Authentication Issues between entities during protocol message exchange in SCADA Systems
DESCRIPTION
This presentation will show some vulnerabilities on SCADA protocols.
TRANSCRIPT
Authentication Issues between entities during protocol
message exchange in SCADA Systems
Manuel Humberto Santander Peláez [email protected]
Agenda
• Introduction
• SCADA protocols
• Authentication Risks
• Remediation
SCADA
• Supervisory Control and Data Acquisition
• Platform used to monitor and control all the variables of a real-time process
• Several variables to monitor
– Pressure inside a water tube used for distribution
– Flow speed of oil
– Amount of electric charge passing inside an electricity transmission line
Components of SCADA platform
Components of SCADA platform (2)
• Remote Terminal Unit (RTU):
– This is a communication device within the SCADA system and is located at the remote substation.
– The RTU gathers data from field devices in memory until the MTU requests that information. It also processes orders from the SCADA, like switching off a transmission line
– It processes the commands ordered by the HMI to the field devices
Components of SCADA platform (3)
• Data Acquisition System (DAS):
– Gathers information from the MTU
– Generates and stores alerts that need attention from the operator because they can impact the system
• Master Terminal Unit (MTU):
– The MTU is defined as the heart of a SCADA system and is located at the main monitoring center.
Components of SCADA platform (4)
• Master Terminal Unit (MTU):
– MTU initiates communication with remote units and interfaces with the DAS and the HMI.
• Human Machine Interface (HMI):
– Interface where the operator logs on to monitor the variables of the system.
– Gathers information from the DAS
– Sends commands to the MTU and waits for a response
Electrical process
• Three big steps
– Generation
– Transmission
– Distribution
• Energy is created using any of the following methods
– Thermoelectric plants
– Nuclear plants
– Hydroelectric plants
Electrical process (2)
• SCADA platform is vital to perform the following when generation takes place:
– Ensure turbines do not run at more revolutions than supported
– Generators are not overloaded
– Energy being generated matches the amount of energy that the transmission line can handle
Electrical process (3)
• Transmission
– Energy being generated needs to be distributed to reach the final users
– 115 kV is the voltage used on the transmission lines
– Final destinations are the substations that handle the energy for a specific number of installations
– Large number of blocks in a city
Electrical process (4)
• SCADA platform is vital to perform the following when transmission takes place:
– Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
– None of them can get overloaded, because protections get activated and a blackout appears in all the installations controlled by the affected substations
Electrical process (5)
• Distribution
– Energy being generated needs to be distributed to reach the final users
– 115 kV is the voltage used on the transmission lines
– Final destinations are the substations that handle the energy for a specific number of installations
– Large number of blocks in a city
Electrical process (6)
• SCADA platform is vital to perform the following when distribution takes place:
– Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
– Monitoring of voltage in user meters, looking for a high amount of electricity flowing
Agenda
• Introduction
• SCADA Protocols
• Authentication Risks
• Remediation
SCADA Protocols
• Modbus
• IEC 104
• DNP3
Modbus
Source: Practical Industrial Data Communications
Modbus (2)
• Client/server protocol which operates in a request/response mode
• Three variants:
– Modbus serial RS-232/RS-485: Implemented on serial networks
– Modbus TCP: Used for SCADA platforms where delay is not an issue (Water supply)
– Modbus UDP: Used for SCADA platforms where delay is a big issue (Energy)
Modbus (3)
Source: Practical Industrial Data Communications
Modbus (4)
• Modbus protocol structure
– Address field:
• Request frames: Address of the device being targeted by the request
• Response frame: Address of the device responding to request
Modbus (5)
• Modbus protocol structure
– Function field
• Function requested by the HMI to be performed by the field devices
• In response packets, when the requested function succeeded, the field device echoes the function code. If an exception occurred, the most significant bit of the field is set to 1
Modbus (6)
| Type of access | Data access | Function name | Function code |
|---|---|---|---|
| Data Access | Bit access: Physical Discrete Inputs | Read Discrete Inputs | 2 |
| Data Access | Bit access: Internal Bits or Physical Coils | Read Coils | 1 |
| | | Write Single Coil | 5 |
| | | Write Multiple Coils | 15 |
| Data Access | 16-bit access: Physical Input Registers | Read Input Register | 4 |
| Data Access | 16-bit access: Internal Registers or Physical Output Registers | Read Holding Registers | 3 |
| | | Write Single Register | 6 |
| | | Write Multiple Registers | 16 |
| | | Read/Write Multiple Registers | 23 |
| | | Mask Write Register | 22 |
| | | Read FIFO Queue | 24 |
| Data Access | File Record Access | Read File Record | 20 |
| | | Write File Record | 21 |
Modbus (7)
| Type of access | Function name | Function code |
|---|---|---|
| Diagnostics | Read Exception Status | 7 |
| Diagnostics | Diagnostic | 8 |
| Diagnostics | Get Com Event Counter | 11 |
| Diagnostics | Get Com Event Log | 12 |
| Diagnostics | Report Slave ID | 17 |
| Diagnostics | Read Device Identification | 43 |
| Other | Encapsulated Interface Transport | 43 |
Modbus (8)
• Modbus protocol structure
– Data field
• In request packets, contains the information required to perform the specific function
• In response packets, contains the information requested by the HMI
Modbus (9)
• Modbus protocol structure
– Error check field
• CRC-16 on the message frame
• If the packet has errors, the field device does not process it
• A timeout is then assumed, so the master sends the packet again to attempt the function execution once more
IEC 104
• Standard for power system monitoring, control and communications for telecontrol and teleprotection for electric power systems
• Completely compatible with:
– IEC 60870-5-1: Transmission frame formats for standard 60870-5
– IEC 60870-5-5: Basic application functions
IEC 104 (2)
• It has the following features:
– Supports master-initiated messages and master/slave-initiated messages
– Facility for time synchronization
– Possibility of classifying the transmitted data into 16 different groups, so that data can be requested by group
– Cyclic and spontaneous data updating schemes are provided.
IEC 104 (3)
Source: Practical Industrial Data Communications
IEC 104 (4)
Source: Practical Industrial Data Communications
IEC 104 (5)
Source: Practical Industrial Data Communications
IEC 104 (6)
• Link level

| Link service class | Function | Explanation |
|---|---|---|
| S1 | SEND / NO REPLY | Transmit message. No ACK or answer required |
| S2 | SEND / CONFIRM | Transmit message. ACK required |
| S3 | REQUEST / RESPOND | Transmit message. ACK and answer required |
IEC 104 (7)
Source: Practical Industrial Data Communications
IEC 104 (8)
Source: Practical Industrial Data Communications
• Control field for unbalanced transmissions
IEC 104 (8)
Source: Practical Industrial Data Communications
• Control field for balanced transmissions
DNP3
• Set of communication protocols used between components of a SCADA system
• Used for communications between the RTU and the IEDs (field devices)
• Implements the communication levels established by the Enhanced Performance Architecture (EPA)
DNP3 (2)
• Enhanced Performance Architecture (EPA)
Source: Practical Industrial Data Communications
DNP3 (3)
• Message exchange
Source: Practical Industrial Data Communications
DNP3 (4)
• Frame format
Source: Practical Industrial Data Communications
DNP3 (5)
• Control Byte
Source: Practical Industrial Data Communications
Agenda
• Introduction
• SCADA Protocols
• Authentication Risks
• Remediation
Network technologies in SCADA Systems
• Many SCADA networks still use RS232/RS485 buses to communicate all components
– But because of the need to access data quickly, we also have serial-to-IP gateways to reach serial RTUs and IEDs
– Lots of hybrid SCADA networks have serial and IP components
– Vulnerable to outsiders on the corporate network
Lack of authentication in application protocol
• The SCADA protocols do not perform bi-directional authentication to ensure that all parties are trusted
– Only commands are sent
– Data is sent to the IP address configured as master
– All the IP spoofing vulnerabilities work on any MTU or field device
– Any command can be sent
Lack of confidentiality in application protocol
• The SCADA protocols do not perform any encryption to protect the information: Modbus, IEC 101/104 and DNP3 transmissions can be checked by any attacker
– Man-in-the-middle can be performed on the network
– MTU traffic can be intercepted and then redirected to any IED with any desired change
– No way to know if traffic is trusted
What could be done?
• Let’s see how a master station puts the current timestamp on an IED
• Let’s see how the attacker changes it
• Can issue write commands and read commands
• DEMO TIME!
Agenda
• Introduction
• SCADA Protocols
• Authentication Risks
• Remediation
What you cannot do with SCADA
• Protocol delay is usually a BIG issue in SCADA
– Water supply and oil SCADA tolerate big delays because they have no consequences for the process
– Power SCADA is critical. A delay higher than 5 milliseconds could end in a massive blackout because of failure to open a breaker in a substation
– Be careful on what you do to protect your SCADA
SCADA Network Design
Monitor your network
• SCADA traffic baseline is mandatory
– You need to know what applications are transiting your network
– Inside SCADA protocols you monitor applications that give you information on the industrial process being controlled
– Unauthorized applications could indicate a breach trying to perform operations or gather information on IEDs
Monitor your network (2)
• Use a Network Intrusion Prevention System
– You definitely can use a conventional IPS if it is fast enough to avoid delays in your network
– Not all of them support SCADA protocols
– If you have Snort, you can write rules for Modbus and DNP3. Otherwise, you need to write your own rules
– The Industrial Defender solution works pretty well as it includes lots of SCADA signatures
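As an added example (not from the presentation) tying the lack-of-authentication slide to the traffic-baseline advice here: a network-side check that labels Modbus TCP requests against a baseline of which master talks to which field device with which function codes, since the device itself accepts any command from whatever claims to be its master. The IP addresses, baseline rules and traffic records are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Function codes that change process state (from the Modbus tables earlier in the deck).
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}


@dataclass(frozen=True)
class BaselineRule:
    master: str            # constructed MTU address allowed to talk to this device
    slave: str             # constructed RTU/IED (or serial-to-IP gateway) address
    functions: frozenset   # function codes seen from this master during baselining


def parse_mbap(packet: bytes) -> dict:
    """Modbus TCP: 7-byte MBAP header (transaction id, protocol id 0, length, unit id)
    followed by the PDU, whose first byte is the function code."""
    if len(packet) < 8:
        raise ValueError("too short for MBAP header plus function code")
    txn, proto, length, unit = struct.unpack(">HHHB", packet[:7])
    if proto != 0 or length != len(packet) - 6:
        raise ValueError("bad protocol id or length field")
    return {"transaction": txn, "unit": unit, "function": packet[7] & 0x7F, "data": packet[8:]}


def classify(src: str, dst: str, packet: bytes, baseline: list) -> str:
    """Label one request: the only place the sender can be questioned at all is
    this check, because the device trusts whatever address is configured as master."""
    try:
        fc = parse_mbap(packet)["function"]
    except ValueError:
        return "malformed"
    rules = [r for r in baseline if r.slave == dst and r.master == src]
    if not rules:
        return "unauthorized-write" if fc in WRITE_FUNCTIONS else "unknown-master"
    if not any(fc in r.functions for r in rules):
        return "unexpected-function"
    return "baseline"


def mbap(txn: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (used here only to construct sample traffic)."""
    return struct.pack(">HHHB", txn, 0, len(pdu) + 1, unit) + pdu


# Constructed baseline: the MTU polls one RTU and polls/writes one breaker IED.
BASELINE = [
    BaselineRule("10.0.0.10", "10.0.1.21", frozenset({3, 4})),
    BaselineRule("10.0.0.10", "10.0.1.22", frozenset({1, 3, 5, 6})),
]

# Constructed traffic records: (source IP, destination IP, Modbus TCP payload).
SAMPLE_TRAFFIC = [
    ("10.0.0.10", "10.0.1.21", mbap(1, 1, bytes.fromhex("03006B0003"))),       # routine poll
    ("10.0.0.10", "10.0.1.22", mbap(2, 1, bytes.fromhex("050001FF00"))),       # routine coil write
    ("10.0.0.10", "10.0.1.21", mbap(3, 1, bytes.fromhex("1000010001020001"))), # MTU writing where it only polled
    ("10.0.0.55", "10.0.1.21", mbap(4, 1, bytes.fromhex("0400000001"))),       # unknown host reading inputs
    ("10.0.0.55", "10.0.1.22", mbap(5, 1, bytes.fromhex("0500010000"))),       # unknown host writing a coil
]


def audit(traffic, baseline=BASELINE) -> list:
    """(src, dst, function code, verdict) per record; anything but 'baseline' is
    what the slide calls an unauthorized application worth an operator's look."""
    out = []
    for src, dst, pkt in traffic:
        fc = pkt[7] & 0x7F if len(pkt) > 7 else None
        out.append((src, dst, fc, classify(src, dst, pkt, baseline)))
    return out


if __name__ == "__main__":
    for row in audit(SAMPLE_TRAFFIC):
        print(row)
```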
Control unauthorized changes to Master Terminal Unit
• SCADA platforms are designed to last from 10 to 20 years
– Too many technology changes happen in that time
– Lots of security issues to deal with
– Need a solution to prevent any changes inside the computers, as intrusions make changes to the filesystem, configurations and system processes
Control unauthorized changes to Master Terminal Unit (3)
• Control any changes inside your SCADA servers
– McAfee Integrity Control works pretty well
– Defines what can be changed and by whom
– Lots of custom logs to choose from
– Can send events to any SIEM configured in the Network
Monitor attacks to Master Unit
• Host IPS is definitely needed, as any attack could change the integrity and stability of a process
• Availability is critical to a SCADA system and cannot be altered
• Conventional Host IPS makes extensive use of CPU and can affect performance inside SCADA
Monitor attacks to Master Unit (2)
• Industrial Defender Host IPS works pretty well
• Works seamlessly with the Siemens Spectrum platform
• Does not load the machine or need extensive bandwidth to perform its checks
• Central console to perform operations inside the platform
Questions? Comments?
Manuel Humberto Santander Peláez http://manuel.santander.name
http://twitter.com/manuelsantander