Field Devices and Controllers (ICS410.2)
Compare and contrast IPv4 and IPv6.
32-bit addresses vs. 128-bit addresses; No authentication vs. authentication for endpoints; Encryption provided by higher layers vs. encryption support; Configuration handled by DHCP vs. autoconfiguration.
What is a downside of integrated safety systems?
A lot of the virtualization that happens can be compromised by an attacker. Compromise of the controller/safety system leads to compromise of the safety system/controller since they are integrated.
What is the relationship between risk, a threat, and a vulnerability?
A vulnerability existing by itself is of no danger. A vulnerability coupled with a threat greatly increases the risk to a system.
How can an attacker gain access to HMI/master servers from the field?
Field devices continuously send information to master servers/HMI. An attacker could manipulate this information to cause buffer overflows or logic flaws and achieve remote code execution.
What are common reasons to attack an ICS?
Financial gain; corporate espionage; terrorist activities; political/cyber warfare; hacktivism; educational purposes; misguided "ethical" hackers;
What could an attacker do if able to capture and analyze ICS traffic?
Access gained to network; can analyze traffic becuause most ICS traffic is not encrypted; could map out endpoints, inputs, and outputs; monitor ICS status; build a baseline of your system; capture authentication/remote management tokens; use all of this to prepare for targeted attacks
What is a communication protocol?
Agreement between systems/devices on how they will communicate
What are important considerations wrt an attack tree?
Always subjective based on creator; focused on specific risk (top is ultimate goal, bottom is initial foothold), varying detail; simple trees are better; spending exhaustive times on a tree could cut into just fixing vulnerabilities; attacker will always find holes you didn't think of; innumerable and endless attack possibilities
What are upstream attacks?
An attacker could compromise a field device and attempt to utilize it to gain access to the supervisory controls. Could perform DoS or code execution to try to go 'back up the chain'. Once this access is gained, you basically have access to all other controllers.
What is ARP Spoofing?
An attacker injects ARP packets, which makes devices associate his MAC with different IPs. His machine may end up thought to be the HMI.
What are physical security considerations for plant and field floor equipment?
An attacker with physical access could obtain firmware, modify it, and reupload it to be malicious. An attacker could use an upstream attack after gaining access to insecure ports. Need enhanced perimeter protection and locks. Wireless interfaces also provide an "in". Contact alarms for cabinets/doors are useful as well such that things are only accessed on a known basis.
What is a Zero-Day attack?
An exploit that is not publicly available and typically unknown by the product vendor. Most dangerous because of the difficulty to defend or determine the root of the attack.
What are potential paths to field/plant floor equipment?
Attacker could connect into networks of level 0/1 devices. Could access level 2 and then go down into level 0/1. Attacker could use a physical device such a mobile PC or USB. Supply chain weaknesses could lead attacker to obtain hardware/firmware prior to delivery; remote access for maintenance is sometimes left enabled without owner/operator realizing it (for use of vendors to troubleshoot, but still)
How are Man In the Middle attacks a threat to ICS?
Attackers can inject themselves between the communications, thus being able to see, manipulate, and spoof traffic;
How is spoofing control signals a threat to ICS?
Attackers can spoof controls, causing controllers to act incorrectly; They could even send fake news back to the master servers about system status
How are DoS a threat to ICS?
Bandwidth exhaustion; targeted resource exhaustion; jamming RF signals and EMT; Put ICS out of commission, basically
What is DNS Spoofing?
Cache Poisoning; Attackers trick the server to responding to requests with a fake IP (usually the attackers) so that he can sniff packets;
How does Ethernet work?
Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Listens before transmitting data. If data is already on the wire, it waits before transmitting. If a collision occurs, it waits a random interval then tries again.
What is the difference between CWE and CVEs?
Common Weakness Enumeration: Categories of vulnerabilities Cyber Vulnerabilities Exposures: specific vulnerabilities in specific systems
What exists in the attack surface for a field component?
Component connections, management interfaces, the physical device, firmware, applications, ports
How does the OSI model "work" between two systems?
Consider two systems, A and B. Data at host A begins at the application layer, and moves DOWN the stack all the way to the physical layer, with each layer adding its own data to the packet. At the physical layer, the data is transmitted to host B's physical layer. The packet then moves UP the stack, with each layer stripping off bits of data added from host A's corresponding layers, then stops at application layer for use.
Walk through a "simple" flow of data in a DCS.
Data originates in level 0 (actuators and sensors), is processed and queued in level 1 (controllers/RTUs), processed and stored in levels 2/3 (supervisory), then finally to levels 4 and 5. This is an oversimplification, data can originate from anywhere. This is merely 1 type of flow.
