Security Analysis of the ADS Protocol of a Beckhoff CX2020 PLC. Peter SCHWANKE, Hans HÖFKEN and Marko SCHUBA *

Similar documents
Case Studies, Lessons Learned. Ing. Tijl Deneut Lecturer Applied Computer Sciences Howest Researcher XiaK, Ghent University

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

When the Lights go out. Hacking Cisco EnergyWise. Version: 1.0. Date: 7/1/14. Classification: Ayhan Koca, Matthias Luft

Chapter 5: Vulnerability Analysis

Foreword by Katie Moussouris... Acknowledgments... xvii. Introduction...xix. Chapter 1: The Basics of Networking... 1

CUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE

Studying the Security in VoIP Networks

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Syllabus: The syllabus is broadly structured as follows:

Bank Infrastructure - Video - 1

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

TeamViewer Security Statement

Ethical Hacking and Prevention

Intrusion Detection Systems (IDS)

Instituto Superior Técnico, Universidade de Lisboa Network and Computer Security. Lab guide: Traffic analysis and TCP/IP Vulnerabilities

Frequently Asked Questions WPA2 Vulnerability (KRACK)

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

COMPUTER NETWORK SECURITY

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Network Security and Cryptography. December Sample Exam Marking Scheme

Security context. Technology. Solution highlights

Curso: Ethical Hacking and Countermeasures

CIT 380: Securing Computer Systems. Network Security Concepts

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Project 3: Network Security

Principles of ICT Systems and Data Security

C and C++ Secure Coding 4-day course. Syllabus

Wireless Attacks and Countermeasures

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Strategic Infrastructure Security

CS 356 Operating System Security. Fall 2013

Security and Authentication

A Study of Two Different Attacks to IPv6 Network

Network Security and Cryptography. 2 September Marking Scheme

Intrusion Detection Systems (IDS)

Understanding Cisco Cybersecurity Fundamentals

Monitoring and diagnostics of data infrastructure problems in power engineering. Jaroslav Stusak, Sales Director CEE, Flowmon Networks

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Security: The Key to Affordable Unmanned Aircraft Systems

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

CCNA Cybersecurity Operations 1.1 Scope and Sequence

Penetration Testing with Kali Linux

Cyber security tips and self-assessment for business

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

CCNA Cybersecurity Operations. Program Overview

The following virtual machines are required for completion of this lab: Exercise I: Mapping a Network Topology Using

Implementing Cisco Network Security (IINS) 3.0

Green Lights Forever: Analyzing the Security of Traffic Infrastructure

Blue Team Handbook: Incident Response Edition

Microsoft Exam Security fundamentals Version: 9.0 [ Total Questions: 123 ]

Chapter 11: Networks

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE

Security report Usuario de Test

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

WHITEPAPER. Vulnerability Analysis of Certificate Validation Systems

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Chapter 11: It s a Network. Introduction to Networking

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Training for the cyber professionals of tomorrow

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

CISSP - Certified Information Systems Security Professional

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

Certified Secure Web Application Engineer

A (sample) computerized system for publishing the daily currency exchange rates

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

CSE 565 Computer Security Fall 2018

Vulnerability Assessment in Smart Grids. Jinyuan Stella Sun UTK Fall 2016

App-ID. PALO ALTO NETWORKS: App-ID Technology Brief

CIS 5373 Systems Security

Chapter 2. Switch Concepts and Configuration. Part II

Remote Desktop Security for the SMB

Trusted Platform Module explained

CPTE: Certified Penetration Testing Engineer

CAMSCANNER TURN YOUR PHONE AND TABLET INTO SCANNER FOR

EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1

Cybersecurity with Automated Certificate and Password Management for Surveillance

Endpoint Security - what-if analysis 1

Section 4 Cracking Encryption and Authentication

Question: 1 DES - Data Encryption standard has a 128 bit key and is very difficult to break.

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

What action do you want to perform by issuing the above command?

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Advanced Network Troubleshooting Using Wireshark (Hands-on)

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

.NET Secure Coding for Client-Server Applications 4-Day hands on Course. Course Syllabus

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it.

The StrideLinx Remote Access Solution comprises the StrideLinx router, web-based platform, and VPN client.

