Codenomicon whitepaper: Protecting Critical Infrastructure by Fuzzing Protocol Implementations
Preemptive Security and Robustness Testing Solutions

Mar 06, 2018

Protecting Critical Infrastructure by Fuzzing Protocol Implementations

Industrial control system (ICS) networks are no longer isolated: integration into corporate networks and the introduction of IP-based communications have exposed these networks to cyberattacks. As a result, vulnerabilities in SCADA and other ICS protocol implementations can be exploited with ordinary Internet hacking tools. Fuzzing is a black-box testing technique originally used by black-hat hackers to find exploitable vulnerabilities. In this paper, we demonstrate how fuzzing can be used to remediate exploitable vulnerabilities proactively and make ICS networks more robust against cyberattacks.

Changing security landscape

The move to IP-based communications has led to a sharp rise in the number of external attacks against industrial control system networks. Between 1982 and 2000, only 30% of such attacks were external; the remaining 70% were internal, either accidents or deliberate attacks by disgruntled employees. By 2003 the picture had reversed: between 2000 and 2003, 70% of attacks were external and only 30% internal [1]. In the past ten years the connectivity of ICS networks has increased significantly, which implies that the share of external attacks on ICS networks has grown further.

During the first half of the fiscal year 2013 (October 2012 to May 2013), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which operates under the Department of Homeland Security, had already reported over 200 attacks across all critical infrastructure sectors. That number already surpasses the total reported for the whole of fiscal year 2012 [2].

Some external attacks are unintentional, meaning that the malware was not written for the targeted industrial control system, but targeted cyberattacks are on the rise. Several power outages have been attributed to cyberextortion. Electric utilities are also the target of constant probing. Probing is part of cyber-reconnaissance; it is used to map network infrastructure and locate vulnerabilities for future attacks.

Designed to be isolated

Industrial control system networks used to be electronically isolated from other computer systems and from the cyberthreats those systems faced. In these isolated networks, all devices were deployed over serial analogue circuits, and an attacker would have needed physical access to the analogue circuit to carry out an attack. Until recently, therefore, the focus was on ensuring the physical security of industrial control networks.

Similarly, many ICS protocols were designed for communication between trusted devices in a closed network with no connection to the outside world. As a result, ICS protocols contain very few security features, such as encryption. More worryingly, these protocols were never hardened and, in the rush to improve the connectivity of ICS networks, many were simply encapsulated in IP wrappers.

Increased connectivity

Over time, more components of industrial control systems became interconnected with the outside world using IP-based communications, and control networks were integrated into larger corporate networks. The convergence of these once separate networks has helped reduce costs and improve efficiency, but it has also exposed ICS networks to external attacks.

With IP-based communication used throughout the industrial control system network, packets can be routed into field devices from external networks. Field devices such as PLCs, RTUs, smart instrumentation and other embedded devices are the most critical elements of an ICS network because they control physical equipment like pumps, valves, boilers, compressors and safety systems.

It is important to note that using analogue connections does not guarantee security. The devices within your production network might communicate over analogue connections, but they also communicate with devices that are connected to the corporate network and the Internet. Almost all ICS devices are either directly or indirectly connected to the Internet.

[Figure: attack interfaces into an ICS network. The diagram shows the Internet, the corporate network, the production network, the ICS network (control devices; sensors and instrumentation; valves, pumps etc.) and a trusted third party. Attack interfaces: 1. Corporate network; 2. Trusted third parties; 3. ICS network: online resources (WebHMI); 4. Wireless connections.]

New attack surfaces

The need to separate the corporate and production networks is well known, but other, equally critical interfaces are ignored. Trusted third parties like vendors, system integrators and control engineers have direct access to ICS networks. Moreover, the widespread use of online resources, like WebHMI, and of wireless connections exposes the production network to both internal and external attacks.

The challenge with these new interfaces is that traditional malware prevention and patch management processes are difficult to implement. The critical nature of industrial control systems requires that they are available 24 hours a day, 7 days a week, so regular patching is inconvenient and often dangerous. Patching can introduce new unknowns and cause failures, while anti-virus software and firewalls can slow systems down and cause performance issues.

Proactive cyberdefense

ICS networks form the backbone of many critical infrastructure networks and are used to control everything from waterworks, chemical plants and food and drug production facilities to transportation systems, satellites and power grids. Due to the importance of these networks, ad hoc responses are not enough. The focus should be on preventing attacks, and the best way to prevent attacks is to identify exploitable vulnerabilities and resolve them proactively.

Vulnerabilities Enable Attacks

There are numerous types of malware, including viruses, trojans, keystroke loggers, rootkits and spyware. What they all have in common is that the initial introduction and access to the system are enabled by a vulnerability in the code. Vulnerabilities are design and implementation errors introduced into the code during development. These errors become vulnerabilities once the software is released and exposed to outside attacks.

Zero-day Vulnerabilities

Zero-day vulnerabilities are the biggest threat to an organization's security. Their existence is unknown, so there are no specific defenses against attacks exploiting them, and such an attack can go completely unnoticed. Advanced attacks like Stuxnet can use multiple zero-days, making them extremely difficult to defend against. Even on a smaller scale, such attacks can cause service disruptions.

Detecting Vulnerabilities by Fuzzing

Fuzzing is one of the most efficient techniques for finding previously unknown vulnerabilities. In fuzzing, unexpected data, in the form of modified protocol messages, is fed to the inputs of a system and the behavior of the system is monitored. If the system fails, for example by crashing or by failing a built-in code assertion, there is a potentially exploitable vulnerability in the software. Because every finding is an observed failure of the target together with the input that reproduces it, fuzzing produces no false positives; triage is still needed to decide which failures are actually exploitable rather than plain robustness defects.

Generation- and Mutation-based Fuzzing

There are two popular ways to automate fuzzing: mutation-based and generation-based fuzzing. In mutation-based fuzzing, real-life inputs such as captured network traffic or files are used as seeds, and test cases are produced by modifying the samples either randomly or according to the sample's structure. In generation-based fuzzing, test cases are generated from a protocol model, built for example from protocol and file-format specifications; the model tells the fuzzer which data elements exist and what their legal boundaries are, so anomalies can be placed in every field deliberately rather than left to chance.

Case study: Fuzzing a PLC device

In this study, we used generation-based fuzzers to test the robustness of a programmable logic controller (PLC) manufactured by an industry-leading ICS device manufacturer. We tested a number of SCADA and standard Internet protocol interfaces.

Tested Protocols

We tested both SCADA-side protocols (Modbus, ISO-TSAP and ICMP) and standard Internet protocols (IPv4, HTTP, SNMP and TLS). Internet protocols have long been fuzz tested successfully; in this case study, we wanted to demonstrate that fuzzing can also be used to find vulnerabilities in SCADA protocols. The test runs were therefore stopped once the first vulnerability was discovered in each interface, so the results below are a lower bound on what is present.

Test Tools

All the tests were carried out using generation-based Defensics fuzzers. The test tools were based on the protocol specifications, which provide the fuzzers with protocol-specific information (for example, the boundary limits of each data element). This built-in syntactic and semantic knowledge guides both test-case generation and test-case execution, so the fuzzers achieve high coverage with excellent efficiency.
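To make the generation-based approach concrete, here is an added example in Python; it is not from the paper and is not Defensics code. It models the Modbus/TCP "Read Holding Registers" request as fields with legal boundaries, generates test cases from that model (including MBAP length fields that disagree with the payload), and runs them against two constructed toy PLC request parsers: a naive one that trusts the wire, and a hardened one that checks every wire-controlled value. The parsers, the 256-register table and the case set are assumptions made for this example; on a real device the monitored failure is a crash or a dead port rather than a Python exception.

```python
"""Generation-based fuzzing of a Modbus/TCP request parser (added example;
not code from the paper or from Defensics). The two toy PLC parsers and the
register table are constructed for illustration."""
import struct

READ_HOLDING_REGISTERS = 0x03
MAX_REGISTERS = 125           # per-request limit fixed by the Modbus spec for FC 03
REGISTER_TABLE = [0] * 256    # constructed device memory: 256 holding registers


def build_frame(tid, unit, function, pdu_body, length=None):
    """Modbus/TCP ADU: MBAP header (tid, protocol=0, length, unit id) + PDU.
    `length` normally covers unit id + PDU; a caller may override it to
    make the header disagree with the real payload size."""
    pdu = bytes([function]) + pdu_body
    if length is None:
        length = 1 + len(pdu)
    return struct.pack(">HHHB", tid, 0, length & 0xFFFF, unit) + pdu


def generate_cases():
    """Test cases derived from a field model of FC 03: each field gets
    valid, boundary and out-of-range values, and the MBAP length is varied
    independently of the payload. Returns a list of (name, frame)."""
    cases = []
    for start in (0, 1, 0xFF, 0x7FFF, 0xFFFF):          # starting address
        for qty in (0, 1, 125, 126, 0x7FFF, 0xFFFF):     # quantity of registers
            body = struct.pack(">HH", start, qty)
            for length in (None, 0, 1, 6, 0xFFFF):       # MBAP length field
                name = f"fc03 start={start} qty={qty} len={length}"
                cases.append((name, build_frame(1, 1, READ_HOLDING_REGISTERS, body, length)))
    cases.append(("truncated pdu", build_frame(1, 1, READ_HOLDING_REGISTERS, b"\x00")))
    cases.append(("oversized pdu", build_frame(1, 1, READ_HOLDING_REGISTERS, b"\x00" * 300)))
    return cases


def naive_handle(frame):
    """Toy PLC parser that trusts the header: the kind of code fuzzing breaks."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]                 # wire-supplied length, unchecked
    function = pdu[0]                             # IndexError when length <= 1
    start, qty = struct.unpack(">HH", pdu[1:5])   # struct.error on a short PDU
    values = [REGISTER_TABLE[start + i] for i in range(qty)]  # IndexError past the table
    return bytes([function, qty * 2]) + b"".join(struct.pack(">H", v) for v in values)


class ModbusError(Exception):
    """Controlled rejection of a malformed request (maps to a Modbus exception response)."""


def hardened_handle(frame):
    """Same function, with every wire-controlled value checked before use."""
    if len(frame) < 8:
        raise ModbusError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ModbusError("bad protocol id or MBAP length does not match bytes received")
    pdu = frame[7:]
    if pdu[0] != READ_HOLDING_REGISTERS or len(pdu) != 5:
        raise ModbusError("unsupported function or wrong PDU size")
    start, qty = struct.unpack(">HH", pdu[1:5])
    if not 1 <= qty <= MAX_REGISTERS:
        raise ModbusError("illegal data value")           # exception code 0x03
    if start + qty > len(REGISTER_TABLE):
        raise ModbusError("illegal data address")         # exception code 0x02
    values = REGISTER_TABLE[start:start + qty]
    return bytes([pdu[0], qty * 2]) + b"".join(struct.pack(">H", v) for v in values)


def fuzz(handler, cases):
    """Run every case; a ModbusError is the expected controlled rejection,
    any other exception is the in-process equivalent of a crash and is
    recorded with the reproducing frame (so there are no false positives)."""
    findings = []
    for name, frame in cases:
        try:
            handler(frame)
        except ModbusError:
            continue
        except Exception as exc:
            findings.append((name, type(exc).__name__, frame.hex()))
    return findings


if __name__ == "__main__":
    cases = generate_cases()
    for label, handler in (("naive", naive_handle), ("hardened", hardened_handle)):
        found = fuzz(handler, cases)
        print(f"{label}: {len(found)} failures in {len(cases)} cases")
        for name, err, hexframe in found[:3]:
            print(f"  {name}: {err} frame={hexframe}")
```

The field model is what makes this generation-based: the fuzzer knows that FC 03 carries a 16-bit start address and a 16-bit quantity with a legal range of 1 to 125, so it can put the interesting values (0, 125, 126, 0xFFFF) in exactly those fields instead of waiting for random mutation to hit them. Against a real PLC the `fuzz` loop would send each frame over TCP port 502 and the failure signal would come from a health monitor rather than an exception.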

Results

We found vulnerabilities in all the tested protocol interfaces. The most frequent failure mode was denial of service (DoS), but we also triggered other abnormal behavior from the test target: the tested PLC started flashing its lights. Both DoS and abnormal behavior indicate that there are vulnerabilities in the tested protocol interfaces. With more extensive fuzzing, more vulnerabilities could be revealed.

Test target          Test tool        Result
Modbus, port 502     Modbus           Port closed
ISO-TSAP, port 102   TCP for IPv4     Abnormal behavior, flashing LED light
ICMP                 ICMPv4           DoS, 2 min
IPv4                 IPv4             DoS, 2 min
SNMP server          SNMPv2 server    DoS, 2 min
HTTP client          HTTP client      DoS; web server and Modbus port die; status: defective, serious firmware exception
TLS server           TLS server       DoS; web server and Modbus port die; status: defective, serious firmware exception
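Verdicts such as "DoS, 2 min" and "port closed" come from instrumenting the target, not from the test cases themselves. The following is an added example, not from the paper and not Defensics code, of the simplest such monitor for a network-facing device: after each test case it checks whether the service port still accepts connections and, if not, how long it stays down. The host, port, time budget and the delayed loopback listener used for the self-test (which stands in for a device that reboots after a crash) are assumptions made for this example.

```python
"""Target health monitor for network fuzzing (added example; not code from
the paper or from Defensics). The delayed loopback listener used for the
self-test is constructed to stand in for a device that reboots after a crash."""
import socket
import threading
import time


def port_accepts(host, port, timeout=0.5):
    """One TCP connect attempt; True if the port accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def measure_downtime(host, port, budget=120.0, interval=0.1):
    """Poll until the port accepts again or `budget` seconds have elapsed.
    Returns (recovered, seconds_down)."""
    start = time.monotonic()
    while True:
        if port_accepts(host, port):
            return True, time.monotonic() - start
        elapsed = time.monotonic() - start
        if elapsed >= budget:
            return False, elapsed
        time.sleep(interval)


def run_case(send_case, host, port, budget=120.0):
    """Send one test case, then classify the outcome from the port's state:
    "pass" if the port still answers, "dos" if it came back within the
    budget (with the measured downtime), "port closed" if it did not."""
    send_case()
    if port_accepts(host, port):
        return "pass", 0.0
    recovered, down = measure_downtime(host, port, budget)
    return ("dos", down) if recovered else ("port closed", down)


def start_delayed_listener(delay):
    """Reserve a loopback port now but only start listening after `delay`
    seconds. Until listen() is called the kernel refuses connections, which
    models a device whose service is down while it recovers. Returns (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))

    def come_up():
        time.sleep(delay)
        try:
            srv.listen(5)
        except OSError:
            pass                          # socket already closed by the caller
    threading.Thread(target=come_up, daemon=True).start()
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    port, srv = start_delayed_listener(delay=0.5)
    verdict, down = run_case(lambda: None, "127.0.0.1", port, budget=5.0)
    srv.close()
    print(f"verdict={verdict} downtime={down:.2f}s")
```

A TCP accept check is the minimum. On a real PLC the monitor should also send a known-good protocol request (a valid Modbus read, for instance) after each case, because a device can keep accepting connections while the service behind the port has stopped answering, and that is exactly the "webserver and Modbus port die" state recorded in the table above.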

Fuzzing Best Practices

The majority of critical infrastructure is privately owned, and it is the private companies that need to make sure that their networks are robust and secure. However, because of the importance of these networks, the protection of critical infrastructure cannot be left to the private sector alone. An effective cybersecurity strategy is based on partnership between government and the private sector, including both private companies and industry organizations, as well as international partners.

Company level

Complex supply chains are typical for industrial control systems. Systems purchased by critical infrastructure operators, such as power utilities, are typically assembled by system integrators from devices and software they purchase from a variety of device manufacturers. These device manufacturers, in turn, purchase parts of their software from third-party software developers. The ICS devices they produce often come with a software development kit (SDK), which can be used to modify the software to better meet the needs of the critical infrastructure operator. Additionally, open-source software is widely used in critical infrastructure.

Software developers

If a company is developing its own software, the best way to ensure the security and robustness of that software is to identify and eliminate vulnerabilities during development. Large software houses already include fuzzing as part of their secure development lifecycles: Cisco's CSDL, Microsoft's SDL and the Adobe product lifecycle are good examples. Giants like IBM and Google also promote fuzzing. ICS software development would benefit greatly from the same approach. The earlier vulnerabilities are found, the easier and cheaper they are to fix. Indeed, by building security into your software you can avoid costly, critical and embarrassing software blunders.

Software buyers

Many vendors are in a hurry to push software onto the market, and often it is the user who ends up doing the testing [3]. By insisting on fuzzing as an acceptance condition, you can make vendors take responsibility for the quality and security of their products. Verizon uses fuzzing as entry criteria for its network suppliers [4]. Why not use fuzzing to ensure that all equipment you accept into your ICS network is robust and secure? In ICS networks, patching can be difficult; the more vulnerabilities you fix prior to deployment, the less patching you will need to do later on. The Codenomicon Defensics test suites automatically collect all the important information on found vulnerabilities into a Remediation Package, which you can send to third parties for automated reproduction.

Industry level

Industry organizations play a key role in motivating the private sector and ensuring that all industry players put enough effort into cybersecurity. The North American Electric Reliability Corporation (NERC) introduced a set of eight Critical Infrastructure Protection (CIP) standards (CIP-002 to CIP-009). These standards are mandatory in the US and Canada, and NERC has the authority to audit energy producers and distributors and fine them up to $1M per day per violation. The challenge with standards is keeping them up to date.

National level

The mandate for cybersecurity must come from a high level. Protection must be implemented by the network owners, because only they have access to their own networks, but governments must use their authority to make cybersecurity a national priority. The role of the government is to build partnerships with the private sector and to get the private sector to understand that cybersecurity is not only a means of insuring against malicious compromise but also a necessary component of business continuity. The private sector will only commit to the cybersecurity effort if it can see the benefits, that is, if the efforts also make sense at a business level.

Global level

Cybercriminals act globally, but national borders restrict the jurisdiction of law enforcement. To catch cybercriminals and prosecute them more effectively, cooperation between national and international law enforcement is needed. This is only possible through the harmonization of cybercrime laws and the timely sharing of information between partners. Cybercriminals move fast, so law enforcement must also work at "Internet speed". Timely information sharing also helps build a culture of transparency and trust between global partners.

References

[1] A. Nicholson, S. Webber, S. Dyer, T. Patel, H., "SCADA security in the light of Cyber-Warfare", Computers and Security, vol. 31, 2012, pp. 418-436.

[2] ICS-CERT Monitor April/May/June 2013, [online], http://ics-cert.us-cert.gov/sites/default/files/ICS-CERT_Monitor_April-June2013.pdf

[3] Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, "Homeland Security Strategy for Critical Infrastructure Protection in the Financial Services Sector", [online], http://www.dtcc.com/downloads/leadership/whitepapers/fss.pdf

[4] H. Chu, "Verizon Lab Entry Criteria - Security Test Requirements", [online], http://www.codenomicon.com/campaign/blackhat2011/#chu

CODENOMICON LTD | [email protected] | WWW.CODENOMICON.COM

Global and EMEA Headquarters | Tutkijantie 4E, FIN-90590 Oulu, Finland | Tel. +358 424 7431

Americas Headquarters | 12930 Saratoga Avenue, Suite B-1, Saratoga, CA 95070, United States | Tel. +1 408-414-7650

APAC Headquarters | 46B Tras Street, Singapore 078985, Singapore | Tel. +65 9188 1502