
Modelling versus remote hybrid test bed

E.Ciancamerla, B. Fresilli, M. Minichino, T.Patriarca

Efficiency of electrical grids under cyber attacks on their SCADA Rome, 16th December 2014

Summary

• Brief introduction of SCADA
• Common security problems of SCADA
• Typical attacks on SCADA devices
• Modelling limits
• Towards a test bed: the ENEA test bed
• Cyber attacks on a SCADA subset
• Effects of attacks on SCADA devices

SCADA system architecture

SCADA (Supervisory Control And Data Acquisition) systems are designed to:

• Collect field information by means of local processors (PLC/RTU);
• Transfer the information to a central computer (SCADA Control Server);
• Display the information to the operator graphically or textually (HMI);
• Allow the operator to monitor and control an entire system from a central location in real time.

All the components of the SCADA system are connected by serial line, Ethernet or Wi-Fi, using the Modbus, DNP3 and OPC protocols.

Corporate network & SCADA

(Diagram slide: the corporate network connected to the SCADA system, whose local processors (PLC/RTU) report to the centralized control, i.e. HMI + SCADA Control Server.)

Cyber security on SCADA systems (1/3)

In past years, SCADA systems operated in closed and proprietary networks. For instance, Modbus, a common SCADA protocol, was originally designed for use only within simple process control networks, to enable low-speed serial communications between clients and servers.

In recent years, the rapid development of Information and Communication Technology (ICT) has led to the full integration of telecommunication networks over the IP protocol (e.g. Modbus on TCP/IP).

In this new scenario the SCADA system is no longer isolated: it is exposed to a series of attacks because of its insecure design.

Cyber security on SCADA systems (2/3)

Common problems on SCADA systems:

• Lack of authentication: no authentication at all, or simple authentication with a default login/password (e.g. user/user)
• Many open services with anonymous access or simple accounts (e.g. FTP service)
• No encryption used: all protocols are clear text

SCADA systems are vulnerable to cyber attacks at different layers:

• Host level (e.g. software vulnerabilities of the OS and applications)
• Network level (e.g. Modbus does not have any security features such as authentication and encryption)
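The point that Modbus carries no authentication is easiest to see on the wire. The following Python example is added here and is not code from the presentation: it parses the MBAP header that every Modbus/TCP message starts with, shows that nothing in it identifies the sender, and implements the only check a network monitor can therefore make, namely whether a write function code comes from a host on an allowlist of legitimate masters. The IP addresses are those of the ENEA test bed described later in the deck; the two sample frames and the allowlist (only the SCADA Control Server may write) are constructed assumptions.

```python
"""Modbus/TCP frame parser with a write-command allowlist check.

Added example, not from the presentation. Parses the 7-byte MBAP header plus
the PDU function code and flags write function codes from hosts that are not
authorized masters. Sample frames and the allowlist are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Function codes that change process state (coils / holding registers).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Assumption: only the SCADA Control Server of the test bed may issue writes.
AUTHORIZED_MASTERS = {"172.27.228.3"}


@dataclass
class ModbusFrame:
    transaction_id: int   # MBAP: pairs a request with its response
    protocol_id: int      # MBAP: always 0 for Modbus
    length: int           # MBAP: number of bytes following this field
    unit_id: int          # MBAP: addressed device behind the gateway
    function_code: int    # PDU: first byte
    data: bytes           # PDU: function-specific payload


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU (MBAP header + PDU); raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("too short for an MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The length field counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload size")
    # Note what is absent: no user, no session token, no signature of any kind.
    return ModbusFrame(tid, pid, length, uid, payload[7], payload[8:])


def check_frame(src_ip: str, payload: bytes) -> Optional[str]:
    """Return an alert string when a write comes from a host that is not an authorized master."""
    frame = parse_modbus_tcp(payload)
    name = WRITE_FUNCTIONS.get(frame.function_code)
    if name and src_ip not in AUTHORIZED_MASTERS:
        return (f"unauthorized {name} (FC {frame.function_code}) from {src_ip} "
                f"to unit {frame.unit_id}, transaction {frame.transaction_id}")
    return None


def audit(frames: List[Tuple[str, bytes]]) -> List[str]:
    """Run check_frame over (source_ip, payload) pairs and collect the alerts."""
    alerts = []
    for src, payload in frames:
        alert = check_frame(src, payload)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic:
#   1) Read Holding Registers (FC 3) from the SCADA Control Server: normal polling.
#   2) Write Single Register (FC 6) from the attacker host: byte for byte, nothing
#      in the frame distinguishes it from a legitimate write.
SAMPLE_FRAMES = [
    ("172.27.228.3", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    ("172.27.228.9", bytes.fromhex("0002 0000 0006 01 06 0010 00ff")),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

The allowlist is a stand-in for the authentication the protocol lacks: it only works if the source address is trustworthy, which is exactly what the ARP-poisoning MITM later in the deck undermines, so in practice it belongs on a monitor that also watches for ARP anomalies.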

Cyber attacks on SCADA systems (3/3)

Host level attack examples:

• Old or unpatched operating systems and applications are vulnerable to buffer overflow and SQL injection attacks, causing:
  - corruption of the correct behaviour of the program (e.g. incorrect data monitoring or data visualization, and so on)
  - modification of the database content (e.g. login and password of the administration users, setpoint configuration)

Network level attack examples:

• Denial of Service (DoS): the attacker sends a large number of service requests to the server in a short time, tying up the server's resources and slowing it down
• Man In The Middle (MITM): the attacker intercepts the traffic between two SCADA devices (e.g. HMI and SCADA Control Center, or SCADA Control Center and PLC). Each device believes it is exchanging information with its legitimate counterpart, but the attacker may sniff the information and/or send false messages (e.g. sniffing the SCADA login/password, viewing or modifying commands or monitoring data)

Consequences of attacks:

• Loss of / fake observability: the SCADA Control Center cannot receive packets from the PLC, or receives false ones
• Loss of / fake controllability: the PLC/RTU cannot receive packets from the SCADA Control Center, or receives false ones

Modelling limits

Modelling describes, in a simplified way, the state of the corporate network and SCADA elements with respect to cyber security, attack and consequence scenarios, and the impact of the incorrect functioning of such elements on the quality of service indicators of the SCADA system and of the electrical grid.

Modelling assumptions fail to realistically reproduce cyber attacks and their propagation across the corporate network and SCADA devices.

ENEA test bed architecture (1/2)

The ENEA test bed is based on a switched LAN. The LAN is configured with a private IP address plan, provided by IEC, so that it can coexist with the IPsec VPN connection to remote sites.

Test bed hosts (LAN 172.27.228.0/24, provided by IEC):

  HMI                                       IP: 172.27.228.10
  SCADA Control Server                      IP: 172.27.228.3
  Attacker                                  IP: 172.27.228.9
  NIDS                                      IP: 172.27.228.11
  VPN gateway (virtual machine, towards IEC) IP: 172.27.228.1
  PLC                                       IP: 172.27.228.102, 172.27.228.103

ENEA test bed architecture (2/2)

The ENEA test bed consists of:

• Human Machine Interface (HMI)
• SCADA Control Server
• Programmable Logic Controller (PLC)
• Attacker
• Network Intrusion Detection System (NIDS)

(Same network diagram as the previous slide: HMI 172.27.228.10, SCADA Control Server 172.27.228.3, Attacker 172.27.228.9, NIDS 172.27.228.11, VPN gateway 172.27.228.1 towards IEC, PLC 172.27.228.102 / 172.27.228.103, all on LAN 172.27.228.0/24 provided by IEC.)

PLC: hardware architecture

Modicon M340 PLC hardware architecture:

1. Rack with 4 slots
2. Power supply
3. Processor with USB and Ethernet interface (BMX P34 CPU B)
4. Discrete I/O module
5. Ethernet RTU module (BMX NOR 0200H)

PLC: configuration and remote management

How is the Modicon M340 PLC managed?

• Remote diagnostics and monitoring via the built-in web server and the SCADA system
• Remote programming and download of the control program with the Unity Pro software
• Download of configuration files via the FTP protocol, using the built-in FTP server on the Ethernet RTU module (BMX NOR 0200H)

(Diagram: HMI, SCADA Control Server running Unity Pro, and PLC on LAN 172.27.228.0/24 provided by IEC.)

PLC: remote web management

(Screenshot slide.)

Cyber attack strategy

To conduct an attack on a SCADA system:

• It is useful to perform information gathering first: one needs information about the architecture of the SCADA system and its components (IP addresses, MAC addresses, open services, software versions).
• This reconnaissance is typically achieved with tools such as Nmap, Ettercap, SNMPcheck and Wireshark.
• Based on the results obtained from the previous step, the best attack strategy is chosen.
• Very often a sophisticated attack is not even needed: one simply exploits badly made configurations, or configurations left with default parameters.

Information Gathering (1/2)

As a first step, before defining the kind of cyber attack to implement, we need to perform information gathering.

Using the Nmap tool from Kali Linux on the attacker machine, we conducted information gathering and a vulnerability assessment of the ENEA test bed.

In particular, an in-depth scan was carried out on the PLC, in its default configuration, to discover potential vulnerabilities.

By means of the Nmap scan, we discovered some enabled PLC services to analyse in depth:

• HTTP service
• SNMPv1 service
• FTP service

(Diagram: HMI 172.27.228.10, SCADA Control Server 172.27.228.3, Attacker 172.27.228.9, NIDS 172.27.228.11, PLC 172.27.228.102 / 172.27.228.103 on LAN 172.27.228.0/24 provided by IEC.)

Information Gathering (2/2)

(Screenshot slide.)

SNMP service: in-depth analysis (1/4)

SNMP (Simple Network Management Protocol) is used for network management.

The 'read only' community string configured in the PLC device is 'public', so it is easy to obtain any information on the PLC with a generic SNMP tool.

Knowledge of the 'write' community string configured in the PLC device allows the PLC configuration to be modified.

SNMP v1 has no encryption of the data exchange and no authentication with user and password.

SNMP service: in-depth analysis (2/4)

Using the SNMPcheck tool with the '-w' option, it was verified that the SNMP service on the PLC has the 'write' community string defined as 'public'.

A write community string defined as 'public' exposes the device to potential configuration changes by attackers.

SNMP service: in-depth analysis (3/4)

After discovering that a device is listening on UDP port 161, an SNMP enumeration tool, such as SNMPwalk, can be used to extract information from the device.

SNMP service: in-depth analysis (4/4)

In the information gathering campaign, we discovered that the PLC has the 'write' community string defined as 'public', so it is very simple to force a change of parameters.

Using the SNMPset tool, we may change some device parameters via SNMP (e.g. system name, IP address and so on).
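The four SNMP slides above all come down to one fact: in SNMP v1 the community string is the only credential, it travels in clear text, and on this PLC it is 'public' for both read and write. The following Python example is added here and is not code from the presentation; it does what a NIDS rule on the test bed's 172.27.228.11 sensor could do, namely decode the outer BER structure of an SNMP message (version, community string, PDU type and the OIDs being read or written) and rate the risk, with a SetRequest under a default community string rated highest. The two packets are constructed for this example; 1.3.6.1.2.1.1.5.0 is the standard sysName.0 object, matching the "system name" parameter the slide mentions.

```python
"""SNMP v1/v2c message inspector flagging default community strings and SetRequests.

Added example, not code from the presentation. Parses the BER encoding of an
SNMP message as a passive monitor would and returns findings plus a severity.
The sample packets below are constructed.
"""
from typing import Dict, List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER element at pos; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode a BER OID: first byte packs the first two arcs, then base-128 arcs."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                      # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet: bytes) -> Dict[str, object]:
    """Extract version, community, PDU type and varbind OIDs from an SNMP v1/v2c message."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(msg, 0)             # INTEGER version
    tag2, community, pos = _read_tlv(msg, pos)    # OCTET STRING community
    if tag != 0x02 or tag2 != 0x04:
        raise ValueError("unexpected header encoding")
    pdu_tag, pdu, _ = _read_tlv(msg, pos)         # context tag selects the PDU type
    # PDU body: request-id, error-status, error-index, then the varbind list.
    p = 0
    for _ in range(3):
        _, _, p = _read_tlv(pdu, p)
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, v = [], 0
    while v < len(varbinds):
        _, vb, v = _read_tlv(varbinds, v)         # each varbind: SEQUENCE { OID, value }
        _, oid_raw, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_raw))
    return {
        "version": VERSION_NAMES.get(int.from_bytes(ver, "big"), "unknown"),
        "community": community.decode("latin-1"),
        "pdu": PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02x}"),
        "oids": oids,
    }


def assess(src_ip: str, packet: bytes) -> Dict[str, object]:
    """Rate one SNMP message: findings plus a severity a NIDS could alert on."""
    info = parse_snmp(packet)
    findings = []
    if info["version"] in ("v1", "v2c"):
        findings.append("no authentication or encryption: the community string is the only credential and is sent in clear text")
    if info["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{info['community']}'")
    if info["pdu"] == "SetRequest":
        findings.append("write access to " + ", ".join(info["oids"]))
    severity = "low"
    if info["community"] in DEFAULT_COMMUNITIES:
        severity = "high" if info["pdu"] == "SetRequest" else "medium"
    return {"src": src_ip, "severity": severity, "findings": findings, **info}


# Constructed packets (BER, community 'public').
# GetRequest for sysName.0:
GET_SYSNAME = bytes.fromhex(
    "30 26 02 01 00 04 06 7075626c6963"
    "a0 19 02 01 01 02 01 00 02 01 00"
    "30 0e 30 0c 06 08 2b06010201010500 05 00")
# SetRequest writing sysName.0 = "new":
SET_SYSNAME = bytes.fromhex(
    "30 29 02 01 00 04 06 7075626c6963"
    "a3 1c 02 01 02 02 01 00 02 01 00"
    "30 11 30 0f 06 08 2b06010201010500 04 03 6e6577")

if __name__ == "__main__":
    for src, pkt in [("172.27.228.3", GET_SYSNAME), ("172.27.228.9", SET_SYSNAME)]:
        r = assess(src, pkt)
        print(f"{r['src']} SNMP{r['version']} {r['pdu']} [{r['severity']}]: " + "; ".join(r["findings"]))
```

The mitigation the findings point at is configuration rather than detection: change both community strings away from the defaults, disable the write community where the PLC does not need it, and restrict UDP/161 to the management station; the inspector then also tells you whether any host is still sending the old strings.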

SYN Flood attack (1/2)

SYN Flood is a DoS attack.

The attacker sends a large number of SYN requests to the target machine (in this case the PLC) but never returns the final ACK. The target machine could exhaust all its memory resources just waiting for responses that will never arrive.

(Diagram: Switch; HMI 172.27.228.10; Attacker 172.27.228.9; PLC 172.27.228.102 / 172.27.228.103.)

SYN Flood attack (2/2)

The SYN Flood attack was carried out from Kali Linux using the 'hping3' tool.

(Diagram: same as the previous slide.)

SYN Flood attack: effects

The SYN Flood attack causes a slowdown of PLC responses, or the disruption of network traffic between the PLC and the management stations (such as the SCADA Control Server and the configuration software machine).

Error dialogs shown by the management software during the attack (as on the slide):

  "Communication Error: Unable to retrieve status of the PLC: unexpected disconnection possible. Select Connect to establish the connection. Select Cancel to return to the offline mode"  [Connect] [Cancel]

  "Invalid PLC IP address or PLC is busy or support disabled"

DoS attack consequences on the SCADA system

Consequences on the SCADA system:

• Loss of controllability: the PLC/RTU cannot receive packets from the SCADA Control Server
• Loss of observability: the SCADA Control Server cannot receive packets from the PLC/RTU
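A SYN flood has a distinctive footprint that the test bed's NIDS can key on: one source leaving many connections half-open towards one destination in a short time. The following Python example is added here and is not code from the presentation. It consumes connection summaries of the kind a flow sensor produces (timestamp, source, destination, port, state, where S0 denotes a SYN with no completed handshake and SF a normal completed session, following the usual connection-log convention), raises an alert when the half-open count inside a sliding window crosses a threshold, and phrases the impact in the slide's terms (loss of controllability when the PLC is the victim). The records are constructed to mimic the scenario above: the attacker at 172.27.228.9 flooding the PLC at 172.27.228.103 while the SCADA Control Server at 172.27.228.3 polls normally; the window and threshold values are assumptions to be tuned per site.

```python
"""Half-open connection flood detector over connection log records.

Added example, not code from the presentation. Records, threshold and window
are constructed assumptions; IP addresses and roles are the test bed's.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Record = Tuple[float, str, str, int, str]   # (ts, src_ip, dst_ip, dst_port, state)

# Roles from the test bed, used to phrase the consequence in SCADA terms.
ROLES = {"172.27.228.3": "SCADA Control Server", "172.27.228.10": "HMI",
         "172.27.228.102": "PLC", "172.27.228.103": "PLC", "172.27.228.9": "Attacker"}


def impact_statement(victim_ip: str) -> str:
    """Map the flooded host to the consequence named in the slides."""
    role = ROLES.get(victim_ip, "unknown host")
    if role == "PLC":
        return "loss of controllability (PLC cannot service the SCADA Control Server)"
    if role == "SCADA Control Server":
        return "loss of observability (server cannot receive PLC data)"
    return f"degraded service on {role}"


def detect_syn_flood(records: List[Record], window_s: float = 1.0,
                     threshold: int = 50) -> List[Dict[str, object]]:
    """Return one alert per (src, dst) pair whose half-open count crosses the threshold."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Dict[str, object]] = {}
    for ts, src, dst, dport, state in sorted(records):
        if state != "S0":                    # only half-open connections count
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window_s:    # slide the window forward
            q.popleft()
        if len(q) >= threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = {
                "src": src, "dst": dst, "port": dport,
                "half_open_in_window": len(q),
                "first_ts": q[0], "last_ts": ts,
                "impact": impact_statement(dst),
            }
    return list(alerts.values())


def constructed_records() -> List[Record]:
    """Constructed sample: one normal poll per second, then 300 SYNs in 1.5 s."""
    recs: List[Record] = []
    for i in range(10):                                    # legitimate Modbus polling
        recs.append((float(i), "172.27.228.3", "172.27.228.103", 502, "SF"))
    for i in range(300):                                   # flood: one SYN every 5 ms
        recs.append((2.0 + i * 0.005, "172.27.228.9", "172.27.228.103", 502, "S0"))
    recs.append((6.0, "172.27.228.10", "172.27.228.103", 21, "SF"))   # HMI FTP session
    return recs


if __name__ == "__main__":
    for a in detect_syn_flood(constructed_records()):
        print(f"SYN flood {a['src']} -> {a['dst']}:{a['port']}: "
              f"{a['half_open_in_window']} half-open connections in window; {a['impact']}")
```

Because a PLC's TCP stack is far smaller than a server's, the threshold for an ICS network is usually set much lower than for an IT network: legitimate SCADA polling in the sample never leaves a connection half-open, so any sustained run of S0 records towards the PLC is already suspicious.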

MITM attack by means of Ettercap

To perform the MITM attack in the switched LAN, we used Ettercap, supplied with the Kali Linux distribution.

Ettercap is a network manipulation tool used to perform several kinds of attacks:

• Password sniffing for many network protocols
• Character injection
• Packet filtering, and others

Hosts involved (diagram, all connected through the switch):

  HMI       IP: 172.27.228.10    MAC: 00-50-8b-ac-09-7c
  Attacker  IP: 172.27.228.9     MAC: 00-14-5e-1e-1d-5e
  PLC       IP: 172.27.228.103   MAC: 00-80-f4-11-5d-68

MITM attack against an FTP session (1/3)

The attacker, using Ettercap, captures all traffic going from the HMI to the PLC.

Ettercap poisons the ARP cache on each machine, so that all Ethernet traffic between them is intercepted.

Ettercap automatically extracts the login and password from any active connection.

(Diagram: same hosts and MAC addresses as the previous slide.)

MITM attack against an FTP session (2/3)

The HMI starts an FTP session to the PLC and logs in.

(Diagram: same hosts and MAC addresses as the previous slide.)

MITM attack against an FTP session (3/3)

Ettercap shows us the login and password, which are sent in clear text in the FTP session.

MITM attack consequences on the SCADA system

Consequences on the SCADA system:

• Fake controllability: the PLC/RTU receives fake packets from the SCADA Control Server
• Fake observability: the SCADA Control Server receives fake packets from the PLC/RTU
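The ARP poisoning that puts Ettercap between the HMI and the PLC is visible to a passive sensor on the same switch, because it necessarily makes one MAC answer ARP for IP addresses it does not own. The following Python example is added here and is not code from the presentation. It is the kind of check the test bed's NIDS could run: it holds the IP-to-MAC baseline of the three hosts from the MITM slides, watches ARP replies, and reports an IP suddenly answered by a different MAC, a MAC claiming several IPs, and the pairs of hosts whose traffic such a MAC is positioned to relay. The observed replies are constructed to mimic the Ettercap scenario, with the attacker's MAC 00-14-5e-1e-1d-5e answering for both 172.27.228.10 and 172.27.228.103.

```python
"""ARP cache poisoning detector for a small switched LAN.

Added example, not code from the presentation. The baseline uses the HMI,
attacker and PLC addresses from the slides; the observed ARP replies are
constructed to reproduce the poisoning scenario.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ArpReply = Tuple[float, str, str]   # (ts, sender_ip, sender_mac) as seen on the wire

BASELINE = {
    "172.27.228.10":  "00-50-8b-ac-09-7c",   # HMI
    "172.27.228.9":   "00-14-5e-1e-1d-5e",   # Attacker
    "172.27.228.103": "00-80-f4-11-5d-68",   # PLC
}


def norm_mac(mac: str) -> str:
    """Accept 00-50-8b-... or 00:50:8B:... and return the lowercase dashed form."""
    return mac.lower().replace(":", "-")


def detect_arp_poisoning(replies: List[ArpReply],
                         baseline: Dict[str, str] = BASELINE) -> List[Dict[str, object]]:
    """Compare observed ARP replies with the baseline and return alerts."""
    alerts: List[Dict[str, object]] = []
    baseline = {ip: norm_mac(m) for ip, m in baseline.items()}
    claimed: Dict[str, Set[str]] = defaultdict(set)    # mac -> IPs it answered for
    for ts, ip, mac in sorted(replies):
        mac = norm_mac(mac)
        expected = baseline.get(ip)
        if expected is None:
            alerts.append({"ts": ts, "type": "unknown-host", "ip": ip, "mac": mac})
        elif mac != expected:
            # Which baseline host owns the MAC now answering for this IP?
            owner = next((i for i, m in baseline.items() if m == mac), None)
            alerts.append({"ts": ts, "type": "ip-mac-mismatch", "ip": ip, "mac": mac,
                           "expected": expected, "mac_owner": owner})
        claimed[mac].add(ip)
    # One MAC answering for several IPs is the signature of the relay position.
    for mac, ips in claimed.items():
        if len(ips) > 1:
            alerts.append({"type": "mac-claims-multiple-ips", "mac": mac, "ips": sorted(ips)})
    return alerts


def mitm_pairs(alerts: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Pairs of IPs whose traffic a single spoofing MAC can intercept."""
    pairs = []
    for a in alerts:
        if a["type"] == "mac-claims-multiple-ips":
            ips = a["ips"]
            pairs += [(ips[i], ips[j]) for i in range(len(ips)) for j in range(i + 1, len(ips))]
    return pairs


# Constructed observations: genuine replies first, then the poisoning.
OBSERVED: List[ArpReply] = [
    (0.0, "172.27.228.10", "00-50-8b-ac-09-7c"),     # HMI, genuine
    (0.1, "172.27.228.103", "00-80-f4-11-5d-68"),    # PLC, genuine
    (5.0, "172.27.228.103", "00-14-5e-1e-1d-5e"),    # attacker's MAC answers for the PLC
    (5.0, "172.27.228.10", "00-14-5e-1e-1d-5e"),     # attacker's MAC answers for the HMI
    (6.0, "172.27.228.9", "00:14:5E:1E:1D:5E"),      # attacker's own address, colon form
]

if __name__ == "__main__":
    found = detect_arp_poisoning(OBSERVED)
    for a in found:
        print(a)
    print("hosts whose traffic is exposed:", mitm_pairs(found))
```

On a network this small the stronger fix is to remove the ambiguity ARP introduces: static ARP entries on the HMI and SCADA Control Server for the PLC, and dynamic ARP inspection or port security on the switch, so the monitor above becomes a check that those controls are still in place rather than the only line of defence.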


Thank you for your attention