Download presentation
Presentation is loading. Please wait.
1
Network Scanning for Discovering Vulnerabilities
ENSDV Enhance Network Scanning for Discovering Vulnerabilities by Raymond Cordova
2
Introduction Emerging Technology
Early-to-market technologies ideal targets for attack Vulnerabilities with wireless and Internet Protocol Nessus scanner - de-facto industry scanner Design, Implementation and Contribution Demonstration Conclusion 9/18/2018 ENSDV / Cordova
3
NIST 800-82 Guide to Industrial Control Systems Security (ICS) [11]
Emerging Technology NIST Guide to Industrial Control Systems Security (ICS) [11] Emerging Technology integrates wireless and Internet with ICS infrastructure Integration introduces all the vulnerabilities and problems of Wireless and the Internet Protocol into ICS [8] [13] Manual vulnerability discovery impossible 9/18/2018 ENSDV / Cordova
4
$8.1 billion stimulus to secure the Smart Grid[10]
Vulnerabilities Common Vulnerability Exploits (CVE) [2] [12] Several production meters identified as vulnerable ignored and used in production[7] $8.1 billion stimulus to secure the Smart Grid[10] “everyone rides when the ship comes in” even TI’s CC2430 u-controller Regulation, Management and Guidelines not to much and not to little 9/18/2018 ENSDV / Cordova
5
Industrial Control Systems
Use of graphic granted by permission from Dr. Edward Chow, UCCS, 2010 [1] 9/18/2018 ENSDV / Cordova
6
Secure the Smart Grid, cont’d
How can the security of the Smart Grid be guaranteed so we do not experience the problems inherent in new designs and implementations, such as those encountered in the Internet? How can distribution engineers and designers mitigate the inherent security vulnerabilities to realize the benefits of “smart” power distribution? How can the stipulations for utilities to have a plan for due diligence in cyber security be regulated and managed? The government stimulus money given to utilities puts them in a powerful position. Smart Meter Implementation Percentages by Country 9/18/2018 ENSDV / Cordova
7
Nessus Vulnerability Scanner
Automatic scanning solution approved by NERC CIP for use with SCADA, AMI/AMR [9] Vulnerability scanning relies on signatures of “known bad things” Compliance checks compare a system against the “known good” Flexible, reliable, robust, open source, customizable, automatic, GUI, CLI, option for safe checks/scans and still it is inadequate Customize plug-ins to enhance operation to resolve inadequacy How can the security of the Smart Grid be guaranteed so we do not experience the problems inherent in new designs and implementations, such as those encountered in the Internet? How can distribution engineers and designers mitigate the inherent security vulnerabilities to realize the benefits of “smart” power distribution? How can the stipulations for utilities to have a plan for due diligence in cyber security be regulated and managed? The government stimulus money given to utilities puts them in a powerful position. 9/18/2018 ENSDV / Cordova
8
Prototype – Difficulties Encountered
First attempted to procure meters and collection points Cost prohibitive, proprietary constraints, minimal support Inaccessible SCADA systems – focus on Servers/Workstations that control ICS, Smart Grids, LANs, WANs, Enterprise Systems No Access to Nessus ProFeed scanner and SCADA plug-ins Nessus Attack Script Language (NASL) [3] new attack language to learn Full functionality disabled in trial versions of HomeFeed “buggy” when creating plug-ins How can the security of the Smart Grid be guaranteed so we do not experience the problems inherent in new designs and implementations, such as those encountered in the Internet? How can distribution engineers and designers mitigate the inherent security vulnerabilities to realize the benefits of “smart” power distribution? How can the stipulations for utilities to have a plan for due diligence in cyber security be regulated and managed? The government stimulus money given to utilities puts them in a powerful position. 9/18/2018 ENSDV / Cordova
9
Prototype – Difficulties Encountered, cont’d
