1 / 38

Control Systems Under Attack !!?

Control Systems Under Attack !!?. …about the Need for Industrial Cyber-Security. Dr. Stefan L üders (CERN IT/CO) 5 ème Journées Informatiques de l’IN2P3 et du DAPNIA September 20 th 2006. 1. The Fact: Controls goes IT. 2. The Risk: CERN's Control Systems.

hollisl
Download Presentation

Control Systems Under Attack !!?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Control SystemsUnder Attack !!? …about the Need forIndustrial Cyber-Security Dr. Stefan Lüders (CERN IT/CO)5èmeJournées Informatiques de l’IN2P3 et du DAPNIA September 20th 2006

  2. 1. The Fact: Controls goes IT 2. The Risk: CERN's Control Systems 3. The Problem: Failing Vulnerability Scans 4. The Mitigation: Defense-In-Depth

  3. Zombies Higher IRC Based AttackingControls Root Kits BOT nets Denial of Service Zero Day Exploits Packet Spoofing Worms Back Doors Automated Probes/Scans Disabling Audits Viruses War Dialing Hijacking Sessions Sniffers Exploiting Known Vulnerabilities Password Cracking Password Guessing Lower 1980 1985 1990 1995 2000 20052010 Cyber Threats ─ Today’s Peril Era of Modern Information Technology(“From Top-Floor to Shop-Floor”) Transition Phase (“Controls goes IT”) Intruder Knowledge /Attack Sophistication Control Systems: Era of Legacy Technology (“Security through Obscurity”) Common Standards /Interconnectivity

  4. Controls Goes IT • Controls networks mate campus / business networks • Proprietary field busses replaced by Ethernet & TCP/IP • Field devices connect to Ethernet & TCP/IP • Real time applications based on TCP/IP • VPN connections from the outside onto the controls network • Use of IT protocols & gadgets • SNMP, SMTP, FTP, Telnet, HTTP (WWW), … • Wireless LAN, notebooks, USB sticks, webcams, … • Migration to the Microsoft Windows platform • MS Windows not designed for industrial / control systems • OPC/DCOM runs on port 135 (heavily used for RPC)

  5. Threats due to Technique • Poorly secured systems are being targeted • Unpatched systems, OS & applications • Missing anti-virus software or old virus signature files • No firewall protection • Worms are spreading within seconds • Zero Day Exploits: security holes without patches • Break-ins occur before patch and/or anti-virus signature available • …but how to patch/update control / engineering PCs ? • …what about anti-virus software & local firewalls ?

  6. Threats due to People • Passwords are known to several (many?) people • No traceability, ergo no responsibility • People are increasingly the weakest link • Use of weak passwords • Infected notebooks are physically carried on site • Users download malware and open “tricked” attachments • Missing/default/weak passwords in applications • …but how to handle Operator accounts ? • …what about password rules ?

  7. System Life-Cycle 3 – 5 yrs. 5 – 20 yrs. Availability breaks if scheduled OK 24 / 7 / 365 Confidentiality high low Time Criticality delays tolerated critical Security Skills& Awareness good usually poor Patching frequent slow or impossible Changes rare, informal not always coordinated frequent, formal & coordinated Automated Tools widely used limited; used with care “Controls” Is Not “IT” ! “Office-IT” Controls

  8. 220-<<<<<<>==< Haxed by A¦0n3 >==<>>>>>> 220- ¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸ 220-/ 220-| Welcome to this fine str0 220-| Today is: Thursday 12 January, 2006 220-| 220-| Current througput: 0.000 Kb/sec 220-| Space For Rent: 5858.57 Mb 220-| 220-| Running: 0 days, 10 hours, 31 min. and 31 sec. 220-| Users Connected : 1 Total : 15 220-| • ^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^ 2000: Ex-Employee hacks “wirelessly” 46 times into sewage plant and spills basement of Hyatt Regency hotel. 2004: IT intervention, hardware failure and use of ISO protocol stopped SM18 magnet test stand for 24h. 2003: The “Slammer” worm disables safety monitoring system of the Davis-Besse nuclear power plant for 5h. 2006: Hacked oscilloscope at CERN (running Win XP SP2) 2005: DoS (70”) stopped manual control Aware or Paranoid ? 2003/08/11: W32.Blaster.Worm

  9. 1. The Fact: Controls goes IT 2. The Risk: CERN's Control Systems

  10. Steer a beam of85 kg TNT througha 3mm hole 10000 times per second ! Beam Bunch Beam Orbit Vacuum Cryogenics Quench Protection Beam Position Timing Facility Management Cooling & Ventilation Radio Frequency Pre-Accelerators Beam Dump Access Control Safety Radiation Monitoring Electricity Alarmhandling Machine Protection Proton 50 - 150m World’s largest superconducting installation (27km @ 1.9°K)worth 2B€ The “Large Hadron Collider”

  11. About 100 million data channels 2000 members of151 institutions from34 countries Run Control Experiment Triggering Data Acquisition (Sub-)Detectors The “ATLAS” Experiment The ATLAS Experiment7000 tonsØ22m × 43m 500M€ pure hardware http://atlas.ch

