SCADA Security, DNS Phishing
Avesta Hojjati, Computer Science Department
Advisor: Dr Akbar Namin, Texas Tech University
What is SCADA?
• Supervisory Control And Data Acquisition, a type of Industrial Control System (ICS).
• Computer based
• Communication through IPv4 & IPv6
• Uses a PLC (Programmable Logic Controller) as the main operator
Main Areas of Concern
• Security and authentication in the design, deployment and operation of existing SCADA networks
• The premise that SCADA systems are secure because they use specialized protocols and have proprietary interfaces
• The premise that SCADA networks are secure because they have been physically secured
• The premise that SCADA networks are secure because they are not exposed to the Internet
SCADA Vulnerabilities
• DoS (Denial of Service). Vulnerabilities found in FactoryTalk Services Platform and RSLinx Enterprise
• November 2011: The cyber-security of the North American power grid is "in a state of near chaos," according to a report by a respected U.S. energy consultancy monitoring the industry's transition to wireless digital technologies.
• Critical Remote Code Execution (CRCE). Vulnerabilities found in Modbus Serial Driver, a product by Schneider Electric
• September 2010: Iran admits that the Stuxnet worm had infected at least 30,000 computers in the country. The worm, which researchers have dubbed the most sophisticated malware ever, targets Windows PCs that manage large-scale SCADA systems at manufacturing and utility companies.
• Most SCADA protocols were never intended for use on publicly accessible networks, and in some cases not even on IP networks. MODBUS, a common SCADA protocol, was originally designed for use only within simple process control networks to enable low-speed serial communications between clients and servers.
Securing SCADA Networks
• Patch host operating systems, applications and SCADA components
• Control application communications between SCADA networks and other networks
• Control application communications within SCADA networks
• Control what and who are allowed to interact with SCADA networks and systems
• Monitor all networks closely and react quickly to viruses and attacks
What is DNS?
• The DNS (Domain Name System) translates Internet domain and host names to IP addresses. DNS automatically converts the names we type in our Web browser address bar to the IP addresses of the Web servers hosting those sites. (wiki)
DNS Phishing (Fake HTTP request)
• Redirecting all incoming traffic to a fake server
  • Enables the attacker to launch additional attacks, or to collect traffic logs that contain sensitive information
• Capturing all in-bound email
  • Allows the attacker to send email on the victim's behalf, using the victim organization's domain and cashing in on its positive reputation
DNS Phishing (Fake HTTP request)
• Taking over the registration of a domain
  • Attackers take over the registration of a domain and change the authoritative DNS servers. This was the type of attack used by the Syrian Electronic Army: they gained access to the domain registration accounts operated by Melbourne IT and changed the authoritative DNS servers to ns1.syrianelectronicarmy.com and ns2.syrianarmyelectronicarmy.com.
• Cache poisoning
  • Attackers inject malicious DNS data into the recursive DNS servers operated by Internet Service Providers (ISPs). The damage caused by this attack is localized to the specific users connecting to the compromised servers.
Demonstrating an attack using BackTrack
Using the ARP spoofing technique (Address Resolution Protocol)
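The demo above relies on ARP spoofing to put the attacker's machine between the victim and the gateway before the forged DNS answers are served. On the defender's side the same technique leaves a clear trace on the LAN: an IP address that suddenly answers from a different MAC, or one MAC that claims several IP addresses. The following is an added example (not part of the slides) that checks a stream of observed ARP replies for exactly those two signs; the reply records and MAC addresses are constructed sample values, and the `trusted` gateway binding is a hypothetical known-good entry an operator would configure.

```python
"""Detect ARP spoofing indicators from observed ARP replies (added example).

Each record is (sender_ip, sender_mac) as seen in ARP "is-at" replies on the
LAN. The detector keeps the first binding seen per IP (or a configured
trusted binding) as the baseline and alerts when a later reply contradicts
it, and separately when one MAC is seen claiming more than one IP.
"""
from collections import defaultdict

# Constructed sample traffic: the first three replies are benign; from the
# fourth onwards the MAC of the .20 host (a made-up value) claims the gateway
# address and then the .10 address, which is the man-in-the-middle pattern.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # workstation
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # workstation
    ("192.168.1.1", "aa:bb:cc:00:00:20"),   # gateway IP now claimed by .20's MAC
    ("192.168.1.10", "aa:bb:cc:00:00:20"),  # and .10's IP as well
]

# Hypothetical operator-configured known-good binding for the gateway.
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Return a list of alert dicts describing suspicious ARP replies.

    trusted: optional dict ip -> mac of known-good bindings, checked before
    anything learned from traffic. Without it the first binding seen for an
    IP becomes the baseline, which is weaker but still catches later changes.
    """
    baseline = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_per_mac = defaultdict(set)
    already_flagged_mac = set()
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in baseline and baseline[ip] != mac:
            alerts.append({"type": "binding_changed", "ip": ip,
                           "expected": baseline[ip], "seen": mac})
        else:
            baseline.setdefault(ip, mac)
        ips_per_mac[mac].add(ip)
        # One MAC answering for several IPs is the other classic indicator;
        # report it once per MAC to keep the alert list readable.
        if len(ips_per_mac[mac]) > 1 and mac not in already_flagged_mac:
            already_flagged_mac.add(mac)
            alerts.append({"type": "mac_claims_multiple_ips", "mac": mac,
                           "ips": sorted(ips_per_mac[mac])})
    return alerts


def gateway_hijack_detected(replies, trusted):
    """True if any reply rebinds a trusted IP (e.g. the gateway) to another MAC."""
    return any(a["type"] == "binding_changed" and a["ip"] in trusted
               for a in detect_arp_spoofing(replies, trusted))


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print(alert)
```

In practice the reply records would come from a packet capture or from periodic snapshots of the ARP table on the monitoring host; a static entry for the gateway on each workstation is the corresponding preventive control.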
Avoidance
• Good security practices such as strong passwords, IP acceptable client lists (ACLs) and social engineering training will help guard against attack
• DNSSTOP (Domain Name Server STOP)
  • A curses-based application that displays various tables of DNS statistics
• DSC (Domain Statistics Collector)
  • DNS Statistics Collector is designed to collect and aggregate statistics from busy authoritative servers, such as those used by TLD (Top-Level Domain) and root server operators.
• Traffic Gist
  • A network traffic statistics collection tool. Gist can collect statistics about live traffic and do postmortem packet capture analysis
Limiting Recursion to Authorized Clients
For DNS servers that are deployed within an organization or Internet Service Provider, the resolver should be configured to perform recursive queries on behalf of authorized clients only. These requests typically should only come from clients within the organization's network address range. We highly recommend that all server administrators restrict recursion to only clients on the organization's network.
BIND9: In the global options, include the following [10]:

acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
    allow-query { any; };
    allow-recursion { corpnets; };
};
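To make the effect of that `allow-recursion` setting concrete, here is an added example (not from the slides or from BIND itself) that parses the `acl` and `allow-recursion` statements of a named.conf fragment and answers the question an auditor actually asks: would this particular client be granted recursion? It places the open-resolver configuration (`allow-recursion { any; }`) beside the restricted one from the slide. The parser is deliberately limited to the syntax shown on the slide (IPv4 addresses or prefixes, acl names, and the built-in `any`, `none` and `localhost`); `localnets` is treated as matching nothing, which is an assumption made here because it depends on the server's interfaces, and the 203.0.113.0/24 client address is a documentation range used as a constructed outside-world client.

```python
"""Audit a BIND9 named.conf fragment for open recursion (added example).

Handles the simple syntax used on the slide: 'acl NAME { ...; };' blocks and
the 'allow-recursion { ...; };' option, with IPv4 addresses/prefixes, acl
names and the built-ins any/none/localhost. Negated entries ('!addr') and
the interface-dependent 'localnets' are not modelled (assumption).
"""
import ipaddress
import re

# Weak setting: any host on the Internet may use this server for recursion.
OPEN_RESOLVER_CONF = """
options { allow-query { any; }; allow-recursion { any; }; };
"""

# Corrected setting from the slide: recursion only for the corporate ranges.
RESTRICTED_CONF = """
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options { allow-query { any; }; allow-recursion { corpnets; }; };
"""

_ACL_RE = re.compile(r'acl\s+(\S+)\s*\{([^}]*)\}\s*;')
_RECURSION_RE = re.compile(r'allow-recursion\s*\{([^}]*)\}\s*;')


def _entries(body):
    """Split '192.168.1.0/24; 192.168.2.0/24;' into a list of entries."""
    return [t.strip() for t in body.split(';') if t.strip()]


def parse_named_conf(text):
    """Return (acls: name -> entries, allow_recursion: entries)."""
    acls = {m.group(1): _entries(m.group(2)) for m in _ACL_RE.finditer(text)}
    m = _RECURSION_RE.search(text)
    # With no allow-recursion statement BIND 9 defaults to localnets; localhost.
    allow = _entries(m.group(1)) if m else ["localnets", "localhost"]
    return acls, allow


def _matches(entry, client, acls, depth=0):
    if depth > 10:          # guard against acls that reference each other
        return False
    if entry == "any":
        return True
    if entry in ("none", "localnets"):   # localnets: not modelled (assumption)
        return False
    if entry == "localhost":
        return client.is_loopback
    if entry in acls:
        return any(_matches(e, client, acls, depth + 1) for e in acls[entry])
    try:
        return client in ipaddress.ip_network(entry, strict=False)
    except ValueError:      # unknown acl name or malformed address
        return False


def recursion_allowed(conf_text, client_ip):
    """True if the configuration would serve recursive queries to client_ip."""
    acls, allow = parse_named_conf(conf_text)
    client = ipaddress.ip_address(client_ip)
    return any(_matches(e, client, acls) for e in allow)


# Constructed outside-world client from the 203.0.113.0/24 documentation range.
OUTSIDE_CLIENT = "203.0.113.5"


def is_open_resolver(conf_text):
    """True if a client outside the organization would be granted recursion."""
    return recursion_allowed(conf_text, OUTSIDE_CLIENT)


if __name__ == "__main__":
    for name, conf in (("open", OPEN_RESOLVER_CONF), ("restricted", RESTRICTED_CONF)):
        print(name, "open resolver:", is_open_resolver(conf),
              "corp client allowed:", recursion_allowed(conf, "192.168.2.77"))
```

The check runs offline against the configuration text, so it can sit in a configuration review or a pre-deployment test; the `any` case is the one that turns an internal resolver into an open resolver usable by outsiders, which is why the slide's `corpnets` ACL matters.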
References
• http://www.fastandeasyhacking.com/ (Armitage)
• http://ettercap.github.io/ettercap/ (Ettercap)
• Siemens PLC Simulator (S7 Series)