Standards Based Measurable Security For Embedded Devices Brice Copy ICALEPCS 09 11 October 2009

Plan Project background Test bench objectives Implementation Investigation results Achievements Perspectives

Project background Based upon TOCSSiC, study the robustness of PLCs CERN Openlab backed project With SIEMENS funding CERN specific aspects Strong demand for RBAC type security Better built-in security mechanisms Wide variety of risk assessments

Testbench objectives Investigate cyber security standards relevant to PLC equipment operation.  Establish a working environment tailored for ICS to enable the discovery of new security vulnerabilities. Assess the robustness of SIEMENS Programmable Logic Controller (PLC) products. Perform automated security assessments of industrial control equipment. Determining which are the key aspects of cyber security in  the CERN environment.

Cyber Security Standards ISO 27000, NERC CIP, ISA-99, IEC62xxx Slowly evolving towards ICS relevant standards ISA-99 relevant but still draft Vendors : Mexican standoff situation Everybody agrees it is better than legislation

Finding new vulnerabilities... Directly related to quality processes First, define a method to test Second, define a method to reproduce results Third, define a method to fix and verify Meanwhile, keep abreast of emerging threats and vulnerabilities

...In the comfort of your own lab An environment that can play many roles... ...Acts as a first class citizen in information exchanges An environment that communicates... ... by accepting inputs from other tools ...and producing outputs for other consumers Multiple roles : network trafic analyzer integrated development environment protocol fuzzing / trafic replay integrate with third party tools Communicates : allows to describe vulnerabilities in a platform independent format produces results that can be leveraged by other tools (replay, analysis)

Testbench in theory

And in practice ? A plug-in based environment OpenVas for general purpose testing A better set of PLC monitoring tools A protocol fuzzer to convert grammars into vulnerability scanners convert network trafic captures into vulnerability descriptions A way to feed vulnerabilities to our favourite PLC vendor (and sponsor)

Testbench in practice S7-400 hooked up for a test run, Beckhoff PLC from a previous test run

Testbench in practice My good friend and colleague Filippo, embarrassed at the idea his parents might find out what he does for a living : torturing PLCs until they flash red and need to be power cycled

Achievements and findings Newer PLC generations are better in many aspects... ...and surprisingly exposed in others Protocol fuzzing presents an unforeseen potential Communicating results to a third-party and making them reproduceable is still too much work No vulnerability disclosure, but principles and technologies can be discussed Wurldtech Achilles provides very good results fast and demonstrated the importance of good protocol fuzzing Difficulties to share vulnerability definitions, from a tool to another environment For instance, we can explain the principle of a vulnerability, why not have a format to express it in an executable way ?

Perspectives Improve techniques to share results and analyse them Start integrating our tools more closely Adopt a cut down standard until full blown ones become ready