scada, stuxnet - sonntag · pdf filescada, stuxnet 1 . 2 ... scada = “supervisory...
TRANSCRIPT
Michael Sonntag
Institute of Networks and Security
Johannes Kepler University Linz, Austria
SCADA, Stuxnet
1
2
What is “SCADA”?
SCADA = “Supervisory Control And Data Acquisition”
—Control and monitoring systems for industrial machines
—Typically very robust: physical & electrical
—Often very local: Factory floor
—Sometimes widely distributed: Industry plant with several
kilometers length
—Sometimes very remote: Management of remote substations
• Power grid, pipelines, water/gas/sewage distribution, …
SCADA was previously completely different and often
“electric”, not “electronic”, i.e. relays
—Today all of them are computerized, but they are still often
treated as of old: Completely separate and as long as you
don’t get physical access, nothing can happen!
More general: “ICS” = Industrial Control System
3
SCADA system diagram
RTU: Remote
Terminal Unit
PLC: Programmable
Logic Controller
Both are “local”
devices for remote
sites. Today typically
small computer
systems
Source: Gerhard Eschelbeck
4
SCADA human-machine-interface example
http://2.bp.blogspot.com/-WvErSWD4bEI/Ti3gy3FFerI/AAAAAAAAAYU/lLk4SO0bjG4/s1600/DCS_PLC_Scada_Systems.jpg
5
SCADA installation example
http://www.miramarautomation.com/controlsystemsusa/PICTURES/RTU-CTRL_ST1.jpg
6
SCADA - Large control/monitoring panel
http://electrical-engineering-portal.com/wp-content/uploads/scada-dms.jpg
7
Remote SCADA stations - example
http://www.scadalink.com/solutions/img/sagd-scada-solution-02.jpg
8
Remote SCADA stations - example
http://www.scadalink.com/services/img/man-on-tower.jpg
9
Where is SCADA used?
Manufacturing: Controlling production lines
—Individual machines, robots, transport devices; quality control
Essential services & commodities: Electricity, gas, water,
oil, waste treatment
—Both for production and transmission/distribution
—Critical infrastructure!
Large buildings/facilities and environmental control
—Heating/ventilation/air conditioning systems (HVAC), lighting,
entry control, energy consumption …
—Not typical SCADA, but home automation is quite similar!
Transportation and mass transit
—Traffic signals, security checks (signals working, presence
detection etc.), tracking of “cars”, timetable information
10
SCADA operation
Typically programmed once, with “simple” software
—Updates are very rare
They continuously send reports on some measured data
Mostly they autonomously control the local system, but
“big” parameter changes come from remote central control
stations and are received “rarely”
—Communication bandwidth is low
Focus on: Performance, reliability, flexibility safety
Security is often non-existent
—Low computing resources & bandwidth
—No priority: Local comm. only/own radio frequency, physically
secure, works without, proprietary protocol…
• Many assumptions are today/in general NOT valid any more!
11
Threats
Deliberate attacks
—Insider (disgruntled employees)
—Industrial espionage
—Organized crime: Extortion
—Unfriendly states: Electronic warfare (or harassing)
Accidental threats
—Equipment failure
—User error
—Misdirected attacks/collateral damage
Natural phenomena
—Weather, earthquakes, floods, solar activity: Communication
disruption, device damage
12
Potential security problems
Disruption of service
—Locally: Just “disturb” (DoS, erroneous commands, …) it
—Globally: Use a local system to bring down the network
• All are interconnected; issuing commands to other local
systems might not be designed, but still possible!
Process redirection: Receiving more/free resources
Process manipulation: Redirect sewage flow into
freshwater pipes, overload electricity transformers/power
lines, turn off traffic control complete collapse etc.
Manipulation of sensor data: “Save” costs, wear out
systems, hide beginning malfunctions, …
Overloading: Little reserves (CPU, memory, …) available
13
Why is security now becoming a problem?
Increased interconnection: More remote sites without
personnel, but with data communication
—Also increased number of entry points and paths
• Supervisory authorities, billing, subcontractors etc.
