Welcome to PHOENIX CONTACT

Industrial network security seminar

Matt Cowell

Phoenix Contact ASE – North Central

[email protected]

847 226 5197

2 | Presentation | Matt Cowell | ASE Central | 24 May 2013

Who am I?

Matt Cowell

ASE (Automation Sales Engineer) – North Central region

Tenure – Joined Phoenix Contact Jan 2008

Located Gurnee, IL (north of Chicago)

Responsible for all Phoenix Contact Automation product in N. Central Region

Automation product responsibility includes Ethernet, network security products, controllers and software, industrial PCs, HMIs, I/O, safety and wireless

Territory includes IL, WI, MN, ND, SD

Background – Various Engineering roles with later years focused in system integration


Agenda

Industrial networking introduction

‘Typical’ network layouts and comparisons to IT

Recent product vulnerabilities

Case studies of recent security breaches

Introduction to basic Hacking techniques

Live demonstration of an industrial attack

Highlighting ease of implementation on live network

Offering simple countermeasures and prevention

General Recommendations

Question Time

Has your network ever been hacked?

How do you know?

Whose responsibility is network security?

Everyone’s

Don’t assume someone else (IT) has it covered


What is a SCADA network?

SCADA = Supervisory Control And Data Acquisition

Commonly associated with an Industrial Control System (ICS)

Typically a dedicated network interlinking critical devices that are part of controlling and/or monitoring a plant, infrastructure or a process

Typical devices – SCADA network

[Figure: typical field devices, located in or near the control panel]

Wastewater SCADA network example

[Figure: plant-wide SCADA network diagram – Main Control Room, Main Pump Station, Sludge Dewatering, Disinfection, Blower Building, Final Clarifiers and Reject Pumps, interconnected by copper, fiber and wireless links]

Characteristics of a SCADA network

Often engineer governed

Desire high speed (typically small data transfers – bytes rather than megabytes)

Deterministic

Acceptable latency typically measured in ms

High-reliability data transfer in a rugged form factor

Typically comprising various protocols (Modbus/TCP, DNP3, EtherNet/IP)

Interconnected via various media (fiber, copper, wireless, leased lines etc.)

Originally isolated islands (no WAN or internet connectivity)

Longer system life cycle = more older technology and operating systems

Typical IT/Enterprise network

Large network, vast data transfer, variable speed dependent upon load, latency measured in seconds, isolation of devices less critical, broadcast traffic common, integrated security (antivirus / software firewall)


Evolution of connecting SCADA to the IT network or internet

[Figure: Internet – router/firewall – enterprise/company level network – SCADA/industrial network, with access throughout]

Why converge?

Reporting – regulatory requirements/compliance

Convenience – access from the desk or the city network

Autonomy & remote access – outside access for contractors

Integration – to database/laboratory systems

Mistake – the connection could also be inadvertent


Why consider security now?

Scope of industrial networks has grown beyond conventional “switch only” (layer 2) networks

Device access from the IT/enterprise network is desired

Remote access to SCADA systems is required for support

Industrial devices lack the network security features we have become familiar with (robust NICs, Windows updates, patches, antivirus, HTTPS etc.)

Vulnerabilities are being discovered daily

Increase in network devices, and trends are relying upon use of ‘the cloud’

Few standards in place yet to enforce security

Stuxnet demonstrated the sophistication and damage that can be caused by industrial-specific malware – don’t wait for Stuxnet 2.0

Industrial attacks are becoming more common and brazen – 1/3 of ALL malware was developed in the past year (Stuxnet, Night Dragon, Stars all made news headlines)


Common objections (excuses)

“IT takes care of our firewall and security”

Do they really? So they will handle the consequences of an attack on the SCADA system? Do they understand ‘SCADA’?

“Our SCADA network is isolated/air-gapped”

Are you sure? Either way, Stuxnet (to date the world’s most effective worm against SCADA) caused significant harm to its target, which was also “isolated”. What about USB or other attack vectors?

“We’re just a small site, we’re not a target”

Really? When you search for devices on Shodan, does the attacker care where the vulnerable PLC they just found is?

“SCADA security is too complex and costs too much”

What are the financial consequences of a breach to critical infrastructure? The risk has never been higher than today!


You already know physical security…

Cameras and surveillance

Analogous to IDS (Intrusion Detection System)/logging

Access control – access based upon credentials

Analogous to account/password control policy

Perimeter security – fences, gates, locks

Analogous to firewalls

Alarms

Analogous to email/SMS/SNMP/HMI alarms raised by a SIEM (Security Information & Event Management) system or IDS

Security guard

Analogous to IT/security focused professional

We generally take physical security very seriously


The cyber threat is real….


Types of cyber incident

Audit

Legitimate attack/test

Vulnerability assessment

Accidental

Broadcast storm, misconfiguration, faulty product etc..

Wrong IP

Non-malicious intrusion

Monitoring data, stealing information etc..

Malicious intrusion

Bad intentions/causing harm

Breaking something (equipment/process/data)


A few discovered vulnerabilities

All confirmed and published by US-CERT / ICS-CERT (DHS)

Schneider
– ICS-ALERT-11-346-01 – SCHNEIDER ELECTRIC QUANTUM ETHERNET MODULE MULTIPLE VULNERABILITIES
– ICSA-11-277-01 – SCHNEIDER ELECTRIC UNITELWAY DEVICE DRIVER BUFFER OVERFLOW
– ICSA-11-307-01 – SCHNEIDER ELECTRIC VIJEO HISTORIAN WEB SERVER MULTIPLE VULNERABILITIES

Siemens
– ICSA-11-356-01 – SIEMENS SIMATIC HMI AUTHENTICATION VULNERABILITIES
– ICS-ALERT-11-332-02A – SIEMENS SIMATIC WINCC FLEXIBLE VULNERABILITIES
– ICS-ALERT-11-186-01 – PASSWORD PROTECTION VULNERABILITY IN SIEMENS SIMATIC CONTROLLERS S7-200, S7-300, S7-400, AND S7-1200
– ICS-ALERT-11-161-01 – SIEMENS SIMATIC S7-1200 PLC VULNERABILITIES


..more discovered vulnerabilities

Rockwell Automation
– VU#144233 – Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities
– ICSA-10-070-01A (UPDATE) – ROCKWELL AUTOMATION RSLINX CLASSIC EDS HARDWARE INSTALLATION TOOL BUFFER OVERFLOW
– ICS-ALERT-10-194-01 – OPEN UDP PORT IN 1756-ENBT ETHERNET/IP™ COMMUNICATION INTERFACE
– ICSA-11-273-03A – ROCKWELL RSLOGIX DENIAL-OF-SERVICE VULNERABILITY
– ICS-ALERT-12-020-02A – ROCKWELL AUTOMATION CONTROLLOGIX MULTIPLE PLC VULNERABILITIES
– ICSA-12-088-01A – ROCKWELL AUTOMATION FACTORYTALK RNADIAGRECEIVER DOS VULNERABILITIES
– ICSA-10-070-02 – AUTHENTICATION VULNERABILITY IN ROCKWELL PLC-5 AND SLC 5/0X CONTROLLERS AND ASSOCIATED RSLOGIX SOFTWARE


..and some others

– ICS-ALERT-11-080-02 – MULTIPLE VULNERABILITIES IN ICONICS GENESIS (32 & 64)
– ICSA-11-173-01 – CLEARSCADA REMOTE AUTHENTICATION BYPASS
– ICSA-11-332-01 – INVENSYS WONDERWARE INBATCH ACTIVEX VULNERABILITIES
– ICSA-11-243-03A – GE INTELLIGENT PLATFORMS PROFICY HISTORIAN DATA ARCHIVER BUFFER OVERFLOW VULNERABILITY
– ICSA-12-243-01 – GARRETTCOM PRIVILEGE ESCALATION VIA USE OF HARD-CODED PASSWORD
– ICSA-12-146-01A – RUGGEDCOM WEAK CRYPTOGRAPHY FOR PASSWORD VULNERABILITY
– ICS-ALERT-12-020-07A – WAGO I/O 750 MULTIPLE VULNERABILITIES


Network security breach case study: Stuxnet

The industrial worm that brought mass media attention

Complex malware with rootkit components, exploiting four zero-day vulnerabilities

Designed to attack Siemens control systems running on Windows

Used stolen code-signing certificates to look inconspicuous

Could manipulate PLC logic and network traffic

Spread automatically via USB jump drives

Reported back to command-and-control servers on the internet

Targeted Iran’s uranium enrichment centrifuges, causing significant damage, but also spread worldwide

Suspected to be state sponsored

It had a ‘kill date’ coded into it to stop spreading on 6/24/12


Network security breach case study: Maroochy Shire wastewater facility

A disgruntled former contractor gained access via an insecure wireless network

Released 264,000 gallons of sewage into rivers

Responsible for killing marine life, not to mention creating a stench for residents

This occurred over a 3-week period; no one noticed for the first 2.5 weeks

He was later arrested and sentenced to prison


SCADA is a target


500,000 reasons to be afraid


Why do people ‘hack’?

There are a number of motivators, including:

Ego

Criminal

Political/Spying

Hacktivism

Terrorism

War

Personal gain

Corporate gain

Sabotage

Retribution

Personal Concern


How do people hack?

Inside job/disgruntled employee – abusing network privileges

Sniffing – intercepting network traffic, e.g. via ARP spoofing. Unsecured protocols (HTTP, SNMP v1 & v2) may carry passwords in plain text

Password cracking – exploiting defaults, password generators, phishing, keylogging, brute force

DoS – Denial of Service attacks overwhelm a network interface by sending excessive traffic to that device

Spoofing – firewalls define rules based upon IP address, MAC address and port. Spoofing modifies the source IP/MAC to pretend a packet is from a legitimate source, to get access and hijack a session. A cyber imposter

Wireless attack – using packet captures and cracking tools it is possible to recover the WEP key of a wireless AP

Virus/Worm – self-replicating infectious computer code (malware) that can take control of a system or steal information. Infect and spread

Ransomware – a specific infection that demands ransom money, locking you out of files or threatening to delete them by a specific deadline – NEW

Trojan – malicious code attached to a legitimate file; once run, it compromises the system by giving access to the attacker(s), as a virus would

Social Engineering – manipulating people to divulge information or perform an action – a cyber con artist. Email/phone/baiting/phishing

Exploiting vulnerabilities – missing Windows updates, Stuxnet
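The sniffing item above says that HTTP and SNMP v1/v2 may carry passwords in the clear. As an added example (not part of the seminar and not Phoenix Contact code), here is how little work it takes to pull them out of a capture: a minimal BER walker that reads the community string from an SNMPv1/v2c message, and a Base64 decode for HTTP Basic authentication. The capture records, IP addresses and packet bytes are constructed for this example, not traffic from the demonstration network.

```python
"""Added example: credentials recovered from cleartext protocols on a plant LAN.

  * SNMPv1/v2c: the community string (effectively the password) is a plain
    OCTET STRING inside the BER-encoded message.
  * HTTP Basic auth: the Authorization header is Base64-encoded, not encrypted.

Everything below is constructed for illustration; it is not captured plant traffic.
"""
import base64
import re


def ber_tlv(buf, pos=0):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles short-form and long-form (0x81/0x82) lengths, which is all SNMP needs."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def snmp_community(payload):
    """Return (version_name, community) from an SNMPv1/v2c message,
    or None if the bytes are not a community-based SNMP message."""
    try:
        tag, body, _ = ber_tlv(payload)
        if tag != 0x30:                     # outer SEQUENCE
            return None
        vtag, vbytes, pos = ber_tlv(body)   # INTEGER version
        ctag, community, _ = ber_tlv(body, pos)  # OCTET STRING community (v1/v2c only)
    except IndexError:                      # truncated or not BER at all
        return None
    if vtag != 0x02 or ctag != 0x04:        # SNMPv3 has a SEQUENCE here, not a string
        return None
    version = {0: "SNMPv1", 1: "SNMPv2c"}.get(int.from_bytes(vbytes, "big"))
    if version is None:
        return None
    return version, community.decode("ascii", "replace")


def http_basic_credentials(payload):
    """Return (user, password) from an HTTP request carrying Basic auth, else None."""
    m = re.search(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\r?$",
                  payload, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
    user, _, password = decoded.partition(":")
    return user, password


def extract_credentials(records):
    """records: iterable of (src_ip, dst_ip, dst_port, payload_bytes), as a sniffer
    would hand them over. Returns a list of findings (dicts)."""
    findings = []
    for src, dst, dport, payload in records:
        if dport == 161:
            hit = snmp_community(payload)
            if hit:
                findings.append({"proto": hit[0], "src": src, "dst": dst, "secret": hit[1]})
        elif dport == 80:
            hit = http_basic_credentials(payload)
            if hit:
                findings.append({"proto": "HTTP-Basic", "src": src, "dst": dst,
                                 "secret": "%s:%s" % hit})
    return findings


# Constructed sample capture: an SNMPv1 GetRequest for sysDescr.0 with community
# "public", an HTTP request to a PLC web page with Basic auth admin:admin, and a
# Modbus/TCP read that carries no credentials at all.
SNMPV1_GET = bytes.fromhex(
    "3029"                      # SEQUENCE, 41 bytes
    "020100"                    # version = 0 (SNMPv1)
    "04067075626c6963"          # community = "public"
    "a01c"                      # GetRequest-PDU, 28 bytes
    "02041a2b3c4d"              # request-id
    "020100" "020100"           # error-status, error-index
    "300e300c"                  # VarBindList / VarBind
    "06082b060102010101000500"  # OID 1.3.6.1.2.1.1.1.0, NULL
)
HTTP_GET = (b"GET /status.htm HTTP/1.1\r\nHost: 192.168.0.101\r\n"
            b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n")
MODBUS_READ = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
SAMPLE_CAPTURE = [
    ("192.168.0.100", "192.168.0.101", 161, SNMPV1_GET),
    ("192.168.0.100", "192.168.0.101", 80, HTTP_GET),
    ("192.168.0.100", "192.168.0.101", 502, MODBUS_READ),
]

if __name__ == "__main__":
    for finding in extract_credentials(SAMPLE_CAPTURE):
        print(finding)
```

To run this on real traffic, feed it records from a pcap reader; the defender's takeaway is that SNMPv3 (authPriv) and HTTPS remove the cleartext secret entirely, which is why the summary slides push HTTPS and credential hygiene.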

How easy is it to ‘hack’ a facility?

Just ask Google

Wireless breach

Wardriving

If there is no access to the inside network, you first have to find it:

Specialist search engines

Public IP and Port scans

Social engineering via Trojan or Phishing

Vulnerabilities

Easy targets

Publicly available online and being found daily

Dedicated tools to make life easier

…..as we will see


Our demonstration scenario

[Figure: demo network – PC (HMI, master), lean managed switch, PLC (slave) and attacking PC on the 192.168.0.0/24 LAN (addresses 192.168.0.100, .101, .102 and .200); router at 192.168.0.1 (LAN) / 1.2.3.4 (WAN) towards the Internet; perimeter marked]

DEMO time – 4. DoS Attack

4. DoS Attack

[Figure: the demonstration network from the previous slide during the DoS attack]

4. Denial Of Service attack

What did we learn?

With the information collected by simply monitoring and exploring the network, we can now break it

Network adapters (particularly on industrial devices) can be overwhelmed if you send excessive packets

This can manifest in many devastating ways – preventing legitimate communications and in some cases locking up the device, requiring a power cycle or losing its program

Recommendations:

Use Firewalls to control/restrict access

Use managed switches with bandwidth limitation or routers to prevent excess traffic

Enable monitors/logging to watch and automatically notify of dangerous traffic levels
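The third recommendation above (monitor and notify on dangerous traffic levels) in code, as an added example that is not seminar material: packet records are bucketed into one-second windows per source/destination pair and, separately, per destination, so that a flood spread across many spoofed source addresses (the spoofing technique from the ‘How do people hack?’ slide) is still caught even though no single pair exceeds the limit. The packet log, addresses and thresholds are constructed or assumed for the example.

```python
"""Added example: rate-based flood detection over a packet log.

Each record is (timestamp_seconds, src_ip, dst_ip, length_bytes). Counts are
kept per one-second window for every (src, dst) pair and for every dst on its
own; a window that exceeds the packet-rate or byte-rate threshold raises one
alert. The thresholds are assumptions to be tuned per device, not figures
from the seminar."""
from collections import defaultdict

PPS_LIMIT = 200          # packets/second - assumed; size to what the PLC's NIC tolerates
BPS_LIMIT = 1_000_000    # bytes/second - assumed


def detect_floods(records, pps_limit=PPS_LIMIT, bps_limit=BPS_LIMIT):
    """Return alerts as (window_start, src, dst, packets, bytes).
    src is "*" for the per-destination aggregate. Records need not be sorted."""
    per_pair = defaultdict(lambda: [0, 0])   # (window, src, dst) -> [packets, bytes]
    per_dst = defaultdict(lambda: [0, 0])    # (window, "*", dst) -> [packets, bytes]
    for ts, src, dst, length in records:
        window = int(ts)
        for bucket, key in ((per_pair, (window, src, dst)),
                            (per_dst, (window, "*", dst))):
            bucket[key][0] += 1
            bucket[key][1] += length
    alerts = []
    for bucket in (per_pair, per_dst):
        for (window, src, dst), (pkts, nbytes) in sorted(bucket.items()):
            if pkts > pps_limit or nbytes > bps_limit:
                alerts.append((window, src, dst, pkts, nbytes))
    return alerts


def make_sample_log():
    """Constructed traffic (not a real capture):
      * seconds 0-4: HMI 192.168.0.100 polls PLC 192.168.0.101 at 10 packets/s
      * second 3:    attacker 192.168.0.200 sends 2,000 packets to the PLC
      * second 4:    the same 2,000 packets, but spread over 100 spoofed sources
                     (20 packets each, so no single pair crosses PPS_LIMIT)"""
    log = []
    for i in range(50):
        log.append((i / 10.0, "192.168.0.100", "192.168.0.101", 66))
    for i in range(2000):
        log.append((3.0 + i / 2000.0, "192.168.0.200", "192.168.0.101", 60))
    for s in range(100):
        for j in range(20):
            log.append((4.0 + j / 20.0, "10.0.0.%d" % (s + 1), "192.168.0.101", 60))
    return log


if __name__ == "__main__":
    for window, src, dst, pkts, nbytes in detect_floods(make_sample_log()):
        print("ALERT t=%ds %s -> %s: %d packets, %d bytes" % (window, src, dst, pkts, nbytes))
```

The per-destination count is the part that matters against a spoofed flood: with only per-pair thresholds, the second-4 burst in the sample would pass unnoticed. In practice the notification goes out the same channels the slides name (email/SMS/SNMP trap/HMI alarm), and the thresholds must be measured against what the actual PLC can absorb rather than copied from this example.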


Control the ‘inside’

Prevent unnecessary access to industrial devices/network

Use a firewall to control traffic rules

Be careful of open ports and ‘backdoors’

Ensure adequate encryption when using wireless (WPA2) and a long, unusual passphrase

Restrict USB drive usage

Be careful of infected internal PCs – a virus or Trojan can run on the inside (an ‘inside job’), cause havoc and send information out

It is claimed that 60-70% of all security breaches are carried out by insiders


The solution?

mGuard Industrial Router, Firewall and VPN

[Figure: mGuard placement options between the plant network and the Internet, labelled Here, There and Partial]

Not just my advice..

Use of a firewall is a common recommendation by US-CERT/ICS-CERT for posted vulnerabilities


It gets worse…

Cybersecurity Act of 2012

Example SCADA Specifications


2.4 ETHERNET SWITCH

A. General: Furnish and install fiber-optic Ethernet switches as shown.

B. Features:

• 100/1000 base-T (auto-sensing).
• Minimum of five (5) RJ-45 ports. Ethernet ports shall be expanded as needed to interconnect all system components.
• Minimum of two (2) fiber optic ports for one (1) fiber pair. Fiber optic ports shall be expanded as needed to interconnect all system components.
• LED for indicating port status.
• Internal panel mounting kit.
• Failsafe output relay to indicate malfunction with unit.
• FCC Part 15, Class A compliant.
• Provide management software for multilevel security, web based configuration and remote monitoring.
• Powered by circuit on Uninterruptible Power Supply.

C. Product and manufacturer: ConneXium Switches Model 499-NOS-27100. No substitutions.

2.5 FIBER-TO-COPPER MEDIA CONVERTERS

A. Fiber optic converters shall convert Ethernet TCP/IP network data to a format suitable for transmission over multi-mode fiber optic cable.

B. Features: Converters shall provide:

• Full-duplex 100/1000 Mbps Ethernet operation.
• Multimode fiber optic media support.
• Remote and local interface status.

C. Provide suitable transformers to convert 120VAC power to the appropriate voltage necessary to power the transceivers.

D. For control panel mounting, converter shall be DIN-rail mountable.

E. Product and manufacturer: IFS, or equal.

2.8 SWITCHES AND MEDIA CONVERTERS

A. Provide switches meeting the following requirements:

1. Provide Phoenix Contact switch SFN6TX2FXST. Switch to operate on 24VDC. Switch to have six (6) RJ45 copper ports and two (2) fiber ports with ST connections.
2. Provide one switch in each remote I/O cabinet and one switch for PLC B-C.

B. Provide fiber optic media converter(s) as shown on the drawings, called for in the specifications or as required to result in a complete and working system:

1. Media converter(s) shall operate on either 120VAC or 24VAC power and shall be supported by a UPS.
2. Provide media converter with RJ-45 port for copper cable and ST connector for fiber optic cable.
3. Provide one media converter for PLC C-B and two additional media converters to be used by the owner.

No firewall or security mentioned

2.9 NETWORK SECURITY

A. Provide central managed switches meeting the following requirements:

1. Provide Phoenix Contact switch MCS 14TX/2FX. Switch to operate on 24VDC. Switch to have fourteen (14) RJ45 copper ports and two (2) fiber ports with SC connections.
2. Provide one switch in lockable, main control cabinet.
3. VLAN support to be enabled.

B. Provide one (1) firewall per each lockable RTU cabinet:

1. Firewall rules to be configured to allow only TCP port 502 inbound from the main PLC IP address to the RTU PLC IP address.
2. DoS prevention to be active.

C. Provide one (1) firewall for the lockable main control cabinet:

1. Firewall rules to be configured to allow only TCP port 502 inbound from the main SCADA PC IP address to the main PLC IP address.
2. DoS prevention to be active.

D. A designated IDS (intrusion detection system) must be implemented on the SCADA network.

E. VPN must be configured for outside remote access.

F. Control and SCADA network must implement a defense in depth, layered approach as per ISA-99 (now IEC 62443).
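Section 2.9 items B and C as an explicit default-deny allowlist, checked against constructed connection records. This is an added example, not seminar material and not mGuard configuration syntax; the IP addresses are assumptions. It goes one step beyond the spec: a rule that allows ‘TCP 502 from the SCADA PC’ still allows every Modbus function code, so the example also parses the Modbus/TCP MBAP header and lets a rule be marked read-only so that write function codes are refused. The read-only flag is my addition, not a requirement of the spec.

```python
"""Added example: the 2.9 firewall rules as a default-deny allowlist, with an
optional Modbus/TCP read-only check. Addresses and frames are constructed."""
import struct
from collections import namedtuple

MODBUS_TCP_PORT = 502
MAIN_PLC = "192.168.0.100"   # assumed address of the main PLC
RTU_PLC = "192.168.0.101"    # assumed address of an RTU PLC
SCADA_PC = "192.168.0.102"   # assumed address of the main SCADA PC

Rule = namedtuple("Rule", "src dst proto dport read_only")

# 2.9 B: RTU cabinet firewall - only the main PLC may speak Modbus/TCP to the RTU PLC.
RTU_CABINET_FW = [Rule(MAIN_PLC, RTU_PLC, "tcp", MODBUS_TCP_PORT, read_only=False)]
# 2.9 C: main cabinet firewall - only the SCADA PC may speak Modbus/TCP to the main PLC.
# read_only=True is an assumption beyond the spec: an HMI that only polls needs no writes.
MAIN_CABINET_FW = [Rule(SCADA_PC, MAIN_PLC, "tcp", MODBUS_TCP_PORT, read_only=True)]

# Modbus function codes that change controller state.
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}   # write coil(s)/register(s), mask write, read/write multiple


def parse_mbap(payload):
    """Parse a Modbus/TCP frame: 7-byte MBAP header followed by the PDU (function code first).
    Returns a dict, or None if the bytes are not a well-formed Modbus/TCP frame."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    # protocol id is always 0; the length field counts unit id + PDU, i.e. everything after byte 6
    if pid != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": uid, "fc": payload[7], "data": payload[8:]}


def decide(rules, flow, payload=b""):
    """flow: (src_ip, dst_ip, proto, dst_port). Returns (verdict, reason).
    Anything without a matching rule is dropped (default deny)."""
    src, dst, proto, dport = flow
    for rule in rules:
        if (rule.src, rule.dst, rule.proto, rule.dport) == (src, dst, proto, dport):
            if dport == MODBUS_TCP_PORT:
                frame = parse_mbap(payload)
                if frame is None:
                    return "DROP", "malformed Modbus/TCP frame on port 502"
                if rule.read_only and frame["fc"] in MODBUS_WRITE_FCS:
                    return "DROP", "write function code %d refused by read-only rule" % frame["fc"]
            return "ACCEPT", "matched allow rule"
    return "DROP", "default deny: no rule for %s -> %s %s/%d" % (src, dst, proto, dport)


# Constructed frames, unit id 1: Read Holding Registers 0..9, and Write Single Register 0x0010 := 1
FC3_READ_HOLDING = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
FC6_WRITE_REGISTER = b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"

if __name__ == "__main__":
    checks = [
        (RTU_CABINET_FW, (MAIN_PLC, RTU_PLC, "tcp", 502), FC3_READ_HOLDING),
        (RTU_CABINET_FW, ("192.168.0.200", RTU_PLC, "tcp", 502), FC3_READ_HOLDING),
        (RTU_CABINET_FW, (MAIN_PLC, RTU_PLC, "tcp", 80), b"GET / HTTP/1.0\r\n\r\n"),
        (MAIN_CABINET_FW, (SCADA_PC, MAIN_PLC, "tcp", 502), FC3_READ_HOLDING),
        (MAIN_CABINET_FW, (SCADA_PC, MAIN_PLC, "tcp", 502), FC6_WRITE_REGISTER),
    ]
    for rules, flow, payload in checks:
        verdict, reason = decide(rules, flow, payload)
        print("%-45s %-6s %s" % (flow, verdict, reason))
```

Note what this cannot do: the rules match on source IP, so a host on the RTU cabinet’s LAN side that spoofs the main PLC’s address (the ‘Spoofing’ item earlier) still matches the rule. That is why the spec puts the firewall inside the lockable cabinet and layers DoS prevention, VLANs, an IDS and VPN-only remote access on top, rather than relying on the allowlist alone.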

Defense in Depth in practice

www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf

[Figure: defense-in-depth architecture – zones, firewalls, DMZ, IDS/logging]

Summary - Prevention is better than cure

Many industrial devices are vulnerable…not just the Allen-Bradley MicroLogix 1100

An air gap is a good line of defense if possible, but not a complete one

Understand your network and data flows. Document!

Adopt a defense in depth strategy employing various layers of security

Keep an inventory of networked devices and watch for vulnerabilities/updates

Implement physical (layer 1) security: lockable panels, secured patch cables etc.

Use updated antivirus/anti-spyware and ensure any PCs are routinely patched/updated

When interconnecting devices/panels use a firewall

Isolate industrial devices and restrict network access to only those that need it (access control)

Consider specialist firewall functions (DoS prevention, CIFS integrity monitoring)

VLANs and MAC filtering can be used to provide some defense using managed switches


Summary - Prevention is better than cure

Use VPN for ALL remote connections

Restrict use of USB jump drives (disable PC autorun feature, consider encrypted jump drives, don’t allow anyone’s stick)

Restrict/prevent web access to internet from control network

Use HTTPS exclusively when entering passwords or using secure web pages

Consider using network logging, SNMP, alerts, intrusion detection, honeypots – how else will you know something bad happened?

When using wireless always encrypt with a minimum of WPA2 for Wi-Fi

Be aware of smartphone vulnerabilities and their place in SCADA

Implement an authentication/authorization policy, including how to handle the access credentials of former employees/contractors

Security is not a one and done solution – continuously evolving standards, new vulnerabilities – someone has to stay on top of things

Security is also more than just a one product solution – it’s a way of life

Security requires behavioral diligence from EVERYONE


Summary - Prevention is better than cure

Change default passwords and use ‘strong’ passwords

Take ownership, don’t assume it is already covered – ask questions

Take advantage of online resources

Talk to a specialist and consider getting a vulnerability assessment

Educate all employees

Evaluate your system conceptually using the free US-CERT CSET tool (risk analysis)

Devise a cyber security policy – what are your security goals?

Require changes that affect the network to be reviewed/approved beforehand

Patch management – weigh risk vs. reward when patching holes in a running system. Where, when and how? Alternatives?

Devise a response/recovery plan for any potential events and keep secure backups of all critical code

Final Thought


Thank You – Questions?

“Distrust and caution are the parents of security” – Benjamin Franklin

Online Resources

www.us-cert.gov
http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
www.isa.org
www.nist.gov
www.phoenixcontact.com
http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf