Welcome to PHOENIX CONTACT
Hacking SCADA networks MIPSYCON 2015
Matt Cowell
Phoenix Contact Sr. ASE – North Central
847 226 5197
@m_p_cowell on Twitter
Happy CIS&R month!
2 | Presentation | Matt Cowell | ASE Central | 13 November 2015
https://www.whitehouse.gov/the-press-office/2015/10/29/presidential-proclamation-critical-infrastructure-security-and
Who am I?
Matt Cowell
Sr. ASE (Automation Sales Engineer) – N. Central
Tenure – Joined Phoenix Contact Jan 2008
Located Gurnee, IL (north of Chicago)
Responsible for all Phoenix Contact Automation product in N. Central Region
Automation product responsibility includes Ethernet, network security products, controllers and software, Industrial PC’s, HMI’s, I/O, safety and Wireless
Territory includes IL, WI, MN, ND, SD
Background – Various Engineering roles with later years focused in system integration
Question Time
Have any of your networks/systems ever been breached
(hacked)?
How do you know?
Whose responsibility is cyber security?
Everyone’s
Don’t assume someone else (IT) has it covered
SCADA system - Typical devices
Typically Field Devices
in/near control panel
Evolution of connecting SCADA to IT network or internet?
[Diagram: Internet → Router/Firewall → Enterprise/Company level → SCADA/Ind. Network, labelled "Access throughout"]
Why converge?
Reporting – Regulatory requirements/Compliance
Convenience – Access from desk, city network
Autonomy & Remote access – Outside access for contractors
Integration – to database/laboratory/billing
Mistake – Could also be inadvertent
Why consider security now?
Scope of industrial networks has grown beyond conventional “switch only” networks (layer 2)
Networks are becoming more ‘interconnected’
Device access from IT/enterprise network is desired
Remote access to SCADA systems is required for support
Industrial devices lack the network security features we have become familiar with (robust NICs, Windows updates, patches, antivirus, etc.)
Vulnerabilities are being discovered daily
Increase in network devices & trends relying upon use of ‘the cloud’
Few standards in place yet to enforce security
Stuxnet demonstrated the sophistication and damage that can be caused by industrial-specific malware – don’t wait for Stuxnet 2.0
Industrial attacks are becoming more common and brazen and usually make headline news.
You already know physical security…
Cameras and surveillance
Analogous to IDS (Intrusion Detection System)/logging
Access control – access based upon credentials
Analogous to account/password control policy
Perimeter security – fences, gates, locks
Analogous to firewalls & data diodes
Alarms
Analogous to Email/SMS/SNMP/HMI alarms
SIEM (Security Information & Event Management) or IDS
Security guard
Analogous to IT/security focused professional
We generally take physical security very seriously
How real is the cyber threat?
Attack statistics
ICS CERT – Responded to 245 ‘ICS’ attacks in 2014
ICS CERT – Reported 159 ‘ICS’ product vulnerabilities
DELL – SCADA attacks doubled in 2014 (vs 2013)
http://www.hackmageddon.com/
https://www.dell.com/learn/us/en/uscorp1/press-releases/2015-04-13-dell-annual-threat-report
https://ics-cert.us-cert.gov/sites/default/files/documents/Year_in_Review_FY2014_Final.pdf
ICS CERT – incidents by sector
https://ics-cert.us-cert.gov/sites/default/files/documents/Year_in_Review_FY2014_Final.pdf
ICS CERT – incidents by access vector
APT!
https://ics-cert.us-cert.gov/sites/default/files/documents/Year_in_Review_FY2014_Final.pdf
Verizon report
Malware events affecting utilities…
http://www.verizonenterprise.com/DBIR/2015/
A few discovered vulnerabilities
All confirmed and published by US CERT (DHS)
41 total vulnerabilities posted, including:
ICSA-15-169-02 : Schneider Electric Wonderware System Platform Vulnerabilities
ICSA-11-307-01 : Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities
ICSA-13-217-02 : Schneider Electric Vijeo Citect, CitectSCADA, PowerLogic SCADA Vulnerability
ICSA-14-259-01A : Schneider Electric SCADA Expert ClearSCADA Vulnerabilities (Update A)
ICSA-12-018-01B : Schneider Electric Quantum Ethernet Module Hard-Coded Credentials (Update B)
ICSA-14-273-01 : SchneiderWEB Server Directory Traversal Vulnerability
ICSA-11-173-01 : ClearSCADA Remote Authentication Bypass
ICSA-14-086-01A : Schneider Electric Serial Modbus Driver Buffer Overflow (Update A)
ICSA-14-093-01 : Schneider Electric OPC Factory Server Buffer Overflow
ICSA-14-086-01 : Schneider Electric Serial Modbus Driver Buffer Overflow
ICSA-13-077-01B : Schneider Electric PLCs Vulnerabilities (Update B)
ICSA-15-085-01A : Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014 Vulnerabilities (Update A)
As of 11/2/15
A few discovered vulnerabilities
75 total vulnerabilities posted, including:
ICSA-15-050-01 : Siemens SIMATIC STEP 7 TIA Portal Vulnerabilities
ICSA-15-020-01 : Siemens SCALANCE X-300/X408 Switch Family DOS Vulnerabilities
ICSA-12-256-01 : Siemens WinCC WebNavigator Multiple Vulnerabilities
ICSA-14-098-03 : Siemens Ruggedcom WIN Products BEAST Attack Vulnerability
ICSA-13-149-01 : Siemens SCALANCE Privilege Escalation Vulnerabilities
ICSA-12-158-01 : Siemens WinCC Multiple Vulnerabilities
ICSA-12-212-02 : Siemens SIMATIC S7-400 PN CPU DoS
ICSA-14-114-02 : Siemens SIMATIC S7-1200 CPU Web Vulnerabilities
ICSA-14-079-02 : Siemens SIMATIC S7-1200 Vulnerabilities
As of 11/2/15
...more discovered vulnerabilities
ICSA-13-095-02A : Rockwell Automation FactoryTalk and RSLinx Vulnerabilities (Update A)
ICSA-15-111-02 : Rockwell Automation RSLinx Classic Vulnerability
ICSA-11-175-01 : Rockwell FactoryTalk Diag Viewer Memory Corruption
ICSA-14-021-01 : Rockwell RSLogix 5000 Password Vulnerability
ICSA-14-254-02 : Rockwell Micrologix 1400 DNP3 DOS Vulnerability
ICSA-14-294-01 : Rockwell Automation Connected Components Workbench ActiveX Component Vulnerabilities
ICSA-12-088-01A : Rockwell Automation FactoryTalk RNADiagReceiver (UPDATE A)
ICSA-10-070-01A : Rockwell Automation RSLinx Classic EDS Vulnerability (Update A)
ICSA-13-011-03 : Rockwell Automation ControlLogix PLC Vulnerabilities
ICSA-11-273-03A : Rockwell RSLogix Overflow Vulnerability (Update A)
ICSA-10-070-02 : Rockwell PLC5/SLC5/0x/RSLogix Security Vulnerability
ICSA-11-161-01 : Rockwell RSLinx EDS Vulnerability
ICSA-15-132-02 : Rockwell Automation RSView32 Weak Encryption Algorithm on Passwords
ICSA-15-062-02 : Rockwell Automation FactoryTalk DLL Hijacking Vulnerabilities
ICSA-12-342-01B : Rockwell Allen-Bradley MicroLogix, SLC 500, and PLC-5 Fault Generation Vulnerability (Update B)
...and some others
ICSA-12-212-01 : ICONICS GENESIS32/BizViz Security Configurator Authentication Bypass Vulnerability
ICSA-14-023-01 : GE Proficy Vulnerabilities
ICSA-15-167-01 : GarrettCom Magnum Series Devices Vulnerabilities
ICSA-12-243-01 : GarrettCom - Use of Hard-Coded Password
ICSA-13-042-01 : MOXA EDR-G903 Series Multiple Vulnerabilities
ICSA-15-160-01 : N-Tron 702W Hard-Coded SSH and HTTPS Encryption Keys
ICSA-12-354-01A : Ruggedcom ROS Hard-Coded RSA SSL Private Key (Update A)
ICSA-12-146-01A : RuggedCom Weak Cryptography for Password Vulnerability (Update A)
ICSA-13-340-01 : RuggedCom ROS Multiple Vulnerabilities
ICSA-12-249-02 : WAGO IO 758 Default Linux Credentials
Network security breach case study: Stuxnet
The industrial virus that brought mass media attention
Complex rootkit exploiting four zero-day exploits
Designed to attack Siemens control networks and Windows OS
Used stolen digital certificates to look inconspicuous
Could manipulate PLC logic and network traffic
Automatically spreads via USB jump drive
Reports updates back to an internet server
Targeted Iran’s uranium enrichment centrifuges, causing significant damage, but also spread worldwide
Suspected to be a state-sponsored virus
It has a ‘kill date’ coded into it to stop spreading on 6/24/12
Network security breach case study: Havex
First detected summer 2014
Primarily a cyber espionage campaign, but could easily have been repurposed for malicious intent
Havex malware was created by a well-resourced group known as “Dragonfly” or “Energetic Bear”
Targeted energy grid operators, power generation plants, petroleum pipelines & industrial OEMs
Victims were located in various countries including the US
Used multiple attack vectors including compromising ICS software, spam and watering hole attacks.
Communicates with a C&C server for control and updates
Used OPC DA to communicate while evading detection
500,000 reasons to be afraid
https://threatpost.com/shodan-search-engine-project-enumerates-internet-facing-critical-infrastructure-devices-010913/77385/
Powergrid honeypot
http://www.scmagazineuk.com/4sics-what-hackers-do-when-they-access-a-power-grid-honeypot/article/448391/
Why do people ‘hack’?
There are a number of motivators, including:
Ego
Criminal
Political/Spying
Hacktivism
Terrorism
War
Personal gain
Corporate gain
Sabotage
Retribution
Personal Concern
How do people hack?
Inside job/disgruntled employee – abusing network privileges
Sniffing – intercepting network traffic, ARP spoofing. Unsecured protocols (HTTP, SNMP v1 & 2) may carry passwords in clear text
Password cracking – exploiting defaults, password generators, phishing, keylogging, brute force
DoS – Denial of Service attacks overwhelm a network interface by sending excessive traffic to that device.
Spoofing – Firewalls define rules based upon IP address, MAC address and port. Spoofing modifies the source IP/MAC to pretend it’s from a legitimate source in order to gain access and hijack a session. A cyber imposter.
Wireless attack – Using packet captures and decryption tools it’s possible to extract the WEP key of a wireless AP.
Virus/Worm – Self-replicating infectious computer code (malware) that can take control of a system or steal information. Infect and spread.
Ransomware – Specific infection that demands ransom money or will lock you out of your files or threaten to delete them by a specific deadline – NEW
Trojan – Malicious code attached to a legitimate file; once run, it compromises the system by giving access to a hacker(s), as a virus would.
Social Engineering – manipulating people to divulge information or perform an action – a cyber con artist. Email/phone/baiting/phishing
Exploiting vulnerabilities – unpatched Windows (latest updates not applied), Stuxnet
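The “Sniffing – ARP spoofing” item above is one of the few attacks on this list that a plant can detect passively from its own switch port mirror. The following is an added example, not code from the presentation or from Phoenix Contact: a small monitor that learns IP-to-MAC bindings from ARP replies and alerts when a known address suddenly answers from a different MAC, or when one MAC claims several IPs (the pattern of a host impersonating both the gateway and a PLC). All IP and MAC addresses are constructed lab values.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    """Passive IP-to-MAC consistency check over observed ARP replies."""
    # Trusted static bindings, e.g. from the documented network inventory
    static: dict = field(default_factory=dict)
    # Bindings learned from the first reply seen for an IP
    learned: dict = field(default_factory=dict)
    # Which IPs each MAC has claimed so far
    ips_per_mac: defaultdict = field(default_factory=lambda: defaultdict(set))

    def observe(self, ip: str, mac: str) -> list:
        """Feed one ARP reply (sender IP, sender MAC); return alert strings."""
        mac = mac.lower()
        alerts = []
        expected = self.static.get(ip) or self.learned.get(ip)
        if expected is None:
            self.learned[ip] = mac          # first sighting: learn it
        elif expected != mac:
            alerts.append(f"ARP change: {ip} was {expected}, now {mac}")
        self.ips_per_mac[mac].add(ip)
        if len(self.ips_per_mac[mac]) > 1:
            claimed = sorted(self.ips_per_mac[mac])
            alerts.append(f"MAC {mac} claims multiple IPs: {claimed}")
        return alerts


# Constructed sample: normal replies, then one host answering for both the
# router and the PLC (the pattern of a man-in-the-middle on the control LAN).
# Addresses and MACs are invented for this lab, not taken from a real site.
SAMPLE_ARP_REPLIES = [
    ("192.168.0.1", "02:00:00:00:00:01"),    # router / perimeter firewall
    ("192.168.0.101", "02:00:00:00:00:65"),  # PLC
    ("192.168.0.100", "02:00:00:00:00:64"),  # HMI PC
    ("192.168.0.1", "02:00:00:00:00:c8"),    # .1 suddenly answers from a new MAC
    ("192.168.0.101", "02:00:00:00:00:c8"),  # same MAC now also claims the PLC
]


def run_monitor(replies=SAMPLE_ARP_REPLIES) -> list:
    """Run the monitor over a reply stream; returns every alert raised."""
    mon = ArpMonitor(static={"192.168.0.1": "02:00:00:00:00:01"})
    alerts = []
    for ip, mac in replies:
        alerts.extend(mon.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for a in run_monitor():
        print("ALERT:", a)
```

Feeding real ARP replies from a mirror port (e.g. parsed from a packet capture) into `observe()` in place of the constructed list gives the same alerts; the static table should come from the documented network inventory the summary slide asks for.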
How easy is it to ‘hack’ a facility?
Just ask Google
Wireless breach
Wardriving
If no access to the inside network, first have to find it:
Specialist search engines
Public IP and Port scans
Social engineering via Trojan or Phishing
Vulnerabilities
Easy targets
Publicly available online and being found daily
Dedicated tools to make life easier
...as we will see
Even easier if you have $8k
http://www.forbes.com/sites/thomasbrewster/2015/10/21/scada-zero-day-exploit-sales/
4. Attack demonstration
[Lab network diagram: a PC (HMI) Master, a Lean Managed Switch and a PLC Slave on the LAN (addresses 192.168.0.1, 192.168.0.100, 192.168.0.101, 192.168.0.102 and 192.168.0.200) behind a perimeter router/firewall; an Attacking PC on the Internet/WAN side at 1.2.3.4]
4. Denial Of Service attack
What did we learn?
With information we collected by learning the network, we can now break it
Network adapters (particularly on Industrial devices) can be overwhelmed if you send excessive packets
This can manifest in many devastating ways – preventing legitimate communications and in some cases locking up the device requiring power cycle or losing its program
Recommendations:
Use Firewalls to control/restrict access
Use managed switches with bandwidth limitation or routers to prevent excess traffic
Enable monitors/logging to watch and automatically notify of dangerous traffic levels
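The third recommendation (monitor and notify on dangerous traffic levels) is the one a controls engineer can implement with little more than a flow or packet log. The following is an added example, not code from the presentation or from Phoenix Contact: it parses constructed per-packet log lines, counts packets per destination in one-second windows and raises an alert when a device receives more than its assumed rate limit, naming the top sender. The limits, the log format and all addresses are assumptions for the lab network above; the PLC gets a far lower limit than the HMI PC because its adapter is the one that locks up.

```python
from collections import Counter, defaultdict

# Assumed per-device packet-per-second limits (constructed for this lab).
# Industrial devices get a far lower limit than the HMI PC because, as the slide
# notes, their network adapters are the ones that lock up under excess traffic.
RATE_LIMITS = {"192.168.0.101": 200, "192.168.0.100": 2000}
DEFAULT_LIMIT = 500


def build_sample_log() -> list:
    """Constructed flow log: '<epoch> <src> <dst> <proto/port>' per packet.
    Three seconds of normal 20 pkt/s HMI polling of the PLC, then one second in
    which a third host sends 1500 packets to the PLC."""
    lines = []
    for sec in range(3):
        for i in range(20):
            lines.append(f"{1000 + sec + i / 20:.3f} 192.168.0.100 192.168.0.101 tcp/502")
    for i in range(1500):
        lines.append(f"{1003 + i / 1500:.3f} 192.168.0.200 192.168.0.101 tcp/502")
    return lines


def parse_line(line: str):
    """Split one log line into (timestamp, src, dst, proto)."""
    ts, src, dst, proto = line.split()
    return float(ts), src, dst, proto


def detect_floods(lines, limits=RATE_LIMITS, default=DEFAULT_LIMIT) -> list:
    """Count packets per destination in fixed one-second windows and return an
    alert for every (window, destination) that exceeds its limit.  Each alert
    names the top sender so an operator can act on the right switch port."""
    per_window = defaultdict(Counter)  # (window, dst) -> Counter of src
    for line in lines:
        ts, src, dst, _proto = parse_line(line)
        per_window[(int(ts), dst)][src] += 1
    alerts = []
    for (window, dst), senders in sorted(per_window.items()):
        total = sum(senders.values())
        limit = limits.get(dst, default)
        if total > limit:
            top_src, top_pps = senders.most_common(1)[0]
            alerts.append({"window": window, "dst": dst, "pps": total,
                           "limit": limit, "top_src": top_src,
                           "top_src_pps": top_pps})
    return alerts


if __name__ == "__main__":
    for a in detect_floods(build_sample_log()):
        print(f"ALERT: {a['dst']} got {a['pps']} pkt/s (limit {a['limit']}) "
              f"in window {a['window']}, mostly from {a['top_src']}")
```

In production the alert dictionaries would be handed to the email/SMS/SNMP notification path the earlier "Alarms" slide describes, and the thresholds tuned from a baseline of normal polling traffic.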
Control the ‘inside’
Prevent unnecessary access to industrial devices/network
Use a firewall to control traffic rules
Be careful of open ports and ‘backdoors’
Ensure adequate encryption when using wireless (WPA2) & a long, unusual passphrase
Restrict USB drive usage
Be careful of infected internal PCs – a virus or Trojan can run on the inside (‘inside job’), cause havoc and send information out
It’s claimed 60-70% of all security breaches are carried out by insiders
So WHAT do you do?
Take measures to harden/design in security to your control system
Take advantage of managed switches – port control (disable unused ports, RADIUS authentication, MAC table lookup, etc.)
Utilize industrial firewalls – packet filtering rules, logging, authentication (user firewall or VPN), CIFS; eliminates additional burden on existing hardware
The solution?
mGuard Industrial Router, Firewall and VPN
Partial
Not just my advice...
Use of a firewall is a common recommendation by the US CERT for posted vulnerabilities
It gets worse…
Cybersecurity Act of 2012
What is ‘critical infrastructure’?
16 sectors
DOE…”Doh!”
“Attackers successfully compromised U.S. Department of Energy computer systems more than 150 times between 2010 and 2014, a review of federal records obtained by USA TODAY finds”
http://www.usatoday.com/story/news/2015/09/09/cyber-attacks-doe-energy/71929786/
http://gizmodo.com/department-of-energy-hacked-over-150-times-in-four-year-1730259071
Standards & guidelines
NIST 800-82 R2 guidelines
NERC CIP v5
Remember high/medium BES begins Apr 1st 2016
ISA 62443 (formerly known as ISA-99).
CIP Requirement Controls
CIP 002 Critical Cyber Asset Identification
CIP 003 Security Management Controls
CIP 004 Personnel and Training
CIP 005 Electronic Security Perimeter(s)
CIP 006 Physical Security of Critical Cyber Assets (CCA)
CIP 007 Systems Security Management
CIP 008 Incident Reporting and Response Planning
CIP 009 Recovery Plans for Critical Cyber Assets
CIP 014 Physical security
Defense in Depth in practice
www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
Zones
Firewalls
DMZ
IDS/Logging
Summary
Like it or not – critical control systems are becoming more interconnected (IoT/IIoT)
This is not just an IT problem – controls engineers need to know more about network security
The risk of an attack is great
NERC CIP v5 is a big deal
Key starting points:
Know/document your network
Implement basic access control mechanisms
Log network traffic
Have a proactive patching strategy!
Final Thought
Thank you
Matt Cowell Sr. Automation Sales Engineer
847 226 5197
@m_p_cowell