Troy Nash
Vulnerability & Risk Assessment Program (VRAP)
Lawrence Livermore National Laboratory
UCRL-MI-215398 August 2005
Backdoors and Holes in Network Perimeters
A Case Study for Improving Your Control System Security
Introduction…1
Background…1
  Overview
  Architecture
  Threat
  Example Attack Sequences
Discussion…4
Conclusion…7

Introduction

The Supervisory Control and Data Acquisition (SCADA) system of a natural gas utility was compromised, resulting in a reduction of operations. The breach was discovered when operator interfaces became unresponsive and the system was no longer acquiring data. As a result, the system was disconnected from the network, and a combination of manual operation overrides and limited fail-over to a backup server went into effect until the environment could be restored. Technicians troubleshooting the incident identified the deletion of several core application files on the primary control server as the source of the problem.

Architecture

…operations. All of the hosts on the DMZ are on a separate subnet (with public, Internet-addressable IP addresses) behind the primary firewall.

Business LAN – The network used for the conduct of business operations, including Internet access, Intranet services (web, electronic mail, file sharing, printing, databases), and other application infrastructure for common business functions such as finances, human resources, market monitoring and operations, the employee desktop environment, and facility operations.
Threat
Attack Sequence #1 – Infiltration through the Wireless Access Point

STEP 1 – The adversary becomes aware of the wireless access point at the remote facility (through reconnaissance, social engineering, insider knowledge, or wardriving). From a parked vehicle outside the property fence line, the adversary uses a standard mobile rig (laptop, 802.11 wireless network interface card, range-extending antenna, and discovery software) to determine the specifics of the wireless network. Signal strength, WEP usage, and the MAC address and SSID used by the wireless access point are obtained in a matter of seconds.

STEP 2 – Using the SSID, the adversary attempts to gain access onto the wireless network. Since there are no security measures (authentication, access control, or encryption) in place, the adversary is able to associate with the access point unchallenged. Additionally, a Dynamic Host Configuration Protocol (DHCP) server is active on the network, assigning a dynamic IP address to the adversary's laptop and thereby completing the connection to the wireless network.

STEP 3 – Once connected, the adversary is able to probe the network and its systems. First, host discovery techniques are used to discover active systems on the network. Where possible, the specific network infrastructure (the switches, routers, and firewalls) is identified as well.

STEP 4 – For those systems that are found to be live, a fast port scan is conducted to discover what ports they have open, as well as to identify the operating system and applications in use. The adversary focuses on a small subset of ports that are typically associated with common exploits or with specific control system environments, such as 21 (FTP), 23 (Telnet), 25 (SMTP), 80 (HTTP), 102 (ICCP), 161 (SNMP), 502 (Modbus TCP), 1433/1434 (MSSQL), and 20000 (DNP).

STEP 5 – SNMP (Simple Network Management Protocol) is found to be running on several systems. Using an SNMP utility and the default community string "public", the adversary connects to the open SNMP port and retrieves system information. The system.sysDescr.0 field for one of the hosts is SCADA-01. The vendor and version of the operating system are determined as well.

STEP 6 – SCADA-01 is moved to the top of the adversary's list of potential target systems. Further probing identifies a vendor-specific vulnerability in the operating system. An exploit is acquired from a well-known hacker site and then attempted with success. The attacker gains root privileges and a command shell on the system, then proceeds to recon the system for several hours before deleting the files, which causes the denial of service.
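Step 5 succeeds on nothing more than the factory-default community string. The following is an added example, not code from the paper or from the VRAP: it builds the SNMPv1 GetRequest for system.sysDescr.0 byte by byte (BER encoding as used by RFC 1157), so the whole probe is visible on the page, and parses the agent's GetResponse. The host address passed to probe_default_community() and the SCADA-01 reply in sample_response() are assumptions constructed for the example; only probe_default_community() touches the network, and it should be pointed only at systems you are authorised to test. The same function is the check a defender runs against their own inventory to find agents still answering to "public".

```python
"""Hand-built SNMPv1 GET against the default community string (Step 5 above).
Added example; the byte layout follows RFC 1157 / BER, nothing here is the paper's code."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # system.sysDescr.0


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def _int(value):
    n = max(1, (value.bit_length() + 8) // 8)   # one spare bit keeps the sign bit clear
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:                        # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(data):
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_get_request(community, oid, request_id=1):
    """SNMPv1 Message { version 0, community, GetRequest-PDU { id, 0, 0, [ {oid, NULL} ] } }."""
    varbind = _tlv(0x30, _tlv(0x06, encode_oid(oid)) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def parse_get_response(packet):
    """Return (community, error_status, {oid: value}) from a GetResponse-PDU (tag 0xA2)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % tag)
    _, _rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, vblist, _ = _read_tlv(pdu, pos)
    values, pos = {}, 0
    while pos < len(vblist):
        _, vb, pos = _read_tlv(vblist, pos)
        _, oid_bytes, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        values[decode_oid(oid_bytes)] = val.decode("ascii", "replace") if vtag == 0x04 else val
    return community.decode("ascii", "replace"), int.from_bytes(err, "big", signed=True), values


def probe_default_community(host, community="public", timeout=2.0):
    """One GET for sysDescr.0 over UDP/161. Returns the description if the agent answered
    to that community string, None otherwise. Authorised targets only."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, SYS_DESCR), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    _, err, values = parse_get_response(data)
    return values.get(SYS_DESCR) if err == 0 else None


def sample_response():
    """Constructed GetResponse an agent named SCADA-01 would return (not captured traffic)."""
    varbind = _tlv(0x30, _tlv(0x06, encode_oid(SYS_DESCR)) + _tlv(0x04, b"SCADA-01"))
    pdu = _tlv(0xA2, _int(1) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, b"public") + pdu)
```

The request is 40 bytes on the wire and carries no authentication beyond the community string, which is why a read-only "public" string is enough to name the target in Step 5; SNMPv1 and v2c cannot do better, so the fix is to change the string and, where the agent supports it, move to SNMPv3 with authentication.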
Attack Sequence #2

STEP 1 – From a remote system on the Internet, the adversary performs reconnaissance of the company using keywords and custom searches to identify information that can be used to support the attack. In one document retrieved from the company's website, the adversary finds the hostname and IP address of the SCADA system. The adversary cannot connect directly to the system remotely because a firewall is blocking access from hosts on the Internet.

STEP 2 – The adversary then proceeds to identify all of the public IP address ranges associated with the target company using the American Registry for Internet Numbers (www.arin.net) and then begins to perform various scans against those addresses to identify open ports and potential vulnerabilities.

STEP 3 – A Windows system is discovered on the perimeter that has TCP port 139 (NetBIOS Session Service) open, used for connecting to file shares. Access to the port is not blocked by a firewall. Additionally, system accounts are not using strong passwords (a null administrator password can be used to remotely map the system drive). Once connected, the adversary is able to read, write, and delete files on the primary file system.

STEP 4 – Before attempting to attack the SCADA system, the adversary first recons the compromised box. The backup SAM file is acquired (to run a password cracker on) and the system (logs, caches, histories, bookmarks, scripts, batch files, archives, trash bin, etc.) is searched for information that can be used to propagate the current compromise to other systems on the network. It is discovered that the host uses SSH (Secure Shell) to connect to the SCADA server.

STEP 5 – The adversary can successfully ping the SCADA system (using the IP address obtained from the document found on the Web in Step 1) from the compromised host. While the firewall is providing limited protection to hosts on the DMZ, it is not blocking the DMZ network from making connections to systems on its trusted interface. In other words, a trust relationship exists between the hosts on the DMZ and hosts on the protected network. With an available access pathway, all that is required to attack the SCADA system is more interactive control and a vulnerability. Virus protection software on the Windows machine prevents the uploading of known Trojans onto the system, but it does not prevent the installation of a remote access tool. The adversary escalates their control of the system by installing rconsole, giving them more freedom and options to remotely use the resources of the compromised host (or install their own) as if they were running the tools locally at that system.

STEP 6 – From the compromised host, the adversary identifies that the SCADA system is using a vulnerable version of SSH. An exploit is crafted and then attempted with success. The attacker gains root privileges and a command shell on the system, then proceeds to recon the system for several hours before deleting the files, which causes the denial of service.
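Both sequences end with a loud port scan followed by a connection that the firewall's DMZ trust relationship (Step 5 above) lets through to the control network. The block below is an added example, not from the paper or any product: it runs two detections over firewall-style flow records, one for a source touching many distinct ports on one host within a short window, and one for any DMZ host opening a connection into the control network that is not the known jump host on its permitted port. The subnets, the jump-host address, and every flow record are assumptions constructed for the example; the DMZ stand-in uses a documentation range because the paper says the DMZ carries public addresses.

```python
"""Two detections over flow records for the pivot described in the attack sequences:
(1) a port scan from one source, (2) DMZ hosts opening connections into the control
network. Added example with constructed records, not data from the incident."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

DMZ = ip_network("203.0.113.0/24")      # assumed stand-in for the DMZ's public subnet
CONTROL = ip_network("10.10.0.0/16")    # assumed control-system network behind the trusted interface
ALLOWED_DMZ_SOURCES = {"203.0.113.10"}  # assumed: the one jump host allowed to reach the control network
CONTROL_INGRESS_OK = {22}               # assumed: the only port it may reach (SSH to the SCADA server)
SCAN_PORTS, SCAN_WINDOW = 8, 60         # >= 8 distinct ports on one host within 60 s counts as a scan

# Constructed flow records: (timestamp_s, src, dst, dst_port, proto)
FLOWS = [
    (0,  "192.0.2.5",    "203.0.113.10", 443,   "tcp"),  # Internet client to DMZ web server: normal
    (3,  "203.0.113.10", "10.10.1.5",    22,    "tcp"),  # jump host to SCADA server over SSH: permitted
    (10, "203.0.113.77", "10.10.1.5",    21,    "tcp"),  # compromised DMZ host starts probing the control net
    (11, "203.0.113.77", "10.10.1.5",    23,    "tcp"),
    (12, "203.0.113.77", "10.10.1.5",    25,    "tcp"),
    (13, "203.0.113.77", "10.10.1.5",    80,    "tcp"),
    (14, "203.0.113.77", "10.10.1.5",    102,   "tcp"),
    (15, "203.0.113.77", "10.10.1.5",    161,   "udp"),
    (16, "203.0.113.77", "10.10.1.5",    502,   "tcp"),
    (17, "203.0.113.77", "10.10.1.5",    1433,  "tcp"),
    (18, "203.0.113.77", "10.10.1.5",    20000, "tcp"),
    (40, "203.0.113.77", "10.10.1.5",    22,    "tcp"),  # then SSH from a host that was never authorised
    (50, "198.51.100.9", "203.0.113.10", 80,    "tcp"),  # two ports from one Internet host: below threshold
    (55, "198.51.100.9", "203.0.113.10", 443,   "tcp"),
]


def detect_port_scans(flows, threshold=SCAN_PORTS, window=SCAN_WINDOW):
    """One alert (src, dst, distinct_ports, first_ts) per pair that touched >= threshold
    distinct destination ports within `window` seconds of some first hit."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _proto in flows:
        by_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alerts.append((src, dst, len(ports), t0))
                break
    return alerts


def detect_dmz_ingress(flows):
    """Every DMZ -> control-network flow that is not the authorised jump host on a permitted port.
    A firewall without the trust relationship would drop these; with it, they are the only
    trace of the pivot, so a sensor on the trusted interface must raise them."""
    hits = []
    for rec in flows:
        _ts, src, dst, port, _proto = rec
        if ip_address(src) in DMZ and ip_address(dst) in CONTROL:
            if src not in ALLOWED_DMZ_SOURCES or port not in CONTROL_INGRESS_OK:
                hits.append(rec)
    return hits


def analyse(flows):
    return {"port_scans": detect_port_scans(flows), "dmz_ingress": detect_dmz_ingress(flows)}


if __name__ == "__main__":
    for kind, alerts in analyse(FLOWS).items():
        print(kind)
        for a in alerts:
            print("  ", a)
```

The scan detection fires on the compromised DMZ host but not on the Internet client that touched two ports, and every one of that host's control-network connections is flagged regardless of port, which is the point of recommending that the DMZ trust relationship be broken: once the policy is "no DMZ-initiated traffic except the jump host on 22", the sensor rule is the policy itself.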
Discussion

Beyond the specific system vulnerabilities that allowed for a compromise of the SCADA host, four general observations can be made with respect to vulnerabilities in the overall environment that contributed to the success of the attack.

OBSERVATION #1: Perimeter security is incomplete.

Modern process control environments face significant security challenges. SCADA or other DCS (Distributed Control Systems) that operate in these environments are distributed by nature and are not concentrated in a single area that is easy to delineate and defend.

The boundaries (both physical and logical) of these systems vary. Some are localized to a specific facility, while others span large geographical regions with multiple, interconnected sites. Given the dispersed environment, the perimeter (the outermost edges, border, interfaces, and interconnections) that surrounds the control system is somewhat blurred and difficult to manage from a security viewpoint. This is especially true of the cyber components of the control system, as opposed to the physical apparatus, which is easier to visualize and protect: it is a piece of hardware inside a room, within a building, behind a fence, on private property, and so on. But the cyber perimeter is less tangible, and unsecured backdoors and other holes in the network perimeter are not uncommon.

Consider the wireless access point. While the physical hardware may be locked inside a secure building, the network perimeter is not just the remote station anymore, but everything within wireless range of the access point, including the hosts that connect to it. Even though access from the Internet may be heavily monitored and guarded, this connection circumvents those security controls. It is the unlocked backdoor that puts the control system at risk as long as pathways such as these remain unsecured.

RECOMMENDATIONS

1. Know your perimeter – What is the boundary of your network perimeter? Is it simply the border gateway that separates your control system from other external networks? Is it at the firewall? What about a modem that connects directly to the SCADA system, or the field technician's laptop that gets connected to both the control network and untrusted networks (e.g., at home, a hotel, or an airport)? To better understand your network perimeter, consider the following:
   - Take a complete inventory of all access points, remote connections, and other ways onto your networks. Consider all relevant mediums (satellite, microwave, radio, telecommunications, wireless 802.11, Bluetooth) and locations (remote stations, vendors, customers), not just the Ethernet pathway from the Internet.
   - Develop and maintain network or system-level diagrams that inventory and illustrate these connections and the security controls that are in place.
   - Develop a process for periodically verifying and modifying the inventory as the perimeter expands or shrinks.

2. Defend your perimeter – Appropriate security controls should be added to all entry points onto your network, not just the Internet connection. In this specific case, security should be added to the wireless network connection (see the tips for wireless access point security below) and the trust relationship on the DMZ should be broken.

3. Test your perimeter – Table-top review, assessments, wardialing, wardriving, scanning, and penetration testing will help identify backdoors and holes, as well as uncover potential vulnerabilities in perimeter defenses.

4. Report suspicious activity – Communicate with Internet Service Providers (ISPs) regarding IP addresses within their range that are being used to conduct scans against your networks, and notify law enforcement of exploit attempts. Also, consider reporting incident activity to external organizations (e.g., DShield.org or US-CERT) that track such information. Forming cooperative partnerships in an effort to share information (best practices, lessons learned) and identify trends and common issues is another effective strategy. While this will not stop an adversary, it will foster an image that your organization takes violations against its security seriously and is willing to act on them.

Tips for Improving Wireless Access Point (AP) Security

Change default parameters on your AP, such as the administrator password and the SSID used for the network. Changes should be performed periodically, not just the first time the device is deployed.

Turn off SSID broadcasting on all non-public APs or single-AP environments that have a pre-defined set of users.

Control access to the network. At a minimum, enable MAC address filtering and use WEP encryption keys to control access to the network. For a more secure approach, consider a dedicated authentication server.

Set up the AP on its own dedicated subnet. Establish separation and security controls between the wireless subnet and the wired network(s) that it connects to, using a firewall or Access Control Lists (ACLs) on the router.

Use encryption for communications. Enable WEP (preferably with TKIP or another similar enhancement). Use the largest encryption key possible and change the key frequently (if applicable). Dynamic or session-based WEP keys offer the best protection. In addition, use higher-level encryption mechanisms like VPN, SSH, and SSL for connections between hosts. Note that WEP has since been shown to be cryptographically broken; where the hardware supports it, WPA2 or later should replace it, and the layering advice here still applies.

Know your network. Maintain inventories and diagrams of systems and devices on your wireless local area network (WLAN). Enable logging on systems and devices and check logs regularly. Consider deploying a wireless intrusion detection system on the WLAN.

Conduct periodic assessments. Establish a practice of testing existing wireless environments to discover new vulnerabilities and rogue devices, as well as to verify that the security posture is maintained over time.

IMPORTANT: Simple security measures (like disabling SSID broadcasting, enabling WEP, or using MAC address filtering) in and of themselves will not provide adequate security against a determined adversary. However, when used in combination as reinforcing layers in a "defense-in-depth" strategy, a more comprehensive security posture is established, raising the level of sophistication and effort required for a successful attack and increasing the opportunity to detect that attack.

OBSERVATION #2: Intrusion detection coverage is limited.

While the infiltration is seamless in both attack sequences (the attacker looks like an ordinary user, accessing system resources by ordinary means), the network reconnaissance and subsequent exploit are very loud, generating suspicious traffic on the network, both outside the perimeter and on the interior networks. However, this is not discovered in either scenario because there are no intrusion sensors on the control system network, and traffic from the host on the DMZ is given a regrettable pass because of the trust relationship.

RECOMMENDATIONS

1. Verify intrusion detection coverage – Consider all the potential access points to each of your networks, whether they are from the Internet, a remote station, or an Ethernet jack in a public lobby or conference room. Consider key choke points and mission-critical systems. These all become potential candidates for intrusion sensors and should be considered in the overall deployment of an intrusion detection system.

2. Develop an intrusion detection capability – Beyond hardware/software controls, establish a capability (people + tools + process) to monitor and react to suspected network and system-level intrusions, as well as to maintain and tune the specific detection rulesets and logging requirements for your organization.

3. Evaluate the detection capability – Perform regular tests at all perimeter entry points, key choke points, and from random systems on the networks. Confirm that intrusion detection is working as expected, i.e., that suspicious activity (like scanning) and relevant exploit signatures are flagged and that the appropriate response (email or page, for example) is generated and routed correctly.

OBSERVATION #3: Nonexistent and default passwords were in use in the environment on both mission-critical and perimeter systems.

The use of passwords for authentication (and subsequent access to systems) is a potential area of vulnerability in every security environment. The security issues relating to password authentication (i.e., the use of weak, default, or nonexistent passwords) have consistently remained among the SANS Most Critical Internet Security Vulnerabilities² since the inception of the list. The creation, distribution, usage, revocation, and other aspects of managing and protecting the keys to our network systems is an unending challenge, with many opportunities for failure.

On a control system network, the problem is exacerbated due to its mission-critical nature and the requirement for real-time operation. Operators need instant access to systems (getting locked out for mistyping a password in a crisis situation is not tolerable), and passwords often go unchanged simply because technicians do not want to risk bringing down a system that is stable. As such, shared, default, weak, or blank passwords are not uncommon in these environments. In this case, the use of nonexistent and default passwords contributed to the success of the attack sequences described here. Specifically, the following observations are worth noting:

1. There was no password required for access to the wireless network.
2. There was no password required to access the file share on the perimeter system.
3. The SCADA server used the default SNMP community string (the protocol password) "public".

In each case, a stronger password would not have adversely affected the operation of the environment, while significantly improving security.

RECOMMENDATIONS

1. Change default and non-existent passwords – This requires a comprehensive look at all of the default and non-existent passwords used in the environment, including:
   - User accounts (administrator, root, service, temporary, guest)
   - Application passwords (SCADA, FTP, SNMP, database, web, mail, file shares)
   - Scripts and source code (web applications, utilities, plug-ins)
   - Network devices (access points, routers, switches, printers, firewalls)
   - Control equipment (RTUs, PLCs, IEDs, ROCs)

2. Develop and implement policy and procedures – Establish the minimum requirements for creating strong passwords, such as length, aging, reuse, and the character set to be used, as well as general principles: the password should not be found in a dictionary (English or foreign) or use personal information (such as a name, birth date, or SSN).
The policy should also handle changing passwords after suspected compromise or when an untrusted user such as a vendor or technician is allowed temporary access to mission-critical systems and devices. Finally, educate users regarding the policy and best practices for the security and overall usage of passwords.

3. Assess the environment – Periodically audit the passwords used in the environment to ensure that they meet policy requirements. At a minimum, systematically check mission-critical systems on a regular schedule.

4. Wrap additional layers of security around the exceptions – If a system absolutely must have a weak, blank, default, or shared password, then it becomes important to add additional layers of security around that system. For example:
   - Deny remote login (only allow physical login at the console/device).
   - Use a firewall or access control list to restrict network access to a given system. In other words, the user must use System X to remotely connect to System Y (the one with the weak, default, or nonexistent password). No other system is allowed access to System Y, regardless of whether the password is known or not.
   - Use more robust system event logging. Determine what normal behavior is and is not, and then flag those events that are suspicious, in order to identify brute-force guessing at login prompts, access to password files, and unusual command or data patterns.

5. Consider alternative methods of authentication – Where applicable, two-factor authentication (using smartcards, tokens, or biometrics) should be considered as an alternative to using simple passwords by themselves. The advantage of two-factor authentication is that in order to access the system the user must provide something they have (smartcard, token, or fingerprint) and something they know (a PIN or password). An adversary must acquire (or circumvent) both for the attack to succeed.

OBSERVATION #4: Sources of information leakage were present in the environment.

Unless the adversary is an insider or has otherwise acquired insider knowledge (through social engineering, coercion, blackmail, or bribery), the specifics of the network and systems prior to the attack are unknown. In the early stages of a cyber attack, the adversary operates somewhat blindly and must first discover the information, targets, and vulnerabilities necessary to execute the attack. In other words, adversaries do not magically know where your SCADA system is or what systems are vulnerable. They must discover this information through various techniques of scanning, probing, information searches, etc.

As we observed in both attack sequences, the adversary needed to gain knowledge in order to successfully attack the target. For example:
   - The existence of the wireless network
   - The SSID of the wireless network
   - Live systems, open ports, potential vulnerabilities
   - Version, brand, or type information of systems and devices
   - The IP address, host name, or MAC address of target systems

If the SCADA system did not carry a descriptive name, or if its IP address was unknown, what system would the adversary attack? All of them? Or one at random, in hopes of identifying the SCADA system? The adversary's work is made much easier if information leakage exists, since they may not have the capability to profile a system across a network of hosts to adequately determine whether a particular one is a SCADA system or not. Packet capture and analysis or social engineering are valid secondary options, but they involve more time and resources.

The less information you give to the adversary, the harder their job becomes and the more likely you will discover their attack. In this case, the attacks succeeded because the adversary was able to easily acquire the necessary information. Finding ways to control and minimize information leakage without affecting operations is the challenge.

RECOMMENDATIONS

1. Practice good Operations Security (OPSEC) – OPSEC is a process that attempts to deny the adversary information that could be leveraged to improve the opportunity, success, and impact of an attack. Some recommendations for improving OPSEC in this case would be:
   - Do not use descriptive names for mission-critical systems. While it may be more convenient for managing those systems, names like SCADA, FIREWALL, or DNS make those systems prime targets in keyword searches and network discovery.
   - Minimize the amount of information regarding vendors, versions, configurations, and applications that you provide (in banners, diagrams, documents, presentations, fact sheets, annual reports, etc.), especially if those resources are accessible via the network. Identify, track, and protect those sources that do contain such information.
   - Develop a review and release process for all information that is accessible via the Web, including webpages, documents, pictures, and other media files.
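Observation #3's first recommendation (a comprehensive look at default and non-existent passwords across accounts, applications, network devices, and control equipment) and Observation #4's OPSEC points (descriptive host names, version strings in banners) can be checked from the same asset inventory. The block below is an added example, not the paper's or any vendor's tool: it audits a constructed inventory for blank or factory-default secrets, passwords that break the policy baseline from the recommendations above (length, dictionary words, personal information), descriptive host names, and banners that leak product versions. The default-credential table, the dictionary, the policy thresholds, the host entries, and the people tokens are all assumptions constructed for the example.

```python
"""Inventory audit for Observations #3 and #4: default or blank credentials, policy-breaking
passwords, descriptive host names, and version-leaking banners. Added example; every
host, secret and list here is constructed, not the utility's real data."""
import re

MIN_LENGTH = 12
# Constructed stand-in for a real wordlist; only words of 4+ letters to limit false matches.
DICTIONARY = {"password", "welcome", "summer", "utility", "control", "operator", "secret"}
# Constructed subset of published factory defaults, keyed by service. "" means blank.
DEFAULT_CREDENTIALS = {
    "snmp":    {"public", "private"},
    "windows": {"", "admin", "password", "administrator"},
    "ftp":     {"", "anonymous", "ftp"},
    "plc":     {"", "1234", "admin"},
}
DESCRIPTIVE = re.compile(r"\b(scada|hmi|plc|rtu|historian|firewall|fw|dns|router)\b", re.I)
VERSION_LEAK = re.compile(r"[A-Za-z][\w-]*[ _/-]v?\d+\.\d+")   # e.g. "OpenSSH_3.7", "NT 4.0"

# Constructed inventory entries: host name, service banner, identifying tokens for the
# people who use the host (for the personal-information rule), and (service, account, secret).
INVENTORY = [
    {"host": "SCADA-01", "banner": "OpenSSH_3.7.1p2 / SunOS 5.8",
     "people": ["j.doe", "19681212"],
     "credentials": [("snmp", "ro", "public"), ("ssh", "root", "Gas-Ops!2005-Xk9q")]},
    {"host": "DMZ-FILES", "banner": "Windows NT 4.0 SP6",
     "people": ["m.smith", "19750303"],
     "credentials": [("windows", "administrator", ""), ("ftp", "anonymous", "")]},
    {"host": "rtu-0417", "banner": "",
     "people": ["a.nguyen", "1975"],
     "credentials": [("plc", "engineer", "summer1975"), ("plc", "maint", "vR7!pQ2#mZ9$wL")]},
]


def password_problems(secret, people):
    """Return the policy rules a password breaks; an empty list means it passes."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append("shorter than %d" % MIN_LENGTH)
    low = secret.lower()
    if any(word in low for word in DICTIONARY):
        problems.append("contains dictionary word")
    if any(token.lower() in low for token in people if len(token) >= 4):
        problems.append("contains personal information")
    return problems


def audit_host(entry):
    """Findings for one host as (host, category, detail) tuples."""
    host, findings = entry["host"], []
    if DESCRIPTIVE.search(host):
        findings.append((host, "descriptive-name", host))
    leak = VERSION_LEAK.search(entry["banner"])
    if leak:
        findings.append((host, "version-leak", leak.group(0)))
    for service, account, secret in entry["credentials"]:
        if secret == "" or secret in DEFAULT_CREDENTIALS.get(service, set()):
            findings.append((host, "default-credential", "%s/%s" % (service, account)))
            continue                      # no point grading a password that is a known default
        problems = password_problems(secret, entry["people"])
        if problems:
            findings.append((host, "weak-password",
                             "%s/%s: %s" % (service, account, ", ".join(problems))))
    return findings


def audit(inventory):
    return [finding for entry in inventory for finding in audit_host(entry)]


if __name__ == "__main__":
    for host, category, detail in audit(INVENTORY):
        print("%-10s %-18s %s" % (host, category, detail))
```

Note that the RTU is caught by the name rule even though "rtu" is only a prefix of its name, and that the Windows host is reported twice for credentials (blank administrator and anonymous FTP) but only once for its banner; the audit stops grading a secret as soon as it matches a known default, since a default is a finding in its own right regardless of length.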
Conclusion
Figure 2 illustrates some of the primary recommendations from this document, applied to the environment presented in Figure 1. Primary recommended mitigations included: