
SCADA Security, DNS Phishing

Feb 25, 2016


Page 1: SCADA Security, DNS Phishing

SCADA Security, DNS Phishing
Avesta Hojjati, Computer Science Department
Advisor: Dr Akbar Namin, Texas Tech University

Page 2

What is SCADA?
• Supervisory Control And Data Acquisition, a type of Industrial Control System (ICS)
• Computer based
• Communication over IPv4 and IPv6
• Uses PLCs (Programmable Logic Controllers) as the field devices that execute the control logic

Page 3

Main Areas of Concern
• Security and authentication in the design, deployment and operation of existing SCADA networks
• The premise that SCADA systems are secure because they use specialized protocols and have proprietary interfaces
• The premise that SCADA networks are secure because they have been physically secured
• The premise that SCADA networks are secure because they are not exposed to the Internet

Page 4

SCADA Vulnerabilities
• DoS (Denial of Service). Vulnerabilities found in the Rockwell Automation FactoryTalk Services Platform and RSLinx Enterprise.
  November 2011: the cyber-security of the North American power grid is "in a state of near chaos," according to a report by a respected U.S. energy consultancy monitoring the industry's transition to wireless digital technologies.
• Critical Remote Code Execution (CRCE). Vulnerabilities found in the Modbus Serial Driver, a product by Schneider Electric.
  September 2010: Iran admits that the Stuxnet worm had infected at least 30,000 computers in the country. The worm, which researchers have dubbed the most sophisticated malware ever, targets Windows PCs that manage large-scale SCADA systems at manufacturing and utility companies.
• Most SCADA protocols were never intended for use on publicly accessible networks, and in some cases not even on IP networks. Modbus, a common SCADA protocol, was originally designed for use only within simple process-control networks, to enable low-speed serial communication between clients and servers. It carries no authentication, so once it is bridged onto TCP/IP any host that can reach the port can issue read and write commands.

Page 5

Point of Attack (diagram slide)

Page 6

CRCE Attack (diagram slide)

Page 7

CRCE Prevention (diagram slide)

Page 8

Securing SCADA Networks
• Patch host operating systems, applications and SCADA components
• Control application communications between SCADA networks and other networks
• Control application communications within SCADA networks
• Control what and who are allowed to interact with SCADA networks and systems
• Monitor all networks closely and react quickly to viruses and attacks
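The "control application communications" and "control what and who may interact" points above, together with the earlier remark that Modbus was never designed for IP networks, can be enforced at the application layer rather than only by port. The following is an added example, not code from the slides or from any vendor product: a Modbus/TCP allow-list filter that parses the MBAP header and PDU of each request and permits it only if the source host is allowed to use that function code, and only within a writable register range. Host addresses, roles, the register limit and the sample frames are hypothetical.

```python
"""Added example: Modbus/TCP allow-list filter (not from the slides).

Parses the 7-byte MBAP header plus PDU of each request and decides, per
source host, whether the function code (and, for writes, the register
range) is permitted. The policy and all addresses are hypothetical."""
import struct

# Public Modbus function codes (Modbus Application Protocol specification).
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

# Hypothetical policy: the HMI may only read; only the engineering workstation
# may write, and only to registers 0..WRITABLE_REGISTER_MAX.
POLICY = {
    "10.0.10.5": READ_FUNCTIONS,                    # HMI / historian
    "10.0.10.9": READ_FUNCTIONS | WRITE_FUNCTIONS,  # engineering workstation
}
WRITABLE_REGISTER_MAX = 99


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP ADU: MBAP header (txid, proto, length, unit) + PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    txid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    function, data = frame[7], frame[8:]
    pdu = {"txid": txid, "unit": unit, "function": function}
    if function in READ_FUNCTIONS | {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER}:
        if len(data) != 4:
            raise ValueError("unexpected PDU length")
        pdu["address"], pdu["value_or_count"] = struct.unpack(">HH", data)
    elif function in {WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}:
        if len(data) < 5:
            raise ValueError("unexpected PDU length")
        pdu["address"], pdu["count"], byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != len(data) - 5:
            raise ValueError("byte count does not match payload")
    return pdu


def decide(src_ip: str, frame: bytes) -> tuple:
    """Return ("allow" | "deny", reason) for a request from src_ip."""
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed: {exc}"
    fc = pdu["function"]
    if fc not in POLICY.get(src_ip, set()):
        return "deny", f"function 0x{fc:02X} not permitted for {src_ip}"
    if fc in WRITE_FUNCTIONS:
        last = pdu["address"] + pdu.get("count", 1) - 1
        if last > WRITABLE_REGISTER_MAX:
            return "deny", f"write up to register {last} exceeds allowed range"
    return "allow", f"function 0x{fc:02X} from {src_ip}"


def build_request(txid, unit, function, address, value_or_count, payload=b"") -> bytes:
    """Build a Modbus/TCP request frame (used only to construct the samples)."""
    pdu = struct.pack(">BHH", function, address, value_or_count)
    if payload:
        pdu += struct.pack(">B", len(payload)) + payload
    return struct.pack(">HHHB", txid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic, not captured from a real network.
SAMPLES = [
    ("10.0.10.5", build_request(1, 1, READ_HOLDING_REGISTERS, 0, 10)),       # HMI read
    ("10.0.10.5", build_request(2, 1, WRITE_SINGLE_REGISTER, 5, 0x1234)),     # HMI write
    ("10.0.10.9", build_request(3, 1, WRITE_SINGLE_REGISTER, 5, 0x1234)),     # EWS write
    ("10.0.10.9", build_request(4, 1, WRITE_MULTIPLE_REGISTERS, 98, 2, b"\x00\x01\x00\x02")),  # 98-99
    ("10.0.10.9", build_request(5, 1, WRITE_MULTIPLE_REGISTERS, 99, 2, b"\x00\x01\x00\x02")),  # 99-100
    ("192.168.1.50", build_request(6, 1, READ_COILS, 0, 8)),                  # corporate host
    ("10.0.10.9", b"\x00\x07\x00\x00\x00\x02\x01"),                          # truncated frame
]


def run_samples():
    return [(ip, decide(ip, frame)[0]) for ip, frame in SAMPLES]


if __name__ == "__main__":
    for ip, frame in SAMPLES:
        verdict, reason = decide(ip, frame)
        print(f"{ip:14} {verdict:5} {reason}")
```

The point of the register-range check is that a write request names a start address and a count; the filter has to bound the last register touched, not just the first, or a multi-register write starting inside the allowed range can spill past it. In production this logic belongs in a protocol-aware firewall between the zones, never on the PLC itself.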

Page 9

What is DNS?
• The DNS (Domain Name System) translates Internet domain and host names to IP addresses. DNS automatically converts the names we type in our Web browser address bar to the IP addresses of the Web servers hosting those sites. (Wikipedia)

Page 10

DNS Phishing (fake HTTP request)
• Redirecting all incoming traffic to a fake server. Enables the attacker to launch additional attacks, or to collect traffic logs that contain sensitive information.
• Capturing all inbound email. Allows the attacker to send email on the victim's behalf, using the victim organization's domain and cashing in on its positive reputation.

Page 11

DNS Phishing (fake HTTP request)
• Taking over the registration of a domain. Attackers take over the registration of a domain and change the authoritative DNS servers.
  This was the type of attack used by the Syrian Electronic Army. They gained access to the domain registration accounts operated by Melbourne IT and changed the authoritative DNS servers to ns1.syrianelectronicarmy.com and ns2.syrianelectronicarmy.com.
• Cache poisoning. Attackers inject malicious DNS data into the recursive DNS servers operated by Internet Service Providers (ISPs). The damage caused by this attack is localized to the users who rely on the compromised resolvers.
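Cache poisoning works by getting a recursive resolver to accept and cache a forged reply. The following is an added example, not part of the slides, showing the three checks a careful resolver applies before caching anything from a reply: the 16-bit transaction ID (and the source port the kernel already matches) must equal the outstanding query's, the question section must match, and records are cached only for names inside the bailiwick of the server that was asked. Names, addresses and the packets are constructed here, not captured; the minimal wire-format builder and parser are hypothetical helpers, not any resolver's code.

```python
"""Added example: the acceptance checks that a cache-poisoning attacker has
to defeat (not from the slides). Packets are constructed, names are
hypothetical, and the parser is a minimal one written for this example."""
import struct


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a name at off (handles 0xC0 compression pointers); returns (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        if ln == 0:
            if not jumped:
                end = off + 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels) + ".", end


def build_response(txid, qname, answers, additional=()):
    """Build a DNS response carrying A records; answers/additional are [(name, ipv4)]."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack(">HH", 1, 1)        # question: A IN
    for name, ip in list(answers) + list(additional):
        rdata = bytes(int(x) for x in ip.split("."))
        body += encode_name(name) + struct.pack(">HHIH", 1, 1, 300, len(rdata)) + rdata
    return hdr + body


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                                    # qtype, qclass
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            rdata, off = msg[off:off + rdlen], off + rdlen
            if rtype == 1:                                      # A record
                records.append((section, name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "qname": qname, "records": records}


def in_bailiwick(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def accept_response(pending: dict, msg: bytes) -> dict:
    """pending describes the outstanding query: txid, qname, and the zone of
    the server it was sent to. Returns the records a careful resolver caches."""
    r = parse_response(msg)
    if r["txid"] != pending["txid"] or r["qname"] != pending["qname"]:
        return {}            # wrong ID or question: drop; the attacker must guess both
    cacheable = {}
    for section, name, ip in r["records"]:
        if in_bailiwick(name, pending["zone"]):
            cacheable[name] = ip
        # out-of-bailiwick data (e.g. an "additional" A record for another
        # zone smuggled into the reply) is never cached
    return cacheable


# Constructed scenario: resolver asked the example.com. server for www.example.com.
PENDING = {"txid": 0x1234, "qname": "www.example.com.", "zone": "example.com."}
LEGIT = build_response(0x1234, "www.example.com.", [("www.example.com.", "192.0.2.10")])
SPOOF_WRONG_ID = build_response(0x9999, "www.example.com.", [("www.example.com.", "203.0.113.66")])
SPOOF_RIGHT_ID = build_response(0x1234, "www.example.com.", [("www.example.com.", "203.0.113.66")],
                                additional=[("www.bank.example.", "203.0.113.66")])

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT), ("spoof, wrong id", SPOOF_WRONG_ID),
                       ("spoof, right id", SPOOF_RIGHT_ID)):
        print(f"{label:16} cached: {accept_response(PENDING, pkt)}")
```

The last case is the instructive one: if the attacker guesses the transaction ID (and port), the forged in-bailiwick answer is accepted, which is why resolvers randomize both and why DNSSEC validation is the durable fix; the bailiwick rule only stops the reply from poisoning other zones at the same time.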

Page 12

DNS Phishing scenario (diagram slide)

Page 13

Demonstrating an attack using BackTrack

Using the ARP spoofing technique (Address Resolution Protocol) to put the attacking machine in the path between the victims and their gateway, so that their DNS lookups can be answered with forged replies.
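The ARP-spoofing step of the demo works because hosts accept unsolicited ARP replies and overwrite their cache with whatever MAC the reply claims for the gateway's IP. The detection side of that, as an added example not part of the slides or the BackTrack demo: a monitor that parses Ethernet/ARP frames, learns IP-to-MAC bindings, and alerts when a binding operators declared static (the gateway) is contradicted or when a learned binding changes. The MACs, IPs and frames are constructed for the example; on a real network the frames would come from a raw socket or a pcap file.

```python
"""Added example: ARP-spoofing detector over constructed frames (not from the
slides). Learns IP->MAC bindings and alerts on contradictions."""
import struct

ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    src, ethertype = frame[6:12], struct.unpack(">H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack(">HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {"eth_src": mac_str(src), "op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


def build_arp(eth_src, op, sender_mac, sender_ip, target_mac, target_ip,
              eth_dst="ff:ff:ff:ff:ff:ff") -> bytes:
    """Construct an Ethernet/ARP frame (used only to build the samples)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack(">H", ETHERTYPE_ARP)
    arp = (struct.pack(">HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


class ArpMonitor:
    def __init__(self, static: dict):
        self.static = dict(static)   # bindings the operator declares fixed (gateway, PLC, HMI)
        self.table = dict(static)    # static plus learned bindings
        self.alerts = []

    def observe(self, frame: bytes):
        """Feed one frame; returns an alert string or None."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        alert = None
        if mac != arp["eth_src"]:
            alert = f"{ip}: ARP sender MAC {mac} differs from Ethernet source {arp['eth_src']}"
        elif ip in self.static and self.static[ip] != mac:
            alert = f"{ip}: static binding {self.static[ip]} contradicted by {mac}"
        elif ip in self.table and self.table[ip] != mac:
            alert = f"{ip}: binding changed from {self.table[ip]} to {mac}"
        if alert:
            self.alerts.append(alert)
        else:
            self.table[ip] = mac      # consistent with what we know: learn or confirm
        return alert


# Constructed hosts and frames (hypothetical addresses).
GW_IP, GW_MAC = "10.0.10.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.10.5", "00:11:22:33:44:05"
ATT_IP, ATT_MAC = "10.0.10.66", "de:ad:be:ef:00:01"
ZERO = "00:00:00:00:00:00"
SAMPLES = [
    build_arp(GW_MAC, ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP, eth_dst=VICTIM_MAC),  # legit reply
    build_arp(VICTIM_MAC, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO, GW_IP),                 # victim asks for gateway
    build_arp(ATT_MAC, ARP_REPLY, ATT_MAC, GW_IP, VICTIM_MAC, VICTIM_IP, eth_dst=VICTIM_MAC),  # poison: "gateway is me"
    build_arp(ATT_MAC, ARP_REPLY, ATT_MAC, VICTIM_IP, GW_MAC, GW_IP, eth_dst=GW_MAC),        # poison: "victim is me"
    mac_bytes(GW_MAC) + mac_bytes(VICTIM_MAC) + struct.pack(">H", ETHERTYPE_IPV4) + bytes(28),  # not ARP
]


def run_samples():
    mon = ArpMonitor(static={GW_IP: GW_MAC})
    return [mon.observe(f) for f in SAMPLES], mon.alerts


if __name__ == "__main__":
    results, alerts = run_samples()
    for r in results:
        print(r)
```

Two poisoning frames are needed to intercept both directions of traffic, and the monitor catches each for a different reason: the gateway claim contradicts a declared static binding, the victim claim contradicts a binding learned from the victim's own request. A detector like this only sees what reaches its switch port; the preventive controls are static ARP entries on the gateway and critical hosts and dynamic ARP inspection on the switches.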

Page 14

Avoidance
• Good security practices such as strong passwords, IP access control lists (ACLs) and social engineering training will help guard against attack
• dnstop: a curses-based application that displays various tables of DNS statistics
• DSC (DNS Statistics Collector): designed to collect and aggregate statistics from busy authoritative servers, such as those used by TLD (Top-Level Domain) and root server operators
• Traffic Gist: a network traffic statistics collection tool. Gist can collect statistics about live traffic and do post-mortem packet capture analysis

Page 15

Limiting Recursion to Authorized Clients

For DNS servers that are deployed within an organization or Internet Service Provider, the resolver should be configured to perform recursive queries on behalf of authorized clients only. These requests typically should only come from clients within the organization's network address range. We highly recommend that all server administrators restrict recursion to clients on the organization's network, since an open recursive resolver can be queried, and therefore poisoned, by anyone on the Internet.

BIND9: in the global options, include the following [10]:

    acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };

    options {
        allow-query { any; };
        allow-recursion { corpnets; };
    };

With this configuration the server still answers non-recursive queries for zones it is authoritative for from any client, while recursion is limited to the corpnets ranges; in BIND 9.4 and later, allow-query-cache defaults to the allow-recursion setting, so cached answers are also withheld from outside clients.

Page 16

References
• http://www.fastandeasyhacking.com/ (Armitage)
• http://ettercap.github.io/ettercap/ (Ettercap)
• Siemens PLC Simulator (S7 series)

Page 17

Questions?