Presentation transcript: Eyal Udassin – C4 Security (www.c4-security.com)

1 Eyal Udassin – C4 Security

2 Contents
- Introduction
- The Problem – Security by Obscurity
- The Solution – Behavioral Attack
- Recommendations

3 About C4
- Based in Israel
- Consists of security experts, reverse engineers and protocol analysts
- Provide “red team” penetration tests to utilities, financial institutions and governmental agencies
- Our team’s skills enable us to find and exploit vulnerabilities in proprietary systems
- Experts in SCADA security
- Contact: /

4 Introduction
- Terminology
  - SCADA – Supervisory Command and Data Acquisition
  - DCS – Distributed Control Systems
- C&C systems for electricity, water, sewage, gas, oil, trains, petrochemical plants etc.
- Energy management systems (EMS) are SCADA systems, as they control network nodes dispersed over a large geographical area
- These systems bring power to your home

5 Introduction
- National infrastructure utilities directly affect the well-being of nations’ civilians, thus they are a prime target for terrorists
- The “Holy Grail” for an attacker in the SCADA environment is the Control Center
- We strongly believe that in order to thwart such attacks, it is necessary to conduct the same offensive research

6 Typical Control Center Elements

7 Background
- 3 critical vulnerabilities in GE-Fanuc Cimplicity and Proficy were disclosed by us at S (including a stable heap overflow)
- Even though this was the first time that taking control over the SCADA server was demonstrated, there were a few engineers who doubted that it would allow an attacker to cause real damage
- Skeptics fuel progress – time for stage II

8 The Problem
- The #1 claim from big-scale SCADA operations is: Even if you assume complete control over our control center – you will not be able to cause substantial physical damage, as:
  1. You’re not a control engineer, so you won’t understand what you’re seeing on the HMI
  2. You won’t find any documentation on the network to allow you to map the SCADA network addresses and their datapoints to their “meaning” – what they control in the physical world

9 The Problem
- Without a mapping of the addresses & datapoints to physical locations and controlled devices, it is very difficult to generate malicious packets
- Such a map can usually be found on the operators’ workstations and the SCADA server as a tag database. Each tag is a user-friendly name given to an address/datapoint
- “We keep the mapping only in paper copy” etc.
- Mmmm… strange, but let’s play along

10 Translation to IT Security Terms
- Security by obscurity
- To be completely honest – it’s one of the few places where it might actually work!
- Two “shortcuts” to beating security by obscurity are missing:
  - Can’t trigger events
  - Few (if any) string anchors

11 Translation to IT Security Terms
- Example packets:
  - 0a 07 d9 08 3b 92 0b af 00 0b
    Trip a breaker (920b) – address (d9083b)
  - 0a b5 cc b
    Read generation frequency (9101) on plant #11 – address (80b5cc)

12 The Solution
- Base assumptions: The Good
  - Assumption 1 – Security by obscurity works. We will never know what the data “means”
    - Already discussed
    - No “silver bullet” – can’t cause an “aurora” style attack, as we don’t know what kind of generator is used nor where it is located logically
  - Assumption 2 – Even if we have the map, causing substantial damage is difficult
    - Complexity – mitigated by getting a control engineer on board
    - Safety mechanisms – 3 cases in the past year where these failed due to mechanical or human error

13 Base Assumptions (cont.)
- The Bad
  - Assumption 3 – Control protocols are simple
    - 95% are Start/Stop, TLV, or fixed size and format
  - Assumption 4 – We own the communication server (aka FEP)
    - This is where we left off in our previous research, for more details see:
- The Ugly
  - Assumption 5 – Humans need more electricity when they are awake

14 Daily Electricity Demand
- England

15 Daily Electricity Demand
- The Czech Republic

16 Daily Electricity Demand
- Scotland

17 Attack Vector
- The main goal of the control center is to keep the grid balance – generation should match the demand
- From the previous graphs we see that:
  - In the morning the grid utilization is increased
  - In the evening it is decreased
- How does this work to our advantage?
  - Let’s turn night into day, and vice versa
  - No need to know what we’re sending, as the operators already took care of that for us

18 Malware Design
- Install malware on the comm. server
- Stage I – Learning Mode
  - Sniff traffic to and from the field (easy to distinguish)
  - Create request/response pairs with a timestamp for day & night classification
  - Auto-identify “problematic” fields
    - CRC/Parity fields
    - Timestamps
    - Counters
    - Simple statistical computations

19 Malware Design
- Stage II – Active mode
  - When enough packet data is collected, wait for the next critical time of day (dawn, nightfall)
  - Drop all messages coming from the SCADA server
  - Instead, send the commands of the opposite timeframe to the field

20 Malware Design
- What will happen in Active Mode?
- Example – sunrise time
  - Electricity demand constantly rises
  - The field devices will receive night-time commands – e.g. “disconnect aux. power plant from the grid”, “lower power output from main power plant” etc.
  - Operators will try to connect more power plants, without success, as the commands are ignored
  - Network instability – supply will not meet the demand
    - Potentially causing blackouts
    - May change electric frequency

21 Advanced Attack Vector
- An even nastier approach is to record communication between the comm. server and SCADA server as well
- When the system goes from “learn mode” to “active mode”, perform two actions:
  - Send the control data to the field as previously mentioned
  - Don’t drop the SCADA server requests; send the responses it expects at this time from the field

22 Advanced Attack Vector
- Expected result
  - Field devices are performing the exact opposite of their required behavior
  - SCADA operators see that everything is running smoothly
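Because the advanced vector also feeds the SCADA server the responses it expects, the HMI cannot be trusted to reveal the replay; a passive monitor on the field side of the FEP, keyed on the same day/night regimes the slides use, still can. The following is an added illustration of that detection logic, not code from the presentation; the frame layout (address at bytes 2..4, command at byte 5) is an assumption loosely modelled on the slides' example packet.

```python
"""Time-of-day baseline monitor for FEP-to-field commands (added example).

Assumes a passive tap that sees every frame the FEP sends to the field and a
constructed toy frame layout loosely based on the slides' example packet:
bytes 2..4 hold the RTU address and byte 5 the command code (assumption)."""
from collections import defaultdict

# The slides' example frame: "trip a breaker" at address d9083b.
TRIP_BREAKER = bytes.fromhex("0a07d9083b920baf000b")

def period(hour):
    """Two demand regimes from the daily demand curves: day or night."""
    return "day" if 6 <= hour < 22 else "night"

def command_key(frame):
    """(address, command) identity of a frame; field offsets are assumed."""
    return (frame[2:5].hex(), frame[5])

class TimeOfDayMonitor:
    """Learns when each (address, command) pair is normally issued and flags
    a frame whose time of day does not match that history."""

    def __init__(self, min_history=20, alert_below=0.05):
        self.counts = defaultdict(lambda: {"day": 0, "night": 0})
        self.min_history = min_history
        self.alert_below = alert_below

    def learn(self, frame, hour):
        self.counts[command_key(frame)][period(hour)] += 1

    def check(self, frame, hour):
        """Return None when the frame fits its baseline, else an alert."""
        key = command_key(frame)
        stats = self.counts[key]
        total = stats["day"] + stats["night"]
        if total < self.min_history:
            return None  # too little history to judge this command
        now = period(hour)
        if stats[now] / total < self.alert_below:
            return (f"cmd 0x{key[1]:02x} to {key[0]} at {hour:02d}:00 "
                    f"breaks its {now} baseline {stats}")
        return None

def demo():
    """Constructed history: the trip command appeared only at night."""
    mon = TimeOfDayMonitor()
    for _ in range(30):
        mon.learn(TRIP_BREAKER, 23)
    # Same bytes at sunrise (the slides' active-mode case) vs. at night.
    return mon.check(TRIP_BREAKER, 7), mon.check(TRIP_BREAKER, 23)
```

The monitor must take its clock and its history from something the malware cannot rewrite (a separate tap, not the FEP), and commands that are legitimately rare will need a higher `min_history` before they are judged.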

23 Design Advantages
- Little to zero knowledge of the network design and implementation is required
- One-time insertion of the malware, no need for ongoing communications
- Physical impact is likely

24 Drawbacks
- There are always exceptions
  - “We sign all messages” – ~<1%, very modern
  - Unique network architectures
- Prior knowledge of the protocols used will greatly increase the chance of impact, as the “learn mode” will be well defined
- Independent safety controls will alert the operators, and might contain the damage to a certain degree
- Looking for guinea pigs!

25 Recommendations
- Relax
  - Not FUD. It’s not going to happen tomorrow
  - Not to be underestimated though – acknowledged by control center engineers from 3 T&D utilities
- The goal is to increase awareness of the importance of securing your SCADA network

26 Recommendations
- Several potential mitigations
  - Strong authentication of messages between the SCADA server and communication server
  - Field communication solutions
    - Encrypt or digitally sign messages
    - Obfuscation with key swap every X days (Rrushi – S4 2007)
    - Chaffing – switch live/simulation between two FEPs every day
- These solutions address the question – “How do I minimize the damage to my assets, even after my control center is compromised?”
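The whole attack rests on field devices accepting any byte string that was valid yesterday. Signing alone is not enough against a recorded message, so the message authentication recommended above needs a freshness element too. The following is an added illustration, not code from the slides: it assumes a frame layout of a 4-byte counter, the payload, and a 16-byte HMAC-SHA256 tag under a pre-shared key, and shows a recorded night-time frame being rejected at sunrise.

```python
"""Authenticated, replay-resistant field frames (added example, not the
slides' code). Assumed layout: 4-byte big-endian counter | payload | 16-byte
tag, the tag being HMAC-SHA256 over counter+payload with a pre-shared key."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; provision a real key per device
TAG_LEN = 16

def seal(counter, payload, key=KEY):
    """Sender side: bind the payload to a strictly increasing counter."""
    body = struct.pack(">I", counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class FieldDevice:
    """Receiver side: verify the tag first, then reject stale counters."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = -1

    def accept(self, frame):
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or modified frame
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False  # seen before: a replayed recording
        self.last_counter = counter
        return True

def demo():
    """A night-time frame the malware recorded is useless at sunrise."""
    trip = bytes.fromhex("0a07d9083b920baf000b")   # slides' example command
    other = bytes.fromhex("0a07d9083b93010000")    # constructed day command
    rtu = FieldDevice()
    night = seal(1, trip)
    morning = seal(2, other)
    tampered = morning[:5] + bytes([morning[5] ^ 0xFF]) + morning[6:]
    return {
        "live_night": rtu.accept(night),       # True
        "live_morning": rtu.accept(morning),   # True
        "replayed_night": rtu.accept(night),   # False: counter 1 <= 2
        "tampered": rtu.accept(tampered),      # False: tag mismatch
    }
```

Since assumption #4 is that the FEP itself is owned, the key and counter must run end to end from the SCADA server to the field device; a key held on the FEP would simply be used by the malware to sign its replays. The device-side counter also has to survive a restart, or the recorded sequence can be replayed from the beginning after a power cycle.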

27 Summary
- Choose your field protocols with security in mind
- Asset owners – demand quality software, which undergoes an ongoing assessment of its resilience to attack
- And on top of that – prevent control center compromise (assumption #4). Be prepared, audit yourselves!
- “All that is necessary for evil to triumph is for good men to do nothing”
  Edmund Burke, 1770