—Connected to more systems (e.g. statistics, invoicing, …)
Off-the-shelf hardware and software instead of everything
proprietary (ICT moved into SCADA)
—Own custom DB MS SQL Server
—Assembler-coded system Linux base + scripts
—Proprietory protocol + bus system IP + Ethernet
Compatibility: Old protocols were conceived as serial
protocols without authentication, encryption, or integrity
mechanisms but are still used/supported today
14
Why is security now becoming a problem?
“Security is a cost, not an investment”
—Devices cost more, additional devices, more complexity, …
Different security models (=primary goals):
—ICT: CIA (Confidentiality, Integrity, Availability)
—SCADA: SRA (Safety, Reliability, Availability)
Legal problems:
—License and support contracts may forbid adding any code or
additional components Adding security is impossible
—NDAs may prevent enforcing producers to close vulnerabilities
ICT security SW/devices are ill suited for SCADA
—Different content protocols and communication mechanisms
—Real time requirements of SCADA: Delay/jitter unacceptable
15
Why is security now becoming a problem?
Patching is very rare/potentially complex: See later!
Wider use and in more important systems
—Similar to Linux: Few end-users Few attacks
Increased capabilities of field equipment
—You can reuse it for other things, reprogramming is actually
possible (no more EPROMs!), sending data is SW
(=changeable, e.g. to DoS) instead of HW
Public (=shared) networks used for data transfer
Standard systems can be used for contacting
Attacking the system (flooding) may influence the SCADA
16
Potential security issues
Classification of problems (Target: SCADA):
—Modify/disrupt sensor data flow (=outgoing)
• Show false values, cut off central control system
—Modify/disrupt command flow (=incoming)
• Issue commands or prevent changes to configuration
—Modify/disrupt system (=other program/“switch off”)
—Snooping: Unauthorized gathering of sensor data
—Delays: Communication is delayed (in-/outgoing)
• Itself dangerous, or to hide attacks for some time
Similar/classical problems exist regarding the central
control station, which is typically a “normal” computer
system (but additional communication channel)
17
Examples of (lacking) SCADA security
Default vendor password
—For maintenance and testing
—Typically identical in (at least) each device of a product line
—Sometimes impossible to disable
—May even allow remote connection
Additional functionality
—Daemons not turned off (remains of default configuration)
Keys for signing updates are included in the update
—Extract key from device/update Create your own update!
Proprietary protocol
—Often same/similar as very old ones Many people now
know it, reverse engineering simple (buy two devices!)
Security disabled by default to ease installation
18
Examples of (lacking) SCADA security
Old devices: Replacing everything is expensive
—Devices may be very old (but see also: Windows XP!)
—Amortization over 15-20 years or longer
Other systems in the SCADA network
—Example: Safety systems on SCADA network and the safety
engineers programmed the safety system from their normal
desktop computer: Get into LAN (get in safety desktop )
get in safety system access to SCADA network!
19
Security “advantages” of SCADA systems
Often rather obscure programming language
—Similarly often uncommon assembler code ( processors)
Knowledge on multiple systems required
—Get into UI system (Windows), reach control server (Linux),
attack SCADA stations (Proprietary)
Network separation: While it IS possible, it might not be
easy to reach the control system
Obscurity: Few data about SCADA systems is public
—Handbooks/brochures reserved for paying customers only
Specialized hardware needed for physical interfaces
Each installation is comparatively unique
If it crashes, it will reboot automatically (“watchdog timers”)
Physical security / tamper proof
20
“But the network is completely separate!”
Even if it is: Can someone add own devices into it?
—Attaching cables to a bus system?
—Plugging in at spare ports?
—GSM: Calling the correct number + password?
—Wireless communication/network?
Is it really separate?
—Management and maintenance? Updates? Development?
Note: “Separate” means also: No data medium may cross
the border, i.e. installing patches through SD-Cards not
separate any more, as a virus could spread through this!
Result: No SCADA network is ever completely separate!
