Enumerating and Validating ICS Devices
SCADA and Control Systems Security Group (SCADASEC) Findings
2010 Applied Control Systems (ACS) Conference, September 20-23, 2010
Bob Radvanovsky, CIFI, CISM, CIPS; Jacob Brodsky, PE
Creative Commons License v3.0
Who and what is “Infracritical”?
• Leading industry and business in Critical Infrastructure Protection (CIP).
– Provides guidance and direction to both public and private sectors through information sharing and ‘best practices’.
– Established open public discussion forums on current and relevant topics and affairs.
– Defines strategic vision of ‘future thought’ in infrastructure development and support.
• Liaises between government and industry on strategy.
• Sponsor and founder of the SCADASEC e-mail list.
Presentation Agenda
• Outline results from ‘The Gathering’ (May 2010).
• Reasons for having ‘The Gathering’.
• Latest projects:
– Enumerate and validate industrial automation/control systems devices (fingerprint).
– Catalog devices by genus, manufacturing type, make, model and results found, in a centralized data repository.
– Allow for variances of information found ‘in the wild’.
– Enumeration is performed using ‘open source’ security tools.
– Currently performing validation tests against the Hirschmann ICS firewall (Hirschmann EAGLE TX/TX).
Outline Results from ‘The Gathering’ (May 2010)
• Established in May 2010, ‘The Gathering’ provided common ground for representatives of commercial interests, academia and law enforcement.
• Discussed security concepts, issues and vulnerabilities of the ICS equipment that was brought and shared.
• Discussed and shared engineering methods to improve the performance of said equipment, both operationally and in terms of security.
Reasons for Having ‘The Gathering’
• Need based on a “show ‘n tell” principle.
• Allows participants to see, work with and handle ICS equipment in ways that would otherwise not be possible.
• Allows participants to share ideas, concepts and ideologies.
• Discuss methods of improving the performance of the shared ICS equipment.
• Write recommendations for manufacturers.
Other Discoveries
• We are limiting public discussion on these discoveries.
• Schweitzer SEL-3620:
– SSL interface survived the overnight assault from the Mu Dynamics fuzzer device.
– No problems found.
• Another popular industrial switch’s TELNET interface:
– 158 problems found.
• Write recommendations for manufacturers.
Project ‘Enlightenment’
• Validate CSET/CS2SAT network maps.
• Develop and exercise controlled methods of enumerating ICS equipment and appliances.
• Acquire intelligence from ICS equipment supplied from ICS owner-operators and private donators.
• Enumerate through several methods:
– IT protocols: HTTP/HTTPS, SSH, SSL certificates, SNMP, etc.
– Control system protocols: Modbus, Profibus, DNP, EthernetIP, etc.
• One of the more recognized industrial automation firewalls.
• Hirschmann Automation and Control (HAC) GmbH acquired by Belden Inc. (formerly Belden Wire & Cable, Inc.) in 2007.
• Hirschmann EAGLE and EAGLE mGuard firewalls’ software written by Innominate Security Technologies.
• Innominate Security Technologies acquired by Phoenix Contacts, Inc. in 2008.
[Image: actual model of the device tested]
Hirschmann Enumeration: Discoveries Found with Firewall
• The actual software of the Hirschmann ICS firewall was written by Innominate Security Technologies.
• Software from Innominate can be used interchangeably between the Hirschmann and Innominate versions.
• Software and firmware would be synchronized.
• Software after v4.2.3 required a ‘license upgrade’ (even though we had updates up to v7.0.1).
• Firmware after v4.2.3 had similar requirements.
Hirschmann Enumeration: Discoveries Found with Firewall
• Actual ICS screen shot.
• Tests were performed against two (2) firewalls.
• Firewall #1: Innominate
• Firewall #2: Hirschmann
Hirschmann Enumeration: Discoveries Found with Firewall
• F/W v3.0.1 (up to and including v3.1.1) caused ARP tables to be dropped during ‘normal’ port scans, requiring multiple attempts to connect to the firewall.
• F/W v4.0.4 (and higher) did not drop ARP tables.
• However, F/W v4.0.4, when attacked using a vulnerability scan, produced inconsistent fingerprinting results; in most cases, no fingerprint at all.
• NMAP (as of v5.35DC1) identifies the Hirschmann as a wireless access point / wireless router.
Hirschmann Enumeration: Discoveries Found with Firewall
Partial output is from the following syntax: nmap -sS -v -O 1.1.1.1 -T3 -PN -v
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-16 19:15 CDT
Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds
The following is a sample taken from the startup log while connected to the console:
...
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/i2c/i2c-adap-ixp425.o
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/max6625.o
Warning: loading max6625 will taint the kernel: non-GPL license - Proprietary
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/power.o
Warning: loading power will taint the kernel: non-GPL license - Proprietary
Eagle: PHY sysctl directory registered.
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
...
Thoughts about this?
Hirschmann Enumeration: Discoveries Found with Firewall
Hirschmann Enumeration: Summary of the Unit
• This unit allows the secured side to configure the firewall.
- Vulnerable to cross-site scripting (XSS) and session hijacking.
- Malware that gets inside secured networks can still cause damage.
- Other propagation methods for malware include USB, VLAN attacks/mistakes, operator errors, crossed cables, etc.
- Need an out-of-band means of commanding the firewall.
• Licensing problems could make the unit a deliberate target.
• The ARP table ought to have a hard-wired option.
• Not a stateful firewall; not aware of industrial protocols.
One More Thing… Interesting Coincidence?
• At the time of writing this presentation, the firewall was probed from several IP addresses from China; one of them is shown below:
2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast
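As an added example (not from the presentation or from Hirschmann/Innominate), here is how a defender could parse syslog lines in the layout shown above and flag sshd connections that sent no identification string from outside a management subnet; it also notes that the device clock is still at its 2000-01-01 default, which defeats log correlation. The line layout, the trusted subnet 192.168.10.0/24 and the third sample line are assumptions/constructed.

```python
import re
import ipaddress

# Constructed sample: the kernel and sshd lines quoted on the slide plus one
# constructed connection from the (hypothetical) management subnet.
SAMPLE_LOG = """\
2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
2000-01-01_16:02:10.00001 auth.info: Jan 1 16:02:10 sshd[10731]: Did not receive identification string from 192.168.10.5
"""

# Assumed layout of one line, as seen on the slide:
# <date>_<time> <facility>.<severity>: <BSD syslog timestamp> <proc>[pid]: <msg>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})_(?P<time>\d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<facility>\w+)\.(?P<severity>\w+): "
    r"(?P<bsd_ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w.\-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
NO_IDENT_RE = re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)")

# Hypothetical: the only subnet that should ever open SSH to the firewall.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]

def parse_line(line):
    """Split one mGuard-style syslog line into its fields, or None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def clock_unset(rec):
    """True when the device still logs with its factory-default clock (2000-01-01),
    so its timestamps cannot be correlated with other sensors."""
    return rec["date"] == "2000-01-01"

def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def find_untrusted_ssh_probes(log_text):
    """Return sshd 'no identification string' events whose source is outside TRUSTED_NETS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proc"] != "sshd":
            continue
        m = NO_IDENT_RE.search(rec["msg"])
        if m and not is_trusted(m.group("ip")):
            hits.append({"ip": m.group("ip"), "pid": rec["pid"], "clock_unset": clock_unset(rec)})
    return hits
```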
• Combining ‘The Gatherings’ with the intelligence gathered from/through enumeration and validation tests, we feel that there will be more to come … much more.
• So far, we have a small suite of scripts for the following:
– Hirschmann Automation Control GmbH (HAC)