IT 369 Midterm
Examples of Industrial Network Incidents
- Aurora Project - agent.btz - Operation Aurora - Stuxnet
Remote Terminal Unit
- Electronic devices located at key measurement and control points - Originally hardwired devices with limited capabilities and one proprietary communications protocol - Modern RTUs contain their own microprocessors and can support multiple sophisticated protocols
Security improvements of Modbus
- ICCP's use of bilateral tables provides basic control over the communication path by explicitly defining which ICCP clients and servers can communicate. - A secure version of ICCP exists that incorporates digital certificate authentication and encryption.
ICCP: Security Concerns
- Lack of authentication and encryption - Explicitly defined trust relationships - Highly accessible because it is on a WAN
SCADA components
- Master Terminal Unit - Human Machine Interface - Remote Terminal Unit - Communications
Advanced Persistent Threats qualities
- Often uses simple exploits for initial infection - Designed to avoid detection over long periods of time - Designed to communicate information back to the attacker using covert command and control (C2) - Mechanisms for persistent operation even if detected - Not intended to impact or disrupt network operations
Host firewalls
A host firewall works just like a network firewall, and acts as an initial filter between the host and any attached network(s).
Consequences of a successful Cyber Incident
A successful cyber attack on a control system can either (1) delay, block, or alter the intended process, for example, alter the amount of energy produced at an electric generation facility, or (2) delay, block, or alter information related to a process, thereby preventing a bulk energy provider from obtaining production metrics that are used in energy trading or other business operations.
Ladder Logic
PLCs often use "ladder logic," a simplistic programming language that is well suited for industrial applications. Ladder logic is based on relay-based logic and can be thought of as a set of connections between inputs (contacts) and outputs (coils).
Programmable Logic Controllers (PLCs)
Computer-based solid state devices that control industrial equipment and processes. They are industrial process control computers, heavily used in DCS and SCADA systems. Remote PLCs are often referred to as "field devices". PLCs are hardware devices, and you need to "flash" a PLC to update it.
The Control System
If the business network is "contested ground" and the SCADA DMZ is "middle ground," then the Control System is "sacred ground." Within the context of industrial network security, the control system represents the ultimate target: the devices and systems that actually control the industrial process that needs to be protected.
agent.btz
In 2008, the agent.btz worm began infecting U.S. military machines and was reportedly carried into CENTCOM's classified network on a USB thumb drive later that year.
OPC: Where it is used
OPC is primarily a SCADA protocol, and it is used within many areas of industrial networks, including data transfer to data historians, data collection within HMIs, and other supervisory controls.
OPC: How it works
OPC works in a client/server manner, where a client application calls a local process, but instead of executing the process using local code, the process is executed on a remote server. The remote process is linked to the client application and is responsible for providing the necessary parameters and functions to the server, over an RPC.
Process fieldbus(Profibus)
Profibus is a Master/Slave protocol that supports multiple master nodes through the use of token sharing: when a master has control of the token, it can communicate with its slaves (each slave is configured to respond to a single master).
Scanning
Scanning a network typically begins with broad attempts to identify network devices and hosts using a ping sweep, and then leveraging additional capabilities of the Internet Control Message Protocol (ICMP) to determine additional information, such as the network mask (which allows you to derive subnet information), as well as open TCP and User Datagram Protocol (UDP) ports (which allows you to identify operating services, as most services map to well-known ports).
Stuxnet
Stuxnet is a tactical nuclear missile in the cyber war, and it was not a shot across the bow: Stuxnet uses four zero-days in total to infect and spread, looking for SIMATIC WinCC and PCS 7 programs from Siemens, and then using default SQL account credentials to infect connected Programmable Logic Controllers (PLCs) by injecting a rootkit via the Siemens fieldbus protocol, Profibus.
Distributed Control Systems
Supervisory control of multiple integrated systems responsible for a LOCAL process. A group of computers and/or smart field devices networked together to monitor and control industrial processes with direct feedback control. EX: oil and gas refineries, electrical power generation, and automotive production
Critical Infrastructures
Systems that if disrupted or destroyed will cause wide spread loss of essential services to a nation's citizens.
