Presentation, Part 1 - SCADA-DCS Control Systems Vulnerability


control system vulnerabilities

> analysis of 5 years of field data

Jonathan Pollet, CISSP, CAP, PCIP


Red Tiger Security

[on behalf of the DHS CSSP program - contract #240704]

1
Jonathan Pollet – CISSP, PCIP, CAP

—  12 Years of Electrical Engineering, SCADA, Industrial Controls, and IT Experience
—  PLC Programming and SCADA System Design and Commissioning
—  Wireless RF and Telecommunications Design and Startup
—  Front-end Web Development for SCADA data
—  Backend Database design for SCADA data
—  Acting CIO for Major Oil Company for 2 years – Enterprise IT Management

—  Last 8 Years Focused on SCADA and IT Security


—  Published White Papers on SCADA Security early in 2001
—  Focused research and standards development for SCADA Security since 2002
—  Conducted over 120 security assessments on Critical Infrastructure systems
—  Conducted over 75 International conferences and workshops on CIP
—  Developed safe security assessment methodology for live SCADA Systems
—  Co-developed the SCADA Security Advanced 5-day training course

2
outline
—  background on the project

—  review of ISA99 architecture model

—  source for data used in the analysis

—  interesting results


—  avg. # of days between vulnerability disclosure and discovery
—  where in the architecture are most vulns being discovered
—  does the type of vulnerabilities change throughout the architecture
—  workstation HMI vulnerabilities ranked by OS
—  network vs. host/application vulns throughout the architecture
—  interesting security findings on control system networks

—  Q & A

3
project background
—  Over 38,000 control system vulnerabilities collected over 5 years, from mid-2002 to 2008

—  Over 100 security assessments performed on critical infrastructure facilities such as electric power generation plants, transmission energy control centers, chemical plants, water plants, and oil/gas production, refining, and pipeline systems

—  Vulnerability analysis and classification conducted under a research project facilitated by INL and funded through the DHS Control Systems Security Program contract #240704

—  ISA99 architecture model used to classify where the vulnerabilities were discovered in the systems

4
5
data source – what was collected?
—  From mid-2002 to 2008, vulnerability data was stripped of any client information and the raw vulnerabilities were captured in a database with the following fields:
    —  Vulnerability ID (auto-numbered from entry number 1)
    —  Vulnerability Title (title for the vulnerability)
    —  Security Zone or Location (location based on the ISA99 model where the vulnerability was located)
    —  Disclosure Date (date when the vulnerability was publicly disclosed)
    —  Discovery Date (date when the vulnerability was discovered by the team and entered into the database)
    —  Days Between Disclosure and Discovery (time between disclosure and detection)
    —  Vulnerability Detailed Description
    —  Vulnerability Suggested Remediation Steps

6
interesting results
—  avg. # of days between vulnerability disclosure and discovery
    —  all field data was exported from the database to an Excel spreadsheet containing over 38,000 rows, and much of the analysis had to be performed manually
    —  since we captured when the vulnerability was publicly disclosed, and also captured when the vulnerability was discovered and entered into the database, we were able to perform a simple diff against these two fields
    —  vulnerabilities that were never publicly disclosed were thrown out of this particular exercise, since negative or zero entries would throw off the calculations
    —  the maximum number of days between when a vulnerability was publicly disclosed and when it was found during an assessment was over 3 years!
    —  the average was 331 days, or close to 1 year. this means that on average most SCADA and process control environments contained latent vulnerabilities, probably with compiled exploits already available, that were not discovered until almost a year later and would not have been discovered at all had the asset owner not funded the assessment.

7
where are the vulnerabilities
being discovered?
[Pie chart: Vulnerabilities by Location in Architecture. Legend: Level 5 - Internet DMZ zone; Level 4 - Enterprise LAN zone; Level 3 - Operations DMZ; Level 2 - Supervisory HMI LAN; Level 1 - Controller LAN; Level 0 - Instrumentation bus network. Slice labels as extracted: 46.3%, 24.7%, 16.9%, 11.8%, 0.3%, 0.0%. The slice-to-level mapping is not recoverable from the text, except that the summary slide attributes the largest share to the Operations DMZ and slide 14's 105 controller LAN findings correspond to the 0.3% slice.]
8
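As an added example (not from the presentation or the study's tooling), the slide 7 exposure-window calculation and the slide 8 per-zone breakdown reproduced over records shaped like the slide 6 database fields; the sample rows are constructed and every value in them is made up.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed sample rows shaped like the slide 6 database fields:
# (ID, title, ISA99 zone, disclosure date, discovery date).
# A disclosure date of None means the issue was never publicly disclosed.
# All values are made up for illustration, not data from the study.
SAMPLE_ROWS = [
    (1, "IIS buffer overflow", "Level 3 - Operations DMZ", date(2003, 3, 17), date(2004, 2, 11)),
    (2, "MS SQL weak sa password", "Level 3 - Operations DMZ", date(2002, 7, 24), date(2005, 9, 1)),
    (3, "Apache mod_ssl overflow", "Level 5 - Internet DMZ zone", date(2002, 7, 30), date(2003, 1, 8)),
    (4, "Undisclosed HMI config issue", "Level 2 - Supervisory HMI LAN", None, date(2006, 5, 4)),
    (5, "QNX telnet enabled", "Level 1 - Controller LAN", date(2005, 4, 2), date(2005, 4, 2)),
    (6, "Windows 95 host, unsupported", "Level 2 - Supervisory HMI LAN", date(2001, 12, 31), date(2004, 6, 15)),
]


def exposure_days(disclosed, discovered):
    """Slide 7's 'simple diff': days a vulnerability was public before the
    assessment found it. None when it was never publicly disclosed."""
    if disclosed is None:
        return None
    return (discovered - disclosed).days


def exposure_stats(rows):
    """Average and maximum exposure window. Rows with no disclosure date,
    and zero or negative diffs, are dropped, as slide 7 describes."""
    windows = []
    for _id, _title, _zone, disclosed, discovered in rows:
        days = exposure_days(disclosed, discovered)
        if days is not None and days > 0:
            windows.append(days)
    return {"count": len(windows), "avg_days": mean(windows), "max_days": max(windows)}


def share_by_zone(rows):
    """Percentage of all findings per ISA99 zone, as in slide 8's pie chart."""
    counts = Counter(zone for _id, _title, zone, _dis, _disc in rows)
    total = sum(counts.values())
    return {zone: round(100 * n / total, 1) for zone, n in counts.items()}


if __name__ == "__main__":
    print(exposure_stats(SAMPLE_ROWS))  # count 4, avg 631.25, max 1135 days
    for zone, pct in sorted(share_by_zone(SAMPLE_ROWS).items(), reverse=True):
        print(f"{zone}: {pct}%")
```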
does the type of vulnerabilities
change throughout the architecture?
—  classified each vulnerability by the system that was impacted and where
the vulnerability was found in the architecture

—  A common set of system types emerged from the data set at each network zone or segment:
—  Email Server Applications
—  Web Server Platforms (Apache and IIS)
—  Business Applications
—  Shopping Cart Applications
—  Applications written on PHP platform
—  Applications written on ASP or .NET platform
—  Database Servers (MS SQL, mySQL, and Oracle)
—  FTP Servers
—  Portal Servers (Blogs, Forums, etc…)
—  Workstation (client) vulnerabilities
9
systems impacted at the Internet DMZ zone

[Pie chart: Internet DMZ Vulnerabilities. Legend: Email Server Applications; Web Server Platforms (Apache and IIS); Business Applications; Shopping Cart Applications; Applications written on PHP platform; Applications written on ASP or .NET platform; Database Servers (MS SQL, mySQL, and Oracle); FTP Servers; Portal Servers (Blogs and Forums); Workstation (client) vulnerabilities. Slice labels as extracted: 25.8%, 23.3%, 12.7%, 11.4%, 10.0%, 7.8%, 5.6%, 2.2%, 1.2%, 0.0%; the slice-to-category mapping is not recoverable from the text.]
10
systems impacted at the Enterprise LAN zone

[Pie chart: Enterprise LAN Vulnerabilities. Legend: Email Server Applications; Web Server Platforms (Apache and IIS); Business Applications; Shopping Cart Applications; Applications written on PHP platform; Applications written on ASP or .NET platform; Database Servers (MS SQL, mySQL, and Oracle); FTP Servers; Portal Servers (Blogs and Forums); Workstation (client) vulnerabilities. Slice labels as extracted: 23.4%, 19.3%, 12.6%, 12.5%, 9.7%, 5.9%, 5.9%, 5.0%, 4.6%, 1.2%; the slice-to-category mapping is not recoverable from the text.]
11
systems impacted at the Operations DMZ zone

[Pie chart: Operations DMZ Vulnerabilities. Legend: Email Server Applications; Web Server Platforms (Apache and IIS); Business Applications; Shopping Cart Applications; Applications written on PHP platform; Applications written on ASP or .NET platform; Database Servers (MS SQL, mySQL, and Oracle); FTP Servers; Portal Servers (Blogs and Forums); Workstation (client) vulnerabilities. Slice labels as extracted: 41.4%, 19.8%, 15.3%, 6.0%, 5.5%, 3.9%, 3.3%, 2.3%, 1.5%, 1.1%. The slice-to-category mapping is not recoverable from the text; the summary slide states that web server and back-end database findings made up the largest share in this zone.]
12
workstation HMI vulnerabilities ranked by OS

[Pie chart: Supervisory HMI LAN Vulnerabilities. Legend: Microsoft-based Operating System or Applications; Red Hat Linux Operating System or Applications; Tru64 Operating System or Applications; HPUX Operating System or Applications; IBM AIX Operating System or Applications; FreeBSD Operating System or Applications; SCO UNIX Operating System or Applications; Sun Solaris Operating System or Applications; SuSE Linux Operating System or Applications. The Microsoft-based slice is the largest at 62.2% (the "overwhelming majority" of the summary slide); the remaining slice labels as extracted are 11.5%, 8.3%, 6.7%, 4.4%, 2.4%, 2.2%, 1.4%, 0.9%, and their mapping to the other operating systems is not recoverable from the text.]
13
only logged 105 controller LAN vulnerabilities, but QNX showed up as the most typical source

[Pie chart: Controller LAN Vulnerabilities. Legend: Vulnerabilities in Controller LAN due to Phone/Telecom Equip; Vulnerabilities in Controller LAN due to QNX; Misc. Vulnerabilities. QNX is the largest slice at 65.7%; the remaining slice labels as extracted are 19.0% and 15.2%, and their mapping to Phone/Telecom and Misc. is not recoverable from the text.]
14
network vs. host/application vulns throughout the architecture

[Stacked bar chart: Network versus Host/Application Vulnerabilities by Location in Architecture. Two series, Host/Application and Network; bar labels as read from the chart, left to right:]
Level 5 - Internet DMZ zone:    Host/Application 64.0%   Network 35.4%
Level 4 - Enterprise LAN zone:  Host/Application 90.7%   Network 9.3%
Level 3 - Operations DMZ:       Host/Application 95.1%   Network 3.4%
Level 2 - Supervisory HMI LAN:  Host/Application 96.7%   Network 3.3%
15
interesting security findings on control system networks
—  VOIP (Voice over IP) Systems
—  Network Video Recording Devices
—  Network Surveillance Equipment and Software
—  Paging Software Server (i.e. Air Messenger Server connected to both the SCADA and Internet for SMTP relay out)
—  America Online Clients
—  MP3 Music and Video Playing Software including iTunes
—  Gaming Software Servers
    —  aGSM - a freeware game server info monitoring utility
    —  Alien Arena 2006 Gold Edition
    —  Counter Strike
    —  Brood Wars
    —  Battlefield 1942 Server and Clients
    —  Quake 2 and Quake 3 Game Servers found in Supervisor HMI LAN
    —  Soldier of Fortune II
—  Software license cracking executables (CD-key generators)
—  Torrent client software on Supervisor HMI LAN
—  Adult Video Directory Scripts
—  Online Dating Service Databases
—  Advanced Forensics Format (AFF) archives
—  Streaming Music and Radio software with vulnerabilities
—  BitTorrent Clients (for peer-to-peer file sharing)
—  MSN and other IM chat clients
—  Anonymous FTP Servers running and waiting for connections

16
but wait…there's more

—  Apache Web Servers and Linux hosts un-patched for over 2 years
—  APC Battery Backup UPS systems with vulnerable Web Interface
—  Several web blog site engines running in control system DMZ
—  Office grade Linksys, Belkin, and D-Link WiFi devices on Supervisory HMI LAN
—  IM clients found installed and containing vulnerabilities on Supervisory HMI LAN
—  Windows 95 found installed on hosts in Supervisory HMI LAN (no longer supported by MS)
—  Windows NT found installed on hosts in Supervisory HMI LAN (no longer supported by MS)
—  Windows Vista found used as OS for operator consoles in Supervisory HMI LAN
—  IRC Chat Servers found installed on hosts in the Operational DMZ LAN
—  Nintendo Entertainment System (NES) Game Simulator
—  Netscape Browser vulnerabilities detected in Supervisor HMI LAN
—  Multi-function Printer/Fax/Scanner device vulnerabilities
17
summary / take away points
—  331 = the average time in days between when a vulnerability was disclosed in the public
versus when it was discovered in an industrial control systems assessment

—  the intermediate Operations DMZ network that sits between the Enterprise network and
the industrial control systems had the most vulnerabilities attributed to its zone

—  web server and back-end database vulnerability findings comprised the largest number of
vulnerabilities found in the Operations DMZ network – we need more web app testing!

—  network devices are better managed in the Internet DMZ and Enterprise LAN networks
where the IT or IS department has clear ownership of managing the network devices

—  number of client workstation vulnerabilities also increased deeper into the real-time
operations networks, thus proving we still have a patch problem in our industry

—  vulnerabilities with Windows operating systems or Windows applications also accounted
for the overwhelming majority of vulnerabilities for systems in the Supervisory HMI LAN

—  Vulnerabilities and Exploits will continue to be found at a rapid pace for SCADA HMI
Applications built for Windows, Web-Enabled SCADA Browser Applications, and Embedded
PLC devices

18
q&a
—  contact info

jonathan pollet
principal consultant
[email protected]
office: +1.877.387.7733
mobile: +1.281.748.6401

19
