Control Systems under Attack !?
► Cyber Threats ─ Today’s Peril
► Vulnerabilities in Controls
► Findings of the TOCSSiC
► First Steps for Mitigation
Stefan Lüders (CERN IT/CO)
ICALEPCS 2005 ─ October 14th, 2005
A Teststand On Control System Security at CERN
Stefan Lüders: “Control Systems Under Attack !?” @ ICALEPCS 2005 2 / 17
Aware or Paranoid ?
2000: Ex-employee hacks “wirelessly” 46 times into a sewage plant and spills sewage into the basement of a Hyatt Regency hotel.
2003: The “Slammer” worm disables the safety monitoring system of the Davis-Besse nuclear power plant for 5 h.
2003/08/11: W32.Blaster.Worm
2004: IT intervention, hardware failure and use of the ISO protocol stopped the SM18 magnet test stand for 24 h.
2005: DoS (70”) stopped manual control
Cyber Threats ─ Today’s Peril

[Figure: attack sophistication over time, 1980 to 2010. Vertical axis: Intruder Knowledge / Attack Sophistication (Lower to Higher); second axis: Common Standards / Interconnectivity. Attack types plotted: Password Guessing, Password Cracking, Exploiting Known Vulnerabilities, Packet Spoofing, Disabling Audits, Hijacking Sessions, Sniffers, Back Doors, War Dialing, Denial of Service, Automated Probes/Scans, IRC Based, Zero Day Exploits, Viruses, Worms, Root Kits, Zombies, BOT nets, Attacking Controls. Time bands for Control Systems: Era of Legacy Technology (“Security through Obscurity”), Transition Phase (“Controls goes IT”), Era of Modern Information Technology (“From Top-Floor to Shop-Floor”).]
Controls Goes IT

► Controls Networks mate Business Networks
► Proprietary field busses replaced by Ethernet & TCP/IP
► Field devices connect to Ethernet & TCP/IP
► Real-time applications based on TCP/IP
► VPN connections from the outside onto the Controls Network

► Use of IT protocols & gadgets:
► SNMP, SMTP, FTP, Telnet, HTTP (WWW), …
► Wireless LAN, Notebooks, USB sticks, …

► Migration to the Microsoft Windows platform
► Windows not designed for Industrial / Control Systems
► OPC/DCOM runs on port 135 (the RPC endpoint mapper; the port W32.Blaster exploited)
Threats due to Technique

► Poorly secured systems are being targeted
► Worms are spreading within seconds
► Unpatched systems, O/S & applications
► Missing anti-virus software or old virus signature files
► No firewall protection

► Zero Day Exploits: security holes without patches
► Break-ins occur before a patch and/or anti-virus signature is available

…but how to patch/update Control PCs ?
…what about anti-virus software ?
Threats due to People

► Passwords are known to several (many?) people
► No traceability, ergo no responsibility

► People are increasingly the weakest link
► Use of weak passwords
► Infected notebooks are physically carried on site
► Users download malware and open “tricked” attachments

► Missing/default/weak passwords in applications

…but how to handle Operator accounts ?
…what about password rules ?
The TOCSSiC

► COTS Automation Systems are without security protections
► Programmable Logic Controllers (PLCs), field devices, power supplies, …
► Security not integrated into their designs

► Creation of the Teststand On Controls System Security at CERN (TOCSSiC)

[Diagram: test-stand layout. Components: Vulnerability Tester, Configurator, Traffic Analyzer and the Target Device(s), connected through a 100 Mbps hub and a 1 Gbps switch.]

► Running “Nessus” vulnerability scan (as used in Office IT)
► Running “Netwox” DoS attack with random fragments
► Running “Ethereal” network sniffer
Controls under Attack !
► 20 devices from 6 different manufacturers (35 tests in total)
► All devices fully configured but running idle
…PLCs under load seem to fail even more frequently !!!
…results improve with more recent firmware versions
TOCSSiC Findings (1)
► Device crashed
► Sending specially crafted IP packets causes the TCP/IP fragmentation re-assembly code to …
… improperly handle overlapping IP fragments (“Nestea” attack)
… lose network connectivity (Linux “zero length fragment” bug)
► Sending a continuous stream of extremely large and incorrectly fragmented IP packets leads to consumption of all CPU resources (“jolt2” DoS attack)
► Sending special malformed packets (“oshare” attack)

…violation of TCP/IP standards !!!
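The three fragmentation failures listed above (overlapping fragments, zero-length fragments, and fragments that would push the datagram past 65535 bytes) can all be caught with a few sanity checks before a single byte is copied into a reassembly buffer. The following Python is an added example, not code from the talk or from the TOCSSiC test stand: it builds small constructed fragment streams of each kind (offsets and payloads are chosen for illustration and are not the original Nestea or jolt2 packet values) and runs them through a reassembler that applies those checks. Addresses are taken from the RFC 5737 documentation range, and nothing is sent on the wire.

```python
"""Sanity checks for IPv4 fragment reassembly, illustrated on constructed
fragment streams of the kinds that crashed devices on the test stand.
Added example; not code from the original talk. Nothing is sent on the wire."""
import struct

MF = 0x2000             # "More Fragments" flag in the flags/offset field
MAX_DATAGRAM = 65535    # the IPv4 total-length field is 16 bits wide
SRC, DST = "192.0.2.10", "192.0.2.20"   # RFC 5737 documentation addresses (assumed)


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(ident: int, offset_units: int, more: bool, payload: bytes,
                   proto: int = 17) -> bytes:
    """One IPv4 packet (20-byte header + payload). offset_units is the 13-bit
    fragment offset in 8-byte units exactly as carried on the wire; no
    alignment or size check is applied, which is what lets us build the
    broken streams below."""
    flags_off = (MF if more else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      bytes(map(int, SRC.split("."))),
                      bytes(map(int, DST.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_fragment(pkt: bytes):
    """Verify the header checksum and return (offset_bytes, more, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len, = struct.unpack("!H", pkt[2:4])
    flags_off, = struct.unpack("!H", pkt[6:8])
    return (flags_off & 0x1FFF) * 8, bool(flags_off & MF), pkt[ihl:total_len]


def check_and_reassemble(fragments):
    """Return (violations, payload). payload is None unless the stream is
    clean and complete. Each violation names the failure mode it guards
    against: 'overlap' (Nestea-style), 'zero-length' (the Linux bug),
    'oversize' (jolt2-style), plus 'misaligned' (non-final fragment not a
    multiple of 8 bytes) and 'incomplete' (gap or missing last fragment)."""
    parsed = sorted((parse_fragment(p) for p in fragments), key=lambda f: f[0])
    violations, end = [], 0
    for off, more, data in parsed:
        if len(data) == 0:
            violations.append("zero-length")
        if off + len(data) > MAX_DATAGRAM:
            violations.append("oversize")
        if off < end:
            violations.append("overlap")
        if more and len(data) % 8:
            violations.append("misaligned")
        if off > end:
            violations.append("incomplete")
        end = max(end, off + len(data))
    if parsed and parsed[-1][1]:          # last fragment still says "more"
        violations.append("incomplete")
    violations = list(dict.fromkeys(violations))   # de-duplicate, keep order
    if violations:
        return violations, None
    return violations, b"".join(data for _, _, data in parsed)


# Constructed streams (illustrative offsets/payloads, not the original exploit packets).
def benign_stream():
    return [build_fragment(1, 0, True, b"A" * 16),
            build_fragment(1, 2, False, b"B" * 8)]


def nestea_style():
    """Second fragment starts inside the first: offset 16 < end 32."""
    return [build_fragment(2, 0, True, b"A" * 32),
            build_fragment(2, 2, False, b"B" * 8)]


def zero_length_style():
    """A non-final fragment carrying no data at all."""
    return [build_fragment(3, 0, True, b"A" * 8),
            build_fragment(3, 1, True, b""),
            build_fragment(3, 1, False, b"B" * 8)]


def jolt2_style():
    """Offset 8190*8 = 65520 plus 48 bytes would exceed 65535."""
    return [build_fragment(4, 8190, False, b"C" * 48)]


if __name__ == "__main__":
    for name, stream in [("benign", benign_stream()), ("nestea", nestea_style()),
                         ("zero-length", zero_length_style()), ("jolt2", jolt2_style())]:
        print(name, check_and_reassemble(stream))
```

Running the module prints the verdict for each stream. The checks map one-to-one onto the slide: the overlap test catches the Nestea case, the zero-length test the Linux bug, and the size test the jolt2 case; a reassembler that applies them drops the offending datagram instead of crashing the device.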
TOCSSiC Findings (2)
► FTP server crashed
► Sending a too long command or argument
► Issuing a “CEL aaa…aaa” command (VxWorks)
► FTP server allows connections to third-party hosts (FTP “bounce” via the PORT command, i.e. the device becomes an attacker platform)
► FTP server allows anonymous login

► Telnet server crashed
► After flooding it with “^D” characters
► Sending a too long user name
► Sending too many “Are you there” commands

…both are legacy protocols w/o encryption !
TOCSSiC Findings (3)
► HTTP server crashed
► Requesting a URL with too many characters (e.g. “http://<IP>/cgi-bin/aaa…aaa” or “http://<IP>/jsp/aaa...aaa”)
► Using up all resources (“WWW infinite request” attack)

► HTTP server directory available
► Using a “http://<IP>/../..” GET request (directory traversal)

…who needs web servers & e-mailing on PLCs ?

► ModBus server crashed by scanning port 502

…protocols are well documented (“Google hacking”) !
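A Modbus/TCP server that dies when port 502 is merely scanned is failing on the first few bytes of unexpected input. Below is an added example (not the talk's code and not any vendor's implementation) of the screening a listener on port 502 should do before handing a frame to the protocol logic: it validates the MBAP header fields that the public Modbus specification fixes (protocol identifier 0, a length field that matches the frame, a bounded ADU size), restricts function codes to an assumed allow-list, and range-checks read requests. The sample frames, including a scanner-style HTTP probe aimed at port 502, are constructed for the example.

```python
"""Screen Modbus/TCP frames (port 502) before they reach a PLC's protocol
handler. Added example, not code from the talk; all frames are constructed."""
import struct

MBAP_LEN = 7          # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_ADU = 260         # 7-byte MBAP header + 253-byte maximum PDU
# Public function codes this screen lets through (assumed policy for the example).
ALLOWED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16, 23}
READ_FUNCTIONS = {1, 2, 3, 4}


class ModbusFrameError(ValueError):
    pass


def parse_mbap(frame: bytes):
    """Check the MBAP header; return (transaction_id, unit_id, pdu)."""
    if len(frame) < MBAP_LEN + 1:
        raise ModbusFrameError("frame shorter than MBAP header plus function code")
    if len(frame) > MAX_ADU:
        raise ModbusFrameError("frame exceeds maximum ADU size")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ModbusFrameError("protocol identifier must be 0 (Modbus)")
    # 'length' counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ModbusFrameError("length field does not match frame size")
    pdu = frame[MBAP_LEN:]
    if pdu[0] not in ALLOWED_FUNCTIONS:
        raise ModbusFrameError("function code 0x%02x not allowed" % pdu[0])
    return tid, unit, pdu


def parse_read_request(pdu: bytes):
    """Function codes 1-4: start address + quantity, bounded per the spec
    (2000 coils/discrete inputs, 125 registers) and never wrapping past 65535."""
    if len(pdu) != 5:
        raise ModbusFrameError("read request PDU must be exactly 5 bytes")
    fc, addr, qty = struct.unpack("!BHH", pdu)
    limit = 2000 if fc in (1, 2) else 125
    if not 1 <= qty <= limit:
        raise ModbusFrameError("quantity out of range")
    if addr + qty > 0x10000:
        raise ModbusFrameError("address range wraps past 65535")
    return fc, addr, qty


def screen_frame(frame: bytes):
    """The check a listener on port 502 should run before handing anything
    to the Modbus implementation. Returns (accepted, reason)."""
    try:
        _, _, pdu = parse_mbap(frame)
        if pdu[0] in READ_FUNCTIONS:
            parse_read_request(pdu)
        return True, "ok"
    except ModbusFrameError as exc:
        return False, str(exc)


# Constructed inputs: one legitimate request, then the kind of traffic a
# port scanner or a vulnerability scanner's service probe sends to port 502.
SAMPLES = {
    "read 10 holding registers": bytes.fromhex("00010000000601030000000a"),
    "HTTP probe on port 502":    b"GET / HTTP/1.0\r\n\r\n",
    "length field lies":         bytes.fromhex("0001000000ff01030000000a"),
    "quantity too large":        bytes.fromhex("0001000000060103000003e8"),
    "truncated frame":           bytes.fromhex("0001"),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print("%-28s -> %s" % (label, screen_frame(frame)))
```

The point of the allow-list and the length check is that everything the server acts on is bounded before any copy or table lookup happens; a scanner's probe is rejected at the protocol-identifier field and never reaches code that was written on the assumption of well-formed Modbus.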
TOCSSiC Findings (4)

► PLCs are un-protected
► Can be stopped w/o problems (needs just a bit of “googling”)
► Passwords are not encrypted
► Might even come without authentication
► Still allow for legacy commands

…authentication & encryption should be mandatory !

► Fixed SNMP community names “public” and “private”

…why can community names not be changed ?
TOCSSiC Follow Up
► Disclosing vulnerabilities to vendors and manufacturers
► Exchanging information with Government Bodies, Industry & Research
► Forum on OPC security and future dev’s
► CERN produced a “Security Policy for Controls”
► Forum on the development of “Windows For Controls” with Microsoft
Your Ways to Mitigate ? (1)

► Apply “Defence-in-Depth” approach
► Protect each layer of your Control System

► Separate Controls and Business Networks
► Reduce and control inter-communication

► Use managed systems where possible
► Ensure prompt security updates: O/S, applications, anti-virus, …
► Swapping to Linux or Mac is NOT more secure

► Ensure security protections before connecting
► Check for up-to-date patches and anti-virus files
Your Ways to Mitigate ? (2)

► Use strong passwords and sufficient logging
► Check that default passwords are changed in all applications
► Passwords must be kept secret: beware of “Google Hacking”
► Ensure traceability of access (who and from where)

► Make security an objective
► Raise awareness in your Users community

► Contact your vendor / manufacturer
► Check your firmware versions
► Do you really want all those “Bells & Whistles” ?

► Join the MS MUG and the OPC Foundation
Conclusions
► Adoption of modern IT standards exposes Control Systems to security risks
► Control PCs, PLCs & other automation devices are intrinsically vulnerable
► Make security an objective
Thank you very much !
► Special Acknowledgements go to:
► J. Brahy & R. Brun (CERN AB/CO) and J. Rochez (CERN IT/CO)
► J. Arnold (EPFL, Lausanne) and B. Figon (ESIEE, Amiens)