Safety vs Security: How to Create Insecure Safety-Critical System
Download as PPTX, PDF•1 like•810 views
This document introduces the SCADA StrangeLove group, which focuses on researching industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems security to prevent industrial disasters. It lists the group members and provides a brief biography of member Aleksandr Timorin, an ICS security researcher who studies industrial protocols and finds zero-day vulnerabilities in programmable logic controllers.
Safety vs Security: How to Create Insecure Safety-Critical System
- 1. *AllpicturesaretakenfromDr StrangeLovemovieandother Internets Sergey Gordeychik Aleksandr Timorin Gleb Gritsai SCADA STRANGELOVE SCADA.SL
- 2. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
- 3. Aleksandr Timorin ICS security researcher Industrial protocols fan and 0-day PLC hunter SCADAStrangeLove team member The Ocean band fan atimorin [email protected]
- 4. ICS basics 101 Vulnerabilities • Input validation • Design and architecture Safety and security as a whole
- 5. What is ICS world and why we should develop carefully Today is the digital era (welcome back captain obvious!) Automated processes is everywhere – from home automation to big energy plants, from brewery to traffic control systems
- 6. What is ICS world and why we should develop carefully Industry automatization processes becoming more comfortably for engineers and operators
- 7. What is ICS world and why we should develop carefully Switching from analog to digital brings old and absolutely not secure software development process
- 8. What type of ICS products are vulnerable: • Client/Server software • Field devices: RTU, PLC, protective relays, power meters, converters, actuators and so on • Network switches, gateways • GSM/GPRS modems, wireless AP • Mobile applications • Industrial protocols • Human factor
- 9. Analytics and statistics of ICS vulnerabilities • Analyzed CVE since ~2010 • Data source: ics-cert.us-cert.gov • CVE details: NVD • Total unique CVE: 689 • CVSS 2.0: min score 1.7 , max score 10.0 , avg score 6.5 , high and critical count of scores 285 (41%)
- 10. Analytics and statistics of ICS vulnerabilities • CWE statistics: CWE - Common Weakness Enumeration Definitions and full detailed description at https://nvd.nist.gov/cwe.cfm Unique number of CWE = 43
- 11. Analytics and statistics of ICS vulnerabilities • CWE statistics (TOP 20): $ sort cwe.all.raw | uniq -c | sort –nr | head -20
- 12. Analytics and statistics of ICS vulnerabilities • CWE statistics (TOP 20):
- 13. Buffer Errors Information Leak / Disclosure Input Validation Permissions, Privileges, and Access ControlXSSCryptographic Issues Credentials Management Resource Management Errors Path Traversal Authentication Issues Use of Hard-coded Credentials CSRF Improper Access Control SQL Injection Unrestricted Upload of File with Dangerous Type Untrusted Search Path Security Features Code Injection NULL Pointer Dereference Numeric Errors Other (after TOP20)
- 15. • Honeywell EPKS, CVE-2014-9189
- 16. • Honeywell EPKS, CVE-2014-9187
- 17. • cb is a buffer size
- 19. • SpiderControl SCADA Web Server, stack-based bof, CVE- 2015-1001
- 20. • Siemens SIPROTEC 7SJ64 (protective relay) XSS
- 21. • Siemens WinCC
- 24. PLC 1 PLC 2 PLC 3 Some networks WinCC Web-Client WinCC SCADA- Clients WinCC SCADA- Client +Web- Server WinCC DataMonitor WinCC Web-Client WinCC DataMonitor WinCC Servers LA N PROFINET PROFIBU S Internet, corp lan, vpn’s Engineering station (TIA portal/PCS7)
- 25. WinCCExplorer.exe/PdlRt.exe Create and use your own security features Instead of standard features – that’s A bad idea!
- 26. • Hardcodes are for protocols with auth: SNMP, telnet, HTTP, etc. • You can hardcode keys, certificates, passwords • SMA Sunny WebBox
- 27. • Siemens SIPROTEC 4 protective relay confirmation code “311299”: - System log - Device info - Stack and other parts of memory - More ?
- 28. • Siemens SIPROTEC 4 protective relay confirmation code “311299”: “SIPROTEC 4 and SIPROTEC Compact devices allow the display of extended internal statistics and test information… To access this information, the confirmation code “311299” needs to be provided when prompted.” “...Siemens does not publish official documentation on these statistics. It is strongly recommended to work together with Siemens SIPROTEC customer care or commissioning experts to retrieve and interpret the statistics and test information...”
