
Page 1: Welcome to PHOENIX CONTACT Hacking SCADA …cce.umn.edu/documents/CPE-Conferences/MIPSYCON-Power...Welcome to PHOENIX CONTACT Hacking SCADA networks MIPSYCON 2015 Matt Cowell Phoenix

Welcome to PHOENIX CONTACT

Hacking SCADA networks MIPSYCON 2015

Matt Cowell

Phoenix Contact Sr. ASE – North Central

[email protected]

847 226 5197

@m_p_cowell on Twitter

Page 2

Happy CIS&R (Critical Infrastructure Security and Resilience) month!

2 | Presentation | Matt Cowell | ASE Central | 13 November 2015

https://www.whitehouse.gov/the-press-office/2015/10/29/presidential-proclamation-critical-infrastructure-security-and

Page 3

Who am I?

Matt Cowell

Sr. ASE (Automation Sales Engineer) – N. Central

Tenure – Joined Phoenix Contact Jan 2008

Located Gurnee, IL (north of Chicago)

Responsible for all Phoenix Contact Automation product in N. Central Region

Automation product responsibility includes Ethernet, network security products, controllers and software, industrial PCs, HMIs, I/O, safety and wireless

Territory includes IL, WI, MN, ND, SD

Background – Various Engineering roles with later years focused in system integration

Page 4

Question Time

Have any of your networks/systems ever been breached (hacked)?

How do you know?

Whose responsibility is cyber security?

Everyone’s

Don’t assume someone else (IT) has it covered

Page 5

SCADA system - Typical devices

[Diagram: typical field devices in/near the control panel]


Page 7

Evolution of connecting SCADA to IT network or internet?

[Diagram: Internet – Router/Firewall – Enterprise/Company level – SCADA/Ind. Network, with access throughout]

Why converge?

Reporting – Regulatory requirements/Compliance

Convenience – Access from desk, city network

Autonomy & Remote access – Outside access for contractors

Integration – to database/laboratory/billing

Mistake – Could also be inadvertent

Page 8

Why consider security now?

Scope of industrial networks has grown beyond conventional “switch only” networks (layer 2)

Networks are becoming more ‘interconnected’

Device access from IT/enterprise network is desired

Remote access to SCADA systems is required for support

Industrial devices lack the network security features we have become familiar with (robust NICs, Windows updates, patches, anti-virus, etc.)

Vulnerabilities are being discovered daily

Increase in network devices & trends are relying upon use of ‘the cloud’

Few standards in place yet to enforce security

Stuxnet demonstrated the sophistication and damage that can be caused by industrial-specific malware – don’t wait for Stuxnet 2.0

Industrial attacks are becoming more common and brazen and usually make headline news.

Page 9

You already know physical security…

Cameras and surveillance

Analogous to IDS (Intrusion Detection System)/logging

Access control – access based upon credentials

Analogous to account/password control policy

Perimeter security – fences, gates, locks

Analogous to firewalls & data diodes

Alarms

Analogous to Email/SMS/SNMP/HMI alarms

SIEM (Security Information & Event Management) or IDS

Security guard

Analogous to IT/security focused professional

We generally take physical security very seriously

Page 10

…How real is the cyber threat?

Page 11

Attack statistics

ICS CERT – Responded to 245 ‘ICS’ attacks in 2014

ICS CERT – Reported 159 ‘ICS’ product vulnerabilities

DELL – SCADA attacks doubled in 2014 (vs 2013)

http://www.hackmageddon.com/

https://www.dell.com/learn/us/en/uscorp1/press-releases/2015-04-13-dell-annual-threat-report

https://ics-cert.us-cert.gov/sites/default/files/documents/Year_in_Review_FY2014_Final.pdf

Page 12

ICS CERT – incidents by sector

https://ics-cert.us-cert.gov/sites/default/files/documents/Year_in_Review_FY2014_Final.pdf

Page 13

ICS CERT – incidents by access vector

APT!

https://ics-cert.us-cert.gov/sites/default/files/documents/Year_in_Review_FY2014_Final.pdf

Page 14

Verizon report

Malware events affecting utilities…

http://www.verizonenterprise.com/DBIR/2015/

Page 15

A few discovered vulnerabilities

All confirmed and published by US CERT (DHS)

41 total vulnerabilities posted, including:

ICSA-15-169-02 : Schneider Electric Wonderware System Platform Vulnerabilities

ICSA-11-307-01 : Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities

ICSA-13-217-02 : Schneider Electric Vijeo Citect, CitectSCADA, PowerLogic SCADA Vulnerability

ICSA-14-259-01A : Schneider Electric SCADA Expert ClearSCADA Vulnerabilities (Update A)

ICSA-12-018-01B : Schneider Electric Quantum Ethernet Module Hard-Coded Credentials (Update B)

ICSA-14-273-01 : SchneiderWEB Server Directory Traversal Vulnerability

ICSA-11-173-01 : ClearSCADA Remote Authentication Bypass

ICSA-14-086-01A : Schneider Electric Serial Modbus Driver Buffer Overflow (Update A)

ICSA-14-093-01 : Schneider Electric OPC Factory Server Buffer Overflow

ICSA-14-086-01 : Schneider Electric Serial Modbus Driver Buffer Overflow

ICSA-13-077-01B : Schneider Electric PLCs Vulnerabilities (Update B)

ICSA-15-085-01A : Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014 Vulnerabilities (Update A)

As of 11/2/15

Page 16

A few discovered vulnerabilities

75 total vulnerabilities posted, including:

ICSA-15-050-01 : Siemens SIMATIC STEP 7 TIA Portal Vulnerabilities

ICSA-15-020-01 : Siemens SCALANCE X-300/X408 Switch Family DOS Vulnerabilities

ICSA-12-256-01 : Siemens WinCC WebNavigator Multiple Vulnerabilities

ICSA-14-098-03 : Siemens Ruggedcom WIN Products BEAST Attack Vulnerability

ICSA-13-149-01 : Siemens SCALANCE Privilege Escalation Vulnerabilities

ICSA-12-158-01 : Siemens WinCC Multiple Vulnerabilities

ICSA-12-212-02 : Siemens SIMATIC S7-400 PN CPU DoS

ICSA-14-114-02 : Siemens SIMATIC S7-1200 CPU Web Vulnerabilities

ICSA-14-079-02 : Siemens SIMATIC S7-1200 Vulnerabilities

As of 11/2/15

Page 17

…more discovered vulnerabilities

ICSA-13-095-02A : Rockwell Automation FactoryTalk and RSLinx Vulnerabilities (Update A)

ICSA-15-111-02 : Rockwell Automation RSLinx Classic Vulnerability

ICSA-11-175-01 : Rockwell FactoryTalk Diag Viewer Memory Corruption

ICSA-14-021-01 : Rockwell RSLogix 5000 Password Vulnerability

ICSA-14-254-02 : Rockwell Micrologix 1400 DNP3 DOS Vulnerability

ICSA-14-294-01 : Rockwell Automation Connected Components Workbench ActiveX Component Vulnerabilities

ICSA-12-088-01A : Rockwell Automation FactoryTalk RNADiagReceiver (UPDATE A)

ICSA-10-070-01A : Rockwell Automation RSLinx Classic EDS Vulnerability (Update A)

ICSA-13-011-03 : Rockwell Automation ControlLogix PLC Vulnerabilities

ICSA-11-273-03A : Rockwell RSLogix Overflow Vulnerability (Update A)

ICSA-10-070-02 : Rockwell PLC5/SLC5/0x/RSLogix Security Vulnerability

ICSA-11-161-01 : Rockwell RSLinx EDS Vulnerability

ICSA-15-132-02 : Rockwell Automation RSView32 Weak Encryption Algorithm on Passwords

ICSA-15-062-02 : Rockwell Automation FactoryTalk DLL Hijacking Vulnerabilities

ICSA-12-342-01B : Rockwell Allen-Bradley MicroLogix, SLC 500, and PLC-5 Fault Generation Vulnerability (Update B)

Page 18

…and some others

ICSA-12-212-01 : ICONICS GENESIS32/BizViz Security Configurator Authentication Bypass Vulnerability

ICSA-14-023-01 : GE Proficy Vulnerabilities

ICSA-15-167-01 : GarrettCom Magnum Series Devices Vulnerabilities

ICSA-12-243-01 : GarrettCom - Use of Hard-Coded Password

ICSA-13-042-01 : MOXA EDR-G903 Series Multiple Vulnerabilities

ICSA-15-160-01 : N-Tron 702W Hard-Coded SSH and HTTPS Encryption Keys

ICSA-12-354-01A : Ruggedcom ROS Hard-Coded RSA SSL Private Key (Update A)

ICSA-12-146-01A : RuggedCom Weak Cryptography for Password Vulnerability (Update A)

ICSA-13-340-01 : RuggedCom ROS Multiple Vulnerabilities

ICSA-12-249-02 : WAGO IO 758 Default Linux Credentials

Page 19

Network security breach case study: Stuxnet

The industrial virus that brought mass media attention

Complex rootkit exploiting four zero-day exploits

Designed to attack Siemens control networks and Windows OS

Used stolen digital certificates to look inconspicuous

Could manipulate PLC logic and network traffic

Automatically spreads via USB jump drive

Reports updates back to an internet server

Targeted Iran’s uranium enrichment centrifuges, causing significant damage, but also spread worldwide

Suspected to be a state-sponsored virus

It has a ‘kill date’ coded into it to stop spreading on 6/24/12


Page 21

Network security breach case study: Havex

First detected summer 2014

Primarily a cyber espionage campaign, but could’ve easily been repurposed for malicious intent

Havex malware was created by a well-resourced group known as “Dragonfly” or “Energetic Bear”

Targeted energy grid operators, power generation plants, petroleum pipelines & industrial OEMs

Victims were located in various countries including the US

Used multiple attack vectors including compromising ICS software, spam and watering hole attacks.

Communicates with a C&C server for control and updates

Used OPC DA to communicate while evading detection


Page 23

500,000 reasons to be afraid

https://threatpost.com/shodan-search-engine-project-enumerates-internet-facing-critical-infrastructure-devices-010913/77385/


Page 25

Power grid honeypot

http://www.scmagazineuk.com/4sics-what-hackers-do-when-they-access-a-power-grid-honeypot/article/448391/


Page 27

Why do people ‘hack’?

There are a number of motivators, including:

Ego

Criminal

Political/Spying

Hacktivism

Terrorism

War

Personal gain

Corporate gain

Sabotage

Retribution

Personal Concern


Page 28

How do people hack?

Inside job/disgruntled employee – abusing network privileges

Sniffing – intercepting network traffic, ARP spoofing. Insecure messages (HTTP, SNMP v1 & 2) may contain passwords in plain text

Password cracking – exploiting defaults, password generators, phishing, keylogging, brute force

DoS – Denial of Service attacks overwhelm a network interface by sending excessive traffic to that device.

Spoofing – Firewalls define rules based upon IP address, MAC address and port. Spoofing modifies the source IP/MAC to pretend it’s from a legitimate source to get access and hijack a session. Cyber imposter

Wireless attack – Using packet captures and decryption tools it’s possible to extract the WEP key of a wireless AP.

Virus/Worm – Self-replicating infectious computer code (malware) that can take control of a system or steal information. Infect and spread.

Ransomware – Specific infection that demands ransom money or will lock you out of files or threaten to delete them by a specific deadline – NEW

Trojan – Malicious code attached to a legitimate file – once run, compromises the system by giving access to a hacker(s) as a virus would.

Social Engineering – manipulating people to divulge information or perform an action – cyber con artist. Email/phone/baiting/phishing

Exploiting vulnerabilities – latest Windows updates, Stuxnet


Page 30

How easy is it to ‘hack’ a facility?

Just ask Google

Wireless breach

Wardriving

If no access to the inside network, first have to find it:

Specialist search engines

Public IP and port scans

Social engineering via Trojan or phishing

Vulnerabilities

Easy targets

Publicly available online and being found daily

Dedicated tools to make life easier

…as we will see


Page 32

Even easier if you have $8k

http://www.forbes.com/sites/thomasbrewster/2015/10/21/scada-zero-day-exploit-sales/

Page 33

4. Attack demonstration

[Diagram: demonstration network. Labels: Perimeter, LAN, WAN. LAN addresses 192.168.0.1, 192.168.0.100, 192.168.0.101, 192.168.0.102, 192.168.0.200; LAN devices: PC (HMI) Master, Lean Managed Switch, PLC Slave. Attacking PC on the Internet at 1.2.3.4.]

Page 34

4. Denial of Service attack

What did we learn?

With the information we collected by learning the network, we can now break it

Network adapters (particularly on industrial devices) can be overwhelmed if you send excessive packets

This can manifest in many devastating ways – preventing legitimate communications and in some cases locking up the device, requiring a power cycle or losing its program

Recommendations:

Use firewalls to control/restrict access

Use managed switches with bandwidth limitation or routers to prevent excess traffic

Enable monitors/logging to watch and automatically notify of dangerous traffic levels
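The third recommendation (monitoring that notifies automatically of dangerous traffic levels) as an added example, not code from the presentation: a per-destination packet-rate monitor run over constructed per-second counter samples of the kind a managed switch port or a flow exporter reports, plus a second check for devices that went quiet while the flood ran, which is the "preventing legitimate communications" symptom the slide describes. The address-to-device mapping, the 1,000 pps threshold and the three-second sustain window are assumptions.

```python
from collections import defaultdict

# Assumed address-to-device mapping for the demonstration LAN (the deck lists
# the addresses and the device roles but not which address is which).
DEVICE_NAMES = {
    "192.168.0.100": "PC (HMI) Master",
    "192.168.0.200": "PLC Slave",
}

# Constructed per-second inbound packet counts, as a managed switch's port
# counters or a flow exporter would report them: (second, dst_ip, packets).
# Baseline is ~40 pps of HMI polling; t=2 is a one-second burst, t=4..7 a
# sustained flood of the PLC during which the HMI stops receiving replies.
SAMPLES = [
    (0, "192.168.0.200", 42), (0, "192.168.0.100", 41),
    (1, "192.168.0.200", 40), (1, "192.168.0.100", 44),
    (2, "192.168.0.200", 2900), (2, "192.168.0.100", 43),
    (3, "192.168.0.200", 39), (3, "192.168.0.100", 40),
    (4, "192.168.0.200", 6100), (4, "192.168.0.100", 42),
    (5, "192.168.0.200", 6400), (5, "192.168.0.100", 41),
    (6, "192.168.0.200", 6350), (6, "192.168.0.100", 0),
    (7, "192.168.0.200", 6200), (7, "192.168.0.100", 0),
    (8, "192.168.0.200", 38), (8, "192.168.0.100", 40),
]


def rates_by_destination(samples):
    """Aggregate samples into {dst_ip: {second: packets}}."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for sec, dst, pkts in samples:
        per_dst[dst][sec] += pkts
    return per_dst


def detect_floods(samples, threshold_pps=1000, sustain_s=3):
    """Return one alert per flood episode, ordered by start time.

    An alert is raised once a destination's inbound rate has been at or
    above threshold_pps for sustain_s consecutive seconds (a gap in the
    samples ends the run), then extended while the flood continues. The
    sustain window keeps a one-second burst from paging anyone; industrial
    NICs fall over at rates a desktop would shrug off, so the threshold is
    deliberately low and is an assumption to tune per device.
    """
    alerts = []
    for dst, by_sec in rates_by_destination(samples).items():
        run = []         # consecutive seconds at or above the threshold
        current = None   # alert dict for the episode in progress, once raised
        prev_sec = None
        for sec in sorted(by_sec):
            pkts = by_sec[sec]
            gap = prev_sec is not None and sec != prev_sec + 1
            prev_sec = sec
            if pkts < threshold_pps or gap:
                run, current = [], None
            if pkts < threshold_pps:
                continue
            run.append((sec, pkts))
            if current is not None:
                current["end"] = sec
                current["peak_pps"] = max(current["peak_pps"], pkts)
            elif len(run) == sustain_s:
                current = {
                    "dst": dst,
                    "device": DEVICE_NAMES.get(dst, "unknown"),
                    "start": run[0][0],
                    "end": sec,
                    "peak_pps": max(p for _, p in run),
                }
                alerts.append(current)
    return sorted(alerts, key=lambda a: a["start"])


def silenced_during(samples, alerts):
    """Map other devices to the seconds in which they received nothing while
    a flood alert was active: corroborating evidence worth including in the
    notification. A missing sample counts as zero packets."""
    per_dst = rates_by_destination(samples)
    silent = defaultdict(list)
    for alert in alerts:
        for dst, by_sec in per_dst.items():
            if dst == alert["dst"]:
                continue
            for sec in range(alert["start"], alert["end"] + 1):
                if by_sec.get(sec, 0) == 0:
                    silent[dst].append(sec)
    return dict(silent)


if __name__ == "__main__":
    found = detect_floods(SAMPLES)
    for a in found:
        print(f"ALERT {a['device']} ({a['dst']}): flood t={a['start']}..{a['end']}s, "
              f"peak {a['peak_pps']} pps")
    print("silenced during flood:", silenced_during(SAMPLES, found))
```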

Page 35

Control the ‘inside’

Prevent unnecessary access to industrial devices/network

Use a firewall to control traffic rules

Be careful of open ports and ‘backdoors’

Ensure adequate encryption when using wireless (WPA2) & a long, unusual pass phrase

Restrict USB drive usage

Be careful of infected internal PCs – a virus or Trojan can run on the inside (‘inside job’), cause havoc and send information out

It’s claimed 60-70% of all security breaches are carried out by insiders

Page 36

So WHAT do you do?

Take measures to harden/design in security to your control system

Take advantage of managed switches – port control (disable unused ports, RADIUS authentication, MAC table lookup, etc.)

Utilize industrial firewalls – packet filtering rules, logging, authentication (user firewall or VPN), CIFS, eliminates additional burden on existing hardware
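As an added example that is not part of the deck, a minimal first-match packet-filter rule set for the demonstration network in the style the two slides above recommend: default deny with logging, one allow rule for the HMI’s polling of the PLC, and an anti-spoofing rule that refuses LAN source addresses arriving on the WAN interface (the IP-spoofing case from the “How do people hack?” slide). The address roles (HMI on .100, PLC on .200), TCP port 502 as the master/slave protocol and the interface names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed layout of the demonstration network (the deck lists addresses and
# roles but not which is which): HMI master on .100, PLC slave on .200,
# attacker at 1.2.3.4 on the WAN side of the perimeter router/firewall.
LAN_NET = "192.168.0.0/24"
HMI, PLC = "192.168.0.100", "192.168.0.200"
MODBUS_TCP = 502  # assumed master/slave protocol port; adjust to the real one


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "lan" or "wan"
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    comment: str
    iface: Optional[str] = None   # any field left None matches anything
    src: Optional[str] = None     # CIDR
    dst: Optional[str] = None     # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or self.iface == p.iface)
            and (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


# First match wins; the last rule is the default deny. Spoofing the HMI's
# address from outside is defeated by the ingress interface, which the
# attacker cannot forge the way a source IP can be.
RULES = [
    Rule("deny", "anti-spoof: a LAN source address can never arrive on the WAN",
         iface="wan", src=LAN_NET),
    Rule("allow", "HMI master polls the PLC slave",
         iface="lan", src=f"{HMI}/32", dst=f"{PLC}/32", proto="tcp", dport=MODBUS_TCP),
    Rule("deny", "default deny: everything else, including the PLC's web port"),
]


def evaluate(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, comment) of the first rule matching the packet."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    raise ValueError("rule set has no catch-all rule")


def filter_packets(packets, rules: List[Rule] = RULES):
    """Apply the rule set; denied packets are also returned as log lines so
    the firewall's denials can feed the alerting the deck recommends."""
    decisions, denied_log = [], []
    for p in packets:
        action, why = evaluate(p, rules)
        decisions.append(action)
        if action == "deny":
            denied_log.append(f"DENY iface={p.iface} {p.src}->{p.dst} "
                              f"{p.proto}/{p.dport}: {why}")
    return decisions, denied_log


# Constructed traffic: legitimate polling, an outside attacker, the same
# attacker spoofing the HMI's address, a second LAN host, and the HMI
# reaching for the PLC's web page.
TRAFFIC = [
    Packet("lan", HMI, PLC, "tcp", MODBUS_TCP),
    Packet("wan", "1.2.3.4", PLC, "tcp", MODBUS_TCP),
    Packet("wan", HMI, PLC, "tcp", MODBUS_TCP),
    Packet("lan", "192.168.0.102", PLC, "tcp", MODBUS_TCP),
    Packet("lan", HMI, PLC, "tcp", 80),
]

if __name__ == "__main__":
    decisions, log = filter_packets(TRAFFIC)
    print(decisions)
    print("\n".join(log))
```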

Page 37

The solution?

mGuard Industrial Router, Firewall and VPN

Partial


Page 39

Not just my advice…

Use of a firewall is a common recommendation by the US CERT for posted vulnerabilities

Page 40

It gets worse…

Cybersecurity Act of 2012


Page 42

What is ‘critical infrastructure’?

16 sectors

Page 43

DOE…”Doh!”

Attackers successfully compromised U.S. Department of Energy computer systems more than 150 times between 2010 and 2014, a review of federal records obtained by USA TODAY finds

http://www.usatoday.com/story/news/2015/09/09/cyber-attacks-doe-energy/71929786/

http://gizmodo.com/department-of-energy-hacked-over-150-times-in-four-year-1730259071


Page 45

Standards & guidelines

NIST 800-82 R2 guidelines

NERC CIP v5

Remember high/medium BES begins Apr 1st 2016

ISA 62443 (formerly known as ISA-99).

CIP Requirement Controls

CIP 002 Critical Cyber Asset Identification

CIP 003 Security Management Controls

CIP 004 Personnel and Training

CIP 005 Electronic Security Perimeter(s)

CIP 006 Physical Security of Critical Cyber Assets (CCA)

CIP 007 Systems Security Management

CIP 008 Incident Reporting and Response Planning

CIP 009 Recovery Plans for Critical Cyber Assets

CIP 014 Physical Security

Page 46

Defense in Depth in practice

www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf

Zones

Firewalls

DMZ

IDS/Logging

Page 47

Summary

Like it or not – critical control systems are becoming more interconnected (IoT/IIoT)

This is not just an IT problem – controls engineers need to know more about network security

The risk of an attack is great

NERC CIP v5 is a big deal

Key starting points:

Know/document your network

Implement basic access control mechanisms

Log network traffic

Have a proactive patching strategy!

Page 48

Final Thought

Page 49

Thank you

Matt Cowell Sr. Automation Sales Engineer

[email protected]

847 226 5197

@m_p_cowell