC IP address.
2. DoS prevention to be active
D. A designated IDS must be implemented on the SCADA network
E. VPN must be configured for outside remote access
F. Control and SCADA network must implement a defense in depth, layered approach as per ISA-99
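What a firewall or monitor built to section 2.9 above actually has to check, together with the rate-limit lesson from the DoS demonstration and the spoofing entry in the hacking techniques list: an added example, not code from the presentation or from Phoenix Contact. It decodes the Modbus/TCP MBAP header, applies the 2.9.C.1 rule (only TCP 502 from the main SCADA PC to the main PLC), logs write function codes, and raises a rate alert per source and second. Assumptions: the deck's diagram addresses are taken as HMI 192.168.0.100, main PLC 192.168.0.101 and an attacking host at 192.168.0.200 (the deck lists the addresses but not which device owns which), the threshold of 50 packets per second is illustrative, and the traffic is constructed in the block rather than captured.

```python
"""Modbus/TCP traffic audit against the 2.9 specification's allow rule plus a
per-source rate limit (DoS prevention).

Added example, not code from the presentation or from Phoenix Contact. The
address mapping below is an assumption (the deck's diagram lists addresses but
not which device owns which), the traffic is constructed here, and the rate
threshold is an illustrative value."""
import struct
from collections import defaultdict

HMI = "192.168.0.100"        # assumed: main SCADA PC / HMI (Modbus master)
PLC = "192.168.0.101"        # assumed: main PLC (Modbus slave)
ATTACKER = "192.168.0.200"   # assumed: attacking PC on the LAN

# Spec 2.9.C.1: allow only TCP 502 from the main SCADA PC to the main PLC.
ALLOWED = {(HMI, PLC, 502)}
# Spec 2.9.C.2 "DoS prevention": assumed threshold, packets per source per second.
RATE_LIMIT = 50
# Modbus function codes that change process state (coils/registers).
WRITE_FCS = {5, 6, 15, 16, 22, 23}


def modbus_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame: MBAP header (transaction id, protocol id 0,
    length, unit id) followed by the PDU. There is no authentication field
    anywhere in the frame: whoever can reach port 502 can send this."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_mbap(payload: bytes):
    """Decode a Modbus/TCP frame; returns a dict or None if it is not well
    formed (protocol id must be 0 and the length field must match)."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": payload[8:]}


def audit(packets):
    """packets: iterable of (time_s, src, dst, dport, payload).
    Returns (kind, src, detail) events: RATE when a source exceeds RATE_LIMIT
    within one second (checked before the allow rule, so a flood with a
    spoofed HMI address is still caught), DENY for anything outside ALLOWED,
    MALFORMED for non-Modbus data on 502, WRITE for state-changing requests
    from a permitted source (worth logging even when legitimate)."""
    events = []
    per_second = defaultdict(int)
    for t, src, dst, dport, payload in packets:
        key = (src, int(t))
        per_second[key] += 1
        if per_second[key] == RATE_LIMIT + 1:      # report once per source-second
            events.append(("RATE", src, f"more than {RATE_LIMIT} pkt/s"))
        if (src, dst, dport) not in ALLOWED:
            events.append(("DENY", src, f"{dst}:{dport} not permitted"))
            continue                               # a firewall drops it here
        frame = parse_mbap(payload)
        if frame is None:
            events.append(("MALFORMED", src, "non-Modbus payload on 502"))
            continue
        if frame["fc"] in WRITE_FCS:
            events.append(("WRITE", src, f"fc {frame['fc']} unit {frame['unit']}"))
    return events


# Constructed traffic (not a capture). PDUs: FC 3 reads 10 holding registers
# from address 0; FC 6 writes register 1 := 0 (a hypothetical setpoint).
READ_HR = bytes([3, 0, 0, 0, 10])
WRITE_REG = bytes([6, 0, 1, 0, 0])

SAMPLE_TRAFFIC = [
    (0.0, HMI, PLC, 502, modbus_frame(1, 1, READ_HR)),         # normal poll
    (0.5, HMI, PLC, 502, modbus_frame(2, 1, WRITE_REG)),       # operator write
    (1.0, ATTACKER, PLC, 502, modbus_frame(1, 1, WRITE_REG)),  # blocked by rule
] + [
    # 60 frames in one second with the HMI's address spoofed as the source:
    # the allow rule passes every one; only the rate limit notices.
    (2.0 + i / 100, HMI, PLC, 502, modbus_frame(10 + i, 1, READ_HR))
    for i in range(60)
]

if __name__ == "__main__":
    for kind, src, detail in audit(SAMPLE_TRAFFIC):
        print(f"{kind:9} {src:15} {detail}")
```

Note the order of checks: the rate counter runs before the allow rule, so the 60-frame burst that spoofs the HMI's source address still trips RATE even though every frame passes the allowlist; that is why the specification asks for DoS prevention in addition to the port/address rule. The same parse_mbap output is what an IDS rule would key on to flag write function codes (5, 6, 15, 16) from anything but the HMI.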
Defense in Depth in practice
www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
Zones
Firewalls
DMZ
IDS/Logging
Summary - Prevention is better than cure
Many industrial devices are vulnerable… not just the Allen-Bradley MicroLogix 1100
An air gap is a good line of defense if possible, but not a complete one
Understand your network and data flows. Document!
Adopt a defense in depth strategy employing various layers of security
Keep an inventory of networked devices and watch for vulnerabilities/updates
Implement layer 1 (physical) security solutions: lockable panels, patch cables etc.
Use updated AV/anti-spyware and ensure any PCs are routinely patched/updated
When interconnecting devices/panels, use a firewall
Isolate industrial devices and restrict network access to only those that need it (access control)
Consider specialist firewall functions (DoS prevention, CIFS integrity monitoring)
VLANs and MAC filtering can be used to provide some defense using managed switches
Summary - Prevention is better than cure
Use VPN for ALL remote connections
Restrict use of USB jump drives (disable the PC autorun feature, consider encrypted jump drives, don’t allow anyone’s stick)
Restrict/prevent web access to the internet from the control network
Use HTTPS exclusively when entering passwords/using secure web pages
Consider using network logging, SNMP, alerts, intrusion detection, honeypots – how else will you know something bad happened?
When using wireless, always encrypt with a minimum of WPA2 for Wi-Fi
Be aware of smartphone vulnerabilities and their place in SCADA
Implement an authentication/authorization policy, including how to handle access credentials of former employees/contractors
Security is not a one-and-done solution – continuously evolving standards, new vulnerabilities – someone has to stay on top of things
Security is also more than just a one-product solution – it’s a way of life
Security requires behavioral diligence from EVERYONE
Summary - Prevention is better than cure
Change default passwords and use ‘strong’ passwords
Take ownership, don’t assume it is already covered – ask questions
Take advantage of online resources
Talk to a specialist and consider getting a vulnerability assessment
Educate all employees
Evaluate your system conceptually using the free US-CERT CSET tool (risk analysis)
Devise a cyber security policy – what are your security goals?
Require that changes affecting the network be reviewed/approved beforehand
Patch management – risk vs. reward of patching holes in a running system. Where, when and how. Alternatives?
Devise a response/recovery plan for any potential events and keep secure backups of all critical code
Final Thought
Thank You – Questions?
“Distrust and caution are the parents of security” – Benjamin Franklin
Online Resources
www.us-cert.gov
http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
www.isa.org
www.nist.gov
www.phoenixcontact.com
http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf