Hacking SCADA
Christian H. Gresser
[email protected]
Agenda
About NESEC
What is SCADA
Well-known Incidents
IT-Security and control Systems
Problems in SCADA security
SCADA systems security is different
Hacking is easy
IT-security in the future
Possible solutions
Lessons learned
About NESEC
Founded 2002 as a system integrator specialized in IT security in
Freising (near Munich/Germany)
Strong focus on security in production environments
Close cooperation with ABB Automation Products, development of
security concepts and solutions for ABB customers
Security analysis and penetration tests, even in live production, to
identify possible threats and rate risks
Working solutions to secure production plants and SCADA systems
without interruption in production
Customers include Munich Airport, Krupp-Mannesmann steel
production, Volkswagen, Altana Pharma, and more
SCADA
Supervisory Control and Data Acquisition
Monitor and control industrial systems
Oil and Gas
Air traffic and railways
Power generation and transmission
Water management
Manufacturing
Production plants
Huge threats
Massive power blackout
Oil refinery explosion
Waste mixed in with drinking water
NESEC Gesellschaft für angewandte Netzwerksicherheit mbH
Well-known Incidents
Well-known Incidents
Aaron Caffrey, 19, brought down the Port of Houston in October 2003. This is
thought to be the first well-documented attack on critical US infrastructure.
In August 2003, computer systems of CSX Transportation got infected by a
computer virus, halting passenger and freight train traffic in Washington, DC.
In 2003, the east coast of America experienced a blackout; while not the
cause, many of the related systems were infected by the Blaster worm.
Computers and manuals seized in 2003 in Al Qaeda training camps were full
of SCADA information related to dams and related structures.
The safety monitoring system of the Davis-Besse nuclear power plant in Ohio
was offline for 5 hours due to the Slammer worm in January 2003.
In 2001, hackers penetrated the California Independent System Operator, which
oversees most of the state's electricity transmission grid; the attacks were
routed through CA, OK, and China.
Well-known Incidents
In 2000, former employee Vitek Boden released a million liters of water into
the coastal waters of Queensland, Australia.
A Brisbane hacker used radio transmissions in 2000 to create raw sewage
overflows on the Sunshine Coast.
In 2000, the Russian government announced that hackers had succeeded in
gaining control of the world's largest natural gas pipeline network (owned by
Gazprom).
In 1997, a teenager broke into NYNEX and cut off Worcester Airport in
Massachusetts for 6 hours, affecting both air and ground communications.
In 1992, a former Chevron employee disabled its emergency alert system
in 22 states, which wasn't discovered until an emergency happened that
needed alerting.
Social engineering
Denial of service attacks
Deficient physical infrastructure
Vulnerabilities in the OS and in applications
Use of protected/illegal material, private use
Disasters
OPC
PLC
RTU
ModBus
IEC 60870
ICCP
HMI/MMI
S5/S7
Fieldbus
IED
TASE-2
This is all on the Internet
Intermediate processing
Usually based on commercial OS
VMS, Windows, Unix, Linux
Communication infrastructure
Analog, Serial, Internet, Wi-Fi
Modbus, DNP3, OPC, ICCP
Human Interface
SCADA = no patching
Systems never needed patches in the past
install a system, replace it in 10 years
large window of vulnerability
Control Networks
Risk Impact
Loss of data
Risk Management
Recover by reboot
Safety is a non-issue
Outages intolerable
Reliability
Performance
Security
Corporate IT vs. Process Control IT

                     Corporate IT                     Process Control IT
Anti-virus           widely used
Lifetime             3-5 years                        5-20 years
Outsourcing          widely used
Patching
Change               frequent                         rare
Time criticality     delays OK
Availability         outages OK (overnight)           24 / 7 / 365
                     fairly good                      poor
Security testing     widely used
Physical security
                     BS 7799/ISO 17799, ISO 27001     ISA SP99
                     (widely used)
Hacking is easy
[Chart: attack sophistication versus intruder knowledge, 1985 to 2005. The
intruder knowledge required falls from High to Low while the tools grow more
capable: sniffers, sweepers, back doors, trojans, www attacks, automated
probes/scans, GUI tools, packet spoofing, denial of service, stealth/advanced
scanning techniques, distributed attack tools, staged attacks, cross site
scripting.]
Example Hack
This example break-in uses only publicly available free software and information
Nmap port scanner to identify the target OS
(see: http://www.insecure.org/)
Nessus vulnerability scanner to identify the missing patches
(see: http://www.nessus.org/)
Symantec SecurityFocus Vulnerability Database
(see: http://www.securityfocus.com/bid/
or: http://www.milw0rm.com/)
Metasploit Exploit Framework
(see: http://www.metasploit.org/)
More attacks!
[Chart (2004 CERT): malicious code infection attempts per year (left axis,
0 to 900M) and network intrusion attempts per year (right axis, 0 to
150,000), 1997 to 2004, annotated with polymorphic viruses (Tequila),
zombies, denial of service (Yahoo!, eBay) and blended threats (Code Red,
Nimda, Slammer).]
More viruses!
Protecting IT-systems
Use anti-virus software and install patches to protect systems from
viruses, worms and exploits
Protecting networks
Use firewalls and filters for network segmentation
User education
Train your employees to use and adopt IT security
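Segmentation alone leaves the PLC behind the firewall unpatched, so the filter in front of it has to understand the control protocol. As an added example (not code from this talk or from NESEC), here is the kind of Modbus/TCP frame check a protocol-aware firewall applies: it validates the MBAP header and enforces a hypothetical policy in which a corporate-side host may only read while the HMI may also write; the addresses and the policy table are assumptions.

```python
import struct

# Modbus/TCP frame = MBAP header + PDU.  MBAP: transaction id (2 bytes),
# protocol id (2, always 0), length (2, counts unit id + PDU), unit id (1).
# The PDU starts with the function code; writes change the process, reads do not.
READ_FUNCS = {1, 2, 3, 4}       # read coils / discrete inputs / holding / input regs
WRITE_FUNCS = {5, 6, 15, 16}    # write single/multiple coils and registers

# Hypothetical policy (constructed addresses): the HMI in the control segment
# may read and write, a corporate-side historian may only read, and every
# other source is denied.  A real deployment would key this on firewall zones.
POLICY = {
    "10.0.0.5": READ_FUNCS | WRITE_FUNCS,   # HMI
    "192.168.1.20": READ_FUNCS,             # corporate historian
}

def parse_mbap(frame):
    """Return (transaction_id, unit_id, function_code, data); raise on malformed input."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("length field %d disagrees with frame size" % length)
    if length > 254:                       # unit id + 253-byte PDU maximum
        raise ValueError("PDU exceeds the Modbus maximum")
    return tid, unit, frame[7], frame[8:]

def filter_frame(src_ip, frame):
    """Decide (allowed, reason) for one frame arriving at the control-network firewall."""
    try:
        _, unit, fc, _ = parse_mbap(frame)
    except ValueError as err:
        return False, "drop malformed frame: %s" % err
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return False, "drop: source %s not in policy" % src_ip
    if fc not in allowed:
        return False, "drop: function %d not permitted for %s" % (fc, src_ip)
    return True, "pass: function %d to unit %d" % (fc, unit)

# Constructed sample frames (hex): read 10 holding registers, write one register,
# and a frame whose length field claims more bytes than were actually sent.
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
WRITE_FRAME = bytes.fromhex("0002 0000 0006 01 06 0001 00ff")
BAD_LEN_FRAME = bytes.fromhex("0003 0000 0006 01 03 0000")
```

The same read-only rule is what lets an unpatchable controller stay reachable for monitoring without accepting state-changing commands from the corporate side.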
Lessons learned
IT security is becoming very important
Control networks are no longer isolated networks
Automation systems are no longer specialized platforms
They are new targets
They are interesting targets
References
Kevin Poulsen, Slammer worm crashed Ohio nuke plant network,
http://www.securityfocus.com/news/6767
SQL Slammer Worm Lessons Learned for Consideration by the Electricity Sector,
North American Electric Reliability Council,
http://www.esisac.com/publicdocs/SQL_Slammer_2003.pdf
NRC Information Notice 2003-14, Potential Vulnerability of Plant Computer Network
to Worm Infection, United States Nuclear Regulatory Commission,
http://www.nrc.gov/reading-rm/doc-collections/news/2003/03-108.html
Instrumentation, Systems and Automation Society (ISA), Security Technologies for
Manufacturing and Control Systems, Technical Report ANSI/ISA-TR99.00.01-2004,
ANSI/ISA-TR99.00.02-2004, March/April 2004, http://www.isa.org/
International Electrotechnical Commission, Enterprise Network Control Network
Interconnection Profile (ECI), IEC/SC 65C/W 13 Draft v1.04, December 2004
National Infrastructure Security Coordination Centre (NISCC), NISCC Good Practice
Guide on Firewall Deployment for SCADA and Process Control Networks, Revision
1.4, February 2005, http://www.niscc.gov.uk/niscc/docs/re-20050223-00157.pdf
NIST, Procedures for Handling Security Patches, NIST Special Publication 800-40,
August 2002, http://csrc.nist.gov/publications/nistpubs/
Christian H. Gresser
NESEC GmbH
Lichtenbergstrasse 8
D-85748 Garching