SCADA STRANGELOVE (SCADA.SL): PowerPoint PPT presentation

SLIDE 1

SLIDE 2

*All pictures are taken from Dr StrangeLove movie and other Internets

Sergey Gordeychik Aleksandr Timorin Gleb Gritsai

SCADA STRANGELOVE

SCADA.SL

SLIDE 3

Group of security researchers focused on ICS/SCADA

to save Humanity from industrial disaster and to keep Purity Of Essence

Alexander Timorin, Alexander Tlyapov, Alexander Zaitsev, Alexey Osipov, Andrey Medov, Artem Chaykin, Denis Baranov, Dmitry Efanov, Dmitry Nagibin, Dmitry Serebryannikov, Dmitry Sklyarov, Evgeny Ermakov, Gleb Gritsai, Ilya Karpov, Ivan Poliyanchuk, Kirill Nesterov, Roman Ilin, Sergey Bobrov, Sergey Drozdov, Sergey Gordeychik, Sergey Scherbel, Timur Yunusov, Valentin Shilnenkov, Vladimir Kochetkov, Vyacheslav Egoshin, Yuri Goltsev, Yuriy Dyachenko

SLIDE 4

Aleksandr Timorin
ICS security researcher
Industrial protocols fan and 0-day PLC hunter
SCADAStrangeLove team member
The Ocean band fan
atimorin, atimorin@protonmail.ch

SLIDE 5
  • ICS basics 101
  • Vulnerabilities
  • Input validation
  • Design and architecture
  • Safety and security as a whole
SLIDE 6

What the ICS world is and why we should develop carefully

  • Today is the digital era (welcome back, Captain Obvious!)
  • Automated processes are everywhere: from home automation to big energy plants, from breweries to traffic control systems

SLIDE 7

What the ICS world is and why we should develop carefully

  • Industrial automation is becoming more convenient for engineers and operators

SLIDE 8

What the ICS world is and why we should develop carefully

  • Switching from analog to digital brings with it an old and thoroughly insecure software development process

SLIDE 9

What types of ICS products are vulnerable:

  • Client/Server software
  • Field devices: RTU, PLC, protective relays, power meters,

converters, actuators and so on

  • Network switches, gateways
  • GSM/GPRS modems, wireless AP
  • Mobile applications
  • Industrial protocols
  • Human factor
SLIDE 10

Analytics and statistics of ICS vulnerabilities

  • Analyzed CVEs since ~2010
  • Data source: ics-cert.us-cert.gov
  • CVE details: NVD
  • Total unique CVEs: 689
  • CVSS 2.0: min score 1.7, max score 10.0, avg score 6.5; high and critical scores: 285 (41%). Note that CVSS 2.0 itself defines only Low, Medium and High bands (High is 7.0 to 10.0); "critical" is the presenter's label, not a CVSS 2.0 band.

SLIDE 11

Analytics and statistics of ICS vulnerabilities

  • CWE statistics:

CWE is the Common Weakness Enumeration; definitions and full descriptions at https://nvd.nist.gov/cwe.cfm. Unique CWEs in the data set: 43

SLIDE 12

Analytics and statistics of ICS vulnerabilities

  • CWE statistics (TOP 20), counted from cwe.all.raw, one CWE entry per line:

$ sort cwe.all.raw | uniq -c | sort -nr | head -20

SLIDE 13

Analytics and statistics of ICS vulnerabilities

  • CWE statistics (TOP 20):

SLIDE 14

TOP 20 CWE categories (chart legend):
  • Buffer Errors
  • Information Leak / Disclosure
  • Input Validation
  • Permissions, Privileges, and Access Control
  • XSS
  • Cryptographic Issues
  • Credentials Management
  • Resource Management Errors
  • Path Traversal
  • Authentication Issues
  • Use of Hard-coded Credentials
  • CSRF
  • Improper Access Control
  • SQL Injection
  • Unrestricted Upload of File with Dangerous Type
  • Untrusted Search Path
  • Security Features
  • Code Injection
  • NULL Pointer Dereference
  • Numeric Errors
  • Other (after TOP 20)
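The numbers on slides 10 to 14 come from joining ICS-CERT advisories with NVD details and counting. The Python below is an added example, not part of the talk, showing that computation on a handful of constructed records: the CVE ids, scores and CWE names are made up for illustration, and the deduplication step is an assumption about how a raw advisory dump has to be cleaned before counting (advisories often list the same CVE more than once).

```python
"""Recompute the CVE statistics shown on slides 10 to 14 from a list of
vulnerability records.  Added example, not from the original deck; the
records below are constructed, not real NVD data."""
from collections import Counter
from statistics import mean

# Constructed sample records in the shape one gets after joining ICS-CERT
# advisories with NVD details: CVE id, CVSS 2.0 base score, CWE category.
SAMPLE_RECORDS = [
    {"cve": "CVE-0000-0001", "cvss2": 10.0, "cwe": "CWE-119 Buffer Errors"},
    {"cve": "CVE-0000-0002", "cvss2": 7.5,  "cwe": "CWE-119 Buffer Errors"},
    {"cve": "CVE-0000-0003", "cvss2": 5.0,  "cwe": "CWE-200 Information Leak / Disclosure"},
    {"cve": "CVE-0000-0004", "cvss2": 4.3,  "cwe": "CWE-79 XSS"},
    {"cve": "CVE-0000-0005", "cvss2": 1.7,  "cwe": "CWE-264 Permissions, Privileges, and Access Control"},
    {"cve": "CVE-0000-0006", "cvss2": 9.3,  "cwe": "CWE-798 Use of Hard-coded Credentials"},
    {"cve": "CVE-0000-0004", "cvss2": 4.3,  "cwe": "CWE-79 XSS"},  # duplicate row, as in a raw dump
]

HIGH_THRESHOLD = 7.0  # CVSS 2.0 "High" band starts at 7.0


def dedupe(records):
    """Keep one row per CVE id; a raw advisory dump repeats CVEs that appear
    in several advisories (assumption about the input, see lead-in)."""
    seen = {}
    for r in records:
        seen.setdefault(r["cve"], r)
    return list(seen.values())


def cvss_summary(records):
    """min/max/avg score plus the count and share of high-severity entries."""
    scores = [r["cvss2"] for r in records]
    high = sum(1 for s in scores if s >= HIGH_THRESHOLD)
    return {
        "total": len(scores),
        "min": min(scores),
        "max": max(scores),
        "avg": round(mean(scores), 1),
        "high": high,
        "high_pct": round(100 * high / len(scores)),
    }


def cwe_top(records, n=20):
    """Equivalent of `sort | uniq -c | sort -nr | head -n`: (cwe, count) pairs,
    most frequent first."""
    return Counter(r["cwe"] for r in records).most_common(n)


if __name__ == "__main__":
    rows = dedupe(SAMPLE_RECORDS)
    print(cvss_summary(rows))
    for cwe, count in cwe_top(rows):
        print(f"{count:4d} {cwe}")
```

On the constructed data the output is 6 unique CVEs, average 6.3 and 3 of 6 (50%) at or above 7.0; the same functions run unchanged over a real export once the records carry the same three keys.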

SLIDE 15

SLIDE 16
  • Honeywell EPKS, CVE-2014-9189
SLIDE 17
  • Honeywell EPKS, CVE-2014-9187
SLIDE 18
  • cb (count of bytes) is a buffer size
SLIDE 19
SLIDE 20
  • SpiderControl SCADA Web Server, stack-based buffer overflow, CVE-2015-1001

SLIDE 21
  • Siemens SIPROTEC 7SJ64 (protective relay) XSS
SLIDE 22
  • Siemens WinCC
SLIDE 23
SLIDE 24
SLIDE 25

Typical WinCC architecture (diagram): PLC 1, PLC 2 and PLC 3 on PROFINET/PROFIBUS; WinCC Servers, WinCC SCADA clients and a WinCC SCADA client that doubles as Web server on the LAN; WinCC Web clients and WinCC DataMonitor reached across "some networks"; Internet, corporate LAN and VPNs; engineering station (TIA Portal/PCS7).

SLIDE 26

WinCCExplorer.exe / PdlRt.exe: creating and using your own security features instead of the standard ones is a bad idea!

SLIDE 27
  • Hardcoded secrets come with any protocol that has authentication: SNMP, telnet, HTTP, etc.
  • Keys, certificates and passwords can all be hardcoded
  • SMA Sunny WebBox
SLIDE 28
  • Siemens SIPROTEC 4 protective relay, confirmation code "311299" gives:
  • System log
  • Device info
  • Stack and other parts of memory
  • More?
SLIDE 29
  • Siemens SIPROTEC 4 protective relay confirmation code "311299":

“SIPROTEC 4 and SIPROTEC Compact devices allow the display of extended internal statistics and test information… To access this information, the confirmation code “311299” needs to be provided when prompted.” “...Siemens does not publish official documentation on these statistics. It is strongly recommended to work together with Siemens SIPROTEC customer care or commissioning experts to retrieve and interpret the statistics and test information...”

SLIDE 30
  • Siemens S7-1200 PLC, CVE-2014-2252

“An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system.”

Just a PROFINET "set" request: set network info (IP, netmask, gateway) with all-zero values.
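The advisory says only "specially crafted"; the slide's explanation is an all-zero IP/netmask/gateway triple that the device accepted and then could not live with. As an added example (not the vendor's fix and not PROFINET frame parsing), here is the kind of validation a device should run on a received network-parameter set before applying it. The rule set is an assumption about sane behaviour, with the all-zero case first; the addresses in the usage are constructed.

```python
"""Validate an IP/netmask/gateway triple before applying a network-parameter
"set" request.  Added example, not firmware code and not the fix for
CVE-2014-2252; the checks are an assumption about what a device should do.
The all-zero set described on slide 30 is the first case rejected."""
import ipaddress
from typing import Optional


def validate_ip_config(ip: str, netmask: str, gateway: str) -> Optional[str]:
    """Return None if the configuration is usable, else the reason it is rejected."""
    try:
        ip_addr = ipaddress.IPv4Address(ip)
        mask_addr = ipaddress.IPv4Address(netmask)
        gw_addr = ipaddress.IPv4Address(gateway)
    except ipaddress.AddressValueError as exc:
        return f"malformed address: {exc}"

    # The all-zero "set" that knocks the PLC into defect mode.
    if int(ip_addr) == 0:
        return "ip must not be 0.0.0.0"

    # Netmask must be a run of ones followed by a run of zeros (255.255.255.0 style).
    mask = int(mask_addr)
    if mask in (0, 0xFFFFFFFF):
        return "netmask must leave room for hosts"
    host_bits = (~mask) & 0xFFFFFFFF
    if host_bits & (host_bits + 1):          # host part is not a solid block of ones
        return "netmask is not contiguous"

    if ip_addr.is_multicast or ip_addr.is_loopback:
        return "ip must be a unicast host address"

    prefix_len = 32 - host_bits.bit_length()
    network = ipaddress.IPv4Network((int(ip_addr) & mask, prefix_len))
    if ip_addr in (network.network_address, network.broadcast_address):
        return "ip is the network or broadcast address"

    # Gateway 0.0.0.0 is a legitimate "no default route"; anything else must be on-link.
    if int(gw_addr) != 0:
        if gw_addr not in network:
            return "gateway is not inside the configured subnet"
        if gw_addr == ip_addr:
            return "gateway must not equal the device address"
    return None


if __name__ == "__main__":
    # Constructed requests: the crash case from the slide, then a sane one.
    for triple in [("0.0.0.0", "0.0.0.0", "0.0.0.0"),
                   ("192.168.0.10", "255.255.255.0", "192.168.0.1")]:
        print(triple, "->", validate_ip_config(*triple) or "accepted")
```

The point is where the check sits: it runs before the stack is reconfigured, so a rejected request leaves the old, working configuration in place instead of forcing a cold restart.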

SLIDE 31

Not secure by design: default credentials, autocomplete

  • Defaults and factory settings (sometimes unchangeable) are everywhere
  • SCADA StrangeLove Default/Hardcoded Passwords List: https://github.com/scadastrangelove/SCADAPASS

SLIDE 32

KIOSK mode: limit access to OS functions

SLIDE 33

KIOSK mode: limit access to OS functions

SLIDE 34
  • WinCC accounts: "secret" crypto key
SLIDE 35
  • WinCC accounts: "secret" crypto key, fixed
  • It's XOR: a hardcoded key adds nothing, so why bother hardcoding one at all
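Slides 34 and 35 mock a hardcoded "secret" key used for XOR. The following is an added example, not WinCC code: the key, the account records and the passwords are constructed. It shows why such a key is worthless even before anyone pulls it out of the binary: one known plaintext (a default account, say) recovers the key stream, and the key stream unmasks every other stored password.

```python
"""Why a hardcoded XOR key is no protection (slides 34 and 35).  Added
example; the key, record layout and stored values are constructed and are
not WinCC's.  The only property shared with the real thing is the one that
matters: XOR with a fixed key is a reversible, linear transform."""

HARDCODED_KEY = b"S3cretKey!"   # constructed stand-in for a key baked into a binary


def xor_obfuscate(data: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """The 'encryption' a developer writes to avoid plaintext on disk.
    Decryption is the same call, because x ^ k ^ k == x."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_stream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Attacker side: with one known password, c ^ p == k at every position,
    so the key stream falls out directly.  No binary analysis needed."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def unmask_all(records: dict, key_stream: bytes) -> dict:
    """Apply the recovered key stream to every stored blob.  Only the prefix
    covered by the recovered stream is decoded."""
    return {user: xor_obfuscate(blob[: len(key_stream)], key_stream)
            for user, blob in records.items()}


def demo():
    # Constructed account store, as a vendor might write it to disk.
    stored = {
        "Administrator": xor_obfuscate(b"admin12345"),
        "operator":      xor_obfuscate(b"Op3rat0r!!"),
    }
    # Attacker knows one default password and can read the stored blobs.
    key_stream = recover_key_stream(stored["Administrator"], b"admin12345")
    return key_stream, unmask_all(stored, key_stream)


if __name__ == "__main__":
    key_stream, recovered = demo()
    print("recovered key:", key_stream)
    print("recovered accounts:", recovered)
```

Two consequences follow from the linearity: identical passwords produce identical blobs (no salt, no IV), and the "fix" on slide 35 of swapping in a different hardcoded key changes nothing, since the new key is recovered the same way.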
SLIDE 36

PLC password "encryption"

Password (8 bytes)

SLIDE 37
  • TIA Portal PEData.plf: password history
SLIDE 38
  • Winccwebbridge.dll: please hash your hardcoded account
SLIDE 39
  • Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE-2014-2251
SLIDE 40
  • Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE-2014-2251
  • Seed = plc_start_time + const
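Seeding a PRNG with plc_start_time + const means anyone who knows roughly when the PLC booted can reproduce its "random" values. The block below is an added example, not code from the talk or from Siemens firmware: Python's random module stands in for the PLC's generator, the constant and the token width are made up, and no S7 protocol details are modelled. It shows the attacker brute-forcing the seed over a small uptime window, predicting later tokens once the seed is known, and the fix of drawing tokens from the OS CSPRNG.

```python
"""Predicting a 'random' session token when the PRNG is seeded with
plc_start_time + const (slides 39 to 42).  Added example: the PRNG is
Python's random module standing in for the PLC's generator; the constant,
token width and timestamps are constructed; the S7 protocol is not modelled.
The attack shape, not the numbers, is what the slides describe."""
import random
import secrets

CONST = 0x5EED          # constructed; in reality this would be read out of the firmware
TOKEN_BYTES = 4         # constructed token width


def plc_token(plc_start_time: int) -> int:
    """Vulnerable device side: seed = start time + constant, token = next output."""
    rng = random.Random(plc_start_time + CONST)
    return rng.getrandbits(8 * TOKEN_BYTES)


def recover_seed(observed_token: int, estimated_start: int, window: int):
    """Attacker side: the start time is approximately known (uptime is often
    readable over the network, or the boot can be forced), so only a small
    window of candidate seeds has to be tried.  Returns the start time or None."""
    for t in range(estimated_start - window, estimated_start + window + 1):
        if plc_token(t) == observed_token:
            return t
    return None


def predict_token(plc_start_time: int, skip: int) -> int:
    """With the seed known, every later token is known too: replay the
    generator and skip the outputs already handed out."""
    rng = random.Random(plc_start_time + CONST)
    for _ in range(skip):
        rng.getrandbits(8 * TOKEN_BYTES)
    return rng.getrandbits(8 * TOKEN_BYTES)


def safe_token() -> int:
    """Fix: take tokens from the OS CSPRNG; there is no seed to guess."""
    return int.from_bytes(secrets.token_bytes(TOKEN_BYTES), "big")


if __name__ == "__main__":
    start = 1_400_000_000                      # constructed boot timestamp
    observed = plc_token(start)                # what the attacker sees on the wire
    guess = recover_seed(observed, start + 37, window=120)
    print("recovered start time:", guess)
    print("next token will be:", predict_token(guess, skip=1))
```

The window of 241 candidate seeds is the whole attack cost; with a bare timestamp seed there is no secret left, which is why the fix is a CSPRNG rather than a better constant.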
SLIDE 41

Target: Siemens S7-1200 PLC

SLIDE 42

The PROFINET "feature" plus the PRNG vulnerability make a real attack vector. Result: PLC takeover.

SLIDE 43
  • Hash passwords
  • SHA on its own is not good enough
  • Storing the plaintext length next to the hash defeats the purpose

Redbox_value = len(pwd)*2+1 (the value highlighted in red on the slide)
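Slide 43 criticizes a password store that uses bare SHA and keeps the plaintext length beside the hash (len(pwd)*2+1). The block below is an added example, not the vendor's code: the records and the wordlist are constructed, and the "length field" follows the slide's formula. It shows how the length field prunes the attacker's wordlist before a single hash is computed, why the unsalted hash lets one table serve every account, and a salted, slow KDF (PBKDF2-HMAC-SHA256) as the replacement.

```python
"""Unsalted SHA plus a stored plaintext length (slide 43) versus a proper
password hash.  Added example, not the vendor's code: the account records,
the wordlist and the field layout are constructed.  The 'length field' uses
the slide's formula, len(pwd)*2 + 1."""
import hashlib
import hmac
import os


def weak_record(password: str) -> dict:
    """What the slide criticizes: bare SHA-1, no salt, plaintext length stored beside it."""
    return {"hash": hashlib.sha1(password.encode()).hexdigest(),
            "len_field": len(password) * 2 + 1}


def crack_weak(record: dict, wordlist: list) -> tuple:
    """Attacker: invert the length field to prune the wordlist, then hash only the
    survivors.  Because there is no salt, the same hashes serve every account.
    Returns (password or None, number of candidates actually hashed)."""
    pwd_len = (record["len_field"] - 1) // 2
    candidates = [w for w in wordlist if len(w) == pwd_len]
    for w in candidates:
        if hashlib.sha1(w.encode()).hexdigest() == record["hash"]:
            return w, len(candidates)
    return None, len(candidates)


ITERATIONS = 600_000   # assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def strong_record(password: str, salt: bytes = None) -> dict:
    """Fix: per-account random salt, slow KDF, and no plaintext metadata."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_strong(record: dict, password: str) -> bool:
    """Recompute with the stored salt; constant-time compare."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed wordlist and account.
    wordlist = ["admin", "password", "siemens", "1234", "Pa55w0rd", "1234567"]
    rec = weak_record("siemens")
    print("weak record:", rec)
    print("cracked:", crack_weak(rec, wordlist))
    good = strong_record("siemens")
    print("verify correct password:", verify_strong(good, "siemens"))
```

With the length field present the attacker hashes 2 of 6 words instead of 6; at real wordlist sizes that is the difference between hours and minutes, and the unsalted SHA means the work is done once for all accounts.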

SLIDE 44

Architecture looks ideal (from the developers' point of view)

SLIDE 45

Reality looks ideal too (from the attacker's point of view)

SLIDE 46

Reality looks ideal too (from the attacker's point of view)

SLIDE 47

Many vendors tend to reinvent the wheel and write their own services (ftp, telnet, ssh, http etc.). Guten Tag WinCC:

  • WinCC Server: Windows/MSSQL based SCADA
  • WinCC Client (HMI): WinCC runtime + project
  • WinCC Web Server (WebNavigator): IIS/MSSQL/ASP/ASP.NET/SOAP
  • WinCC WebClient (HMI): ActiveX/HTML/JS

SLIDE 48

Third-party services:

  • deployed with default and example configurations (e.g. many busybox-based devices ship with the default root account)
  • No patches and updates
SLIDE 49

Mirai DDoS botnet: DVRs, NVRs, IP cameras. Over 0.5 million IoT devices are vulnerable. What's the problem? Hardcoded root:xc3511. Moreover, it is not so easy to change it.

SLIDE 50
SLIDE 51

...to get firmware? ...to get debug symbols? ...to debug? PowerPC, no "operating system"

SLIDE 52
SLIDE 53
SLIDE 54

― Interlocking security (by Jakob Lyng Petersen)
  • Trains must not collide
  • Trains must not derail
  • Trains must not hit people working on the tracks
  —Sadly, animals can't handle the interview
― Formal methods and verification (rtfm)
  • B Method, Event-B
  —Underground rail networks in Beijing, Milan and Sao Paulo
  • Prover.com
  —Sweden, USA

SLIDE 55

― Safety-critical systems
― Abstract machines + formal methods
― Atelier B
  • Available IDE and C translator
  • No Ada translator
― Newer version: Event-B
  • See the Rodin framework
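The B/Event-B approach on slides 54 and 55 is to write the system as an abstract machine, state an invariant ("trains must not collide") and discharge a proof obligation for every event: if the invariant and the event's guard hold before, the invariant holds after. The Python below is an added example, not from the talk and not B code: it models a small straight line with two trains as such a machine (state, invariant, guarded events), checks the preservation obligation by enumerating all states, and explores every reachable state. The layout and the two-train fleet are constructed. Removing the occupancy guard shows what a failed proof obligation looks like.

```python
"""Checking the interlocking invariant "trains must not collide" on a small
abstract machine (slides 54 and 55).  Added example, not B/Event-B source:
a 5-segment straight line with two trains, constructed for illustration.
Two checks are shown: the inductive proof obligation (every enabled event
preserves the invariant) and bounded exploration of the reachable states."""
from itertools import product

SEGMENTS = 5                   # constructed layout: segments 0..4 in a line
TRAINS = 2                     # constructed fleet; state = tuple of positions


def invariant(state: tuple) -> bool:
    """Safety property: no two trains occupy the same segment."""
    return len(set(state)) == len(state)


def guarded_moves(state: tuple):
    """Event 'advance train i': guard requires the next segment to be free.
    Yields the successor state for each enabled instance of the event."""
    for i, pos in enumerate(state):
        nxt = pos + 1
        if nxt < SEGMENTS and nxt not in state:
            yield state[:i] + (nxt,) + state[i + 1:]


def unguarded_moves(state: tuple):
    """Same event with the occupancy guard forgotten: a modelling mistake."""
    for i, pos in enumerate(state):
        nxt = pos + 1
        if nxt < SEGMENTS:
            yield state[:i] + (nxt,) + state[i + 1:]


def preserves_invariant(moves) -> bool:
    """B-style proof obligation, checked by enumeration over the finite state
    space: from every state satisfying the invariant, every enabled event
    leads to a state that satisfies it too."""
    all_states = product(range(SEGMENTS), repeat=TRAINS)
    return all(invariant(t) for s in all_states if invariant(s) for t in moves(s))


def explore(initial: tuple, moves):
    """Breadth-first search of every state reachable from `initial`.
    Returns (number of states visited, first violating state or None)."""
    seen = {initial}
    frontier = [initial]
    while frontier:
        next_frontier = []
        for s in frontier:
            if not invariant(s):
                return len(seen), s
            for t in moves(s):
                if t not in seen:
                    seen.add(t)
                    next_frontier.append(t)
        frontier = next_frontier
    return len(seen), None


if __name__ == "__main__":
    start = (0, 1)   # train A in segment 0, train B just ahead in segment 1
    print("guarded   preserves invariant:", preserves_invariant(guarded_moves))
    print("unguarded preserves invariant:", preserves_invariant(unguarded_moves))
    print("guarded   reachable states / violation:", explore(start, guarded_moves))
    print("unguarded reachable states / violation:", explore(start, unguarded_moves))
```

Enumeration only works because the model is finite; the B tools prove the same obligation symbolically for unbounded state, which is what the line counts on slide 59 are buying. The shape of the argument, invariant plus per-event guard, is identical.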
SLIDE 56
SLIDE 57
SLIDE 58
  • “Everything will be C in the end. If it's not C, it's not the end.”
    – almost John Lennon

SLIDE 59

― KVB: Alstom
  • Automatic Train Protection for the French railway company (SNCF), installed on 6,000 trains since 1993
  —60,000 lines of B; 10,000 proofs; 22,000 lines of Ada
― SAET METEOR: Siemens Transportation Systems
  • Automatic Train Control: new driverless metro line 14 in Paris (RATP), 1998. 3 safety-critical software parts: onboard, section, line
  —107,000 lines of B; 29,000 proofs; 87,000 lines of Ada
― Roissy VAL: ClearSy (for STS)
  • Section Automatic Pilot: light driverless shuttle for Paris-Roissy airport (ADP), 2006
  —28,000+155,000 lines of B; 43,000 proofs; 158,000 lines of Ada

SLIDE 60
SLIDE 61
SLIDE 62
  • RTFM
  • SSDLC
  • ICS best practices
  • Follow CERTs
  • Common Weakness Enumeration at cwe.mitre.org
  • More practice: OWASP TOP 10
  • TESTING, TESTING AND TESTING AGAIN!
SLIDE 63
  • Mr. ICS developer, are you creating your products within SSDLC concepts?

SLIDE 64

*All pictures are taken from Google and other Internets

Alexander Timorin, Alexander Tlyapov, Alexander Zaitsev, Alexey Osipov, Andrey Medov, Artem Chaykin, Denis Baranov, Dmitry Efanov, Dmitry Nagibin, Dmitry Serebryannikov, Dmitry Sklyarov, Evgeny Ermakov, Gleb Gritsai, Ilya Karpov, Ivan Poliyanchuk, Kirill Nesterov, Roman Ilin, Sergey Bobrov, Sergey Drozdov, Sergey Gordeychik, Sergey Scherbel, Timur Yunusov, Valentin Shilnenkov, Vladimir Kochetkov, Vyacheslav Egoshin, Yuri Goltsev, Yuriy Dyachenko

SLIDE 65