What is the typical lifecycle of an engineering project?
Define the problem, Establish scope, Specify requirements, Develop design, Procurement, Construction/Installation, Configure, Test, Commission, Maintenance, Decommission
What are potential attacks on field components?
Disrupting communications, consuming processes and resources, changing configurations, rebooting devices, modifying programming/setpoints, manipulating firmware and applications
What are important take aways from the HatMan malware which can impact safety systems?
Do not allow remote access to SIS, isolate the safety network as much as possible, don't leave the key in Program mode
What are security concerns wrt embedded electronic attacks?
Embedded electronic attacks may be used to retrieve cryptographic keys and firmware which help bypass local security controls. These keys may also be able to be used to attack master services. Older devices have practically no security controls in place, so these types of attacks are less likely to happen because the ease of access is already there. Newer field devices however have increased security controls, which means increased chances for vulnerablility exploitation.
What are common input handling flaws?
Enumeration: receives responses for all possible predictable inputs; Targeted Vulnerabilities: Providing invalid inputs such as a SQL injection; Buffer Overflow: random inputs of varying lengths to try and crash an application for the purpose of code injection;
What is Ethernet/IP?
Ethernet Industrial Protocol (awful name). Used UDP messages for IO data, typically on a separate network due to the volume of broadcast messages; data rates can be defined by engineers; uses RPI
How and why is Ethernet used in ICS?
Ethernet provides faster speeds, which is beneficial for ICS that house RTOS. The lack of TCP/IP overhead makes it faster.
What is Profinet?
Ethernet version of Profibus; Three versions TCP/IP, Real Time, Isochronous real time; valid data ends in 0x80 and failures end in 0x00
How might an attacker attack firmware?
Firmware could be obtained by analyzing the data dump or captured communications in bus sniffing. It could also be obtained by physically connecting to a device, finding the file on a workstation, or even just downloading it from the vendor. Once the firmware is obtained, an attacker could analyze it for keys or algorithms, or reverse engineer it to discover vulnerabilities to exploit. They could also modify the firmware and attempt to re-upload it to the device, turning it into an attack tool.
Describe the IPv6 addressing scheme.
First 48 bits (6 bytes), is the network prefix, defines the organization. The next 16 bits (2 bytes), is the subnet ID, internal to the organization. The last 64 bits (8 bytes) is the Interface ID, MAC address or randomly assigned by OS. "chunks" of 0's (such as :000:) can be collapsed to "::". Prepended 0's (such as 0013) can be removed (to 13).
How is fuzzing a threat to ICS?
Fuzzing tests an applications ability to handle a large variety of traffic; Can use applications' response to find anomalies, and see if such anomalies could lead to a vulnerability
Explain the stratum scale.
Goes from 0 to 15, with 0 being the most accurate and closest to the correct time and 15 being the least accurate. S0 are high-precision time keeping devices. S1 syncs within microseconds of an attached S0. S2 syncs over a network to S1. S3 syncs over a network. S16 indicates no accurate time or that the device is unsynchronized
What equipment which pertains to the field/plant floor should be protected?
Industrial networks and Fieldbus(wireless comm, comm bridges, industrial/management protocols); Field devices (RTOS/Firmware, interfaces, safety systems); engineering workstations (system applications, program files)
What is ICCP?
Inter-Control Center Communications Protocol; standardized protocol used for formatting and exchanging data between control centers and facilities
What is ICMP?
Internet Control Message Protocol. Simple network layer protocol, used to carry information about the state of a network and error conditions. Not a protocol for transmission of data, but designed for error reporting. v4 and v6 based on which IPv is being used.
How can an attacker use entropy to find keys from information dumped from a circuit board?
Keys have high entropy (super random), so by measuring the entropy levels of various data blocks, those with out-of-place high entropy levels indicate where something cryptographic is occurring, like creating a key.
What is an ethernet hub?
Layer 1 device; replicates traffic onto all ports, which creates a large collision domain
What are Ethernet Network Devices on Layer 1, 2, and 3?
Layer 1: Hub Layer 2: Bridge, Switch Layer 3: Router, Switch
What is an ethernet bridge?
Layer 2 device; connects hubs, breaks up collision domains; identifies devices by MAC address
What is an ethernet switch?
Layer 2 or 3 device; Layer 2 device combines hub and bridge functions by being a bridge with more than 2 ends, and it can retransmit data to multiple ports. Like a bridge, it builds a map of MAC addresses as it exchanges data. Layer 3 device has all switch functions, but can also route data like a router;
What is an attack surface?
List of system inputs that an attacker could use to compromise a system; not necessarily just known vulnerabilities
What are security concerns wrt field device maintenance?
