In order to defend a network against an attacker, it is important to be able to think like an attacker—and that means understanding the basics of hacking. The tools and techniques for hacking vary widely, although there are well-known and common methodologies that are often employed. By analyzing possible methods of gaining unauthorized entry into an industrial network, the perimeter can be strengthened accordingly. Note that these are methods of gaining entry; they do not define the attack itself. That is, these steps define the process by which an attacker might gain entry into your network to deliver some sort of malicious payload such as a virus or malware; they do not define the payload. Protecting against the delivery of the payload comes first; protecting the users, services and hosts within your network from the payload (any malicious code, virus, bot, Trojan, etc.) comes after. The latter is discussed in Chapter 7, “Establishing Secure Enclaves”.
The Attack Process
While there are numerous ways to penetrate a network, most involve some (if not all) of the following steps: reconnaissance, to learn more about the target network; scanning, to determine what the network looks like and what services are available for exploitation; enumeration, which is the process of identifying operating systems and users, including the determination of authentication credentials of users on the network; and then the attack itself—typically either an abrupt disruption such as a Denial of Service (DOS), or an attempt to penetrate and infect the network. Examining these steps as a process, it can be seen that successfully penetrating a network is more difficult than simply disrupting it from the outside (see Figure 6.1). For example, if the goal of an attack is to disrupt an outward-facing service such as HTTP, an attack can be as simple as a targeted DOS against an organization’s primary Internet access point. It is easy because the target is fully exposed, by design. Conversely, penetrating a network—either to disrupt an internal system that is not exposed, or to steal or alter information or other resources—requires that one or more layers of defense be compromised. For the purposes of developing a best-practice defensive strategy, all industrial systems should be fully enclosed and protected within secure boundaries (see Chapter 7, “Establishing Secure Enclaves”); however, in reality many critical industrial networks are fully exposed (see the section “Targeting an Industrial Network”).
Reconnaissance
The initial reconnaissance, or “footprinting,” of a target enables an attacker to understand the organization’s security posture. By properly researching a target, an attacker can gather information about the company and its employees, the company’s Internet presence, internal and external networks and domains, and potential points of entry into those networks.
Many readily available Internet services and search engines can be used for footprinting. Many companies openly publish information about partners, member organizations, and even employee blogs—any of which might equate to a way in. Partners typically interact with a company via a partner portal that may provide access to a greater range of information and services. Blog-friendly companies might implement special web services to aggregate employee RSS feeds.
Any information that can be obtained is important because it could identify an entry point into the network, or it may be leveraged directly for social-engineering efforts, with results ranging from additional information gathering to targeted spear-phishing.
The tools available for network reconnaissance include: open-source aggregation services such as Maltego (www.paterva.com/web5/); social networking sites such as Facebook and LinkedIn; or more advanced tools such as the Social Engineer Toolkit (SET), a specialized tool set designed to “perform advanced attacks against the human element.”
For reconnaissance of network domains, IP space, extranets, and other essentials of network footprinting, domain queries and lookups provide useful information about the available network(s) as well as specific devices within the network. DNS information can also be used to locate additional related domains (using point-of-contact searches), or simply to provide a relevant user identity (including address and phone number) that might be leveraged as part of a social-engineering attack. Once a device within a network has been identified, it can be scrutinized to obtain more detail—for example, using a command line tool like traceroute to learn about the routers, firewalls, and other devices that might sit along the path to the target.
Scanning
Scanning a network typically begins with broad attempts to identify network devices and hosts using a ping sweep, and then leverages additional capabilities of the Internet Control Message Protocol (ICMP) to determine further information, such as the network mask (which allows you to derive subnet information), as well as open TCP and User Datagram Protocol (UDP) ports (which allow you to identify running services, as most services map to well-known ports).
Again, there are many tools available to facilitate network scanning, including Fyodor’s popular Nmap scanner, a free network scanning tool that combines ping sweeps, port scans, operating system detection, service detection (by looking up well-known ports) and service version detection (by connecting to identified servers and obtaining reported version information). Nmap (www.nmap.org) is widely used; it is available on all major operating systems, and many minor ones including Amiga, and is thoroughly documented in 16 languages. Metasploit (www.metasploit.com) is another popular penetration testing tool that includes network scanning modules.
Enumeration
Enumeration refers to the process of identifying valid users and/or account credentials, as well as shared network resources that those user accounts might be able to access. The process involves establishing connections (or attempting to) and performing directed queries using tools like net view (for NT domains), or applications such as finger (for Unix user information) and rpcinfo (for identifying remote procedure calls that may be running). The concept is that if an open entry point does not exist, a valid user account can be used to breach the network through a closed one. Once a username is known, passwords can be guessed (using knowledge gained during reconnaissance), brute-forced using password generators, or obtained from network traffic captured during the authentication process.
