Do You Lock Your House - icalepcs 2005


Control Systems under Attack !?
A Teststand On Control System Security at CERN
► Cyber Threats ─ Today’s Peril
► Vulnerabilities in Controls
► Findings of the TOCSSiC
► First Steps for Mitigation
Stefan Lüders (CERN IT/CO)
ICALEPCS 2005 ─ October 14th, 2005
Aware or Paranoid ?
► 2000: Ex-Employee hacks “wirelessly” 46 times into sewage plant and spills basement of Hyatt Regency hotel.
► 2003: The “Slammer” worm disables safety monitoring system of the Davis-Besse nuclear power plant for 5h.
► 2003/08/11: W32.Blaster.Worm
► 2004: IT intervention, hardware failure and use of ISO protocol stopped SM18 magnet test stand for 24h.
► 2005: DoS (70”) stopped manual control
Stefan Lüders: “Control Systems Under Attack !?” @ ICALEPCS 2005
Cyber Threats ─ Today’s Peril
[Figure: timeline from 1980 to 2010 with a vertical scale from Lower to Higher. Curve labels: Intruder Knowledge / Attack Sophistication; Common Standards / Interconnectivity.]
Attack techniques shown: Password Guessing, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sniffers, Packet Spoofing, War Dialing, Viruses, Automated Probes/Scans, Worms, Denial of Service, Zero Day Exploits, Root Kits, IRC Based BOT nets, Zombies, Attacking Controls.
Control Systems: Era of Legacy Technology (“Security through Obscurity”); Transition Phase (“Controls goes IT”); Era of Modern Information Technology (“From Top-Floor to Shop-Floor”).
Controls Goes IT
► Controls Networks mate Business Networks
  ► Proprietary field busses replaced by Ethernet & TCP/IP
  ► Field devices connect to Ethernet & TCP/IP
  ► Real time applications based on TCP/IP
  ► VPN connections from the outside onto the Controls Network
► Use of IT protocols & gadgets:
  ► SNMP, SMTP, FTP, Telnet, HTTP (WWW), …
  ► Wireless LAN, Notebooks, USB sticks, …
► Migration to the Microsoft Windows platform
  ► Windows not designed for Industrial / Control Systems
  ► OPC/DCOM runs on port 135 (heavily used for RPC)
Threats due to Technique
► Poorly secured systems are being targeted
  ► Worms are spreading within seconds
  ► Unpatched systems, O/S & applications
  ► Missing anti-virus software or old virus signature files
  ► No firewall protection
► Zero Day Exploits: security holes without patches
  ► Break-ins occur before patch and/or anti-virus available
…but how to patch/update Control PCs ?
…what about anti-virus software ?
Threats due to People
► Passwords are known to several (many?) people
  ► No traceability, ergo no responsibility
► People are increasingly the weakest link
  ► Use of weak passwords
  ► Infected notebooks are physically carried on site
  ► Users download malware and open “tricked” attachments
► Missing/default/weak passwords in applications
…but how to handle Operator accounts ?
…what about password rules ?
The TOCSSiC
► COTS Automation Systems are without security protections
  ► Programmable Logic Controllers (PLCs), field devices, power supplies, …
  ► Security not integrated into their designs
► Creation of the Teststand On Controls System Security at CERN
  ► Running “Nessus” vulnerability scan (used in Office IT)
  ► Running “Netwox” DoS attack with random fragments
  ► Running “Ethereal” network sniffer
[Figure: teststand layout. Labels: Target Device(s); Switch 1Gbps; Hub 100Mbps; Vulnerability Tester; Configurator; Traffic Analyzer.]
Controls under Attack !
► 20 devices from 6 different manufacturers (35 tests in total)
► All devices fully configured but running idle
[Figure: two pie charts of test results. One chart: Crashed 32%, Passed 68%. Other chart: Crashed 21%, Failed 18%, Passed 61%.]
…PLCs under load seem to fail even more frequently !!!
…results improve with more recent firmware versions
TOCSSiC Findings (1)
► Device crashed
  ► Sending specially crafted IP packets causes the TCP/IP fragmentation re-assembly code to …
    … improperly handle overlapping IP fragments (“Nestea” attack)
    … lose network connectivity (Linux “zero length fragment” bug)
  ► Sending continuous stream of extremely large and incorrect fragmented IP packets leads to consumption of all CPU resources (“jolt2” DoS attack)
  ► Sending special malformed packets (“oshare” attack)
…violation of TCP/IP standards !!!
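The checks a device's reassembly code needs for the three fragment cases above (overlapping, zero-length, oversized), as an added example that is not part of the original slides or any vendor's firmware. The names `frag_accept`, `reasm_complete` and the 16-fragment budget are assumptions, and the policy of refusing every overlapping fragment is one possible choice.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_DATAGRAM 65535u /* IPv4 total length is a 16-bit field */
#define MAX_FRAGS 16        /* assumed per-datagram budget for a small device */

enum frag_verdict { FRAG_OK, FRAG_ZERO_LEN, FRAG_TOO_BIG, FRAG_OVERLAP, FRAG_TOO_MANY };

struct span { uint32_t start, end; };  /* payload bytes [start, end) */
struct reasm { struct span got[MAX_FRAGS]; size_t n; };

/* Check one fragment against those already held; store it only if clean.
 * offset and len are in bytes, taken from the already-parsed IP header. */
enum frag_verdict frag_accept(struct reasm *r, uint32_t offset, uint32_t len)
{
    if (len == 0)
        return FRAG_ZERO_LEN;               /* "zero length fragment" case */
    if (offset > MAX_DATAGRAM || len > MAX_DATAGRAM - offset)
        return FRAG_TOO_BIG;                /* would reassemble past 65535 bytes */
    uint32_t end = offset + len;
    for (size_t i = 0; i < r->n; i++)
        if (offset < r->got[i].end && r->got[i].start < end)
            return FRAG_OVERLAP;            /* overlapping fragments: drop */
    if (r->n == MAX_FRAGS)
        return FRAG_TOO_MANY;               /* bound memory and CPU per datagram */
    r->got[r->n].start = offset;
    r->got[r->n].end = end;
    r->n++;
    return FRAG_OK;
}

/* With overlaps refused, the datagram is complete exactly when the stored
 * spans lie inside [0, total) and their lengths add up to total. */
int reasm_complete(const struct reasm *r, uint32_t total)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < r->n; i++) {
        if (r->got[i].end > total)
            return 0;
        sum += r->got[i].end - r->got[i].start;
    }
    return sum == total;
}
```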
TOCSSiC Findings (2)
► FTP server crashed
  ► Sending a too long command or argument
  ► Issuing a “CEL aaa…aaa” command (VxWorks)
► FTP server allows connections to third party hosts (i.e. provides an attacker platform)
► FTP server allows anonymous login
► Telnet server crashed
  ► After flooding it with “^D” characters
  ► Sending a too long user name
  ► Sending too many “Are you there” commands
…both are legacy protocols w/o encryption !
TOCSSiC Findings (3)
► HTTP server crashed
  ► Requesting a URL with too many characters (e.g. “http://<IP>/cgi-bin/aaa…aaa” or “http://<IP>/jsp/aaa...aaa”)
  ► Using up all resources (“WWW infinite request” attack)
► HTTP server directory available
  ► Using “http://<IP>/../..” get request
…who needs web servers & e-mailing on PLCs ?
► ModBus server crashed by scanning port 502
…protocols are well documented (“Google hacking”) !
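The input handling whose absence the FTP, Telnet and HTTP findings in Findings (2) and (3) point to, as an added example that is not part of the original slides: refuse overlong or control-character input instead of copying it, and refuse any path with a “..” segment. The names `take_line`, `check_path` and the 256-byte limit are assumptions; the line is assumed to arrive with its CRLF stripped and the path already percent-decoded.

```c
#include <stddef.h>
#include <string.h>

#define MAX_LINE 256 /* assumed limit; size it to what the protocol needs */

enum req_verdict { REQ_OK, REQ_TOO_LONG, REQ_BAD_CHAR, REQ_TRAVERSAL };

/* Copy one received command or URL into a fixed buffer. Anything that does
 * not fit is refused, never truncated or written past the end of out.
 * in_len is the byte count reported by the socket read. */
enum req_verdict take_line(char out[MAX_LINE], const char *in, size_t in_len)
{
    if (in_len >= MAX_LINE)
        return REQ_TOO_LONG;                 /* overlong command, argument, URL */
    for (size_t i = 0; i < in_len; i++)
        if ((unsigned char)in[i] < 0x20 || in[i] == 0x7f)
            return REQ_BAD_CHAR;             /* control bytes such as ^D (0x04) */
    memcpy(out, in, in_len);
    out[in_len] = '\0';
    return REQ_OK;
}

/* Walk the path segment by segment and refuse any ".." segment, so a
 * request cannot climb above the served directory. */
enum req_verdict check_path(const char *path)
{
    const char *seg = path;
    for (;;) {
        const char *slash = strchr(seg, '/');
        size_t n = slash ? (size_t)(slash - seg) : strlen(seg);
        if (n == 2 && seg[0] == '.' && seg[1] == '.')
            return REQ_TRAVERSAL;
        if (!slash)
            return REQ_OK;
        seg = slash + 1;
    }
}
```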
TOCSSiC Findings (4)
► PLCs are un-protected
  ► Can be stopped w/o problems (needs just a bit “googling”)
  ► Passwords are not encrypted
  ► Might even come without authentication
  ► Still allow for legacy commands
…authentication & encryption should be mandatory !
► Fixed SNMP community names “public” and “private”
…why can community names not be changed ?
TOCSSiC Follow Up
► CERN produced a “Security Policy for Controls”
► Disclosing vulnerabilities to vendors and manufacturers
► Exchanging information with Government Bodies, Industry & Research
► Forum on the development of “Windows For Controls” with Microsoft
► Forum on OPC security and future dev’s
Your Ways to Mitigate ? (1)
► Apply “Defence-in-Depth” approach
  ► Protect each layer of your Control System
► Separate Controls and Business Networks
  ► Reduce and control inter-communication
► Use managed systems where possible
  ► Ensure prompt security updates: O/S, applications, anti-virus, …
  ► Swapping to Linux or Mac is NOT more secure
► Ensure security protections before connecting
  ► Check for up-to-date patches and anti-virus files
Your Ways to Mitigate ? (2)
► Use strong passwords and sufficient logging
  ► Check that default passwords are changed in all applications
  ► Passwords must be kept secret: beware of “Google Hacking”
  ► Ensure traceability of access (who and from where)
► Make security an objective
  ► Raise awareness in your Users community
► Contact your vendor / manufacturer
  ► Check your firmware versions
  ► Do you really want all those “Bells & Whistles” ?
► Join the MS MUG and the OPC Foundation
Conclusions
► Adoption of modern IT standards exposes Control Systems to security risks
► Control PCs, PLCs & other automation devices are intrinsically vulnerable
► Make security an objective
Thank you very much !
► Special Acknowledgements go to:
  ► J. Brahy & R. Brun (CERN AB/CO) and J. Rochez (CERN IT/CO)
  ► J. Arnold (EPFL, Lausanne) and B. Figon (ESIEE, Amiens)