  12. About one million control channels Safety Gas Distribution Smoke Radiation Cooling & Ventilation Magnet Cryogenics Sniffer High Voltage Electricity Control Systems for Experiments The CMS Experiment500M€ pure hardware 12500 tons, Ø15m × 22m http://cmsinfo.cern.ch

  13. standarddesktop PCs Standards, if possible ! ► Common of the shelf hardware ► Standard (controls) software ► Standard communication protocols

  14. ► Complex, expensive & unique ► Highly interconnected & interdependend ► Very high external bandwidth ► Large external user community Concerned about Cyber-Security ► High number of control systems ► COTS & standards where possible ► The GRID: World Wide Processing

  15. 1. The Fact: Controls goes IT 2. The Risk: CERN's Control Systems 3. The Problem: Failing Vulnerability Scans

  16. Going for the "low hanging fruits" ! • Running “Nessus” vulnerability scan(used in Office-IT) • Running “Netwox” DoS attackwith random fragments • Running “Ethereal” network sniffer The TOCSSiC • COTS automation systems arewithout security protections • Programmable Logic Controllers (PLCs),field devices, power supplies, … • Security not integrated into their designs • Creation of theTeststand On Controls System Security at CERN (TOCSSiC)

  17. Control Systems under Attack ! • 28 devices from 7 different manufacturers (51 tests in total) • All devices fully configured but running idle • …PLCs under load seem to fail even more likely !!! • …results improve with more recent firmware versions 

  18. 2005: DoS (70”) stopped manual control TOCSSiC Findings (1) • The device crashed… • Sending specially crafted IP packetscauses the TCP/IP fragmentationre-assembly code to……improperly handle overlapping IP fragments (“Nestea” attack) …loose network connectivity (Linux “zero length fragment” bug) • Sending continuous stream of extremely large and incorrectfragmented IP packets lead to consumption of all CPU resources(“jolt2” DoS attack) • Sending special malformed packets (“oshare” attack) • …violation of TCP/IP standards !!!

  19. TOCSSiC Findings (2) • FTP server crashed • Sending a too long command or argument • Issuing a “CEL aaa…aaa” command (VxWorks) • FTP server allows to connect to third party hosts(i.e. provides anattacker platform) • FTP server allows anonymous login • Telnet server crashed • After flooding it with “^D” characters • Sending a too long user name • Sending too many “Are you there ?” commands • …both are legacy protocols w/o encryption !

  20. TOCSSiC Findings (3) • HTTP server crashed • Requesting a URL with too many characters(e.g. “http://<IP>/cgi-bin/aaa…aaa” or “http://<IP>/jsp/aaa...aaa”) • Using up all resources (“WWW infinite request” attack) • HTTP server directory available • Using “http://<IP>/../..” GET request (directory traversal) • …who needs web servers & e-mailing on PLCs ? • ModBus server crashed by scanning port 502 • …protocols are well documented (“Google hacking”) !

  21. TOCSSiC Findings (4) • PLCs are unprotected • Can be stopped w/o problems (needs just a bit “googling”) • Passwords are not encrypted • PLC might even come without authorization schemes • …authorization, data integrity checks and encryption • must become mandatory ! • PLCs are really unprotected • Services (HTTP, SMTP, FTP, Telnet, …) can not be disabled • Neither local firewall nor antivirus software • … lock the configuration down by default ! • Fixed SNMP community names “public” & “private” • …community names must be changeable !

  22. So what...?

  23. Scripts Rules Policy Honeyd Snort Tripwire Scientific Linux CERN 3 SCADA Honeynet Project • Demonstrating the existence of the risk • Vulnerabilities already proven by e.g. TOCSSiC • …threats have not been demonstrated (yet)… • Understanding of mal-traffic on CERN’s network • Simulating two brands of PLCs • Using Honeyd • Strengthening the box • Recording of all traffic • Periodic file checks chroot • Daily reports

  24. FTP (login only) FTP (tcp 21) FTP (tcp 21) • Telnet (login only) Telnet (tcp 23) • HTTP(identical functionalities asreal PLC web server, incl.directory traversal vulnerability) HTTP (tcp 80) HTTP (tcp 80) • Siemens S7(“read”, “write”, “switch on/off”) S7 (tcp 102) • SNMP(values cloned from real PLC) SNMP (udp 161) • Modbus(all functions memory-persistent) Modbus (tcp 502) Honeyd Simulation Scripts • Nmap signature PLC #1 PLC #1

  25. (No) Results so far… • Nov. 2005:4 pots (à two PLCs) deployed inside CERN • Only observation: the usual “slight fever” on CERN’s campus network • 3 pots deployed on controls network • No interactions observed  • Mar. 2006:3 pots visible on ports 102/tcp & 502/tcp from the Internet • Lots of “noise” observed, e.g. SSH scans, but nothing on 102 nor 502 ►No dedicated interaction with honeynet so far...

  26. Panic or Don’t Panic ? ► Controls goes IT... ► ...but COTS automation systems are without security protections. ► CERN has started to follow up with vendors, government bodies & research. ► However: No proof-of-attack, yet, at CERN !

