380 likes | 389 Views
Control Systems Under Attack !!?. …about the Need for Industrial Cyber-Security. Dr. Stefan L üders (CERN IT/CO) 5 ème Journées Informatiques de l’IN2P3 et du DAPNIA September 20 th 2006. 1. The Fact: Controls goes IT. 2. The Risk: CERN's Control Systems.
E N D
Control SystemsUnder Attack !!? …about the Need forIndustrial Cyber-Security Dr. Stefan Lüders (CERN IT/CO)5èmeJournées Informatiques de l’IN2P3 et du DAPNIA September 20th 2006
1. The Fact: Controls goes IT 2. The Risk: CERN's Control Systems 3. The Problem: Failing Vulnerability Scans 4. The Mitigation: Defense-In-Depth
Zombies Higher IRC Based AttackingControls Root Kits BOT nets Denial of Service Zero Day Exploits Packet Spoofing Worms Back Doors Automated Probes/Scans Disabling Audits Viruses War Dialing Hijacking Sessions Sniffers Exploiting Known Vulnerabilities Password Cracking Password Guessing Lower 1980 1985 1990 1995 2000 20052010 Cyber Threats ─ Today’s Peril Era of Modern Information Technology(“From Top-Floor to Shop-Floor”) Transition Phase (“Controls goes IT”) Intruder Knowledge /Attack Sophistication Control Systems: Era of Legacy Technology (“Security through Obscurity”) Common Standards /Interconnectivity
Controls Goes IT • Controls networks mate campus / business networks • Proprietary field busses replaced by Ethernet & TCP/IP • Field devices connect to Ethernet & TCP/IP • Real time applications based on TCP/IP • VPN connections from the outside onto the controls network • Use of IT protocols & gadgets • SNMP, SMTP, FTP, Telnet, HTTP (WWW), … • Wireless LAN, notebooks, USB sticks, webcams, … • Migration to the Microsoft Windows platform • MS Windows not designed for industrial / control systems • OPC/DCOM runs on port 135 (heavily used for RPC)
Threats due to Technique • Poorly secured systems are being targeted • Unpatched systems, OS & applications • Missing anti-virus software or old virus signature files • No firewall protection • Worms are spreading within seconds • Zero Day Exploits: security holes without patches • Break-ins occur before patch and/or anti-virus signature available • …but how to patch/update control / engineering PCs ? • …what about anti-virus software & local firewalls ?
Threats due to People • Passwords are known to several (many?) people • No traceability, ergo no responsibility • People are increasingly the weakest link • Use of weak passwords • Infected notebooks are physically carried on site • Users download malware and open “tricked” attachments • Missing/default/weak passwords in applications • …but how to handle Operator accounts ? • …what about password rules ?
System Life-Cycle 3 – 5 yrs. 5 – 20 yrs. Availability breaks if scheduled OK 24 / 7 / 365 Confidentiality high low Time Criticality delays tolerated critical Security Skills& Awareness good usually poor Patching frequent slow or impossible Changes rare, informal not always coordinated frequent, formal & coordinated Automated Tools widely used limited; used with care “Controls” Is Not “IT” ! “Office-IT” Controls
220-<<<<<<>==< Haxed by A¦0n3 >==<>>>>>> 220- ¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸ 220-/ 220-| Welcome to this fine str0 220-| Today is: Thursday 12 January, 2006 220-| 220-| Current througput: 0.000 Kb/sec 220-| Space For Rent: 5858.57 Mb 220-| 220-| Running: 0 days, 10 hours, 31 min. and 31 sec. 220-| Users Connected : 1 Total : 15 220-| • ^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^ 2000: Ex-Employee hacks “wirelessly” 46 times into sewage plant and spills basement of Hyatt Regency hotel. 2004: IT intervention, hardware failure and use of ISO protocol stopped SM18 magnet test stand for 24h. 2003: The “Slammer” worm disables safety monitoring system of the Davis-Besse nuclear power plant for 5h. 2006: Hacked oscilloscope at CERN (running Win XP SP2) 2005: DoS (70”) stopped manual control Aware or Paranoid ? 2003/08/11: W32.Blaster.Worm
1. The Fact: Controls goes IT 2. The Risk: CERN's Control Systems
Steer a beam of85 kg TNT througha 3mm hole 10000 times per second ! Beam Bunch Beam Orbit Vacuum Cryogenics Quench Protection Beam Position Timing Facility Management Cooling & Ventilation Radio Frequency Pre-Accelerators Beam Dump Access Control Safety Radiation Monitoring Electricity Alarmhandling Machine Protection Proton 50 - 150m World’s largest superconducting installation (27km @ 1.9°K)worth 2B€ The “Large Hadron Collider”
About 100 million data channels 2000 members of151 institutions from34 countries Run Control Experiment Triggering Data Acquisition (Sub-)Detectors The “ATLAS” Experiment The ATLAS Experiment7000 tonsØ22m × 43m 500M€ pure hardware http://atlas.ch