Network Security Platform 8.1

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Transcription:

2017 2nd International Conference on Computer, Network Security and Communication Engineering (CNSCE 2017) ISBN: 978-1-60595-439-4 Security Analysis of the ADS Protocol of a Beckhoff CX2020 PLC Peter SCHWANKE, Hans HÖFKEN and Marko SCHUBA * FH Aachen, University of Applied Sciences, Eupenerstr. 70, Aachen, Germany *Corresponding author Keywords: ICS, SCADA, Security, Pentest, Beckhoff, CX2020, PLC. Abstract. ICSs (Industrial Control Systems) and its subset SCADA systems (Supervisory Control and Data Acquisition) are getting exposed to a constant stream of new threats. The increasing importance of IT security in ICS requires viable methods to assess the security of ICS, its individual components, and its protocols. This paper presents a security analysis with focus on the communication protocols of a single PLC (Programmable Logic Controller). The PLC, a Beckhoff CX2020, is examined and new vulnerabilities of the system are revealed. Based on these findings recommendations are made to improve security of the Beckhoff system and its protocols. Introduction In times of expanded networking of industrial plants with state-of-the-art information and communication technology, industrial control systems are getting exposed to a constant stream of new threats. Despite the benefits of connected devices in the industry, e.g., in the context of the so-called industry 4.0 trend, connectivity also results in significant security risks, particularly as formerly isolated devices might contain vulnerabilities unknown to system manufacturers, integrators and users. Therefore, independent security analyses and penetration tests by security experts become an even more essential control in the management of information security in ICS environments. This paper applies a security analysis on PLC level, in particular to the system and protocols of a Beckhoff CX2020 PLC being produced since 2014 and running Microsoft Windows 7 Embedded operating systems [1]. Beckhoff Automation Beckhoff Automation GmbH is a German family-owned company, producing automation systems, industrial embedded PCs and software [2]. The product range of Beckhoff Automation is divided into four segments: IPC (Industrial PCs), I/O (Input/Output), Motion, and Automation. Figure 1. CX2020 PLC [1]. The Beckhoff CX2020 (cf. Figure 1) is a modern IPC being produced since 2014 and running Microsoft Windows 7 Embedded operating systems [1]. Equipped with powerful hardware, the CX2020 is capable of supervising and controlling multiple sections of a production process at the same time. Beckhoff s TwinCAT software uses the TCP-based protocol ADS for communication between different parts of a SCADA environment, such as engineering workstation and PLC [16]. An analysis of a similar PLC, a Beckhoff CX5020, by Bonney et al. revealed a number of vulnerabilities 71

in a previous version of TwinCAT and ADS [19], particularly, as the authentication mechanisms lack cryptographic protection of user credentials, thus allowing simple password sniffing and replay attacks for local attackers or brute force cracking attacks by remote users (without sniffing). Protocol Security Analysis Setup The main target of the analysis is to identify vulnerabilities of the Beckhoff CX2020 and its protocols. To simplify the analysis setup while at the same time keeping it as realistic as possible, the system under test is completely virtualized. There are major advantages of analyses in a virtual setup. Virtual machines are reproducible and nearly hardware-independent. Certain states can be restored and virtual machines can be observed more easily. Virtualization environment All virtual machines are created for VirtualBox, which is a free and open-source virtualization software developed by Oracle [3]. Several virtual machines can be virtually networked inside VirtualBox. CX2020 VM For integration of the CX2020 PLC in a completely virtualized test setup, the examined physical PLC is fully reproduced in a virtual machine. This is possible because of the x86-architecture and the Microsoft Windows Embedded Standard 7 operating system of the PLC. Virtualization is performed in two steps. (1) Creating a Hard Disk Image: For a complete virtualization of an existing CX2020 PLC, a 1:1 hard disk image is created that can be imported to a virtual machine. The image is generated using a bootable version of Acronis True Image 2016 [4]. (2) Virtualization in VirtualBox: The created hard disk image is imported to a Microsoft Windows 7 32-Bit based virtual machine for VirtualBox. All virtual hardware resources are set to match the hardware of the original machine as close as possible, to get the most realistic performance: 2048 MB RAM, no audio support and two network adapters. Engineering Workstation VM In addition to the CX2020 VM, an Engineering Workstation VM is created. Beckhoff TwinCAT extended Automation Engineering (XAE) is installed with a Microsoft Windows 7 32-Bit operating system. Engineering Workstations are used to observe, program and control various processes in SCADA systems by communicating with other SCADA related devices. Attacker VMs Another Microsoft Windows 7 32-Bit based VM is created to play the role of an attacker. Besides TwinCAT XAE, several security related testing and analyzing applications are installed for use, including Cain & Abel (a well-known ARP-Spoofing tool [5]), Canape (a network testing tool for arbitrary protocols [6]), OllyDbg (an assembly level debugger [7]), Signsrch (a tool for searching signatures inside files and executables [8]), and Wireshark (a network protocol analyzer [9]). In addition to the Windows attacker VM, a Kali 2.0 VM [10] is installed to run automated port and vulnerability scans with the tools Nmap [11], Nessus [12] and OpenVAS [13]. Networking All virtual machines are interconnected in a simple switched network to observe and attack SCADA related activities in particular. The virtualized analysis setup consists of two legitimate machines, the system under test (Beckhoff PLC) and the Engineering Workstation (running TwinCAT XAE), and the attacking machine, which are interconnected using a switch, i.e. all nodes are in the same IP subnet. Analysis Results The following chapter describes the analysis steps and the vulnerabilities that have been identified during the analysis. Nmap Port Scan The first step of the analysis is a scan of the PLC for open ports that might be exploitable. An Nmap port scan of the CX2020 PLC results in six open TCP or UDP Ports. (1) TCP Port 80: This is the port of a web server. By default a Microsoft Internet Information Services 7 (IIS 7) web server is running on the system. The web server is reachable and the index page presents an IIS 7 default splash screen. A configuration interface can be accessed via <ip>/config to obtain hardware 72

