Case Study Series: Vol 1.1

Backdoors and Holes in Network Perimeters A Case Study for Improving Your Control System Security

Troy Nash Vulnerability & Risk Assessment Program (VRAP) Lawrence Livermore National Laboratory UCRL-MI-215398 August 2005

Backdoors and Holes in Network Perimeters A Case Study for Improving Your Control System Security

service, as well as providing some system Contents Introduction data to industrial clients. Other systems provide applications for the company’s he Supervisory Control and Data Ac- Introduction…1 operations. All of the hosts on the DMZ quisition (SCADA) system of a natu- are on a separate subnet (with public, Tral gas utility was compromised re- Internet-addressable IP addresses) behind Background…1 sulting in a reduction of operation. The the primary firewall. breach was discovered when operator inter- Overview faces became unresponsive and the system Architecture Business LAN – The network used for was no longer acquiring data. As a result, Threat the conduct of business operations, in- the system was disconnected from the net- cluding Internet access, Intranet services Example Attack Sequences work and a combination of manual operation (web, electronic mail, file sharing, print- overrides and limited fail-over to a backup ing, databases), and other application server went into effect until the environment Discussion… 4 infrastructure for common business func- could be restored. Technicians trouble- tions such as finances, human resources, shooting the incident identified the deletion market monitoring and operations, the Conclusion… 7 of several core application files on the pri- employee desktop environment, and facil- mary control server as the source of the ity operations. problem. Background Operations LAN – The primary network Sponsor: where the SCADA system resides. In- Overview cludes components such as the servers, U.S. Dept. of Homeland Security operator workstations, historical archiver, Control System Security Center The SCADA system is operated by a natural alarm management, and data control gas company serving customers (residential, (gateways, concentrators, multiplexers). industrial, and some commercial) in several

communities spread across a geographically Remote Stations – The infrastructure diverse region. The company handles all located at the specific control point (e.g., aspects of distribution, storage, transporta- compressor station). This is where the tion, and customer service (installation, bill- monitoring and control equipment resides, ing, meter reading) of the natural gas which including the sensors and actuators it purchases from interstate suppliers. The (meters, valves, pressure controller, odor- primary purpose of the system is to monitor ant injection) for the specific mechanism Developed by: and control pressure, volume, temperature, being monitored/controlled. and general operating status of the various pipeline facilities, including underground storage reservoirs and unmanned compres- In addition, the following attributes of the sor stations at locations throughout the ser- overall environment are worth noting: vice area. „ The communications infrastructure is

Ethernet and TCP/IP-based using a Architecture combination of leased-lines and mi- Note: This case study is fictional Figure 1 illustrates the network environ- crowave radio as the transmission with composite elements from real- ment at a conceptual level, including the medium between remote sites. world examples and open source following core elements: information. The goal of this series „ The SCADA utilizes Unix-based sys- DMZ – A less restrictive network used for is to provide a neutral platform for tems, while all other systems public access services like Web and FTP. the discussion of critical infrastruc- (desktops, laptops, business servers) In this case, the target company hosts a ture security issues across a variety in the environment are Windows- website for Internet presence, customer of sectors. based. 1 „ There is a firewall and intrusion de- the SCADA system itself. The attack Example Attack Sequences tection at the Internet perimeter does not necessarily have to be iso- between the Business LAN and the lated to the specific SCADA system but In the case of our target company, we Internet. However, there are no could be used in support of a coordi- will focus on two attack sequences for 1 intrusion sensors on the Operation nated “swarming” attack using multi- achieving compromise of the environ- LAN itself. Additionally, scanning ple exploits (both physical and cyber) ment. The first represents a backdoor activity from the Internet is ignored in order to maximize the impact of the that completely circumvents perimeter (no critical alerts are generated, no attack and further complicate recovery defenses while the second involves a action is taken). and response efforts. hole that penetrates through perime- ter defenses. „ The system includes several gas ap- plications for analysis, data ware- housing, and customer use, some of which are interconnected to systems external to the Operations LAN, but with very little security segmentation or compartmentalization between systems and networks in general.

