Your SCADA system has a vulnerability, now what? I briefly summarize the DNP3 vulnerabilities (and those in other ICS protocols too). Then I focus on the different mitigations an ICS owner can apply against these types of protocol implementation vulnerabilities even when there is no patch, or patches can't be installed. I also show the importance of Network Security Monitoring for detecting and responding to anomalies in ICS/SCADA networks.
2. @chrissistrunk
Electrical Engineer
Mandiant, Entergy (11 years)
SCADA Expert
Loves Security
DNP3 User Group
Button Pusher but I like Blue
12. ICS/SCADA lags IT by 10-15 years
735 SCADA-related vulns on OSVDB.org since 2011. “Like kicking a puppy”
Positive vs. Negative Testing: The front yard is mowed, but the back yard is overgrown (the functional tests get done; the malformed-input tests don’t).
13. Let’s take a step back and ask some questions:
What’s the risk if this device is compromised?
◦ Probability * Impact = Risk
◦ Check out my RTU risk score pres from S4x13
What is the ICS device talking to?
Does it use serial or IP protocols…or both?
How do we defend unsecured protocols?
Is the physical security sufficient?
Will you be called at 2AM?
14. The answers to the questions tell you that you have to do something to protect the device(s)
What types of mitigations exist?
Which ones will you use?
◦ Defense in depth – more than one!
◦ Belt and suspenders!
When will they be deployed?
◦ The sooner the better!
16. Software/firmware patches/device upgrades
Robust RTU/PLC and master configurations
Robust IP network configurations
ICS Protocol-aware network tools
Proper physical security
Employee awareness
Secure coding and an SDL (security development lifecycle) for vendors
19. If there is a software or firmware patch or a hardware upgrade out there that fixes a known vulnerability (such as one in DNP3 or Modbus) …GO GET IT
Properly test it before you roll it out
If you’re not used to patching your SCADA system, please work with your vendors to do this and minimize downtime
20. USE DNP3-SA! (DNP3 Secure Authentication: application-layer security)
◦ Correct master only talks to the correct RTU
◦ But it won’t protect against all “bugs”
Disable unused serial and network ports
Use a possible workaround (e.g. automatic restart)
Check the default settings
◦ DNP3 or other protocols may be factory configured
◦ If not used, disable them!
◦ ICS devices are on SHODAN; many appear to have the same configurations
22. What does SCADA stand for?
◦ Supervisory Control and Data Acquisition
What is the standard TCP port for Modbus?
◦ 502
What are the 2 start bytes for DNP3?
◦ 0x0564
What year was STUXNET discovered?
◦ 2010
What ICS protocol did HAVEX malware use?
◦ OPC
25. When possible, DISABLE functions that aren’t required in your production systems
DNP3 function code examples
◦ Cold and/or Warm Restarts (FC 13 & 14)
◦ Start/Stop Application (FC 17 & 18)
◦ Save Configuration (FC 19, the older function) / Activate Configuration (FC 31, the newer one)
◦ Open, Close, Delete, Abort File (FC 25, 26, 27, 30)
If you can’t disable these, use IDS/IPS or DPI firewalls to alert on unwanted SCADA traffic
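As an added example (not code from the presentation), the Python below shows what “alert on unwanted SCADA traffic” looks like at the packet level and also ties together two earlier slides: the 0x0564 start bytes from the quiz, and “correct master only talks to the correct RTU”. It parses the DNP3 link-layer header (start bytes, length, control byte, destination and source addresses, CRC-16/DNP) and the first application-layer function code, then flags frames whose master/outstation address pair is not on an allowlist or whose function code is one of the restart, application, configuration and file functions listed above. The addresses, the allowlist and the frames themselves are constructed for the example; a real monitor would be fed from a capture or an IDS preprocessor rather than from `build_request`.

```python
import struct

DNP3_START = b"\x05\x64"   # the two start bytes every DNP3 link frame begins with

# DNP3 application-layer function codes the slide recommends disabling
# where possible; if they cannot be disabled, alert on them.
RISKY_FC = {
    13: "Cold Restart", 14: "Warm Restart",
    17: "Start Application", 18: "Stop Application",
    19: "Save Configuration", 31: "Activate Configuration",
    25: "Open File", 26: "Close File", 27: "Delete File", 30: "Abort File",
}


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC bit-reflected), init 0, final XOR 0xFFFF.
    DNP3 transmits the result low byte first, hence the '<H' packing below."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def _block(data: bytes) -> bytes:
    """Append the little-endian CRC that follows the header and every data block."""
    return data + struct.pack("<H", crc16_dnp(data))


def build_request(src: int, dst: int, fc: int, seq: int = 0) -> bytes:
    """Constructed master->outstation request carrying a single function code."""
    # transport header (FIR|FIN|seq), application control (FIR|FIN|seq), function code
    user_data = bytes([0xC0 | seq, 0xC0 | seq, fc])
    length = 5 + len(user_data)   # control + dst + src + user data, CRCs excluded
    control = 0xC4                # DIR=1 (from master), PRM=1, link fc 4 = unconfirmed user data
    header = DNP3_START + bytes([length, control]) + struct.pack("<HH", dst, src)
    return _block(header) + _block(user_data)


def parse_dnp3(frame: bytes) -> dict:
    """Validate the link header and return addresses plus the first function code.
    Raises ValueError on anything malformed; a monitor should count those too."""
    if frame[:2] != DNP3_START:
        raise ValueError("missing 0x0564 start bytes")
    if len(frame) < 10:
        raise ValueError("truncated link header")
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    length, control = frame[2], frame[3]
    dst, src = struct.unpack("<HH", frame[4:8])
    info = {"src": src, "dst": dst,
            "from_master": bool(control & 0x80), "primary": bool(control & 0x40),
            "fc": None}
    user_len = length - 5
    if user_len >= 3:                           # room for transport, app control and FC
        data = frame[10:10 + min(user_len, 16)]  # first 16-byte data block
        crc = frame[10 + len(data):12 + len(data)]
        if len(data) < 3 or len(crc) < 2:
            raise ValueError("truncated data block")
        if struct.unpack("<H", crc)[0] != crc16_dnp(data):
            raise ValueError("data block CRC mismatch")
        info["fc"] = data[2]
    return info


def flag_unwanted(frames, allowed_pairs, denied_fc=RISKY_FC):
    """Return one alert string per policy violation or malformed frame."""
    alerts = []
    for frame in frames:
        try:
            p = parse_dnp3(frame)
        except ValueError as err:
            alerts.append(f"malformed frame: {err}")
            continue
        if (p["src"], p["dst"]) not in allowed_pairs:
            alerts.append(f"unexpected pair {p['src']}->{p['dst']}")
        if p["fc"] in denied_fc:
            alerts.append(f"{p['src']}->{p['dst']} FC {p['fc']} ({denied_fc[p['fc']]})")
    return alerts


if __name__ == "__main__":
    ALLOWED = {(1, 10)}   # constructed: master link address 1 -> RTU link address 10
    traffic = [
        build_request(src=1, dst=10, fc=1),    # FC 1 Read: a normal poll
        build_request(src=1, dst=10, fc=13),   # FC 13 Cold Restart from the right master
        build_request(src=99, dst=10, fc=1),   # unknown master address
    ]
    for line in flag_unwanted(traffic, ALLOWED):
        print(line)
```

The allowlist of address pairs is the link-layer version of “correct master only talks to the correct RTU”; it catches a misaddressed or rogue master but, unlike DNP3-SA, it cannot tell a spoofed source address from a real one, which is why the slide pairs the two.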
26. Segment your ICS/SCADA WAN
◦ Routers, Firewalls, DMZs, & VLANs
◦ This can help isolate the network when needed
Understand your network!
◦ The bad guys sure will
Use encryption and authentication
◦ Use DNP3-SA and TLS
◦ Remote access VPNs, radios, etc.
◦ Look at the IEC 62351 standard (it dovetails with DNP3-SA)
No ICS protocols on Corporate WAN
27. Examples of SCADA tools and enterprise network products that understand ICS protocols
Protocol analyzers such as Wireshark, ASE & TMW RTU Test Sets
IDS/IPS such as SNORT, Bro, CyberX, SilentDefense ICS, McAfee ADM, Bayshore Networks, and Checkpoint
Routers such as the Cisco CGR 2010
Field firewalls w/ICS Deep Packet Inspection
◦ Secure Crossing and Tofino
28. Newer enterprise security technologies can be used to help detect, respond to, and contain threats on your SCADA network
Security Operations Center
◦ Security Analyst(s) using a SIEM
◦ Log aggregation
◦ Anomaly and intrusion detection
◦ Indicators of Compromise (IOCs)
Security Onion (Linux distro): www.securityonion.net
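An added example, not part of the presentation, of the “log aggregation + anomaly detection” piece of slide 28 applied to a SCADA network, and of slide 26’s rule that ICS protocols stay off the corporate WAN. It reads Zeek/Bro-style conn.log lines (Bro is named on slide 27 and ships with Security Onion), learns the set of ICS-protocol conversations during a known-good baseline window, and then reports three kinds of deviation in later traffic: Modbus/TCP or DNP3/TCP seen outside SCADAnet, a master/outstation conversation not in the baseline, and a known outstation initiating a connection. The subnets, hosts, column layout and log lines are all constructed for the example.

```python
import ipaddress

# TCP ports of the two ICS protocols named in the presentation
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3/TCP"}

# Assumed network plan (constructed for this example): ICS protocols are only
# expected inside SCADAnet; the corporate network must never carry them.
SCADANET = ipaddress.ip_network("10.10.0.0/16")

OUTSIDE_SCADANET = "ICS protocol outside SCADAnet"
NEW_CONVERSATION = "conversation not in baseline"
OUTSTATION_INITIATING = "known outstation initiating a connection"

# Constructed conn.log excerpts (Zeek/Bro column order: ts, id.orig_h,
# id.orig_p, id.resp_h, id.resp_p, proto).  10.10.1.5 is the SCADA master,
# 10.10.2.x are RTUs/PLCs, 10.20.x.x is the corporate network.
BASELINE_LOG = """\
1700000000.1\t10.10.1.5\t50000\t10.10.2.10\t20000\ttcp
1700000001.2\t10.10.1.5\t50001\t10.10.2.11\t20000\ttcp
1700000002.3\t10.10.1.5\t50002\t10.10.2.20\t502\ttcp
1700000003.4\t10.10.1.5\t50003\t10.10.3.7\t443\ttcp
"""

LIVE_LOG = """\
1700086400.0\t10.10.1.5\t50100\t10.10.2.10\t20000\ttcp
1700086401.0\t10.20.7.33\t51000\t10.10.2.10\t20000\ttcp
1700086402.0\t10.10.1.5\t50101\t10.10.2.99\t502\ttcp
1700086403.0\t10.10.2.10\t49000\t10.10.1.5\t20000\ttcp
1700086404.0\t10.10.1.5\t50102\t10.10.3.7\t443\ttcp
"""


def parse_conn_log(text):
    """Yield one dict per non-empty, non-comment conn.log line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")[:6]
        yield {"ts": float(ts), "orig_h": ipaddress.ip_address(orig_h),
               "orig_p": int(orig_p), "resp_h": ipaddress.ip_address(resp_h),
               "resp_p": int(resp_p), "proto": proto}


def learn_baseline(text):
    """Record every ICS-protocol conversation (orig, resp, port) seen during a
    known-good window, plus the set of hosts that answered as outstations."""
    conversations, outstations = set(), set()
    for rec in parse_conn_log(text):
        if rec["resp_p"] in ICS_PORTS:
            conversations.add((rec["orig_h"], rec["resp_h"], rec["resp_p"]))
            outstations.add(rec["resp_h"])
    return {"conversations": conversations, "outstations": outstations}


def detect(text, baseline):
    """Return one alert dict per ICS-protocol record that deviates from the baseline."""
    alerts = []
    for rec in parse_conn_log(text):
        if rec["resp_p"] not in ICS_PORTS:
            continue   # non-ICS traffic is out of scope for this check
        reasons = []
        if rec["orig_h"] not in SCADANET or rec["resp_h"] not in SCADANET:
            reasons.append(OUTSIDE_SCADANET)
        if (rec["orig_h"], rec["resp_h"], rec["resp_p"]) not in baseline["conversations"]:
            reasons.append(NEW_CONVERSATION)
        if rec["orig_h"] in baseline["outstations"]:
            reasons.append(OUTSTATION_INITIATING)
        if reasons:
            alerts.append({"ts": rec["ts"], "orig_h": str(rec["orig_h"]),
                           "resp_h": str(rec["resp_h"]),
                           "protocol": ICS_PORTS[rec["resp_p"]], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE_LOG, learn_baseline(BASELINE_LOG)):
        print(f"{alert['ts']:.1f} {alert['orig_h']} -> {alert['resp_h']} "
              f"{alert['protocol']}: {'; '.join(alert['reasons'])}")
```

Learning the baseline from a quiet window works well in SCADA networks precisely because the master/outstation conversation set is small and stable; the same approach on a corporate LAN would drown an analyst in new conversations, which is why the slide puts the SIEM analyst and the IOC feed alongside the anomaly detection rather than relying on it alone.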
32. [Network diagram: Internet, Your Company’s Corp network, DMZ, SCADAnet with HMI, Hist, RTU, Pump, Plant 1, Plant 2, Cust 1, Cust 2] Is this happening in your ICS??? Caption: Inside cover of The Cuckoo’s Egg
36. What is the proper amount of physical security? It depends…
If your Critical SCADA master has top physical security, but the serially-connected tiny distribution RTU does not, is that okay?
Use a lock that meets or exceeds: UL 437, ANSI 156.30 Grade A, or ASTM F883 Grade 6
Harden your external barriers
The better the defenses, the more time it buys you to respond
38. [Photos: 3/8” mesh; ASTM Grade 6 lock] These may buy you extra time to respond
39. “Thieves hit our store last night. This is how they circumvented the door alarm…” via http://redd.it/1pn1xi
41. Train your folks on ICS/SCADA security
◦ Security Conferences, several training classes available
◦ http://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
◦ GICSP Certification
Security awareness is important
Have a questioning attitude
Report suspicious computer or personal activity/incidents
◦ Who do you call?
◦ Internal hotline, supervisor, SOC, etc.
◦ ICS-CERT (877-776-7585)
42. Ask your vendors for DNP3-SA if they don’t have it yet, or ask whether they are already working on it
Require, in the bids for new SCADA systems or upgrades, that the system be tested by a 3rd party, including the DNP3 protocol stack
◦ Positive Tests: FAT/SAT
◦ Negative Tests: Fuzzing (it’s not new folks!)
44. DNP3 isn’t a special case. Other ICS protocols will see the same fate.
Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP…
You can defend your SCADA.
Early testing of both the slave/server AND master/client sides of the protocol is important!
Compliance != Security, but the culture is important.
Don’t count on the government to protect your critical systems…it’s your job.