Hacking SCADA/SAS Systems

Used Techniques, Known Incidents

and Possible Mitigations
Seminar at Petroleum Safety Authority Norway
at 29/11-2006

Christian H. Gresser
[email protected]

Agenda
About NESEC
What is SCADA
Well-known Incidents
IT-Security and control Systems
Problems in SCADA security
SCADA systems security is different
Hacking is easy
IT-security in the future
Possible solutions
Lessons learned

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 2

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

About NESEC
Founded 2002 as a system integrator specialized on IT security in
Freising (near Munich/Germany)
Strong focus on security in production environments
Close cooperation with ABB Automation Products, development of
security concepts and solutions for ABB customers
Security analysis and penetration tests, even in life production, to
identify possible threats and rate risks
Working solutions to secure production plants and SCADA systems
without interruption in production
Customers include Munich Airport, Krupp-Mannesmann steel
production, Volkswagen, Altana Pharma, and more

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 3

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

SCADA
Supervisory Control and Data Acquisition
Monitor and control industrial systems
Oil and Gas
Air traffic and railways
Power generation and transmission
Water management
Manufacturing
Production plants
Huge threats
Massive power blackout
Oil refinery explosion
Waste mixed in with drinking water
NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 4

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

What is SCADA and control systems?

The power in your home
The water in your home
Where the wastewater goes
The cereals and milk for breakfast
Traffic lights on the way to the office
The commuter train control system
The phone system to your office
The air conditioning in your office building
The convenience food in the canteen
much, much more

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 5

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Well-known Incidents

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 6

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Well-known Incidents
Aaron Caffrey, 19, brought down the Port of Houston October, 2003. This is
thought to be the first well-documented attack on critical US infrastructure.
In August 2003, computer systems of CSX Transportation got infected by a
computer virus, halting passenger and freight train traffic in Washington,
DC.
In 2003, the east coast of America experienced a blackout, while not the
cause, many of the related systems were infected by the Blaster worm.
Computers and manuals seized 2003 in Al Qaeda training camps were full
of SCADA information related to dams and related structures
Ohio Davis-Besse nuclear power plant safety monitoring system was offline
for 5 hours due to Slammer worm in January 2003
2001, hackers penetrated a California Independent System Operator which
oversees most of the state's electricity transmission grid, attacks were
routed through CA, OK, and China.

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 7

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Well-known Incidents
In 2000, former employee Vitek Boden release a million liters of water into
the coastal waters of Queensland, Australia
A Brisbane hacker used radio transmissions in 2000 to create raw sewage
overflows on Sunshine coast
In 2000, the Russian government announced that hackers succeeded in
gaining control of the worlds largest natural gas pipeline network (owned by
Gazprom)
In 1997, a teenager breaks into NYNEX and cuts off Worcester Airport in
Massachusetts for 6 hours, affecting both air and ground communications.
In 1992, a former Chevron employee disabled its emergency alert system
in 22 states, which wasnt discovered until an emergency happened that
needed alerting.

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 8

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Risks in Production Environments

Viruses, Trojans,
malicious mobile code
42% of all attacks!

Social engineering

Denial of service
attacks

Deficient physical
infrastructure

Vulnerabilities in the OS
and in applications

Hacking and cracking

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Use of protected/illegal
material, private use

Disasters
Seite 9

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Attackers SCADA Knowledge

Ethernet
Just this is
TCP/IP
sufficient
Windows
RPC
SMB
802.11b
HTTP/HTTPS
ASCII
Unix/Linux/Solaris
TFTP
SQL

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

OPC
PLC
RTU
ModBus
IEC 60870
ICCP
HMI/MMI
S5/S7
Fieldbus
IED
TASE-2

Seite 10

This is all on
the Internet

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

How does SCADA work?

Multi-tier systems
Physical measurement/control endpoints
RTU, PLC
Measure voltage, adjust valve, flip switch

Intermediate processing
Usually based on commercial OS
VMS, Windows, Unix, Linux

Communication infrastructure
Analog, Serial, Internet, Wi-Fi
Modbus, DNP3, OPC, ICCP

Human Interface

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 11

Most attacks happen

at this level

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Problems with SCADA

SCADA = no authentication
What is the identity of an automated system?
OPC on Windows requires anonymous login rights for DCOM
How can policies such as change your password monthly be applied
to automated systems running unattended for years?
How do you manage rights for each person?

