Post on 23-Dec-2015
Siemens OpenlabMajor Review
February 2012
PLCs Security
Author: Filippo TilaroSupervised by: Brice Copy
2
PLC Security project phases
Initial Phase
2009
•Security standards analysis:•IT
standards do not suit for PCS: different performances, availability, network architecture …
•ISA-99 standards as reference standard
•Lack of pragmatic guidelines to secure PCSs
•Not finished yet
Design &
Report
2010
•Design of the test-bench
•tools evaluation & development
•Test-bench validation and report
•ISA-Secure Embedded Device Security Assurance Certification
Developme
nt
2011
•Fulfilling the ISCI-CRT requirements:•Integration
of the CRT tests into the ‘Test-bench for Robust of Industrial Equipments’ (TRoIE)
•Releasing to Siemens a complete test definition set and implementation to be deployed and reproduced in Siemens Labs
•Starting speaking about Codenomicon tests (Protos fuzzer)
Openlab Major Review Report February 2012
3
Fuzzing Test Generator
Openlab Major Review Report February 2012
Target
Customized Peach
Fuzzing Framework
Grammars
INPUT GEN.
Generation and forging of any kind of communication load Translate experts’ knowledge into grammar rules Definition of proprietary and even not-existing protocols Scalable in terms of:
Testing files Protocol testing behavior (state-machine, mutation strategies)
4
ISCI Communication Robustness Test certification fulfilling
Integration of the CRT test cases into the TRoIE test-bench
Extension of the CRT for not covered protocols
5 security testing phases: Discover Protocol Functionalities and Attack
Surface Storms and Maximum Load Tests Single Field Injection Combinatorial Fields Injection Cross State Fuzzing (for stateful protocols)
Openlab Major Review Report February 2012
5
Test-bench Reproducibility
3-Layers Architecture
Extended Peach Framework
REST Web ServiceReverse Proxy & Access Control
Client
JSON
Authentication to run a test Built-in invariant test definitions No specific security knowledge OS Compatibility
Openlab Major Review Report February 2012
6
PLC I/O Monitoring
Target
Waveforms Comparison Feedback Control System:
No synchronization issues Reduced PLC Scan Cycle for a best
timing resolution
Requirements: 3 sec period:1 sec High, 2 sec Low PLC waveform generation 20 msec resolution Parametric threshold jitter
Openlab Major Review Report February 2012
7
Test-bench release & Expertise transfer to Siemens (Dec 2011) Installation, configuration, Documentation Next Steps:
Proprietary Network protocols testing (S7,PROFINET), Software applications, libraries and APIs, System I/O modules
Multi-Protocols (Man-in-the-middle) layer testing PLC internal status monitoring Extending to the supervision level: SCADA
system like PVSS, OPC-UA…
Openlab Major Review Report February 2012
Conclusions
Siemens OpenlabMajor Review
February 2012
Step7 Openness,
PVSS Security,
Virtualization Author: Omer KhalidSupervised by: Renaud Barillere
9
Step7 Deployment - I
Step 7 / Totally Integrated Automation: Software development environment to develop software for
PLC’s that interfaces with the industrial equipment.
Aim: To bring-in modern software engineering capabilities to Step7 product line: Step7 Deployment
• To automate the deploy Siemens software on engineering workstations; Scalability: from small (10’s of machines) to large (100’s of machines); Easy and flexible to deploy, fast refresh rate
Openlab Major Review Report February 2012
10
Step7 Deployment - II
Status: Completed All milestones has been achieved and delivered. Verified
and confirmed by Siemens.
Value for Siemens: Final strategy is implemented by Siemens in v12 of TIA. TIA portal can now be deployed in automated fashion using
3rd party standard software inventory management software.
Approach: Three strategies validated through prototyping
• Reported in detail in previous major review• Nutshell: either using chained MSI’s or SIA engine
Meets short term, medium and long terms objectives and product development plans of Step7 software
Criteria: integration with Siemens existing software tools.
Openlab Major Review Report February 2012
11
Step7 Security
Stuxnet worm Detected in June 2010. Attack method (0-day exploit against
windows, fake certificates, rootkit,
DLL replacement)
Software Security New topic was added to the project in Jul/Aug 2010
• Market survey conducted – mostly source code based analysis• Binary code based analysis identified to complement existing source
code based analysis– BitBlaze and Veracode selected as test candidates
Status: Completed Initial testing/prototyping Siemens continues in-house
Openlab Major Review Report February 2012
PVSS Security
Objective Improve the SCADA security and system robustness
Strategy Identifying vulnerability areas and their associated risks –
including test use cases Determine key cyber security aspects from CERN standpoint,
Taking Siemens/ETM input Evaluate risks and use cases identified, and prototype to
investigate vulnerabilities
Security Areas: Access Control, Data Integrity and Confidentiality, Auditing and
Logging, Updating and Patching, Network Resource Availability
Status: SCADA recommendation document prepared and submitted to SCADA section.
Openlab Major Review Report February 2012
13
Virtualization
Objective: Evaluate and deploy engineering applications on private
cloud infrastructure.
Process: Various private cloud tool kits evaluated
• OpenNebula, Eucalyptus, Vmware vSphere
Performance of applications benchmarked• For distributed and shared storage• For high and low load deployment.
Outcome: A private cloud infrastructure deployed
• PVSS developers using it extensively for application development.
Results related to infrastructure performance were published in a paper in ICALEPCS 2011 conference.
Openlab Major Review Report February 2012
14
Khalid O., Sheikh A., Copy B., “Optimizing Infrastructure for Software Testing and Deployment for Engineering Applications", 13th International Conference on Accelerator and Large Experimental Physics Control Systems, Grenoble, France. Oct 2011.
Khalid O., “OpenNebula cloud for Engineering applications, OpenNebula Blog, Nov, 2011
Tilaro F., "Cyber security analysis for industrial control systems", CERN Computing Newsletter, 2010.
Tilaro F., Copy B., "Industrial Devices Robustness Assessment and Testing against Cyber Security Attacks", 13th International Conference on Accelerator and Large Experimental Physics Control Systems, Grenoble, France. Oct 2011.
Tilaro F., "Testbench for Robustness of Industrial Equipments (TROIE)", CERN, 2009
Copy B., Tilaro F., ”Standards Based Measurable Security For Embedded Devices” ICALEPCS 2009
Publications
Openlab Major Review Report February 2012