1 / 46

Vulnerability Analysis of 2013 SCADA issues  Amol Sarwate Director of Vulnerability Labs, Qualys Inc.

Vulnerability Analysis of 2013 SCADA issues  Amol Sarwate Director of Vulnerability Labs, Qualys Inc. Agenda. SCADA components 2013 Vulnerability Analysis Recommendations and Proposals. SCADA DCS ICS. A ccidents. liquid pipeline failures

louie
Download Presentation

Vulnerability Analysis of 2013 SCADA issues  Amol Sarwate Director of Vulnerability Labs, Qualys Inc.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Vulnerability Analysis of 2013 SCADA issues  AmolSarwate Director of Vulnerability Labs, Qualys Inc.

  2. Agenda SCADA components 2013 Vulnerability Analysis Recommendations and Proposals

  3. SCADA DCS ICS

  4. Accidents • liquid pipeline failures • http://www.ntsb.gov/doclib/safetystudies/SS0502.pdf • power failures • http://www.nerc.com/docs/docs/blackout/Status_Report_081104.pdf • other accidents • http://en.wikipedia.org/wiki/List_of_industrial_disasters

  5. Vandalism • vandals destroy insulators • http://www.bpa.gov/corporate/BPAnews/archive • /2002/NewsRelease.cfm?ReleaseNo=297

  6. Insider • disgruntle employee • http://www.theregister.co.uk/2001/10/31 • /hacker_jailed_for_revenge_sewage/

  7. APT • terrorism or espionage • http://www.symantec.com/content/en/us/enterprise/ • media/security_response/whitepapers/w32_duqu_ • the_precursor_to_the_next_stuxnet.pdf

  8. 2009 - 2013 SCADA Vulnerabilities (estimate)

  9. Components Remote Master • Sensors • Meters • Field Devices • Protocols • FEP • Wired • Wireless • PLC • IED • RTU • HMI • DCS • SCADA I/O Communication Field Control Center

  10. Acquisition • Convert parameters like light, temperature, pressure or flow to analog signals

  11. Conversion • Converts analog and discrete measurements to digital information

  12. Communication • Front end processors (FEP) and protocols • Wired or wireless communication

  13. Presentation & Control • Control, monitor and alarming using human machine interface (HMI)

  14. 2013 Vulnerabilities by category

  15. Acquisition • Requires physical access • Field equipment does not contain process information • Information like valve 16 or breaker 9B • Without process knowledge leads to nuisance disruption 0% 11% 22% 66%

  16. Emerson ROC800 Vulnerabilities • CVE-2013-0693: Network beacon broadcasts allows detection • CVE-2013-0692: OSE Debug port service • CVE-2013-0694: Hardcode accounts with passwords • Access: AV:N, AC:L, Au:N • Impact: C:C, I:C, A:C • Patch available from Emerson 0% 11% 22% 66%

  17. Siemens CP 1604 / 1616 Interface Card Vulnerability • Siemens security advisory: SSA-628113 • CVE- 2013-0659: Open Debugging Port in CP 1604/1616 • UDP port 17185 • Access: AV:N, AC:L, Au:N • Impact: C:C, I:C, A:C • Patch available from Siemens 0% 11% 22% 66%

  18. Communication 0% 11% 22% 66%

  19. ModBus Vulnerabilities • CVE-2013-2784: Triangle Research Nano-10 PLC Crafted Packet Handling Remote DoS • CVE-2013-0699: Galil RIO-47100 PLC Crafted Modbus Packet Handling Remote DoS • RBS­-2013-­003: Schneider Electric Multiple Modbus MBAP DoS and RCE Nano-10 PLC RIO-47100 PLC 0% 11% 22% 66%

  20. DNP Vulnerabilities • CVE-2013-2791: MatrikonOPCServer DNP3 Packet Handling buffer overflow • CVE-2013-2798: Schweitzer Real-Time Automation Controllers (RTAC) Local DoS • CVE-2013-2788: SUBNET SubSTATIONServer DNP3 Outstation Slave Remote DoS • CVE-2013-2783: IOServerDNP3 Packet Handling Infinite Loop Schweitzer RTAC Matrikon OPC Server IOServer 0% 11% 22% 66%

  21. Security Analysis of SCADA protocols Modbus and DNP free tool: http://code.google.com/p/scadascan/ 0% 11% 22% 66%

  22. SSH, FTP, TFTP, IGMP, SNMP • CVE-2013-0137: Monroe Electronics Default root SSHKey Remote Access • CVE-2012-4697: TURCK BL20 / BL67 FTP Service Hardcoded Admin Credentials • CVE-2013-2800: OSIsoft PI Interface for IEEE C37.118 Memory Corruption • CVE-2013-0689: Emerson RTU TFTPServer File Upload Arbitrary Code Execution • CVE-2013-3634: Siemens Scalance X200 IRT SNMPCommand Execution • Korenix Multiple JetNet Switches TFTP Server Arbitrary File Creation • RuggedComROX-II IGMP Packet Saturation RSTP BPDU Prioritization Weakness • Korenix Multiple JetNet Switches SSL / SSH Hardcoded Private Keys 0% 11% 22% 66%

  23. Presentation & Control 0% 11% 22% 66%

  24. Presentation & Control • CVE-2013-2299: Advantech WebAccess /broadWeb/include/gAddNew.aspXSS • CVE-2013-0684: Invensys Wonderware Information Server (WIS) SQL Injection • CVE-2013-3927: Siemens COMOS Client Library Local DatabaseObject Manipulation • CVE-2013-0680: Cogent DataHub CraftedHTTPRequest Header Parameter Stack Overflow • CVE-2013-0652: General Electric (GE) Intelligent ProficyJavaRemote Method Invocation • CVE-2008-0760: SafeNet Sentinel Protection Server HTTP Request Directory TraversalandArbitrary File Access • CVE-2012-3039: MoxaOnCellGatewayPredictable SSH / SSLConnection Key Generation • WeidmüllerWaveLine Router Web Interface config.cgi Configuration ManipulationCSRF 0% 11% 22% 66%

  25. Real world issues • Control system network connected to corporate network or internet 0% 11% 22% 66%

  26. Real world issues • No authentication • No per user authentication 0% 11% 22% 66%

  27. Real world issues • Delayed patching if any 0% 11% 22% 66%

  28. Real world issues • Default passwords • Shared passwords • No password change policy 0% 11% 22% 66%

  29. Real world issues • Systems not restarted in years 0% 11% 22% 66%

  30. Real world issues • Off-the-shelf software • Operating system, Database, Browser, Web Server 0% 11% 22% 66%

  31. Real world issues • Un-necessary services 0% 11% 22% 66%

  32. Real world issues • Internal differences between IT and SCADA engineers 0% 11% 22% 66%

  33. System Wide Challenges • Long life cycle of a SCADA system • SCADA system long life cycle

  34. System Wide Challenges • Cost and difficulty of an upgrade • SCADA system long life cycle

  35. Proposals • SCADA network auditing

  36. Proposals • Is you SCADA system exposed on the internet?

  37. Proposals • Password policy, access control and access roles

  38. Proposals • Are all services necessary?

  39. Proposals • Use secure protocols

  40. Proposals • Strategy for Software Update and patching

  41. Proposals • SCADA test environment

  42. Proposals • Keep up-to-date with vulnerabilities

  43. Proposals • Apply experience from IT network management

  44. ScadaScan • Current version • Scan network range • Works with TCP/IP • Identifies Modbus TCP slaves • Identifies DNP 3 TCP slaves • Beta version • SCADA master vulnerability scanning • SNMP support • HTTP support • 1.0 Release • User configurable signature files • Authenticated support for Windows and *nix • Code cleanup

  45. Thank You Twitter: @amolsarwate http://code.google.com/p/scadascan/ https://community.qualys.com

More Related