Ole for Process Control (OPC)
OPC is a suite of protocols that collectively enable process control systems to communicate using some of the underlying networking capabilities of Windows.
Safety Controls
To avoid catastrophic failures, most industrial networks employ automated safety systems; however, the safety systems are supported directly within the same communications protocols as the operational controls, on the same physical media. Simple Man-in-the-Middle (MITM) attacks could be used to change values in a control system, and a modest-scale attack on a larger bulk electric system using targeted malware (in this scenario, targeting specific control system front end processors) was able to cause significant loss of generation.
Emerging Trends in APT and Cyber War
Exploits are moving away from network-layer and protocol-layer vulnerabilities and more toward application-specific exploits. Even more recent trends show signs that these exploits are shifting away from Microsoft software products toward the almost ubiquitously deployed Adobe Portable Document Format (PDF) and its associated software products. Web-based applications are also used heavily both for infections and for C2.
NERC CIP
identifies security measures for protecting critical infrastructure with the goal of ensuring the reliability of the bulk power system.
Network segmentation/isolation of systems
If five critical services are isolated within a single functional group and separated from the rest of the network using a single firewall, it may be necessary to allow several different traffic profiles through that firewall (see Figure 2.4). If an attack is made using an exploit against web services over port 80, that attack may compromise a variety of services including e-mail services, file transfers, and patch/update services. However, if each specific service is grouped functionally and separated from all other services
Responding to APT
- Always monitor everything: collect baseline data, configurations, and firmware for comparison. - Analyze available logs to help identify scope, infected hosts, propagation vectors, etc. - Sandbox and investigate infected systems. - Analyze memory to find memory-resident rootkits and other threats living in user memory. - Reverse engineer detected malware to determine full scope and to identify additional attack vectors and possible propagation. - Retain all information for disclosure to authorities.
Federal Information Security Management Act
may not apply to certain critical infrastructures, depending upon their geographic location and/or their jurisdiction within the United States federal government. However, the standards include valid and useful guidelines for the security of critical environments
Cyber war qualities
- Uses more sophisticated vectors for initial infection, i.e., "zero day" exploits - Designed to avoid detection over long periods of time - Designed to operate in isolation, not dependent upon remote command and control (C2) - Mechanisms for persistent operation or reinfection if detected - Possible intentions include network disruption
Common Vulnerabilities
- Poorly configured firewalls - Unnecessary ports and services - Application backdoors - Asset controls - Wi-Fi access - Remote access, VPNs, and mobile apps - Field access
Human Machine Interface
- Printouts, map board, mimic panel, and projection technology. Map boards and mimic panels are wall-sized drawings of the process with indicator lights and numeric meter-style readouts representing physical process areas. Today the concept is the same but the display technology is much improved.
Common APT methods
- Social engineering, targeted spear phishing (customized e-mails designed to trick readers into clicking on a link, opening an attachment, or otherwise triggering malware), malicious attachments, removable media such as USB drives, and malicious websites as initial infection vectors - One area where APT is often very sophisticated is in the knowledge of its target: known information about the target and the people associated with that target.
Control Processes
A "control process" is a general term used to define larger automated processes within an industrial operation. Each process is typically managed using an HMI, which is used to interact with that process.
Non-Routable network
A "non-routable" network refers to those serial, bus, and point-to-point communication links that utilize Modbus/RTU, point-to-point ICCP, fieldbus, and other networks.
Data Historians
A Data Historian is a specialized software system that collects point values and other information from industrial devices and stores them in a purpose-built database.
Modbus Security Concerns
- Lack of authentication - Lack of encryption - Lack of message checksum - Lack of program suppression - Programmability
What is the number one vulnerability in ICS SCADA systems today?
