Control Systems - LAL


Control Systems
Under Attack !!?
…about the Need for
Industrial Cyber-Security
Dr. Stefan Lüders (CERN IT/CO)
5ème Journées Informatiques de l’IN2P3 et du DAPNIA
September 20th 2006
Dr. Stefan Lüders (CERN IT/CO) ― 5ème Journées Informatiques de l’IN2P3 et du DAPNIA ― September 20th 2006
Cyber Threats ─ Today’s Peril
(Figure: attack sophistication versus intruder knowledge, 1980 to 2010. The vertical axis runs from “Lower” to “Higher”: attack sophistication rises over time while the knowledge an intruder needs falls. Attacks placed along the curve, oldest to newest: password guessing, password cracking, exploiting known vulnerabilities, sniffers, hijacking sessions, war dialing, viruses, automated probes/scans, worms, disabling audits, back doors, packet spoofing, zero day exploits, denial of service, BOT nets, IRC-based attacks, root kits, zombies. Three eras are marked for control systems: the “Era of Legacy Technology” (“Security through Obscurity”), a “Transition Phase” (“Controls goes IT”) and the “Era of Modern Information Technology” (“From Top-Floor to Shop-Floor”), annotated with “Common Standards”, “Interconnectivity” and “Attacking Controls”.)
Controls Goes IT
Controls networks mate campus / business networks
► Proprietary field busses replaced by Ethernet & TCP/IP
► Field devices connect to Ethernet & TCP/IP
► Real time applications based on TCP/IP
► VPN connections from the outside onto the controls network
Use of IT protocols & gadgets
► SNMP, SMTP, FTP, Telnet, HTTP (WWW), …
► Wireless LAN, notebooks, USB sticks, webcams, …
Migration to the Microsoft Windows platform
► MS Windows not designed for industrial / control systems
► OPC/DCOM runs on port 135 (heavily used for RPC)
Threats due to Technique
Poorly secured systems are being targeted
► Unpatched systems, OS & applications
► Missing anti-virus software or old virus signature files
► No firewall protection
► Worms are spreading within seconds
Zero Day Exploits: security holes without patches
► Break-ins occur before patch and/or anti-virus signature available
…but how to patch/update control / engineering PCs ?
…what about anti-virus software & local firewalls ?
Threats due to People
Passwords are known to several (many?) people
► No traceability, ergo no responsibility
People are increasingly the weakest link
► Use of weak passwords
► Infected notebooks are physically carried on site
► Users download malware and open “tricked” attachments
► Missing/default/weak passwords in applications
…but how to handle Operator accounts ?
…what about password rules ?
“Controls” Is Not “IT” !
                              “Office-IT”                       Controls
System Life-Cycle             3 – 5 yrs.                        5 – 20 yrs.
Availability                  breaks if scheduled OK            24 / 7 / 365
Confidentiality               high                              low
Time Criticality              delays tolerated                  critical
Security Skills & Awareness   good                              usually poor
Patching                      frequent                          slow or impossible
Changes                       frequent, formal & coordinated    rare, informal, not always coordinated
Automated Tools               widely used                       limited; used with care
Aware or Paranoid ?
(FTP banner of a compromised server, captured 12 January 2006:)

220-<<<<<<>==< Haxed by A¦0n3 >==<>>>>>>
220- ¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸
220-/
220-| Welcome to this fine str0
220-|
220-| Today is: Thursday 12 January, 2006
220-|
220-| Current througput: 0.000 Kb/sec
220-|
220-| Space For Rent: 5858.57 Mb
220-|
220-| Running: 0 days, 10 hours, 31 min. and 31 sec.
220-|
220-| Users Connected : 1 Total : 15
220-|
220 ^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°

Incidents:
► 2000: Ex-employee “wirelessly” hacks 46 times into sewage plant and spills sewage into basement of Hyatt Regency hotel.
► 2003: The “Slammer” worm disables safety monitoring system of the Davis-Besse nuclear power plant for 5h.
► 2003/08/11: W32.Blaster.Worm
► 2004: IT intervention, hardware failure and use of ISO protocol stopped magnet test stand SM18 for 24h.
► 2005: DoS (70”) stopped manual control.
► 2006: Hacked oscilloscope at CERN (running Win XP SP2).
The “Large Hadron Collider”
Steer a beam of 85 kg TNT through a 3 mm hole 10000 times per second !
World’s largest superconducting installation (27 km at 1.9 K), worth 2B€
(Figure labels: Beam, Bunch, Proton; 50 – 150 m)
The “ATLAS” Experiment
2000 members of
151 institutions from
34 countries
The ATLAS Experiment
7000 tons
Ø22m × 43m
500M€ pure hardware
http://atlas.ch
Control Systems for Experiments
The CMS Experiment
500M€ pure hardware
12500 tons, Ø15m × 22m
http://cmsinfo.cern.ch
Standards, if possible !
(Figure: standard desktop PCs)
Concerned about Cyber-Security
The TOCSSiC
COTS automation systems are without security protections
► Target Device(s): Programmable Logic Controllers (PLCs), field devices, power supplies, …
► Security not integrated into their designs
Creation of the Teststand On Controls System Security at CERN (TOCSSiC)
► Running “Nessus” vulnerability scan (used in Office-IT)
► Running “Netwox” DoS attack with random fragments
► Running “Ethereal” network sniffer
(Figure: Vulnerability Tester, Configurator and Traffic Analyzer connected to the Target Device(s) through a 1 Gbps switch and a 100 Mbps hub.)
Control Systems under Attack !
28 devices from 7 different manufacturers (51 tests in total)
All devices fully configured but running idle
(Two pie charts. First: Passed 74 %, Crashed 26 %. Second: Passed 66 %, Failed 16 %, Crashed 18 %.)
…PLCs under load seem even more likely to fail !!!
…results improve with more recent firmware versions
TOCSSiC Findings (1)
The device crashed…
► Sending specially crafted IP packets causes the TCP/IP fragmentation re-assembly code to…
  …improperly handle overlapping IP fragments (“Nestea” attack)
  …lose network connectivity (Linux “zero length fragment” bug)
► Sending a continuous stream of extremely large and incorrectly fragmented IP packets leads to consumption of all CPU resources (“jolt2” DoS attack)
► Sending special malformed packets (“oshare” attack)
…violation of TCP/IP standards !!!
(Callout: 2005: DoS (70”) stopped manual control)
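To show the class of bug behind the overlapping-fragment and zero-length-fragment crashes, here is an added example, not code from the presentation or from the TOCSSiC test stand: a naive IPv4 fragment reassembler that trusts every fragment, next to a strict one that refuses overlapping and zero-length fragments, bounds the fragment count and total size (the resource-exhaustion side of a jolt2-style flood) and insists on a gap-free datagram before allocating the buffer. The `Fragment` type, the caps and the sample fragments are constructed for the example.

```python
# Added example, not from the presentation: IPv4 fragment reassembly,
# naive vs. strict. Offsets are in bytes (the header's 8-byte units already
# multiplied out); the caps and the sample data are assumptions.
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # largest IPv4 datagram; anything beyond cannot be legitimate
MAX_FRAGMENTS = 64     # assumed cap: bounds CPU/memory spent on fragment floods


@dataclass
class Fragment:
    offset: int     # byte offset of this fragment's payload in the datagram
    more: bool      # MF flag: True for every fragment except the last
    data: bytes


class FragmentError(ValueError):
    """Raised by the strict reassembler; the caller drops the datagram."""


def reassemble_naive(frags):
    """Reassembler that trusts the sender: later fragments silently overwrite
    earlier bytes, zero-length fragments are accepted, holes are zero-filled.
    This is the behaviour overlapping-fragment attacks rely on."""
    buf = bytearray()
    for f in frags:
        end = f.offset + len(f.data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[f.offset:end] = f.data
    return bytes(buf)


def reassemble_strict(frags):
    """Reassembler that enforces the RFC 791 invariants before touching memory."""
    if len(frags) > MAX_FRAGMENTS:
        raise FragmentError("too many fragments")
    covered = []          # (start, end) byte ranges accepted so far
    total = None          # datagram length, known once the MF=0 fragment is seen
    for f in frags:
        size = len(f.data)
        if size == 0:
            raise FragmentError("zero-length fragment")
        if f.offset % 8:
            raise FragmentError("offset not a multiple of 8")
        if f.more and size % 8:
            raise FragmentError("non-final fragment length not a multiple of 8")
        end = f.offset + size
        if end > MAX_DATAGRAM:
            raise FragmentError("datagram exceeds 65535 bytes")
        for start, stop in covered:
            if f.offset < stop and start < end:
                raise FragmentError("overlapping fragment")
        covered.append((f.offset, end))
        if not f.more:
            if total is not None:
                raise FragmentError("more than one final fragment")
            total = end
    if total is None:
        raise FragmentError("final fragment missing")
    covered.sort()
    pos = 0
    for start, stop in covered:
        if start != pos:
            raise FragmentError("hole in datagram")
        pos = stop
    if pos != total:
        raise FragmentError("data beyond final fragment")
    buf = bytearray(total)            # allocated only after every check passed
    for f in frags:
        buf[f.offset:f.offset + len(f.data)] = f.data
    return bytes(buf)


def strict_verdict(frags):
    """'ok' if the strict reassembler accepts the fragments, else the reason."""
    try:
        reassemble_strict(frags)
        return "ok"
    except FragmentError as e:
        return str(e)


# Constructed sample: the second fragment overlaps bytes 8..15 of the first.
OVERLAPPING = [Fragment(0, True, b"A" * 16), Fragment(8, False, b"B" * 8)]
# Constructed sample: a well-formed two-fragment datagram.
WELL_FORMED = [Fragment(0, True, b"A" * 16), Fragment(16, False, b"B" * 5)]

if __name__ == "__main__":
    print(reassemble_naive(OVERLAPPING))   # b'AAAAAAAABBBBBBBB': overlap silently accepted
    print(strict_verdict(OVERLAPPING))     # overlapping fragment
    print(strict_verdict(WELL_FORMED))     # ok
```

The strict version never allocates before the datagram length is known and every range has been checked, so a flood of bogus fragments costs only the small bookkeeping list, capped by `MAX_FRAGMENTS`; a real stack would additionally expire incomplete datagrams after a timeout.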
TOCSSiC Findings (2)
FTP server crashed
► Sending a too long command or argument
► Issuing a “CEL aaa…aaa” command (VxWorks)
FTP server allows connections to third-party hosts (FTP bounce, i.e. provides an attacker platform)
FTP server allows anonymous login
Telnet server crashed
► After flooding it with “^D” characters
► Sending a too long user name
► Sending too many “Are you there ?” commands
…both are legacy protocols w/o encryption !
TOCSSiC Findings (3)
HTTP server crashed
► Requesting a URL with too many characters (e.g. “http://<IP>/cgi-bin/aaa…aaa” or “http://<IP>/jsp/aaa...aaa”)
► Using up all resources (“WWW infinite request” attack)
HTTP server directory available
► Using “http://<IP>/../..” GET request (directory traversal)
…who needs web servers & e-mailing on PLCs ?
Modbus server crashed by scanning port 502
…protocols are well documented (“Google hacking”) !
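The FTP, Telnet and HTTP findings on the two slides above are all failures to bound or validate input. The following added example (not from the presentation nor from any vendor's firmware) shows the checks an embedded service needs: a length-limited FTP/Telnet line parser that answers over-long lines, control characters and unknown vendor commands with a reply instead of crashing, a PORT handler that refuses the FTP bounce, and an HTTP path resolver that answers over-long targets with 414 and any `..` component, including the percent-encoded `%2e%2e` form, with 403. The limits, the command set, the web root and the sample requests are assumptions for the example.

```python
# Added example, not from the presentation or from any PLC vendor's code:
# bounded, validated handling of the FTP, Telnet and HTTP inputs that the
# TOCSSiC tests used to crash PLC services. Limits, command set, web root
# and the sample requests are assumptions made for the example.
import posixpath
from urllib.parse import unquote


class Reject(Exception):
    """Carries the protocol reply to send instead of crashing the service."""


FTP_COMMANDS = {"USER", "PASS", "PORT", "PASV", "LIST", "RETR", "STOR", "QUIT"}


def ftp_command(line, limit=512):
    """Parse one FTP (or Telnet login) line. Over-long lines, control
    characters (the '^D' flood) and unknown commands (the VxWorks
    'CEL aaa...' case) get a reply rather than a crash."""
    if len(line) > limit:
        raise Reject("500 Line too long")
    if not line.endswith(b"\r\n"):
        raise Reject("500 Syntax error")
    body = line[:-2]
    if not body.isascii() or any(c < 0x20 or c == 0x7F for c in body):
        raise Reject("500 Syntax error")
    cmd, _, arg = body.decode("ascii").partition(" ")
    cmd = cmd.upper()
    if cmd not in FTP_COMMANDS:
        raise Reject("502 Command not implemented")
    return cmd, arg


def port_target(peer_ip, arg):
    """Validate a PORT argument 'h1,h2,h3,h4,p1,p2'. The data connection must
    go back to the client that sent the command; anything else is the FTP
    bounce the test stand found (server usable as an attack platform)."""
    parts = arg.split(",")
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise Reject("501 Syntax error in parameters")
    ip = ".".join(parts[:4])
    port = int(parts[4]) * 256 + int(parts[5])
    if ip != peer_ip or port < 1024:
        raise Reject("500 Illegal PORT command")
    return ip, port


def resolve_request_path(web_root, target, max_target=2048):
    """Map an HTTP request target onto the web root. Over-long targets get
    414 instead of overrunning a buffer; any '..' component, also when
    percent-encoded as %2e%2e, is refused with 403 before normalisation."""
    if len(target) > max_target:
        raise Reject("414 Request-URI Too Long")
    path = unquote(target.split("?", 1)[0])
    if not path.startswith("/") or "\x00" in path:
        raise Reject("400 Bad Request")
    if ".." in path.split("/"):
        raise Reject("403 Forbidden")
    full = posixpath.normpath(posixpath.join(web_root, path.lstrip("/")))
    root = posixpath.normpath(web_root)
    if full != root and not full.startswith(root + "/"):
        raise Reject("403 Forbidden")          # belt and braces after normpath
    return full


def verdict(fn, *args):
    """Return the protocol reply a rejected input produces, or 'ok'."""
    try:
        fn(*args)
        return "ok"
    except Reject as e:
        return str(e)


if __name__ == "__main__":
    # Constructed inputs mirroring the TOCSSiC findings
    print(verdict(ftp_command, b"CEL " + b"a" * 600 + b"\r\n"))          # 500 Line too long
    print(verdict(port_target, "192.0.2.10", "192,0,2,99,4,1"))         # 500 Illegal PORT command
    print(verdict(resolve_request_path, "/srv/www", "/../.."))           # 403 Forbidden
```

Decoding the target before the `..` check matters: a server that checks first and decodes afterwards lets `%2e%2e` through, which is the same hole as the literal `/../..` request on the slide.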
TOCSSiC Findings (4)
PLCs are unprotected
► Can be stopped w/o problems (needs just a bit of “googling”)
► Passwords are not encrypted
► PLC might even come without authorization schemes
…authorization, data integrity checks and encryption must become mandatory !
PLCs are really unprotected
► Services (HTTP, SMTP, FTP, Telnet, …) can not be disabled
► Neither local firewall nor antivirus software
… lock the configuration down by default !
Fixed SNMP community names “public” & “private”
…community names must be changeable !
SCADA Honeynet Project
► Demonstrating the existence of the risk
  ► Vulnerabilities already proven by e.g. TOCSSiC
  …threats have not been demonstrated (yet)…
► Understanding of mal-traffic on CERN’s network
► Simulating two brands of PLCs
  ► Using Honeyd
  ► Strengthening the box
  ► Recording of all traffic
  ► Periodic file checks
  ► Daily reports
(Figure: the honeypot box, bottom up: Scientific Linux CERN 3, chroot, Honeyd driven by the simulation Scripts, Snort with its Rules, Tripwire with its Policy.)
Honeyd Simulation Scripts
PLC #1: FTP (tcp 21), Telnet (tcp 23), HTTP (tcp 80)
► Nmap signature
► FTP (login only)
► Telnet (login only)
► HTTP (identical functionalities as real PLC web server, incl. directory traversal vulnerability)
PLC #2: FTP (tcp 21), HTTP (tcp 80), S7 (tcp 102), SNMP (udp 161), Modbus (tcp 502)
► Siemens S7 (“read”, “write”, “switch on/off”)
► SNMP (values cloned from real PLC)
► Modbus (all functions memory-persistent)
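The Modbus simulation above and the “Modbus server crashed by scanning port 502” finding of the test stand call for the same piece of code, so here is one added example serving both (not the presentation's honeynet script, not a PLC's firmware): a minimal Modbus/TCP responder with memory-persistent holding registers. It validates the MBAP header and drops frames whose length field does not match, answers unsupported functions, out-of-range addresses and malformed quantities with the proper Modbus exception codes, and implements read holding registers (3), write single register (6) and write multiple registers (16). The register count, the unit-id handling and the sample frames are assumptions for the example.

```python
# Added example, not from the presentation, TOCSSiC or the honeynet scripts:
# a minimal Modbus/TCP responder with memory-persistent holding registers,
# usable as a honeypot back end. Malformed frames are dropped and bad
# requests answered with Modbus exception codes, which is what a port-502
# scan should meet instead of a crash. Register count, unit handling and
# the sample frames are assumptions for the example.
import struct

MBAP = struct.Struct(">HHHB")      # transaction id, protocol id, length, unit id
ILLEGAL_FUNCTION, ILLEGAL_ADDRESS, ILLEGAL_VALUE = 1, 2, 3


class ModbusException(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.code = code


def words(*values):
    """Pack 16-bit register values big-endian (helper for building PDUs)."""
    return struct.pack(">%dH" % len(values), *values)


def build_request(tid, unit, fc, data=b""):
    """Frame a PDU (function code + data) with an MBAP header."""
    pdu = bytes([fc]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


class ModbusSlave:
    """Holding registers persist across requests, as in the honeypot."""

    def __init__(self, nregs=128):
        self.regs = [0] * nregs

    def handle(self, frame):
        """Return the response frame, or None for a frame to drop silently."""
        if len(frame) < MBAP.size + 1:
            return None                                   # truncated
        tid, pid, length, unit = MBAP.unpack_from(frame)
        if pid != 0 or length != len(frame) - 6 or length > 254:
            return None                                   # header lies: drop, do not crash
        fc, data = frame[7], frame[8:]
        try:
            body = self._dispatch(fc, data)
        except ModbusException as e:
            body = bytes([fc | 0x80, e.code])             # exception response
        return MBAP.pack(tid, 0, len(body) + 1, unit) + body

    def _dispatch(self, fc, data):
        if fc == 3:                                       # read holding registers
            addr, count = self._unpack(">HH", data)
            if not 1 <= count <= 125:
                raise ModbusException(ILLEGAL_VALUE)
            self._check_range(addr, count)
            return bytes([fc, 2 * count]) + words(*self.regs[addr:addr + count])
        if fc == 6:                                       # write single register
            addr, value = self._unpack(">HH", data)
            self._check_range(addr, 1)
            self.regs[addr] = value
            return bytes([fc]) + data                     # response echoes the request
        if fc == 16:                                      # write multiple registers
            if len(data) < 5:
                raise ModbusException(ILLEGAL_VALUE)
            addr, count, nbytes = struct.unpack(">HHB", data[:5])
            if not 1 <= count <= 123 or nbytes != 2 * count or len(data) != 5 + nbytes:
                raise ModbusException(ILLEGAL_VALUE)
            self._check_range(addr, count)
            self.regs[addr:addr + count] = struct.unpack(">%dH" % count, data[5:])
            return bytes([fc]) + words(addr, count)
        raise ModbusException(ILLEGAL_FUNCTION)

    @staticmethod
    def _unpack(fmt, data):
        if len(data) != struct.calcsize(fmt):
            raise ModbusException(ILLEGAL_VALUE)
        return struct.unpack(fmt, data)

    def _check_range(self, addr, count):
        if addr + count > len(self.regs):
            raise ModbusException(ILLEGAL_ADDRESS)


if __name__ == "__main__":
    slave = ModbusSlave(16)
    slave.handle(build_request(1, 1, 6, words(5, 0x1234)))             # write register 5
    print(slave.handle(build_request(2, 1, 3, words(5, 1))).hex())      # read it back
    print(slave.handle(b"\x00\x03\x00\x00\x00\xff\x01\x03"))            # None: length field lies
```

Every length used for slicing or unpacking is checked against the frame actually received, never taken from the header alone; that is the difference between the responder above and a device that falls over when a scanner sends a frame whose MBAP length does not match its size.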
(No) Results so far…
► Nov. 2005:
  ► 4 pots (two PLCs each) deployed inside CERN
    Only observation: the usual “slight fever” on CERN’s campus network
  ► 3 pots deployed on controls network
    No interactions observed
► Mar. 2006:
  ► 3 pots visible on ports 102/tcp & 502/tcp from the Internet
    Lots of “noise” observed, e.g. SSH scans, but nothing on 102 nor 502
Panic or Don’t Panic ?
(Pie chart repeated from the TOCSSiC results: Passed 66 %, Failed 16 %, Crashed 18 %.)
Defense-In-Depth
“Defence-in-Depth” means security on each layer !
► …the security of the device itself,
► …the firmware and operating system,
► …the network connections & protocols,
► …the software applications (e.g. PLC programming software),
► …third party software, and
► …users, developers & operators
Manufacturers and vendors are part of the solution !
► Security demands should be included into orders and calls for tenders
(Too?) Many Standards, Guidelines, …
► “Security for Manufacturing and Control Systems” and “Integrating Electronic Security into Manufacturing…” (ANSI/ISA SP99 TR1 & TR2; American National Standards Institute & Int'l Society for Measurement and Control)
► “Code of Practice for Information Security Management” (ISO/IEC 17799:2005, BS7799, ISO27000; Int'l Organization for Standardization / Int'l Electrotechnical Commission / British Standard)
► Common Criteria (ISO/IEC 15408)
► “System Protection Profile for Industrial Control Systems” (U.S. National Institute of Standards and Technology NIST)
► “Cyber-Security Vulnerability Assessment Methodology Guidance” (U.S. Chemical Industry Data Exchange CIDX)
► “Good Automated Manufacturing Practices: Guideline for Automated System Security” (Int’l Society for Pharmaceutical Engineering ISPE)
► NERC standards (North American Electric Reliability Council)
► AGA standards (American Gas Association)
Ground Rules for Cyber-Security
Separate controls and campus networks
► Use centrally managed systems wherever possible
► Reduce and control inter-communication
► Deploy IDS
Apply policy for remote access
► Ensure prompt security updates: applications, anti-virus, OS, etc.
Deploy proper access control
► Use strong authentication and sufficient logging
► Ensure traceability of access (who, when, and from where)
► Passwords must be kept secret: beware of “Google Hacking”
Make security an objective
► Raise awareness in the User community
Network Segregation
Campus network for desktop computing
Controls networks / domains
► Domain Manager with technical responsibility
► Authorization procedure for new connections
► Only operational devices, but neither laptops nor wireless
► Additional protection for PLCs, etc.
Network monitoring
► Statistics & intrusion detection
► Disconnection if threat for others
Restricted cross-communication
► Filter traffic (firewall or ACLs)
► Use application gateways or a DMZ
(Figure: the CERN Campus Network / General Purpose Network behind the CERN Firewall / Gateway, with several Controls Networks and Experiment Networks attached through restricted cross-communication.)
Restricted Cross-Communication
Remote interactive access from “outside”
► “outside” means “office”, “home”, “wireless”
► Using (Windows) Terminal Servers
► Methods to access controls applications
► Methods to access local control PCs
Interactive access to the “outside”
► Rules for web-browsing, automatic e-mails, file transfer, etc.
“Fat-Pipe” data transfer to IT/Tier0
Essential services are “trusted”
► DNS, NTP, Oracle, data storage, …
(Figure: the CERN Campus Network and the several Controls Networks, with the above paths between them.)
Central Software Installation
User-driven PC management
► Pass flexibility and responsibility to the User
► (S)HE decides WHEN to install WHAT on WHICH control PCs (instead of the IT department)
► IT will send out email notifications of new patches to be installed
► (S)HE has to ensure security
► However, PCs might be blocked if threat for others
Implementations for
► Windows XP, Windows Server (web-based interface)
► CERN Scientific Linux 3/4/5 (terminal-based) using
CERN Computer Management
Install…
► Centrally managed OS & SW
► User applications
► Automatically & network-based
► On many PCs in parallel
Configure…
► Look & Feel
► Access rights & restrictions
Full remote control of…
► Configuring
► Installation
► Patching
► Rebooting
… this works even for oscilloscopes !!!
Policies on Access Control
No emailing on the controls networks
Strategy for operator accounts
► Role Based Access Control
► User credentials for authentication
► Role assignment for authorization
► Dependent on accelerator status
► Strict rules for remote access
However, still problematic areas
► User privileges in commercial controls applications
► Security of OPC
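As an added example of the operator-account strategy above (not the presentation's code and not CERN's own access-control implementation): individual credentials verified against a salted PBKDF2 hash, one role per user, permissions that depend on the accelerator mode, and an audit trail that records who, when, from where, what and whether it was granted, for failed logins as well as for denied actions. The role names, machine modes, actions, users and the PBKDF2 iteration count are assumptions for the example.

```python
# Added example, not from the presentation or from CERN's access-control
# implementation: per-user credentials for authentication, role assignment
# for authorisation, permissions that depend on accelerator status, and an
# audit record of who did what, when and from where. Role names, machine
# modes, actions, sample users and the PBKDF2 cost are assumptions.
import hashlib
import hmac
import os
import time

# Which roles may perform which action in which accelerator mode (assumed).
PERMISSIONS = {
    "read_status":        {"guest":    {"SHUTDOWN", "SETUP", "BEAM"},
                           "operator": {"SHUTDOWN", "SETUP", "BEAM"},
                           "expert":   {"SHUTDOWN", "SETUP", "BEAM"}},
    "set_magnet_current": {"operator": {"SETUP"},
                           "expert":   {"SHUTDOWN", "SETUP"}},
    "load_plc_program":   {"expert":   {"SHUTDOWN"}},
}

_DUMMY = (b"\0" * 16, b"\0" * 32, None)   # checked for unknown users, so timing does not leak names


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControl:
    def __init__(self):
        self.users = {}     # name -> (salt, hash, role): one credential per person
        self.audit = []     # traceability: who, when, from where, what, outcome

    def add_user(self, name, password, role):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt), role)

    def _record(self, who, source_ip, action, mode, granted):
        self.audit.append({"who": who, "when": time.time(), "from": source_ip,
                           "action": action, "mode": mode, "granted": granted})

    def authenticate(self, name, password, source_ip):
        """Return a session (user, role, origin) or None; every attempt is logged."""
        salt, stored, role = self.users.get(name, _DUMMY)
        ok = hmac.compare_digest(_hash(password, salt), stored) and role is not None
        self._record(name, source_ip, "login", None, ok)
        return {"user": name, "role": role, "from": source_ip} if ok else None

    def authorize(self, session, action, machine_mode):
        """Decide from role and accelerator mode, and record the decision.
        A shared 'operator' password could never produce the 'who' here."""
        allowed_modes = PERMISSIONS.get(action, {}).get(session["role"], set())
        granted = machine_mode in allowed_modes
        self._record(session["user"], session["from"], action, machine_mode, granted)
        return granted


def demo():
    """Constructed walk-through; returns the decisions so they can be checked."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple", "operator")
    ac.add_user("bob", "hunter2", "expert")
    r = {}
    alice = ac.authenticate("alice", "correct horse battery staple", "10.0.0.5")
    r["alice_role"] = alice["role"]
    r["alice_bad_pw"] = ac.authenticate("alice", "wrong", "10.0.0.5")
    r["nobody"] = ac.authenticate("mallory", "anything", "198.51.100.7")
    bob = ac.authenticate("bob", "hunter2", "10.0.0.6")
    r["alice_setup"] = ac.authorize(alice, "set_magnet_current", "SETUP")
    r["alice_beam"] = ac.authorize(alice, "set_magnet_current", "BEAM")
    r["bob_shutdown"] = ac.authorize(bob, "load_plc_program", "SHUTDOWN")
    r["bob_beam"] = ac.authorize(bob, "load_plc_program", "BEAM")
    r["audit_len"] = len(ac.audit)
    r["denied"] = [(e["who"], e["from"], e["action"]) for e in ac.audit if not e["granted"]]
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The denial records name an account and a source address, which is exactly what a shared operator password cannot provide; the mode check turns “dependent on accelerator status” into a rule that the same role is refused a setting change once beam is in the machine.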
Raising User Awareness
Awareness raising
► Campaigns to inform Users of control systems about ‘Industrial Security’
► At CERN and in the HEP community
Interaction with vendors of control systems
► Discussion on the TOCSSiC results and their mitigation
► Discussions on “Requirements for the Cyber-Security of Control Systems”
Dialog with other Users, researchers, and government bodies
Summary
Nature is beautiful !!!