Control Systems under Attack !? (PowerPoint presentation transcript)

1
Control Systems under Attack !?
A Teststand On Control System Security at CERN
  • Cyber Threats - Today's Peril
  • Vulnerabilities in Controls
  • Findings of the TOCSSiC
  • First Steps for Mitigation

Stefan Lüders (CERN IT/CO), ICALEPCS 2005, October 14th, 2005
2
Aware or Paranoid ?
2003/08/11 W32.Blaster.Worm
3
Cyber Threats - Today's Peril
[Figure: evolution of control system security. Labels: Intruder Knowledge / Attack Sophistication; Common Standards / Interconnectivity; Control Systems Era of Legacy Technology (Security through Obscurity); Transition Phase (Controls goes IT); Era of Modern Information Technology (From Top-Floor to Shop-Floor).]
4
Controls Goes IT
  • Controls Networks mate Business Networks
  • Proprietary field busses replaced by Ethernet &
    TCP/IP
  • Field devices connect to Ethernet & TCP/IP
  • Real-time applications based on TCP/IP
  • VPN connections from the outside onto the
    Controls Network
  • Use of IT protocols & gadgets:
  • SNMP, SMTP, FTP, Telnet, HTTP (WWW), ...
  • Wireless LAN, Notebooks, USB sticks, ...
  • Migration to the Microsoft Windows platform
  • Windows not designed for Industrial / Control
    Systems
  • OPC/DCOM runs on port 135 (heavily used for RPC)

5
Threats due to Technique
  • Poorly secured systems are being targeted
  • Worms are spreading within seconds
  • Unpatched systems (O/S & applications)
  • Missing anti-virus software or old virus
    signature files
  • No firewall protection
  • Zero-Day Exploits: security holes without patches
  • Break-ins occur before patch and/or anti-virus
    available

but how to patch/update Control PCs ? what about anti-virus software ?
6
Threats due to People
  • Passwords are known to several (many?) people
  • No traceability, ergo no responsibility
  • People are increasingly the weakest link
  • Use of weak passwords
  • Infected notebooks are physically carried on site
  • Users download malware and open tricked
    attachments
  • Missing/default/weak passwords in applications

but how to handle Operator accounts ? what about password rules ?
7
The TOCSSiC
  • COTS Automation Systems are without security
    protections
  • Programmable Logic Controllers (PLCs), field
    devices, power supplies, ...
  • Security not integrated into their designs
  • Creation of the Teststand On Controls System
    Security at CERN

8
Controls under Attack !
  • 20 devices from 6 different manufacturers (35
    tests in total)
  • All devices fully configured but running idle

PLCs under load seem to fail even more frequently !!!
results improve with more recent firmware versions ?
9
TOCSSiC Findings (1)
  • Device crashed
  • Sending specially crafted IP packets causes the
    TCP/IP fragmentation re-assembly code to
    improperly handle overlapping IP fragments
    (Nestea attack)
  • lose network connectivity (Linux zero-length
    fragment bug)
  • Sending continuous stream of extremely large and
    incorrect fragmented IP packets leads to
    consumption of all CPU resources (jolt2 DoS
    attack)
  • Sending special malformed packets (oshare
    attack)

violation of TCP/IP standards !!!
10
TOCSSiC Findings (2)
  • FTP server crashed
  • Sending a too long command or argument
  • Issuing a CEL aaaaaa command (VxWorks)
  • FTP server allows to connect to third-party
    hosts (i.e. provides an attacker platform)
  • FTP server allows anonymous login
  • Telnet server crashed
  • After flooding it with D characters
  • Sending a too long user name
  • Sending too many "Are You There" commands

both are legacy protocols w/o encryption !
11
TOCSSiC Findings (3)
  • HTTP server crashed
  • Requesting a URL with too many characters (e.g.
    http://<IP>/cgi-bin/aaa...aaa or
    http://<IP>/jsp/aaa...aaa)
  • Using up all resources (WWW infinite request
    attack)
  • HTTP server directory available
  • Using an http://<IP>/../.. GET request

who needs web servers & e-mailing on PLCs ?
  • ModBus server crashed by scanning port 502

protocols are well documented (Google hacking) !
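As an added illustration (not part of the presentation), the following Python sketch flags the traffic patterns behind the FTP, HTTP and ModBus findings above in constructed firewall-style log lines. The log format, addresses and thresholds are assumptions for this example.

```python
"""Flag the traffic patterns behind the FTP, HTTP and ModBus findings above.
Log format, addresses and thresholds are assumptions for this example."""
import re
from collections import defaultdict

# Constructed sample lines: "<time> <src> -> <dst>:<port> <detail>"
SAMPLE_LOG = """\
10:00:01 10.0.5.20 -> 10.0.9.11:502 SYN
10:00:01 10.0.5.20 -> 10.0.9.12:502 SYN
10:00:02 10.0.5.20 -> 10.0.9.13:502 SYN
10:00:05 10.0.5.31 -> 10.0.9.11:80 GET /cgi-bin/status.cgi
10:00:06 10.0.5.31 -> 10.0.9.11:80 GET /cgi-bin/{}
10:00:07 10.0.5.31 -> 10.0.9.11:80 GET /../../
10:00:09 10.0.5.42 -> 10.0.9.12:21 USER anonymous
10:00:10 10.0.5.50 -> 10.0.9.13:502 SYN
""".format("a" * 300)  # an overlong path, like the 'aaa...aaa' URLs on slide 11

LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (.*)$")
MODBUS_PORT = 502
SCAN_HOSTS = 3      # assumed: one source probing 3+ PLCs on 502 is a sweep
MAX_URL_LEN = 128   # assumed: sane path length for an embedded web server


def analyse(log):
    """Return alerts as (kind, source, target) tuples."""
    modbus_targets = defaultdict(set)
    alerts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _ts, src, dst, port, detail = m.groups()
        port = int(port)
        if port == MODBUS_PORT and detail == "SYN":
            modbus_targets[src].add(dst)           # distinct PLCs probed
        elif port == 80 and detail.startswith("GET "):
            path = detail.split(" ", 1)[1]
            if len(path) > MAX_URL_LEN:            # overlong URL to a device
                alerts.append(("long_url", src, dst))
            if "/../" in path:                     # '/../..' style request
                alerts.append(("dir_traversal", src, dst))
        elif port == 21 and detail.upper().startswith("USER ANONYMOUS"):
            alerts.append(("anon_ftp", src, dst))  # anonymous login attempt
    for src, hosts in modbus_targets.items():
        if len(hosts) >= SCAN_HOSTS:
            alerts.append(("modbus_sweep", src, "%d hosts" % len(hosts)))
    return alerts
```

Run against a real export, the same checks would feed the "sufficient logging" and "traceability of access" items of the mitigation slides.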
12
TOCSSiC Findings (4)
  • PLCs are unprotected
  • Can be stopped w/o problems (needs just a bit of
    googling)
  • Passwords are not encrypted
  • Might even come without authentication
  • Still allow for legacy commands

authentication & encryption should be mandatory !
  • Fixed SNMP community names "public" and "private"

why can community names not be changed ?
13
TOCSSiC Follow Up
  • Disclosing vulnerabilities to vendors and
    manufacturers

14
Your Ways to Mitigate ? (1)
  • Apply Defence-in-Depth approach
  • Protect each layer of your Control System
  • Separate Controls and Business Networks
  • Reduce and control inter-communication
  • Use managed systems where possible
  • Ensure prompt security updates (O/S,
    applications, anti-virus, ...)
  • Swapping to Linux or Mac is NOT more secure
  • Ensure security protections before connecting
  • Check for up-to-date patches and anti-virus files

15
Your Ways to Mitigate ? (2)
  • Use strong passwords and sufficient logging
  • Check that default passwords are changed in all
    applications
  • Passwords must be kept secret: beware of Google
    Hacking
  • Ensure traceability of access (who and from
    where)
  • Make security an objective
  • Raise awareness in your Users community
  • Contact your vendor / manufacturer
  • Check your firmware versions
  • Do you really want all those Bells & Whistles ?
  • Join the MS MUG and the OPC Foundation
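The two mitigation slides read as a checklist, so here is an added example (not from the presentation or from CERN) that runs that checklist over a constructed device inventory: default SNMP community names, unchanged default passwords, anonymous FTP, unneeded legacy services, firmware below a baseline and reachability from the business network. The inventory layout, device names and firmware baselines are assumptions.

```python
"""Check a constructed device inventory against the mitigation checklist
of slides 14-15. Inventory layout, device names, firmware baselines and the
service list are assumptions for this example, not data from the talk."""

DEFAULT_COMMUNITIES = {"public", "private"}           # fixed names cited on slide 12
LEGACY_SERVICES = {"ftp", "telnet", "http", "smtp"}   # unencrypted "bells & whistles"
MIN_FIRMWARE = {"plc-vendor-a": (2, 4, 0), "plc-vendor-b": (1, 9, 1)}  # assumed baselines

# Constructed inventory, the kind of export a site would pull from its asset database.
INVENTORY = [
    {"name": "plc-01", "model": "plc-vendor-a", "firmware": "2.3.7",
     "services": ["modbus", "http", "ftp"], "snmp_communities": ["public"],
     "ftp_anonymous": True, "default_password": True, "reachable_from_business": True},
    {"name": "plc-02", "model": "plc-vendor-b", "firmware": "1.9.1",
     "services": ["modbus", "snmp"], "snmp_communities": ["r0-site-xyz"],
     "ftp_anonymous": False, "default_password": False, "reachable_from_business": False},
]


def parse_version(text):
    """'2.3.7' -> (2, 3, 7) so firmware versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_device(dev):
    """Return the checklist items a device fails (empty list = passes)."""
    issues = []
    if set(dev["snmp_communities"]) & DEFAULT_COMMUNITIES:
        issues.append("default SNMP community name")           # slide 12
    if dev["default_password"]:
        issues.append("default password not changed")          # slide 15
    if dev["ftp_anonymous"]:
        issues.append("anonymous FTP login allowed")           # slide 10
    legacy = sorted(set(dev["services"]) & LEGACY_SERVICES)
    if legacy:
        issues.append("unneeded/unencrypted services: " + ", ".join(legacy))
    baseline = MIN_FIRMWARE.get(dev["model"])
    if baseline and parse_version(dev["firmware"]) < baseline:
        issues.append("firmware below baseline")               # slide 15
    if dev["reachable_from_business"]:
        issues.append("reachable from business network")       # slide 14
    return issues


def audit(inventory):
    """Map each device name to its list of failed checks."""
    return {dev["name"]: audit_device(dev) for dev in inventory}
```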

16
Conclusions
  • Adoption of modern IT standards exposes Control
    Systems to security risks
  • Control PCs, PLCs & other automation devices are
    intrinsically vulnerable
  • Make security an objective

Do you want to act BEFORE or AFTER the incident ?
17
Thank you very much !
  • Special Acknowledgements go to:
  • J. Brahy & R. Brun (CERN AB/CO) and J. Rochez
    (CERN IT/CO)
  • J. Arnold (EPFL, Lausanne) and B. Figon (ESIEE,
    Amiens)