A. Carcano, I. Nai Fovino, M. Masera, A. Trombetta European Commission Joint Research Centre Critis 2008, Rome, October 15, 2008

Transcription

1 Scada Malware, A Proof of Concept A. Carcano, I. Nai Fovino, M. Masera, A. Trombetta European Commission Joint Research Centre Critis 2008, Rome, October 15, 2008

2 Outline Motivations Testing Environment Experimental Program Results Conclusion

3 CI Dependence on IT Systems Today most of critical infrastructures depend highly on the underlying communication networks. -Remote Control -Remote maintenance -New features Communications Network Sensor -New Vulnerabilities -New Attack Scenarios -New Threats Remote Terminal Unit 1 Central Monitoring Unit Fiber, Radio, Modem, Microwave, Telephone, Wireless, Powerline Carrier Sensor Remote Terminal Unit 2 Sensor Adapted from: Joint Program Office for Special Technology Countermeasures Naval Surface Warfare Center, Dahlgren Division Programmable Logic Controller

4 Computer Attacks Most of attacks are Malware based Virus Worm Need of concrete studies on the effects of Malwares on Critical Infrastrucutres Field control Turbo Gas control comands alarms - blocks supervision monitoring diagnostics Control system Plant control comands control data supervision monitoring diagnostics control field bus actuators / transductors diagnostics Trojan Unknown Effects common services diagnostics vibrations Process network DMZ data server gateway firewall Known Effects Workstation Intranet router Office network Data Network External Network router gas Combustion chamber steam air Compressor Turbogas Turbine fumes G Steam generator water Turbine fumes G

5 Problems How to simulate malwares on Critical Infrastructures? How and where to study their effects?

6 Malware Simulation: MAlSim Toolkit MAlSim Toolkit: Various families of malware (worms, viruses, malicious mobile code etc.) Various species of malware of the same family (e.g. macro viruses, metamorphic and polymorphic viruses etc.) Well-known malware (e.g. Code Red, Nimda, SQL Slammer) Non-existent configurations

7 Power Plant Simulator Power System Analysis Attack Plant Measurements Source Environment Systems Field Inside Network Vulnerabilities Repository Process Network Outside Data Network InSAW Binaries Repository DMZ Network Experiments Archive Intranet Network

8 Ad-Hoc SCADA Malwares Considerations About SCADA Protocols It is possible to create a set of Malwares Which take advantage of such basic vulnerabilities Such protocols, are normally used by some dedicated servers in order to send commands to the field devices ModBUS ProfiBUS - Application DNP3 layer Others messaging protocol - Provides Client/Server communication service - TCP/IP Implementation - Widely Used Lack of: -Integrity controls -Authentication Mechanisms -Non Repudiation Mechanisms - Anti-replay Mechanisms

9 Attack Scenarios (1) ModBUS Malware DOS - Attack Scope - To desynchronize the communication between Master and Slave - To completely avoid the communication stream between Master and Slaves - Code Implementation - A Packet builder, which forges in the proper manner ModBUS over TCP packets. - A Discovery engine, which explores the network in order to identify the IP addresses of the Modbus slaves. - A Packet deliverer, which sends in an optimized way the previously forged packets to the target slaves, in order to saturate the bandwidth as soon as possible.

10 - Infection Trigger: ModBus DOS Worm Attack Scenarios (1) Modbus Packet Generator Slammer Infection Engine -Slammer -Nimda -Poskiwing (6 october) - Slammer Malsim Framework Discovery Engine FW-VPN Master/Secondary

11 Test Results 1. Anti-viruses do not recognize the ad-hoc crafted malware 2. Firewalls do not stop the traffic generated by the malware since it has the shape of legal ModBUS traffic

12 Attack Scenarios (2) ModBUS COM Worm - Attack Scope The scope of the Com Worm attack is to take the control of the slaves of the process control architecture by taking advantage of the lack of authentication and integrity countermeasures of the ModBUS protocol. - Code Implementation - A Packet builder - A Discovery engine - A Strategy & analysis module, which, on the basis of the information gathered by the discovery engine and some built-in heuristics identifies the strategy to adopt in order to send packets which could create damages to the system. - A Packet deliverer, which send the forged packets to the target slaves

13 Experimental tests Worm prototypes: - Step 1 Malware: it replicates the MODBUS function 15 (0x0F), used to force each coil in a sequence of coils to either be ON or OFF in a remote device(valve). - Step 2 Malware: Through the function 16 it is able to write a block of contiguous Input registers (1 to 123) in a remote device. - Step 3 Malware: by combining the two ModBUS functions (0x01) (read output values) and (0x0F) used to force a sequence of coils, it revert completely the configuration of the target system (e.g. if a valve is opened it will be closed and viceversa.

14 Experimental Considerations Antiviruses do not identify the new worms Firewall completely ignores the attacks since the traffic appears completely legal The slaves execute in all the cases all the worm command, without identifying any anomaly.

15 Conclusion Industrial SCADA protocols are far to be considered secure In this paper we proved that the scenario in which a worm could take the control of a portion of an industrial plant is nowadays a reality. Traditional Antiviruses and FW are inadequate for several reasons: SCADA systems are very specialized systems, using dedicated protocols (sometimes proprietary). Anomaly detection techniques cannot be easily deployed into industrial systems. Patches could interfere with some particular ad-hoc sw. Future works: - SCADA Intrusion Detection System - Secure SCADA protocols

16

17 Considerations (1) Considerations about Process Sub-Systems Low ICT Security Perception Rare Patching Policies Old Operating Systems: Win NT 3.0 /4.0 Win 2000 BSD SCO Process Sub-Systems are typically prone to traditional malwares

18 Consequences of pervasive ICT - Software Vulnerabilities - Architectural Vulnerabilities -ICT Security Policy Vulnerabilities Consequences - New Attack Scenarios - New Risks - Old Safety studies no more actual - Need for new Models - Need for new Risk assessment methods - Need for new experimental - studies

19 Attack Scenarios (1) - Infection Triggers: Social Engineering Forge Malware Camouflage Phishing Fake Site Creation DNS Poisoning -Slammer -Nimda -Poskiwing (6 october) - Modbus Packet Generator Slammer Infection Engine Slammer Malsim Framework FW-VPN Master/Secondary Discovery Engine Operator PC Infection ModBus DOS Worm DNS