  27. 1. The Fact: Controls goes IT 2. The Risk: CERN's Control Systems 3. The Problem: Failing Vulnerability Scans 4. The Mitigation: Defence-In-Depth

  28. Defense-In-Depth • “Defence-in-Depth” means security on each layer ! • …the security of the device itself, • …the firmware and operating system, • …the network connections & protocols, • …the software applications (e.g. PLC programming software), • …third party software, and • …users, developers & operators • Manufacturers and vendors are part of the solution ! • Security demands should be included into orders and call for tenders "Controls goes IT" ― also for 'Industrial Security' !!!

  29. (Too?) Many Standards, Guidelines, … • “Security for Manufacturing and Control Systems”“Integrating Electronic Security into Manufacturing…” (American National Standards Institute & Int'l Society for Measurement and Control)(ANSI/ISA SP99 TR1 & TR2) • “Code of Practice for Information Security Management”(Int'l Organization for Standardization / Int'l Electrotechnical Commission / British Standard)(ISO/IEC 17799:2005, BS7799, ISO27000) • Common Criteria (ISO/IEC 15408) • “System Protection Profile for Industrial Control Systems”(U.S. National Institute of Standards and Technology NIST) • “Cyber-Security Vulnerability Assessment Methodology Guidance”(U.S. Chemical Industry Data Exchange CIDX) • “Good Automated Manufacturing Practices: Guideline for Automated System Security” (Int’l Society for Pharmaceutical Engineering ISPE) • NERC standards (North American Electric Reliability Council) • AGA standards (American Gas Association)

  30. Ground Rules for Cyber-Security • Use centrally managed systems wherever possible • Ensure prompt security updates:applications, anti-virus,OS,etc. • Separate controls andcampus networks • Reduce and controlinter-communication • Deploy IDS • Apply policy forremote access • Deploy proper • access control • Use strongauthentication and sufficient logging • Ensure traceability of access(who, when, and from where) • Passwords must be kept secret: beware of “Google Hacking” • Make security • an objective • Raise awareness in the User community

  31. Network Segregation • Campus network for desktop computing • Controls networks / domains • Domain Manager withtechnical responsibility • Authorization procedure fornew connections • Only operational devices, but neither laptops nor wireless • Additional protection for PLCs, etc. • Network monitoring • Statistics & intrusion detection • Disconnection if threat for others • Restricted cross-communication • Filter traffic (firewall or ACLs) • Use application gateways or a DMZ

  32. Restricted Cross-Communication • Remote interactive access from “outside” • Using (Windows) Terminal Servers • “outside” means “office”, “home”, “wireless” • Methods to access controls applications • Methods to access local control PCs • Interactive access to the “outside” • Rules for web-browsing,automatic e-mails, file transfer, etc. • “Fat-Pipe” data transfer to IT/Tier0 • Essential services are “trusted” • DNS, NTP, Oracle, data storage, …

  33. Central Software Installation 220-<<<<<<>==< Haxed by A¦0n3 >==<>>>>>> 220- ¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸ 220-/ 220-| Welcome to this fine str0 220-| Today is: Thursday 12 January, 2006 220-| 220-| Current througput: 0.000 Kb/sec 220-| Space For Rent: 5858.57 Mb 220-| 220-| Running: 0 days, 10 hours, 31 min. and 31 sec. 220-| Users Connected : 1 Total : 15 220-| • ^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^ "Poorly secured systems are being targeted." • User-driven PC management • Pass flexibility and responsibility to the User • (S)HE decides WHEN to install WHAT on WHICH control PCs(instead of the IT department) • IT will send out email notifications of new patches to be installed • (S)HE has to ensure security • However, PCs might be blocked if threat for others • Implementations for • Windows XP, Windows Server (web-based interface) • CERN Scientific Linux 3/4/5 (terminal-based) using

  34. CERN Computer Management • Install… • Centrally managed OS & SW • User applications • Automatically &network-based • On many PCs in parallel • Configure… • Look & Feel • Access rights & restrictions • Full remote control of… • Configuring • Installation • Patching • Rebooting • … this works even for oscilloscopes !!!

  35. Policies on Access Control • However, still problematic areas • User privileges in commercial controls applications • Security of OPC "People are increasingly the weakest link." • No emailing on the controls networks • Strategy for operator accounts • Role Based Access Control • User credentials for authentication • Role assignment for authorization • Dependent on accelerator status • Strict rules for remote access

  36. Raising User Awareness • Awareness raising • Campaigns to inform Users of control systems about ‘Industrial Security’ • At CERN and in the HEP community • Interaction with vendors of control systems • Discussion on the TOCSSiC results and their mitigation • Discussions on“Requirements for theCyber-Security of Control Systems” • Dialog with other Users, researchers, and government bodies

  37. Do you want to act BEFORE or AFTER the incident ? Controls Systems move towards IT-based solutions. The control systems of the LHC are complex, expensive & unique. COTS Automation Systems are without security protections. A Defence-In-Depth approach offers 100%-ε mitigation. Summary

  38. 1973 1979 1970 Merci beaucoup !!! 1992 1982 1986 2008? 2000 1995 2001 Nature is beautiful !!!

More Related