No Access to ProFeed version of the Nessus scanner SCADA plug-ins Established correspondence with Renaud Deraison for a full version of Nessus ProFeed some functionality disabled in trial versions of HomeFeed “buggy” when creating plug-ins SCADA plug-ins pre-compiled as .nbin binary files Unreadable unless reverse engineered Nessus Attack Script Language (NASL) [3] new attack language to learn Create VM environment with Fedora 12, and XP un-patched Create custom 0-day vulnerability plug-in and audit scripts [6] [7] How can the security of the Smart Grid be guaranteed so we do not experience the problems inherent in new designs and implementations, such as those encountered in the Internet? How can distribution engineers and designers mitigate the inherent security vulnerabilities to realize the benefits of “smart” power distribution? How can the stipulations for utilities to have a plan for due diligence in cyber security be regulated and managed? The government stimulus money given to utilities puts them in a powerful position. 9/18/2018 ENSDV / Cordova
10
Nessus Scanner Centralized automatic scanning tool for a variety of Operating Systems HomeFeed (free) and ProFeed (subscription) versions Vulnerability scanning and Compliance checking local or remote Server/Client with GUI or CLI Knowledgebase designed with the idea to use results of scripts in other scans Script Methodology -> write custom script execute only if necessary use other script results by use of dependencies share by saving to KB, upload report results, plug-ins Plug-in written for and scans for only one vulnerability at a time How can the security of the Smart Grid be guaranteed so we do not experience the problems inherent in new designs and implementations, such as those encountered in the Internet? How can distribution engineers and designers mitigate the inherent security vulnerabilities to realize the benefits of “smart” power distribution? How can the stipulations for utilities to have a plan for due diligence in cyber security be regulated and managed? The government stimulus money given to utilities puts them in a powerful position. 9/18/2018 ENSDV / Cordova
11
Methodology Select the target control system , research IDS logs, network anomalies, security bulletins, etc. Develop a baseline “gold” standard for each control system application Perform baseline scan of target system and patch as necessary Develop an enhanced plug-in for any newly indentified vulnerability Develop an enhanced audit compliance check file for new or required configurations Test plug-ins on prototype, lab, or test equipment Perform post “gold” scan of target system and update standard if needed Compare baseline and subsequent scan for discovery of unauthorized changes Repeat process for new systems – rescan for existing systems and compare at scheduled intervals per policy 9/18/2018 ENSDV / Cordova
12
Nessus Remote or Local Scans
How can the security of the Smart Grid be guaranteed so we do not experience the problems inherent in new designs and implementations, such as those encountered in the Internet? How can distribution engineers and designers mitigate the inherent security vulnerabilities to realize the benefits of “smart” power distribution? How can the stipulations for utilities to have a plan for due diligence in cyber security be regulated and managed? The government stimulus money given to utilities puts them in a powerful position. 9/18/2018 ENSDV / Cordova
13
Prototype Layout How can the security of the Smart Grid be guaranteed so we do not experience the problems inherent in new designs and implementations, such as those encountered in the Internet? How can distribution engineers and designers mitigate the inherent security vulnerabilities to realize the benefits of “smart” power distribution? How can the stipulations for utilities to have a plan for due diligence in cyber security be regulated and managed? The government stimulus money given to utilities puts them in a powerful position. 9/18/2018 ENSDV / Cordova
14
Vulnerability Script Structure
Header Section include scripts to be used with nessusd “compat.inc” Description Section register information “script_name(english:" iepeers.dll 0-day vulnerability …“ Attack Section Script code functions port = get_kb_item("Services/ssh"); if(!port)port = 22; Bugtraq ID BID Open Source Vulnerability Database (OSVDB) osvdb.org 9/18/2018 ENSDV / Cordova