About one million control channels Safety Gas Distribution Smoke Radiation Cooling & Ventilation Magnet Cryogenics Sniffer High Voltage Electricity Control Systems for Experiments The CMS Experiment500M€ pure hardware 12500 tons, Ø15m × 22m http://cmsinfo.cern.ch
standarddesktop PCs Standards, if possible ! ► Common of the shelf hardware ► Standard (controls) software ► Standard communication protocols
► Complex, expensive & unique ► Highly interconnected & interdependend ► Very high external bandwidth ► Large external user community Concerned about Cyber-Security ► High number of control systems ► COTS & standards where possible ► The GRID: World Wide Processing
1. The Fact: Controls goes IT 2. The Risk: CERN's Control Systems 3. The Problem: Failing Vulnerability Scans
Going for the "low hanging fruits" ! • Running “Nessus” vulnerability scan(used in Office-IT) • Running “Netwox” DoS attackwith random fragments • Running “Ethereal” network sniffer The TOCSSiC • COTS automation systems arewithout security protections • Programmable Logic Controllers (PLCs),field devices, power supplies, … • Security not integrated into their designs • Creation of theTeststand On Controls System Security at CERN (TOCSSiC)
Control Systems under Attack ! • 28 devices from 7 different manufacturers (51 tests in total) • All devices fully configured but running idle • …PLCs under load seem to fail even more likely !!! • …results improve with more recent firmware versions
2005: DoS (70”) stopped manual control TOCSSiC Findings (1) • The device crashed… • Sending specially crafted IP packetscauses the TCP/IP fragmentationre-assembly code to……improperly handle overlapping IP fragments (“Nestea” attack) …loose network connectivity (Linux “zero length fragment” bug) • Sending continuous stream of extremely large and incorrectfragmented IP packets lead to consumption of all CPU resources(“jolt2” DoS attack) • Sending special malformed packets (“oshare” attack) • …violation of TCP/IP standards !!!
TOCSSiC Findings (2) • FTP server crashed • Sending a too long command or argument • Issuing a “CEL aaa…aaa” command (VxWorks) • FTP server allows to connect to third party hosts(i.e. provides anattacker platform) • FTP server allows anonymous login • Telnet server crashed • After flooding it with “^D” characters • Sending a too long user name • Sending too many “Are you there ?” commands • …both are legacy protocols w/o encryption !
TOCSSiC Findings (3) • HTTP server crashed • Requesting a URL with too many characters(e.g. “http://<IP>/cgi-bin/aaa…aaa” or “http://<IP>/jsp/aaa...aaa”) • Using up all resources (“WWW infinite request” attack) • HTTP server directory available • Using “http://<IP>/../..” GET request (directory traversal) • …who needs web servers & e-mailing on PLCs ? • ModBus server crashed by scanning port 502 • …protocols are well documented (“Google hacking”) !
TOCSSiC Findings (4) • PLCs are unprotected • Can be stopped w/o problems (needs just a bit “googling”) • Passwords are not encrypted • PLC might even come without authorization schemes • …authorization, data integrity checks and encryption • must become mandatory ! • PLCs are really unprotected • Services (HTTP, SMTP, FTP, Telnet, …) can not be disabled • Neither local firewall nor antivirus software • … lock the configuration down by default ! • Fixed SNMP community names “public” & “private” • …community names must be changeable !
Scripts Rules Policy Honeyd Snort Tripwire Scientific Linux CERN 3 SCADA Honeynet Project • Demonstrating the existence of the risk • Vulnerabilities already proven by e.g. TOCSSiC • …threats have not been demonstrated (yet)… • Understanding of mal-traffic on CERN’s network • Simulating two brands of PLCs • Using Honeyd • Strengthening the box • Recording of all traffic • Periodic file checks chroot • Daily reports
FTP (login only) FTP (tcp 21) FTP (tcp 21) • Telnet (login only) Telnet (tcp 23) • HTTP(identical functionalities asreal PLC web server, incl.directory traversal vulnerability) HTTP (tcp 80) HTTP (tcp 80) • Siemens S7(“read”, “write”, “switch on/off”) S7 (tcp 102) • SNMP(values cloned from real PLC) SNMP (udp 161) • Modbus(all functions memory-persistent) Modbus (tcp 502) Honeyd Simulation Scripts • Nmap signature PLC #1 PLC #1
(No) Results so far… • Nov. 2005:4 pots (à two PLCs) deployed inside CERN • Only observation: the usual “slight fever” on CERN’s campus network • 3 pots deployed on controls network • No interactions observed • Mar. 2006:3 pots visible on ports 102/tcp & 502/tcp from the Internet • Lots of “noise” observed, e.g. SSH scans, but nothing on 102 nor 502 ►No dedicated interaction with honeynet so far...
Panic or Don’t Panic ? ► Controls goes IT... ► ...but COTS automation systems are without security protections. ► CERN has started to follow up with vendors, government bodies & research. ► However: No proof-of-attack, yet, at CERN !
1. The Fact: Controls goes IT 2. The Risk: CERN's Control Systems 3. The Problem: Failing Vulnerability Scans 4. The Mitigation: Defence-In-Depth
Defense-In-Depth • “Defence-in-Depth” means security on each layer ! • …the security of the device itself, • …the firmware and operating system, • …the network connections & protocols, • …the software applications (e.g. PLC programming software), • …third party software, and • …users, developers & operators • Manufacturers and vendors are part of the solution ! • Security demands should be included into orders and call for tenders "Controls goes IT" ― also for 'Industrial Security' !!!
(Too?) Many Standards, Guidelines, … • “Security for Manufacturing and Control Systems”“Integrating Electronic Security into Manufacturing…” (American National Standards Institute & Int'l Society for Measurement and Control)(ANSI/ISA SP99 TR1 & TR2) • “Code of Practice for Information Security Management”(Int'l Organization for Standardization / Int'l Electrotechnical Commission / British Standard)(ISO/IEC 17799:2005, BS7799, ISO27000) • Common Criteria (ISO/IEC 15408) • “System Protection Profile for Industrial Control Systems”(U.S. National Institute of Standards and Technology NIST) • “Cyber-Security Vulnerability Assessment Methodology Guidance”(U.S. Chemical Industry Data Exchange CIDX) • “Good Automated Manufacturing Practices: Guideline for Automated System Security” (Int’l Society for Pharmaceutical Engineering ISPE) • NERC standards (North American Electric Reliability Council) • AGA standards (American Gas Association)
Ground Rules for Cyber-Security • Use centrally managed systems wherever possible • Ensure prompt security updates:applications, anti-virus,OS,etc. • Separate controls andcampus networks • Reduce and controlinter-communication • Deploy IDS • Apply policy forremote access • Deploy proper • access control • Use strongauthentication and sufficient logging • Ensure traceability of access(who, when, and from where) • Passwords must be kept secret: beware of “Google Hacking” • Make security • an objective • Raise awareness in the User community
Network Segregation • Campus network for desktop computing • Controls networks / domains • Domain Manager withtechnical responsibility • Authorization procedure fornew connections • Only operational devices, but neither laptops nor wireless • Additional protection for PLCs, etc. • Network monitoring • Statistics & intrusion detection • Disconnection if threat for others • Restricted cross-communication • Filter traffic (firewall or ACLs) • Use application gateways or a DMZ
Restricted Cross-Communication • Remote interactive access from “outside” • Using (Windows) Terminal Servers • “outside” means “office”, “home”, “wireless” • Methods to access controls applications • Methods to access local control PCs • Interactive access to the “outside” • Rules for web-browsing,automatic e-mails, file transfer, etc. • “Fat-Pipe” data transfer to IT/Tier0 • Essential services are “trusted” • DNS, NTP, Oracle, data storage, …
Central Software Installation 220-<<<<<<>==< Haxed by A¦0n3 >==<>>>>>> 220- ¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸ 220-/ 220-| Welcome to this fine str0 220-| Today is: Thursday 12 January, 2006 220-| 220-| Current througput: 0.000 Kb/sec 220-| Space For Rent: 5858.57 Mb 220-| 220-| Running: 0 days, 10 hours, 31 min. and 31 sec. 220-| Users Connected : 1 Total : 15 220-| • ^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^ "Poorly secured systems are being targeted." • User-driven PC management • Pass flexibility and responsibility to the User • (S)HE decides WHEN to install WHAT on WHICH control PCs(instead of the IT department) • IT will send out email notifications of new patches to be installed • (S)HE has to ensure security • However, PCs might be blocked if threat for others • Implementations for • Windows XP, Windows Server (web-based interface) • CERN Scientific Linux 3/4/5 (terminal-based) using
CERN Computer Management • Install… • Centrally managed OS & SW • User applications • Automatically &network-based • On many PCs in parallel • Configure… • Look & Feel • Access rights & restrictions • Full remote control of… • Configuring • Installation • Patching • Rebooting • … this works even for oscilloscopes !!!
Policies on Access Control • However, still problematic areas • User privileges in commercial controls applications • Security of OPC "People are increasingly the weakest link." • No emailing on the controls networks • Strategy for operator accounts • Role Based Access Control • User credentials for authentication • Role assignment for authorization • Dependent on accelerator status • Strict rules for remote access
Raising User Awareness • Awareness raising • Campaigns to inform Users of control systems about ‘Industrial Security’ • At CERN and in the HEP community • Interaction with vendors of control systems • Discussion on the TOCSSiC results and their mitigation • Discussions on“Requirements for theCyber-Security of Control Systems” • Dialog with other Users, researchers, and government bodies
Do you want to act BEFORE or AFTER the incident ? Controls Systems move towards IT-based solutions. The control systems of the LHC are complex, expensive & unique. COTS Automation Systems are without security protections. A Defence-In-Depth approach offers 100%-ε mitigation. Summary
1973 1979 1970 Merci beaucoup !!! 1992 1982 1986 2008? 2000 1995 2001 Nature is beautiful !!!