November 2016 | Check Point Mini CPX Dip.-Ing. Maurice Al-Khaliedy

Präsentation zum Thema: "November 2016 | Check Point Mini CPX Dip.-Ing. Maurice Al-Khaliedy"—  Präsentation transkript:

1 Security Nightmares @ SCADA
November 2016 | Check Point Mini CPX Dip.-Ing. Maurice Al-Khaliedy CSPI Technical Solutions & Consulting / Cyber Security Lead

2 loading in progress…

3 Who we are ? Maurice Al-Khaliedy | Cyber Security Lead
Dennis Detering | Security Testing Consultant

4 History Founded 1970 in Fort Lauderdale, Florida as MODCOMP Inc.
Since 1976 in Germany as MODCOMP GmbH In 1996/97 MODCOMP Inc. was purchased by CSP Inc. (CSP Inc. was founded 1968 in Massachusetts near Boston) 2015 Re-Branding to CSPi GmbH

5 MODCOMP (Modular Computer Systems, Inc.)
History MODCOMP (Modular Computer Systems, Inc.) was a small minicomputer vendor that specialized in real-time applications.

6 Locations Boston, Massachusetts / USA Fort Lauderdale, Florida / USA
Wokingham, Berkshire / United Kingdom Cologne, NRW / Germany

7 Cyber Cyber Security beschäftigt sich mit der Ganzheitlichen Betrachtung der IT-Landschaft und entwickelt Konzepte und Methoden IT-Infrastrukturen sichere zu gestalten. Hierzu zählen primär auch die Interaktion von Industrieanlagen sowie physikalischen Überwachungs -und Zutrittssystemen.

8 Network Security Assessment
Network Security Assessment ist die Evaluierung des Netzdesigns und der Architektur in Bezug auf IT-Sicherheit. Es dient der Identifikation von möglichen Lücken und/oder Fehlplanungen.

9 SCADA Terminology ICS Industrial Control System
PLC Programmable Logic Controller SPS Speicherprogrammierbare Steuerung SCADA Supervisory Control and Data Acquisition HMI Human Machine Interface

10 Industry Model|(assembly line)
Siemens S7 Check Point 1200R Siemens HMI Attacker Client Siemens Logo

11 Warnung

12 Schaltplan

13 Funktionsplan

14 FUP / S7 Siemens S7 / Q1.3 Siemens S7 / Q1.4

15 Alex Mayfield|Casino Hack ~ 1990
Jedes Mal, wenn irgendein Programmierer sagt: „Keiner wird sich je eine solche Mühe machen“, wird gerade irgendein Bengel in Finnland sich genau diese Mühe machen. Kevin Mitnick ; Die Kunst des Einbruchs

16 Scenario ONE

17 Attack Scenario ONE Internet Access No Segmentation / Zoning
No password protection on S7 No Application control No NAC No Logging und Monitoring

18 Scenario ONE Attacker plugs into network
Network Scan for PLCs using plcscan (or nmap) Preparation Reconnaissance Target information collecting e.g. IP Addresses, open ports etc. 1 Weaponization Coupling exploit with backdoor into deliverable payload 2

19 Scenario ONE Attacker can modify outputs Manipulate drill
Example python script Read variables Manipulate drill Push too many parts on line Intrusion Delivery Delivering weaponized bundle to the victim via e.g. , Web, USB, remote access Seconds 3 Exploitation Exploitation a vulnerability to execute code on victim‘s system 4

20 Scenario TWO Internet Access No Segmentation No Zoning
Password protection on S7 No Application control No NAC No Logging und Monitoring

21 ! Attack Scenario TWO Password on S7 is set
Attacker can sniff packets (Wireshark, TCP dump) Attacker can catch a single authentication packet Attacker can extract challenge/response and thus crack the password Attacker gains access to project file (e.g. public FTP/SMB shares) Attacker can extract and crack password (history) hashes using e.g. John the Ripper

22 Defence Scenario SIEM Controlled Internet Access Segmentation / Zoning
Password protection on PCLs Proxy Application control Threat detection NAC (network access control) NBA (network behavior analysis) Logging und Monitoring Threat detection IDS FE FW IDS IDS SIEM IDS IDS

23 Scenario THREE

24 Scenario THREE Network monitoring ; Check Point Firewall and SIEM
Network segmentation Attacker connects into network  Alert raised in monitoring Network access prevented / PLCs cannot be reached anymore Internet HMI PLCs Server Clients

25 SIEM/Logging SIEM (Security information and event management) Systeme befähigen Sie Risiken zu erkennen und zu bewerten. Resultierend aus diesen Informationen sind Sie in der Lage kontinuierlich und effizient auf Sicherheitsvorfälle zu reagieren.

26 The „Cyber Kill Chain“ Use-case catalog Classification and scoring
Successful Brute-Force (1) Reconnaissance APT detection 1: Scoring: 17 Detection Phase: (1), (3), (4) Brute-Force Weaponization (2) NIDS (3) Delivery APT detection 2: Scoring: 69 Detection Phase: (1), (3), (6) Sandbox results Exploitation (4) Suspicious processes (5) Installation APT detection 3: Scoring: 101 Detection Phase: (7) Unhandled AV events CnC (6) (7) Action on objectives DNS requests for malicious URLs Use-case catalog Classification and scoring APT detection

27 Design Advantages Communication visibility
Device and Application Control Minimization of the attack vectors Security controls between the zones Granular regulation of the network traffic Malware, anomaly and threat detection Better error identification

28 Conclusion People Process Technology (PPT) Knowing the infrastructure
Knowing the attack vectors Knowing your Vulnerabilities Good understanding about the threat landscape Visibility IT security is a continuous process

29 Sūnzǐ - Die Kunst des Krieges ca. 500 v.Chr.
Sun Tsu Kenne deinen Feind und kenne dich selbst und in hundert Schlachten wirst du nie in Gefahr geraten. Sūnzǐ - Die Kunst des Krieges ca. 500 v.Chr.

30 Thank you.