„ 802.11b wireless is used at the re- mote compressor stations. This al- lows field technicians easy access to the control network for diagnostics and maintenance purposes using their portable laptops.

Threat

Threat is defined for this case study as: a source of danger (whether intentional, acci- dental, or natural) with the capability to cause harm, damage, or other operational impact to an asset (persons, property, data) by exploiting vulnerability. Threats are dynamic, can change with time and opportunity, and are influenced by both internal and external events.

Specific threats may include an earthquake, a harmful biological agent, or an individual intent on disrupting operations. In this case, the threat is construed to be a human adversary such as a terrorist, hacker, activ- ist, or disgruntled employee. In the follow- ing discussion, the threat will be referred to as the adversary.

The adversary in this case chooses to utilize a remote, cyber-based attack that does not require physical access to control system resources. While the attack described here is the deletion of files leading to a denial of Figure 1 service, other potential scenarios are possi- ble, including more covert tactics such as capturing and exfiltrating data or controlling set points and operational parameters of

2 Attack Sequence #1 – Infiltration through the Wireless Access Point

The adversary becomes aware of the wireless access point at the remote facility (through reconnaissance, social engi- neering, insider knowledge, or wardriving). From a parked vehicle outside the property fence line, the adversary uses STEP 1 a standard mobile rig (laptop, 802.11 wireless network interface card, range-extending antenna, and discovery soft- ware) to determine the specifics of the wireless network. Signal strength, WEP usage, and the MAC address and SSID used by the wireless access point are obtained in a matter of seconds.

Using the SSID, the adversary attempts to gain access onto the wireless network. Since there are no security meas- STEP 2 ures (authentication, access control, or encryption) in place, the adversary is able to associate with the access point unchallenged. Additionally, a Dynamic Host Configuration Protocol (DHCP) server is active on the network, assigning a dynamic IP address to the adversary’s laptop, and thereby completing the connection to the wireless network.

Once connected, the adversary is able to probe the network and its systems. First, host discovery techniques are used STEP 3 to discover active systems on the network. Where possible, the specific network infrastructure (the switches, routers, and firewalls) is identified as well.

For those systems that are found to be live, a fast port scan is conducted to discover what ports they have open, as STEP 4 well as identify the operating system and applications in use. The adversary focuses on a small subset of ports that are typically associated with common exploits or specific control system environments such as port 21(FTP), 23(Telnet), 25(SMTP), 80(HTTP), 102(ICCP), 161(SNMP), 502(Modbus TCP), 1433/1434(MSSQL), and 20000(DNP).

SNMP (Simple Network Management Protocol) is found to be running on several systems. Using a SNMP utility and the STEP 5 default community string “public”, the adversary connects to the open SNMP port and retrieves system information. The system.sysDescr.0 field for one of the hosts is SCADA-01. The vendor and version of the operating system is determined as well.

SCADA-01 is moved to the top of the adversary’s list of potential target systems. Further probing identifies a vendor STEP 6 specific vulnerability in the operating system. An exploit is acquired from a well known hacker site and then attempted with success. The attacker gains root privileges and a command shell on the system then proceeds to recon the sys- tem for several hours before deleting the files which cause the denial of service.

Attack Sequence #2 – Infiltration through the DMZ

From a remote system on the Internet, the adversary performs reconnaissance of the company using keywords and STEP 1 custom searches to identify information that can be used to support the attack. In one document retrieved from the company’s website, the adversary finds the hostname and IP address of the SCADA system. The adversary cannot connect directly to the system remotely because a firewall is blocking access from hosts on the Internet.

The adversary then proceeds to identify all of the public IP address ranges associated with the target company using STEP 2 the American Registry for Internet Numbers (www.arin.net) and then begins to perform various scans against those addresses to identify open ports and potential vulnerabilities.

