SANS ICS Europe 2018 Munich, Germany

Transcription

1 SANS ICS Europe 2018 Munich, Germany A Real Cyber Physical Experience: Red Teaming on a Power Plant Can Demirel, CSSA, GICSP ICS Cyber Security Services Team Lead biznet.com.tr info@biznet.com.tr 1

2 About us Since 2000 Cyber Security focus only TR, NL 75+ employees in total 20 penetration testers 9+ years penetration testing experience ICS Security focus since 2015 Oil & Gas Power Distribution Power Generation Mining Pipeline biznet.com.tr 2

3 By 2021, Disruptive attacks on unsecured OT networks will have led to environmental damage or/and harm to people. * By 2021, Gartner expects that the needs of security and risk management leaders for industrial process control penetration testing will double, from 10% to 20%. ** * Published: 25 April 2018 ID: G **Published: 30 December 2016 ID: G biznet.com.tr info@biznet.com.tr 3

4 Back to basics! Vulnerability Assessment Penetration Testing Industrial Penetration Testing Industrial Red Teaming Should be able to demonstrate intrusion to ICS and manipulate the process. biznet.com.tr 4

5 Kill Chain Phase 1: IT Pentester Phase 2: OT Pentester Kill Chain Intrusion to Corporate Network Intrusion to ICS Network Penetration to Supervisory Level Penetration to Controller Level Intrusion to Safety Systems Next Steps biznet.com.tr 5

6 Phase 1 Corporate WLAN Camera Server File Server ICS Firewall End User Server Jump Box OT Firewall Stolen Laptop Terminal WLAN Hand Terminal Web Server Mobile Server biznet.com.tr info@biznet.com.tr 6

7 Wrap-up of Phase 1 Intrusion to Corporate Network Prepare for Breadth-First Breadth-First Intrusion to ICS Physical Security hand terminal WLAN is identified Access granted for WEP WLAN OWA is identified addresses are harvested Access granted for a domain user account Sensitive configuration file is identified Local admin password hashes and terminal IP addresses are identified Access granted to ICS using password hashes and IP addresses IT Pentester biznet.com.tr info@biznet.com.tr 7

8 State of ICS Vulnerabilities 63% 71% 61% Loss of Control Loss of View Both Loss of Control and Loss of View Source: biznet.com.tr 8

9 Facts for Phase 2 IT Pentesters; Do not have proper road map for process manipulation Do not have process knowledge at all Miss the most critical assets Do not understand if they are able to manipulate process In our cyber-physical LAB, more than %75 of IT Pentesters crashed the controllers. biznet.com.tr info@biznet.com.tr 9

10 Phase 2 ICS OT Firewall OPC SIS/ESD OT Pentester HMI Supervisory Level PLC Controller Level Process IT Pentester Server &Workstation biznet.com.tr info@biznet.com.tr 10

11 Wrap-up of Phase 2 Intrusion to Supervisory Level Intrusion to Controller Level Intrusion to Safety Level OPC, HMI, Workstation, Engineering PC, Industrial SW etc. Using Supervisory components Well-known services on controllers Vendor specific service and protocols Using Supervisory components Well-known services on controllers Vendor specific service and protocols IT Pentester OT Pentester biznet.com.tr info@biznet.com.tr 11

12 Case 1: Industrial Switch Fact: Some plants are signal sensitive. In case of pocket loss, it is possible trip turbines. POST /goform/portsetting HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Referer: Accept-Language: en-us,en;q=0.7,tr;q=0.3 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; LCJB; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Content-Length: 45 DNT: 1 Host: <vulnerablehost> Pragma: no-cache Cookie: AccountName508=****; Password508=****; lasttime= Connection: close PortSettingSubmit.x=51&PortSettingSubmit.y=15 ICS Cert: ICSA biznet.com.tr info@biznet.com.tr 12

13 Case 2: Controllers Reported on: Status: We are still waiting for a proper patch from vendor. xx affected by directory traversal vulnerability which allows an attacker to read sensitive files such as etc/passwd and etc/shadow on their OS. A successful attacker may be able to gain full control of the Controller with root privileges which may cause all power tribune to shutdown. /%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow biznet.com.tr info@biznet.com.tr 13

14 Take Aways Intrusion to ICS networks just a matter of time Industrial process knowledge is a must! Industrial Red Teaming requires ICS infrastructure knowledge Industrial Red Teaming is not just a device testing/vulnerability assessment ICS Security is not only a technical issue (Worldwide common password usage) The biggest problem: Mitigation biznet.com.tr info@biznet.com.tr 15

15 Questions?