Security Vulnerabilities: Stay One Step Ahead

Date posted: 11-Sep-2014
Category: Technology

Description

An exida webinar that explores strategies automation system suppliers can employ to improve the inherent security of their products while also staying one step ahead of the researchers who aim to expose their flaws. These strategies can also be useful in preparing to react to vulnerabilities found either internally or externally. We will also discuss suggestions for how end users can enhance the security of their installed systems and respond to news of vulnerabilities found in the products they use.

Transcript of Security Vulnerabilities: Stay One Step Ahead

Page 1: Security Vulnerabilities: Stay One Step Ahead

ICS Security Vulnerabilities: Stay One Step Ahead

Page 2: Security Vulnerabilities: Stay One Step Ahead

We help our clients improve the safety, security and availability of their automation systems

Copyright © 2010 - exida

Page 3: Security Vulnerabilities: Stay One Step Ahead

John A. Cusimano, CFSE, CISSP

• Director of Security Solutions for exida
• 20+ years experience in industrial automation
• Employment History:
  – Eastman Kodak
  – Moore Products
  – Siemens
• Certifications:
  – CFSE, Certified Functional Safety Expert
  – CISSP, Certified Information Systems Security Professional
• Industry Associations:
  – ISA S99 Committee (WG4, WG5, WG7, WG8)
  – ISA S84 Committee (WG9)
  – ISA Security Compliance Institute
  – ICSJWG Workforce Development & Vendor Subgroups

Page 4: Security Vulnerabilities: Stay One Step Ahead

Agenda

• Situation
• Recommended Strategy for Suppliers
• Recommended Strategy for End Users

Page 5: Security Vulnerabilities: Stay One Step Ahead

Situation

• ICS products have rapidly evolved to incorporate COTS technology
• Security was not a big concern in ICS environment until recently
• Most ICS vendors do not follow a mature security development lifecycle
• Security researcher community has suddenly become aware of the ICS market
• They are having success at finding and publishing vulnerabilities

Page 6: Security Vulnerabilities: Stay One Step Ahead

Stuxnet Response

“Addressing Stuxnet goes beyond using quality security controls. The industry needs to demand higher quality software that is free from defects. Companies who develop products and write code need to continue to mature their development processes to become more secure.”

Mark Weatherford, Vice President and Chief Security Officer, NERC

Page 7: Security Vulnerabilities: Stay One Step Ahead

Software related SCADA incidents

• Software Vendor Patch Crashes SCADA System
• Computer Glitch Causes Major Power Outage
• Faulty Software Causes Torrens Lake Drain
• SCADA System Collapse Leads to Tunnel Closure
• Computer Software Faults May Have Caused Chinook Helicopter Crash
• Gas Leak Caused by Computer Malfunction

Incidents from the Repository of Industrial Security Incidents (RISI) database (www.securityincidents.org)

Page 8: Security Vulnerabilities: Stay One Step Ahead

Luigi Auriemma

• March 21, 2011
• Independent security researcher Luigi Auriemma published 34 zero-day vulnerabilities affecting 4 different SCADA/HMI products:
  – Iconics Genesis32 v9.21 and Genesis64 v10.51 (13)
  – Siemens Tecnomatix FactoryLink v8.0.1.1473 (6)
  – DATAC RealWin 2.1 build 6.1.10.10 (7)
  – 7-Technologies IGSS v9.00.00.11059 (8)
• Included code and commands to exploit the vulnerabilities
• Vulnerabilities include stack and heap overflows, integer overflows, arbitrary command execution, format strings, double and arbitrary memory frees, memory corruptions, directory traversals, design problems, etc.

Page 9: Security Vulnerabilities: Stay One Step Ahead

Gleg Ltd. SCADA+ Pack

• Moscow-based security firm, Gleg Ltd., recently began selling an exploit pack called SCADA+ Pack
• Includes both previously known and zero-day SCADA vulnerabilities
  – Atvise SCADA (zero-day)
  – Control Microsystems ClearScada (zero-day)
  – DataRate SCADA WebControl and RuntimeHost (zero-day)
  – Indusoft SCADA Webstudio (zero-day)
  – ITS SCADA
  – Automated Solutions Modbus/TCP OPC Server
  – BACnet OPC client Advantech Studio Web server
  – Iconics Genesis

Page 10: Security Vulnerabilities: Stay One Step Ahead

Rubén Santamarta

• April 4, 2011
• Independent security researcher, Rubén Santamarta, identified an RPC vulnerability in Advantech/BroadWin WebAccess, a web browser-based HMI product
• The vulnerability affects the WebAccess Network Service on 4592/TCP and allows remote code execution
• Rubén reported to ICS-CERT and publicly released details of the vulnerability including exploit code and instructions on how to use it

Page 11: Security Vulnerabilities: Stay One Step Ahead

Others

• Joel Langill of SCADAhacker.com has responsibly disclosed several zero-day vulnerabilities with exploits to ICS-CERT and the affected vendors
• Steve James of exploited security recently notified ICS-CERT of a vulnerability in AGG OPC SCADAViewer

Page 12: Security Vulnerabilities: Stay One Step Ahead

Dillon Beresford

• May 9, 2011
• Security researcher Dillon Beresford of NSS Labs reported several security vulnerabilities on the Siemens S7 PLC to ICS-CERT and Siemens, including proof-of-concept exploit code
• On May 18th he was asked to cancel his scheduled demonstration at the TakeDownCon security conference
• He later presented his findings at Austin Hackers Anonymous on May 26th
• Beresford claims to be able to produce a Linux shell on the PLC and have root level access to the OS

Page 13: Security Vulnerabilities: Stay One Step Ahead

Exploit Hub

• Marketplace for validated, non-zero-day exploits
• iPhone App-Store style marketplace for security researchers to sell their exploits


Page 16: Security Vulnerabilities: Stay One Step Ahead


Recommended Strategy for Suppliers

Page 17: Security Vulnerabilities: Stay One Step Ahead

Recommended Strategy for Automation Suppliers

• Integrate security into development lifecycle (SDL)
• Evaluate existing products
• Specific testing for security vulnerabilities
• 3rd party evaluation
• Be prepared to respond to a disclosure

Page 18: Security Vulnerabilities: Stay One Step Ahead

Incorporating Security into the Software Development Lifecycle

[Diagram of lifecycle activities: Security Training; Security Requirements; Security Risk Assessment and Threat Modeling; Security Architecture Design; Security Coding Guidelines; Security Code Reviews & Static Analysis; Security Testing (Fuzz testing, Abuse case testing); Security Validation Testing; Security Response Planning and Execution]

Page 19: Security Vulnerabilities: Stay One Step Ahead

Guidance

• Microsoft - The Security Development Lifecycle [1]
• DACS - Enhancing the Development Life Cycle to Produce Secure Software [2]
• DHS – “Build Security In” [3]
• ISASecure – Software Development Security Assessment (SDSA) specification [4]

1. Howard, Michael, and Steve Lipner. The Security Development Lifecycle: SDL, a Process for Developing Demonstrably More Secure Software. Redmond, WA: Microsoft, 2006. Print.
2. Goertzel, Karen, Theodore Winograd, et al. for Department of Homeland Security and Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance, October 2008.
3. https://buildsecurityin.us-cert.gov/bsi/home.html
4. www.isasecure.org ESDA-312 Software Development Security Assessment (v1_4) (SDSA)

Page 20: Security Vulnerabilities: Stay One Step Ahead

Threat Modeling

• Identify critical assets and interfaces
• Create an architecture overview
• Identify trust boundaries
• Identify and rate threats
• Identify vulnerabilities
• Identify existing mitigations
• Quantify residual risk

Page 21: Security Vulnerabilities: Stay One Step Ahead

Security Integration Testing

• Fuzz testing
  – Software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes or failing built-in code assertions.
• White box testing for security (abuse case)
  – Based on knowledge of how the system is implemented
  – Comprehend and analyze security
  – Create tests to exploit software
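
The fuzz testing bullet above, as a supplier might run it against its own protocol parser. This is an added example, not code from the webinar: the two parsers, the seed frame and the mutation strategy are hypothetical, built around a Modbus/TCP-style header.

```python
import random
import struct

class FrameError(ValueError):
    """Clean rejection of a malformed frame (the expected failure mode)."""

# Constructed valid Modbus/TCP request: MBAP header + read holding registers.
SEED = struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x03, 0, 10)

def parse_weak(frame):  # hypothetical parser that trusts its input
    _tid, _pid, length, _unit = struct.unpack(">HHHB", frame[:7])
    func = frame[7]
    if func == 0x03:
        return (func, *struct.unpack(">HH", frame[8:12]))
    return func, frame[8:6 + length]

def parse_hardened(frame):  # same parser, validating sizes before use
    if len(frame) < 8:
        raise FrameError("shorter than MBAP header + function code")
    _tid, pid, length, _unit = struct.unpack(">HHHB", frame[:7])
    func = frame[7]
    if pid != 0 or length != len(frame) - 6 or (func == 0x03 and length != 6):
        raise FrameError("header fields inconsistent with frame size")
    if func == 0x03:
        return (func, *struct.unpack(">HH", frame[8:12]))
    return func, frame[8:]

def mutate(rng, data):  # overwrite a byte, truncate, or append junk
    buf = bytearray(data)
    kind = rng.randrange(3)
    if kind == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif kind == 1:
        del buf[rng.randrange(len(buf)):]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
    return bytes(buf)

def fuzz(parser, iterations=2000, seed=1234):
    rng, crashes = random.Random(seed), []
    for _ in range(iterations):
        case = mutate(rng, SEED)
        try:
            parser(case)
        except FrameError:
            pass  # clean rejection: the behaviour we want
        except Exception as exc:  # anything else is the monitored "crash"
            crashes.append((case.hex(), type(exc).__name__))
    return crashes
```

Running `fuzz(parse_weak)` returns the truncated frames that raised unhandled exceptions, while `fuzz(parse_hardened)` returns an empty list because every malformed frame is rejected cleanly.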

Page 22: Security Vulnerabilities: Stay One Step Ahead

Response Planning

• Acknowledge the issue
• Be open and forthright
• Analyze the risk
• Develop a mitigation plan
• Responsibly notify customers

Page 23: Security Vulnerabilities: Stay One Step Ahead


Recommended Strategy for End-Users

Page 24: Security Vulnerabilities: Stay One Step Ahead

THE 7 THINGS

1. ASSESSMENT
2. POLICY & PROCEDURE
3. AWARENESS & TRAINING
4. NETWORK SEGMENTATION
5. ACCESS CONTROL
6. SYSTEM HARDENING
7. MONITOR & MAINTAIN

Page 25: Security Vulnerabilities: Stay One Step Ahead

ASSESS EXISTING SYSTEMS

• Perform control system security assessments of existing systems
• Identify critical control system assets
• Compare current control system design, architecture, policies and practices to standards & best practices
• Identify risks, gaps and provide recommendations for closure
• Benefits:
  – Provides management with solid understanding of current situation, gaps and path forward
  – Helps identify and prioritize investments
  – First step in developing a security management program


Page 27: Security Vulnerabilities: Stay One Step Ahead

POLICY & PROCEDURE

• Establish control system security policies & procedures
  – Scope
  – Management Support
  – Roles & Responsibilities
  – Specific Policies
    • Remote access
    • Portable media
    • Patch mgmt
    • Anti-virus management
    • Change Management
    • Backup & Restore
    • Incident Response
  – References

ANSI/ISA S99.02.01-2009 Establishing an IACS Security Program

Page 28: Security Vulnerabilities: Stay One Step Ahead

AWARENESS & TRAINING

• Make sure personnel are aware of the importance of security and company policies
• Provide role-based training
  – Visitors
  – Contractors
  – New hires
  – Operations
  – Maintenance
  – Engineering
  – Management

Page 29: Security Vulnerabilities: Stay One Step Ahead

NETWORK SEGMENTATION

• Defense-in-Depth strategy
• Partition the system into distinct security zones
  – Logical grouping of assets sharing common security requirements
  – There can be zones within zones, or subzones, that provide layered security
  – Zones can be defined physically and/or logically
• Define security objectives and strategy for each zone
  – Physical
  – Logical
• Create secure conduits for zone-to-zone communications
  – Install boundary or edge devices where communications enter or leave a zone to provide monitoring and control capability over which data flows are permitted or denied between particular zones.
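
The zone and conduit model above, written as a default-deny check over observed traffic. This is an added example, not material from the webinar: the zone names, subnets, conduit list and sample flows are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed zone model; names and subnets are assumptions for illustration.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("10.30.0.0/16"),
    "safety": ip_network("10.30.99.0/24"),  # subzone nested inside "control"
}

# Conduits: the only permitted zone-to-zone flows (source, destination, port).
CONDUITS = {
    ("enterprise", "dmz", 443),
    ("dmz", "control", 4840),
    ("control", "safety", 502),
}

def zone_of(addr):
    """Most specific zone containing addr (a subzone wins over its parent)."""
    ip = ip_address(addr)
    hits = [(net.prefixlen, name) for name, net in ZONES.items() if ip in net]
    return max(hits)[1] if hits else None

def check_flow(src, dst, port):
    """Default-deny decision a boundary device would make for one flow."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny", "endpoint is not in any defined zone"
    if s == d:
        return "allow", f"intra-zone traffic in {s}"
    if (s, d, port) in CONDUITS:
        return "allow", f"conduit {s} -> {d} on port {port}"
    return "deny", f"no conduit {s} -> {d} on port {port}"

def audit(flows):
    """Return the observed flows that have no zone or no permitting conduit."""
    return [f for f in flows if check_flow(*f)[0] == "deny"]

# Constructed sample of observed flows (source, destination, destination port).
OBSERVED = [
    ("10.10.4.20", "10.20.0.5", 443),     # enterprise -> dmz, permitted
    ("10.20.0.5", "10.30.1.10", 4840),    # dmz -> control, permitted
    ("10.10.4.20", "10.30.1.10", 502),    # enterprise straight to control
    ("10.30.1.10", "10.30.99.7", 44818),  # control -> safety, unlisted port
    ("192.168.1.9", "10.30.1.10", 502),   # source outside every zone
]
```

`audit(OBSERVED)` returns the last three flows: one bypasses the DMZ, one enters the safety subzone on a port with no conduit, and one comes from an address outside every zone.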

Page 30: Security Vulnerabilities: Stay One Step Ahead

ACCESS CONTROL

• Control and monitor access to control system resources
• Logical & Physical
• AAA
  – Administration
  – Authentication
  – Authorization
• Review
  – Who has access?
  – To what resources?
  – With what privileges?
  – How is it enforced?

• Zone-by-zone
• Asset-by-Asset
• Role-by-Role
• Person-by-Person

Page 31: Security Vulnerabilities: Stay One Step Ahead

SYSTEM HARDENING

• Remove or disable unused communication ports
• Remove unnecessary applications and services
• Apply patches when and where possible
• Consider ‘whitelisting’ tools
• Use ISASecure™ certified products

Page 32: Security Vulnerabilities: Stay One Step Ahead

MONITOR & MAINTAIN

• Install vendor recommended anti-virus and update signatures regularly
• Review system logs periodically
• Consider Intrusion Detection (IDS) or Host Intrusion Prevention (HIPS)
• Pen testing (offline only)
• Periodic assessments


Page 34: Security Vulnerabilities: Stay One Step Ahead

Exida Security Services

Supplier Services
• Certifications
  – ISASecure™ EDSA Certification
  – Achilles Certified Communications™ Certification
• Gap Analysis
  – Software Development Security Assurance Assessment
• Training & Workshops
  – Secure Software Development for ICS Products
  – Threat Modeling Workshop
  – Secure Coding Workshop
  – Security Integration Testing

End User Services
• Control System Security Assessments
• Security Policy / Procedure Development
• FAT/SAT Security Assessments
• Training & Workshops