Local interfaces exist for technicians to perform maintenance; sometimes authentication doesn't exist on these interfaces, which gives immediate access to an attacker. If authentication is used, physical access to the device may be able to override it. Common universal passwords (admin/guest) are also used across multiple devices
What is an attack tree?
Logical string of attacks to accomplish some greater attacker goal
What is a loopback address?
Loopback addresses are IPs of a local system that call back to itself. Think of a web application development environment requesting different services that are hosted on the local machine.
Describe the data to be protected at each Purdue Level and the Control DMZ.
Lvl 1: Control Devices--tag lists, mappings, setpoints, firmware, etc. Lvl 2: Supervisory--project files, logic, loop configurations, device configurations, alarm thresholds, etc. Lvl 3: Operations--Operation schedules, historian information, models Control DMZ: Enforcement rules, security configurations/settings Lvl 4: Business/Site Specific Network--data about operators and plant staff Lvl 5: Enterprise Business Network--network architectures, network management, credentials
What are MAC/IP addresses used for on network devices?
MAC (layer 2) used to determine the next hop; IP (layer 3) used to determine the route across networks.
What is MMS?
Manufacturing Messaging Specificiation; "future" of SCADA ops in electric grids; Master to field comm; Uses symbolic names for data points, supports self-descriptive services, can pull metadata with measured data
What are common targets for the attack surface of a control network?
Master servers (server attacks), front end communications, HMI attacks, malware via internet/USB into control workstations; physical attacks, embedded electronics attacks on field devices; network attacks on WAN
What are the two proposed communication layers of the OSI model?
Mediums: PHY/MAC (data link + physical layers) and Protocols, which are all the upper layers.
Compare and contrast monolithic and microkernel based operating systems.
Microkernel (common RTOS) utilizes "userland" to handle some typical kernel functions. The kernel handles basic IPC, VM, and scheduling, while pushing information to other programs on the user side such as application IPC, servers, device drivers, and file servers. Monolithic kernel architecture maintains IPC, file systems, device drivers and VM on the kernel side, while the user-side applications pull data from such components.
What is NCCIC ICS-Cert?
NCCIC's datastore for ICS-specific vulnerabilities
What is NAC?
Network Access Control; dynamic VLAN allocation; isolates systems when connected to the network so that they can be scanned and checked before being places in the trusted network; can determine what user/machine has connected and allocate a VLAN particularly for that user/machine
How do MAC/IP addresses relate to network devices?
Network devices typically have a software and hardware address. MAC is hardware, IP is software. IPs can be mapped to MACs via ARP. MACs can be mapped to IP using ARP/RARP.
What are the benefits of an integrated safety system?
No additional hardware, reduced wiring, short response times, simplified proof of safety
What are the security concerns associated with remote field devices?
Often placed in places with limited physical protection; simple fences and locks can be bypassed, cameras are rarely monitored; physical access to a field device allows manual control of the control signals, and could potentially provide a remote access point for other devices or (worst case) the master server itself.
What is QNX?
Owned by BlackBerry, RTOS which utilizes microkernel. Very unix/linux-like OS. Used with Apple CarPlay, variety of medical devices.
What is an ethernet router?
Perimeter device that interconnects logical networks, whereas switch/bridge connects physical network segments. Directs data by tracking IP addresses, only sends packets to destinations that are defined in the packet
What exists in the attack surface for a micro-controller?
Physical components such as chips, cards, ports, which provide input to the system; Firmware/RTOS vulnerabilities, as well as improper equipment disposal; applications on the microcontroller; communication protocols that can be intercepted to connect to other components; Supply chain compromises; the people themselves who interact with micro-controller components.
Define the layers of the OSI model.
Physical: transmission across physical media Data link: connects physical network parts with abstract parts Network: handles network address scheme and connectivity of network segments Transport: Prepares data to be transmitted, sequences packets in transmission Session: Establishes and maintains connectivity between systems Presentation: Formats data on sending/receiving ends so that it can be read Application: Determines what network services are needed, manages requests from the application to other layers down the stack
Explain the DNP3/IEC-104 sister protocols.
Primarily developed for SCADA operations in electrical substations; Master to field device communication; Can send timestamps if device has a real time clock; can offer crypto via TLS;
How is IPv4 efficiently used in relation to private networks?
Private networks don't access the internet, a gazillion private networks can use the same IPs and it never be a problem. Once these IPs reach a firewall or router, a Network Address Translation occurs to assign an external IP to the internal one.
What are ICS specific documents and diagrams that support the engineering lifecycle?
Process Flow Diagram, Process & Instrumentation Diagram, equipment lists, Testing/Installation/Commissioning
What is the ISA Security Compliance Institute?
