Page 1: Avila 3 b

Threats to Industrial Control Networks

Defensive Network Security Consultants (DNSC), LLC

17 October 2012

Page 2

Contact Information

Angel E. Avila, CISSP, CISA, CEPT, C|EH, CompTIA Sec+
E-mail: [email protected]
http://www.dnsc-cyber.com
PH: 915-247-8978

Page 3

DNSC Background

• Computer Security Professionals (8 years)
– Specializing in Penetration Testing, Vulnerability Assessments, Compliance and Auditing

• Experience working on Government (DoD) and Private Industry systems

• Certifications:
– Certified Information Systems Security Professional (CISSP)
– Certified Information Systems Auditor (CISA)
– Certified Ethical Hacker (C|EH)
– Certified Ethical Penetration Tester (CEPT)
– Certified Information Systems Manager (CISM)
– Certified Penetration Tester (CPT)
– CompTIA Security+

Page 4

Objective

• The intent of this brief is to raise awareness among the energy community of some of the current threats that are targeting Industrial Control (IC) networks, including the Smart Grid, and the importance of developing secure critical infrastructure.

Page 5

Why should we care?

• “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” Mr. Panetta said. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” [1]

• Successful attacks against critical infrastructure assets can potentially lead to loss of life, and life as we know it.

1. Bumiller, Elisabeth; Shanker, Thomas. “Panetta Warns of Dire Threat of Cyberattack on U.S.” New York Times on the Web, 11 Oct. 2012. Accessed 15 Oct. 2012. <http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?_r=0s>

Page 6

IC Network Overview

Figure adapted from: Eric D. Knapp, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems, Syngress, 2011.

Page 7

Common Mistakes

• Overconfidence: Systems 100% secure
• Refusal to recognize threats: It can’t happen to me
• Air Gap myth: Systems not connected to IT network/Internet
• Executive override
– “Intentional” security holes for legitimate business purposes. ‘Set it and forget it’
• Default accounts & passwords
• Lack of authentication
• Inbound/outbound traffic
• Compliance != Secure

Page 8

Adversary

• Cyber Threat Expertise
– Novice: An adversary with no training, only using open-source (freely available) tools
– Intermediate: An adversary with some training, some level of funding, uses tools either purchased or traded on-line
– Expert: An adversary with a mature skill set who uses custom, open source, and purchased tools

• Foreign sponsored
• Hacktivist

Page 9

Threats to IC Networks

• Advanced Persistent Threat (APT)
– An adversary with sophisticated levels of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception)
• Maintains a foothold in order to conduct directed malicious objectives against the target
• EX: Stuxnet, a worm targeting Iranian nuclear reactor machinery
– Driven by either government agencies or terrorist organizations
• APTs pursue their objectives repeatedly over an extended period of time while countering the victim’s mitigation attempts

As defined in NIST Special Publication 800-39, Managing Information Security Risk

Page 10

Threats to IC Networks (cont.)

• Cyber Threats
– Malicious efforts directed at gaining access to, exfiltrating data from, manipulating data in, or denying service to information systems (IS)
– Directed attacks against confidentiality, integrity, and availability (CIA)
– Cyber threats can come from anyone

• Supply Chain Threat
– Refers to embedded code being inserted into devices before they reach you
– Do you know who is developing your devices?

Page 11

Threats to IC Networks (cont.)

• Outsider Threat
– No credentials, no physical access to the target network
– Ex: Hacktivists, Foreign States, Terrorist Organizations, Script Kiddies

• Nearsider Threat
– No credentials, but has physical access to the target network
– Ex: Cleaning crew, delivery personnel

• Insider Threat
– Has user and/or root-level credentials to the target network
– Ex: Disgruntled Employee (users/administrators)

Page 12

IC Network Overview

Figure adapted from: Eric D. Knapp, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems, Syngress, 2011.

Figure labels: Outsider/Cyber Threats; Advanced Persistent Threat; Insider/Nearsider Threats

Page 13

Attack Vectors

• Web
– SQL Injection
– Broken authentication and session management
• https://www.owasp.org/index.php/Top_10_2010-Main

• Wireless
– Use of weak wireless algorithms WEP and WPA

• Bad Security Practices
– HBGary and Anonymous incident
• http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

• Social Networking
– Facebook

Page 14

Attack Vectors (cont.)

• SCADA Protocols
– Lack of authentication
– Lack of encryption

• SCADA Systems
– Sinapsi eSolar Light Photovoltaic System Monitor
– Authentication bypass using hard-coded credentials; also vulnerable to SQL injection
• Also affects other solar panel control systems
• ICS-ALERT-12-284-01

• Control systems
– Shodan, a search engine used to identify Internet-facing control systems
• ICS-ALERT-11-343-01

Page 15

Attack Vectors (cont.)

• How can I traverse through the Smart Grid?
– Advanced Meter Infrastructure (AMI) Smart Meters: meters can be shut down through the optical port
• D. Weber, “Looking into the Eye of the Meter”. BlackHat 2012.
– Over 40 million ZigBee electric meters are deployed, concentrated in Texas, California, Michigan, and Virginia.
• ZigBee Alliance: Heile, Bob, https://docs.zigbee.org/zigbee-docs/dcn/10-6056.pdf

Page 16

Attack Vectors (cont.)

Smart Grid using ZigBee Home Area Network (HAN)

• AMI provides the ability to remotely control devices in the HAN
– Turn off lights, raise thermostat, etc.
• Detailed energy use is collected over regular time intervals
– Consumers can view energy usage in real time
• ZigBee is being used in HANs within the Smart Grid
• Sniffing traffic
• Replay attacks
• Denial-of-Service
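The sniffing, replay and denial-of-service threats listed above are what a HAN operator would want to detect on the air interface. The following Python is an added example (not part of the original deck and not KillerBee code): it checks a constructed, simplified capture log for replayed frames, whose NWK security frame counter does not advance for a source, and for association-request floods. The record layout, addresses, window and threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample capture, simplified to (time_s, frame_type, src_addr, nwk_frame_counter).
# A real log would be decoded from a zbdump capture; these records are made up for the example.
SAMPLE_FRAMES = [
    (0.0, "DATA", "0x1a2b", 100),
    (1.0, "DATA", "0x1a2b", 101),
    (2.0, "DATA", "0x3c4d", 7),
    (3.0, "DATA", "0x1a2b", 102),
    (3.5, "DATA", "0x1a2b", 101),   # counter already used by 0x1a2b: a replayed frame
    (4.0, "DATA", "0x1a2b", 103),
] + [
    # burst of 40 association requests from distinct addresses within 0.4 s (flood pattern)
    (5.0 + i * 0.01, "ASSOC_REQ", "0x%04x" % (0xbe00 + i), 0) for i in range(40)
]


def find_replays(frames):
    """Return (time, src, counter) for DATA frames whose NWK security frame
    counter does not exceed the highest counter already seen from that source.
    A ZigBee receiver is supposed to reject such frames; a replay of a sniffed
    frame necessarily reuses an old counter value."""
    highest = {}
    replays = []
    for t, ftype, src, ctr in frames:
        if ftype != "DATA":
            continue
        if src in highest and ctr <= highest[src]:
            replays.append((t, src, ctr))
        else:
            highest[src] = ctr
    return replays


def find_assoc_floods(frames, window_s=1.0, threshold=20):
    """Return the start times of windows containing at least `threshold`
    association requests (the zbassocflood pattern: many short-lived 'devices'
    asking to join at once, exhausting the coordinator's association table).
    The threshold is an assumption; tune it to the HAN's normal join rate."""
    per_window = defaultdict(int)
    for t, ftype, _src, _ctr in frames:
        if ftype == "ASSOC_REQ":
            per_window[int(t // window_s)] += 1
    return sorted(w * window_s for w, n in per_window.items() if n >= threshold)
```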

Page 17

Conclusion

• Real-world threats are constantly trying to exploit various IC installations

• Reliability vs. Security

• Awareness and being proactive help reduce the risk of your network being exploited

Page 18

Questions

• ??

Page 19

Contact Information

• Angel E. Avila, CISSP, CISA, C|EH, CEPT, CompTIA Security+ – [email protected]

• Richard G. Coy, CISSP, CISA, C|EH, CPT – [email protected]

• Francisco J. Leyva, CISSP, CISA, C|EH, CISM – [email protected]

• Humberto Mendoza, CISSP, CISA, C|EH, CISM, CEPT – [email protected]

• Daniel Chacon, CISSP, CISSA, C|EH, CISM – [email protected]

http://www.dnsc-cyber.com

Page 20

Backup

Page 21

Attack Vectors (cont.)

• ZigBee Overview
– Low power (long battery life), low data rate wireless protocol
– 250 Kbps throughput rate (low data rate)
– Short range (10 – 100 meters)
– Supports star and mesh network topologies
– Nodes are easily added to and removed from the network

• Why ZigBee?
– WiFi transceivers are too expensive and need more power to operate
– Bluetooth, as a Frequency Hopping Spread Spectrum protocol, requires more power to operate
– ZigBee consumes less power than WiFi and Bluetooth
– ZigBee was designed specifically for monitoring and automation
– ZigBee is a good solution for smart meters in Advanced Meter Infrastructure (AMI)

Page 22

Attack Vectors (cont.)

• ZigBee Exploitation using KillerBee[1]
– zbid: list available ZigBee devices connected to the PC
– zbdump: "tcpdump -w" clone for capturing ZigBee traffic
– zbconvert: convert capture file formats
– zbreplay: replay attack
– zbdsniff: over-the-air (OTA) crypto key sniffer
– zbfind: GUI for locating ZigBee networks
– zbgoodfind: search a memory dump for a crypto key
– zbassocflood: association flood attack (DoS)
– spoofing attacks when used with a Software Defined Radio

1. KillerBee : Wright, Joshua, http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf

Page 23

Attack Vectors (cont.)

• ZigBee Security
– KillerBee[1] is an open source tool suite used to test and exploit ZigBee networks
– The hacker community has made many software modifications to the KillerBee[1] tool suite
– The KillerBee[1] firmware is flashed onto an RZUSB stick ($40.00) through the Joint Test Action Group (JTAG) interface
• AVR JTAG ICE mkII ($300.00) used to flash the RZUSB

1. KillerBee : Wright, Joshua, http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf

Figure labels: RZUSB; AVR JTAG ICE Programmer

Page 24

Attack Vectors (cont.)

Smart Grid using ZigBee Home Area Network (HAN)

• Problem: Demand for power exceeds the supply
• AMI provides the ability to remotely control devices in the HAN
– Turn off lights, raise thermostat, etc.
• Detailed energy use is collected over regular time intervals
– Consumers can view energy usage in real time
• Consumers can adjust power use to reduce cost
• Utility companies can better manage supply and demand
