TYPICAL ARCHITECTURE OF SCADA POWER PLANT

The model consists of 3 major compartments or network areas, namely the ENTERPRISE NETWORK, the PROCESS NETWORK and the CONTROL NETWORK.

1. Enterprise Network

  • Provides services for all enterprise business operations, such as web/email servers, application servers, workstations etc.
  • Regular access to the Internet or intranet.
  • Firewall protected (Tier I Security).

2. Process Network

  • Consists of the Master Terminal Unit (MTU), the HMIs and the Database Historian.
  • Provides the interface where the operator administers control and supervisory actions on all other subcomponents and field devices for efficient operation of the SCADA system.
  • Firewall protected (Tier II Security).

3. Control Network

  • Comprises the field instrumentation devices, such as the Remote Telemetry Unit (RTU), the sensors/IEDs and the actuators.
  • Modern SCADA incorporates the Intelligent Electronic Device (IED), an intelligent sensor capable of functioning in place of the Programmable Logic Controller (PLC).
  • Secured WAN link (Tier III Security).

SECURITY ISSUES OF SCADA

SECURITY ISSUES WITH MTU

  • Outdated Operating System, Applications and AntiVirus.
  • Updating to latest versions might cause operational instability, affecting system availability.
  • Attacks that could compromise MTU – SQL Injection, Buffer Overflow, Lack of Privilege separation etc.
  • Physical and deliberate compromise by an insider, negligence of the operator in identifying false alarm, or in adhering to the Security Policies.

SECURITY ISSUES WITH HMI

As with the MTU, HMIs are also affected by security issues resulting from an outdated operating system, software and antivirus program. Some possible threats resulting from these issues are:

1. Input Validation Vulnerability: Arising from improper validation of an input variable, which causes the software to write more data than it can normally hold.

2. System Level Access: When the HMI's default access level is SYSTEM, it poses a security challenge, as an attacker who succeeds in compromising the HMI will have no difficulty taking control of its entire functionality to cause havoc.

SECURITY ISSUES WITH DATABASE HISTORIAN

  • Usage of deprecated software and applications, lack of efficient patch management and improper application development are the usual reasons for a compromised DB historian.
  • Attacks that could compromise the DBH – SQL injection, buffer overflow, cross-site scripting etc., the last allowing an attacker to obtain cookie-based authentication credentials and gain access to the system.

SECURITY ISSUES WITH SENSORS

  • Signal jamming and interference causing signal distortion and denial of service.
  • Since the sensor communicates directly with the RTU, it is possible for an attacker who has successfully penetrated the network to conduct a MAN-IN-THE-MIDDLE attack, due to the lack of a sufficient cryptographic mechanism in the Modbus protocol.
  • Attacks that could compromise SENSORS – MiTM, FLOODING, TAMPERING, DOS, REPLAY attack.

SECURITY ISSUES WITH RTU

The RTU is subject to several security issues, such as:

1. Packet Modification: RTU packets in transit can be captured and modified, since the protocol used within the field devices lacks a proper encryption mechanism; hence the messages are in plain text.

2. Buffer Overflow: Memory allocation on field devices such as RTUs is usually fixed; hence knowledgeable attackers can take advantage of this to cause a denial of service.

3. Replay Attack: RTUs can be the route to stage a replay attack. A replay attack occurs when a captured message is retransmitted at some other time.

4. Privilege Escalation: An attacker who has successfully penetrated the control network via a MiTM attack can increase his access level by exploiting a privilege escalation vulnerability, should the RTU in use be susceptible to one. An attacker exploiting such a vulnerability can cause confidentiality, integrity and availability issues for the concerned system.

SECURITY ISSUES WITH COMMUNICATION PROTOCOLS

The two most common protocols used in SCADA networks are Modbus and DNP3. While Modbus is proprietary, the Distributed Network Protocol (DNP3) is non-vendor specific. These two protocols share common security issues, such as a lack of cryptography.

SCADA ATTACK VECTOR

In line with the MITRE ATT&CK Framework and Cyber Threat Metrics

These represent the starting point, or point of compromise, which an adversary uses to gain an initial foothold within the target's network. With respect to this work we have identified and used six possible attack vectors to compromise the SCADA master terminal unit, taken from the documentation of the MITRE ATT&CK framework and Cyber Threat Metrics, namely: removable media, malicious web components (SQL, XSS, BOF), Drive-by Compromise and Spear Phishing Attachment.

REMOVABLE MEDIA

This attack vector is mostly used against networks that are not easily reachable or accessible, also known as AIR-GAPPED NETWORKS, e.g. SCADA and DCS networks. The malware is copied onto removable media, e.g. a USB stick or thumb drive, and inserted into the target system, mostly by a disgruntled employee who has physical access to the system.

SPEAR PHISHING ATTACHMENT

This form of compromise involves a more targeted approach in which an adversary gains access to the target network by way of a MALICIOUS EMAIL ATTACHMENT. It is a social engineering technique that uses a well-constructed, target-specific email to deliver the malware.

DRIVE-BY COMPROMISE

This method of malware infection takes advantage of a USER VISITING A WEBSITE in the course of browsing. This form of exploitation is highly effective, as once successful it gives the adversary access to the internal network systems. An adversary delivers the exploit code by injecting malicious code into an otherwise legitimate website. Cross-site scripting and watering-hole attacks are the methods used. Other ways are through malicious adware and spyware served through legitimate websites.

MALICIOUS WEB COMPONENT (SQL INJECTION, BUFFER OVERFLOW & XSS ATTACKS)

This can be a tool for propagating an attack by using web pages that have been compromised with malware. An individual visiting such a COMPROMISED WEBPAGE may expose his system or network and in the process inadvertently download the malware. SQL injection, buffer overflow and cross-site scripting attacks are possible against web pages that are not properly secured or whose code is not properly written and tested for bugs.

SCADA ATTACK ANALYSIS – STUXNET

Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart.

Stuxnet has three modules: a WORM that executes all routines related to the main payload of the attack; a LINK FILE that automatically executes the propagated copies of the worm; and a ROOTKIT component responsible for hiding all malicious files and processes, to prevent detection of Stuxnet.

It is typically introduced to the target environment via an INFECTED USB FLASH DRIVE. The worm then propagates across the network, scanning for Siemens Step7 software on computers controlling a PLC. In the absence of either criterion, Stuxnet becomes dormant inside the computer. If both conditions are fulfilled, Stuxnet introduces the infected rootkit onto the PLC and Step7 software, modifying the code and giving unexpected commands to the PLC while returning a loop of normal operating system values back to the users.

For its targets, Stuxnet contains, among other things, code for a MAN-IN-THE-MIDDLE ATTACK that fakes industrial process control sensor signals so that an infected system does not shut down due to detected abnormal behaviour.

SCADA ATTACK ANALYSIS – INDUSTROYER

Industroyer (also referred to as Crashoverride) is a malware framework considered to have been used in the cyberattack on UKRAINE’S POWER GRID on December 17, 2016. Industroyer is the first ever known malware specifically designed to attack electrical grids. At the same time, it is the fourth malware publicly revealed to target industrial control systems, after Stuxnet, Havex, and BlackEnergy. Industroyer can use a specialized exploit to launch a DoS attack on the Siemens SIPROTEC devices widely used in electro-energetics. By exploiting a known vulnerability (CVE-2015-5374) the malware can place the device into “firmware update” mode.

SCADA ATTACK SCENARIO

We have been able to come up with 2 different attack scenarios. The ultimate goal of our attack in each model is to compromise the integrity of the data of a SCADA MASTER TERMINAL UNIT. The MTU, as explained previously, is where the ultimate control decision is made and translated into a command, which is transmitted over the communication link and effected on the respective field devices. The effect of an MTU integrity-based compromise is far reaching and can result in physical damage.

We define integrity-based compromise as any attempt perpetrated by an attacker to circumvent the authority of the operator of the SCADA MTU gaining full control of the component and issuing out malicious instructions, or a deceptive action by a malicious agent geared towards luring the operator of the SCADA MTU to perform and issue out wrong commands in response to a false alarm.

ATTACK SCENARIO – 1

ATTACK GOAL: Compromising MTU integrity by REPLAY ATTACK
ATTACK VECTOR: Removable Media
ATTACK AGENTS: Disgruntled Field Operative (Malicious Insider)
ATTACK SCOPE: Control and Process Network

  1. The goal here is to compromise the integrity of the SCADA MTU by transmitting replay packets.
  2. The attacker uses the help of an insider, a disgruntled field operative, who is in possession of undetectable (zero-day) malware on a USB stick.
  3. Since the malware is a zero day, it cannot be detected by the security scanner or the intrusion detection software, because neither security appliance has its signature.
  4. The malware exploits the authentication vulnerability of the Modbus communication protocol and as a result opens remote communication with the attacker, enabling the attacker to gather more intelligence about the system and granting him a remote presence within the control network.
  5. The attacker can exploit known vulnerabilities to gain preliminary user-level access to the RTU; once that is done he is able to elevate his privilege, gaining administrative access to the device, which ultimately gives him the opportunity to inject a replay packet for onward transmission to the MTU.
  6. The attacker is thus able to transmit an old packet at a new time in a REPLAY ATTACK, which would possibly cause the operator at the MTU to see the new malicious message as legitimate and in response issue the wrong control command; by issuing the wrong command the operator would have inadvertently compromised the integrity of the SCADA MTU.
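Steps 4 to 6 above, together with the plain-text Modbus weakness noted under the sensor, RTU and protocol sections, have one defensive consequence: a monitor on the control network cannot verify a frame's origin cryptographically, so it has to key on which host issues writes and whether an identical write PDU has already been seen. The following Python is an added example, not code from this page or from any product it names; the master addresses, the allowlist and the captured frames are all constructed.

```python
"""Modbus/TCP write and replay monitor over constructed sample frames.

Added example (not part of the original page). Modbus/TCP has no
authentication or integrity protection, so the only signals available to
a passive monitor are the sender address, the function code and whether
the same write has been seen before. All frames below are constructed.
"""
import struct
from dataclasses import dataclass

# Function codes that change PLC/RTU state (writes to coils or registers).
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass(frozen=True)
class ModbusFrame:
    src: str            # sender IP address (assumed to come from the capture)
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes      # PDU data after the function code


def parse_modbus_tcp(src, raw):
    """Parse a 7-byte MBAP header plus PDU from a raw Modbus/TCP segment."""
    if len(raw) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(raw) - 6:   # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return ModbusFrame(src, tid, unit, raw[7], raw[8:])


class WriteReplayMonitor:
    """Flags writes from non-allowlisted masters and repeated write PDUs."""

    def __init__(self, allowed_masters):
        self.allowed = set(allowed_masters)
        self.seen = set()    # (unit, function, payload) of writes already observed

    def check(self, frame):
        alerts = []
        if frame.function not in WRITE_FUNCTIONS:
            return alerts
        if frame.src not in self.allowed:
            alerts.append(f"write FC{frame.function} from unexpected master {frame.src}")
        key = (frame.unit_id, frame.function, frame.payload)
        if key in self.seen:
            alerts.append(f"possible replay: identical write FC{frame.function} to unit "
                          f"{frame.unit_id} seen before (tid {frame.transaction_id})")
        self.seen.add(key)
        return alerts


def build_frame(tid, unit, function, payload):
    """Construct a Modbus/TCP frame; used here only to make sample data."""
    pdu = bytes([function]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed traffic: the legitimate MTU (10.0.2.10) reads, then writes
# register 0x0010 := 0x1234; the same write PDU later reappears from a
# rogue host with a fresh transaction id, as in the replay scenario.
SAMPLE = [
    ("10.0.2.10", build_frame(1, 1, 3, struct.pack(">HH", 0, 4))),
    ("10.0.2.10", build_frame(2, 1, 6, struct.pack(">HH", 0x10, 0x1234))),
    ("10.0.2.99", build_frame(7, 1, 6, struct.pack(">HH", 0x10, 0x1234))),
]


def run_monitor(samples, allowed_masters=("10.0.2.10",)):
    """Return the alert list for each sample frame, in order."""
    mon = WriteReplayMonitor(allowed_masters)
    return [mon.check(parse_modbus_tcp(src, raw)) for src, raw in samples]


if __name__ == "__main__":
    for alerts in run_monitor(SAMPLE):
        print(alerts or "ok")
```

A legitimate periodic setpoint refresh carries the same PDU too, so a production monitor would also bound the match by time window and transaction-id sequence before alerting.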

ANALYSIS OF ATTACK SCENARIO – 1

FEATURE TYPE | ATTACK NODES FROM MODEL | SI SCORE
SOCIAL ENGINEERING | None | 0
REMOTE ADMINISTRATION | “Malware Opens up Remote Communication”; “Inject Sensor Packet Data”; “Transmit Replay Packet” | 1
STEALTH | “Modbus authentication vulnerability exploited leading to undetected access to control network” | 1
ZERO-DAY VULNERABILITY | “Malware present in USB for initial compromise” and two zero-day vulnerabilities exploited: first, to obtain shell access to remotely administer control on the RTU; second, to escalate privilege | 1
APT | Multiple zero-day exploits used, namely: Modbus authentication vulnerability exploit, RTU credential vulnerability exploit to obtain shell access and RTU privilege escalation vulnerability exploit | 1
TOTAL | | 4

ATTACK SCENARIO – 2

ATTACK GOAL: Compromising MTU integrity by XSS ATTACK
ATTACK VECTOR: Malicious Web Component (XSS Attack)
ATTACK AGENTS: Targeted-threat Agent
ATTACK SCOPE: SCADA Enterprise and Process Network

  1. The attacker performs initial reconnaissance to gather relevant information about the victim, who happens to be an unsuspecting Enterprise Network user.
  2. The attacker injects a payload into the victim's web application. Since execution of the exploit code in an XSS attack depends on the target's interaction with the compromised web application, execution of the malicious code is achieved in two ways: via a social engineering technique where the attacker lures the unsuspecting Enterprise Network user into visiting a malicious URL, and via a known exploit.
  3. Being in possession of the victim's cookie, the attacker has access to the enterprise user's session and can consequently impersonate him. In this process the attacker easily bypasses detection at firewall 1 and gains access to the web server in the enterprise network. Once a foothold has been established within the enterprise network, the attacker can further exploit a known information disclosure vulnerability, by which he is able to steal the administrator's session cookie credentials and also obtain VPN credentials.
  4. With the access level offered by administrative rights, the attacker is able to use VPN tunnelling to gain access into the process network, thus evading detection at firewall 2. Now the attacker can stage a man-in-the-middle attack by eavesdropping on communication between components of the process network, gaining limited access to the MTU. The attacker further exploits a known privilege escalation vulnerability to gain root access to the MTU, which gives him ultimate control over it; with such control he is able to modify MTU control signals, compromising the integrity of the entire SCADA system.
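Step 3 of this scenario depends on the enterprise web application's session cookie being readable by injected script and reusable from another host. The following Python is an added example, not code from this page; it checks constructed Set-Cookie headers for the attributes that limit that reuse (HttpOnly, Secure, SameSite), with a weak header beside its hardened form. The cookie names and header values are assumptions.

```python
"""Set-Cookie attribute check for a session cookie exposed to XSS.

Added example, not part of the original page. The headers are constructed
to mirror the scenario: a legacy enterprise/HMI portal that sets a bare
session cookie, and the hardened form of the same cookie.
"""


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' compare equal.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookie_findings(header_value, session_names=("sessionid", "JSESSIONID", "PHPSESSID")):
    """Return the weaknesses of one Set-Cookie header relevant to session theft.

    Only cookies that look like session cookies (known names, or 'sess' in the
    name) are assessed; other cookies yield no findings.
    """
    name, attrs = parse_set_cookie(header_value)
    if name not in session_names and "sess" not in name.lower():
        return []
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (also sent over clear-text HTTP)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (sent on cross-site requests)")
    return findings


# Constructed headers: the weak cookie as a legacy portal might send it,
# and the hardened version of the same cookie.
WEAK = "sessionid=abc123; Path=/"
HARDENED = "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header, "->", cookie_findings(header) or "no findings")
```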

ANALYSIS OF ATTACK SCENARIO – 2

FEATURE TYPE | ATTACK NODES FROM MODEL | SI SCORE
SOCIAL ENGINEERING | “Target Visits Malicious URL” | 1
REMOTE ADMINISTRATION | “XSS payload injected to web Application”; “Steal Session Cookies”; “Steal Administrator Credentials”; “VPN Tunneling”; “MITM Attack” | 1
STEALTH | “VPN Tunneling” | 1
ZERO-DAY VULNERABILITY | Three zero-days used: “XSS Vulnerability exploit”; “Information disclosure vulnerability exploit”; “Privilege Escalation Vulnerability exploit” | 1
APT | Multiple zero-day exploits; “Steal User Session”; “Impersonate User” | 1
TOTAL | | 5

INDUSTRIAL SOLUTION TO SCADA NETWORK DEFENSE

The overall SCADA Project approach contains 4 phases –

PRE ASSESSMENT

  • DEFINE PROJECT SCOPE
  • IDENTIFYING TERMS OF REFERENCE
  • INFORMATION GATHERING
  • LOGISTIC

ON SITE WORK

  • FACILITY TOUR
  • INTERVIEW
  • DOCUMENTATION
  • NETWORK REVIEW
  • NETWORK ANALYSIS
  • HOST ASSESSMENT

OFF SITE WORK

  • DOCUMENT COLLECTION
  • VALIDATE NETWORK ARCHITECTURE
  • ANALYZE ROUTER, SWITCH, FIREWALL CONFIGURATIONS, HOST CONFIGURATIONS AND SCRIPTS
  • PRIORITIZE AND RANK SECURITY RISKS
  • PROVIDE RECOMMENDATIONS

REVIEW WITH CLIENT

  • 1ST DRAFT REPORT ON FINDINGS AND RECOMMENDATIONS
  • REVIEW DRAFT WITH STAKEHOLDERS ON SUGGESTIONS AND MODIFICATIONS
  • FINAL REPORT

The SCADA network sees most of its weaknesses at the Enterprise level, which is highly dependent upon human interaction. It is therefore always recommended to train the human resources. Training empowers employees with up-to-date know-how on how to recognize and mitigate a cyber threat. By making employees able to identify and eliminate cyber threats, we are strengthening the most vulnerable link in the chain. Anonymity CSL provides comprehensive Training Programmes especially designed for the SCADA workforce to minimize the risk of human error.

OUR APPROACH AND METHODOLOGY

The methodology Anonymity CSL follows is distributed across 6 stages:

  1. PROJECT PLANNING AND INITIATION
  2. DESKTOP AND SERVER SECURITY ASSESSMENT
  3. SCADA SECURITY ASSESSMENT
  4. NETWORK ARCHITECTURE REVIEW AND SECURITY ASSESSMENT
  5. PHYSICAL ASSESSMENT
  6. REPORTING

STAGE 1

  • Define project scope and terms of reference
  • Define restrictions, e.g. operating hours, tolerable downtime (if any) etc.
  • Customization of assessment procedures
  • Information gathering
  • Logistics

STAGE 2

  • Check desktop / server role and compare against services running
  • Check patch level
  • Check permissions on critical directories
  • Check logging / anti-virus

STAGE 3

  • Assessment on SCADA, RTU and PLC
  • Check patch level
  • Check connection type and communication
  • Testing of registers / coils

STAGE 4

  • Review current network architecture design
  • Conduct assessment of network device configurations
  • Network sniffing

STAGE 5

  • Conduct physical assessment
  • Check on the current policy

STAGE 6

  • Analysis of findings
  • Identify risk rating
  • Consolidate reports

SCADA PEN TESTING CHECKLIST

  1. Are all factory default credentials changed?
  2. Is access to PLCs whitelisted to authorised machines only? They should not be reachable from everywhere.
  3. Is the SCADA network separated from the rest of the network? If not, try reaching the PLCs from corporate workstations.
  4. Is physical access to the SCADA control centre restricted?
  5. Can you access the internet from the controller machine?
  6. Are there any clear text services running on the SCADA network?
  7. Does the organisation follow a strict password policy?
  8. Are the controller machines, workstations and servers patched? Are they running anti-virus software and have application whitelisting enforced?

RECOMMENDED TOOL LIST

Here are the tools that we recommend in a SCADA assessment –

smod: ModBus penetration testing framework

plcscan: Python script for scanning PLC devices

NMAP Scripts: NMAP script to scan PLC devices

Wireshark: Network sniffer

mbtget: Perl script to read data from PLC

plcinject: Tool to inject code into PLCs