information and to modify system settings of the device. Authentication is required to gain access to the configuration interface. (2) TCP Port 515: This is a port opened for the print server NiPrint LPD-LPR. The print server is installed and running on the PLC by default. The Line Printer Daemon (LPD) is listening for incoming print jobs from remote systems, transported via TCP. (3) TCP Port 3389: The Remote Desktop Protocol (RDP) is running on Port 3389 by default. It provides a graphical interface to view and control other computers over the network [14]. (4) TCP Port 4852: This port is used for the protocol OPC Unified Architecture (UA). OPC UA is an industrial machine-to-machine protocol, developed by the OPC Foundation [15]. (5) TCP Port 48898: This port is used for the protocol Automation Device Specification (ADS). ADS is a proprietary protocol and part of Beckhoff s TwinCAT system. It was developed by Beckhoff to provide device- and fieldbus-independent communication between various software modules [16]. It is used to remotely acquire data from various systems and to control their tasks. (6) UDP Port 137: This port is used for the NetBios name service which distributes the NetBIOS name of the respective machine via TCP upon request [17]. NetBIOS is used for File and Print Sharing under all current versions of Microsoft Windows. Vulnerability Scanning In a second step, ports are scanned using standard vulnerability scanners. An information disclosure vulnerability, relating the integrated Microsoft IIS7 Web server, can be identified by Nessus and OpenVAS. Service and version of the Web server can be identified by http header information and the default Microsoft IIS7 welcome page. OpenVAS indicates a second vulnerability, documented as CVE-2003-1141. This vulnerability occurs in older versions of the installed NiPrint LPD-LFR print server and was published in 2003. A Buffer overflow in NiPrint allows remote attackers to execute arbitrary code via a long string to TCP port 515 [18]. This detected vulnerability is a false positive finding of OpenVAS, proven by the fact, that this vulnerability is not exploitable on the PLC. In older firmware versions of the PLC, a well known vulnerability exists, documented as CVE-2015-1635. Also described as MS15-034 vulnerablity, a Denial of Service attack is possible. This vulnerability is fixed in firmware version CX1800-0411-0009v389. ADS Protocol Encryption Shortcomings TwinCAT 3.0 introduces encryption for user credentials, which is enabled by default. The software adds symmetric encryption methods to prevent login credentials from being read by attackers via man in the middle attacks [20]. In order to evaluate the quality of the employed cryptographic mechanisms, the ADS protocol can be sniffed and further investigated using the tool Wireshark. In a first step the encrypted values of test usernames (or test passwords) are extracted from the Wireshark ADS trace. Several tests with unchanged login credentials lead to the same encrypted values, independent of other variables like IP address of the target or source computer. Received credentials are decrypted and verified by TwinCAT on the CX2020, which can be observed by debugging the virtual machine during runtime as seen in Figure 2. Figure 2. Debugging TwinCAT: storage and processing of unencrypted credentials. The encryption algorithm in use can be determined by specifically debugging communication related software components of TwinCAT. By manipulating existing values in the executed program, the encryption algorithm is proven to use Rijndael substitution boxes. A comparison with the AESalgorithm shows, that TwinCAT apparently uses AES-128 for encryption. The AES-128 key used by TwinCAT to encrypt all login credentials is fixed. Its value is known to the authors and Beckhoff but not publicly revealed as part of this paper. With knowledge of the implemented encryption method and the fixed key, all encrypted ADS packages can be decrypted immediately. 73