- 29. • Siemens S7-1200 PLC, CVE-2014-2252 “An attacker could cause the device to go into defect mode if specially crafted PROFINET packets are sent to the device. A cold restart is required to recover the system. ” Just “set” PROFINET request: set network info (ip, netmask, gateway) with all zero values.
- 30. Not secure by design: default credentials, autocomplete • Defaults, factory settings (sometimes unchangeable) is everywhere SCADA StrangeLove Default/Hardcoded Passwords List https://github.com/scadastrangelove/SCADAPASS
- 31. KIOSK mode: Limit access to OS functions
- 32. KIOSK mode: Limit access to OS functions
- 33. • Wincc accounts: “secret” crypto key
- 34. • WinCC accounts: “secret” crypto key fixed • It’s XOR, they should not bother hardcoding for XOR
- 35. PLC password “encryption” Password (8 bytes)
- 36. • TIA Portal PEData.plf passwords history
- 37. • Winccwebbridge.dll: please hash your hardcoded account
- 38. • Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE- 2014-2251
- 39. • Siemens S7-1200, S7-1500 PLC, CVE-2014-2250, CVE- 2014-2251 • Seed = plc_start_time + const
- 40. Target – Siemens S7-1200 PLC
- 41. Profinet “feature” and PRNG vulnerability - real attack vector. Result - PLC takeover.
- 42. - Hash passwords - SHA is not good enough - Put length of plaintext nearby Redbox_value = len(pwd)*2+1
- 43. Architecture looks like ideal (from developers point of view)
- 44. Reality looks like ideal too (from attacker point of view)
- 45. Reality looks like ideal too (from attacker point of view)
- 46. Many vendors tend to develop bicycles own services (ftp, telnet, ssh, http etc.) Guten Tag WinCC: • WinCC Server Windows/MSSQL based SCADA • WinCC Client (HMI) WinCC runtime + project • WinCC Web Server (WebNavigator) IIS/MSSQL/ASP/ASP.NET/SOAP • WinCC WebClient (HMI) ActiveX/HTML/JS
- 47. Third-party services: • deploying with default and example.config configurations (i.e. lot of busybox based devices with default root account) • No patches and updates
- 48. Mirai DDos botnet DVR, NVR, IP cameras Over 0.5 million IoT devices are vulnerable What’s the problem? Hardcoded root:xc3511 Moreover, not so easy to change it
- 50. to get firmware? to get debug symbols? to debug? ..PowerPC no “operation system”
- 53. ― Interlocking security (by Jakob Lyng Petersen) • Trains must not collide • Trains must not derail • Trains must not hit person working the tracks —Sadly, animals can’t handle the interview ― Formal methods and verification (rtfm) • B Method, Event B —Underground rail network in Beijing, Milan and Sao Paulo • Prover.com —Sweden, USA
- 54. ― Safety critical systems ― Abstract machines + formal methods ― Atelier B • Available IDE and C translator • No Ada translator ― Newer version – Event-B • See Rodin framework
- 57. • “Everything will be C in the end. If it's not C, it's not the end.” – almost John Lennon
- 58. ― KVB: Alstom • Automatic Train Protection for the French railway company (SNCF), installed on 6,000 trains since 1993 —60,000 lines of B; 10,000 proofs; 22,000 lines of Ada ― SAET METEOR: Siemens Transportation Systems • Automatic Train Control: new driverless metro line 14 in Paris (RATP), 1998. 3 safety-critical software parts: onboard, section, line —107,000 lines of B; 29,000 proofs; 87,000 lines of Ada ― Roissy VAL: ClearSy (for STS) • Section Automatic Pilot: light driverless shuttle for Paris-Roissy airport (ADP), 2006 —28,000+155,000 lines of B; 43,000 proofs; 158,000 lines of Ada
- 61. • RTFM • SSDLC • ICS best practices • Follow CERTs • Common Weakness Enumeration at cwe.mitre.org • More practice: OWASP TOP 10 • TESTING TESTING AND TESTING AGAIN!
- 62. Mr. ICS developer, are you creating your products within SSDLC concepts?
- 63. *Allpicturesaretakenfrom googleandotherInternets Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko