
1

Welcome to the World of Insecure Critical Infrastructure

andRoadmap for Protection

ACinfotec RedTeam

2

Who we are

Pornsook Kornkitichai - Senior security architect and consultant; ACinfotec Co., Ltd.

• GPEN, eCPPT, C|EH

• MSc in Computer Science; University of Oxford

• Royal Thai Government Scholarship

• BEng in Computer Engineering; 1st class honour; Chulalongkorn University

• Research Interest: Cyber Crime, Cyber Warfare, Art of attack and defence

Nuttakorn Dhiraprayudti - Security consultant; ACinfotec Co., Ltd.

• CISSP, CISA, eCPPT, PECB 22301 Implementer

• MSc in Information Security; Royal Holloway, University of London

• BEng in Computer Engineering; Chulalongkorn University

• Research Interest: Computer Forensics, Penetration Testing

3

Outline

• A glimpse of ICS/SCADA world

• Insecurity of ICS/SCADA

• Demo

• How to secure

• ICS/SCADA VS Traditional Penetration Testing

• Our services and approaches

4

ICS in brief

ICS (Industrial Control System)

1. SCADA (Supervisory Control And Data Acquisition)

2. DCS (Distributed Control System)

Our industry, our society, and our way of life

depend upon these systems!!!

5

ICS in our daily life

Refinery Plant

Smart Grid

Water Plant

Chemical Processing

Rig

Building Automation System

Data Center

HVAC System

Transportation System

6

Common Components

Controller

Field Device

HMI SCADA Server

Controller

Field Device

Field Device

Field Device

7

HMI

8

Welcome to the insecure world

9

When SCADA went wrong

On June 10, 1999, a pipeline owned by Olympic Pipeline Company ruptured and gasoline leaked into two creeks in Bellingham, Washington. The gasoline ignited, resulting in a fireball that killed 3 persons, injured 8 other persons, caused significant property damage, and released approximately ¼ million gallons of gasoline, causing substantial environmental damage.

10

In the age of Cyber Warfare and cyber espionage

Stuxnet, Duqu, Flame, Gauss, ???

11

Hackers know it very well

# ICS Vulnerabilities reported by ICS-CERT (bar chart): 110 in 2010, 243 in 2011, 347 in 2012

12

Everybody says it is insecure

ICS/SCADA in the old days,

Photo: http://www.gizmodo.com.au/2012/10/the-awesome-control-rooms-that-run-the-world/

13

SCADA in the old days

but ICS/SCADA is now “DIGITALLY CONNECTED”

All rights reserved by Christie Digital

14

It’s moving to

I can find PLC.

15

Windows Environment

All rights reserved by alfonsozt /Flickr

16

also web-accessible

I can find PLC.

Photo: http://dailypayne.com.s60471.gridserver.com/wp-content/uploads/2010/01/day-9-i-see-you.jpg

17

Document Manual

Security is disabled by default. To log in, enter any name; you do not need a password or domain name

S5-LAN-LINK has a special protocol for communication with the PC. For this communication you need a DLL. In this document this DLL will be written down. There is no security of this protocol.

The option of configuring user passwords with special characters is supported in WinCC flexible 2007 or higher. Passwords which contain special characters are not supported in previous versions of WinCC flexible.

A password which contains special characters is reset to the default value “100” if you convert a project as of WinCC flexible 2007 or higher into a previous version. Define a new password without special characters after having completed the conversion.

18

SCADA VS Exploitation Framework

19

Mobile App

20

What if your ICS/SCADA system is online?

“It took only 18 hours to find the first signs of attack on one of the honeypots.”

Who’s Really Attacking Your ICS Equipment?

Percentage of attacks per country

21

Hunting for ICS/SCADA

All rights reserved by Skye Perry/Flickr

22

Looking for ICS

23

World War Map

24

Attacking Smart Meter: Simply Ping Flood

25

ICS Challenges

• Updating OS Patch

• Updating Antivirus Definition

• Cost of testing environment

• Connection between corporate and ICS network

• No security built-in; plain-text protocol, lack of authentication

• Gap between Engineering skills and IT security skills

• External Threats - Cyber Terrorist

• Internal Threats - Disgruntled employees

• Etc.

26

Roadmap for Protection

All rights reserved by Magdalen Green Photography /Flickr

27

1st Dimension : Defence-in-depth

28

2nd Dimension : Security Standard & Guideline

Critical Infrastructure Sector                        Sector-Specific Security Standard

Energy                                                NIST SP800-82, NERC CIP, ISA-99/IEC62443

Public Health and Healthcare                          ISO 27799, HIPAA

Banking and Finance                                   PCI DSS, ISO 27015 (FDIS)

Chemical; Commercial Facilities; Dams;                CFATS, NEI-0404
Commercial Nuclear Reactors, Material and Waste

Telecommunications                                    ISO 27011

Drinking Water and Water Treatment Systems            CFATS

Transportation Systems; Agriculture and Food;         No specific
Defense Industrial Base; Government Facilities;
Information Technology; Postal and Shipping

Source: https://www.dhs.gov/homeland-security-presidential-directive-7

29

3rd Dimension : Assessment Framework

Danger of Traditional Pentest

• A port scan could crash the system because of unexpected payloads and an overwhelming number of packets.

• With embedded devices that are not Windows/Unix, you will have even more problems.

• Most control systems use simple HTTP GET/POST requests, so automated tools could shut down mission-critical functions.

• Traditional pentest tools are not enough for ICS protocols. We need better and more specific tools to tackle the ICS world.

“You need elaborate plans and procedures to conduct a security assessment against an ICS environment.”
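The challenges slide notes that ICS protocols carry no security (plain text, no authentication), and the slide above explains why active scanning is dangerous against such equipment. Put together, the safer way to inventory devices and catch unauthorised commands is to analyse captured traffic passively rather than send packets at controllers. The following Python is an added example, not code from the ACinfotec deck: it parses Modbus/TCP request frames (7-byte MBAP header plus PDU) from a capture, builds an inventory of PLC/unit pairs and the function codes seen, and alerts on write function codes from any host outside an HMI allowlist and on malformed frames. The IP addresses and frames are constructed for the illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus/TCP function codes that change controller state (writes) versus
# those that only read it. Modbus has no authentication, so the source
# address is the only signal available for "who is allowed to write".
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    start_address: Optional[int]   # first coil/register addressed, if the PDU carries one
    data: bytes


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP request: MBAP header (tid, protocol id, length, unit id) + PDU.

    Returns None for anything that is not well-formed: too short, wrong protocol
    identifier, or a length field that disagrees with the bytes actually present
    (a common sign of a fuzzer or a tool that does not speak the protocol).
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:                    # the Modbus protocol identifier is always 0
        return None
    if length != len(payload) - 6:    # length counts the unit id plus the PDU
        return None
    function = payload[7]
    data = payload[8:]
    start = None
    # Standard read and write requests all begin the PDU with a 16-bit start address.
    if (function in READ_FUNCTIONS or function in WRITE_FUNCTIONS) and len(data) >= 2:
        start = struct.unpack(">H", data[:2])[0]
    return ModbusRequest(src, dst, tid, unit, function, start, data)


def analyse(frames, allowed_writers):
    """Passively build an inventory and a list of alerts from captured request frames.

    frames: iterable of (src_ip, dst_ip, tcp_payload) tuples taken from a capture.
    allowed_writers: set of source IPs (HMI / SCADA servers) permitted to write.
    Returns (inventory, alerts); inventory maps (plc_ip, unit_id) -> sorted function codes.
    """
    inventory = {}
    alerts = []
    for src, dst, payload in frames:
        req = parse_modbus_tcp(src, dst, payload)
        if req is None:
            alerts.append(f"malformed Modbus/TCP frame from {src} to {dst}")
            continue
        inventory.setdefault((dst, req.unit_id), set()).add(req.function)
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{WRITE_FUNCTIONS[req.function]} to {dst} unit {req.unit_id} "
                          f"address {req.start_address} from unauthorised host {src}")
    return {k: sorted(v) for k, v in inventory.items()}, alerts


# Constructed sample traffic (hypothetical addresses, not from a real plant):
# the HMI reads and writes a register, an unknown workstation writes coils,
# and one frame carries a length field that does not match its size.
HMI, PLC, ROGUE = "10.0.0.10", "10.0.0.50", "10.0.0.99"
SAMPLE_FRAMES = [
    (HMI, PLC, bytes.fromhex("00010000000601030000000A")),     # fc 3: read 10 holding registers
    (HMI, PLC, bytes.fromhex("0002000000060106001000FF")),     # fc 6: write register 16 = 0x00FF
    (ROGUE, PLC, bytes.fromhex("000300000008010F0000000801FF")),  # fc 15: write 8 coils from 0
    (HMI, PLC, bytes.fromhex("00040000002001030000000A")),     # length says 32, frame has 6
]

if __name__ == "__main__":
    inventory, alerts = analyse(SAMPLE_FRAMES, allowed_writers={HMI})
    for key, functions in inventory.items():
        print("device", key, "functions seen", functions)
    for alert in alerts:
        print("ALERT:", alert)
```

On a real network the frames would come from a SPAN port or tap feed rather than a list; the point is that nothing here transmits to the controller, so the inventory and the write alerts cost the process nothing, which is exactly what an active scan cannot promise.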

30

• Layered-approach security assessment based on NERC CIP, CPNI, ISA-99/IEC62443, ISO27001, SANS

• ICS/SCADA Architecture Review

• Smart Grid Security Assessment

• Safety and availability

• With elite team members

Our services & approaches

31

References

• http://www.incognitolab.com

• http://ics-cert.us-cert.gov/sites/default/files/Year_in_Review_FY2012_Final_0.pdf

• http://www.co.whatcom.wa.us/archives/whatcomcreek/

• http://www.f-secure.com/weblog/archives/00002083.html

• http://365.rsaconference.com/servlet/JiveServlet/previewBody/3697-102-1-4855/BR-208_Bencsath.pdf

• http://blog.trendmicro.com/trendlabs-security-intelligence/whos-really-attacking-your-ics-devices/

• https://www.yokogawa.com/za/cp/overview/pdf/CS_Risk_Assessment.pdf

• http://www.cpni.gov.uk/Documents/Publications/2011/2011034-scada-securing_the_move_to_ipbased_scada_plc_networks_gpg.pdf

• http://www.redtigersecurity.com

32

Q & A