2. Agenda
• What is ICS?
• IT vs ICS
• ICS Components
• ICS Protocols
• PLCs
• Common issues with ICS Security
• Pentesting ICS (approach and methodology)
• Securing ICS
• So you want to learn ICS Security?
4. Where do we see ICS in use?
• Food manufacturing plants
• Power plants
• Building automation systems (AC/HVAC)
• Water treatment
• Chemical plants
• Oil & Gas
• Telcos
• Weapons Control System
• Dams, etc.
7. IT vs ICS

Security patches
  IT:  Applied regularly on standard systems
  ICS: Only recently provided by vendors; applied once a year at most

Antivirus
  IT:  Deployed on all Windows machines, centrally managed
  ICS: Slowly starting to show up. Some vendors used to (or still) forbid AV, since support is void if AV is installed. Not centrally managed

System administration
  IT:  Centralized, dedicated teams, standard operations and procedures
  ICS: Lack of local skills, heterogeneous environments, many different tools to use, vendor support is mandatory

IAM
  IT:  Nominative (per-person) accounts
  ICS: Generic, shared accounts, no password policy

Availability
  IT:  Service interruptions are acceptable, especially outside business hours
  ICS: Real-time operations; downtime is unacceptable or very costly

Protocols
  IT:  Standard TCP/IP protocols that include authentication and encryption
  ICS: Many vendor-specific protocols with no security built in

Impact
  IT:  No people endangered
  ICS: Possible impact on people, the environment and industrial equipment
8. A look into the past
1969: First PLCs
1979: Modbus protocol published
1986: PLCs controlled by PCs
1992: TCP/IP for PLCs
2003: Web servers on PLCs
2017: Active Directory is coming!
9. ICS Components
• Sensors and actuators: allow interaction with the physical world (pressure sensors, valves, motors, …)
• Local HMI: Human-Machine Interface, permits the supervision and control of a subprocess
• PLC: Programmable Logic Controller, runs the control logic that reads the sensors and drives the actuators
• Supervisor screen: remote supervision of the industrial process
• Data historian: records all data from the production and SCADA networks
• RTU: Remote Terminal Unit (a standalone PLC-like device for remote sites)
• IED: Intelligent Electronic Device (smart sensor or protection relay)
11. Industrial protocols
At the beginning, specific protocols on specific physical layers (RS232, RS485, 4-20 mA current loop)
Some protocols were adapted to TCP/IP, like Modbus, and others were developed to allow interoperability.
Currently, the most used seem to be:
HART / WirelessHART
Profibus
Modbus
Profinet / S7
DNP3
OPC
12. Modbus protocol
Serial communication protocol published in 1979 by Modicon (now part of Schneider Electric)
Developed for industrial applications
Royalty-free
Now one of the de facto standards for industrial applications
Security?
Clear-text
No authentication
How it works:
Master/slave protocol
The master must regularly poll the slaves to get information
Slave (unit) addresses are 8 bits long (1 to 247 are valid unit IDs on serial links); coil and register addresses are 16 bits
There is no object description: a request returns a value, without any context or unit.
13. Modbus protocol
Modbus was originally made for serial communications
It is now often used over TCP (port 502): the serial CRC is dropped and a 7-byte MBAP header is prepended to the PDU
[Figure: Modbus/TCP frame format: MBAP header (transaction ID, 2 bytes; protocol ID, 2 bytes, always 0; length, 2 bytes; unit ID, 1 byte) followed by the PDU (function code, 1 byte, + data)]
14. Modbus protocol
The most common Modbus functions read and write data from/to a PLC
Other functions, such as file record access and diagnostics, also exist
Undocumented, vendor-specific function codes can also be used to perform specific actions (Schneider's Modicon range, for instance, carries its UMAS management protocol behind function code 90)
Commonly used Modbus function codes (name: code)
  Read coils: 1
  Read holding registers: 3
  Write single coil: 5
  Write single register: 6
  Write multiple registers: 16
  Read/write multiple registers: 23
All documented Modbus function codes: https://en.wikipedia.org/wiki/Modbus
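The frame format and function codes above, as a worked example added here (it is not code from the talk or from any vendor): a small Python encoder/decoder for Modbus/TCP plus a constructed in-memory slave that answers read holding registers (3), write single register (6) and write multiple registers (16), and returns an exception response (function code | 0x80, exception code) for anything else. The register values, unit ID 1 and transaction IDs are constructed test data; the block runs offline.

```python
"""Modbus/TCP framing with a constructed in-memory slave.
Added example, not from the original talk; all values are constructed test data."""
import struct

# MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
MBAP = struct.Struct(">HHHB")
FC_READ_HOLDING, FC_WRITE_SINGLE_REG, FC_WRITE_MULTI_REGS = 3, 6, 16
EXC_ILLEGAL_FUNCTION, EXC_ILLEGAL_ADDRESS, EXC_ILLEGAL_VALUE = 1, 2, 3


class ModbusError(Exception):
    """Raised when the slave answers with an exception response."""

    def __init__(self, code):
        super().__init__("Modbus exception %d" % code)
        self.code = code


def build_adu(tid, unit, pdu):
    """Wrap a PDU (function code + data) in an MBAP header; length counts unit id + PDU."""
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_adu(frame):
    """Split a frame into (tid, unit, function code, data); reject bad headers."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return tid, unit, frame[7], frame[8:]


def read_holding_request(tid, unit, start, count):
    return build_adu(tid, unit, struct.pack(">BHH", FC_READ_HOLDING, start, count))


def write_single_register_request(tid, unit, addr, value):
    return build_adu(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE_REG, addr, value))


def write_multiple_registers_request(tid, unit, start, values):
    data = struct.pack(">%dH" % len(values), *values)
    pdu = struct.pack(">BHHB", FC_WRITE_MULTI_REGS, start, len(values), len(data)) + data
    return build_adu(tid, unit, pdu)


def decode_response(frame):
    """Return (function code, payload); raise ModbusError on an exception response.
    Read responses are decoded into a list of register values."""
    _tid, _unit, fc, data = parse_adu(frame)
    if fc & 0x80:
        raise ModbusError(data[0])
    if fc == FC_READ_HOLDING:
        n = data[0] // 2
        return fc, list(struct.unpack(">%dH" % n, data[1:1 + 2 * n]))
    return fc, data


class FakePlc:
    """Constructed slave with 16 holding registers. As on a real PLC, nothing
    authenticates the client: whoever reaches port 502 can read and write."""

    def __init__(self):
        self.holding = [0] * 16

    def handle(self, frame):
        tid, unit, fc, data = parse_adu(frame)
        try:
            if fc == FC_READ_HOLDING:
                start, count = struct.unpack(">HH", data)
                if not 1 <= count <= 125 or start + count > len(self.holding):
                    raise ModbusError(EXC_ILLEGAL_ADDRESS)
                regs = self.holding[start:start + count]
                pdu = struct.pack(">BB%dH" % count, fc, 2 * count, *regs)
            elif fc == FC_WRITE_SINGLE_REG:
                addr, value = struct.unpack(">HH", data)
                if addr >= len(self.holding):
                    raise ModbusError(EXC_ILLEGAL_ADDRESS)
                self.holding[addr] = value
                pdu = bytes([fc]) + data  # the response echoes the request
            elif fc == FC_WRITE_MULTI_REGS:
                start, count, nbytes = struct.unpack(">HHB", data[:5])
                if nbytes != 2 * count or len(data) != 5 + nbytes:
                    raise ModbusError(EXC_ILLEGAL_VALUE)
                if start + count > len(self.holding):
                    raise ModbusError(EXC_ILLEGAL_ADDRESS)
                self.holding[start:start + count] = struct.unpack(">%dH" % count, data[5:])
                pdu = struct.pack(">BHH", fc, start, count)
            else:
                raise ModbusError(EXC_ILLEGAL_FUNCTION)
        except ModbusError as e:
            pdu = bytes([fc | 0x80, e.code])
        except struct.error:  # malformed data field
            pdu = bytes([fc | 0x80, EXC_ILLEGAL_VALUE])
        return build_adu(tid, unit, pdu)


if __name__ == "__main__":
    plc = FakePlc()
    plc.handle(write_single_register_request(1, 1, 4, 1500))  # unauthenticated write
    print(decode_response(plc.handle(read_holding_request(2, 1, 0, 8))))
```

The slave only checks that the address range exists and the data field is well formed; nothing identifies the client. That is exactly what makes unauthenticated writes, and tools such as the Metasploit modbusclient module, possible.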
15. S7 protocol
Proprietary protocol by Siemens (S7comm)
TCP port 102 (ISO-TSAP)
Runs over COTP (Connection-Oriented Transport Protocol, RFC 905), carried in TPKT
No authentication or encryption in the classic protocol
A new version of the protocol is available starting with version 4 of the PLC firmware: it provides mutual authentication and communication encryption
Its security features were analysed by Quarkslab; see the SSTIC 2015 talk:
https://www.sstic.org/2015/presentation/analyse_de_scurite_de_technologies_propritaires_scada/
16. DNP3 protocol
Standard protocol (now IEEE 1815), developed by GE Harris in the 90's
Master/outstation, but an outstation can also report at its own initiative (unsolicited responses)
Originally a data-link (layer 2) protocol sitting directly on the physical layer; later ported to TCP/IP (port 20000)
Integrity is only checked with CRCs, which catch transmission errors but not deliberate tampering
Report by exception: only the data that has changed is sent (simplified), or data is sent at the initiative of the PLC/RTU
Used for smart grids in the US
Secure DNP3 (DNP3 Secure Authentication) introduced in 2007
- Works on the serial and TCP versions
- Challenge/response authentication of critical requests with HMACs; the session keys are derived from a pre-shared key
- Can be done at startup, at a configured interval, or only for sensitive actions (write requests, for example)
- Possible to use secure DNP3 over TLS
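A simplified model of the Secure DNP3 challenge/response described above, added as an example (it is a sketch of the mechanism, not a conforming DNP3 Secure Authentication implementation and not code from the talk): the outstation challenges every critical request with a fresh random nonce and executes it only if the master's HMAC, keyed with the shared key, covers both the nonce and the exact request bytes. The key, the ASDU bytes, the assumption that byte 0 of an ASDU is its function code, the set of function codes treated as critical and the 16-byte MAC truncation are all assumptions made for this sketch.

```python
"""Simplified DNP3 Secure Authentication style challenge/response.
Added example: a sketch of the mechanism, not a conforming SA implementation.
Key, ASDU bytes, critical function codes and MAC length are assumptions."""
import hashlib
import hmac
import os

MAC_LEN = 16  # assumed truncation of HMAC-SHA256 for this model

# Assumed: ASDU byte 0 is the application function code (the real header has a
# control octet first). Critical = anything that changes state.
FC_READ = 0x01
CRITICAL_FCS = frozenset({0x02, 0x03, 0x04, 0x05, 0x06})  # write, select, operate, direct operate


def make_challenge(seq):
    """Outstation side: sequence number plus fresh random challenge data."""
    return seq.to_bytes(4, "big") + os.urandom(16)


def compute_mac(key, challenge, asdu):
    """The MAC binds the nonce AND the exact request, so neither can be swapped."""
    return hmac.new(key, challenge + asdu, hashlib.sha256).digest()[:MAC_LEN]


class Outstation:
    def __init__(self, key):
        self.key = key
        self.seq = 0
        self.pending = None  # (challenge, asdu) waiting for the master's reply
        self.executed = []

    def receive(self, asdu):
        """Non-critical ASDUs run at once; critical ones are held behind a challenge."""
        if asdu[0] not in CRITICAL_FCS:
            self.executed.append(asdu)
            return "ok", None
        self.seq += 1
        challenge = make_challenge(self.seq)
        self.pending = (challenge, asdu)
        return "challenge", challenge

    def receive_reply(self, reply_mac):
        if self.pending is None:
            return "error: no challenge outstanding"
        challenge, asdu = self.pending
        self.pending = None  # single use: a captured reply cannot be replayed later
        if not hmac.compare_digest(reply_mac, compute_mac(self.key, challenge, asdu)):
            return "error: authentication failed"
        self.executed.append(asdu)
        return "ok"


class Master:
    def __init__(self, key):
        self.key = key

    def answer(self, challenge, asdu):
        return compute_mac(self.key, challenge, asdu)


def exchange(master, outstation, sent_asdu, delivered_asdu=None):
    """One request end to end. `delivered_asdu` models an on-path attacker changing
    the request between master and outstation; the master still signs what it sent."""
    delivered = sent_asdu if delivered_asdu is None else delivered_asdu
    kind, challenge = outstation.receive(delivered)
    if kind == "ok":
        return "ok"
    return outstation.receive_reply(master.answer(challenge, sent_asdu))


if __name__ == "__main__":
    key = b"constructed-pre-shared-key-32-by"
    master, outstation = Master(key), Outstation(key)
    read = bytes([FC_READ, 0x3C, 0x02, 0x06])                    # constructed: read request
    operate = bytes([0x05, 0x0C, 0x01, 0x17, 0x01, 0x00, 0x41])  # constructed: direct operate
    print(exchange(master, outstation, read), exchange(master, outstation, operate))
    print(exchange(master, outstation, operate, delivered_asdu=operate[:-1] + b"\x81"))
    print(exchange(Master(b"wrong-key"), outstation, operate))
```

The three failure cases worth trying are the ones the model covers: a request altered in flight, a reply computed with the wrong key, and a captured reply replayed against a later challenge. All three fail because the challenge is fresh and single-use and the MAC covers the request bytes; the CRC that classic DNP3 relies on catches none of them.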
17. PLC
Real-time digital computer used for automation
Replaces electrical relays
Lots of analogue or digital inputs & outputs
Rugged devices (tolerant of vibration, electrical noise, temperature extremes, dust, …)
19. Other languages...
SoMachine is the software provided by Schneider Electric to program its entry-level PLCs.
PLCs used in big plants are usually programmed using Unity Pro.
Unity Pro has no free/demo version.
20. PLC programming
1. Create a project
2. Define the hardware setup
3. Create variables
4. Define the program
5. Test
6. Debug
7. Push to the PLC
21. Common issues with ICS security
Organization & awareness
Network segmentation
Vulnerability management
Security in protocols
Third Party management
Security monitoring & detection
23. ICS security assessments
Types of security assessments
- Security posture audits (interviews and artifact reviews)
- Physical security assessments (policy review and walkthroughs)
- Network capture assessments (passive network)
- Vulnerability scanning (active network)
- Penetration testing (active network and hands-on)
Each assessment type looks at the system from a different perspective and angle
The most common time to run penetration tests on control systems is during equipment acquisition, before the system goes into production
24. What to pentest?
All connectivity from corporate networks to control networks
All remote access connectivity into the control network
Any link carrying control traffic across public or semi-public links
Any new system before it is implemented
Any system changes or updates that are being tested in test or staging
environments
Web applications running on top of devices such as RTUs, PLCs and HMIs
Fuzzing ICS protocol implementations
25. Port scanning on ICS networks is dangerous
Nmap is the de facto port scanner but can be really dangerous on ICS: many PLC network stacks are fragile and hang or crash on unexpected traffic
Two stories from NIST SP800-82
A ping sweep hung a system at a semiconductor fabrication plant and destroyed over $50,000 worth of product
Gas distribution was blocked for several hours after a pentester went slightly off-perimeter during an assessment for a gas company
Useful nmap settings for scanning
Reduce scanning speed: use "--scan-delay 1s" to wait between probes, and "--max-parallelism 1" so that only one probe is in flight at a time
Perform a TCP connect scan (-sT) instead of a SYN scan (-sS), so that every connection is completed and closed cleanly; do not perform UDP scans
Do not use fingerprinting (-O, -sV), and select NSE scripts manually (do not use "-sC")
26. PLCSCAN
https://code.google.com/archive/p/plcscan/
by SCADAStrangeLove (http://scadastrangelove.org/)
Scans for TCP ports 102 (Siemens S7) and 502 (Modbus/TCP) and tries to pull information about the PLC (modules, firmware version, …)
Not exhaustive: it only knows Modbus and Siemens devices, so PLCs speaking other protocols are missed
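An added example of what a tool like plcscan does, written for this page and not plcscan's code: probe a list of ICS ports one connection at a time with a delay between probes (the nmap precautions from the previous slide, done by hand), then send a Modbus Read Device Identification request (function code 43, MEI type 14) and decode the vendor name, product code and revision objects from the reply. So that it runs offline, the block includes a constructed fake device that serves made-up identification strings on an ephemeral port; the port-to-protocol map is an assumption.

```python
"""Gentle ICS port probing plus Modbus device identification (FC 43 / MEI 14).
Added example, not plcscan's code; the fake device and its strings are constructed."""
import socket
import struct
import threading
import time

# Assumed port-to-protocol map: ISO-TSAP (S7), Modbus/TCP, DNP3, EtherNet/IP.
ICS_PORTS = {102: "s7comm", 502: "modbus", 20000: "dnp3", 44818: "enip"}
# Object ids of the "basic" identification objects returned by FC 43 / MEI 14.
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}


def connect_probe(host, ports, delay=1.0, timeout=2.0):
    """Full TCP connect to one port at a time (like nmap -sT), sleeping `delay`
    seconds between probes and sending no data. Returns {port: "open" | "closed"}."""
    results = {}
    for i, port in enumerate(ports):
        if i:
            time.sleep(delay)
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"  # handshake completed; closed by the context manager
            except OSError:
                results[port] = "closed"  # refused, unreachable or timed out
    return results


def device_id_request(tid=1, unit=0xFF):
    """MBAP header + PDU: FC 0x2B, MEI type 0x0E, read basic objects, start at object 0."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_device_id(frame):
    """Return {object id: string} from an FC 43/14 response; raise on anything else."""
    if len(frame) < 14:
        raise ValueError("short frame")
    fc = frame[7]
    if fc == 0x2B | 0x80:
        raise ValueError("exception %d: device does not support FC 43" % frame[8])
    if fc != 0x2B or frame[8] != 0x0E:
        raise ValueError("not a device identification response")
    # frame[9..12]: read device id code, conformity level, more follows, next object id
    count, pos, objs = frame[13], 14, {}
    for _ in range(count):
        oid, olen = frame[pos], frame[pos + 1]
        objs[oid] = frame[pos + 2:pos + 2 + olen].decode("ascii", "replace")
        pos += 2 + olen
    return objs


def query_device_id(host, port=502, timeout=2.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(device_id_request())
        return parse_device_id(s.recv(260))


def start_fake_device(ident, host="127.0.0.1"):
    """Constructed Modbus device on an ephemeral port that only answers FC 43/14
    (exception 1 for any other function). Returns the port; the thread is a daemon."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                req = conn.recv(260)
                if len(req) < 8:
                    continue  # bare connect probe: nothing to answer
                if req[7] == 0x2B and req[8:9] == b"\x0E":
                    body = b"".join(bytes([oid, len(s)]) + s.encode() for oid, s in sorted(ident.items()))
                    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(ident)]) + body
                else:
                    pdu = bytes([req[7] | 0x80, 0x01])  # illegal function
                conn.sendall(req[:4] + struct.pack(">H", len(pdu) + 1) + req[6:7] + pdu)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_device({0: "ExampleVendor", 1: "PLC-1000", 2: "v1.2"})
    print(connect_probe("127.0.0.1", [port] + list(ICS_PORTS), delay=0.5))
    print({OBJECT_NAMES.get(k, k): v for k, v in query_device_id("127.0.0.1", port).items()})
```

Against a real device, keep the delay, keep one connection at a time, and expect exception 1 from PLCs that do not implement FC 43; the exception path above is what a scanner should treat as "Modbus present, identification unsupported" rather than as an error.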
27. Attacking standard services
Most PLCs expose standard services, such as HTTP and FTP
Let's say security was not the first thing in mind when these features were introduced…
On the Schneider M340:
FTP credentials are hardcoded (sysdiag / factorycast@schneider)
This allows you to retrieve the password file for the web UI
28. Metasploit for everything
auxiliary/scanner/scada/modbusclient (can perform read/write operations on coils and registers)
Unauthenticated actions on Schneider Modicon PLCs:
auxiliary/admin/scada/modicon_command (STOP/RUN the CPU)
auxiliary/admin/scada/modicon_stux_transfer (logic download/upload)
30. Securing ICS
ICS security standards
ANSSI guidelines (France)
ISA/IEC 62443 (formerly ISA99)
NIST SP800-82 Revision 2
ENISA guidelines
NERC CIP
System hardening
Network segmentation
Pivoting from the corporate network into the ICS network is the main problem
Segregate while still allowing the few communications that are needed (for example, historian replication through a DMZ)
Beware of dual-homed hosts (two network cards, one on each network): they bypass the segregation
Security monitoring
31. So you want to learn ICS Security? – ICS Security Resources
32. Connect!
• SCADAsec email list at Infracritical
ICS Security Conferences
DigitalBond’s S4
SANS ICS Summit
4SICS
EnergySec
Oil and Gas Security Summit
33. Information Sharing
National Council of ISACs
Downstream Natural Gas (www.dngisac.com)
Electricity (www.esisac.com)
Oil & Natural Gas (www.ongisac.com)
Water (www.waterisac.com)
34. Books
Robust Control System Networks, Ralph Langner
Industrial Network Security, 2nd Edition, Knapp & Langill
Cybersecurity for Industrial Control Systems, Macaulay & Singer
Countdown to Zero Day, Kim Zetter
Handbook of SCADA/Control Systems, 2nd Ed., Radvanovsky &
Brodsky
Hacking Exposed Industrial Control Systems, Bodungen, et al
36. Training
ICS-CERT
Free online training and resources
Free 5-day Red vs Blue ICS exercise
ICS Vendor Training
SANS ICS410 and ICS515
Red Tiger Security, Lofty Perch, SCADAhacker
38. This slide deck is generously borrowed from the following talks:
Pentesting ICS 101 - https://www.defcon.org/html/defcon-24/dc-24-workshops.html#Soullie
How to get into ICS security – RSA Conference 2016
What the hell is ICS security – BSides Tampa 2016