SCADA (in)security rises

(in English)
ICS are critical, vulnerable, exposed
Identifying their weaknesses is paramount
Security testing can be done safely (if with some limitations)
Specific methodologies and expertise are needed


Conference proceedings or presentations containing case histories
mcT Petrolchimico Milano, November 2016: What future for Cyber Security?

by Alessia De Giosa
mcT Petrolchimico Milano 2016



Text extract
Milan, 24 November 2016

SCADA (in)security rises

$whoami
Associate professor @ POLIMI
Founder, Secure Network
Co-founder, Motivum inc.
Director & Fellow, ISSA
BoG Member & Senior Member, IEEE Computer Society
Review board member @ Black Hat Briefings

Typical SCADA ecosystem

SCADA/ICS Security
For years SCADA/ICS systems relied on security through obscurity
Industrial systems, which had been designed and intended to be alone, became magically connected to the world
No perception of modern security threats and risks

SCADA/ICS Security
Like traditional IT networks, SCADA environments host critical data and information: projects, plans, chemical secrets
They have a direct impact on the physical world
Cyber-physical systems security versus information security

Attacking Chemical Plants
August 2013: multiple vulnerabilities in the industrial wireless products of three vendors were reported. Customers are nuclear, oil and gas, refining, petro-chemical, utility, and wastewater companies
2014: Lucas Apa and Carlos Penagos released a public advisory describing four vulnerabilities affecting some OleumTech wireless products

Attacking Chemical Plants
Site Security Key: the pre-shared key is the project creation calendar time. Insecure because it is easily guessable.
OleumTech protocol data was not encrypted, allowing attackers to identify sensor node information over the air (OTA), as well as the topology of gateways and transmitters.

Attacking Chemical Plants
Threat: an attacker in a ~60 km range could inject false values on the wireless gateways, modifying measurements used to make critical decisions
Targeting a wireless transmitter that monitors the process temperature could make a chemical react and explode, if failsafe mechanisms are not implemented
They demonstrated the scenario on a virtual simulator

The Steel Mill Incident
In 2014, a steel mill in Germany suffered significant damage due to a cyberattack.
Attackers gained access to the corporate network via a phishing attack and then to the plant network in order to compromise multiple individual controllers. The furnace was unable to shut down properly, leading to physical damage.

The Steel Mill Incident
Spear phishing email to operators -> Compromise host on corporate network -> Pivot into the plant network -> Exploitation phase -> Controllers

The First Hacker-caused Power Outage
23 December 2015: power outage across several regions of Western Ukraine
The attack on the power grid was not an opportunistic attack but an aimed, well-planned attack
Multiple systems were infected by the BlackEnergy malware

The First Hacker-caused Power Outage
Spear phishing email to operators -> Use of BlackEnergy malware -> VPN and credential theft -> Network and host discovery -> UPS firmware modification -> Power outage

What are some key characteristics?
Access vector: spear phishing
Access vector: VPN
Access vector: wireless protocols
Exploitation: firmware modification or reconfiguration (relatively easy because of little/no protection)

SCADA/ICS Security Assessment
The penetration testing goal is usually data; in this case we care about the safe operation of the plant
Intrinsic critical nature of systems
Typically, no testing or quality environment
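The OleumTech scenario above ends with the condition "if failsafe mechanisms are not implemented". The following is an added example, not code from the presentation or from any vendor, of one such failsafe on the receiving side: a plausibility filter that rejects a transmitted measurement when it is outside the sensor's physical range, changes faster than the process can, or disagrees with a redundant transmitter, so the controller holds the last good value or moves to a safe state instead of acting on it. The limits, the reading feed and the injected value are all constructed for illustration.

```python
"""Plausibility filter for process measurements, e.g. a temperature
transmitter whose radio link could carry injected values.

Added example, not code from the presentation or from any vendor.
The limits and the readings below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Limits:
    low: float             # physically possible minimum for this sensor
    high: float            # physically possible maximum
    max_rate: float        # largest credible change per second
    max_divergence: float  # tolerated gap between redundant transmitters


@dataclass
class Reading:
    t: float      # seconds since start
    value: float


@dataclass
class Filter:
    limits: Limits
    last_good: Optional[Reading] = None
    alarms: List[str] = field(default_factory=list)

    def accept(self, primary: Reading, redundant: Optional[Reading] = None) -> Optional[float]:
        """Return the accepted value, or None when the reading is rejected and
        the controller should hold the last good value or go to a safe state."""
        lim = self.limits
        if not lim.low <= primary.value <= lim.high:
            self.alarms.append(f"t={primary.t}: out of physical range: {primary.value}")
            return None
        if self.last_good is not None:
            dt = primary.t - self.last_good.t
            if dt > 0:
                rate = abs(primary.value - self.last_good.value) / dt
                if rate > lim.max_rate:
                    self.alarms.append(f"t={primary.t}: implausible rate {rate:.1f}/s")
                    return None
        if redundant is not None and abs(primary.value - redundant.value) > lim.max_divergence:
            self.alarms.append(
                f"t={primary.t}: redundant transmitters disagree ({primary.value} vs {redundant.value})")
            return None
        self.last_good = primary
        return primary.value


def run_demo():
    """Constructed feed: steady reactor temperature, then one injected reading
    that claims the vessel is cold (which would drive more heating) while the
    redundant transmitter still reports the real value."""
    f = Filter(Limits(low=-20, high=400, max_rate=2.0, max_divergence=5.0))
    feed = [
        (Reading(0, 180.0), Reading(0, 180.4)),
        (Reading(1, 180.5), Reading(1, 180.6)),
        (Reading(2, 120.0), Reading(2, 181.0)),   # injected value
        (Reading(3, 181.2), Reading(3, 181.1)),
    ]
    accepted = [f.accept(p, r) for p, r in feed]
    return accepted, f.alarms
```

A filter like this does not authenticate the radio link (that needs a key not derived from guessable data, and encryption, which the slide notes the OleumTech protocol lacked); it limits what a single injected value can do. A value drifted slowly within max_rate would pass the rate check, which is why the hard range bounds and the redundant-transmitter comparison matter as independent layers.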
SCADA/ICS Security Assessment
Methodology must reduce to ~0 any effect on the actual controlled process
Perform a penetration test to demonstrate depth of access, while not actually executing delivery of payload on SCADA systems

SCADA/ICS Security Assessment
White or gray box assessment strategy
Extensive, horizontal analysis and vertical exploits on a subset of pre-defined and authorized targets
Assessment activity is supervised by the customer
A proper knowledge of the controlled process is required to identify a potential issue and react

SCADA/ICS Security Assessment
Corporate Network Assessment: canonical corporate network assessment with a focus on network segregation or isolation
SCADA Network Assessment: testing SCADA network systems and services with the support of Customer personnel
PLC/RTU Devices Testing: fuzz testing on adopted protocols; lab testing preferred over production environment testing
Policies and Procedures Review: internal policies review in order to spot issues in the organization processes

Corporate Network Assessment
Scenario-driven attacks
Corporate networks are likely to have been assessed before, but context-dependent scenarios need to be evaluated
Verify proper network segregation between corporate network and SCADA network.
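The segregation check in the last bullet can be partly automated before any hands-on testing. As an added example (not from the presentation), the script below takes a zone map and an allowed-flow matrix for a site and runs firewall connection records against them, reporting every allowed flow that crosses a zone boundary the policy does not permit. Denied records are ignored because the firewall already stopped them; it is the allowed cross-zone traffic that reveals a rule gap. Zone ranges, the matrix, the log format and the log lines are all constructed; a real run would use the site's own firewall or NetFlow export and its documented policy.

```python
"""Check observed network flows against the intended corporate/SCADA
segregation policy.

Added example, not part of the presentation. Zone ranges, the allowed-flow
matrix, the log format and the log lines are constructed for illustration."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Zones and their address ranges (constructed).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":       ipaddress.ip_network("10.20.0.0/24"),
    "scada":     ipaddress.ip_network("192.168.100.0/24"),
}

# Allowed flows: (src zone, dst zone) -> allowed destination ports, or None
# for any port. Anything not listed is a segregation violation.
ALLOWED: Dict[Tuple[str, str], Optional[set]] = {
    ("corporate", "corporate"): None,
    ("scada", "scada"): None,
    ("corporate", "dmz"): {443},   # historian web front end
    ("dmz", "scada"): {502},       # historian polls Modbus/TCP
}

# Constructed firewall record format:
# <timestamp> ALLOW|DENY TCP|UDP <src>:<sport> -> <dst>:<dport>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_line(line: str) -> Optional[str]:
    """Return a violation message for an allowed flow the policy does not
    permit; None for conformant flows and for records the firewall denied."""
    m = LINE.match(line)
    if not m:
        return f"unparseable: {line!r}"
    if m["action"] == "DENY":
        return None
    src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
    key = (src_zone, dst_zone)
    if key in ALLOWED and (ALLOWED[key] is None or int(m["dport"]) in ALLOWED[key]):
        return None
    return (f"{m['ts']}: {src_zone} {m['src']} -> {dst_zone} {m['dst']}:{m['dport']} "
            f"({m['proto']}) not permitted by segregation policy")


def audit(lines: List[str]) -> List[str]:
    return [v for v in (check_line(l) for l in lines) if v]


# Constructed log excerpt. The third record is a corporate-range workstation
# speaking Modbus/TCP straight to a PLC; the last is a SCADA host sending
# SNMP traps out to the corporate network, a path the policy never listed.
SAMPLE_LOG = [
    "2016-11-24T10:02:11 ALLOW TCP 10.10.5.23:51234 -> 10.20.0.10:443",
    "2016-11-24T10:02:15 ALLOW TCP 10.20.0.10:40001 -> 192.168.100.10:502",
    "2016-11-24T10:03:02 ALLOW TCP 10.10.5.23:51240 -> 192.168.100.10:502",
    "2016-11-24T10:03:09 DENY TCP 10.10.7.4:60000 -> 192.168.100.20:44818",
    "2016-11-24T10:04:30 ALLOW UDP 192.168.100.10:161 -> 10.10.9.9:162",
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_LOG):
        print(violation)
```

Each reported line is a candidate for the "is it possible to jump from one network into the other?" question: either a rule that should not exist, or an undocumented exception that has to be written into the policy with its justification. Traffic leaving the SCADA zone counts as much as traffic entering it.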
Corporate Network Assessment
Is it possible to jump from one network into the other?
Network attacks against users who have access to the SCADA network or systems, e.g., abusing a whitelisted workstation to pivot into the SCADA network

SCADA Network Assessment
Again, scenario-driven attacks
Simulating attacks from malicious employees
Simulating attacks against legitimate employees
Vulnerability research on adopted software solutions
Production systems testing should be carefully supervised by personnel or operators
A Point of Contact (PoC) should be available in order to handle any incidents
Vulnerability exploitation must be specifically authorized and monitored by the Customer

SCADA Network Assessment
Network attacks against servers could be expected
Pivoting through internal users' web browsers to attack internal web applications is less obvious
Many web applications are vulnerable to Cross-Site Request Forgery (CSRF) attacks
CSRF attacks are completely transparent to the user and may affect any system they are currently logged into
CSRF attacks do not require a compromised workstation
Using penetration testing tools focused on client-side attacks makes pivoting easier, e.g., BeEF (The Browser Exploitation Framework)

PLC/RTU Device Testing
Devices are often considered out of scope "because they are critical" (... that's a good one!)
Approaches we found sometimes effective:
In-lab device testing (if available, rare)
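The CSRF slide above says such attacks are transparent to the user and need no compromised workstation. The added example below (not from the presentation or any product) shows why, for a constructed internal HMI web application: a handler that trusts the session cookie alone accepts a request forged by an unrelated page the operator happens to have open, because the browser attaches the cookie regardless of which site submitted the form. The hardened handler also requires a per-session anti-CSRF token that only the application's own pages can embed, and refuses a request whose Origin header names another site. The endpoint, session store, secret and origin are all constructed.

```python
"""Cross-Site Request Forgery against an internal web application: a
state-changing handler that trusts the session cookie alone, beside one
that also requires a per-session anti-CSRF token.

Added example, not from the presentation or any product. The application,
its endpoint, the session store and the secret are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SERVER_SECRET = secrets.token_bytes(32)                    # constructed per-deployment secret
SESSIONS: Dict[str, str] = {"sess-op-17": "operator17"}    # cookie value -> user
THRESHOLDS: Dict[str, float] = {"reactor_temp_high": 350.0}
APP_ORIGIN = "https://hmi.plant.internal"                  # constructed origin


@dataclass
class Request:
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session; the app embeds it in its own forms,
    and a page on another origin cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def set_threshold_vulnerable(req: Request) -> str:
    """Accepts any authenticated POST. The browser sends the session cookie on
    cross-site form submissions too, so any page the operator visits can call this."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return "401 unauthenticated"
    THRESHOLDS[req.form["name"]] = float(req.form["value"])
    return "200 ok"


def set_threshold_hardened(req: Request) -> str:
    """Requires the per-session token and, when the browser sends one, an Origin
    header matching the application."""
    sid = req.cookies.get("session", "")
    if SESSIONS.get(sid) is None:
        return "401 unauthenticated"
    origin = req.headers.get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return "403 cross-origin request refused"
    presented = req.form.get("csrf_token", "")
    if not hmac.compare_digest(presented.encode(), csrf_token(sid).encode()):
        return "403 missing or invalid CSRF token"
    THRESHOLDS[req.form["name"]] = float(req.form["value"])
    return "200 ok"


def simulate() -> Dict[str, str]:
    """Two requests carrying the same cookie: one from the HMI's own form,
    one forged by a page on another site the operator happened to open."""
    cookie = {"session": "sess-op-17"}
    genuine = Request(cookie,
                      {"name": "reactor_temp_high", "value": "340",
                       "csrf_token": csrf_token("sess-op-17")},
                      {"Origin": APP_ORIGIN})
    forged = Request(cookie,
                     {"name": "reactor_temp_high", "value": "900"},
                     {"Origin": "https://intranet-news.example"})
    results = {}
    results["vulnerable/forged"] = set_threshold_vulnerable(forged)   # 200 ok: alarm limit silently raised
    results["hardened/forged"] = set_threshold_hardened(forged)       # 403
    results["hardened/genuine"] = set_threshold_hardened(genuine)     # 200 ok
    return results
```

Web frameworks ship this token check as middleware, and current browsers' SameSite cookie defaults reduce the exposure for new deployments; the long-lived internal applications found on plant networks often predate both, which is why the slide's point still holds during an assessment.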
PLC/RTU Device Testing
Custom protocol reversing and fuzzing (demonstrate a vulnerability even if you cannot exploit the device itself)

Policies & Procedures Review
Targeting non-technological issues
Identify process-related security weaknesses
Focus on SCADA/ICS systems management

Conclusions
ICS are critical, vulnerable, exposed
Identifying their weaknesses is paramount
Security testing can be done safely (if with some limitations)
Specific methodologies and expertise are needed

Thank you
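The PLC/RTU device testing slides recommend custom protocol reversing and fuzzing in a lab, and note that demonstrating a robustness defect is valuable even when the device itself is not exploited. As an added example, not from the presentation and not modelled on any real device's protocol or firmware, the harness below defines a simplified Modbus/TCP-style framing, a naive parser that trusts the length and count fields, a checked parser that validates them, and a seeded mutation fuzzer that records any input making a parser fail with something other than its controlled FrameError. The frame layout and both parsers are constructed toys.

```python
"""Lab fuzzing harness for a simplified Modbus/TCP-style framing.

Added example: the frame layout and both parsers are constructed toys,
not any real device's protocol or firmware."""
import random
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


class FrameError(ValueError):
    """The only exception a well-behaved parser may raise on bad input."""


@dataclass
class Frame:
    tid: int
    unit: int
    function: int
    fields: Tuple[int, ...]

# Layout: transaction id (2) | protocol id (2, always 0) | length (2) = bytes
# after this field | unit (1) | function (1) | function-specific data.
# 0x03 = read registers (start, count); 0x10 = write registers
# (start, count, byte count, then `count` 16-bit values).


def parse_naive(data: bytes) -> Frame:
    """Trusts the wire: no size checks, counts taken at face value."""
    tid, _proto, _length = struct.unpack(">HHH", data[:6])
    unit, fn = data[6], data[7]
    body = data[8:]
    if fn == 0x03:
        start, count = struct.unpack(">HH", body)                       # assumes 4 bytes
        return Frame(tid, unit, fn, (start, count))
    if fn == 0x10:
        start, count, _nbytes = struct.unpack(">HHB", body[:5])
        values = struct.unpack(f">{count}H", body[5:5 + 2 * count])      # trusts count
        return Frame(tid, unit, fn, (start, count) + values)
    raise FrameError(f"unsupported function {fn:#x}")


def parse_checked(data: bytes) -> Frame:
    """Validates every length and count before using it."""
    if len(data) < 8:
        raise FrameError("short header")
    tid, proto, length = struct.unpack(">HHH", data[:6])
    if proto != 0 or length != len(data) - 6:
        raise FrameError("bad protocol id or length field")
    unit, fn = data[6], data[7]
    body = data[8:]
    if fn == 0x03:
        if len(body) != 4:
            raise FrameError("read request needs exactly 4 data bytes")
        start, count = struct.unpack(">HH", body)
        if not 1 <= count <= 125:
            raise FrameError("register count out of range")
        return Frame(tid, unit, fn, (start, count))
    if fn == 0x10:
        if len(body) < 5:
            raise FrameError("write request too short")
        start, count, nbytes = struct.unpack(">HHB", body[:5])
        if not 1 <= count <= 123 or nbytes != 2 * count or len(body) != 5 + nbytes:
            raise FrameError("write request sizes inconsistent")
        return Frame(tid, unit, fn, (start, count) + struct.unpack(f">{count}H", body[5:]))
    raise FrameError(f"unsupported function {fn:#x}")


def build(fn: int, body: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Well-formed frame, used as a fuzzing seed."""
    return struct.pack(">HHHBB", tid, 0, 2 + len(body), unit, fn) + body


SEEDS = [
    build(0x03, struct.pack(">HH", 0, 10)),
    build(0x10, struct.pack(">HHB", 0, 2, 4) + struct.pack(">HH", 0x1234, 0x5678)),
]


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: bit flip, truncation, appended junk, or an
    extreme value written over a 16-bit field."""
    b = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and b:
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and len(b) > 1:
        del b[rng.randrange(1, len(b)):]
    elif choice == 2:
        b += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    else:
        i = rng.randrange(max(1, len(b) - 1))
        b[i:i + 2] = struct.pack(">H", rng.choice((0, 1, 0x7FFF, 0xFFFF)))
    return bytes(b)


def fuzz(parser: Callable[[bytes], Frame], iterations: int = 3000, seed: int = 7) -> Dict[str, bytes]:
    """Map each unexpected exception type to the first input that caused it.
    FrameError is a controlled rejection and is not a finding."""
    rng = random.Random(seed)
    findings: Dict[str, bytes] = {}
    for _ in range(iterations):
        data = mutate(rng, rng.choice(SEEDS))
        try:
            parser(data)
        except FrameError:
            continue
        except Exception as exc:   # crash-equivalent for a device-side parser
            findings.setdefault(type(exc).__name__, data)
    return findings
```

Run against the naive parser the harness reports inputs that produce struct.error and IndexError within a few thousand iterations; against the checked parser it reports nothing, because every malformed frame is turned into a FrameError. On a real device the equivalent observation is a watchdog reset or a hung service after a malformed frame, the kind of finding the slide has in mind, which the assessment slides reserve for lab units rather than production controllers.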

© Eiom - All rights Reserved     P.IVA 00850640186