- The business network, because it is attached to the SCADA network - Updating is onerous and may cause unnecessary downtime or other problems - Bad code that could be outdated - People internally - People externally who want to hack (foreign actors)
APT Targets
1) Intellectual Property: - Application code - Application design - Protocols - Patents 2) Industrial Designs: - Protocol schematics - Engineering designs - Research 3) Chemicals and Formulas: - Pharmaceutical formulas - Chemical equations - Chemical compounds
Cyber war targets
1) Intellectual Property: - Certificates and authority - Control protocols - Functional diagrams - PCS command codes 2) Industrial Designs: - Control system designs and schematics - Safety controls - PCS weaknesses 3) Chemicals and Formulas: - Pharmaceutical formulas - Pharmaceutical safety and allergy information - Chemical hazards and controls
CH7. Securing Enclave Perimeters
1. All inbound and outbound traffic must be forced through one or more known network connections that can be monitored and controlled. 2. One or more security devices must be placed in-line at each of these connections.
Communications
1. Initially used telephone systems and radio transmitters designed for voice - Slow - Some remote areas had to build their own communication systems 2. Latest systems are digital networks designed to transfer data - TCP/IP - Wireless including cellular and satellite
Recommended IDS/IPS Rules
1. Prevent any undefined traffic from crossing enclave boundaries (where the disruption of the communication will not impact the reliability of a legitimate service). 2. Prevent any defined traffic containing malware or exploitation code from crossing enclave boundaries. 3. Detect and log suspicious or abnormal activity within an enclave 4. Log normal or legitimate activity within an enclave, which may be useful for compliance reporting
Industrial Control Systems (ICS)
1. SCADA systems 2. Distributed Control Systems 3. Programmable Logic Controllers
Types of Critical Infrastructures
1. public safety, 2. bulk electric energy, 3. nuclear energy, 4. chemical manufacturing, 5. agricultural, 6. pharmaceutical manufacturing and distribution, 7. banking and finance
SCADA evolution 1960s
1960s - Integrated circuits led to minicomputers capable of computer control of processes - Confined to one physical location - Not connected to an external network - Local area network - Closed loop control - Proprietary protocols
SCADA evolution 1990s to present
1990s to present - Client/server - Powerful PCs - TCP/IP networking - High speed Ethernet - Commercial real-time operating systems - Looking more like IT systems - Scalable and fault tolerant - Smart software makes redundancy easy
Defending Against APT
Advanced Persistent Diligence requires a strong Defense-in-Depth approach, both in order to reduce the available attack surface exposed to an attacker, and in order to provide a broader perspective of threat activity for use in incident analysis, investigation, and response.
CH 3. Air gap
Before the proliferation of Internet connectivity, web-based applications, and real-time business information systems, energy systems were built for reliability. Physical security was always a concern, but information security was not a concern, because the control systems were air-gapped—that is, physically separated with no common system (electronic or otherwise) crossing that gap. The problem is there is now a path into critical systems.
Behavioral Whitelisting
Behavioral whitelisting combines an understanding of what is known good/bad behavior (policies) with an understanding of expected behaviors, to define what is "known good behavior."
Social Networking
By design, social networking sites make it easy to find and communicate with people, and people are subject to social engineering exploitation just as networks are subject to protocol and application exploits.
DNP3
DNP3 began as a serial protocol designed for use between master control stations and slave devices or "outstations," as well as for use between RTUs and IEDs within a control station. Like most control system protocols, DNP3 was extended to work over IP, encapsulated in TCP or UDP packets, in order to make remote RTU communications more easily accessible over modern networks. DNP3 is highly reliable!
DNP3: What it does
DNP3 is primarily used to send and receive messages between control system devices; unlike many other protocols, it does so with a high degree of reliability. DNP3 is primarily used between a master control station and an RTU in a remote station, over almost any medium including wireless, radio, and dial-up. However, DNP3 is also widely used between RTUs and IEDs. As such it compete
Enumeration
Enumeration refers to the process of identifying valid users and/or account credentials, as well as shared network resources that those user accounts might be able to access.
Host IDS
Host IDS (HIDS) systems work like Network IDS, only they reside on a specific asset and monitor systems internal to that asset.