Based on this knowledge, an attacker could sniff an ADS login packet exchange and use the decrypted credentials to gain full access to the PLC, even remotely. ADS Protocol Further Problems Apart from the problems described above, the authentication weaknesses in TwinCAT described in [19] can be still exploited in the new TwinCAT version to gain access to any device communicating via ADS. Attackers can gain access to a CX2020 PLC using ADS without any knowledge of valid login credentials: In the first step a so-called ADS-AmsNetId needs to be obtained by sniffing ADS traffic or by simple guessing (brute force). The ADS-AmsNetIds can then be used to craft valid ADS messages, which masquerade an attacker as a legitimate (already authenticated) machine, as the receiving PLC will only compare the ADS-AmsNetId with the ones received previously. As a result the message will be accepted and full access to the PLC is possible. Recommendations Based on the existing vulnerabilities in the Beckhoff products the following recommendations are given to improve the products, in particular, TwinCAT and ADS. Protect against brute force password attacks (1) The PLC should be locked after a limited number of unsuccessful login attempts. Alternatively, the time period between attempts should be increased after unsuccessful attempts. (2) In general there should be a limit w.r.t. the number of attempts per minute (e.g.. one attempt per five seconds, which is sufficient for human users). Improve authentication weaknesses (1) After initial authentication protect subsequent messages as well, e.g., using classical Message Authentication Codes (and not easy to attack mechanisms like ADSAmsNetId). (2) If not employed yet: Protect the passwords on the machines by storing them as salted hash values per user. (3) Do not use a fixed key for encryption but a key that can be changed by users. Consider different key management solutions ranging from deploying user-defined symmetric keys to a public key infrastructure (PKI). Protect against replay attacks (1) Employ typical countermeasures that ensure that old messages cannot be reused. This can be achieved using challenge response mechanisms, nonces (numbers used only once), time stamps etc. Usually, replay countermeasures are implemented as part of MACs. Conclusions In today s ICS and SCADA systems, IT security needs to be considered during the complete product life cycle, i.e., during planning, design, deployment and operation, as potential security threats are growing along with the global interconnection of SCADA systems. Attackers can cause great damage to entire production lines by exploiting known or unknown vulnerabilities in a single system. The security analysis performed as part of this paper reveals that modern PLCs, like the CX2020, are vulnerable to attacks due to inadequate protocol security implemented by the manufacturers. Unsecure protocols and default configurations should not be used in modern SCADA systems. System security could already be improved significantly, if manufacturers would employ standard security techniques in their systems and protocols. The paper also illustrates the importance of testing the security of ICS, as many of those systems are used to control critical processes. Failure of such processes due to lack of basic security mechanisms in ICS cannot be tolerated. As security analyses or pentests often cannot be performed in an operational environment, the analysis of virtualized SCADA systems can be seen as efficient and safe alternative, particularly, when it comes to the discovery of HW independent vulnerabilities. References [1] Beckhoff Automation, CX2020, https://www.beckhoff.de/default.asp?embedded_pc/ cx2020.htm, 74

[2] Beckhoff Automation, New Automation Technology, http://beckhoff.de/default.asp?beckhoff/ default.htm, [3] Oracle VM, VirtualBox, https://www.virtualbox.org, [4] Acronis, True Image User Guide, http://dl2.acronis.com/u/pdf/ati2016_userguide_en-us.pdf, [5] oxid.it, Cain & Abel, http://www.oxid.it/cain.html, [6] Context Information Security, Canape, https://www.contextis.com/services/research/canape/, [7] Oleh Yuschuk, OllyDbg, http://www.ollydbg.de/, [8] Luigi Auriemma, Multiplatform Tools, http://aluigi.altervista.org/mytoolz.htm, accessed Nov. 8, 2016. [9] Wireshark, About Wireshark, https://www.wireshark.org/, [10] Offensive Security, Kali Linux, https://www.kali.org/, [11] Nmap, Nmap, https://nmap.org/, [12] Tenable network security, Nessus, https://www.tenable.com/products/nessus-vulnerabilityscanner, [13] OpenVAS, OpenVAS, http://www.openvas.org/, [14] Microsoft, Understanding the Remote Desktop Protocol, https://support.microsoft.com/en-us/ kb/186607, [15] OPC, Unified Architecture, https://opcfoundation.org/about/opc-technologies/opc-ua/, accessed Nov. 8, 2016. [16] Beckhoff Automation, TwinCAT ADS, https://infosys.beckhoff.com/english.php?content=../ content/1033/tcadscommon/html/tcadscommon_intro.htm, [17] Network Working Group, Protocol Standard for a NetBios Service, https://tools.ietf.org/html/ rfc1001, [18] Common Vulnerabilities and Exposures, CVE-2003-1141, http://cve.mitre.org/cgi-bin/ cvename.cgi?name=cve-2003-1141, [19] Bonney G., Hofken H., Paffen B., Schuba M. ICS/SCADA Security - Analysis of a Beckhoff CX5020 PLC, ICISSP 2015, 2015. [20] Beckhoff Automation, New Features TwinCAT 3, https://www.beckhoff.de/default.asp?twincat/ new features twincat 3 1.htm?id=1905053020927774, 75

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback