OWASP - ICS Security Meetup

Transcript

1. Cybersecurity & ICS A simple journey to security around Industrial

   control systems

2. #whoami Ashwani kumar a.k.a CyberK@Lki Hobbies – Gaming & finding

   new places to go solo Interest area – OSINT, Network Pentest, Malware analysis, Social engineering , DevSecOps, Geopolitics & Quantum physics Professional CS GO & Fortnite Player : Nick : GodWA Certified ICS Security skills from US Homeland Security & CISA Reported Scada bugs for BSNL, Railtel & other National critical infrastructures Provide OSINT training and consultancy to govt agencies & Private entities Work closely with CyberPeace NGO helping Indian masses to stay safe in cyberspace. 2 Website – https:/cyberkalki.com/ [ Work in Progress]

3. Deployments of Industrial Control Systems Distributed Control System Supervisory Control

   and Data Acquisition System Safety Instrumented Systems Process Control System Energy Management System Automation System Automated Control Systems

4. ICS Architecture – Basic Anatomy

5. ICS Communication Channel The 3 main components across all major

   ICS communication is :- 1. Field devices 2. Field controllers 3. HMI’s

6. IT vs ICS – A contrast comparison Controls IT ICS

   Security patches Applied regularly on standard systems Only recently provided by vendors. Applied once a year tops Antivirus Deployed on all Windows machines, centrally managed Not managed Administration Centralized, dedicated teams, standard operations and procedures Lack of local skills, heterogeneous environments, lots of different tools to use, vendor support is mandatory IAM Nominative accounts Generic, shared accounts, no password policy Availability Service interruptions are ok, especially outside business hours Real-time operations, downtime is unacceptable or very costly Protocols Standard, TCP/IP protocols that include authentication and encryption Lot of vendor-specific protocol, no security built into the protocols Impact No people endangered Possible impact of people, environment, industrial gear

7. Weakness within ICS domain 1. Legacy control system 2. Poor

   network protocol implementation 3. Plain text traffic 4. Weak protection of ICS systems from the enterprise IT network 5. Vulnerable web services 6. Insecure remote connectivity to ICS networks 7. Poor patch management 8. Lack of cyber security considerations in network architecture/segmentation 9. Weak network component configuration 10. Insecure encryption and authentication for wireless ICS networks 11. Poor programming and code quality 12. Poor passwords practices and weak authentication 13. No integrity checks at critical asset level 14. Least user privilege violation

8. Dangerous Consequences Accidents and human error have had dramatic consequences.

   Just think of what might happen if someone set out to intentionally maliciously manipulate a critical control/automation system

9. More specific consequences 1. Unauthorized access, theft, or misuse of

   confidential information (product formulations, trade secrets, production schedules, etc.) 2. Loss of integrity or reliability of process/production information 3. Loss of system availability and/or accessibility 4. Process upsets leading to compromised process functionality, inferior product quality, product contamination, lost production capacity, compromised process safety, or environmental releases 5. Equipment and/or facility damage 6. Personal injury or death 7. Violation of legal and regulatory requirements (e.g. environmental) 8. Risk to public health and confidence 9. Threat to a nation’s security

10. Toolkit for ICS Cybersecurity Posture Detection 1. Search Engines 2.

    Shodan 3. Kautilya 4. ControlThings.io 5. NMAP Scripts 6. Modscan 7. Ctmodbus 8. Metasploit 9. Redpoint Scripts 10. ShutdownSCADA 11. PLCScan 12. S-Mod etc..

11. Steps to Improve Cyber Security of ICS Networks 1. Identify

    all connections to ICS networks. 2. Disconnect unnecessary connections to the ICS network. 3. Harden SCADA networks by removing or disabling unnecessary services. 4. Do not rely on proprietary protocols to protect your system. 5. Implement the security features provided by device and system vendors. 6. Establish strong controls over any medium that is used as a backdoor into the ICS network. 7. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring. 8. Perform technical audits of ICS devices and networks, and any other connected networks, to identify security concerns. 9. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security. 10. Establish ICS “Red Teams” to identify and evaluate possible attack scenarios 11. Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured

