ICS Threat Scenarios
Outline:
- Architecture
- Attack Surface
- Real Examples
- Suggestions
- Vulnerabilities
- Attacks
- Effects
- Solutions
Luigi Auriemma
September 2015
SCADA architecture
Every situation is different: it is a highly customized
environment in which different types of the following are used:
- Connections
- Protocols
- Devices
- Software
- Security procedures
- Security products (firewall, AV, IDS)
- Solutions
What is sure is that more and more devices are being
connected via TCP/IP, so they are easier for
potential attackers to reach.
(figure: Yokogawa SCADA architecture example)
TARGETS
PLC / RTU / DCS devices and HMI / SCADA software, for example from:
- Siemens
- General Electric
- ABB
- Rockwell
- Invensys / Wonderware
- Schneider Electric
- Indusoft
- Codesys
- Iconics
Operating system and general software:
- Security vulnerabilities
- Design issues
- Bad security practices
- Old software versions
- Kernel vulnerabilities (old OS versions are still required by some SCADA products)
HMI/SCADA ATTACK SURFACE
- Server-side vulnerabilities through open TCP and UDP ports
- Handling of project files and other files with registered extensions
- Client-side vulnerabilities through the integration in web browsers: ActiveX controls and URL protocol handlers
- Local privilege escalation with processes and services running as SYSTEM or Administrator
- Proprietary protocols used to allow all the components to communicate
(diagram: the components talking over those protocols are the OPC server, Monitor, HMI, Historian, Application and Database)
The code is usually poorly written and tested... or not meant for the final product!
This applies to the server-side protocols and to the web applications alike.
Server-side protocols are implemented either in the PLC firmware or in the SCADA software.
Hardcoded accounts, passwords and keys
Left in the code due to design errors, maintenance accounts, backdoors or
just forgotten there by mistake!
It is a very widespread problem... even exploited by Stuxnet.
(timeline 2006, 2008, 2010, 2012: history of the Siemens WinCC
default SQL Server password abused by Stuxnet for infection)
Memory corruption vulnerabilities
- Stack-based buffer overflow
- Heap overflow
- Integer overflow
- Format string
- Array overflow/underflow
- Write a byte/long at relative locations
- Write a byte/long at arbitrary locations
- Use-after-free (project files)
- Double free (project files)
Effects:
- Code execution
- Denial of service when exploitation fails (the process crashes)
Example:
CVE-2011-5007 3S CodeSys buffer overflow
Why is it interesting?
Because the issue was in a library also used on ABB PLCs!
(ICSA-12-006-01 and ICSA-12-320-01)
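As an added illustration of the "handling of project files" case above (this is not code from CodeSys, ABB or any product on this page), here is a toy record parser in C with the classic length-field bug beside its hardened form. The record layout, the 64-byte name buffer and the three sample records are all constructed for the example; the vulnerable function shows both a stack-based overflow and an integer overflow in the same size check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64   /* fixed-size stack buffers like this are where the overflow lands */

/* Constructed record layout (not any vendor's format):
 *   [u16 tag][u32 name_len, little-endian][name_len bytes of name] */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE: trusts the length field that came from the file.
 *  - name_len > NAME_MAX overwrites the stack past `name` (stack-based overflow);
 *  - name_len near 0xFFFFFFFF makes `6 + name_len` wrap in 32-bit arithmetic,
 *    so the size check passes and memcpy reads far past the file (integer overflow). */
int parse_name_vulnerable(const uint8_t *buf, size_t buflen, char *out)
{
    char name[NAME_MAX];
    uint32_t name_len;

    if (buflen < 6) return -1;
    name_len = rd32(buf + 2);
    if (6 + name_len > buflen) return -1;   /* 6 + 0xFFFFFFFE wraps to 4: the check passes */
    memcpy(name, buf + 6, name_len);        /* overflows `name` when name_len > NAME_MAX */
    name[name_len] = '\0';
    strcpy(out, name);
    return 0;
}

/* HARDENED: subtract instead of add (nothing can wrap), bound the copy by the
 * destination size, and report the bad record instead of carrying on. */
int parse_name_safe(const uint8_t *buf, size_t buflen, char *out, size_t outlen)
{
    uint32_t name_len;

    if (buflen < 6 || outlen == 0) return -1;
    name_len = rd32(buf + 2);
    if (name_len > buflen - 6) return -1;   /* declared length exceeds the data present */
    if (name_len >= outlen) return -1;      /* would not fit, terminator included */
    memcpy(out, buf + 6, name_len);
    out[name_len] = '\0';
    return 0;
}

/* Constructed sample records. */
static const uint8_t REC_GOOD[] = { 0x01,0x00, 0x05,0x00,0x00,0x00, 'p','u','m','p','1' };
static const uint8_t REC_WRAP[] = { 0x01,0x00, 0xFE,0xFF,0xFF,0xFF, 'A','A','A','A' }; /* name_len = 0xFFFFFFFE */
static uint8_t REC_BIG[6 + 200];   /* name_len = 200 > NAME_MAX, with the payload actually present */
static char g_out[NAME_MAX];

/* Fills REC_BIG and returns it: a record the vulnerable parser would accept and
 * then use to smash its own stack. */
static const uint8_t *big_record(void)
{
    REC_BIG[0] = 0x01; REC_BIG[1] = 0x00;
    REC_BIG[2] = 200;  REC_BIG[3] = 0; REC_BIG[4] = 0; REC_BIG[5] = 0;
    memset(REC_BIG + 6, 'A', 200);
    return REC_BIG;
}

int main(void)
{
    printf("safe/good: %d (%s)\n", parse_name_safe(REC_GOOD, sizeof REC_GOOD, g_out, sizeof g_out), g_out);
    printf("safe/big:  %d\n", parse_name_safe(big_record(), sizeof REC_BIG, g_out, sizeof g_out));
    printf("safe/wrap: %d\n", parse_name_safe(REC_WRAP, sizeof REC_WRAP, g_out, sizeof g_out));
    /* parse_name_vulnerable(REC_BIG, ...) would smash the stack, so only the benign record is passed to it */
    printf("vuln/good: %d (%s)\n", parse_name_vulnerable(REC_GOOD, sizeof REC_GOOD, g_out), g_out);
    return 0;
}
```

The safe side is the one to ship, but it only fixes the bugs you found. Build with the stack protections the page goes on to mention (/GS on MSVC, -fstack-protector-strong on GCC and Clang) and with DEP and ASLR enabled for every module, so that the bugs you did not find are harder to turn into code execution.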
Memory corruption vulnerabilities
Stack protections and secured exception handlers
There are ways to limit the exploitation of these issues.
BUT the software is usually built without stack protections and
with DEP (Data Execution Prevention) and/or ASLR (Address Space
Layout Randomization) disabled in its modules, allowing the
exploitation of the vulnerabilities. ASLR in particular is opted
into per module at build time, so a single DLL built without it
gives the attacker fixed addresses to build a ROP chain from, even
when the rest of the process is randomized.
Information disclosure vulnerabilities
- Directory traversal, like ..\..\..\DATA.INI
- Arbitrary file download, like C:\PATH\DATA.INI
- Memory disclosure
Effects:
- Stealing information and sensitive data
Examples:
CVE-2011-4878 Siemens WinCC Flexible HmiLoad and miniweb directory traversal
CVE-2011-4051 Indusoft WebStudio CEServer full remote file access
(screenshot: the CEServer operations exposed are OPEN, WRITE, READ and DELETE)
Writing files in arbitrary and relative locations
Effects:
- Code execution via commands executed at next boot/login
- Code execution by overwriting specific executables
- Manipulation of configurations by overwriting existing files
Example:
CVE-2012-0232 - GE Intelligent Platforms Proficy Real-Time Information Portal directory traversal
(screenshot: the request carries the DESTINATION path and the DATA TO WRITE)
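The two traversal classes above, reading files out of the install directory (the CVE-2011-4878 and CVE-2011-4051 cases) and writing files into it (the CVE-2012-0232 case), share one root cause: a client-supplied file name is joined onto a server path without being checked. Here is an added example in C (not code from any of those products) of the check a file-serving handler would run before both reads and writes. Windows-style paths, the fixed base directory and the sample requests are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Joins a client-supplied name onto a fixed base directory.
 * Returns 0 and writes "<base>\<name>" into out, or -1 if the name is
 * absolute, climbs out of base, or does not fit in out. */
int safe_join(const char *base, const char *req, char *out, size_t outlen)
{
    size_t pos, n, t;
    const char *p, *end = NULL;

    if (!base || !req || !out || outlen == 0 || req[0] == '\0') return -1;
    /* absolute forms: "\x", "/x", "\\server\share", "\\?\C:\x", "C:\x", "C:x" */
    if (is_sep(req[0])) return -1;
    if (strchr(req, ':')) return -1;                /* drive letters and NTFS "file:stream" names */
    if (is_sep(req[strlen(req) - 1])) return -1;    /* a trailing separator names a directory, not a file */

    pos = strlen(base);
    if (pos + 1 > outlen) return -1;
    memcpy(out, base, pos);

    for (p = req; *p; p = (*end ? end + 1 : end)) {
        for (end = p; *end && !is_sep(*end); end++) {}
        n = (size_t)(end - p);
        /* Win32 drops trailing dots and spaces when opening a file, so ".. " or
         * "..." must be judged after the same trimming or they turn into ".." */
        for (t = n; t > 0 && (p[t - 1] == '.' || p[t - 1] == ' '); t--) {}
        if (n == 0 || t == 0) return -1;            /* "a\\b", ".", "..", "...", ".. ", "  " */
        if (pos + 1 + n + 1 > outlen) return -1;    /* separator + component + terminator */
        out[pos++] = '\\';
        memcpy(out + pos, p, n);
        pos += n;
    }
    out[pos] = '\0';
    return 0;
}

static char g_path[260];
static char g_tiny[8];

int main(void)
{
    /* Constructed requests: the benign one and the two attack shapes from the page. */
    const char *requests[] = { "screens\\main.scr", "..\\..\\..\\DATA.INI", "C:\\PATH\\DATA.INI",
                               "screens/../../../DATA.INI", ".. \\DATA.INI", "\\\\srv\\share\\x.ini" };
    size_t i;
    for (i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int rc = safe_join("C:\\Proj", requests[i], g_path, sizeof g_path);
        printf("%-28s -> %s\n", requests[i], rc == 0 ? g_path : "REJECTED");
    }
    return 0;
}
```

This is a string check only: it does not resolve 8.3 short names, junctions or symbolic links, so it belongs in front of the file open, not instead of the operating system's own access control. Run the service under an account that can only reach its own data directory, and the file-write class above stops being a path to code execution even if the check is bypassed.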
Arbitrary command execution and injection
Effects:
- Code execution via directory traversal
- Code execution via shell injection in system()
Example:
CVE-2011-1566 IGSS arbitrary command execution (directory traversal)
(screenshot: example of this class of vulnerabilities)
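For the system() injection case, here is an added example in C (not the IGSS code or any product's) of the vulnerable command-building pattern beside the two hardening steps a practitioner would apply. The converter command, its argument layout and the file names are constructed for the example; the no-shell execution uses POSIX fork/execvp, and the Windows equivalent is CreateProcess without routing through cmd.exe.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

static char g_cmd[256];

/* VULNERABLE: the client-controlled name is pasted into a shell command line.
 * system() hands the string to /bin/sh (cmd.exe on Windows), so a name such as
 * "report.txt; id" runs `id` with the service's privileges, often SYSTEM. */
int build_command_vulnerable(const char *filename, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "convert %s out.pdf", filename);
    if (n < 0 || (size_t)n >= cmdlen) return -1;
    return 0;   /* the vulnerable code then does: system(cmd); */
}

/* Hardened, step 1: allow-list the characters a file name may contain.
 * Everything else (; & | $ ` quotes, spaces, path separators) is rejected. */
int is_safe_filename(const char *s)
{
    size_t i, n = strlen(s);
    if (n == 0 || n > 64) return 0;
    if (s[0] == '-' || s[0] == '.') return 0;   /* no "--option" injection, no ".." */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened, step 2: do not use a shell at all. Each argument is its own argv
 * entry, so there is no command line to parse and nothing to inject into.
 * Returns the child's exit status, or -1 if the name was rejected or the
 * program could not be run. */
int run_no_shell(const char *prog, const char *filename)
{
    int status;
    pid_t pid;
    char *const argv[] = { (char *)prog, (char *)filename, "out.pdf", NULL };

    if (!is_safe_filename(filename)) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(prog, argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *evil = "report.txt; id";   /* constructed attacker input */
    build_command_vulnerable(evil, g_cmd, sizeof g_cmd);
    printf("system() would receive: %s\n", g_cmd);
    printf("allow-list verdicts: good=%d evil=%d\n", is_safe_filename("report.txt"), is_safe_filename(evil));
    printf("no-shell run: %d\n", run_no_shell("echo", "report.txt"));   /* echo stands in for the converter */
    printf("no-shell run (evil): %d\n", run_no_shell("echo", evil));
    return 0;
}
```

Step 2 is the one that actually removes the bug class; step 1 is still worth keeping because the converter itself may treat its argument as a path, which is how the "code execution via directory traversal" effect above arises even without a shell.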
Denial of Service
- NULL pointer dereference
- Resource consumption (CPU and memory)
- Unexploitable memory corruption
Effects:
- The service stops working
- System unresponsive
- Other processes on the same machine may get affected
Example:
CVE-2011-3489 - Rockwell Automation RSLogix overflow vulnerability
Web vulnerabilities
- SQL injection
- Local and remote file inclusion
- CSRF (cross-site request forgery)
- XSS (cross-site scripting)
Effects:
- Code execution
- Stolen information and database
- Authentication bypass
Example:
CVE-2015-6461 Schneider Electric Modicon remote file inclusion
(screenshot: example of this class of vulnerabilities)
Who reports security vulnerabilities in SCADA and industrial software & devices?
External researchers, for fun or during the penetration testing of the
products used by their clients, for example:
- Me till summer 2012
- Scada Strangelove project
- Many researchers via ICS-CERT / vendor
- Many researchers (publicly, not prior to vendor)
Vendors, during the internal auditing of their products
0-days in the wild... a rare event, for example Stuxnet
Cool, but... what gets in the way of the researcher:
- Finding the software or the firmware
- Finding the hardware devices
- Configuring the products
- Finding updates & patches
- Is it a bug or a feature?!?
- Possible vendor legal actions
Patching SCADA and PLC vulnerabilities
The time the vendors need to fix a vulnerability, test the patch
and release it is very long: a 0-day may be fixed only after several months,
and the situation is similar for vulnerabilities reported directly to the
vendor (coordinated disclosure).
PDF: Securing ICS Applications When Vendors Refuse Or Are Slow To Produce a Security Patch
Sometimes there is not even a patch and the vendor releases a
"recommendation" for limiting the usage of and access to the
vulnerable component!
Sometimes the patches are not applied by the customers because they
are not aware of the issues, or to avoid downtime and possible problems
after patching... if it works, why take risks?
Repository of Industrial Security Incidents (RISI)
www.risidata.com
Usual causes:
- Accidental issues and failures
- Angry employees
- General virus attacks
- Targeted cyber attacks
- Phishing
Many infrastructures are reachable from the Internet
Shodan and manual scanning of selected IP ranges to spot
easy-to-crack/open VNC sessions and SCADA products online.
Project SHINE
An attempt to use Shodan to spot industrial servers and devices through
various queries. They claim to have found over 2 million devices between
2012 and 2014. Some statistical results were released.
Viss' results and Project SONAR
Dan Tentler ("Viss") used Shodan to find systems meant to be private
but freely available on the Internet, like webcams, VNC servers, SCADA
systems and other industrial related results.
What to do
1. No Internet access
2. Keep your systems updated
3. Strong and unrelated passwords
4. General network security (limit/disable Wi-Fi, firewall, AV)
5. Microsoft EMET (the Enhanced Mitigation Experience Toolkit), which forces DEP and ASLR onto modules that were built without them (Windows only; EMET has since reached end of life and its mitigations live on in Windows Defender Exploit Guard)
6. Limit network access to the systems
7. Limit human access to the systems (USB/keyboard)
8. Stay informed: ICS-CERT, official forums, unofficial forums, security alerts, news and mailing lists