Chapter 4 Summary
However, because industrial network protocols, in general, lack sufficient authentication or encryption, all are susceptible to cyber attack using relatively simple MITM attacks, which can be used to disrupt normal protocol operations or potentially to alter or otherwise manipulate protocol messages to steal information, commit fraud, or potentially cause a failure of the control process itself.
SCADA vs. DCS vs. PLC
Location: SCADA is geographically dispersed, whereas DCS and PLCs are factory centered. Communications: SCADA uses long-distance, slow-speed links; DCS and PLCs use a high-speed LAN. Control: SCADA has supervisory-level control, whereas DCS and PLCs have closed feedback loops.
Modbus TCP
Modbus TCP uses Transmission Control Protocol/Internet Protocol (TCP/IP) to transport Modbus commands and messages over modern routable networks.
CH4. Modbus
Modbus is the oldest and perhaps the most widely deployed industrial control communications protocol. It can be used by extremely simple devices such as sensors or motors to communicate with a more complex computer, which can read measurements and perform analysis and control. Supporting a communications protocol on a simple device requires that message generation, transmission, and receipt all involve very little processing overhead. This same quality also makes Modbus suitable for use by PLCs and RTUs to communicate supervisory data to a SCADA system.
Where MODBUS is used
Modbus is typically deployed between PLCs and HMIs, or between a Master PLC and slave devices such as PLCs, HMIs, Drivers, Sensors, I/O devices, etc. A common deployment uses Modbus on TCP/IP within a SCADA DMZ or Supervisory LAN, where master HMIs provide a central management capability to a number of Master PLCs, each of which may connect serially over a bus topology to a number of PLCs and/or HMIs, responsible for a distinct control loop.
SCADA evolutions 1960-1980
Putting all your eggs in one basket was a problem because of reliability issues. The solution was an identical 2nd computer, but making the redundancy work was difficult. Watchdog timer (Shaw page 15): a circuit that would generate a trigger signal when a countdown by its hardware timer reached zero, unless that timer was reset by commands from the computer. Both primary and backup computers ran the circuit. If either computer stalled or had a hardware failure, or if its programming went into an infinite loop, the watchdog would count down to zero and generate an electrical signal that would tell the backup computer to take over.
Remote Terminal Unit (RTU)
RTUs monitor field parameters and transmit that data back to a central monitoring station—typically either a Master Terminal Unit (MTU), or a centrally located PLC, or directly to an HMI system.
Supervisory Controls and Data Acquisition (SCADA)
SCADA systems are highly distributed systems controlling geographically dispersed equipment. - Gas pipelines - Water and waste systems - Transportation systems - Electrical utilities - Refineries and chemical plants
ICCP: How it works
The ICCP protocol defines communication between two control centers using a client/server model. One control center (the server) contains application data and defined functions. Another control center (the client) issues requests to read from the server, and the server responds. Communications over ICCP occur using a common format in order to ensure interoperability.
Two inferences by comparing APT and cyber war:
The first is that cyber warfare is higher in sophistication and in consequence, mostly due to available resources of the attacker and the ultimate goal of destruction versus profit. The second is that in many industrial networks, there is less profit available to a cyber attacker than from others.
CH6. Reconnaissance
The initial reconnaissance, or "foot printing" of a target, enables an attacker to understand the organization's security posture. By properly researching a target, an attacker can conclude information about the company and its employees, the company's Internet presence, internal and external networks and domains, and potential points of entry into those networks.
The business network
The primary entry point to the business network is from the Internet.
Control Loops
The term "loop" derives from the ladder logic that is widely used in these systems: a controller device such as a PLC is programmed with specific logic; the PLC then cycles through its various inputs, applying the logic to adjust outputs or controls, in order to perform a specific function.
SCADA Evolution 1980s
This architecture allows for a stripped-down dedicated computer for remote terminal unit polling, which makes the redundancy problem easier to handle. Processors for large, complex applications might not need redundancy. Historical archiving of data became more necessary; these processors needed large on-line storage as well as removable media for long-term off-line archiving. Graceful degradation is the ability to suffer a partial loss of function; the distributed architecture allows for this.
The SCADA DMZ
Where the business network is "contested ground," the SCADA network is the "middle ground," the demilitarized zone between the business and process control systems.
