SCADA StrangeLove (scada.sl): Sergey Gordeychik, Aleksandr Timorin, Gleb Gritsai. *All pictures are taken from the Dr. Strangelove movie and other Internets.
Group of security researchers focused on ICS/SCADA: Alexander Timorin, Dmitry Serebryannikov, Sergey Drozdov, Alexander Tlyapov, Dmitry Sklyarov, Sergey Gordeychik, Alexander Zaitsev, Evgeny Ermakov, Sergey Scherbel, Alexey Osipov, Gleb Gritsai, Timur Yunusov, Andrey Medov, Ilya Karpov, Valentin Shilnenkov, Artem Chaykin, Ivan Poliyanchuk, Vladimir Kochetkov, Denis Baranov, Kirill Nesterov, Vyacheslav Egoshin, Dmitry Efanov, Roman Ilin, Yuri Goltsev, Dmitry Nagibin, Sergey Bobrov, Yuriy Dyachenko. Mission: to save Humanity from industrial disaster and to keep Purity Of Essence.
Aleksandr Timorin: ICS security researcher, industrial protocols fan and 0-day PLC hunter, SCADAStrangeLove team member, The Ocean band fan. atimorin, atimorin@protonmail.ch
Agenda: • ICS basics 101 • Vulnerabilities: input validation; design and architecture • Safety and security as a whole
What is the ICS world and why we should develop carefully
• Today is the digital era (welcome back, Captain Obvious!). Automated processes are everywhere: from home automation to big energy plants, from breweries to traffic control systems.
• Industrial automation is becoming more comfortable for engineers and operators.
• Switching from analog to digital brings along the old and absolutely insecure software development process.
What types of ICS products are vulnerable: • Client/server software • Field devices: RTU, PLC, protective relays, power meters, converters, actuators and so on • Network switches, gateways • GSM/GPRS modems, wireless APs • Mobile applications • Industrial protocols • Human factor
Analytics and statistics of ICS vulnerabilities • Analyzed CVEs since ~2010 • Data source: ics-cert.us-cert.gov; CVE details: NVD • Total unique CVEs: 689 • CVSS 2.0: min score 1.7, max score 10.0, avg score 6.5; high and critical scores: 285 (41%)
• CWE statistics: CWE = Common Weakness Enumeration; definitions and full descriptions at https://nvd.nist.gov/cwe.cfm • Unique number of CWEs: 43
• CWE statistics (TOP 20): $ sort cwe.all.raw | uniq -c | sort -nr | head -20
• Categories in the TOP 20 chart: Buffer Errors, Numeric Errors, NULL Pointer Dereference, Code Injection, Security Features, Untrusted Search Path, Unrestricted Upload of File with Dangerous Type, SQL Injection, Improper Access Control, Information Leak / Disclosure, CSRF, Use of Hard-coded Credentials, Authentication Issues, Path Traversal, Input Validation, Resource Management Errors, Credentials Management, Permissions, Privileges, and Access Control, Cryptographic Issues, XSS, and Other (after TOP 20)
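The numbers on the statistics slides (CVSS min/max/avg, share of High scores, and the CWE frequency table the `sort | uniq -c | sort -nr | head` pipeline produces) can be reproduced from a list of records. The following is an added example, not code from the deck; the records are a constructed sample, not the 689 NVD/ICS-CERT entries the authors analysed, so the output illustrates the method rather than the deck's figures.

```python
"""Summarise ICS CVE records: CVSS 2.0 min/max/avg, share of High (>= 7.0)
scores, and the CWE frequency table (Python equivalent of
`sort cwe.all.raw | uniq -c | sort -nr | head -N`)."""
from collections import Counter
from statistics import mean

# Constructed sample records (id, CVSS 2.0 base score, CWE name).
# Placeholders for illustration, NOT the dataset analysed in the deck.
SAMPLE_RECORDS = [
    ("SAMPLE-1", 10.0, "Buffer Errors"),
    ("SAMPLE-2", 7.5, "Use of Hard-coded Credentials"),
    ("SAMPLE-3", 4.3, "XSS"),
    ("SAMPLE-4", 1.7, "Information Leak / Disclosure"),
    ("SAMPLE-5", 6.8, "Buffer Errors"),
    ("SAMPLE-6", 9.3, "Improper Access Control"),
    ("SAMPLE-7", 5.0, "XSS"),
    ("SAMPLE-8", 7.4, "Buffer Errors"),
]

HIGH_THRESHOLD = 7.0  # CVSS 2.0 bands: 0-3.9 Low, 4.0-6.9 Medium, 7.0-10.0 High


def cvss_summary(records):
    """The numbers reported on the 'Analytics and statistics' slide."""
    scores = [score for _, score, _ in records]
    high = [s for s in scores if s >= HIGH_THRESHOLD]
    return {
        "total": len(scores),
        "min": min(scores),
        "max": max(scores),
        "avg": round(mean(scores), 1),
        "high_count": len(high),
        "high_pct": round(100.0 * len(high) / len(scores)),
    }


def cwe_counts(records, top_n=20):
    """(cwe, count) pairs, most frequent first, plus the number of records
    that fall outside the top N ('Other (after TOP N)' in the chart)."""
    counter = Counter(cwe for _, _, cwe in records)
    top = counter.most_common(top_n)
    other = sum(counter.values()) - sum(n for _, n in top)
    return top, other


def unique_cwe_count(records):
    return len({cwe for _, _, cwe in records})


if __name__ == "__main__":
    print(cvss_summary(SAMPLE_RECORDS))
    top, other = cwe_counts(SAMPLE_RECORDS, top_n=3)
    for cwe, n in top:
        print(f"{n:4d} {cwe}")
    print(f"{other:4d} Other (after TOP 3)")
```

Feed it the real NVD export (one record per CVE, with the CWE name from the NVD entry) and `cwe_counts(records, 20)` gives the chart above; `unique_cwe_count` gives the "unique number of CWE" figure.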
Honeywell EPKS, CVE-2014-9189 and CVE-2014-9187 (code screenshots; cb is a buffer size)
SpiderControl SCADA Web Server, stack-based buffer overflow, CVE-2015-1001
Siemens SIPROTEC 7SJ64 (protective relay): XSS
Siemens WinCC deployment diagram: Internet, corporate LAN, VPNs and other networks -> WinCC Web Clients / DataMonitor -> WinCC Web Server -> WinCC SCADA servers, SCADA clients and engineering station (TIA Portal/PCS7) on the LAN -> PROFINET / PROFIBUS -> PLC 1, PLC 2, PLC 3
WinCCExplorer.exe/PdlRt.exe: creating and using your own security features instead of the standard ones is a bad idea!
Hardcoded secrets turn up in protocols with authentication: SNMP, telnet, HTTP, etc. • You can hardcode keys, certificates, passwords • Example: SMA Sunny WebBox
Siemens SIPROTEC 4 protective relay confirmation code "311299" gives access to: system log, device info, stack and other parts of memory, more? Siemens' own description: "SIPROTEC 4 and SIPROTEC Compact devices allow the display of extended internal statistics and test information… To access this information, the confirmation code "311299" needs to be provided when prompted." "...Siemens does not publish official documentation on these statistics. It is strongly recommended to work together with Siemens SIPROTEC customer care or commissioning experts to retrieve and interpret the statistics and test information..."
Siemens S7-1200 PLC, CVE-2014-2252: "An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system." The trigger is just a PROFINET "Set" request that sets the network info (IP, netmask, gateway) to all-zero values.
Not secure by design: default credentials, autocomplete. Defaults and factory settings (sometimes unchangeable) are everywhere. SCADA StrangeLove Default/Hardcoded Passwords List: https://github.com/scadastrangelove/SCADAPASS
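The lesson of CVE-2014-2252 for a developer is input validation on the receiving side: a device must sanity-check a network configuration before committing it. Below is an added example, not code from the deck and not Siemens code, of that check for a DCP "Set" request carrying an IP-parameter block. The PDU layout (FrameID, ServiceID, ServiceType, Xid, Reserved, DCPDataLength, then Option/Suboption/DCPBlockLength/BlockQualifier blocks) is the common PROFINET DCP layout as this editor understands it and should be treated as an assumption; both PDUs are constructed.

```python
"""Receiver-side validation of a PROFINET DCP Set request with an IP-parameter
block: what a PLC should check before accepting a new address."""
import ipaddress
import struct

DCP_FRAME_ID_GETSET = 0xFEFD
DCP_SERVICE_SET = 0x04
DCP_SERVICE_TYPE_REQUEST = 0x00
OPTION_IP, SUBOPTION_IP_PARAMETER = 0x01, 0x02

# Constructed DCP PDUs (the bytes after the 0x8892 ethertype); layout assumed:
#   FrameID(2) ServiceID(1) ServiceType(1) Xid(4) Reserved(2) DCPDataLength(2)
#   Option(1) Suboption(1) DCPBlockLength(2) BlockQualifier(2) IP(4) Mask(4) GW(4)
# Sane request: 192.168.0.10/24, gateway 192.168.0.1, temporary (qualifier 0).
PDU_SANE = bytes.fromhex(
    "fefd" "04" "00" "00000001" "0000" "0012"
    "01" "02" "000e" "0000" "c0a8000a" "ffffff00" "c0a80001")
# The request the slide describes: IP, netmask and gateway all zero.
PDU_ALL_ZERO = bytes.fromhex(
    "fefd" "04" "00" "00000002" "0000" "0012"
    "01" "02" "000e" "0000" "00000000" "00000000" "00000000")


def parse_dcp_set(pdu):
    """Return (xid, [(option, suboption, block_payload), ...]) or raise ValueError."""
    if len(pdu) < 12:
        raise ValueError("PDU shorter than DCP header")
    frame_id, service, stype, xid, _reserved, data_len = struct.unpack_from("!HBBIHH", pdu, 0)
    if (frame_id, service, stype) != (DCP_FRAME_ID_GETSET, DCP_SERVICE_SET, DCP_SERVICE_TYPE_REQUEST):
        raise ValueError("not a DCP Set request")
    body = pdu[12:12 + data_len]
    if len(body) != data_len:
        raise ValueError("DCPDataLength exceeds frame")      # never trust a length field
    blocks, off = [], 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated block header")
        option, suboption, block_len = struct.unpack_from("!BBH", body, off)
        payload = body[off + 4:off + 4 + block_len]
        if len(payload) != block_len:
            raise ValueError("DCPBlockLength exceeds payload")
        blocks.append((option, suboption, payload))
        off += 4 + block_len + (block_len & 1)             # blocks are padded to even length
    return xid, blocks


def ip_parameter_problem(payload):
    """None if the IP-parameter block is acceptable, else the reason to reject it."""
    if len(payload) != 14:
        return "IP parameter block must be 14 bytes"
    (qualifier,) = struct.unpack_from("!H", payload, 0)
    ip, mask, gw = (ipaddress.IPv4Address(payload[i:i + 4]) for i in (2, 6, 10))
    if qualifier & ~0x0001:
        return "reserved BlockQualifier bits set"
    if (ip.is_unspecified or ip.is_loopback or ip.is_multicast
            or ip == ipaddress.IPv4Address("255.255.255.255")):
        return f"unusable IP address {ip}"
    m = int(mask)
    inverted = ~m & 0xFFFFFFFF
    if m in (0, 0xFFFFFFFF) or inverted & (inverted + 1):   # must be contiguous 1s then 0s
        return f"invalid netmask {mask}"
    net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    if ip in (net.network_address, net.broadcast_address):
        return f"{ip} is the network or broadcast address of {net}"
    if not gw.is_unspecified and (gw not in net or gw == ip):
        return f"gateway {gw} not reachable from {net}"
    return None


def decide(pdu):
    """'accept' or 'reject: <reason>' for a DCP Set request."""
    try:
        _xid, blocks = parse_dcp_set(pdu)
    except ValueError as exc:
        return f"reject: {exc}"
    for option, suboption, payload in blocks:
        if (option, suboption) == (OPTION_IP, SUBOPTION_IP_PARAMETER):
            problem = ip_parameter_problem(payload)
            if problem:
                return f"reject: {problem}"
    return "accept"


if __name__ == "__main__":
    print("sane    :", decide(PDU_SANE))
    print("all-zero:", decide(PDU_ALL_ZERO))
```

The same function rejects a truncated frame, a non-contiguous netmask and a gateway outside the subnet; a device that only applies the bytes it was given, as the slide describes, is one malformed broadcast away from a cold restart.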
KIOSK mode: Limit access to OS functions
WinCC accounts: the "secret" crypto key is fixed. It's XOR; they should not have bothered hardcoding a key for XOR.
PLC password "encryption": password (8 bytes)
TIA Portal PEData.plf: passwords history
Winccwebbridge.dll: please hash your hardcoded account
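Why a fixed XOR key is no protection at all: one account whose password is known (a default account, or one the attacker created) yields the key, and the key then decrypts every other stored account. The following is an added example written for this page; the key value and the account store are constructed placeholders, not the WinCC key or format.

```python
"""Fixed-key XOR 'encryption' of stored passwords and its trivial recovery."""

HARDCODED_KEY = bytes.fromhex("37 9a c2 51 e0")   # constructed placeholder, not WinCC's key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def protect_password(password: str) -> bytes:
    """The product-side scheme being criticised: XOR with a key baked into the binary."""
    return xor_bytes(password.encode(), HARDCODED_KEY)


def recover_key(known_password: str, stored: bytes, max_key_len: int = 32) -> bytes:
    """Attacker side. ciphertext XOR plaintext = keystream; the keystream is the
    key repeated, so the shortest period that explains every byte is the key.
    The known sample must cover at least two key lengths to confirm the period."""
    stream = xor_bytes(stored, known_password.encode())
    for n in range(1, min(max_key_len, len(stream) // 2) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    raise ValueError("known sample too short to confirm the key period")


def dump_accounts(records: dict, key: bytes) -> dict:
    """Decrypt every stored account with the recovered key."""
    return {user: xor_bytes(blob, key).decode() for user, blob in records.items()}


# Constructed account store; the attacker knows only that "admin" still has the default password.
STORED = {
    "admin": protect_password("administrator"),
    "operator": protect_password("Pump-Station-7"),
    "engineer": protect_password("s7-1200!"),
}

if __name__ == "__main__":
    key = recover_key("administrator", STORED["admin"])
    print("recovered key:", key.hex())
    for user, password in dump_accounts(STORED, key).items():
        print(f"{user}: {password}")
```

Nothing here depends on knowing the key in advance; the product ships it in every installation, so hiding it does not help either. Store passwords as salted, slow hashes instead.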
Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE-2014-2251: Seed = plc_start_time + const
Target: Siemens S7-1200 PLC
PROFINET "feature" + PRNG vulnerability = a real attack vector. Result: PLC takeover.
- Hash passwords; SHA alone is not good enough - Don't put the length of the plaintext nearby: the red-boxed value in the screenshot is len(pwd)*2+1
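What "Seed = plc_start_time + const" buys an attacker: if session identifiers come from a PRNG seeded that way, anyone who can learn the boot time roughly (uptime is commonly exposed via SNMP sysUpTime or device info) and observe a couple of identifiers can recover the seed and predict the next ones. Below is an added model of that weakness, not the S7 algorithm: the generator (Python's Mersenne Twister), the constant and the session-id scheme are stand-ins chosen for this example.

```python
"""Predictable session ids from a PRNG seeded with plc_start_time + const,
and the attacker-side seed recovery. Generator and constant are assumed."""
import random
import secrets

SEED_CONST = 0x5A17C0DE    # assumed firmware constant; in practice read out of the firmware image


class WeakSessionIds:
    """Device side: one PRNG seeded at boot; each new session takes the next 32-bit output."""

    def __init__(self, plc_start_time: int):
        self._rng = random.Random(plc_start_time + SEED_CONST)

    def next_id(self) -> int:
        return self._rng.getrandbits(32)


def recover_seed(observed: tuple, approx_start: int, window: int, max_sessions: int = 256):
    """Attacker side: given two consecutive ids (e.g. from two sessions the
    attacker opened itself) and the boot time to within +/-window seconds,
    brute-force the seed. Returns (seed, index_of_second_observed_id) or None."""
    first, second = observed
    for t in range(approx_start - window, approx_start + window + 1):
        rng = random.Random(t + SEED_CONST)
        prev = rng.getrandbits(32)
        for k in range(1, max_sessions):
            cur = rng.getrandbits(32)
            if (prev, cur) == (first, second):
                return t + SEED_CONST, k
            prev = cur
    return None


def predict_following(seed: int, last_index: int, count: int = 1) -> list:
    """Replay the generator past the observed ids and return the next `count` ids."""
    rng = random.Random(seed)
    for _ in range(last_index + 1):
        rng.getrandbits(32)
    return [rng.getrandbits(32) for _ in range(count)]


def strong_session_id() -> int:
    """What the device should do instead: a CSPRNG with no relation to boot time."""
    return secrets.randbits(32)


def demo(plc_start_time: int = 1_500_000_000, drift: int = 37) -> bool:
    """Attacker knows boot time only to within a couple of minutes (drift)."""
    plc = WeakSessionIds(plc_start_time)
    ids = [plc.next_id() for _ in range(5)]        # sessions 0..4 issued since boot
    attacker_view = (ids[2], ids[3])                # the attacker's own two sessions
    seed, idx = recover_seed(attacker_view, plc_start_time + drift, window=120)
    return predict_following(seed, idx, 1)[0] == ids[4]   # the next operator's session


if __name__ == "__main__":
    print("next session id predicted:", demo())
```

The search space is (2*window+1) * max_sessions seeds, a few tens of thousands of PRNG restarts, which runs in well under a second; an unpredictable seed from a CSPRNG has no such shortcut.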
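How much a stored length field gives away, and what a sound store looks like: the example below is added for this page and is not the PLC's format. The "redbox" field is the len(pwd)*2+1 value described above; the hash algorithm (plain SHA-1) is assumed for illustration, and the stronger variant uses PBKDF2-HMAC-SHA256 with a per-record random salt.

```python
"""Length-leaking password record vs. a salted, slow hash."""
import hashlib
import hmac
import itertools
import os
import string


def weak_record(password: str) -> dict:
    """The anti-pattern: an unsalted fast hash with len(password)*2+1 stored beside it."""
    return {"sha1": hashlib.sha1(password.encode()).digest(),
            "redbox": len(password) * 2 + 1}


def leaked_length(record: dict) -> int:
    return (record["redbox"] - 1) // 2


def candidates_without_length(alphabet: str, max_len: int) -> int:
    """Keyspace an attacker must cover when the length is unknown."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


def crack_weak(record: dict, alphabet: str):
    """Brute-force only the leaked length; returns (password, attempts)."""
    n = leaked_length(record)
    attempts = 0
    for cand in itertools.product(alphabet, repeat=n):
        attempts += 1
        guess = "".join(cand)
        if hashlib.sha1(guess.encode()).digest() == record["sha1"]:
            return guess, attempts
    return None, attempts


def strong_record(password: str, iterations: int = 200_000) -> dict:
    """Salted, slow hash; nothing in the record reveals the password length."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "dk": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)}


def verify_strong(record: dict, password: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


if __name__ == "__main__":
    rec = weak_record("4712")                       # constructed 4-digit PIN-style password
    print("leaked length:", leaked_length(rec))
    print("cracked:", crack_weak(rec, string.digits))
    print("keyspace without length, up to 8 digits:", candidates_without_length(string.digits, 8))
    srec = strong_record("4712")
    print("verify:", verify_strong(srec, "4712"), verify_strong(srec, "4713"))
```

With the length known the attacker tries 10^4 candidates instead of about 1.1*10^8 for "up to 8 digits"; the slow hash then makes every remaining guess cost tens of milliseconds rather than microseconds.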
Architecture looks ideal (from the developers' point of view)
Reality looks ideal too (from the attacker's point of view)
Many vendors tend to reinvent the wheel and write their own services (FTP, telnet, SSH, HTTP, etc.). Guten Tag WinCC: • WinCC Server: Windows/MSSQL-based SCADA • WinCC Client (HMI): WinCC runtime + project • WinCC Web Server (WebNavigator): IIS/MSSQL/ASP/ASP.NET/SOAP • WinCC WebClient (HMI): ActiveX/HTML/JS
Third-party services: deployed with default and example.config configurations (e.g. lots of busybox-based devices with the default root account) • No patches and updates
Mirai DDoS botnet: DVRs, NVRs, IP cameras; over 0.5 million IoT devices are vulnerable. What's the problem? Hardcoded root:xc3511. Moreover, it is not so easy to change it.
How to get the firmware? How to get debug symbols? How to debug? ... PowerPC, no "operating system"
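A check a vendor (or an assessor with an unpacked firmware image) can run before shipping: look at /etc/passwd and /etc/shadow for accounts with no password, hashes left in world-readable /etc/passwd, weak hash algorithms, extra UID 0 accounts and hashes that match a list of known default passwords (what a SCADAPASS-style list lets you build). This is an added example for this page; the passwd/shadow excerpts and the default-hash list are constructed, not taken from any real device.

```python
"""Audit passwd/shadow from an unpacked firmware root filesystem for
hard-coded or weakly protected accounts."""
import re

# Constructed rootfs excerpts (not copied from any real device).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:$1$abcdefgh$0123456789abcdefghijkl:0:0:admin:/:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
service:AbCdEfGhIjKlM:500:500:service:/tmp:/bin/sh
guest::501:501:guest:/tmp:/bin/sh
"""
SHADOW = """\
root:$1$xyz12345$0123456789abcdefghijkl:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
"""
# Constructed placeholder for hashes known to belong to vendor default passwords.
KNOWN_DEFAULT_HASHES = {"AbCdEfGhIjKlM": "constructed entry: vendor default password"}
WEAK_HASHES = {"md5crypt", "des-crypt"}


def parse_colon_file(text: str) -> dict:
    """name -> list of fields, for passwd/shadow style files."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def classify_hash(field: str) -> str:
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith("$1$"):
        return "md5crypt"
    if field.startswith(("$5$", "$6$")):
        return "sha-crypt"
    if field.startswith("$2"):
        return "bcrypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"
    return "unknown"


def audit(passwd_text: str, shadow_text: str) -> list:
    """Return (account, finding) pairs."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for name, fields in passwd.items():
        field, uid = fields[1], int(fields[2])
        where = "/etc/passwd"
        if field == "x":                                  # look the hash up in shadow
            if name not in shadow:
                findings.append((name, "marked shadowed but /etc/shadow has no entry"))
                continue
            field, where = shadow[name][1], "/etc/shadow"
        kind = classify_hash(field)
        if kind == "empty":
            findings.append((name, f"no password at all ({where})"))
        elif where == "/etc/passwd" and kind != "locked":
            findings.append((name, "password hash in world-readable /etc/passwd"))
        if kind in WEAK_HASHES:
            findings.append((name, f"weak hash {kind} in {where}"))
        if field in KNOWN_DEFAULT_HASHES:
            findings.append((name, f"matches a known default-password hash ({KNOWN_DEFAULT_HASHES[field]})"))
        if uid == 0 and name != "root" and kind != "locked":
            findings.append((name, "extra UID 0 account"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(PASSWD, SHADOW):
        print(f"{account:10s} {finding}")
```

Finding the hash is only half of it: as the Mirai case shows, the account also has to be changeable by the owner, which means the credential must live in writable configuration, not in the telnet daemon binary.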
― Interlocking security (by Jakob Lyng Petersen) • Trains must not collide • Trains must not derail • Trains must not hit a person working on the tracks (sadly, animals can't handle the interview) ― Formal methods and verification (RTFM) • B Method, Event-B: underground rail networks in Beijing, Milan and São Paulo • Prover.com: Sweden, USA
― Safety-critical systems ― Abstract machines + formal methods ― Atelier B • IDE and C translator available • No Ada translator ― Newer version: Event-B • See the Rodin framework
“Everything will be C in the end. If it's not C, it's not the end.” • – almost John Lennon
― KVB (Alstom): Automatic Train Protection for the French railway company (SNCF), installed on 6,000 trains since 1993: 60,000 lines of B; 10,000 proofs; 22,000 lines of Ada
― SAET METEOR (Siemens Transportation Systems): Automatic Train Control for the new driverless metro line 14 in Paris (RATP), 1998; 3 safety-critical software parts: onboard, section, line: 107,000 lines of B; 29,000 proofs; 87,000 lines of Ada
― Roissy VAL (ClearSy for STS): Section Automatic Pilot for the light driverless shuttle at Paris-Roissy airport (ADP), 2006: 28,000+155,000 lines of B; 43,000 proofs; 158,000 lines of Ada
RTFM • SSDLC • ICS best practices • Follow CERTs • Common Weakness Enumeration at cwe.mitre.org • More practice: OWASP TOP 10 • TESTING, TESTING AND TESTING AGAIN!
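What "formal verification" of an interlocking means in practice is that the safety invariant ("trains must not collide") is checked against every state the system can reach, not against a handful of test runs. The block below is an added illustration for this page, not B or Atelier B code and far weaker than the proofs cited above: it exhaustively explores a toy interlocking (two branch lines merging into one shared segment) by breadth-first search and either confirms the invariant for every reachable state or returns the shortest trace that violates it. The track topology, the two controllers and the invariant are all constructed; only collision is modelled, not derailment or track workers.

```python
"""Exhaustive state-space check of a toy interlocking: two trains, two branch
lines that merge into shared segment J. Invariant: no two trains on one segment."""
from collections import deque
from itertools import combinations

# Track topology: segment -> next segment. Trains leave the modelled area at "OUT".
NEXT = {"A1": "A2", "A2": "J", "B1": "B2", "B2": "J", "J": "X", "X": "OUT"}


def safe_aspects(pos):
    """Interlocking rule: a train gets green only if its next segment is free
    AND has not already been cleared for another train in this cycle."""
    reserved = {p for p in pos if p != "OUT"}
    aspects = []
    for p in pos:
        nxt = NEXT.get(p)
        if nxt is not None and nxt not in reserved:
            aspects.append(True)
            reserved.add(nxt)
        else:
            aspects.append(False)
    return aspects


def buggy_aspects(pos):
    """Looks only at current occupancy: two trains can both be cleared into J."""
    return [NEXT.get(p) is not None and NEXT[p] not in pos for p in pos]


def collides(pos):
    on_track = [p for p in pos if p != "OUT"]
    return len(on_track) != len(set(on_track))


def successors(pos, aspects_fn):
    """Any non-empty subset of the cleared trains may advance in one step:
    this covers every interleaving of the trains' movements."""
    cleared = [i for i, green in enumerate(aspects_fn(pos)) if green]
    for r in range(1, len(cleared) + 1):
        for subset in combinations(cleared, r):
            new = list(pos)
            for i in subset:
                new[i] = NEXT[pos[i]]
            yield tuple(new)


def check(aspects_fn, init=("A1", "B1")):
    """BFS over all reachable states. None if the invariant holds everywhere,
    otherwise the shortest trace from init to a collision."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if collides(state):
            trace = []
            while state is not None:
                trace.append(state)
                state = parent[state]
            return trace[::-1]
        for nxt in successors(state, aspects_fn):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("safe controller :", check(safe_aspects))
    print("buggy controller:", check(buggy_aspects))
```

The buggy controller passes any test in which the two trains arrive at the junction one after the other; only the exhaustive check finds the step where both are cleared into J at once. Real interlockings have far larger state spaces, which is why the projects listed above use proof (B) rather than enumeration.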
Mr. ICS developer, are you creating your products within SSDLC concepts?
*All pictures are taken from Google and other Internets.