Page 1: Scada Industrial Control Systems Penetration Testing

PENETRATION TESTING A SCADA INDUSTRIAL CONTROL SYSTEMS

By : Yehia Mamdouh

Page 2: Scada Industrial Control Systems Penetration Testing

THIS PRESENTATION WILL LET US KNOW:

What is SCADA?

What is it used for?

What are the benefits of using SCADA?

SCADA system concept

How SCADA Communication Works?

SCADA Protocols

SCADA Cyber security

Types of SCADA Networks

Attack Vectors

Penetration testing methodology

Conclusion

Page 3: Scada Industrial Control Systems Penetration Testing

WHAT IS SCADA CONTROL SYSTEM?

* SCADA: Supervisory Control and Data Acquisition. A type of control system that can be used to monitor many different kinds of equipment in many different kinds of environments

* In general, refers to an industrial control system (ICS)

Page 4: Scada Industrial Control Systems Penetration Testing

WHERE YOU CAN LOCATE SCADA?

* Electric power generation, transmission, and distribution

* Water and sewage

* Buildings, facilities, and environments

* Manufacturing

* Mass transit

* Traffic signals.

Page 5: Scada Industrial Control Systems Penetration Testing

BENEFITS OF SCADA

Used for:

1- Transmits individual device status

2- Manages energy consumption by controlling the devices

3- Allows direct control of power system equipment

4- Controls chemical plant processes, oil and gas pipelines, electrical generation and transmission equipment, manufacturing facilities, etc.

EX: Motors, valves, pumps, relays, etc.

Benefits:

1- Identify and solve problems before they even start.

2- Keep your eye on long-term trends and threats

3- Identify and attack bottlenecks and inefficiencies throughout the enterprise

4- Effectively manage bigger and more complicated processes with a smaller staff.

Page 6: Scada Industrial Control Systems Penetration Testing

SCADA SYSTEM CONCEPT

SCADA Workstation: Human operator

A device used to issue commands to the central SCADA console; it receives raw data in human-readable form and is also used to monitor and control.

HMI (Human-Machine Interface): Software and hardware that allow the human operator to monitor the state of the process under control, modify control settings, and manually override automatic control operations. The interface sits between the human operator and the commands relevant to the SCADA system. (Windows, Linux or Unix)

Page 7: Scada Industrial Control Systems Penetration Testing

SCADA SYSTEM CONCEPT

Data Historian: Collects and stores information from your mission-critical systems so you can extract it and perform accurate analyses (SQL)

SCADA Server / MTU (Master Terminal Unit): A device that issues commands to the Remote Terminal Units (RTUs), which are located at places remote from the control centre; it gathers the required data, stores the information, processes it and displays it.

RTU (Remote Terminal Unit): Connects to sensors on the process, converts sensor signals and sends digital data to the supervisory systems

PLC (Programmable Logic Controller): Automatically performs the main site control process that controls the operation of industrial equipment, such as control of machinery

Page 8: Scada Industrial Control Systems Penetration Testing

HOW SCADA COMMUNICATION WORKS?

* The control operator or workstation monitors the data and initiates control commands to the HMI

* HMIs are machines: traditionally applications installed on workstations running Windows or Linux, and more recently web applications. These HMIs speak to the SCADA controlling server

* The SCADA controlling server collects data from the data historian, which is basically a database that the SCADA server pushes data to and, in some cases, pulls data from

* The SCADA server sends the appropriate signal to the correct RTU or PLC.

* The RTU or PLC consults its pre-programmed logic to determine what it should do with this control signal, and controls the operation of the industrial equipment

* Equipment EX: Relays, capacitor banks, feeder switches, actuators

Page 9: Scada Industrial Control Systems Penetration Testing

[Diagram: System Concept of SCADA. Field sensors (temperature level, pressure level, oil level, alarm, radioactivity level) feed RTU/PLC units, which reach the SCADA server, data historian, HMI (web interface) and workstation over a router and wide area network. Modbus TCP/IP and DNP3 protocols communicate between the SCADA server and the RTU/PLC.]

Page 10: Scada Industrial Control Systems Penetration Testing

SCADA PROTOCOL

* We have mentioned that the SCADA server sends signals to the RTU or PLC and vice versa. How can the central SCADA console receive information from sensors, which are very simple devices? Here is where SCADA protocols come in!

* The RTU collects data from sensors and converts the readings into a protocol, such as MODBUS or DNP3, that can be transported across your communications network and back to you

DNP3 (Distributed Network Protocol): used for communications between master station and RTUs. Port 20000 TCP/UDP

Modbus: typically used for Supervisory Control and Data Acquisition (SCADA)-style network communication between devices, with implementations over serial and TCP/IP. Standard port 502 TCP

Page 11: Scada Industrial Control Systems Penetration Testing
Page 12: Scada Industrial Control Systems Penetration Testing

WHY SECURITY IS IMPORTANT IN CONTROL SYSTEMS?

Why?

* The ability of cyber intruders to gain access to networked control systems might be easy

* More efficient methods of communication = more new risks that can cause disaster

* Control systems share common vulnerabilities with traditional information technology

* Control systems have recently been adopting web technology, which is an interesting target for cyber attacks

* Insecure protocols are used to transmit data, some of them over TCP/IP

* Control systems have turned to Windows and Linux, which have known vulnerabilities

Page 13: Scada Industrial Control Systems Penetration Testing

WHY SECURITY IS IMPORTANT IN CONTROL SYSTEMS?

* The new protocols and communication standards being adopted are the same technologies that have been exploited and compromised in the Internet and networking domains

[Diagram: Modbus TCP request packet: no authentication, no encryption, no security]

Attacks on field devices

Database attacks

Communications hijacking and 'man-in-the-middle' attacks

Vulnerabilities in common protocols
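As an added example that is not part of the original slides: a small Python parser for the Modbus/TCP frame described on pages 10 and 13 (MBAP header carried on TCP port 502, then function code and data). Walking the fields shows concretely that nothing in the frame identifies or authenticates the sender, which is why a passive monitor can only judge a write request by where it came from. The second function does exactly that: it flags write function codes (5, 6, 15, 16) arriving from any address other than the SCADA server. The sample frames, IP addresses and the authorised-master set are constructed for illustration; the field layout and function codes follow the public Modbus specification.

```python
"""Parse Modbus/TCP request frames and flag write operations from unexpected hosts.

Added example, not code from the original deck. Frame layout and function codes
follow the public Modbus/TCP specification; sample traffic below is constructed.
"""
import struct
from dataclasses import dataclass

# Function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    8: "Diagnostics",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    43: "Read Device Identification",
}
# Codes that change process state on the PLC/RTU.
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes

    @property
    def function_name(self) -> str:
        return FUNCTION_NAMES.get(self.function_code,
                                  f"Unknown (0x{self.function_code:02x})")

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Split a Modbus/TCP frame into MBAP header fields and PDU.

    MBAP = transaction id (2 bytes), protocol id (2, always 0), length (2),
    unit id (1). No field carries a credential or a sender identity.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # Length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, pid, length, unit, frame[7], frame[8:])


def audit_frames(frames, authorised_masters):
    """Return alerts for write requests whose source is not an allowed master.

    frames: iterable of (source_ip, raw_frame); authorised_masters: set of
    IPs (normally just the SCADA server) permitted to issue writes.
    """
    alerts = []
    for src_ip, frame in frames:
        req = parse_modbus_tcp(frame)
        if req.is_write and src_ip not in authorised_masters:
            alerts.append(f"{src_ip} -> unit {req.unit_id}: {req.function_name} "
                          f"(fc {req.function_code}) from unauthorised master")
    return alerts


# Constructed sample traffic: one read, one authorised write, one rogue write.
SAMPLE_FRAMES = [
    ("10.0.0.10", bytes.fromhex("00010000000601030000000a")),           # FC3, read 10 registers
    ("10.0.0.10", bytes.fromhex("000200000006010600101234")),           # FC6, write register 0x10
    ("10.0.0.99", bytes.fromhex("00030000000b0110000000020400010002")), # FC16, write 2 registers
]
AUTHORISED_MASTERS = {"10.0.0.10"}  # constructed: the SCADA server address

if __name__ == "__main__":
    for _, raw in SAMPLE_FRAMES:
        req = parse_modbus_tcp(raw)
        print(req.transaction_id, req.unit_id, req.function_name, "write" if req.is_write else "read")
    for alert in audit_frames(SAMPLE_FRAMES, AUTHORISED_MASTERS):
        print("ALERT:", alert)
```

The length check matters in practice: devices that accept a frame whose MBAP length disagrees with the TCP payload are exactly the ones that a malformed packet (or a stray Nmap probe, as page 32 warns) can crash, so a monitor should count such frames rather than silently skip them.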

Page 14: Scada Industrial Control Systems Penetration Testing

REAL ATTACKS

In recent years, security risks have been reported in control systems

Page 15: Scada Industrial Control Systems Penetration Testing

Types of SCADA Networks

Page 16: Scada Industrial Control Systems Penetration Testing

TYPES OF SCADA NETWORKS

Early or Monolithic SCADA systems

* The first SCADA systems held all operations in one computer, usually a mainframe. There was little control exercised, and most early SCADA functions were limited to monitoring sensors and flagging any operations

* Limited to a single plant or facility. Like the software, SCADA hardware from one vendor was rarely usable in another vendor's SCADA system.

Page 17: Scada Industrial Control Systems Penetration Testing

TYPES OF SCADA NETWORKS

Distributed SCADA Systems

* Shared control functions across multiple smaller (usually PC) computers connected by Local Area Networks (LAN)

* Shared real-time information and often performed small control tasks in addition to alerting operators of possible problems

Page 18: Scada Industrial Control Systems Penetration Testing

TYPES OF SCADA NETWORKS

Networked SCADA systems

* Current SCADA systems are usually networked

* Communicate through Wide Area Network (WAN) systems, over phone or data lines, and often transmit data between nodes through Ethernet or fibre optic connections.

* Make heavy use of Programmable Logic Controllers (PLC) to monitor and make routine process adjustments

* The hardware tends to be more interchangeable, as PLC and other sub-unit vendors have standardized communications and other protocols to allow the user to choose the best component for their needs

Page 19: Scada Industrial Control Systems Penetration Testing

TYPES OF SCADA NETWORKS

Internet of Things (IoT)

* A data model allows the types of data that will be monitored to be defined, and allows new types to be added quickly and easily as new smart objects are added to the process

* Allows combinations of smart things/objects and sensor network technologies

* Communication will bring physical business benefits like high-resolution management of resources and products, better collaboration between enterprises, and improved life-cycle management

Page 20: Scada Industrial Control Systems Penetration Testing
Page 21: Scada Industrial Control Systems Penetration Testing

ATTACK VECTORS

* SCADA systems are vulnerable to the same threats as any TCP/IP-based system.

* SCADA administrators and industrial systems analysts are deceived into thinking that since their industrial networks are on separate systems, they are safe from outside attacks.

* PLCs and RTUs are usually polled by other third-party, vendor-specific networks and protocols such as MODBUS and DNP, and polling is usually done over phone lines, leased private frame relay circuits or satellite systems

* Security in an industrial network can be compromised in many places along the system and is most easily compromised at the SCADA host or control room level

SCADA Attacks: How Far?

Page 22: Scada Industrial Control Systems Penetration Testing

ATTACK VECTORS

++ Once the corporate network is compromised, any IP-based device or computer system can be accessed.

++ 24/7 availability provides an opportunity to attack the SCADA host system, which can cause:

* Denial of Service (DoS) attack to crash the SCADA server, leading to a shutdown condition

* Deletion of system files on the SCADA server (system downtime and loss of operations)

* A planted Trojan that takes complete control of the system

* Logging of any company-sensitive operational data for personal or competitive use

Attack vectors that should be addressed:

1- Backdoors and holes in the network perimeter

2- Vulnerabilities in common protocols

3- Attacks on field devices

4- Database attacks

5- Communications hijacking and 'man-in-the-middle' attacks

Page 23: Scada Industrial Control Systems Penetration Testing

ATTACK VECTORS

Backdoors and holes in the network perimeter

1- Modern networks in the control system arena often have inherent capabilities that are deployed without sufficient security analysis and can provide access to attackers once they are discovered.

2- Network components carry technologies such as firewalls, public-facing services and wireless access. Each of these components often has associated security vulnerabilities

3- Remotely located control system elements can be accessed via remotely connected communications. If the systems are based on commercial operating systems, the attacks can be via DDoS, escalated-privilege exploits or Trojan horses

Page 24: Scada Industrial Control Systems Penetration Testing

ATTACK VECTORS

Backdoors and holes in the network perimeter

4- Organizations in many CI/KR sectors provide data to customers and providers through publicly accessible services, such as calculating load expectations or billing futures information. As these services are in the public domain, they are often accessible from the Internet with little or no user access limitations

5- If the relationship between the firewall and the web server is not deployed right, it allows unauthorized data to flow from the external side to the internal domain. If the attacker compromises the trusted web server, the attacker has a channel to access the internal services (or control systems) LAN.

Page 25: Scada Industrial Control Systems Penetration Testing

ATTACK VECTORS

Attacks using common protocols

1- Microsoft Windows XP, a platform commonly used in control systems, mitigates the security issues

2- Control systems combined with modern networking technologies bring some inherited security vulnerabilities. Even though many of these vulnerabilities have solutions and available workarounds, the deployment of these mitigations in control system architectures is not always feasible.

Page 26: Scada Industrial Control Systems Penetration Testing

ATTACK VECTORS

Attack into the control system via field devices

1- Control system architectures usually have a capability for remote access to terminal end points and devices in a number of ways, including by telephonic or dedicated means, to provide for the collection of operational and maintenance data

2- Modern equipment has embedded file servers and web servers to facilitate robust communications. These devices are part of an internal and trusted domain, and thus access into these devices can provide an attacker with an unauthorized vector into the control system architecture.

3- RTUs are an extension of the control domain, so attackers can add these field devices to their list of viable targets to be investigated during the reconnaissance and scanning phases of the attack.

4- If a device is compromised, the attacker can leverage control over the device and escalate privileges

Page 27: Scada Industrial Control Systems Penetration Testing

ATTACK VECTORS

Database and SQL data injection attacks

1- Database applications have become core application components of control systems and their associated record-keeping utilities

2- Databases used by control systems are often connected to databases located on the business network, and most use SQL. The information contained in databases makes them high-value targets for any attacker

3- Attackers can exploit the communications channel between the two networks and bypass the security mechanisms used to protect the control system environment

4- The effect of corrupted database content can impact data acquisition servers, historians, and even the operator HMI console, since control system databases are so reliant on data accuracy and integrity.

Page 28: Scada Industrial Control Systems Penetration Testing

ATTACK VECTORS

Man-in-the-middle attacks

1- The ability of an attacker to re-route data that is in transit on a network, the ability to capture and analyze critical traffic that is in plaintext format, and the ability to reverse engineer any unique protocols to gain command over control communications

2- By combining all of these, a MITM attack is executed

3- As the attack is on the control domain, this plaintext traffic can be harvested (sniffed) and taken offline for analysis and review

4- Using ARP poisoning and collecting traffic, the attacker can establish and maintain complete control over the communications in the network, preventing the HMI from issuing alarms

5- The MITM can sit between HMI and RTU because of the weak protocols that are used, like Modbus
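The ARP poisoning step in point 4 leaves a visible trace on the segment: a host that was answering ARP for the HMI address suddenly has a different MAC, and one MAC starts answering for both the HMI and the RTU. As an added example that is not part of the original slides, the Python below runs that check over a list of ARP replies as a passive sensor on the control network would record them, compared against a baseline table of the MAC each host is expected to own. The observations, addresses and baseline are constructed for illustration.

```python
"""Detect ARP cache poisoning symptoms from observed ARP replies.

Added example, not code from the original deck. Input is a list of
(seconds, sender_ip, sender_mac) tuples; all values below are constructed.
"""
from collections import defaultdict

# Constructed baseline: the MAC each control-network host is expected to own.
BASELINE = {
    "192.168.10.1": "00:11:22:33:44:01",   # HMI
    "192.168.10.20": "00:11:22:33:44:14",  # RTU
}

# Constructed observations taken from ARP replies on the control segment.
OBSERVED = [
    (0.0, "192.168.10.1", "00:11:22:33:44:01"),
    (0.5, "192.168.10.20", "00:11:22:33:44:14"),
    (3.2, "192.168.10.1", "de:ad:be:ef:00:99"),   # a third MAC claims the HMI address
    (3.3, "192.168.10.20", "de:ad:be:ef:00:99"),  # ... and the RTU address: both sides poisoned
    (9.0, "192.168.10.1", "00:11:22:33:44:01"),
]


def detect_arp_poisoning(observations, baseline):
    """Return alert strings for baseline mismatches and multi-address MACs."""
    alerts = []
    claims = defaultdict(set)  # ip -> set of MACs seen claiming it
    for ts, ip, mac in observations:
        claims[ip].add(mac)
        expected = baseline.get(ip)
        if expected and mac != expected:
            alerts.append(f"t={ts}: {ip} claimed by {mac}, baseline is {expected}")

    # One MAC answering for two baseline addresses is the signature of the
    # HMI<->RTU interposition the slide describes.
    per_mac = defaultdict(set)
    for ip, macs in claims.items():
        for mac in macs:
            per_mac[mac].add(ip)
    for mac, ips in per_mac.items():
        if len(ips) > 1 and mac not in baseline.values():
            alerts.append(f"{mac} answers for {len(ips)} addresses: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(OBSERVED, BASELINE):
        print("ALERT:", alert)
```

A static baseline works on a control segment precisely because its hosts rarely change; on a corporate LAN with DHCP the same logic needs a learning window instead of a fixed table.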

Page 29: Scada Industrial Control Systems Penetration Testing

Penetration Testing Methodology

Page 30: Scada Industrial Control Systems Penetration Testing

PENETRATION TESTING METHODOLOGY

The penetration testing methodology we use in control systems is like normal network penetration testing

How?

* We are dealing with devices, operating systems (Windows, Linux), protocols over TCP, applications and SQL databases, and firewalls

Audit identification

Devices and networks: router configs, router tables, switch tables, physical cable checks, packet sniffing

Services: local port verification (netstat)

Vulnerabilities: local banner grabbing

Perimeter: identify all external connections

* Review firewall rules

* Review remote access methods

* Check for wireless networks

* Check physical access

Page 31: Scada Industrial Control Systems Penetration Testing

PENETRATION TESTING METHODOLOGY

The penetration testing methodology we use in control systems is like normal network penetration testing

How?

Network infrastructure

Review router configs

Review switch tables

Conduct physical cable checks

Conduct packet sniffing and analysis

Host operating systems

Review patch level

Review password quality

Review share and directory permissions

Review remote access

Applications

Review ports and services

Review OS credentials

Review remote access

Consider code review

PLCs, RTUs, etc.

Review patch levels

Review password quality

Conduct packet sniffing

Page 32: Scada Industrial Control Systems Penetration Testing

PENETRATION TESTING METHODOLOGY

Scanning / Discovery

Some tools are available, like:

plcscan - scans Modbus devices

modscan - scans Modbus devices

Nmap (be careful: a single Nmap scan can crash the system)

Metasploit modules for Modbus detection

* Most PLCs (communication modules) have no ability to filter based on source IP address

So we can:

Use Python scripts or John the Ripper for cracking

Brute-force the PLC online

Scan supported devices and stations

Change the name of stations

Change IP, netmask, gateway

Request full network info

Page 33: Scada Industrial Control Systems Penetration Testing

PENETRATION TESTING METHODOLOGY

Analyze protocols

How do protocols live in the network?

Not blocked by firewalls/switches

Accessible between LAN segments

Work from the data link layer to the application layer

Easy to detect

Easy to analyze

So we can:

detect devices and their protocols

monitor state and commands

inject and modify reply packets in real time

Available tools (sniffing traffic):

Wireshark

tcpdump

python

hex viewer

Page 34: Scada Industrial Control Systems Penetration Testing

PENETRATION TESTING METHODOLOGY

Analyze protocols

Modbus

Using the web is often the easiest way: 80% of Modbus/TCP devices have web interfaces. Other research shows most devices run Windows 2k

DNP3

* Has source and destination addresses that can be useful in man-in-the-middle attacks, such as:

1- Turn off unsolicited reporting to stifle alarms

2- Issue unauthorized stops, restarts, or other functions that could disrupt specific operations

* Implementations typically do not employ encryption, authentication or authorization; DNP3 devices simply assume that all messages are valid

Page 35: Scada Industrial Control Systems Penetration Testing

PENETRATION TESTING METHODOLOGY

Analyze protocols

DNP3

Passive network reconnaissance

With appropriate access, captures and analyzes DNP3 messages. This provides information about network topology and device functionality.

Rogue test

Installs a "man-in-the-middle" device between the master and outstations that can read, modify and fabricate DNP3 messages and/or network traffic, memory addresses and other data

Other attacks on the data link and application layer
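The two DNP3 slides above make the same point from opposite sides: the link-layer header carries plain source and destination addresses and a CRC, but no authentication, so an outstation accepts whatever a frame says about its origin. The defender's counterpart to the passive reconnaissance described here is to do that capture yourself and keep an inventory of which link addresses act as masters. As an added example that is not part of the original slides, the Python below builds and parses the 10-byte DNP3 data link header (start bytes 0x05 0x64, length, control, destination, source, CRC-16/DNP), verifies the CRC, and flags master-direction frames (DIR bit set) from any address not in the known-master set. The header layout and CRC parameters follow the public DNP3 specification; the addresses and frames are constructed for illustration.

```python
"""Parse and verify DNP3 data link headers and audit the link-address inventory.

Added example, not code from the original deck. Header layout and the
CRC-16/DNP parameters (poly 0x3D65, reflected, inverted) follow the public
DNP3 specification; frames and addresses below are constructed.
"""
from dataclasses import dataclass

START = b"\x05\x64"   # fixed start bytes of every DNP3 link frame
DIR_BIT = 0x80        # control byte bit: 1 = frame sent by the master


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP in bit-reflected form; 0xA6BC is the reversed 0x3D65 polynomial."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


@dataclass
class LinkHeader:
    length: int
    control: int
    destination: int
    source: int
    crc_ok: bool

    @property
    def from_master(self) -> bool:
        return bool(self.control & DIR_BIT)


def build_link_header(destination: int, source: int, control: int,
                      user_data_len: int = 0) -> bytes:
    """Assemble start + length + control + dst + src + CRC (10 bytes).

    LENGTH counts control, dst, src and user data but not the CRCs, so a
    header with no user data carries LENGTH 5. Addresses are little-endian.
    """
    body = bytes([5 + user_data_len, control]) \
        + destination.to_bytes(2, "little") + source.to_bytes(2, "little")
    return START + body + crc_dnp(body).to_bytes(2, "little")


def parse_link_header(frame: bytes) -> LinkHeader:
    """Decode the header fields and check the header CRC."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 link frame")
    body = frame[2:8]
    crc_ok = int.from_bytes(frame[8:10], "little") == crc_dnp(body)
    return LinkHeader(
        length=body[0],
        control=body[1],
        destination=int.from_bytes(body[2:4], "little"),
        source=int.from_bytes(body[4:6], "little"),
        crc_ok=crc_ok,
    )


def audit_link_frames(frames, known_masters):
    """Flag bad CRCs and master-direction frames from addresses outside the
    known-master inventory. The header authenticates nothing, so the address
    inventory is all a passive monitor has to judge a frame by."""
    alerts = []
    for frame in frames:
        hdr = parse_link_header(frame)
        if not hdr.crc_ok:
            alerts.append(f"bad CRC in frame claiming source {hdr.source}")
        elif hdr.from_master and hdr.source not in known_masters:
            alerts.append(f"master-direction frame from unknown address "
                          f"{hdr.source} to outstation {hdr.destination}")
    return alerts


# Constructed traffic: master 1 polls outstation 10; address 200 is not a known master.
# Control 0xC4 = DIR|PRM with link function 4 (unconfirmed user data).
KNOWN_MASTERS = {1}
SAMPLE_FRAMES = [
    build_link_header(destination=10, source=1, control=0xC4),
    build_link_header(destination=10, source=200, control=0xC4),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(frame.hex(), parse_link_header(frame))
    for alert in audit_link_frames(SAMPLE_FRAMES, KNOWN_MASTERS):
        print("ALERT:", alert)
```

The CRC only protects against line noise: an attacker fabricating frames recomputes it, which is why the audit treats a valid CRC on an unknown master address as the more important alert of the two.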

Page 36: Scada Industrial Control Systems Penetration Testing

PENETRATION TESTING METHODOLOGY

Data manipulation

Available tools

Web application testing and SQL injection

* As SCADA uses web applications on the HMI and SQL in the database, we can test them for possible vulnerabilities

Modlib - Scapy extension [python]

OpenDNP3 - library [C++]

Metasploit modules

Page 37: Scada Industrial Control Systems Penetration Testing

Conclusion

Page 38: Scada Industrial Control Systems Penetration Testing

SCADA SECURITY

Creating Demilitarized Zones (DMZs)

Multiple DMZs could also be created for separate functionalities and access privileges, such as peer connections, the data historian, or the Inter-Control Center Communications Protocol (ICCP) server in SCADA systems

Firewalls

Properly configured and coordinated, firewalls can protect passwords, IP addresses, files and more

Proxy servers

A proxy server is an Internet server that acts as a firewall, mediating traffic between a protected network and the Internet

The security policy

Effective security policies and procedures are the first step to a secure control systems network. Many of the same policies

Security training

Providing security training to the staff who work in the facility is essential for preventing physical and social engineering attacks

Page 39: Scada Industrial Control Systems Penetration Testing

SCADA SECURITY

1- Identify all connections to SCADA networks

2- Disconnect unnecessary connections to the SCADA network

3- Remove or disable unnecessary services

4- Implement internal and external IDS and establish 24-hour incident monitoring

5- Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security

6- Clearly define cyber security roles, responsibilities and authorities for managers, system administrators and users

7- Document the network architecture and identify systems that serve critical functions and require additional levels of protection
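Steps 1 and 2 above, the "review firewall rules" item of page 30 and the DMZ design of page 38 all come down to the same question: which rules let traffic into the control zone, from where, and on which ports? As an added example that is not part of the original slides, the Python below audits a rule set with two checks: any allow rule into the control zone that is broad (any source or any port), and any allow rule that lets a zone other than the control segment or its DMZ reach the field protocols the deck names (Modbus/TCP on 502, DNP3 on 20000). It also lists every entry point into the control zone, which is the inventory step 1 asks for. The rule format, zone names and rules are constructed for illustration; only the port numbers come from the deck.

```python
"""Audit firewall rules for paths into the control network.

Added example, not code from the original deck. Rule shape, zone names and
the rule set are constructed; Modbus/TCP 502 and DNP3 20000 are from the deck.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}
CONTROL_ZONES = {"control", "dmz"}  # zones that may legitimately reach field devices


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src: str              # CIDR, host, or "any"
    dst_zone: str
    dst: str
    proto: str
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"


def audit_rules(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Return (rule number, kind, message) for risky allow rules into control."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "allow" or r.dst_zone != "control":
            continue
        if r.src == "any" or r.port is None:
            findings.append((n, "broad",
                             f"rule {n}: any-source or any-port access into control"))
        if r.src_zone not in CONTROL_ZONES:
            if r.port in ICS_PORTS:
                service = ICS_PORTS[r.port]
            elif r.port is None:
                service = "all ports"
            else:
                service = f"{r.proto}/{r.port}"
            findings.append((n, "exposure",
                             f"rule {n}: {service} reachable from zone '{r.src_zone}'"))
    return findings


def entry_points(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Every (zone, source) that some allow rule lets into the control zone."""
    return sorted({(r.src_zone, r.src) for r in rules
                   if r.action == "allow" and r.dst_zone == "control"})


# Constructed rule set: a historian in the DMZ is the only intended path to the PLCs.
RULES = [
    Rule("corporate", "10.1.0.0/16", "control", "10.10.0.0/24", "tcp", 502, "allow"),
    Rule("dmz", "10.5.0.5", "control", "10.10.0.0/24", "tcp", 502, "allow"),
    Rule("internet", "any", "dmz", "10.5.0.10", "tcp", 443, "allow"),
    Rule("any", "any", "control", "any", "any", None, "allow"),
    Rule("corporate", "10.1.0.0/16", "control", "any", "tcp", 20000, "deny"),
]

if __name__ == "__main__":
    for zone, src in entry_points(RULES):
        print("entry point:", zone, src)
    for n, kind, msg in audit_rules(RULES):
        print(f"[{kind}] {msg}")
```

Rule 2 produces no finding because the historian sits in the DMZ that page 38 recommends; rule 1 is the corporate-to-PLC shortcut that the DMZ is meant to remove, and rule 4 is the kind of catch-all that survives from an initial deployment and defeats the rest of the policy.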

Page 40: Scada Industrial Control Systems Penetration Testing