Vulnerability analysis of 2013 SCADA issues. Amol Sarwate Director of Vulnerability Labs, Qualys Inc.

Transcription

1 Vulnerability analysis of 2013 SCADA issues Amol Sarwate Director of Vulnerability Labs, Qualys Inc.

2 Agenda SCADA components 2013 Vulnerability Analysis Recommendations and Proposals

3 SCADA DCS ICS

4

5 Accidents liquid pipeline failures power failures other accidents

6 Vandalism vandals destroy insulators /2002/NewsRelease.cfm?ReleaseNo=297

7 Insider disgruntle employee /hacker_jailed_for_revenge_sewage/

8 APT terrorism or espionage media/security_response/whitepapers/w32_duqu_ the_precursor_to_the_next_stuxnet.pdf

9 Components Field Control Center

10 Acquisition Convert parameters like light, temperature, pressure or flow to analog signals

11 Conversion Converts analog and discrete measurements to digital information

12 Communication Front end processors (FEP) and protocols Wired or wireless communication Modbus DNP 3 OPC ICCP ControlNet BBC 7200 ANSI X3.28 DCP 1 Gedac 7020 DeviceNet DH+ ProfiBus Tejas TRE UCA

13 Presentation & Control Control, monitor and alarming using human machine interface (HMI)

14 SCADA Vulnerabilities (estimate)

15 2013 Vulnerabilities by category 66% 0% 11% 22% Acquisition Conversion Communication Presentation & Control

16 Acquisition Requires physical access Field equipment does not contain process information Information like valve 16 or breaker 9B Without process knowledge leads to nuisance disruption 0% 11% 22% 66%

17 Emerson ROC800 Vulnerabilities CVE : Network beacon broadcasts allows detection CVE : OSE Debug port service CVE : Hardcode accounts with passwords Access: AV:N, AC:L, Au:N Impact: C:C, I:C, A:C Patch available from Emerson 0% 11% 22% 66%

18 Siemens CP 1604 / 1616 Interface Card Vulnerability Siemens security advisory: SSA CVE : Open Debugging Port in CP 1604/1616 UDP port Access: AV:N, AC:L, Au:N Impact: C:C, I:C, A:C Patch available from Siemens 0% 11% 22% 66%

19 Communication 24% 16% 16% 12% 12% 12% 4% 4% General ModBus DNP C IGMP SNMP FTP/TFTP SSH/SSL 0% 11% 22% 66%

20 ModBus Vulnerabilities CVE : Triangle Research Nano-10 PLC Crafted Packet Handling Remote DoS CVE : Galil RIO PLC Crafted Modbus Packet Handling Remote DoS RBS : Schneider Electric Multiple Modbus MBAP DoS and RCE Nano-10 PLC RIO PLC 0% 11% 22% 66%

21 DNP Vulnerabilities CVE : MatrikonOPC Server DNP3 Packet Handling buffer overflow CVE : Schweitzer Real-Time Automation Controllers (RTAC) Local DoS CVE : SUBNET SubSTATION Server DNP3 Outstation Slave Remote DoS CVE : IOServer DNP3 Packet Handling Infinite Loop Schweitzer RTAC Matrikon OPC Server IOServer 0% 11% 22% 66%

22 Security Analysis of SCADA protocols Modbus and DNP free tool: 0% 11% 22% 66%

23 SSH, FTP, TFTP, IGMP, SNMP CVE : Monroe Electronics Default root SSH Key Remote Access CVE : TURCK BL20 / BL67 FTP Service Hardcoded Admin Credentials CVE : OSIsoft PI Interface for IEEE C Memory Corruption CVE : Emerson RTU TFTP Server File Upload Arbitrary Code Execution CVE : Siemens Scalance X200 IRT SNMP Command Execution Korenix Multiple JetNet Switches TFTP Server Arbitrary File Creation RuggedCom ROX-II IGMP Packet Saturation RSTP BPDU Prioritization Weakness Korenix Multiple JetNet Switches SSL / SSH Hardcoded Private Keys 0% 11% 22% 66%

24 Presentation & Control 26% 31% 13% 9% 5% 3% 5% 4% 5% Generic XSS SQL Injection Database Generic Web Directory & File Disclosure CSRF ActiveX Crypto 0% 11% 22% 66%

25 Presentation & Control CVE : Advantech WebAccess /broadweb/include/gaddnew.asp XSS CVE : Invensys Wonderware Information Server (WIS) SQL Injection CVE : Siemens COMOS Client Library Local Database Object Manipulation CVE : Cogent DataHub Crafted HTTP Request Header Parameter Stack Overflow CVE : General Electric (GE) Intelligent Proficy Java Remote Method Invocation CVE : SafeNet Sentinel Protection Server HTTP Request Directory Traversal and Arbitrary File Access CVE : Moxa OnCell Gateway Predictable SSH / SSL Connection Key Generation Weidmüller WaveLine Router Web Interface config.cgi Configuration Manipulation CSRF 0% 11% 22% 66%

26 Real world issues Control system network connected to corporate network or internet 0% 11% 22% 66%

27 Real world issues No authentication No per user authentication 0% 11% 22% 66%

28 Real world issues Delayed patching if any 0% 11% 22% 66%

29 Real world issues Default passwords Shared passwords No password change policy 0% 11% 22% 66%

30 Real world issues Systems not restarted in years 0% 11% 22% 66%

31 Real world issues Off-the-shelf software Operating system, Database, Browser, Web Server 0% 11% 22% 66%

32 Real world issues Un-necessary services 0% 11% 22% 66%

33 Real world issues Internal differences between IT and SCADA engineers 0% 11% 22% 66%

34 System Wide Challenges SCADA system long life cycle Long life cycle of a SCADA system

35 System Wide Challenges SCADA system long life cycle Cost and difficulty of an upgrade

36 Proposals SCADA network auditing

37 Proposals Is you SCADA system exposed on the internet?

38 Proposals Password policy, access control and access roles

39 Proposals Are all services necessary?

40 Proposals Use secure protocols

41 Proposals Strategy for Software Update and patching

42 Proposals SCADA test environment

43 Proposals Keep up-to-date with vulnerabilities

44 Proposals Apply experience from IT network management

45 ScadaScan Current version Scan network range Works with TCP/IP Identifies Modbus TCP slaves Identifies DNP 3 TCP slaves Beta version SCADA master vulnerability scanning SNMP support HTTP support 1.0 Release User configurable signature files Authenticated support for Windows and *nix Code cleanup

46 Thank You