SCADA Security Generic Electric Grid Malware Design - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: SCADA Security Generic Electric Grid Malware Design


1
Eyal Udassin, C4 Security
2
Contents
Introduction
The Problem - Security by Obscurity
The Solution - Behavioral Attack
Recommendations
3
About C4
  • Based in Israel
  • Consists of security experts, reverse engineers
    and protocol analysts
  • Provide red team penetration tests to
    utilities, financial institutions and
    governmental agencies
  • Our team's skills enable us to find and exploit
    vulnerabilities in proprietary systems
  • Experts in SCADA security
  • Contact info_at_c4-security.com /
    www.c4-security.com

4
Introduction
  • Terminology
  • SCADA - Supervisory Command and Data Acquisition
  • DCS - Distributed Control Systems
  • CC - systems for electricity, water, sewage, gas,
    oil, trains, petrochemical plants etc.
  • Energy management systems (EMS) are SCADA systems
    as they control network nodes dispersed over a
    large geographical area
  • These systems bring power to your home

5
Introduction
  • National infrastructure utilities directly affect
    the well-being of a nation's civilians, thus they
    are a prime target for terrorists
  • The Holy Grail for an attacker in the SCADA
    environment is the Control Center
  • We strongly believe that in order to thwart such
    attacks, it is necessary to conduct the same
    offensive research

6
Typical Control Center Elements
7
Background
  • 3 Critical vulnerabilities in GE-Fanuc Cimplicity
    and Proficy were disclosed by us at S4-2008
    (including a stable heap overflow)
  • Even though this was the first time that taking
    control over the SCADA server was demonstrated,
    there were a few engineers who doubted that it
    would allow an attacker to cause real damage
  • Skeptics fuel progress - time for stage II?

8
The Problem
  • The #1 claim from big-scale SCADA operations is:
  • "Even if you assume complete control over our
    control center you will not be able to cause
    substantial physical damage as:"
  • 1. You're not a control engineer, so you won't
    understand what you're seeing on the HMI
  • 2. You won't find any documentation on the
    network to allow you to map the SCADA network
    addresses and their datapoints to their
    meaning - what they control in the physical
    world

9
The Problem
  • Without a mapping of the addresses/datapoints
    to physical locations and controlled devices, it
    is very difficult to generate malicious packets
  • Such a map can usually be found on the operators'
    workstations and the SCADA server as a tag
    database. Each tag is a user-friendly name given
    to an address/datapoint
  • "We keep the mapping only in paper copy" etc.
  • Mmmm, strange, but let's play along

10
Translation to IT Security Terms
  • Security by obscurity
  • To be completely honest, it's one of the few
    places where it might actually work!
  • Two shortcuts to beating security by obscurity
    are missing:
  • Can't trigger events
  • Few (if any) string anchors

11
Translation to IT Security Terms
  • Example packets
  • 0a 07 d9 08 3b 92 0b af 00 0b
  • Trip a breaker (920b), address (d9083b)
  • 0a 08 80 b5 cc 91 01 00 0b
  • Read generation frequency (9101) on plant 11
    address (80b5cc)

12
The Solution
  • Base assumptions
  • The Good
  • Assumption 1 - Security by obscurity works. We
    will never know what the data means
  • Already discussed
  • No silver bullet - can't cause an Aurora-style
    attack as we don't know what kind of generator is
    used nor where it is located logically
  • Assumption 2 - Even if we'll have the map,
    causing substantial damage is difficult
  • Complexity mitigated by getting a control
    engineer on-board
  • Safety mechanisms - 3 cases in the past year
    where these failed due to mechanical or human
    error

13
Base Assumptions (cont.)
  • The Bad
  • Assumption 3 - Control protocols are simple
  • 95% are Start/Stop, TLV, or fixed size and
    format
  • Assumption 4 - We own the communication server
    (aka FEP)
  • This is where we left off in our previous
    research, for more details see
  • http://www.c4-security.com/SCADA%20Security%20-%20Attack%20Vectors.pdf
  • The Ugly
  • Assumption 5 - Humans need more electricity when
    they are awake

14
Daily Electricity Demand
  • England

15
Daily Electricity Demand
  • The Czech Republic

16
Daily Electricity Demand
  • Scotland

17
Attack Vector
  • The main goal of the control center is to keep
    the grid balance - generation should match the
    demand
  • From the previous graphs we see that:
  • In the morning the grid utilization is increased
  • In the evening it is decreased
  • How does this work to our advantage?
  • Let's turn night into day, and vice versa
  • No need to know what we're sending, as the
    operators already took care of that for us

18
Malware Design
  • Install malware on the comm. server
  • Stage I - Learning Mode
  • Sniff traffic to and from the field (easy to
    distinguish)
  • Create request/response pairs with a timestamp
    for day/night classification
  • Auto-identify problematic fields
  • CRC/Parity Fields
  • Timestamps
  • Counters
  • Simple statistical computations

19
Malware Design
  • Stage II - Active Mode
  • When enough packet data is collected, wait for
    the next critical time of day (dawn, nightfall)
  • Drop all messages coming from the SCADA server
  • Instead, send the commands of the opposite
    timeframe to the field

20
Malware Design
  • What will happen in Active Mode?
  • Example: sunrise
  • Electricity demand constantly rises
  • The field devices will receive night-time commands,
    e.g. disconnect aux. power plant from the
    grid, lower power output from main power
    plant etc.
  • Operators will try to connect more power plants,
    without success as the commands are ignored
  • Network instability - supply will not meet the
    demand
  • Potentially causing blackouts
  • May change electric frequency

21
Advanced Attack Vector
  • An even nastier approach is to record
    communication between the comm. server and SCADA
    server as well
  • When the system goes from learn mode to
    active mode, perform two actions:
  • Send the control data to the field as previously
    mentioned
  • Don't drop the SCADA server requests; send the
    responses which it expects at this time from the
    field

22
Advanced Attack Vector
  • Expected result
  • Field devices are performing the exact opposite
    of their required behavior
  • SCADA operators see that everything is running
    smoothly
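The attack above relies on commands recorded in one demand window being sent in the other. The following detector, an added example and not part of the original presentation, learns which window each command frame normally appears in from a field-side capture and flags known frames that arrive in the opposite window. Frame bytes, opcodes and the 06:00-22:00 day window are constructed assumptions; the monitoring point must be on the field side of the FEP, since the FEP itself is assumed compromised.

```python
from collections import defaultdict
from datetime import datetime

# Assumed day/night demand windows (local hours); the slides give no boundary.
DAY_START, DAY_END = 6, 22

# Constructed baseline capture, "<ISO time> <frame hex>", imitating the fixed-format
# frames on slide 11; opcodes/addresses are invented (aa01/aa00, b102/b101).
BASELINE = """
2008-03-01T06:30:00 0a07d9083baa01c3000b
2008-03-01T07:00:00 0a08a3b5ccb10200000b
2008-03-01T22:15:00 0a07d9083baa0044000b
2008-03-01T23:00:00 0a08a3b5ccb10100000b
2008-03-02T06:30:00 0a07d9083baa01c3000b
2008-03-02T22:15:00 0a07d9083baa0044000b
"""

# Constructed monitored capture: night-time commands arriving at sunrise.
MONITORED = """
2008-03-03T06:30:00 0a07d9083baa0044000b
2008-03-03T07:00:00 0a08a3b5ccb10100000b
2008-03-03T22:15:00 0a07d9083baa0044000b
"""

def window(ts: datetime) -> str:
    """Classify a timestamp into the 'day' or 'night' demand window."""
    return "day" if DAY_START <= ts.hour < DAY_END else "night"

def parse(lines: str):
    """Yield (timestamp, frame bytes) pairs from the capture text."""
    for line in lines.strip().splitlines():
        ts, frame = line.split()
        yield datetime.fromisoformat(ts), bytes.fromhex(frame)

def learn_baseline(lines: str) -> dict:
    """Record the window(s) in which each distinct command frame was seen."""
    seen = defaultdict(set)
    for ts, frame in parse(lines):
        seen[frame].add(window(ts))
    return dict(seen)

def detect_replays(baseline: dict, lines: str) -> list:
    """Flag known frames that appear only in the opposite demand window."""
    alerts = []
    for ts, frame in parse(lines):
        w = window(ts)
        if frame in baseline and w not in baseline[frame]:
            alerts.append((ts.isoformat(), frame.hex(), w))
    return alerts
```

Frames that legitimately occur in both windows are never flagged, so the baseline should span several full days before the detector is trusted.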

23
Design Advantages
  • Little to zero knowledge of the network design
    and implementation is required
  • One time insertion of the malware, no need for
    ongoing communications
  • Physical impact is likely

24
Drawbacks
  • There are always exceptions
  • We sign all messages -
  • Unique network architectures
  • Prior knowledge of the protocols used will
    greatly increase the chance of impact as the
    learn mode will be well defined
  • Independent safety controls will alert the
    operators, and might contain the damage to a
    certain degree
  • Looking for guinea pigs!

25
Recommendations
  • Relax
  • Not FUD. It's not going to happen tomorrow
  • Not to be underestimated though - acknowledged by
    control center engineers from 3 T&D utilities
  • The goal is to increase awareness of the
    importance of securing your SCADA network

26
Recommendations
  • Several potential mitigations
  • Strong authentication of messages between the
    SCADA server and communication server
  • Field communication solutions
  • Encrypt or digitally sign messages
  • Obfuscation with key swap every X days (Rrushi,
    S4 2007)
  • Chaffing - switch live/simulation between two
    FEPs every day
  • These solutions address the question "How do I
    minimize the damage to my assets, even after my
    control center is compromised?"
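Message signing alone does not stop the replay described on slides 18-21, because the recorded frames carry valid signatures; freshness must be bound into the signed data. The example below is added here and is not code from the presentation: it shows a hypothetical frame layout with a monotonic sequence counter covered by an HMAC, so a field device rejects both modified frames and recorded frames sent again later. The key placement, frame format and sample commands are assumptions.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (not from the slides):
#   seq (4-byte big-endian counter) || command payload || HMAC-SHA256 tag
# The key must live on the SCADA server and field device only, never on the FEP.
KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32

def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: bind a fresh sequence number and MAC to the command."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class FieldReceiver:
    """Field side: accept a command only if it is authentic and fresh."""
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return (payload, 'ok') or (None, reason) for a rejected frame."""
        if len(frame) < 4 + TAG_LEN:
            return None, "malformed"
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad MAC"       # forged or modified command
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return None, "replay"        # recorded frame sent again later
        self.last_seq = seq
        return payload, "ok"

# Constructed demo: a recorded night-time frame cannot be replayed at sunrise.
NIGHT_CMD = bytes.fromhex("0a07d9083baa0044000b")
DAY_CMD = bytes.fromhex("0a07d9083baa01c3000b")

def demo() -> list:
    rx = FieldReceiver()
    recorded = protect(10, NIGHT_CMD)           # captured during the night
    results = [rx.accept(recorded)[1]]          # "ok" when first sent
    results.append(rx.accept(protect(500, DAY_CMD))[1])  # "ok", legitimate
    results.append(rx.accept(recorded)[1])      # "replay": stale counter
    forged = bytearray(protect(501, DAY_CMD))
    forged[6] ^= 0x01                           # flip a payload byte
    results.append(rx.accept(bytes(forged))[1]) # "bad MAC"
    return results
```

The receiver must persist last_seq across restarts, otherwise a reboot reopens the replay window.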

27
Summary
  • Choose your field protocols with security in
    mind
  • Asset owners - demand quality software, which
    undergoes an ongoing assessment of its resilience
    to attack
  • And on top of that - prevent control center
    compromise (assumption 4). Be prepared, audit
    yourselves!
  • "All that is necessary for evil to triumph is for
    good men to do nothing"
  • Edmund Burke, 1770
