Presentation is loading. Please wait.

Presentation is loading. Please wait.

Control Systems under Attack !? Cyber Threats Todays Peril Vulnerabilities in Controls Findings of the TOCSSiC First Steps for Mitigation Stefan Lüders.

Published byCruz Johns Modified over 10 years ago

Similar presentations

Presentation on theme: "Control Systems under Attack !? Cyber Threats Todays Peril Vulnerabilities in Controls Findings of the TOCSSiC First Steps for Mitigation Stefan Lüders."— Presentation transcript:

1 Control Systems under Attack !? Cyber Threats Todays Peril Vulnerabilities in Controls Findings of the TOCSSiC First Steps for Mitigation Stefan Lüders (CERN IT/CO) ICALEPCS 2005 October 14th, 2005 A Teststand On Control System Security at CERN

2 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 20052 / 17 Aware or Paranoid ? 2000: Ex-Employee hacks wirelessly 46 times into sewage plant and spills basement of Hyatt Regency hotel. 2003: The Slammer worm disables safety monitoring system of the David- Besse nuclear power plant for 5h. 2003/08/11: W32.Blaster.Worm 2004: IT intervention, hardware failure and use of ISO protocol stopped SM18 magnet test stand for 24h. 2005: DoS (70) stopped manual control

3 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 20053 / 17 Common Standards / Interconnectivity Cyber Threats Todays Peril Zombies BOT nets Attacking Controls Intruder Knowledge / Attack Sophistication 1980 1985 1990 1995 2000 2005 2010 Higher Lower Packet Spoofing Password Guessing Password Cracking Exploiting Known Vulnerabilities Disabling Audits Hijacking Sessions Sniffers Back Doors War Dialing Denial of Service Automated Probes/Scans IRC Based Zero Day Exploits Viruses Worms Root Kits Control Systems: Era of Legacy Technology (Security through Obscurity) Era of Modern Information Technology (From Top-Floor to Shop-Floor) Transition Phase (Controls goes IT)

4 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 20054 / 17 Controls Networks mate Business Networks Proprietary field busses replaced by Ethernet & TCP/IP Field devices connect to Ethernet & TCP/IP Real time applications based on TCP/IP VPN connections from the outside onto the Controls Network Use of IT protocols & gadgets: SNMP, SMTP, FTP, Telnet, HTTP (WWW), … Wireless LAN, Notebooks, USB sticks, … Migration to the Microsoft Windows platform Windows not designed for Industrial / Control Systems OPC/DCOM runs on port 135 (heavily used for RPC) Controls Goes IT

5 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 20055 / 17 Poorly secured systems are being targeted Worms are spreading within seconds Unpatched systems, O/S & applications Missing anti-virus software or old virus signature files No firewall protection Zero Day Exploits: security holes without patches Break-ins occur before patch and/or anti-virus available Threats due to Technique …but how to patch/update Control PCs ? …what about anti-virus software ?

6 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 20056 / 17 Passwords are known to several (many?) people No traceability, ergo no responsibility People are increasingly the weakest link Use of weak passwords Infected notebooks are physically carried on site Users download malware and open tricked attachments Missing/default/weak passwords in applications Threats due to People …but how to handle Operator accounts ? …what about password rules ?

7 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 20057 / 17 COTS Automation Systems are without security protections Programmable Logic Controllers (PLCs), field devices, power supplies, … Security not integrated into their designs Creation of the Teststand On Controls System Security at CERN The TOCSSiC Running Nessus vulnerability scan (used in Office IT) Running Netwox DoS attack with random fragments Running Ethereal network sniffer

8 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 20058 / 17 Controls under Attack ! 20 devices from 6 different manufacturers (35 tests in total) All devices fully configured but running idle …PLCs under load seem to fail even more frequently !!! …results improve with more recent firmware versions

9 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 20059 / 17 TOCSSiC Findings (1) Device crashed Sending specially crafted IP packets causes the TCP/IP fragmentation re-assembly code to … … improperly handle overlapping IP fragments (Nestea attack) … loose network connectivity (Linux zero length fragment bug) Sending continuous stream of extremely large and incorrect fragmented IP packets leads to consumption of all CPU resources (jolt2 DoS attack) Sending special malformed packets (oshare attack) …violation of TCP/IP standards !!!

10 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 200510 / 17 TOCSSiC Findings (2) FTP server crashed Sending a too long command or argument Issuing a CEL aaa…aaa command (VxWorks) FTP server allows to connect to third party hosts (i.e. provides an attacker platform) FTP server allows anonymous login Telnet server crashed After flooding it with ^D characters Sending a too long user name Sending too many Are you there commands …both are legacy protocols w/o encryption !

11 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 200511 / 17 TOCSSiC Findings (3) HTTP server crashed Requesting a URL with too many characters (e.g. http:// /cgi-bin/aaa…aaa or http:// /jsp/aaa...aaa) Using up all resources (WWW infinite request attack) HTTP server directory available Using http:// /../.. get request …who needs web servers & e-mailing on PLCs ? ModBus server crashed by scanning port 502 …protocols are well documented (Google hacking) !

12 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 200512 / 17 PLCs are un-protected Can be stopped w/o problems (needs just a bit googling) Passwords are not encrypted Might even come without authentication Still allow for legacy commands TOCSSiC Findings (4) …authentication & encryption should be mandatory ! Fixed SNMP community names public and private …why can community names not be changed ?

13 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 200513 / 17 TOCSSiC Follow Up Disclosing vulnerabilities to vendors and manufacturers Exchanging information with Government Bodies, Industry & Research Forum on OPC security and future devs CERN produced a Security Policy for Controls Forum on the development of Windows For Controls with Microsoft

14 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 200514 / 17 Apply Defence-in-Depth approach Protect each layer of your Control System Separate Controls and Business Networks Reduce and control inter-communication Use managed systems where possible Ensure prompt security updates: O/S, applications, anti-virus, … Swapping to Linux or Mac is NOT more secure Ensure security protections before connecting Check for up-to-date patches and anti-virus files Your Ways to Mitigate ? (1)

15 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 200515 / 17 Use strong passwords and sufficient logging Check that default passwords are changed in all applications Passwords must be kept secret: beware of Google Hacking Ensure traceability of access (who and from where) Make security an objective Raise awareness in your Users community Contact your vendor / manufacturer Check your firmware versions Do you really want all those Bells & Whistles ? Join the MS MUG and the OPC FoundationMS MUGOPC Foundation Your Ways to Mitigate ? (2)

16 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 200516 / 17 Conclusions Adoption of modern IT standards exposes Control Systems to security risks Control PCs, PLCs & other automation devices are intrinsically vulnerable Make security an objective

17 Stefan Lüders: Control Systems Under Attack !? @ ICALEPCS 200517 / 17 Thank you very much ! Special Acknowledgements go to: J. Brahy & R. Brun (CERN AB/CO) and J. Rochez (CERN IT/CO) J. Arnold (EPFL, Lausanne) and B. Figon (ESIEE, Amiens)

Download ppt "Control Systems under Attack !? Cyber Threats Todays Peril Vulnerabilities in Controls Findings of the TOCSSiC First Steps for Mitigation Stefan Lüders."

Similar presentations

Ethical Hacking Module VII Sniffers.

Ethical Hacking Module VII Sniffers.
© Ravi Sandhu www.list.gmu.edu Introduction to Information Security Ravi Sandhu.

© Ravi Sandhu Introduction to Information Security Ravi Sandhu.
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
The Approach to Security in CLRC Gareth Smith With acknowledgements to all the members of the CLRC Computer Network and Security Group, especially Trevor.

The Approach to Security in CLRC Gareth Smith With acknowledgements to all the members of the CLRC Computer Network and Security Group, especially Trevor.
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
File Transfer Methods : A Security Perspective. What is FTP FTP refers to the File Transfer Protocol, one of the protocols within the TCP/IP protocol.

File Transfer Methods : A Security Perspective. What is FTP FTP refers to the File Transfer Protocol, one of the protocols within the TCP/IP protocol.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
DDos Distributed Denial of Service Attacks by Mark Schuchter.

DDos Distributed Denial of Service Attacks by Mark Schuchter.
Lesson 10 – SECURING YOUR NETWORK Security devices Internal security External security Viruses and other malicious software OVERVIEW.

Lesson 10 – SECURING YOUR NETWORK Security devices Internal security External security Viruses and other malicious software OVERVIEW.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

Similar presentations

Ads by Google