Threats to Industrial Control Networks
Defensive Network Security Consultants (DNSC), LLC
17 October 2012
Contact Information

    Angel E. Avila
    CISSP, CISA, CEPT, C|EH, CompTIA Sec+
    E-mail: angel.e.avila@dnsc-cyber.com
    http://www.dnsc-cyber.com
    PH: 915-247-8978

DNSC Background

    • Computer Security Professionals (8 years)
       – Specializing in Penetration Testing, Vulnerability
         Assessments, Compliance and Auditing

    • Experience working on Government (DoD) and
      Private Industry systems
    • Certifications:
       – Certified Information Systems Security Professional (CISSP)
       – Certified Information Systems Auditor (CISA)
       – Certified Ethical Hacker (C|EH)
       – Certified Ethical Penetration Tester (CEPT)
       – Certified Information Systems Manager (CISM)
       – Certified Penetration Tester (CPT)
       – CompTIA Security+

Objective

    • The intent of this brief is to raise awareness among
      the energy community of some of the current threats
      targeting Industrial Control (IC) networks, including
      the Smart Grid, and of the importance of developing
      secure critical infrastructure.

Why should we care?

    • “An aggressor nation or extremist group could use
      these kinds of cyber tools to gain control of critical
      switches,” Mr. Panetta said. “They could derail
      passenger trains, or even more dangerous, derail
      passenger trains loaded with lethal chemicals. They
      could contaminate the water supply in major cities,
      or shut down the power grid across large parts of
      the country.” [1]
    • Successful attacks against critical infrastructure
      assets can potentially lead to loss of life, and life as
      we know it.
      1. Bumiller, Elisabeth; Shanker, Thomas. “Panetta Warns of Dire Threat of Cyberattack on U.S.” New York Times on the Web, 11 Oct. 2012. Accessed 15 Oct. 2012. <http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?_r=0s>

IC Network Overview

    [Figure: IC network overview]

    Figure adapted from: Eric D. Knapp, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems, Syngress, 2011.

Common Mistakes

    • Overconfidence: “Systems are 100% secure”
    • Refusal to recognize threats: “It can’t happen to me”
    • Air Gap myth: “Systems are not connected to the IT
      network/Internet”
    • Executive override
        – “Intentional” security holes for legitimate business
          purposes; “set it and forget it”
    • Default accounts & passwords
    • Lack of authentication
    • Unrestricted inbound/outbound traffic
    • Compliance != Secure

Adversary
    • Cyber Threat Expertise
      – Novice: An adversary with no training, only using
        open-source (freely available) tools
      – Intermediate: An adversary with some training,
        some level of funding, uses tools either purchased
        or traded on-line
      – Expert: An adversary with a mature skill set and
        uses custom, open source, and purchased tools
         • Foreign sponsored
         • Hacktivist

Threats to IC Networks
    • Advanced Persistent Threat (APT)
      – An adversary with sophisticated levels of expertise
        and significant resources, which allow it to create
        opportunities to achieve its objectives by using
        multiple attack vectors (e.g., cyber, physical, and
        deception)
         • Maintains a foothold in order to pursue directed
           malicious objectives against the target
         • Ex: Stuxnet, a worm targeting Iranian nuclear reactor
           machinery
      – Driven by either government agencies or terrorist
        organizations
    • An APT pursues its objectives repeatedly over
      an extended period of time while countering the
      victim’s mitigation attempts

    As defined in NIST Special Publication 800-39, Managing Information Security Risk
Threats to IC Networks (cont.)
     • Cyber Threats
       – Malicious efforts directed at gaining access to,
         exfiltrating data from, manipulating data on, or
         denying service to information systems (IS)
       – Directed attacks against confidentiality, integrity,
         and availability (CIA)
       – Cyber threats can come from anyone

     • Supply Chain Threat
       – Refers to code being covertly inserted into devices
       – Do you know who is developing your devices?

Threats to IC Networks (cont.)
     • Outsider Threat
       – No credentials, no physical access to the target
         network
       – Ex: Hacktivists, foreign states, terrorist
         organizations, script kiddies

     • Nearsider Threat
       – No credentials, but has physical access to the target
         network
       – Ex: Cleaning crew, delivery personnel

     • Insider Threat
       – Has user and/or root-level credentials on the
         target network
       – Ex: Disgruntled employee (users/administrators)
IC Network Overview

    [Figure: IC network overview annotated with entry points for Outsider/Cyber Threats, Insider/Nearsider Threats, and the Advanced Persistent Threat]

    Figure adapted from: Eric D. Knapp, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems, Syngress, 2011.
Attack Vectors

     • Web
       – SQL Injection
       – Broken authentication and session management
          • https://www.owasp.org/index.php/Top_10_2010-Main
     • Wireless
       – Use of weak wireless algorithms: WEP and WPA
     • Bad Security Practices
       – HBGary and Anonymous incident
          • http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/
     • Social Networking
       – Facebook

Attack Vectors (cont.)
     • SCADA Protocols
       – Lack of authentication
       – Lack of encryption

     • SCADA Systems
       – Sinapsi eSolar Light Photovoltaic System Monitor
       – Authentication bypass via hard-coded credentials;
         also vulnerable to SQL injection
          • Also affects other solar panel control systems
          • ICS-ALERT-12-284-01

     • Control Systems
       – Shodan, a search engine that can be used to identify
         Internet-facing control systems
          • ICS-ALERT-11-343-01
Attack Vectors (cont.)

     • How can I traverse through the Smart Grid?
       – Advanced Meter Infrastructure (AMI) smart meters
         can be shut down through the optical port
          • D. Weber, “Looking into the Eye of the Meter”. BlackHat
            2012.

       – Over 40 million ZigBee electric meters are
         deployed, concentrated in Texas, California,
         Michigan, and Virginia.
          • ZigBee Alliance: Heile, Bob,
            https://docs.zigbee.org/zigbee-docs/dcn/10-6056.pdf

Attack Vectors (cont.)
     • AMI provides the ability to remotely control devices
       in the Home Area Network (HAN)
       – Turn off lights, raise thermostat, etc.
     • Detailed energy use is collected over regular time
       intervals
       – Consumers can view energy usage in real time
     • ZigBee is being used in HANs within the Smart Grid,
       exposing them to:
       – Sniffing traffic
       – Replay attacks
       – Denial-of-Service

     [Figure: Smart Grid using ZigBee Home Area Network (HAN)]
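The replay attack listed above is what ZigBee’s per-sender frame counter is meant to stop: a receiver that remembers the highest counter accepted from each sender can drop a captured frame that is sent again. The following is an added illustration, not code from the deck or from any ZigBee stack; the frame layout (8-byte source address, 4-byte counter, payload) and the addresses and commands are constructed stand-ins, not the real ZigBee header encoding.

```python
"""Replay detection for a ZigBee-style Home Area Network receiver.

Constructed example: frames carry a per-sender, monotonically increasing
32-bit frame counter (as in the ZigBee auxiliary security header).  A
receiver that remembers the highest counter accepted from each sender
rejects replayed captures.  The layout below is a simplified stand-in.
"""
import struct
from dataclasses import dataclass, field

# Simplified frame: 8-byte source address, 4-byte little-endian frame
# counter, then the command payload (assumed already authenticated).
HEADER = struct.Struct("<8sI")
COUNTER_MAX = 0xFFFFFFFF


@dataclass
class ReplayFilter:
    """Tracks the highest accepted frame counter per sender."""
    last_counter: dict = field(default_factory=dict)
    events: list = field(default_factory=list)   # audit log for the SOC

    def check(self, frame: bytes) -> str:
        if len(frame) < HEADER.size:
            return "reject:short"
        src, counter = HEADER.unpack_from(frame)
        sender = src.hex()
        if counter == COUNTER_MAX:
            # Counter exhausted: the key must be replaced before the
            # counter may wrap, so stop accepting traffic under it.
            self.events.append(f"{sender}: frame counter exhausted, rekey")
            return "reject:rekey"
        prev = self.last_counter.get(sender)
        if prev is not None and counter <= prev:
            # A counter at or below the highest seen is a replay (or a
            # duplicate); drop it and record the event for detection.
            self.events.append(f"{sender}: replay counter={counter} last={prev}")
            return "reject:replay"
        self.last_counter[sender] = counter
        return "accept"


def make_frame(src: bytes, counter: int, payload: bytes) -> bytes:
    """Builds a frame in the simplified constructed layout."""
    return HEADER.pack(src, counter) + payload


def demo() -> list:
    """Runs a constructed HAN capture through the filter; returns verdicts."""
    meter = bytes.fromhex("00124b0001a2b3c4")   # constructed sender address
    f1 = make_frame(meter, 1000, b"TSTAT_SET 72")
    f2 = make_frame(meter, 1001, b"LOAD_OFF")
    # Legitimate f1, f2; then f2 and f1 replayed from a sniffed capture;
    # then a fresh frame; finally a frame at the exhausted counter value.
    capture = [f1, f2, f2, f1, make_frame(meter, 1002, b"LOAD_ON"),
               make_frame(meter, COUNTER_MAX, b"LOAD_OFF")]
    flt = ReplayFilter()
    return [flt.check(f) for f in capture]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```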
Conclusion

     • Real-world threats are constantly trying to
       exploit various IC installations
     • Reliability vs. Security
     • Awareness and being proactive help reduce
       the risk of your network being exploited

Questions

     • ??

Contact Information
     • Angel E. Avila CISSP, CISA, C|EH, CEPT, CompTIA Security +
       angel.e.avila@dnsc-cyber.com

     • Richard G. Coy CISSP, CISA, C|EH, CPT, CEPT
       richard.g.coy@dnsc-cyber.com

     • Francisco J. Leyva CISSP, CISA, C|EH, CISM, CEPT
       francisco.j.leyva@dnsc-cyber.com

     • Humberto Mendoza CISSP, CISA, C|EH, CISM, CEPT
       humberto.mendoza@dnsc-cyber.com

     • Daniel Chacon CISSP, CISSA, C|EH, CISM, CEPT
       daniel.chacon@dnsc-cyber.com

     http://www.dnsc-cyber.com
Backup

Attack Vectors (cont.)
• ZigBee Overview
  – Low-power (long battery life), low-data-rate wireless
    protocol
  – 250 Kbps throughput rate (low data rate)
  – Short range (10 – 100 meters)
  – Supports star and mesh network topologies
  – Nodes can easily be added to and removed from the network

• Why ZigBee?
  – Wi-Fi transceivers are more expensive and need more
    power to operate
  – Bluetooth, as a Frequency Hopping Spread Spectrum
    protocol, requires more power to operate
  – ZigBee consumes less power than Wi-Fi and Bluetooth
  – ZigBee is designed specifically for monitoring and
    automation
  – ZigBee is a good fit for smart meters in Advanced
    Meter Infrastructure (AMI)
Attack Vectors (cont.)
• ZigBee Exploitation using KillerBee [1]
  – zbid – list available ZigBee devices connected to the PC
  – zbdump – "tcpdump -w" clone for capturing ZigBee traffic
  – zbconvert – convert capture file formats
  – zbreplay – replay attack
  – zbdsniff – over-the-air (OTA) crypto key sniffer
  – zbfind – GUI for locating ZigBee networks
  – zbgoodfind – search a memory dump for the crypto key
  – zbassocflood – association flood attack (DoS)
  – spoofing attacks when used with a Software Defined Radio

  1. KillerBee: Wright, Joshua, http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf
Attack Vectors (cont.)
• ZigBee Security
  – KillerBee [1] is an open source tool suite used to
    test and exploit ZigBee networks
  – The hacker community has made many software modifications
    to the KillerBee [1] tool suite
  – The KillerBee [1] firmware is flashed onto an RZUSB ($40.00)
    through the Joint Test Action Group (JTAG) interface
     • AVR JTAG ICE mkII ($300.00) is used to flash the RZUSB

  [Figure: RZUSB stick and AVR JTAG ICE programmer]

  1. KillerBee: Wright, Joshua, http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf
Attack Vectors (cont.)
• Problem: Demand for power exceeds the supply
• AMI provides the ability to remotely control devices
  in the HAN
  – Turn off lights, raise thermostat, etc.
• Detailed energy use is collected over regular time
  intervals
  – Consumers can view energy usage in real time
• Consumers can adjust power use to reduce cost
• Utility companies can better manage supply and demand

  [Figure: Smart Grid using ZigBee Home Area Network (HAN)]