A Windows system is discovered on the perimeter that has TCP port 139 (NetBIOS Session Service) open, used for STEP 3 connecting to file shares. Access to the port is not blocked by a firewall. Additionally, system accounts are not using strong passwords (a null administrator password can be used to remotely map the system drive). Once connected, the adversary is able to read, write, and delete files on the primary file system.

Before attempting to attack the SCADA system the adversary first recons the compromised box. The backup SAM file STEP 4 is acquired (to run a password cracker on) and the system (logs, caches, histories, bookmarks, scripts, batch files, ar- chives, trash bin, etc.) is searched for information that can be used to propagate the current compromise to other sys- tems on the network. It is discovered that the host uses SSH (Secure Shell) to connect to the SCADA server.

The adversary can successfully ping the SCADA system (using the IP address obtained from the document found on the Web in Step 1) from the compromised host. While the firewall is providing limited protection to hosts on the DMZ it is not blocking the DMZ network from making connections to systems on its trusted interface. In other words, a trust relationship exists between the hosts on the DMZ and hosts on the protected network. With an available access path- STEP 5 way, all that is required to attack the SCADA is more interactive control and a vulnerability. Virus protection software on the Windows machine prevents the uploading of known Trojans onto the system, but it does not prevent the instal- lation of a remote access tool. The adversary escalates their control of the system by installing rconsole, giving them more freedom and options to remotely use the resources of the compromised host (or install their own) as if they were running the tools locally at that system.

From the compromised host, the adversary identifies that the SCADA system is using a vulnerable version of SSH. An STEP 6 exploit is crafted and then attempted with success. The attacker gains root privileges and a command shell on the sys- tem then proceeds to recon the system for several hours before deleting the files which cause the denial of service.

3 Discussion RECOMMENDATIONS Tips for Improving Wireless Access Point (AP) Security 1. Know your perimeter – What is Beyond the specific system vulnerabili- the boundary of your network pe- ties that allowed for a compromise of Change default parameters on your rimeter? Is it simply the border the SCADA host, four general observa- AP such as the administrator password gateway that separates your control and the SSID used for the network. tions can be made with respect to vul- system from other external net- Changes should be performed periodi- nerabilities in the overall environment cally, not just the first time the device is works? Is it at the firewall? What that contributed to the success of the deployed. about a modem that connects di- attack. rectly to the SCADA system or the Turn off SSID broadcasting on all field technician’s laptop that gets non-public APs or single AP environ- connected to both the control net- ments that have a pre-defined set of OBSERVATION #1: users. Perimeter security is incomplete. work and untrusted networks (e.g., at home, hotel, or airport)? To bet- Control access to the network. At a Modern process control environments ter understand your network pe- minimum, enable MAC address filtering face significant security challenges. rimeter, consider the following: and use WEP encryption keys to control access to the network. For a more se- SCADA or other DCS (Distributed Con- cure approach, consider a dedicated „ Take a complete inventory of trol Systems) that operate in these envi- authentication server. all access points, remote con- ronments are distributed by nature and nections, and other ways onto are not concentrated in a single area Set up the AP on its own dedicated your networks. Consider all that is easy to delineate and defend. subnet. Establish separation and secu- relevant mediums (satellite, rity controls between the wireless sub- microwave, radio, telecommu- net and the wired network(s) that it The boundaries (both physical and logi- connects to using a firewall or Access nications, wireless 802.11, Control Lists (ACLs) on the router. cal) of these systems vary. Some are Bluetooth) and locations localized to a specific facility, while oth- (remote stations, vendors, Use encryption for communications. ers span large geographical regions with customers), not just the Enable WEP (preferably with TKIP or multiple, interconnected sites. Given Ethernet pathway from the other similar enhancement). Use the the dispersed environment, the perime- largest encryption key possible and Internet. change the key frequently (if applica- ter—the outermost edges, border, inter- ble). Dynamic or session-based WEP „ Develop and maintain network faces, interconnections—that surrounds keys offer the best protection. In addi- the control system is somewhat blurred or system-level diagrams that tion, use higher-level encryption mecha- and difficult to manage from a security inventory and illustrate these nisms like VPN, SSH, and SSL for con- nections between hosts. viewpoint. This is especially true of the connections and the security cyber components of the control system, controls that are in place. Know your network. Maintain inven- as opposed to the physical apparatus „ Develop a process for periodi- tories and diagrams of systems and de- which is easier to visualize and protect cally verifying and modifying vices on your wireless local area net- — it’s a piece of hardware inside a room, work (WLAN). Enable logging on sys- the inventory as the perimeter tems and devices and check logs regu- within a building, behind a fence, on expands or shrinks. larly. Consider deploying a wireless private property, and so on. But the intrusion detection system on the WLAN. cyber perimeter is less tangible, and 2. Defend your perimeter – Appro- unsecured backdoors and other holes in priate security controls should be Conduct periodic assessments. Es- the network perimeter are not uncom- added to all entry points onto your tablish a practice of testing existing wireless environments to discover new mon. network, not just the Internet con- vulnerabilities and rogue devices as well nection. In this specific case, secu- as to verify that the security posture is Consider the wireless access point. rity should be added to the wireless maintained over time. While the physical hardware may be network connection (see sidebar for IMPORTANT: Simple security measures locked inside a secure building, the net- suggestions) and the trust relation- (like disabling SSID broadcasting, ena- work perimeter is not just the remote ship on the DMZ should be broken. bling WEP, or using MAC address filter- station anymore, but everything within 3. Test your perimeter – Table-top ing) in and of themselves will not pro- wireless range of the access point, in- vide adequate security against a deter- review, assessments, wardialing, cluding the hosts that connect to it. mined adversary. However, when used wardriving, scanning, and penetra- Even though access from the Internet in combination as reinforcing layers in a tion testing will help identify back- may be heavily monitored and guarded, “defense-in-depth” strategy, a more doors and holes, as well as uncover this connection circumvents those secu- comprehensive security posture is es- potential vulnerabilities in perimeter rity controls – it’s the unlocked backdoor tablished, raising the level of sophistica- defenses. that puts the control system at risk as tion and effort required for a successful attack and increasing the opportunity to long as pathways such as these remain detect that attack. unsecured. 4