—Minimization is still very useful and necessary!
21
Separating networks
Never allow direct connection to public networks/Internet
Introduce strong protection devices between networks
—Ideally (very complex and expensive!):
• “Public” network, e.g. company LAN
• Firewall
• Intermediate system for data exchange (DMZ, data warehouse)
• Firewall
• Control system and local SCADA network
• Firewall
• Remote SCADA network:
• Firewall
• SCADA device(s)
—Plus IDS at several locations
At each remote location
22
Patching SCADA systems
Risk of vulnerability to be patched vs risk of patch
disturbing the production?
—Higher priority for perimeter defences (firewalls etc.), as
these are cheaper and less riskier to implement/update?
Does the vendor still exist/support the system?
Can the system run the patched system at all?
How to (reliably!) update 1000 remote systems while they
are actively in use to control a process?
How to test patches?
—A complete duplicate system or a model of it (
communication link simulation!) might not be available
Who may authorize/perform installation of patches?
—Operator of the system, maintenance contractor, vendor?
23
Patching SCADA systems
Can the patch be installed during normal operation?
—Sufficient memory, CPU, bandwidth, … for this?
—How long will the “reboot” take?
—Critical systems are redundant – during patching they are not
• First patch redundant system, then test & switch over, then
install on “main” system and go back to fully redundant
Patch management:
—Which system is at which patch level?
—Which patches have been tested?
—Compatibility: Configuration, resources, …
De-installation of patches in case of problems
—Do we have backups?
—Will the system still run or is physical intervention necessary?
24
Malware example: Stuxnet
Stuxnet is one of the extremely rare malware examples for
SCADA systems
—Attacks are more common, but these occur “manually”
Stuxnet is a platform-independent worm containing
multiple rootkits
—Original target system: Windows (hidden by rootkit)
—Infects SCADA control software on them (if present)
—From there moves to SCADA systems itself (rootkit) if they
match certain properties, where it activates its payload
Timeline: 6/09 (First infection), &/10 (First malware report)
Very precisely targeted at specific systems
—Large Windows infection rate (6 millions? China, 30.000 Iran)
—Siemens: Only 24 SCADA systems were infected
25
Stuxnet properties
Extremely complex software requiring detailed knowledge
on Windows + Siemens SCADA systems
—Contained 4 zero-day exploits for Windows
—Rootkit for SCADA system
Two valid certificates for driver signing (Realtek, JMicron)
—Probably physically stolen; both are in one industrial complex
Specific knowledge on SCADA system at target facility
needed: What system, which configuration, program code
—Including the devices controlled by it
—For testing a similarly equipped facility would be needed
Estimated effort:
—6 month of 5-10 core developers + management, quality
control, reconnaissance, procurement…
26
Stuxnet properties
Unusually large: Approx. 500 kB in size
Written in several programming languages: C, C++, Step7
(several possibilities)
Works without any Internet connection: Infection,
spreading and “jump to Step7”
—Last one is via a special data cable: Communication library
(DLL) is modified to enable this
Several variants (at least 3) exist, which
add/remove/change some functionality
27
Stuxnet spreading
Initial infection takes place via a USB device (memory
stick, external harddisk, …)
—Opening the directory in icon view is sufficient, no further
interaction is necessary
• Vulnerability in processing .LNK files (Win XP – Win 7)
—Previous version used a different method (Autorun.inf vuln.)
Two hidden files are copied to the system and one is
installed as driver-filter for the file system
—Ensures survivability of reboots and acts as rootkit
• So these files will not be visible on disk/USB devices
—These files are digitally signed, or this would not work
If no admin rights are present, it uses exploits to elevate
itself to admin before continuing
—Also stops, if later than 24.6.2012 Self-termination!
28
Stuxnet spreading
Installs itself in running processes (no reboot needed)
—Which one it is depends on running the antivirus program
• It might install even in the AV process itself!