SCADA = no patching
Systems never needed patches in the past
install a system, replace it in 10 years
large window of vulnerability

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 12

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Problems with SCADA

SCADA = not connected to the Internet
often believed: not interconnected at all
found in reality: numerous uncontrolled connections
even unconnected networks get connected via dial-in or notebooks
from support personnel

SCADA = insecure design and implementation

simple passwords used by many people and never changed
anonymous FTP, Telnet without password
access limitations in control software are often not used

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 13

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

SCADA System security is different

Information Technology

Control Networks

Risk Impact

Loss of data

Loss of production, equipment, life

Risk Management

Recover by reboot

Fault tolerance essential

Safety is a non-issue

Explicit hazard analysis expected

Occasional Failures tolerated

Outages intolerable

Beta test in field acceptable

Thorough quality assurance testing

expected

High throughput demanded

Modest throughput acceptable

High delay and jitter accepted

High delay a serious concern

Most sites insecure

Tight physical security

Reliability

Performance

Security

Little separation among intranets on Information systems network isolated from

same site
plant network
Focus is central server security

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 14

Focus is edge control

device stability
Hacking SCADA Petroleum Safety Authority V1.2 November 2006

SCADA System security is different

Aspect of IT

Corporate IT

Process Control IT

Anti-virus

widely used

often difficult / impossible to

deploy

Lifetime

3-5 years

5-20 years

Outsourcing

widely used

rarely used for operations

Patching

frequent (often daily)

slow (required vendor approval)

Change

frequent

rare

Time criticality

delays OK

critical, often safety dependent

Availability

outages OK (overnight)

24 / 7 / 365

Security skills and

awareness

fairly good

poor

Security testing

widely used

must be used with care

Physical security

usually secure and

manned

often remote and unmanned

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 15

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Standards for IT-Security in SCADA

Standards

Title

Board

BS 7799/ISO 17799

Information Security Management

British Standards Institute /

International Organization for Standardization

ISO 27001

Information Security Management

International Organization for Standardization

ISA SP99

Manufacturing and Control Systems Security

Instrumentation Systems and Automation

IEC 62443 (draft)

widely used

International Electrotechnical Commission

IEC 61784-4 (draft)

(IEC SC65c WG13)

Digital Data Communications for

Measurement and Control Network and
System Security

International Electrotechnical Commission

NIST Process Control

Security Requirements
Forum (PCSRF)

System Protection Profiles (SPP) and

Protection Profiles (PP) for Common Criteria
(ISO 15408)

National Institute for Standards and Technology

NERC Cyber Security

Standard

US IT-security standard for power plant

operation

North American Electric Reliability Council

NISSC Practice Guide on

Firewall Deployment for
SCADA and Process
Control Networks

Firewall Deployment for SCADA and Process

Control Networks

UK National Infrastructure Security Coordination

Centre

NIST Special Publication

800-40

Procedures for Handling Security Patches

National Institute for Standards and Technology

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 16

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Real World Example

Claim: We are secure because the oil production network is
completely separate from the rest of the corporate network
Flaw #1: network diagrams dont match reality
Its the desired configuration not the actual configuration

Flaw #2: diagram obviously doesnt match reality

Dial-in for remote support is in the office network not the production
network, how can they connect?

Flaw #3: notebooks

Notebooks are often used by support personnel to trace problems. Are
the secured?

Flaw #3: insecure production network

No patches, no segmentation, if one systems gets compromised, it
can bring down everything
NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 17

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Hacking is easy
Cross site scripting
stealth / advanced
scanning techniques
packet spoofing denial of service

High
Intruder
Knowledge

sniffers
sweepers
back doors
trojans

Tools

Staged
attack
distributed
attack tools
www attacks
automated probes/scans
GUI

network mgmt. diagnostics

disabling audits
Attack
session
Sophistication
burglaries hijacking
exploiting known vulnerabilities
password cracking
self-replicating code
password guessing

Low
1985

1990

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Attackers

1995
Seite 18

2000

2005

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Hacking is easy
Cross site scripting
stealth / advanced
scanning techniques
packet spoofing denial of service

High
Intruder
Knowledge

sniffers
sweepers
back doors
trojans

Tools

Staged
attack
distributed
attack tools
www attacks
automated probes/scans
GUI

network mgmt. diagnostics

disabling audits
Attack
session
Sophistication
burglaries hijacking
exploiting known vulnerabilities
password cracking
self-replicating code
password guessing

Low
1985

1990

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Attackers

1995
Seite 19

2000

2005

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Example Hack
This example break-in uses only publicly available free software and
information
Nmap port scanner to identify the target OS
(see: http//www.insecure.org/)
Nessus vulnerability scanner to identify the missing patches
(see: http//www.nessus.org/)
Symantec SecurityFocus Vulnerability Database
(see: http://www.securityfocus.com/bid/
or: http://www.milw0rm.com/)
Metasploit Exploit Framework
(see: http://www.metasploit.org/)

Everyone can use these tools!

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 20

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Free Vulnerability Databases 04/04

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 21

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Free Vulnerability Databases 28/11

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 22

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Free Download of all Tools 04/04

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 23

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Free Download of all Tools 28/11

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 24

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Tools used in the Live Hack 29/11

Some tools only work well with a Unix operating system, e.g. Nmap
and Nessus
For the live hacking today we use the following tools:
SuperScan4 from Foundstone (a division of McAfee, Inc.)
(free download: http://www.foundstone.com/resources/freetools.htm)
Metasploit Exploit Framework
(see: http://www.metasploit.org/)
SecurityFocus Vulnerability Database (a division of Symantec Corp.)
(see: http://www.securityfocus.com/bid/