15
iepeers_dll_0day.nasl Code excerpts
. . . include("compat.inc"); if (description) { script_id(50003); script_name(english:" iepeers.dll 0-day vulnerability in Internet Explorer versions 6 or 7 "); script_summary(english:"Checks Internet Explorer version for 0-day free-after-use vulnerability."); … script_set_attribute(attribute:"risk_factor", value: "Medium"); script_family(english:"Windows"); script_dependencies("smb_hotfixes.nasl"); script_require_ports(139, 445); } Header Description Attack Script Bugtraq ID BID Open Source Vulnerability Database (OSVDB) osvdb.org 9/18/2018 ENSDV / Cordova
16
Nessus Vulnerability Enhanced Scan Result, cont’d
Run Scan 9/18/2018 ENSDV / Cordova
17
Audit File Script Structure
Check Type Section Define type of check and plugin version <check_type: “Unix”> … </check_type> Custom Item Section Custom script contents <custom_item> type:FILE_CONTENT_CHECK … expect:"PermitRootLogin no" </custom_item> Bugtraq ID BID Open Source Vulnerability Database (OSVDB) osvdb.org 9/18/2018 ENSDV / Cordova
18
<check_type:"Unix> <custom_item> type:FILE_CONTENT_CHECK
FC12 Audit File Script Check Type <check_type:"Unix> <custom_item> type:FILE_CONTENT_CHECK description:"Check if PermitRootLogin is set to no and not commented for server." file:"/etc/ssh/sshd_config" regex:"^ *[^#]*PermitRootLogin *" expect:"PermitRootLogin no" </custom_item> </check_type> Custom Item Run Scan Closing Tags 9/18/2018 ENSDV / Cordova
19
Nessus Audit Enhanced Scan Result, cont’d
Run Scan 9/18/2018 ENSDV / Cordova
20
Scan Results of ISSG lab subnets 60 and 62
Run Scan 9/18/2018 ENSDV / Cordova
21
versions 3 and later do not exhibit this vulnerability
Future Work Continue meaningful research in the lab setup of MPS2530 controllers with Nessus Research compiler and interpreter for .nbin script development for Smart Grid applications Possible creation of custom plug-ins to check the ZigBee stack version for Pseudo Random Number Generator (PRNG) vulnerability versions 3 and later do not exhibit this vulnerability 9/18/2018 ENSDV / Cordova
22
Conclusion Emerging Technology presents many opportunities, both good and bad Methodology to enhance network scanning used to discover vulnerabilities Nessus Profeed an excellent candidate for an automated enhanced vulnerability and compliance scanning tool solution NASL language used to “attack” the systems with a scan Many difficulties encountered, mostly a problem with no access to SCADA systems 9/18/2018 ENSDV / Cordova
23
References 9/18/2018 ENSDV / Cordova
[1] Chow, Edward Dr., Graphic use granted by permission of Dr. Edward Chow at UCCS website [2] Common Vulnerabilities and Exposures (CVE) [3] Deraison, Renaud, Reference Manual for Nessus Attack Scripting Language, Version 1.4.0, Manual at website at [4] Digital Bond research project with example audit files. [5] Guide to Industrial Control Systems (ICS) Security, Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) [6] Information on 0-day vulnerability discovered in the wild March [[7] Information on 0-day vulnerability discovered in the wild March 2010. [8] Journal of Energy Security, Making a Secure Smart Grid a Reality, Sub-paragraph, Weaknesses in the Smart Grid, p. 3-7, October com_content&view=article&id= 218:making-a-secure-smart-grid-a-reality&catid=100:issuecontent&Itemid=352 [9] NERC approval of Nessus Scanner [10]Smart Grid Stimulus Funding Revealed!, p.3, October [11] Stouffer,Keith and Falco, Joe and Scarfone, Karen Final Public Draft, Special Publication , Recommendations of the National Institute of Standards and Technology, Guide to Industrial Control Systems (ICS) Security [12] Weiss, Joseph, “Current Status of Cyber Security of Control Systems”, Testimony of Joseph M. Weiss Control Systems Cyber Security Expert before the Committee on Commerce, Science, and Transportation U.S. Senate March 19, 2009. 9/18/2018 ENSDV / Cordova
24
Questions ? ? 9/18/2018 ENSDV / Cordova
25
Nessus Scanner Windows 7 Scan Report
Plug-in output Plug-in Output Bugtraq ID BID Open Source Vulnerability Database (OSVDB) osvdb.org 9/18/2018 ENSDV / Cordova
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.