Control Systems under Attack !?
A Teststand On Control System Security at CERN
Stefan Lüders (CERN IT/CO)
ICALEPCS 2005, October 14th, 2005

Outline:
- Cyber Threats: Today's Peril
- Vulnerabilities in Controls
- Findings of the TOCSSiC
- First Steps for Mitigation

Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 2005 (slide 2 / 17)

Aware or Paranoid ?
- 2000: Ex-employee hacks wirelessly 46 times into a sewage plant and floods the basement of the Hyatt Regency hotel.
- 2003: The Slammer worm disables the safety monitoring system of the Davis-Besse nuclear power plant for 5h.
- 2003/08/11: W32.Blaster.Worm
- 2004: IT intervention, hardware failure and use of ISO protocol stopped the SM18 magnet test stand for 24h.
- 2005: DoS (70) stopped manual control

Cyber Threats: Today's Peril
[Figure: Intruder Knowledge / Attack Sophistication (Higher to Lower) plotted against the years 1980 to 2010. Attack techniques shown: Packet Spoofing, Password Guessing, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Hijacking Sessions, Sniffers, Back Doors, War Dialing, Denial of Service, Automated Probes/Scans, IRC Based, Zero Day Exploits, Viruses, Worms, Root Kits, Zombies, BOT nets, Attacking Controls. Annotation: Common Standards / Interconnectivity. Control Systems phases: Era of Legacy Technology (Security through Obscurity); Era of Modern Information Technology (From Top-Floor to Shop-Floor); Transition Phase (Controls goes IT).]

Controls Goes IT
- Controls Networks mate Business Networks
  - Proprietary field busses replaced by Ethernet & TCP/IP
  - Field devices connect to Ethernet & TCP/IP
  - Real time applications based on TCP/IP
  - VPN connections from the outside onto the Controls Network
- Use of IT protocols & gadgets:
  - SNMP, SMTP, FTP, Telnet, HTTP (WWW), …
  - Wireless LAN, Notebooks, USB sticks, …
- Migration to the Microsoft Windows platform
  - Windows not designed for Industrial / Control Systems
  - OPC/DCOM runs on port 135 (heavily used for RPC)

Threats due to Technique
- Poorly secured systems are being targeted
- Worms are spreading within seconds
- Unpatched systems, O/S & applications
- Missing anti-virus software or old virus signature files
- No firewall protection
- Zero Day Exploits: security holes without patches
- Break-ins occur before patch and/or anti-virus available
…but how to patch/update Control PCs ?
…what about anti-virus software ?

Threats due to People
- Passwords are known to several (many?) people
- No traceability, ergo no responsibility
- People are increasingly the weakest link
- Use of weak passwords
- Infected notebooks are physically carried on site
- Users download malware and open tricked attachments
- Missing/default/weak passwords in applications
…but how to handle Operator accounts ?
…what about password rules ?

The TOCSSiC
- COTS Automation Systems are without security protections
  - Programmable Logic Controllers (PLCs), field devices, power supplies, …
  - Security not integrated into their designs
- Creation of the Teststand On Controls System Security at CERN
  - Running Nessus vulnerability scan (used in Office IT)
  - Running Netwox DoS attack with random fragments
  - Running Ethereal network sniffer

Controls under Attack !
- 20 devices from 6 different manufacturers (35 tests in total)
- All devices fully configured but running idle
…PLCs under load seem to fail even more frequently !!!
…results improve with more recent firmware versions

TOCSSiC Findings (1)
Device crashed:
- Sending specially crafted IP packets causes the TCP/IP fragmentation re-assembly code to …
  - … improperly handle overlapping IP fragments (Nestea attack)
  - … lose network connectivity (Linux zero length fragment bug)
- Sending a continuous stream of extremely large and incorrectly fragmented IP packets leads to consumption of all CPU resources (jolt2 DoS attack)
- Sending special malformed packets (oshare attack)
…violation of TCP/IP standards !!!
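
A defensive illustration of the reassembly failures listed above, added here and not taken from the talk or from any vendor's firmware: a validation pass that rejects zero-length, oversized, misaligned and overlapping fragments before any payload is copied. The struct, function and verdict names and the sample fragment sets are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One fragment of a single IPv4 datagram (simplified model, not a real stack's struct). */
struct frag {
    uint32_t offset; /* payload byte offset (header field * 8) */
    uint32_t len;    /* payload bytes carried by this fragment */
    int more;        /* MF flag: 1 = more fragments follow */
};
enum frag_verdict { FRAG_OK, FRAG_ZERO_LEN, FRAG_TOO_LARGE, FRAG_MISALIGNED, FRAG_OVERLAP, FRAG_INCOMPLETE };
#define IP_MAX_PAYLOAD 65515u /* 65535 total length minus the 20-byte minimum header */

/* Validate a complete fragment set before any byte is copied into a reassembly buffer. */
enum frag_verdict check_fragments(const struct frag *f, size_t n)
{
    uint32_t total = 0, end = 0, max_end = 0, e;
    size_t i, j, finals = 0;

    for (i = 0; i < n; i++) {
        if (f[i].len == 0) return FRAG_ZERO_LEN;
        if (f[i].offset > IP_MAX_PAYLOAD || f[i].len > IP_MAX_PAYLOAD - f[i].offset)
            return FRAG_TOO_LARGE;          /* reassembled size would exceed the IPv4 limit */
        if (f[i].offset % 8 || (f[i].more && f[i].len % 8)) return FRAG_MISALIGNED;
        for (j = 0; j < i; j++)             /* strict policy: reject on any overlap */
            if (f[i].offset < f[j].offset + f[j].len &&
                f[j].offset < f[i].offset + f[i].len)
                return FRAG_OVERLAP;
        e = f[i].offset + f[i].len;
        if (e > max_end) max_end = e;
        if (!f[i].more) { finals++; end = e; }
        total += f[i].len;
    }
    /* Exactly one final fragment, nothing beyond it, and (no overlap + full length) = no holes. */
    return (finals == 1 && max_end == end && total == end) ? FRAG_OK : FRAG_INCOMPLETE;
}

/* Constructed sample fragment sets (not captured traffic). */
static const struct frag sample_ok[]      = { {0, 1480, 1}, {1480, 1480, 1}, {2960, 40, 0} };
static const struct frag sample_overlap[] = { {0, 24, 1}, {16, 16, 0} };
static const struct frag sample_zero[]    = { {0, 1480, 1}, {1480, 0, 0} };
static const struct frag sample_large[]   = { {65520, 64, 0} };
static const struct frag sample_hole[]    = { {0, 8, 1}, {16, 8, 0} };

int main(void)
{
    printf("ok=%d overlap=%d zero=%d large=%d hole=%d\n",
           check_fragments(sample_ok, 3), check_fragments(sample_overlap, 2),
           check_fragments(sample_zero, 2), check_fragments(sample_large, 1),
           check_fragments(sample_hole, 2));
    return 0;
}
```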

TOCSSiC Findings (2)
FTP server crashed:
- Sending a too long command or argument
- Issuing a CEL aaa…aaa command (VxWorks)
FTP server allows to connect to third party hosts (i.e. provides an attacker platform)
FTP server allows anonymous login
Telnet server crashed:
- After flooding it with ^D characters
- Sending a too long user name
- Sending too many "Are you there" commands
…both are legacy protocols w/o encryption !

TOCSSiC Findings (3)
HTTP server crashed:
- Requesting a URL with too many characters (e.g. http:// /cgi-bin/aaa…aaa or http:// /jsp/aaa...aaa)
- Using up all resources (WWW infinite request attack)
HTTP server directory available:
- Using http:// /../.. get request
…who needs web servers & e-mailing on PLCs ?
ModBus server crashed by scanning port 502
…protocols are well documented (Google hacking) !

TOCSSiC Findings (4)
PLCs are un-protected:
- Can be stopped w/o problems (needs just a bit googling)
- Passwords are not encrypted
- Might even come without authentication
- Still allow for legacy commands
…authentication & encryption should be mandatory !
Fixed SNMP community names "public" and "private"
…why can community names not be changed ?

TOCSSiC Follow Up
- Disclosing vulnerabilities to vendors and manufacturers
- Exchanging information with Government Bodies, Industry & Research
- Forum on OPC security and future devs
- CERN produced a Security Policy for Controls
- Forum on the development of Windows For Controls with Microsoft

Your Ways to Mitigate ? (1)
- Apply Defence-in-Depth approach
  - Protect each layer of your Control System
- Separate Controls and Business Networks
  - Reduce and control inter-communication
- Use managed systems where possible
  - Ensure prompt security updates: O/S, applications, anti-virus, …
  - Swapping to Linux or Mac is NOT more secure
- Ensure security protections before connecting
  - Check for up-to-date patches and anti-virus files

Your Ways to Mitigate ? (2)
- Use strong passwords and sufficient logging
  - Check that default passwords are changed in all applications
  - Passwords must be kept secret: beware of Google Hacking
  - Ensure traceability of access (who and from where)
- Make security an objective
  - Raise awareness in your Users community
- Contact your vendor / manufacturer
  - Check your firmware versions
  - Do you really want all those Bells & Whistles ?
  - Join the MS MUG and the OPC Foundation

Conclusions
- Adoption of modern IT standards exposes Control Systems to security risks
- Control PCs, PLCs & other automation devices are intrinsically vulnerable
- Make security an objective

Thank you very much !
Special Acknowledgements go to:
- J. Brahy & R. Brun (CERN AB/CO) and J. Rochez (CERN IT/CO)
- J. Arnold (EPFL, Lausanne) and B. Figon (ESIEE, Amiens)