12. Secure Architecture Diagram as per CISA

13. None

14. Industrial protocols Currently, the most used seem to be :

    ◦ HART / Wireless HART ◦ Profibus ◦ Modbus ◦ Profinet / S7 ◦ DNP3 ◦ OPC

15. Modbus protocol 1. Serial communication protocol invented in 1979 by

    Schneider Electric aka Modicon 2. The most common Modbus functions allow to read and write data from/to a PLC 3. Undocumented Modbus function codes can also be used to perform specific actions t common Modbus functions allow to read and write data from/to a PLC

16. Modbus Function codes & Frame format All documented MODBUS function

    codes: https://en.wikipedia.org/wiki/Modbus

17. Modbus Master/Slave Simulation SCADA/ICS systems use many different protocols to

    communicate than your standard IT systems. The most widely used and the de facto standard is the • Modbus protocol. First developed by Modicon (now Schneider Electric) in 1979 as a serial protocol, it has been modified and updated to run over TCP and is often referred to as Modbus TCP. You can see a diagram of the two packet structures below

18. Modbus Master/Slave Simulation.. Continued Step #1 Download and install Modbus

    master and slave .jar files. Can be run on windows system as well. After executing these two files, you should have a screen that looks like this below.

19. Modbus Master/Slave Simulation.. Continued Step #2 Select to Run Modbus

    TCP on port 502. Step #3 Add Slaves Step #4 Add Values to the Coils Step #5 Change the Coil Data Step #6 Adding Values to the Registers Step #7 Write Multiple Registers # The similar process can be followed for holding registers as well.
20. None

21. Read Coil Status

22. None

23. Modbus Data Models

24. Modbus Exploitation using Metasploit – 1/6 Note, I will be

    using a live, functioning SCADA system as my target. This is not a laboratory or VM. It is random system selected from the Internet. I have removed it's IP address to protect the naive and uninformed. No damage was done, and all settings were returned to their original state. Step #1: Search for Modbus Modules To begin, let's use the search function in Metasploit to find Modbus modules. • To begin, let's use the search function in Metasploit to find modbus modules.

25. Modbus Exploitation using Metasploit – 2/6 Step #2: Confirm modbus

    protocol is being used on target Now let’s recon some stuffs using other modules like Modbusdetect. When we run this module, it goes to the target system's port 502 and sends a probe to determine whether it is using modbus. As you can see below, it confirms that our target is running modbus and now we can proceed with our modbus-based reconnaissance and exploitation.

26. Modbus Exploitation using Metasploit – 3/6 Step #3: Find Unit

    ID’s This is similar to a ping sweep in TCP/IP, but the results are slightly less reliable. As you can see, this module was successful in finding each of the Unit ID's of the connected devices.

27. Modbus Exploitation using Metasploit – 4/6 Step #4: Reading and

    Writing data on the Modbus Devices Our next modbus module is modbusclient. It enables us to read and write the data from both the coils and registers on these SCADA systems. Reading the data can lead to information leakage, but writing the data is even more nefarious as it could change various setting within the plant and cause a malfunction (pay attention cyber warriors!).

28. Modbus Exploitation using Metasploit – 5/6 As you can see

    in last screenshot, we have changed value from 0 to 1. In SCADA/ICS terminology, coils are devices on the network that are either ON or OFF. Their settings are either 1 or 0. By changing the values of a coil, you are switching it on or off. This module requires several variables to be set. Most important is the ACTION.

29. Modbus Exploitation using Metasploit – 6/6 Also note the default

    setting for the UNIT_NUMBER is 1 and NUMBER is 1. This means that by default, it will take its action only on the first UNIT ID and only the first unit. In this case, I set the NUMBER variable to 100. This means it will start with UNIT ID number 1 and read 100 registers.

30. Denial of access using MSF– 1/2 Quick script to sweep

    the network, find controllers supporting this function code and configure a password.

31. Denial of access using MSF– 2/2 Locked Out. We just

    turned the PCN into unusable resource.

