SCADA Malware, A Proof of Concept
A. Carcano, I. Nai Fovino, M. Masera, A. Trombetta
European Commission Joint Research Centre
Critis 2008, Rome, October 15, 2008
CI Dependence on IT Systems
• Today most critical infrastructures depend heavily on the underlying communication networks.
[Figure: generic SCADA architecture. A Central Monitoring Unit talks over a Communications Network (fiber, radio, modem, microwave, telephone, wireless, powerline carrier) to Remote Terminal Unit 1, Remote Terminal Unit 2 and a Programmable Logic Controller, each reading a Sensor. Adapted from: Joint Program Office for Special Technology Countermeasures, Naval Surface Warfare Center, Dahlgren Division.]
What the networks bring:
- Remote control
- Remote maintenance
- New features
What comes with them:
- New vulnerabilities
- New attack scenarios
- New threats
Computer Attacks
• Most attacks are malware based:
- Virus
- Worm
- Trojan
[Figure: network architecture of a turbogas power plant. From the outside in: External Network, router, firewall, DMZ / Data Network (data server), firewall, Intranet / Office network (router, workstations), then the Process network (plant control, turbogas control, field control, common services, gateway), the field bus, and the control system driving the actuators / transducers. Physical process: combustion chamber fed with air and gas; gas turbine and compressor driving a generator (G); fumes to a steam generator; water / steam to a steam turbine driving a second generator. Flows between layers: commands and control data downward; alarms / blocks, supervision, monitoring and diagnostics (including vibration diagnostics) upward.]
Known effects vs. unknown effects
Need for concrete studies on the effects of malware on critical infrastructures
Problems
• How to simulate malware on critical infrastructures?
• How and where to study its effects?
Malware Simulation: MAlSim Toolkit
• The MAlSim Toolkit simulates:
- Various families of malware (worms, viruses, malicious mobile code, etc.)
- Various species of malware of the same family (e.g. macro viruses, metamorphic and polymorphic viruses, etc.)
- Well-known malware (e.g. Code Red, Nimda, SQL Slammer)
- Non-existent configurations
Power Plant Simulator
[Figure: the Power Plant Environment is built from a Field Network, Process Network, Data Network, DMZ Network and Intranet Network. Attack sources are modelled both inside and outside. Supporting components: System Measurements, Analysis Systems, Vulnerabilities Repository, Binaries Repository, InSAW, Experiments Archive.]
Ad-Hoc SCADA Malware
Considerations About "SCADA" Protocols
Such protocols are normally used by dedicated servers to send commands to the field devices:
- ModBUS
- DNP3
- ProfiBUS
- ... others ...
ModBUS, the protocol targeted in this work:
- Application layer messaging protocol
- Provides a client/server communication service
- TCP/IP implementation
- Widely used
Lack of:
- Integrity controls
- Authentication mechanisms
- Non-repudiation mechanisms
- Anti-replay mechanisms
It is possible to create a set of malware which takes advantage of such basic vulnerabilities.
Attack Scenarios (1)
ModBUS Malware DOS
- Attack scope:
  - To desynchronize the communication between master and slave
  - To completely block the communication stream between master and slaves
- Code implementation:
  - A packet builder, which forges well-formed ModBUS over TCP packets.
  - A discovery engine, which explores the network to identify the IP addresses of the Modbus slaves.
  - A packet deliverer, which sends the forged packets to the target slaves in an optimized way, so as to saturate the bandwidth as quickly as possible.
- Infection trigger:
[Figure: the ModBus DOS worm built on the MAlSim framework. A Slammer infection engine (alternatives listed: Slammer, Nimda, Poskiwing (6 October), ...) carries the Modbus packet generator and the discovery engine; the worm enters through the FW-VPN and reaches the Master/Secondary.]
Test Results
1. Anti-viruses do not recognize the ad-hoc crafted malware.
2. Firewalls do not stop the traffic generated by the malware, since it has the shape of "legal ModBUS traffic".
Attack Scenarios (2)
ModBUS COM Worm
- Attack scope:
  - The scope of the COM worm attack is to take control of the slaves of the process control architecture by taking advantage of the lack of authentication and integrity countermeasures in the ModBUS protocol.
- Code implementation:
  - A packet builder
  - A discovery engine
  - A strategy & analysis module, which, on the basis of the information gathered by the discovery engine and some built-in heuristics, identifies the strategy to adopt in order to send packets that could damage the system.
  - A packet deliverer, which sends the forged packets to the target slaves
Experimental tests
• Worm prototypes:
- Step 1 malware: it replicates MODBUS function 15 (0x0F), used to force each coil in a sequence of coils to either ON or OFF in a remote device (valve).
- Step 2 malware: through function 16 (0x10) it writes a block of 1 to 123 contiguous holding registers in a remote device.
- Step 3 malware: by combining the two ModBUS functions 0x01 (read coil values) and 0x0F (force a sequence of coils), it completely inverts the configuration of the target system (e.g. if a valve is open it will be closed, and vice versa).
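To make the protocol-level point concrete, the following is an added example (not code from the paper or from the MAlSim toolkit) that builds Modbus/TCP frames for the three function codes the prototypes use (0x01, 0x0F, 0x10) and runs them against a constructed in-memory slave that, like the slaves in the tests, executes any well-formed request. The MBAP header it packs carries a transaction id, protocol id, length and unit id and nothing else: there is no field in which a credential, MAC or nonce could travel, which is the lack of authentication, integrity and anti-replay controls referred to above. The `Slave` class, its coil and register maps, and unit id 1 are assumptions made for the demo; `invert_coils` carries out the Step 3 read-invert-write exchange, showing both the master's requests and the slave's replies.

```python
"""Modbus/TCP framing for function codes 0x01, 0x0F and 0x10, plus a constructed
in-memory slave that checks framing only. Added example; not the paper's or
MAlSim's code. Slave, coil/register maps and unit id 1 are assumptions."""
import struct

PROTOCOL_ID = 0  # Modbus/TCP: always 0. No header field exists for credentials, MAC or nonce.


def mbap(transaction_id, unit_id, pdu):
    """MBAP header: transaction id, protocol id, length (= unit id byte + PDU), unit id."""
    return struct.pack(">HHHB", transaction_id, PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


def pack_coils(values):
    """Pack booleans LSB-first into bytes, as Modbus encodes coil data."""
    out = bytearray((len(values) + 7) // 8)
    for i, v in enumerate(values):
        if v:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)


def unpack_coils(data, count):
    return [bool((data[i // 8] >> (i % 8)) & 1) for i in range(count)]


def read_coils(tid, unit, start, count):
    """Function 0x01: read coil values."""
    return mbap(tid, unit, struct.pack(">BHH", 0x01, start, count))


def write_multiple_coils(tid, unit, start, values):
    """Function 0x0F: force a sequence of coils ON/OFF (Step 1 and Step 3)."""
    data = pack_coils(values)
    return mbap(tid, unit, struct.pack(">BHHB", 0x0F, start, len(values), len(data)) + data)


def write_multiple_registers(tid, unit, start, regs):
    """Function 0x10: write 1..123 contiguous holding registers (Step 2)."""
    if not 1 <= len(regs) <= 123:
        raise ValueError("0x10 allows 1..123 registers per request")
    data = struct.pack(">%dH" % len(regs), *regs)
    return mbap(tid, unit, struct.pack(">BHHB", 0x10, start, len(regs), len(data)) + data)


class Slave:
    """Constructed slave: validates framing and function code, nothing else,
    which is the behaviour the tests report (every command executed, no anomaly seen)."""

    def __init__(self, coils, registers):
        self.coils = list(coils)
        self.registers = list(registers)

    def handle(self, frame):
        tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
        pdu = frame[7:]
        if pid != PROTOCOL_ID or length != len(pdu) + 1:
            raise ValueError("malformed MBAP header")
        fc = pdu[0]
        if fc == 0x01:
            start, count = struct.unpack(">HH", pdu[1:5])
            data = pack_coils(self.coils[start:start + count])
            return mbap(tid, unit, bytes([0x01, len(data)]) + data)
        if fc == 0x0F:
            start, count, nbytes = struct.unpack(">HHB", pdu[1:6])
            self.coils[start:start + count] = unpack_coils(pdu[6:6 + nbytes], count)
            return mbap(tid, unit, struct.pack(">BHH", 0x0F, start, count))
        if fc == 0x10:
            start, count, nbytes = struct.unpack(">HHB", pdu[1:6])
            self.registers[start:start + count] = list(struct.unpack(">%dH" % count, pdu[6:6 + nbytes]))
            return mbap(tid, unit, struct.pack(">BHH", 0x10, start, count))
        return mbap(tid, unit, bytes([fc | 0x80, 0x01]))  # exception response, code 01: illegal function


def invert_coils(slave, unit, start, count):
    """Step 3 logic: read current coil states (0x01), write their complement back (0x0F).
    Returns the slave's coil states afterwards."""
    resp = slave.handle(read_coils(1, unit, start, count))
    current = unpack_coils(resp[9:9 + resp[8]], count)  # resp[7] = 0x01, resp[8] = byte count
    slave.handle(write_multiple_coils(2, unit, start, [not v for v in current]))
    return slave.coils[start:start + count]


if __name__ == "__main__":
    valves = Slave(coils=[True, False, True, True, False, False, False, False, True, False], registers=[0] * 10)
    print("before:", valves.coils)
    print("after: ", invert_coils(valves, 1, 0, 10))
```

Nothing in the exchange identifies the sender: whichever host can reach the slave's TCP port and emit these twelve to twenty bytes gets the same service as the legitimate master.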
Experimental Considerations
• Antiviruses do not identify the new worms.
• The firewall completely ignores the attacks, since the traffic appears completely legal.
• The slaves execute, in all cases, every worm command without identifying any anomaly.
Conclusion
• Industrial SCADA protocols are far from being secure.
• In this paper we proved that the scenario in which a worm takes control of a portion of an industrial plant is nowadays a reality.
• Traditional antiviruses and firewalls are inadequate, for several reasons:
  - SCADA systems are very specialized systems, using dedicated protocols (sometimes proprietary).
  - Anomaly detection techniques cannot be easily deployed in industrial systems.
  - Patches could interfere with some particular ad-hoc software.
• Future work:
  - SCADA intrusion detection system
  - Secure SCADA protocols
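The two experimental observations, that the firewall passes the traffic because it is well-formed Modbus and that the slaves execute every command, point at what the SCADA intrusion detection system listed as future work would have to do: look at the Modbus function code and at who is sending it, not only at ports. The following is an added example, not the paper's IDS, of such a protocol-aware check. It parses the MBAP header, raises an alert when a write function (0x05, 0x06, 0x0F, 0x10) comes from a host that is not the allow-listed master, and keeps a one-second sliding window per (source, destination) pair to catch the packet flood of the DOS worm. The master and workstation addresses, the unit id, the 20 frames/second threshold and the captured frames are all constructed for the demo.

```python
"""Modbus/TCP-aware allow-list and flood check over a constructed capture.
Added example; not the paper's IDS. Addresses, threshold and frames are assumptions."""
import struct
from collections import defaultdict, deque

WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}  # write single/multiple coil(s) and register(s)


class ModbusMonitor:
    def __init__(self, masters, max_frames_per_second):
        self.masters = set(masters)        # hosts allowed to issue write requests
        self.limit = max_frames_per_second
        self.window = defaultdict(deque)   # (src, dst) -> timestamps within the last second

    def inspect(self, ts, src_ip, dst_ip, frame):
        """Return a list of alert strings for one captured Modbus/TCP frame."""
        alerts = []
        if len(frame) < 8:
            return ["malformed: frame shorter than MBAP header + function code"]
        tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
        fc = frame[7]
        if pid != 0 or length != len(frame) - 6:
            alerts.append("malformed: bad protocol id or length")
        # A plain firewall sees only TCP/502; the function code and sender decide here.
        if fc in WRITE_FUNCTIONS and src_ip not in self.masters:
            alerts.append(f"write fc=0x{fc:02X} unit {unit} from non-master {src_ip}")
        q = self.window[(src_ip, dst_ip)]
        q.append(ts)
        while q and ts - q[0] > 1.0:
            q.popleft()
        if len(q) > self.limit:
            alerts.append(f"flood: {len(q)} frames/s from {src_ip} to {dst_ip}")
        return alerts


def frame(tid, unit, pdu):
    """Build a Modbus/TCP frame from a PDU (MBAP header + PDU)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: the master reads and writes coils on the slave, then an
# infected operator PC sends a 0x0F write, then floods the slave with 25 reads
# inside half a second.
MASTER, OPERATOR_PC, SLAVE = "10.0.1.10", "10.0.3.77", "10.0.2.5"
SAMPLE = [
    (0.00, MASTER, SLAVE, frame(1, 1, bytes.fromhex("01 0000 000A"))),
    (0.10, MASTER, SLAVE, frame(2, 1, bytes.fromhex("0F 0000 000A 02 FF03"))),
    (0.20, OPERATOR_PC, SLAVE, frame(3, 1, bytes.fromhex("0F 0000 000A 02 00FC"))),
] + [
    (0.30 + i * 0.02, OPERATOR_PC, SLAVE, frame(10 + i, 1, bytes.fromhex("01 0000 0001")))
    for i in range(25)
]


def run(sample=SAMPLE):
    """Replay the capture through the monitor; returns (timestamp, source, alert) tuples."""
    mon = ModbusMonitor(masters={MASTER}, max_frames_per_second=20)
    return [(ts, src, a) for ts, src, dst, f in sample for a in mon.inspect(ts, src, dst, f)]


if __name__ == "__main__":
    for ts, src, alert in run():
        print(f"{ts:5.2f} {src:10} {alert}")
```

The master's own 0x0F write at 0.10 s is silent, the identical-looking write from the operator PC is not, and the flood alerts start only once more than 20 frames from one pair fall inside the window, so the normal master/slave polling rate below that never trips it.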
Considerations (1)
Old operating systems:
• Win NT 3.0 / 4.0
• Win 2000
• BSD
• SCO
• ...
Rare patching policies
Low "ICT security perception"
Considerations about Process Sub-Systems
Process sub-systems are typically prone to traditional malware.
Consequences of pervasive ICT
- Software vulnerabilities
- Architectural vulnerabilities
- ICT security policy vulnerabilities
Consequences:
- New attack scenarios
- New risks
- Old safety studies no longer "actual"
- Need for new models
- Need for new risk assessment methods
- Need for new experimental studies
- Infection triggers:
[Figure: Attack Scenarios (1), complete build of the earlier diagram. Infection triggers feeding the ModBus DOS worm: social engineering (e-mail forgery, malware camouflage), phishing (DNS, fake site creation, DNS poisoning) and operator PC infection. The worm itself, built on the MAlSim framework, consists of a Slammer infection engine (alternatives listed: Slammer, Nimda, Poskiwing (6 October), ...), a Modbus packet generator and a discovery engine, and enters through the FW-VPN toward the Master/Secondary.]