
Fear, Uncertainty, and the Digital Armageddon

SCADA

Presented By Morgan Marquis-Boire
2007 SecurityAssessment.com

Whois
- Hi, My Name is Morgan
- I'm a security guy
- SecurityAssessment.com
- Kiwicon

Introduction
Today we will be covering SCADA
- What is it?
- Why is it so hip right now?
- How do we bust it?
- When good SCADA goes bad
- Are there cyber-terrorists lurking in the bushes outside my SCADA installation?
- SCADA security and Securing your SCADA networks
- Questions

What the hell is SCADA?
SCADA is Supervisory Control and Data Acquisition
- Industrial Control Systems (ICS), commonly referred to as SCADA, underlie much of the infrastructure that makes everyday life possible in the first world.
- SCADA systems support processes that manage water supply and treatment plants;
- Control pipeline distribution systems and power grids;
- Operate chemical and, in other countries, nuclear power plants;
- HVAC systems - Heating, Ventilation, Air Conditioning
- Lift/Elevator Systems
- Traffic Signals
- Mass transit systems

What the hell is SCADA?
SCADA Networks Past and Present
- These could be described as primitive when compared to most modern networks
- Proprietary Hardware & Software (Past)
  - Manuals and procedures not widely available
  - Closed systems considered to be immune to outside threats
- Interconnected Networks (Present)
  - Utility Networks, Corporate Networks, Internet
  - DNP3 over TCP/IP
  - Modern stuff is susceptible to modern (or perhaps not so modern) attacks (SYN Flood, Ping of death)

What the hell is SCADA?
So what is it actually?
A SCADA system usually includes signal hardware (input and output), controllers, networks, user interface (HMI), communications equipment and software. All together, the term SCADA refers to the entire central system. The central system usually monitors data from various sensors that are either in close proximity or off site (sometimes miles away).

What the hell is SCADA?
How does SCADA work?
- Multi-tier Systems
- Physical Measurement/control endpoints
  - RTU, PLC
  - Measure voltage, adjust valve, flip switch
- Intermediate processing
  - Usually based on commonly used OSes
  - *nix, Windows, VMS
- Communication Infrastructure
  - Serial, Internet, Wifi
  - Modbus, DNP3, OPC, ICCP

What the hell is SCADA?
Components of a SCADA network
- RTU/PLC - Reads information on voltage, flow, the status of switches or valves. Controls pumps, switches, valves
- MTU - Master Terminal Unit - Processes data to send to HMI
- HMI - Human Machine Interface - GUI, Windows - Information traditionally presented in the form of a mimic diagram
- Communication network - LAN, Wireless, Fiber etc etc

http://www.armfield.co.uk - Industrial Food Technology

What the hell is SCADA?
Protocols of a SCADA Network
Raw Data Protocols - Modbus/DNP3
- For serial radio links mainly, but you can run anything over anything these days, especially TCP/IP (for better or worse)
- Reads data (measures voltage/fluid flow etc)
- Sends commands (flips switches, starts pumps) / alerts (it's broken!)
High Level Data Protocols - ICCP/OPC
- Designed to send data/commands between apps/databases
- Provides info for humans
- These protocols often bridge between office and control networks

What the hell is SCADA?
Let's not forget... The operator.

In keeping with tradition

So hot right now
Lots of Research Being Published
- Black Hat Federal 2k6 - Maynor and Graham (ISS) - SCADA Security and Terrorism: We're not crying wolf.
- Hack in the Box 2k7 - Raoul Chiesa and Mayhem - Hacking SCADA: How to 0wn Critical National Infrastructure
- Defcon 2k7 - Ganesh Devarajan - Unraveling SCADA Protocols: Using Sulley Fuzzer
- Petroleum Safety - Gresser - Hacking SCADA/SAS Systems
Why is SCADA the hot topic of security?
- Virtualisation rootkits are hard for most people to understand
- The possible ramifications of a SCADA compromise are widespread
- New threats - Apparently we have cyber-terrorists now

Cyber Terrorist?
Maybe in this room.

So Hot Right Now
SCADA is changing
- From proprietary, obscure, and isolated systems
- Towards standard, documented and connected ones

"It's not that these guys don't know what they are doing. Part of it is that these systems were engineered 20 years ago, and part of it is that the engineers designed these things assuming they would be isolated. But wham! they are not isolated anymore."

Alan Paller, director of research, SANS Institute

SCADA Protocols
Testing the Security of SCADA Networks

SCADA (in)Security
- You can test the security of SCADA networks with what you know now
- The rest you can find on the internet
- You don't need SCADA fuzzers or (particularly) custom tools
- Onto common SCADA problems

SCADA (in)Security
Lack of Authentication
- I don't mean lack of strong authentication. I mean NO AUTH!!
- There's no users on an automated system
- OPC on Windows requires anonymous login rights for DCOM (XP SP2 breaks SCADA because anonymous DCOM off by default)
- Normal policies regarding user management, password rotation etc etc do not apply
Can't Patch, Won't patch
- SCADA systems traditionally aren't patched
- Install the system, replace the system a decade later
- Effects of patching a system can be worse than the effects of compromise?
- Very large vulnerability window

SCADA (in)Security
It's a Brave New Interconnect World
- It was a commonly held belief that SCADA networks were isolated
- In reality there are frequently NUMEROUS connections
- Dial-in networks, radio backdoors, wireless, LAN connections, dual-homing via support laptops, connected to corporate LAN for ease of management and convenient data flow
Insecure By Design
- Anonymous services - telnet/ftp (no users, remember?)
- Passwords default or simple, NEVER changed
- Access controls not used as Firewalls cause delays which can impact responses which must happen in real time
- All protocols cleartext. Speed more important than confidentiality

Just Misunderstood
SCADA has a different security model to traditional IT Networks

Time for some F.U.D.
Security Risk defined largely by threat
- Massive power blackout
- Oil Refinery explosion
- Waste mixed in with drinking water
- Dam opens causing flooding
- Traffic Chaos
- Nuclear Explosion?
- Lack of creature comforts? (when HVAC SCADA fails)

Time for some F.U.D.
Risk is worse these days because hacking is EASY!
- Bust out your aircrack, nmap, nessus, metasploit, wicrawl, buy yourself a Russian 0day pack and you're ready to be part of the problem

I was promised some FUD
- Richard Clarke - anti-terror advisor to the Bush administration, cyber security czar and terrorism expert
- Mock intrusion scenarios have always succeeded
- Where's my digital armageddon???
- Let's watch a video then we'll have a couple of case studies

I was promised some FUD
When Good SCADA Goes SERIOUSLY WRONG
About 3:28 p.m., Pacific daylight time, on June 10, 1999, a 16-inch-diameter steel pipeline owned by Olympic Pipe Line Company ruptured and released about 237,000 gallons of gasoline into a creek that flowed through Whatcom Falls Park in Bellingham, Washington. About 1.5 hours after the rupture, the gasoline ignited and burned approximately 1.5 miles along the creek. Two 10-year-old boys and an 18-year-old young man died as a result of the accident. Eight additional injuries were documented. A single-family residence and the city of Bellingham's water treatment plant were severely damaged. As of January 2002, Olympic estimated that total property damages were at least $45 million.

10th June, 1999

I was promised some FUD
This was an accident
The Olympic Pipeline SCADA system consisted of Teledyne Brown Engineering SCADA Vector software, version 3.6.1., running on two Digital Equipment Corporation (DEC) VAX Model 4000-300 computers with VMS operating system Version 7.1. In addition to the two main SCADA computers (OLY01 and 02), a similarly configured DEC Alpha 300 computer running Alpha/VMS was used as a host for the separate Modisette Associates, Inc., pipeline leak detection system software package.

I was promised some FUD
Worm Attack
- "In August 2003 Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours." - NIST, Guide to SCADA
- Slammer worm crashed Ohio nuke plant network - Kevin Poulsen
  http://www.securityfocus.com/news/6767

I was promised some FUD
Worm Attack
"The Slammer worm entered the Davis-Besse plant through a circuitous route. It began by penetrating the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network. The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread."

I was promised some FUD
Disgruntled Employee
Vitek Boden, in 2000, was arrested, convicted and jailed because he released millions of liters of untreated sewage using his wireless laptop. It happened in Maroochy Shire, Queensland, as revenge against his former employer.

http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/

I was promised some FUD
Disgruntled Employee
"Marine life died, the creek water turned black and the stench was unbearable for residents," said Janelle Bryant of the Australian Environmental Protection Agency.
The Maroochydore District Court heard that 49-year-old Vitek Boden had conducted a series of electronic attacks on the Maroochy Shire sewage control system after a job application he had made was rejected by the area's Council. At the time he was employed by the company that had installed the system. Boden made at least 46 attempts to take control of the sewage system during March and April 2000.
On 23 April, the date of Boden's last hacking attempt, police who pulled over his car found radio and computer equipment.
Later investigations found Boden's laptop had been used at the time of the attacks and his hard drive contained software for accessing and controlling the sewage management system.

I was promised some FUD
Sabotage
Thomas C. Reed, Ronald Reagan's Secretary, described in his book At the Abyss how the U.S. arranged for the Soviets to receive intentionally flawed SCADA software to manage their natural gas pipelines. "The pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds." A 3 kiloton explosion was the result, in 1982 in Siberia.

http://www.themoscowtimes.ru/stories/2004/03/18/014.html

I was promised some FUD
Other incidents
- In 1992, a former Chevron employee disabled its emergency alert system in 22 states. This wasn't discovered until an emergency did not raise the appropriate alarms
- In 1997, a teenager broke into NYNEX and cut off Worcester Airport in Massachusetts for 6 hours by affecting ground and air communications
- In 2000 the Russian government announced that hackers had managed to control the world's largest natural gas pipeline (Gazprom)
- In 2003, the east coast of America experienced a blackout. While the Blaster worm was not the cause, many related systems were found to be infected
- Computers and manuals seized in Al Qaeda (allegedly) training camps were full of SCADA information related to dams and other such structures

O.K. too much FUD
The digital Armageddon hasn't happened yet
- Stories are obviously exaggerated to stir up outrage
- Blaster did not cause the east coast power outage
- Stories of teenaged hackers are frequently exaggerated
- While Al Qaeda had SCADA information, nothing indicated a plan involving SCADA
- Nobody has ever been killed by a cyber terrorist
- Dire predictions have thus far been incorrect.
- IDC named 2003 the year of cyberterrorism, predicting that a major cyberterrorism event would bring the internet to its knees.

The Way Forward
Good things happening in SCADA security
- There are a growing number of standards in SCADA Security
- Some excellent practical guides a la NIST from NSA and other critical infrastructure groups.
- Let's do some good!

Securing SCADA
Securing Your SCADA
- Not an all inclusive list!!
- Lots of good information online
- Much of it is common sense / Industry Best Practice
Some practical steps

Securing SCADA
Identify All Connections to SCADA Networks
- Internal LAN, WAN connections, including business networks
- The Internet
- Wireless network devices, including radio, satellite etc
- Modem or dial-up connections
- Connections to vendors, regulatory services or business partners
Conduct a thorough risk analysis to assess the risk and necessity of each connection to the SCADA network
Develop a comprehensive understanding of how these connections are protected
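Added example (not part of the original slides): one way to start the connection inventory is to compare observed flow records against the list of links the risk analysis has documented. The control network range, the documented-link list and the flow records are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: address range of the control network.
SCADA_NET = ipaddress.ip_network("10.10.0.0/24")

# Assumption: links the risk analysis has documented and accepted,
# as (peer network, protocol, destination port).
DOCUMENTED = [
    (ipaddress.ip_network("10.20.0.10/32"), "tcp", 1433),  # DMZ data warehouse
]

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("10.10.0.5", "10.10.0.21", "tcp", 502),    # stays inside the SCADA network
    ("10.10.0.5", "10.20.0.10", "tcp", 1433),   # documented transfer to the DMZ
    ("172.16.4.9", "10.10.0.5", "udp", 1434),   # vendor link nobody wrote down
    ("172.16.4.9", "10.10.0.5", "udp", 1434),
    ("10.10.0.30", "203.0.113.8", "tcp", 80),   # dual-homed support laptop
]


def boundary_crossings(flows):
    """Yield (peer, direction, protocol, port) for flows entering or leaving SCADA_NET."""
    for src, dst, proto, port in flows:
        src_inside = ipaddress.ip_address(src) in SCADA_NET
        dst_inside = ipaddress.ip_address(dst) in SCADA_NET
        if src_inside == dst_inside:
            continue  # entirely inside or entirely outside the control network
        if src_inside:
            yield dst, "outbound", proto, port
        else:
            yield src, "inbound", proto, port


def is_documented(peer, proto, port):
    """True when the peer, protocol and port match a documented link."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net and proto == p and port == n for net, p, n in DOCUMENTED)


def undocumented_connections(flows=FLOWS):
    """Count boundary-crossing flows that match no documented link."""
    seen = Counter(c for c in boundary_crossings(flows)
                   if not is_documented(c[0], c[2], c[3]))
    return sorted(seen.items())


if __name__ == "__main__":
    for (peer, direction, proto, port), count in undocumented_connections():
        print(f"{direction:8} {peer:15} {proto}/{port}  flows={count}")
```

Each line of output is a connection that still needs a risk decision: document and protect it, or disconnect it.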

Securing SCADA
Disconnect Unnecessary Connections to SCADA Networks
Isolate the SCADA network from other network connections to get the highest degree of security possible.
- While connections to other networks allow efficient and convenient passing of data, it's simply not worth the risk.
Utilisation of DMZs and data warehousing can facilitate the secure transfer of data from SCADA to business networks.

Securing SCADA
Ensure Security Best Practice is Followed on any Remaining Connections
Conduct penetration testing
- There's no substitute for having an actual human attempt an intrusion into your network
Implement:
- Firewalls
- Intrusion Detection/Prevention Systems (IDS/IPS)
- Vulnerability Assessment
- Regular Audits

Securing SCADA
Harden Your SCADA Networks!
SCADA control servers built on commercial or open source operating systems frequently run default services
- This issue is compounded when SCADA networks are interconnected with other networks
Remove unused services, especially those involving internet access, email services, remote maintenance etc
Work with SCADA vendors in order to identify (in)secure configurations
The spooks (NSA) have some useful guidelines in this area

Securing SCADA
Don't Rely on Security Through Obscurity
Some SCADA systems use unique, proprietary protocols
- Relying on these for security is not a good idea
Demand that vendors disclose the nature of vendor backdoors or interfaces to your SCADA systems
Demand that vendors provide systems that can be secured!

Securing SCADA
Implement Security feature provided by SCADA vendors
- While most older SCADA systems have no security features, newer SCADA systems often do
- More often than not though, these are turned off by default for ease of installation
- Factory defaults often provide maximum usability and minimum security
Ensure that strong authentication is used for communications.
- Connections via modems, wireless, and wired networks represent a significant vulnerability to SCADA networks.
- ^^^^ Successful wardialing/wardriving could bypass all other access controls!!!!@#$@#$

Securing SCADA
Conduct Physical Security Surveys
- Any location which has a connection to the SCADA network must be considered a target (especially unmanned or unguarded sites)
- Inventory access points. This includes:
  - Remote telephone
  - Cables/Fiber Optic Links that could be tapped
  - Terminals
  - Wireless/Radio
Ensure that this includes ALL remote sites connected to the SCADA network

Securing SCADA
Intrusion Detection and Incident Response
- To be able to respond to cyber attacks you need to be able to detect them
- Alerting of suspicious activity for network administrators is essential
- Logging on all systems
- Incident response procedures must be in place to allow effective response to an attack
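Added example (not part of the original slides): the raw data protocols and the "NO AUTH" problem described earlier mean that alerting has to come from watching who sends which commands. This sketch assumes Modbus carried over TCP; the authorised master address and the captured frames are constructed.

```python
import struct

# Function codes from the public Modbus specification.
READS = {1: "read coils", 2: "read discrete inputs",
         3: "read holding registers", 4: "read input registers"}
WRITES = {5: "write single coil", 6: "write single register",
          15: "write multiple coils", 16: "write multiple registers"}

# Assumption: the only host that should ever issue commands (the MTU).
AUTHORISED_MASTERS = {"10.10.0.5"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode one Modbus/TCP request: 7-byte MBAP header, then the PDU.

    There is no credential or signature to decode: the frame format has
    no field for one, so the source address is all a monitor can check.
    """
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", payload[:7])
    if protocol != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field disagrees with payload size")
    return {"transaction": transaction, "unit": unit,
            "function": payload[7], "data": payload[8:]}


def review(src_ip: str, payload: bytes) -> tuple:
    """Return (severity, message) for one request seen on the control network."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "ALERT", f"{src_ip}: malformed frame ({exc})"
    code = frame["function"]
    name = WRITES.get(code) or READS.get(code) or f"function {code}"
    if src_ip not in AUTHORISED_MASTERS:
        severity = "ALERT" if code in WRITES else "WARN"
    elif code in READS or code in WRITES:
        severity = "LOG"    # expected traffic, still recorded
    else:
        severity = "WARN"   # unusual function code from a known master
    return severity, f"{src_ip} -> unit {frame['unit']}: {name}"


# Constructed capture: (source address, TCP payload as hex).
CAPTURE = [
    ("10.10.0.5", "000100000006010300000002"),     # MTU polls two registers
    ("10.10.0.5", "00020000000601050003ff00"),     # MTU switches coil 3 on
    ("192.168.1.77", "0003000000060105000aff00"),  # office host switches a coil
    ("192.168.1.77", "00040000"),                  # truncated frame
]


def run(capture=CAPTURE):
    return [review(src, bytes.fromhex(data)) for src, data in capture]


if __name__ == "__main__":
    for severity, message in run():
        print(severity, message)
```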

Securing SCADA
All the good stuff that you know and love (with catchphrases that you've heard a million times before)
- Backups/Disaster Recovery
- Background checks
- Limit network access (principle of least privilege)
- Defense in depth
- Training for staff (avoid social engineering)

Conclusion
- Attacks are easier than before and SCADA is important
- The World isn't going to explode tomorrow
- Don't let the FUD overwhelm you
- DO secure your SCADA networks
- While there are many big problems to be solved with SCADA security, this field is in its infancy where IT security is comparatively teenaged.
- Use common sense

Greetings and Thanks
- SecurityAssessment.com
- SoSD
- InsomniaSec
- The Kiwicon Crue
- ISIGNZ
- NZISF

Questions?

http://www.securityassessment.com
morgan@securityassessment.com