Presentation is loading. Please wait.

Presentation is loading. Please wait.

Control Systems Under Attack !? …about the Cyber-Security of modern Control Systems Dr. Stefan Lüders (CERN IT/CO) (CS) 2 /HEP Workshop, Knoxville (U.S.)

Published byBeverly Randall Modified over 9 years ago

Similar presentations

Presentation on theme: "Control Systems Under Attack !? …about the Cyber-Security of modern Control Systems Dr. Stefan Lüders (CERN IT/CO) (CS) 2 /HEP Workshop, Knoxville (U.S.)"— Presentation transcript:

1 Control Systems Under Attack !? …about the Cyber-Security of modern Control Systems Dr. Stefan Lüders (CERN IT/CO) (CS) 2 /HEP Workshop, Knoxville (U.S.) October 14th 2007

2 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Overview

3 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Controls networks meet campus / business networks ► Proprietary field busses(PROFIBUS, ModBus) replaced by Ethernet & TCP/IP(PROFINET, ModBus/TCP) ► Field devices connect directly to Ethernet & TCP/IP ► Real time applications based on TCP/IP Migration to the Microsoft Windows platform ► MS Windows not designed for industrial / control systems ► OPC/DCOM runs on port 135 (heavily used for RPC) ► STEP7, PL7 Pro, UNITY, WINCC, VNC, PCAnywhere, … Use of IT protocols & gadgets ► eMails, FTP, Telnet, SNMP, HTTP (WWW), … directly on e.g. a PLC ► Wireless LAN, notebooks, USB sticks, webcams, … Controls Goes IT

4 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007

5 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Zombies BOT nets Attacking Controls Common Standards / Interconnectivity Cyber Threats ─ Today’s Peril Zombies !!! BOT nets !! Attacking Controls !!! Intruder Knowledge / Attack Sophistication 1980 1985 1990 1995 2000 2005 2010 Higher Lower Packet Spoofing Password Guessing Password Cracking Exploiting Known Vulnerabilities Disabling Audits Hijacking Sessions Sniffers Back Doors War Dialing Denial of Service Automated Probes/Scans IRC Based Zero Day Exploits Viruses Worms Root Kits Control Systems: Era of Legacy Technology (“Security through Obscurity”) Era of Modern Information Technology (“From Top-Floor to Shop-Floor”) Transition Phase (“Controls goes IT”) Shown at ICALEPCS2005

6 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 The RISK Equation

7 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Attacks performed by… ► Trojans, viruses, worms, … ► Disgruntled (ex-)employees or saboteurs ► Attackers and terrorists (first presentations on BlackHat conferences; free hacking tools; today’s general security situation) Lack of robustness & lots of stupidity ► Mal-configured or broken devices flood the network ► Developer / operator “finger trouble” Lack of procedures ► Flawed updates or patches provided by third parties ► Inappropriate test & maintenance rules or procedures Who is the threat ?

8 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Based on 135+ documented incidents (2006) “Industrial Security Intrusion DB”

9 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007

10 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Passwords are known to several (many?) people ► No traceability, ergo no responsibility People are increasingly the weakest link ► Use of weak passwords ► Infected notebooks are physically carried on site ► Users download malware and open “tricked” attachments Missing/default/weak passwords in applications Human Vulnerabilities (60%) …but how to handle access control ? …what about traceability ?

11 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Poorly secured systems are being targeted ► Unpatched systems, OS, and applications ► Missing anti-virus software or old virus signature files ► No local firewall protection “Zero Day Exploits”: security holes without patches ► Break-ins occur before patch and/or ► Anti-virus signature available ► Worms are spreading within seconds Technical Vulnerabilities (40%) …but how to patch/update control/engineering PCs ? …what about anti-virus software & local firewalls ? Boeing 777 uses similar technology to Process Control Systems

12 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Control Systems under Attack ! CERN TOCSSiC Vulnerability Scans ► 31 devices from 7 different manufacturers (53 tests in total) ► All devices fully configured but running idle ► see ICALEPCS 2005 …PLCs under load seem more likely to fail !!! …results improve with more recent firmware versions 1/2007 ICALEPCS 2005

13 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 TOCSSiC Findings (1) The device crashed while receiving special non-conform packets …violation of TCP/IP standards !!! 2005: DoS (70”) stopped manual control FTP server provides an attacker platform FTP & Telnet servers crashed ► Receiving very looooooooooong commands or arguments …both are legacy protocols w/o encryption ! HTTP server crashed ► Receiving an URL with tooooooooooooo many characters ► Using up all resources (“WWW infinite request” attack) HTTP server allows for directory traversal …who needs web servers & e-mailing on PLCs ?

14 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 PLCs are unprotected ► Can be stopped w/o problems (needs just a bit of ) ► Passwords are not encrypted ► Lack of authorization schemes TOCSSiC Findings (2) …authorization, data integrity checks, and encryption must become mandatory ! PLCs are really unprotected ► Services (HTTP, SMTP, FTP, Telnet, …) can not be disabled ► Neither local firewall nor antivirus software …default lock down of the configuration ! ModBus server crashed while scanning port 502 …protocol is well documented !

15 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007

16 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Where is the threat ? CERN SCADA Honeypots ► Demonstrating the existence of the threat Simulating two brands of PLCs ► NMAP fingerprint, FTP, Telnet, SNMP, HTTP, S7 & Modbus ► 4 pots (à two PLCs) deployed inside CERN ► Only observation: the usual “slight fever” on CERN’s campus network ► 3 pots deployed on the CERN controls network ► No interactions observed ► 3 pots visible on ports 102/tcp & 502/tcp from the Internet ► Lots of “noise” observed, e.g. SSH scans, but nothing dedicated

17 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007

18 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Aware or Paranoid ? (1) 2000: Ex-Employee hacked “wirelessly” 46x into a sewage plant and flooded the basement of a Hyatt Regency hotel. 2003: The “Slammer” worm disables safety monitoring system of the Davis- Besse nuclear power plant for 5h. 2003/08/11: W32.Blaster.Worm

19 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Aware or Paranoid ? (2)

20 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 May 2007 Aware or Paranoid ? (3)

21 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007

22 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 Myths about Cyber-Security

23 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 How do you secure controls ? ► How does your Security Policy for Controls integrate in the overall ? ► What is your strategy for protection ? M&M ? Defense-in-Depth ? Using Office-IT ? ► Have you adapted your network architecture ? ► How do you exchange data with external users ? ► What about remote access from the Internet ? VPN ? Modems ? ► How do you manage, patch, and update control PCs ? ► What have you put in place to detect incidents ? ► How do you (plan to) deal with incident handling ? ► What are your procedures for system recovery ?

24 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 How do you control their usage ? ► What is your general access policy ? ► How do you foresee to protect you control room (consoles) against unauthorized (physical) access ? ► How do you distinguish between different classes of users (visitors, operators, experts, developers) ? ► How do you ensure traceability of users and actions ? ► Are there dependencies on external conditions (e.g. maintenance period, beam injection, data taking) ? ► What is your remote access scheme ? ► How do you think to manage user rights ? ► What about synchronization with e.g. office accounts ? ► How do you maintain this lot for the next years ?

25 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 “Control Systems Under Attack !?” — Dr. Stefan Lüders — (CS)2/HEP Workshop ― October 14th 2007 (CS) 2 in HEP ― The Agenda http://indico.cern.ch/conferenceDisplay.py?confId=13367

Download ppt "Control Systems Under Attack !? …about the Cyber-Security of modern Control Systems Dr. Stefan Lüders (CERN IT/CO) (CS) 2 /HEP Workshop, Knoxville (U.S.)"

Similar presentations

Control Systems under Attack !? Cyber Threats Todays Peril Vulnerabilities in Controls Findings of the TOCSSiC First Steps for Mitigation Stefan Lüders.

Control Systems under Attack !? Cyber Threats Todays Peril Vulnerabilities in Controls Findings of the TOCSSiC First Steps for Mitigation Stefan Lüders.
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.

N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.

1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
© 2009 IDBI Intech, Inc. All rights reserved.IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation.

© 2009 IDBI Intech, Inc. All rights reserved.IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation.
Kittiphan Techakittiroj (04/09/58 19:56 น. 04/09/58 19:56 น. 04/09/58 19:56 น.) Network Security (the Internet Security) Kittiphan Techakittiroj

Kittiphan Techakittiroj (04/09/58 19:56 น. 04/09/58 19:56 น. 04/09/58 19:56 น.) Network Security (the Internet Security) Kittiphan Techakittiroj
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
COEN 252 Computer Forensics

COEN 252 Computer Forensics

Similar presentations

Ads by Google