Security Nightmares @ SCADA, 09.-10. November 2016 | Check Point Mini CPX. Dipl.-Ing. Maurice Al-Khaliedy, CSPI Technical Solutions & Consulting / Cyber Security Lead
Who we are? Maurice Al-Khaliedy | Cyber Security Lead; Dennis Detering | Security Testing Consultant
History Founded 1970 in Fort Lauderdale, Florida as MODCOMP Inc. Since 1976 in Germany as MODCOMP GmbH In 1996/97 MODCOMP Inc. was purchased by CSP Inc. (CSP Inc. was founded 1968 in Massachusetts near Boston) 2015 Re-Branding to CSPi GmbH
MODCOMP (Modular Computer Systems, Inc.) History MODCOMP (Modular Computer Systems, Inc.) was a small minicomputer vendor that specialized in real-time applications. https://en.wikipedia.org/wiki/MODCOMP
Locations Boston, Massachusetts / USA Fort Lauderdale, Florida / USA Wokingham, Berkshire / United Kingdom Cologne, NRW / Germany
Cyber Security @ CSPi: Cyber security deals with the holistic view of the IT landscape and develops concepts and methods for designing IT infrastructures securely. This primarily also includes the interaction of industrial plants as well as physical surveillance and access control systems.
Network Security Assessment: A network security assessment is the evaluation of the network design and architecture with regard to IT security. It serves to identify possible gaps and/or planning errors.
SCADA Terminology: ICS = Industrial Control System; PLC = Programmable Logic Controller; SPS = Speicherprogrammierbare Steuerung (German term for PLC); SCADA = Supervisory Control and Data Acquisition; HMI = Human Machine Interface
Industry Model (assembly line), diagram labels: Siemens S7, Check Point 1200R, Siemens HMI, Attacker Client, Siemens Logo
Warning
Circuit diagram
Function block diagram
FUP (function block diagram) / S7; Siemens S7 / Q1.3; Siemens S7 / Q1.4
Alex Mayfield | Casino Hack ~ 1990. "Every time some programmer says 'Nobody will ever go to that much trouble', some kid in Finland is right now going to exactly that much trouble." Kevin Mitnick; The Art of Intrusion
Scenario ONE
Attack Scenario ONE: Internet access; no segmentation / zoning; no password protection on S7; no application control; no NAC; no logging and monitoring
Scenario ONE: Attacker plugs into the network; network scan for PLCs using plcscan (or nmap). Kill chain (preparation): 1 Reconnaissance: collecting target information, e.g. IP addresses, open ports etc. 2 Weaponization: coupling an exploit with a backdoor into a deliverable payload.
Scenario ONE (intrusion, within seconds): Attacker can modify outputs (example python script): read variables, manipulate the drill, push too many parts onto the line. Kill chain: 3 Delivery: delivering the weaponized bundle to the victim via e.g. email, web, USB, remote access. 4 Exploitation: exploiting a vulnerability to execute code on the victim's system.
Scenario TWO: Internet access; no segmentation; no zoning; password protection on S7; no application control; no NAC; no logging and monitoring
Attack Scenario TWO: Password on S7 is set. Attacker can sniff packets (Wireshark, tcpdump). Attacker can catch a single authentication packet. Attacker can extract challenge/response and thus crack the password. Attacker gains access to project file (e.g. public FTP/SMB shares). Attacker can extract and crack password (history) hashes using e.g. John the Ripper.
Defence Scenario: Controlled Internet access; segmentation / zoning; password protection on PLCs; proxy; application control; threat detection; NAC (network access control); NBA (network behavior analysis); logging and monitoring. (Diagram labels: SIEM, FE, FW, IDS)
Scenario THREE
Scenario THREE: Network monitoring; Check Point firewall and SIEM; network segmentation. Attacker connects into the network -> alert raised in monitoring -> network access prevented / PLCs cannot be reached anymore. (Diagram labels: Internet, HMI, PLCs, Server, Clients)
SIEM/Logging: SIEM (Security Information and Event Management) systems enable you to recognise and assess risks. Based on this information you are able to respond to security incidents continuously and efficiently.
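The "attacker connects into the network, alert is raised, PLCs can no longer be reached" sequence of Scenario THREE, written out as a small SIEM-style correlation rule. This is an added example and not code from the slides or from Check Point: the log format, the zoning policy (one approved engineering station, one PLC zone) and all addresses are constructed for the example.

```python
"""Toy SIEM correlation for Scenario THREE (added example, not from the slides).

Rule: a host that is not an approved engineering station and talks to the
S7comm port (102/tcp) on PLCs is a zoning violation; touching several PLCs
within a short window is treated as a PLC scan and escalated to isolation.
The 'key=value' log format below is constructed and is NOT Check Point's format.
"""
from collections import defaultdict
from dataclasses import dataclass

S7COMM_PORT = 102        # Siemens S7 protocol, ISO-on-TCP
PLC_SCAN_THRESHOLD = 2   # distinct PLCs touched before escalating to 'plc_scan'

# Assumed zoning policy for the assembly-line model.
APPROVED_ENGINEERING_STATIONS = {"10.10.20.5"}
PLC_ZONE = {"10.10.30.11", "10.10.30.12", "10.10.30.13"}

# Constructed firewall log lines: an approved station, then an unknown host
# sweeping the PLC zone (the last PLC is already dropped by segmentation),
# then non-S7 traffic that the rule must ignore.
SAMPLE_LOGS = [
    "ts=1000 src=10.10.20.5 dst=10.10.30.11 dport=102 action=accept",
    "ts=1001 src=10.10.40.77 dst=10.10.30.11 dport=102 action=accept",
    "ts=1002 src=10.10.40.77 dst=10.10.30.12 dport=102 action=accept",
    "ts=1003 src=10.10.40.77 dst=10.10.30.13 dport=102 action=drop",
    "ts=1004 src=10.10.40.77 dst=10.10.30.11 dport=80 action=accept",
]


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value' log line into an Event."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(int(fields["ts"]), fields["src"], fields["dst"],
                 int(fields["dport"]), fields["action"])


def correlate(lines, window=60):
    """Return alerts as (source, rule, sorted PLC targets) tuples.

    'unapproved_plc_access' fires on the first contact of an episode,
    'plc_scan' fires once per source when the threshold is reached.
    Dropped attempts still count: the scan is evidence even when blocked.
    """
    touched = defaultdict(dict)   # src -> {plc_ip: last_ts}
    escalated = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.dport != S7COMM_PORT or ev.dst not in PLC_ZONE:
            continue                      # not PLC-bound S7 traffic
        if ev.src in APPROVED_ENGINEERING_STATIONS:
            continue                      # policy allows this host
        hist = touched[ev.src]
        first_contact = not hist
        hist[ev.dst] = ev.ts
        for plc, ts in list(hist.items()):      # forget stale contacts
            if ev.ts - ts > window:
                del hist[plc]
        if first_contact:
            alerts.append((ev.src, "unapproved_plc_access", sorted(hist)))
        if len(hist) >= PLC_SCAN_THRESHOLD and ev.src not in escalated:
            escalated.add(ev.src)         # NAC/firewall isolation goes here
            alerts.append((ev.src, "plc_scan", sorted(hist)))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the constructed input the rule produces exactly two alerts for 10.10.40.77: the zoning violation on its first PLC contact, and the scan escalation when the second PLC is reached. The port-80 line and the approved engineering station produce nothing, which is the point of combining zoning knowledge with the log data instead of alerting on every port-102 connection.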
The "Cyber Kill Chain": (1) Reconnaissance; (2) Weaponization; (3) Delivery; (4) Exploitation; (5) Installation; (6) CnC; (7) Action on objectives. Use-case catalog (classification and scoring): Successful Brute-Force; Brute-Force; NIDS; Sandbox results; Suspicious processes; Unhandled AV events; DNS requests for malicious URLs. APT detection use-cases: APT detection 1: Scoring 17, Detection Phase (1), (3), (4); APT detection 2: Scoring 69, Detection Phase (1), (3), (6); APT detection 3: Scoring 101, Detection Phase (7).
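How a use-case catalog of this kind can be evaluated, as an added example that is not from the slides: the seven phases and the three "APT detection" use-cases with their scores and required phases are the slide's; the mapping of individual detections to phases, the per-host time window and the event format are assumptions made here for illustration.

```python
"""Kill-chain phase correlation over per-host detections (added example).

Phases, use-case names, scores and required phases are taken from the slide.
DETECTION_PHASE (which low-level detection counts as which phase), the event
tuple format and the correlation window are assumptions for this example.
"""
from collections import defaultdict

KILL_CHAIN = {
    1: "Reconnaissance", 2: "Weaponization", 3: "Delivery",
    4: "Exploitation", 5: "Installation", 6: "CnC", 7: "Action on objectives",
}

# Use-case catalog from the slide: name -> (score, required kill-chain phases)
USE_CASES = {
    "APT detection 1": (17, {1, 3, 4}),
    "APT detection 2": (69, {1, 3, 6}),
    "APT detection 3": (101, {7}),
}

# Assumed mapping of the slide's detection sources to kill-chain phases.
DETECTION_PHASE = {
    "brute_force_success": 1,
    "nids_signature": 3,
    "sandbox_malicious": 4,
    "suspicious_process": 5,
    "av_unhandled": 6,
    "dns_malicious_url": 7,
}

# Constructed events: (timestamp, host, detection name).
# hmi-01 walks through phases 1,3,4,6; eng-02 shows an objective-phase hit;
# ops-03 has a stale reconnaissance event that falls outside the window.
SAMPLE_EVENTS = [
    (100, "hmi-01", "brute_force_success"),
    (160, "hmi-01", "nids_signature"),
    (400, "hmi-01", "sandbox_malicious"),
    (450, "hmi-01", "av_unhandled"),
    (900, "eng-02", "dns_malicious_url"),
    (950, "eng-02", "suspicious_process"),
    (20000, "ops-03", "brute_force_success"),
    (30000, "ops-03", "nids_signature"),
    (30010, "ops-03", "sandbox_malicious"),
]


def observed_phases(events, window=3600):
    """Map host -> set of phases seen within `window` seconds of that host's latest event."""
    by_host = defaultdict(list)
    for ts, host, detection in events:
        phase = DETECTION_PHASE.get(detection)
        if phase is None:
            continue          # unknown detection type: ignore rather than guess a phase
        by_host[host].append((ts, phase))
    result = {}
    for host, items in by_host.items():
        latest = max(ts for ts, _ in items)
        result[host] = {phase for ts, phase in items if latest - ts <= window}
    return result


def evaluate(events, window=3600):
    """Return {host: [(use_case, score), ...]} for hosts where a use-case's
    required phases are all present, highest score first."""
    fired = {}
    for host, phases in observed_phases(events, window).items():
        hits = [(name, score) for name, (score, needed) in USE_CASES.items()
                if needed <= phases]
        if hits:
            fired[host] = sorted(hits, key=lambda hit: hit[1], reverse=True)
    return fired


if __name__ == "__main__":
    for host, hits in evaluate(SAMPLE_EVENTS).items():
        print(host, hits)
```

With the constructed events, hmi-01 satisfies both APT detection 1 and 2 and is reported with the higher score first, eng-02 satisfies APT detection 3 on a single phase, and ops-03 fires nothing because its reconnaissance event is older than the window and phases (3) and (4) alone match no use-case.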
Design Advantages: Communication visibility; device and application control; minimization of the attack vectors; security controls between the zones; granular regulation of the network traffic; malware, anomaly and threat detection; better error identification
Conclusion: People, Process, Technology (PPT); knowing the infrastructure; knowing the attack vectors; knowing your vulnerabilities; good understanding of the threat landscape; visibility; IT security is a continuous process
Sūnzǐ (Sun Tzu) - The Art of War, ca. 500 BC: "Know your enemy and know yourself, and in a hundred battles you will never be in peril."
Thank you.