
Hacking SCADA: 2011 A Year in Review

:: jonathan pollet red tiger security

1
Jonathan Pollet, CISSP, PCIP, CAP
12 Years of Electrical Engineering, SCADA, Industrial Controls, and IT Experience
PLC Programming and SCADA System Design and Commissioning
Wireless RF and Telecommunications Design and Startup
Front-end Web Development for SCADA data
Backend Database design for SCADA data
Acting CIO for Major Oil Company for 2 years (Enterprise IT Management)

Last 8 Years Focused on SCADA and IT Security


Published White Papers on SCADA Security early in 2001
Focused research and standards development for SCADA Security since 2002
Conducted over 120 security assessments on Critical Infrastructure systems
Conducted over 75 International conferences and workshops on CIP
Developed safe security assessment methodology for live SCADA Systems
Co-developed the SCADA Security Advanced 5-day training course

2
red tiger security
Consulting
Cyber Vulnerability Assessments for NERC CIP-005/007
SCADA / Wireless Telemetry Penetration Testing
Network Architecture Analysis / Design
Cyber Security Compliance Assistance
Development of SCADA Test Beds (Malaysia, Qatar, UAE, University of Tulsa, University of Houston, and several private industry clients)

Training
5-Day SCADA Security Advanced Course (SANS)
2-Day SCADA Security Course (BlackHat)

Research
Applicability and Usability of Cyber Security Solutions for SCADA / ICS
Product Evaluations
Various DHS Research Initiatives for ICS
Standards Development

3
outline
the world has changed: it's digital and connected
threats have changed: they are digital and connected
electric SCADA systems have changed: they are digital and connected
the number of SCADA vulnerability disclosures and exploits has exploded in the past year (2010-2011)
100 SCADA bugs in 100 days
ICS-CERT facts and statistics
0-day market
how can bad stuff get in? VIDEOS
direct compromise of vulnerable services
pivot on the historian in the DMZ
what can be done to SCADA / ICS devices once you are in? VIDEOS

4
major world ISP and telecom trunks

5
malware can spread at the rate of 125 machines per second

within ten minutes of the start of the SQL Slammer worm, 75,000 machines were already infected. This included many critical infrastructure systems

6
new hacking techniques leverage social networking platforms to establish trusted connections

Targets Developed Using:
Open Source Intelligence Gathering
Social Engineering
Targeted Spear Phishing

Malicious Payloads delivered through:
Attachments
IM links
Compromised websites
USB devices
Smart Phones

7
anyone know this girl?

Within 2 months, Robin Sage had amassed a large social network of high-ranking military and government officials.

8
malicious attachments

PDF

MS Products
Word, Excel, etc

The usual suffixes:
mp3, exe, lnk, dll, mov, com, mp4, bat, cmd, reg, rar, emf, shs,
js, vb, yourcompany.com.zip, cab, mda, zip, mdb, scr, aiff, mde,
cpl, msi, vbs, aif, m4p, msp, fdf, mdt, sys, wmf, hlp, hta, pif, jse,
qef, scf, chm, <#>.txt, wsf, fli, vbe

9
adobe is still leading the pack :)

[Chart: Targeted Attacks by file type] Adobe Acrobat 48.87%, MS Word 39.22%, MS Excel 7.39%, MS PowerPoint 4.52%

http://www.f-secure.com/weblog/archives/00001676.html

10
malware most utilized attack vector

[Chart: incidents by attack vector] Malware 66.8%; the remaining categories (Phishing, Physical Loss, Denial of Service, Unauthorized Access Attempt, Inappropriate Use, Other) account for 11.8%, 8.6%, 7.7%, 3.1%, 1.8% and 0.2%

11
usb toolkits provide fast physical access
autorun not required

U3 not required

registers as a HID device

requires 30 seconds with a host

can be left behind or retrieved

victim host beacons to a C&C server and can be remotely controlled

accounts, passwords, and any data the host is connected to can be retrieved through Internet connection or stored for later retrieval

12
anyone want a free mouse?

13
android = rootkit in your pocket that knows your location, and has access to your email, data, bank accounts, and the Internet

14
we now have to worry about our phones
Google pulled more than 50 apps in March from the Android Marketplace after a security researcher found a Trojan that used applications to spread. The Trojan, called DroidDream, infected more than a quarter million Android phones. One sign of a DroidDream infection was resource consumption due to the way the malware exploits the phone.

SOURCE: DroidDream used a fake bowling game to infect devices. Image courtesy of Lookout Mobile Security

15
electrical SCADA systems have changed too

16
all we had to worry about before was physical access

17
now SCADA systems are digital and connected

18
modern SCADA systems are running on the same OS as corporate desktops

19
they send data in the clear, without any requirement for encryption or authentication

20
the SCADA control rooms are morphing into IT data rooms

21
the trend for new control room installations is to keep the servers in data rooms and only leave the screens, keyboards, and mice in the control room

22
from a cyber perspective, SCADA systems look similar to business systems

Cisco ASA firewalls or equivalent

Cisco 3750 / 6509 switch fabric

Servers and workstations running on Windows platforms (WinXP/2003/Vista/7/2008)

Active Directory

File/Print servers

However, they often lack the protection that typical corporate IT systems have

23
SCADA and ICS Systems are Low Hanging Fruit for Security Researchers. Why?

SCADA and ICS hardware/software do not go through the same rigorous security lifecycle process as Information Technology systems

On average, Microsoft will put their software through 100,000 various fuzzing loops and debugging processes to test for crashes and bugs, and yet we still see plenty of vulnerabilities being discovered and reported for Microsoft software

Control System vendors, if they actually test their systems for bugs at all, will typically only run their applications through basic regression tests, and this process is maybe 5% of what Microsoft does to test their code.

The SCADA / ICS world lags the IT world typically by 5 to 10 years, so we are only recently seeing the larger Control System vendors building plans to test their products for security flaws.

All of those thousands of legacy products out there were NEVER tested for simple cyber security flaws like buffer overflows.

24
100 SCADA bugs in 100 days - McCorkle & Rios
Terry McCorkle (Boeing Red Team by day, security researcher by night)

Billy Rios (Google Security Lead by day, security researcher by night)

Teamed up as friends and ran the project independent from their employers' resources

All data and SCADA/ICS software used in their research was found FREE on the web (over 3600 SCADA and ICS executable files found using:
+HMI +Download + filetype :(exe,zip,msi)
+HMI +<Vendor Name> +Download

Used simple fuzzers:
Comraider (ActiveX)
FileFuzz (bitflipper)
Sulley and Peach (allow custom fuzzing)
Blasty.py (Service Fuzzer)

25
100 SCADA bugs in 100 days - McCorkle & Rios
Downloaded over 380 HMI and Control Workbench software packages, but only tested 76 of them

Found 665 bugs, all unique crashes

Found 75 exploitable bugs out of 665 bugs.

Reported all to ICS-CERT, who worked with the vendors for remediation next steps and sent out advisories to the community

Most bugs and crashes were code problems that were straight out of the 90s: simple buffer overflows

They would set up the automated fuzzing software at night, go to sleep, and find bugs and crashes in the morning, or set the fuzzers in the morning, come back home from work, and find more waiting for them at night.

26
interesting ICS-CERT facts
753% increase in vulnerability disclosures to ICS-CERT over the past year.

Most new vulnerability reports have been from researchers without an ICS background.

Researchers are developing an interest in SCADA systems, especially since they are connecting the dots and seeing the connections between the cyber and kinetic world.

SCADA and ICS systems are the low hanging fruit. It is simplistic for researchers to find and exploit flaws in the code.

Motivation?
Glory, Fame, $$ ??

27
the 0day market is booming
Nation States

Underground

Commercial market
ZDI (HP)
iDefense

Bug bounty programs
Luigi Auriemma sold GE vulns to ZDI after GE refused to pay for them
In March 2011, disclosed 34 SCADA specific vulnerabilities all at once, then in September released another bundle of vulnerabilities and exploit code for 6 more SCADA vendors

Brokers
Researchers and Buyers
ExploitHub

28
Exploit Frameworks that now contain SCADA-specific exploit modules
Metasploit 17 Exploit Modules

Core Impact 17 Exploit Modules

Canvas 53 Exploit Modules

Gleg Agora SCADA+ Exploit pack for Immunity CANVAS
they are aggressively acquiring SCADA vulns and creating exploits
2 ICS vendors have purchased the CANVAS modules
Canvas is $8,930
Gleg pack is $5,000 and the canvas package is 3,930.

29
Night Dragon APT attacks on US Energy and Chemical companies moved from the Internet, through Corporate IT systems, and into the SCADA systems

30
so how does bad stuff get in?
the perfect ESP :)

31
ideally, we would like to keep all of the Critical Cyber Assets (CCAs) on the inside working while blocking all of the bad stuff

32
we have to share information, so we create islands of operations and then DMZs between security zones

[Diagram: security zones] Internet | Corporate IT | SCADA DMZ | SCADA LAN | RTUs / PLCs / Meters

33
unfortunately, we come under pressure to open holes for communications between what used to be trusted security zones

[Diagram: security zones with openings] Internet | Corporate IT | SCADA DMZ | SCADA LAN | RTUs / PLCs / Meters

34
scenario 1 - direct compromise of vulnerable services
From open source intelligence gathering, Google searches, or social engineering, an attacker determines the asset is running an Emerson DeltaV DCS system

The attacker has no accounts on the system, no passwords, and is an unauthorized entity that has gained access to the network

What is possible?

35
36
scenario 2 - attacker pivots off of the historian, which is accessible from the corporate IT LAN

What is possible?

37
38
scenario 3 - now with routed access into the SCADA LAN, what can we do with the controllers?

enumeration of functions
denial of service
denial of access
denial of control
manipulation of view

39
function enumeration

40
denial of service

41
denial of access

Controller has a Login/Write Access password option
16 character limit

Vendor specific Modbus/TCP function code

Password stored in the Flash of the controller

This procedure cannot be undone if you forget the password. The PLC must be sent for repair

42
denial of access

Quick script to sweep the network, find controllers supporting this function code, and configure a password.

43
denial of access

Locked Out. We just turned the PCN into some blinking bricks.
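The lockout scenario above hinges on a vendor-specific Modbus/TCP function code reaching the controllers. As an added defensive example (not from the presentation), the inspector below flags exactly that kind of traffic in captured frames: function codes from the Modbus user-defined ranges, and write functions from hosts outside an assumed HMI allowlist. The IP addresses, the allowlist and all frames are constructed for illustration.

```python
"""Defensive monitor: flag vendor-specific Modbus/TCP function codes and writes
from non-allowlisted hosts. All sample traffic below is constructed."""
import struct

# Modbus reserves function codes 65-72 and 100-110 for user-defined
# (vendor-specific) functions; 128-255 are exception responses.
USER_DEFINED = set(range(65, 73)) | set(range(100, 111))
WRITE_CODES = {5, 6, 15, 16, 22, 23}        # coil/register write functions
ALLOWED_WRITERS = {"10.10.20.5"}            # assumed HMI allowlist (constructed)


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """MBAP header (tid, protocol 0, length, unit id) + PDU; used for samples only."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([fc]) + data


def parse_mbap(frame: bytes):
    """Return (tid, unit id, function code), or None if the frame is truncated,
    the protocol id is not Modbus (0), or the MBAP length field is inconsistent."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return tid, unit, frame[7]


def inspect(flows):
    """flows: iterable of (src_ip, dst_ip, frame) observed toward controllers.
    Returns alert tuples (src, dst, unit, function_code, reason)."""
    alerts = []
    for src, dst, frame in flows:
        parsed = parse_mbap(frame)
        if parsed is None:
            alerts.append((src, dst, -1, -1, "malformed MBAP header"))
            continue
        _, unit, fc = parsed
        if fc in USER_DEFINED:
            alerts.append((src, dst, unit, fc, "vendor-specific function code"))
        elif fc in WRITE_CODES and src not in ALLOWED_WRITERS:
            alerts.append((src, dst, unit, fc, "write from non-allowlisted host"))
    return alerts


# Constructed flows: HMI 10.10.20.5, unknown host 10.10.20.77, controller 10.10.30.11.
SAMPLE_FLOWS = [
    ("10.10.20.5", "10.10.30.11", build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),   # read, normal
    ("10.10.20.5", "10.10.30.11", build_frame(2, 1, 6, b"\x00\x10\x00\xff")),   # write, allowed
    ("10.10.20.77", "10.10.30.11", build_frame(3, 1, 100, b"A" * 16)),          # user-defined fc
    ("10.10.20.77", "10.10.30.11", build_frame(4, 1, 16, b"\x00\x00\x00\x01\x02\x00\x00")),
    ("10.10.20.77", "10.10.30.11", b"\x00\x05\x00\x00"),                         # truncated
]
```

Running `inspect(SAMPLE_FLOWS)` yields three alerts: the user-defined code 100 and the write with code 16 from the unknown host, plus the truncated frame; the HMI's own read and write pass silently.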

44
denial of control

Several vectors
At the Operator stations
On the wire (Ethernet)
At the source (Controller/IED)

45
46
manipulation of view

47
48
49
50
the sky is not falling (yet)

Security can seem overwhelming

Break it down into functional layers

Most security frameworks (i.e. NERC CIP, ISA S99, ISO 27001, DHS CFATS, etc) seem to break the required controls into:
Technical Controls
Procedural Controls

51
52
technologies that are holding back the tide
1. Physical Security & Remote Access
- Full Session Logging Solutions for VPN connections

2. Network Perimeter
- UTM devices (Fortinet, Juniper, Cisco ASA)
- Application Aware Firewalls (Palo Alto Networks, Barracuda appliances, etc.)
- Industrial Firewalls (Emerson, Honeywell, Tofino, mGuard, Endian)
- Network Monitoring Tools (SolarWinds, LogicMonitor, Nagios, etc.)
- Vulnerability Scanning Appliances (Nessus, Rapid7 Nexpose, Nmap, etc.)
- IDS/IPS solutions (Snort, Sourcefire, etc.)
- Centralized SEM solutions (NitroSecurity, Industrial Defender, LogLogic, etc.)

3. SCADA DMZ
- OPC tunnelers (Matrikon, Kepware)
- PI-to-PI Trusts (OSIsoft)

53
technologies that are holding back the tide
4. Control Room Servers and Workstations
- Application Whitelisting (CoreTrace, Bit9, McAfee AV)
- USB-port locking (BitLocker, USB Lock, etc.)

5. / 6. SCADA Protocols and Embedded Controllers
- Protocol-aware firewalls (Tofino)
- Device-level firewalls (Tofino, mGuard, Honeywell, Emerson)
- Data Diodes and Unidirectional gateways (Waterfall)

54
lastly, step your game up :)

The best defense spends most of their time understanding the offense

Get training

Get plugged into RSS feeds and threat watch lists

Practice offensive techniques

Stand up an internal lab

Try things

Weave Penetration Testing into your overall strategy

55
contact info / q & a

Jonathan Pollet, CAP, CISSP, PCIP
Founder, Principal Consultant
Red Tiger Security, USA
office: +1.877.387.7733
mobile: +1.281.748.6401
fax: +1.800.864.6249
jpollet@redtigersecurity.com
www.redtigersecurity.com

Credits
:: Ty Bodell for assistance with the demos
:: Thievery Corporation and Pendulum for the soundtracks

56