OBSERVATION #2: 4. Report suspicious activity – passwords are not uncommon in these Intrusion detection coverage is Communicate with Internet Service environments. In this case, the use of limited. Providers (ISPs) regarding IP ad- nonexistent and default passwords con- dresses within their range that are tributed to the success of the attack While the infiltration is seamless in both being used to conduct scans against sequences described here. Specifically, attack sequences (the attacker looks your networks and notify law en- the following observations are worth like an ordinary user, accessing system forcement of exploit attempts. noting: resources by ordinary means), the net- Also, consider reporting incident work reconnaissance and subsequent activity to external organizations 1. There was no password required for exploit is very loud, generating suspi- (e.g., DShield.org or US-CERT) that access to the wireless network. cious traffic on the network, both out- track such information. Forming side the perimeter and on the interior 2. There was no password required to cooperative partnerships in an ef- networks. However, this is not discov- access the file share on the perime- fort to share information (best ered in either scenario because there ter system. practices, lessons learned) and are no intrusion sensors on the control identify trends and common issues 3. The SCADA server used the default system network and traffic from the is another effective strategy. While SNMP community string (the proto- host on the DMZ is given a regrettable this will not stop an adversary, it col password) “public”. pass because of the trust relationship. will foster an image that your or- ganization takes violations against In each case, a stronger password RECOMMENDATIONS your security seriously and are will- would not have adversely affected the ing to act on them. operation of the environment, while 1. Verify intrusion detection cover- significantly improving security. age – Consider all the potential access points to each of your net- RECOMMENDATIONS works, whether they are from the OBSERVATION #3: Internet, a remote station, or an Nonexistent and default pass- 1. Change default and non- Ethernet jack in a public lobby or words were in use in the environ- existent passwords – This re- conference room. Consider key ment on both mission-critical and quires a comprehensive look at all choke points and mission-critical perimeter systems. of the default and non-existent systems. These all become poten- passwords used in the environ- tial candidates for intrusion sensors The use of passwords for authentication ment, including: and should be considered in the (and subsequent access to systems) is a overall deployment of an intrusion „ User accounts (administrator, potential area of vulnerability in every detection system. root, service, temporary, security environment. The security is- guest) sues relating to password authentication 2. Develop an intrusion detection „ Application passwords (SCADA, (i.e., the use of weak, default, or non- capability – Beyond hardware/ FTP, SNMP, database, web, existent passwords) has consistently software controls, establish a capa- mail, file shares) remained among SANS Most Critical bility (people + tools + process) to „ Scripts & source code (Web- Internet Security Vulnerabilities2 since monitor and react to suspected applications, utilities, plug-ins) the inception of the list. The creation, network and system-level intru- „ Network devices (access distribution, usage, revocation, and sions, as well as to maintain and points, routers, switches, print- other aspects of managing and protect- ers, firewalls) tune the specific detection rulesets ing the keys to our network systems is and logging requirements for your „ Control equipment (RTUs, an unending challenge, with many op- organization. PLCs, IEDs, ROCs) portunities for failure. 3. Evaluate the detection capabil- 2. Develop and implement policy On a control system network, the prob- ity – Perform regular tests at all and procedures – Establish the lem is exacerbated due to its mission- perimeter entry points, key choke minimum requirements for creating critical nature and the requirement for points, and from random systems strong passwords, such as: length, real-time operation. Operators need on the networks. Confirm that in- aging, reuse, character set to be instant access to systems (getting trusion detection is working as ex- used, as well as general principles locked out for mistyping a password in a pected – i.e., suspicious activity —the password shouldn’t be found crisis situation is not tolerable) and (like scanning) and relevant exploit in a dictionary (English or foreign) passwords often go unchanged simply signatures are flagged and the ap- or utilize personal information (such because technicians do not want to risk propriate response (email or page, as name, birth date, or SSN). bringing down a system that is stable. for example) is generated and As such, shared, default, weak, or blank routed correctly. 5