The complete vulnerability scan with Nessus will be skipped due to

time restraints

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 25

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Whats in the future

Microsoft currently does a good job securing their systems
There already is a trend to attack different parts in the operating
system
backup software and anti-virus because agents are installed on all
systems
completely new environments production plants

It is only a matter of time before automation systems will be attacked

A good indicator are the SANS Top 20 Internet Security
Vulnerabilities
see: http://www.sans.org/top20/

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 26

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Whats in the future

2006 was the year of application break-ins
widespread automated exploits for office applications but also backup
software, anti-virus and personal firewalls
new and automated attacks against web applications

2007 will be the year of network components

exploits for router, switches and all the networking gear
Critical infrastructure like DNS will be targeted again

2008 will be the year of embedded and automation systems

many issues are fixed, new targets are required
these systems are finally connected to the networks

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 27

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

900M

Infection Attempts

150,000
800M
Blended Threats
(Code Red, Nimda, Slammer)

700M
600M

125,000

Denial of Service
(Yahoo!, eBay)

100,000

500M

Malicious Code
Infection
Attempts
Network
Intrusion
Attempts

Mass Mailer Viruses

(Love Letter/Melissa)

400M
300M

Zombies

200M
Polymorphic Viruses
(Tequila)

100M

75,000
50,000
25,000
0

1997

1998

1999

2000

2001

2002

2003

Network Intrusion Attempts

More attacks!

2004

2004 CERT

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 28

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

More viruses!

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 29

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

New attack vectors!

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 30

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Shift in awareness necessary

Control systems have become very similar to office environments
They need to be treated similar
Control systems are interconnected to corporate networks or even
the internet
They need the same (or even better) protection
Shift in security awareness:
IT security should be part of the initial design process not an add-on
later
IT security should be part of the standard maintenance procedures not
only after an incident
Every employee is responsible for IT security

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 31

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Awareness is Rising Finally

ISS gave a presentation on SCADA Security at the Black Hat
Federal Conference in January 2006
They found lots of problems in widely used software
OPC has many buffer overflows
OPC over DCOM is often very insecure

and while analyzing SCADA systems

SCADA systems usually have no authentication
SCADA systems are usually not patched

You can go to the store and buy a book on pen-testing

that will give you all the knowledge you need
to cause a widespread power blackout!

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 32

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Multilayered approach necessary

Protecting the infrastructure
Block access to sensitive parts of the infrastructure (e.g. rooms,
buildings), often referred to as physical security

Protecting IT-systems
Use anti-virus software and install patches to protect systems from
viruses, worms and exploits

Protecting networks
Use firewalls and filters for network segmentation

Protecting applications and data

Use encryption and VPNs to protect data from unauthorized access

User education
Train your employees to use and adopt IT security

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 33

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Lessons learned
IT security is becoming very important
Control networks are no longer isolated networks
Automation systems are no longer specialized platforms
They are new targets
They are interesting targets

Hacking Tools are easy to use

Everybody can attack and break into systems
The tools are readily available
If you are not protected, you will be hacked

There is neither cause to panic nor cause to ignore the issue

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 34

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

References
Kevin Poulsen, Slammer worm crashed Ohio nuke plant network,
http://www.securityfocus.com/news/6767
SQL Slammer Worm Lessons Learned for Consideration by the Electricity Sector,
North American Electric Reliability Council,
http://www.esisac.com/publicdocs/SQL_Slammer_2003.pdf
NRC Information Notice 2003-14, Potential Vulnerability of Plant Computer Network
to Worm Infection, United States Nuclear Regulatory Commission,
http://www.nrc.gov/reading-rm/doc-collections/news/2003/03-108.html
Instrumentation, Systems and Automation Society (ISA), Security Technologies for
Manufacturing and Control Systems, Technical Report ANSI/ISA-TR99.00.01-2004,
ANSI/ISA-TR99.00.02-2004, March/April 2004, http://www.isa.org/
International Electrotechnical Commission, Enterprise Network Control Network
Interconnection Profile (ECI), IEC/SC 65C/W 13 Draft v1.04, December 2004
National Infrastructure Security Coordination Centre (NISCC), NISCC Good Practice
Guide on Firewall Deployment for SCADA and Process Control Networks, Revision
1.4, February 2005, http://www.niscc.gov.uk/niscc/docs/re-20050223-00157.pdf
NIST, Procedures for Handling Security Patches, NIST Special Publication 800-40,
August 2002, http://csrc.nist.gov/publications/nistpubs/
NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 35

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

What NESEC can do

Expertise in penetration testing of process control networks
Working and applicable concepts and solutions to secure
production IT environments and PCNs
Review of existing security concepts
Development of Best Practices for PCNs

What can we do for you ???

NESEC Gesellschaft fr angewandte Netzwerksicherheit mbH

Seite 36

Hacking SCADA Petroleum Safety Authority V1.2 November 2006

Thank you very much for your

attendance
Your questions please

Christian H. Gresser
NESEC GmbH
Lichtenbergstrasse 8
D-85748 Garching

Tel.: +49 89 5484-2130

Fax: +49 89 5484-2139
eMail: [email protected]
Web: http://www.nesec.de/