Enclave
a convenient term for defining a closed group of assets, similar to the functional "zone and conduit" model supported by ISA-99, that is, the devices, applications, and users that should be interacting with each other legitimately in order to function. EX: a control loop: an HMI interfaces with a PLC, which interacts with sensors, motors, valves, etc. to perform a specific control function.
unidirectional data diode
a one-way information transfer device that connects two networks of different security levels and allows information to be sent to the more secure network without the risk of information leakage.
Inter Control Center Protocol (ICCP)/TASE.2
a protocol designed for communication between control centers within the energy industry. Unlike Modbus, which was designed for serial command requests, ICCP was designed for bidirectional Wide Area Network (WAN) communication between a utility control center and other control centers, power plants, substations, and even other utilities.
Programmable Logic Controllers (PLC)
a specialized computer used to automate functions within industrial networks
Asset
a unique device that is used within an industrial control system. Assets are often computers, but also include network switches and routers, firewalls, printers, alarm systems, Human-Machine Interfaces (HMIs), Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and the various relays, actuators, sensors, and other devices that make up a typical control loop
ISA-99
an industrial control security standard created by the International Society of Automation (ISA) to protect SCADA and process control systems.
Intelligent electronic device (IED)
any device commonly used within a control system—such as a sensor, actuator, motor, transformers, circuit breakers, and pumps—that is equipped with a small microprocessor that enables it to communicate digitally. These devices communicate almost exclusively using fieldbus protocols, operating as slave nodes, and are controlled via an upstream RTU or PLC.
Industrial Network
any network operating some sort of automated control system that communicates digitally over a network
HSPD-7
attempts to distinguish the critical versus noncritical systems.
Supervisory Workstation
collects information from assets used within a control system and presents that information for supervisory purposes. It will consist of either an HMI system (with read-only or supervisory access restrictions) or a Data Historian, a device specifically designed to collect a running audit trail of control system operational data.
ISO 27002
defines "Information technology—Security techniques—Code of practice for information security management," and is not specific to industrial network security.
NIST 800 Series
documents provide best practices and information of general interest to information security.
Anomaly Detection
picks up where policy-based detection ends, by providing a "rule less" method of identifying possible threat behavior. Simply, anomaly detection takes action when something out of the ordinary happens.
Exception Reporting
refers to an automated system that notifies the security administrator whenever a defined policy has been violated.
Nuclear Regulatory Commission
responsible for ensuring the safe use of radioactive materials for beneficial civilian (nonmilitary) purposes by licensed nuclear facilities.
Chemical Facility Anti-Terrorism Standards (CFATS)
set of risk-based performance guidelines published by the Department of Homeland Security.
Aurora Project
successfully demonstrated that a controller could be destroyed via a cyber attack. The vulnerability allowed hackers—which in this case were white-hat security researchers at the INL—to successfully open and close breakers on a diesel generator out of synch, causing an explosive failure.
Modbus RTU and Modbus ASCII
support binary and ASCII transmissions over serial buses, respectively
Operation Aurora
It hit Google and others in late 2009 and put the spotlight on the sophisticated new arsenal of cyber war. Operation Aurora used a zero-day exploit in Internet Explorer to deliver a payload designed to exfiltrate protected intellectual property. Operation Aurora changed the threat landscape from denial of service attacks and malware designed to damage or disable networks to targeted attacks designed to operate without disruption, to remain stealthy, and to steal information undetected.
Electronic Security Perimeters
the boundary between secure and nonsecure enclaves.
Common Cyber war methods
Because the threats associated with cyber war trend toward more sophisticated delivery mechanisms and payloads, APT is a logical precursor to cyber war.
CH.2 Critical Infrastructure
to critical network infrastructure, including any network used in the direct operation of any system upon which one of the defined "critical infrastructures" depends.
Human Machine Interfaces (HMIs)
used as an operator control panel to PLCs, RTUs, and in some cases directly to IEDs. HMIs replace manually activated switches, dials, and other controls with graphical representations of the control process and digital controls to influence that process.