The policy should also handle metrics) should be considered as SCADA? The adversary’s work is made changing passwords after suspected alternatives to using simple pass- much easier if information leakage ex- compromise or when an untrusted words by themselves. The advan- ists, since they may not have the capa- user such as a vendor or technician tage of two-factor authentication is bility to profile a system across a net- is allowed temporary access to mis- that in order to access the system work of hosts to adequately determine if sion critical systems and devices. the user must provide something a particular one is a SCADA system or Finally, educate users regarding the they have (smartcard, token, or not. Packet capture and analysis or policy and best practices for the fingerprint) and something they social engineering are valid secondary security and overall usage of pass- know (a PIN or Password). An ad- options, but they involve more time and words. versary must acquire (or circum- resources. vent) both for the attack to suc- The less information you give to the 2. Assess the environment – Peri- ceed. adversary the harder their job becomes odically audit the passwords used in and the more likely you will discover the environment to ensure that their attack. In this case, the attacks they meet policy requirements. At OBSERVATION #4: succeeded because the adversary was a minimum, systematically check Sources of information leakage able to easily acquire the information mission-critical systems on a regu- were present in the environment. necessary. Finding ways to control and lar schedule. Unless the adversary is an insider or has minimize information leakage without otherwise acquired insider knowledge affecting operations is the challenge. 3. Wrap additional layers of secu- (through social engineering, coercion, rity around the exceptions – If a blackmail, or bribery) the specifics of RECOMMENDATIONS system absolutely must have a the network and systems prior to the weak, blank, default, or shared attack are unknown. In the early 1. Practice good Operations Secu- password then it becomes impor- stages of a cyber attack, the adversary rity (OPSEC) – OPSEC is a process tant to add additional layers of se- operates somewhat blindly and must that attempts to deny the adver- curity around that system. For first discover the information, targets, sary information that could be lev- example: and vulnerabilities necessary to execute eraged to improve the opportunity, the attack. In other words, adversaries success, and impact of an attack. „ Deny remote login (only allow do not magically know where your Some recommendations for improv- physical login at console/ SCADA system is or what systems are ing OPSEC in this case would be: device). vulnerable. They must discover this „ Not using descriptive names for „ Use a firewall or access control information through various techniques mission-critical systems. While list to restrict network access of scanning, probing, information it may be more convenient for to a given system. In other searches, etc. words, the user must use Sys- managing those systems, using tem X to remotely connect to As we observed in both attack se- names like SCADA or FIRE- System Y (the one with the quences, the adversary needed to gain WALL or DNS make those sys- weak, default, or nonexistent knowledge in order to successfully at- tems prime targets in keyword password). No other system is tack the target. For example: searches and network discov- allowed access to System Y, ery. „ The existence of the wireless regardless if the password is network „ Minimize the amount of infor- known or not. mation regarding vendors, ver- „ The SSID of the wireless net- „ Use more robust system event work sions, configurations, and ap- logging. Determine what the plications that you provide (in „ Live systems, open ports, po- normal behavior is and is not tential vulnerabilities banners, diagrams, documents, and then flag those events that presentations, fact sheets, an- „ Version, brand, or type infor- are suspicious — in order to mation of systems and devices nual reports, etc.), especially if identify brute-force guessing at those resources are accessible „ The IP address, host name, or login prompts, access to pass- via the network. Identify, MAC address of target systems word files, and unusual com- track, and protect those mand or data patterns. If the SCADA system did not contain a sources that do contain such descriptive name, or if its IP address information. 4. Consider alternative methods of was unknown, what system would the authentication – Where applica- „ Develop a review and release adversary attack? All of them? Or ran- ble, two-factor authentication process for all information that domly, in hopes of identifying the (using smartcards, tokens, or bio- is accessible via the Web 6

including webpages, documents, pictures, and other media files.

2. Make use of obfuscation techniques where possible – Default banners pro- vide the adversary with information (type, version) about the applications in use on a given system. Vulnerability and port scanners often base their findings on the information returned from a standard query. This information can be used for attack planning and exploitation. Modify- ing these can trick the adversary (or automated tool) into launching the wrong attack as well as increase the opportunity for discovery. Similarly, default installa- tions (directory structures, ports used, or other patterns) can reveal information. Renaming directories (e.g., using “/apps” instead of “/cgi-bin”) and using different ports for special services (e.g., using port “9999” instead of a default “8080” for a given admin web service) are examples of obfuscation techniques that can frus- trate the adversary’s efforts.

Conclusion

Figure 2 illustrates some of the primary rec- ommendations from this document, applied to the environment presented in Figure 1. Pri- mary recommended mitigations included:

„ reinforcing all perimeter access points

„ improving intrusion detection coverage

„ hardening password usage

„ minimizing information leakage

These will serve as starting points for a more Figure 2 comprehensive, multi-layer security posture.

While the presence of vulnerabilities on the SCADA server did introduce risk, no single vulnerability was the ultimate cause of the compromise and subsequent denial of service presented in this case study. There were sev- References eral factors that contributed to the opportu- nity and success of the attack. The consid- [1] Swarming Attacks: Infrastructure Attacks for Destruction and Disruption, a eration of these factors, as well as the recom- whitepaper developed by the National Infrastructure Protection Center mendations provided in this document, can (NIPC), July 2002. help to improve the overall security posture of control system environments across a variety [2] The SANS Top 20 Internet Security Vulnerabilities, Version 5.0 October 8, of sectors that face similar issues. 2004 Copyright (C) 2001-2004, SANS Institute, http://www.sans.org/top20/

7