Product testing and assessment process; VIT, CRT, SRT, compliance testing for standards
What is Functional Safety?
Protection against hazards caused by incorrect functioning of components or systems
What is OPC/OPC UA?
Protocols that could communicate from layer 2 devices to other vendors by translating data to the right format; "vendor neutral"; OPC UA is successor, not Windows-Specific like OPC; OPC UA has improved security;
What is Embedded Linux?
RTOS. Some linux distros used modified kernels to achieve realtime IO handling; modern kernels support real-time scheduler; field devices also use non-real-time embedded linux, because sometimes CPU-bound processes are more important
What is RTOS and how does it differ from traditional OSs?
Real Time Operating System. Specialize in I/O handling, works in a deterministic way, such that it can guarantee so many CPU cycles between actions; does not necessarily mean fast, just means it operates in real-time at measurable, consistent standards. Present on more complex embedded devises.
What are CWE 121, 122, 20, and 79?
Respectively: Stack-based BO, heap-based BO, improper input validation, cross-site scripting
Identify which time source/references exist at which stratum levels.
S0: Global sources such as GPS. S1: Site servers, dedicated servers/devices which sync via GPS/Glonass S2: Time sensitive devices/systems such as controllers/historians. Utilize IRIG-B and PTP S3: Non-sensitive devices, may use NTP
What is an attack model?
Series of diagrams/descriptions of how attackers can attack a system
What is the ISA/IEC 62443?
Set of documents that cover guidance for procurement/development etc. of ICS systems. Includes security compliance.
What is a protocol stack?
Set of network protocols that work together to implement communications
What is Ethernet?
Shared network media protocol. Most common layer 2 (OSI) protocol
Where can vulnerabilities exist?
Software flaws, improper configurations, poor physical security and hiring practices, etc.
What is IEC 62351?
Standard in development to increase security of ICS protocols; incorporating TLS into those protocols;
What are the three basic purposes of communication protocols?
Standardize communication format, specify communication order/timing, allow all parties to determine meaning of a communication
How does the TCP/IP Model compare to the OSI Model?
TCP/IP model only has 4 layers: Application, transport, internet, and network. Application encompasses the application/presentation/session layers of OSI model. Transport and Internet correspond to Transport and Network of OSI. TCP/IP's Network layer corresponds to OSI's Data Link and Physical layers.
Compare and contrast TCP and UDP.
TCP: Establishes connection before data transmission via 3-way handshake, Confirms data delivery; uses packet sequence numbers; slower because of more overhead/header information; more packets due to handshake; UDP: Connectionless, send and forget; no delivery confirmation; no sequence numbers; less overhead, so faster; small header, fewer packets
What is "stratum"?
Term used to provide a relative measure of closeness to a central or high-quality time server or reference time source
What are common entry points in an attack surface at a high-level?
The internet, client-side workstation attacks, malicious insiders (employees and attackers who have already gained access), compromised remote access, malware on USB, physical/wireless access;
Why are attack surfaces important?
The more you can decrease your attack surface the more resilient and difficult to compromise the system is
What is the difference between Traditional and Integrated safety systems?
Traditional systems have a separate safety tech, while integrated is integrated with controllers and components.
What is Wind River VXWorks?
Used in many ICS devices such as NASA Mars Rover, Linksys Wifi Routers, Boeing Apache helicopter; known for debug interface which allows engineers (if enabled) to have high access level to RTOS; not common to see a 'log in' type situation with RTOS; debug interface still in delivered products; good for forensics........and attackers
Describe what occurs doing Dumping Data at Rest.
Utilize special hardware to connect directly to data storage chips and dump their contents.
Describe what occurs during Bus Snooping Data in Motion.
Utilize special hardware to connect to circuit board components and use bus sniffing to capture communication between chips. Could capture firmware or cryptographic network keys.
What are TUV/SIL certifications?
Verifications of safety implementations.
What is a VLAN?
Virtual LAN; Segmentation of a switch into different networks; Can utilize ACLs to control traffic between VLANs
What are common security concerns for ICS protocols?
Vulnerabilities to man in the middle attacks; Lack of authentication; weak integrity; protocols not designed with security in mind
What is a vulnerability?
Weakness in a system or process that could be exploited by a threat.
What is Modbus TCP?
Widely accepted protocol developed in '79; used for master (HMI) to field (PLC) communications. Field device cannot initiate communications, only simple req/resp protocol; No inherent security, vulnerable to interception and injections
What is Windows CE?
Windows Embedded Compact; built specifically for embedded devices, nothing like traditional Windows OS; includes smaller kernel and visual studio for dev/debugging;