32. More enumeration using SMOD – 1/4

33. More enumeration using SMOD – 2/4

34. More enumeration using SMOD – 3/4

35. More enumeration using SMOD 4/4

36. Other Metasploit Modules …. Vendor Component Metasploit Reference 7-Technologies IGSS

    exploit/windows/scada/igss9_igssdataserver_listall.rb exploit/windows/scada/igss9_igssdataserver_rename.rb exploit/windows/scada/igss9_misc.rb auxiliary/admin/scada/igss_exec_17.rb AzeoTech DAQ Factory exploit/windows/scada/daq_factory_bof.rb 3S CoDeSys exploit/windows/scada/codesys_web_server.rb BACnet OPC Client exploit/windows/fileformat/bacnet_csv.rb Beckhoff TwinCat auxiliary/dos/scada/beckhoff_twincat.rb General Electric D20 PLC auxiliary/gather/d20pass.rb Schneider Electric CitectSCADA CitectFacilities exploit/windows/scada/citect_scada_odbc.rb Siemens Factory Link exploit/windows/scada/factorylink_cssservice.rb exploit/windows/scada/factorylink_vrn_09.rb

37. Man-in-the-middle Attack – 1/2 • The control system network also

    needs to be secured against attackers. Since there is no transport layer security to secure communications between master and slave, a hostile actor can use a variety of methods, like ARP poisoning, to insert themselves into the middle of communications. This attack is a three-step process. ◦ The first is to poison the ARP tables on the master and slave. This forces the network to trust the predefined route for communication. ◦ In the second step, with all traffic between the two is going through the attacker (or man-in-the-middle) machine, certain packets are captured and modified. This is done with Scapy’s sniff function, which allows us to specify a function to apply to every packet that meets the given criteria. ◦ The third step is to clean up the ARP tables. This seamlessly removes our code from the communication, thereby making the post attack analysis more difficult.

38. Man-in-the-middle Attack – 2/2 • When our software (or man-in-the-middle)

    receives a Modbus command it stores the resultant slave state locally. It then forwards a modified request to the slave and intercepts its response. The response is then edited to match the expected result. This allows us to change the configuration of the slave without the master being aware of the changes. • Above figure show a request and response being filtered by our software. It shows the master issuing a write request (write value 1 to coil 3), that status being saved by our software, and a different configuration being forwarded (write value 0 to coil 3). • Post that, the response from the slave (coil 3 is 0) is processed. The result of which is the master believing the slave has a different configuration than it has. • This deception will persist until either the software decides to remove itself from the configuration, or the slave is queried by something that has not been ARP poisoned.

39. Modbus Security Concerns 1. Lack of authentication 2. No encryption

    3. No Checksum 4. No Broadcast 5. Lack of Confidentiality & Integrity 6. Lack of Session management controls 7. Simplistic Framing

40. Sample Attack logic Case Study

41. Use of ICS across Sectors …

42. Global ICS Security Standards

43. References - Links 1) https://www.nrc.gov/docs/ML1319/ML13198A409.pdf 2) https://www.us-cert.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_OSTools_InternetFacingICS_S508C.pdf 3) https://www.energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf 4)

    https://cdn5.dcbstatic.com/files/i/c/ics_cert_training_docebosaas_com/1593630000/NIpMC97WedpbK6Quk7kEmw/scor m/657916188b1ef986b692e5d1da361745a2b8b5bc/ics-per-sector.pdf 5) https://github.com/samratashok/Kautilya 6) https://githacktools.blogspot.com/2018/06/smod-modbus-pentest-framework.html 7) https://www.rapid7.com/db/modules/auxiliary/scanner/scada/modbusclient 8) https://www.comm.utoronto.ca/~dkundur/pub_pdfs/ChePatGouButKunCQR15.pdf Books 1) Robust Control System Networks, Ralph Langner 2) Industrial Network Security, 2nd Edition, Knapp & Langill 3) Cybersecurity for Industrial Control Systems, Macaulay & Singer 4) Countdown to Zero Day, Kim Zetter 5) Handbook of SCADA/Control Systems, 2nd Ed., Radvanovsky & Brodsky 6) Hacking Exposed Industrial Control Systems, Bodungen, et al

44. In future… 1. Exploiting DNP3 and S7 protocols 2. Exploiting

    PLC and HMI devices 3. Packet sniffing & MITM attacks on field devices 4. Visualizing and exploiting ICS via Dragos 5. Exploiting other ICS & IOT level bugs BE UPDATED !!! Follow my website or blogs for more insights about ICS Pentesting TTP’s