—If some AV programs are present and later than a specific
date, infection is stopped (to risky/detectable)
—It uses special techniques when loading itself as a DLL to
circumvent behavioural blocking
Contacts all other Windows servers in the LAN to infect
them (if they not already are) via RPC/Print spooler
—Also used to update existing infections to latest version
Infects all removable drives to spread out further
Propagates through network shares as well
—Uses the current user and WMI to copy & execute itself
29
Stuxnet spreading
If a server with the WinCC (Siemens development
environment for Step7 system) database is found, the
default hardcoded vendor password is used to inject itself
into the remote database
—When WinCC is run, the database is cleaned and the
payload written to a DLL (via in intermediate CAB file)
—The DLL is converted into a stored procedure and run
whenever the DB is started Infection of local system
30
Stuxnet reporting back
After it has installed itself, it will check whether internet
access is possible, by trying Windows Update or MSN
—If not Continue with other tasks
Contacts Command&Control servers
—www.mypremierfutbol.com, www.todaysfutbol.com
It uploads configuration information and checks for updates
—Encryption: XOR with a static 31 byte long key
—Whatever code is sent, is injected into a process and run
• Backdoor or update functionality!
31
Stuxnet infecting
It infects all (with restrictions) Step7 projects
—To ensure the DLL is loaded whenever the project is loaded
in the development/management environment
DLL is used for communication between WinCC and
SCADA system
—Allows injecting code into the SCADA system and hiding it
when retrieving/inspecting code there
—Delegates to the original DLL after inspection/modification
—Three different infection sequences exist, two very similar,
the third seems to be incomplete and for a different CPU
Infection takes place only if it is a specific model with a
specific CPU and certain static parameters (configuration
of connected devices)
32
Stuxnet on SCADA
Also it must contain the subroutine “FC1869”
(communication with Profibus devices) and contains at
least one communication module CP-342-5
Then copies code to SCADA system and ensures it is run
A CP-342-5 device is used to create variable frequencies
for controlling the rotation speed of electric motors
—Activity only, if the drives are from two specific vendors!
—The frequency must be between 807 and 1210 Hz
• Which is VERY high for such devices (capable of >600 Hz
USA export regulated as usable for Uranium enrichment!)
No hiding on the device itself – connection through
uninfected management system will show it (cryptically!)
33
Stuxnet: System configuration required
http://www.symantec.com/connect/blogs/stuxnet-breakthrough
Must be from Vacon or
Fararo Paya
34
Stuxnet payload
With random delays (13 days to 3 month) it begins activity
—It modifies the actual frequency for short intervals (1410
2 Hz 1064 Hz 1410), but reports the correct frequency
• Each step works only briefly: 15/50 minutes
• This is done with 27 days between the individual steps
• (Probable) aim: Destroying centrifuges for uranium enrichment
• Fragile: 10% loss/year during normal operation seems common
• 1064 Hz = Nominal speed ( 334 m/sec wall speed of centr.)
—Through directly sending control commands to the interface
Stuxnet sends/listens on global comm. bus First SCADA
device to elapse long wait time activates all simultaneously
35
Summary
SCADA systems are not a primary attack target today:
—Too few systems
—Each of them is different
—Making money from them is complex and dangerous
But:
—Terrorism (from state to disgruntled ex-employees)
—Targeted attacks for information stealing
—Getting in through SCADA as “backdoor” into normal LAN
• Connect at some remote station, get through the command
center, reach the internal network, and install malware there
SCADA security will become more important
—Especially during development: From no/little security to full
security similar to “normal” computers today
36
Potential future research directions
IDS/IPS might be useful: SCADA systems possess very
regular communication patterns – everything out of the
ordinary is alarming anyway
—So anomaly detection might finally work!
Patching and update management
—Both in designing systems as well as tools
• E.g. Dual-core CPUs might help in testing/deployment; can be
switched off to conserver energy; useful for “peak” needs too
Separating networks (“data diodes”)
Enabling forensics: Ensuring data is available to trace
problems back to the source (attack and/or faults/bugs/…)
Michael Sonntag
Institute of Networks and Security
Johannes Kepler University Linz, Austria
Thank you for your attention!
37