Once again, common tools such as Metasploit include ready-to-use enumeration modules. As of version 3.5.0, Metasploit included modules for the enumeration of MySQL and MS-SQL services, Oracle database users, DNS services, SAP BusinessObjects, Apache web servers, Wordpress blogs, Server Message Block (SMB) users and shares, Simple Mail Transfer Protocol (SMTP) users, Session Initiation Protocol (SIP) users, and even SMTP and Telnet authentications.
Disruption, Infection and Persistence
The intentions of the attacker dictate what further actions might be taken. Does the attacker want to kill a service, or hide within the network to steal information over time?
If the goal is simply to disrupt a process or service, only understanding that service—for example, knowing an outward-facing IP address of a server—can be enough. There is no need to actually penetrate a web server to disrupt a company’s ability to serve web pages, for example, because a simple DOS attack can be sufficient to break that service. In this very simple example the path to disruption shown in Figure 6.1 can be taken prior to enumeration. It may be necessary to first penetrate the network to a degree prior to breaking a service, however. For example, to attack a system or service that operates only internally (such as a supervisory system), it may first be necessary to penetrate one or more layers of defense (see the section “Disruption and Penetration of Industrial Networks”).
Once a system has been accessed, it can be infected, meaning the successful installation and execution of some type of malware code on a device. The nature of the malware could be simple or complex, ranging from botnets to more advanced rootkits and/or memory-resident malware. Once a system is infected, the attacker can do almost anything: opening backdoors, escalating privileges, spreading the infection to other devices, establishing command and control functionality, and so on.
Persistence means that the attacker’s goal is to penetrate the network and lie hidden, listening, and waiting. Malware introduced as part of a persistent threat will attempt to remain hidden. As stated in Chapter 3, “Introduction to Industrial Network Security,” this is one of the foundations of the Advanced Persistent Threat (APT). Persistence requires the following additional steps:
• Establish outbound connections or backdoors for command and control
• Continue to farm user credentials to access additional systems
• Escalate privileges and obtain data for exfiltration
• Maintain persistence by deleting logs and other evidence of the infection, rewriting legitimate services to hide command and control and other functionality, and evading detection through mutation
The last step requires that all steps in the attack process remain hidden. This could mean operating entirely in memory, or it could mean rewriting an existing service so that the outbound command and control can operate secretly within a legitimate service—something that is expected and will not raise a red flag if seen by a network security analyst (Chapter 9, “Monitoring Enclaves,” discusses how to use security monitoring tools to help detect these covert communications). Persistent threats might also include several layers of infection, with dormant “backup” malware waiting to take over if the running exfiltration services are detected and removed. In this way, the threat remains active in a new, unknown form even after the original threat has been discovered and cleaned—perhaps even more effectively, due to the unwarranted complacency that can follow “eliminating” the original threat.
Targeting an Industrial Network
While the basic hacking methods discussed above apply to industrial networks, there are additional considerations—at all stages of an attack—when targeting a control system, as illustrated in Figure 6.2. Industrial control systems, because they utilize specialized systems and protocols, present new opportunities to an attacker. However, enterprise network hacking methods remain available as well, presenting a greater overall attack surface, which can be an advantage to an attacker.
Industrial networks can be difficult to attack if properly isolated, however. The establishment of secure zones or enclaves, and a clear delineation between business, supervisory, and operational systems, provides additional layers that an attacker must penetrate before reaching the most critical—and most vulnerable—systems. Once the attacker has penetrated the surrounding enclaves, they must still discover the onward path into the control system.
Finally, in addition to normal user accounts and authentications, there are device Master/Slave relationships that can be discovered and manipulated to gain “authenticated” access to control system assets. In other words, there are Reconnaissance, Scanning, and Enumeration techniques specific to Supervisory Control and Data Acquisition (SCADA) and distributed control system (DCS) environments.
Industrial Reconnaissance
Industrial networks, protocols, assets, and systems are specialized and not commonly available, so an attacker intent on infiltrating an industrial system may focus reconnaissance efforts on information about the specific systems in use. As with enterprise hacking, reconnaissance can focus on public information about a company in order to learn the types of control system assets being used, the shift change schedule, and what other companies partner, service, or trade with the target company. Because many asset vendors use different and sometimes proprietary industrial protocols, knowing the specific assets used within the control system can indicate to an attacker what to look for in terms of systems, devices, and protocols.
Unfortunately, this information can be obtained as easily as for any other network. Websites like the Sentient Hyper-Optimized Data Access Network (SHODAN) allow Internet-connected devices to be searched by port and protocol, country, and other filters. Any server, network switch or router, or other networked device using HTTP, FTP, SSH or Telnet is indexed by SHODAN (shodanhq.com). As a result, the site can easily identify devices utilizing SCADA protocols over any of these services (as seen in Figure 6.3). This is an important step, as control systems are not easily procured, and therefore not easily reverse-engineered to find vulnerabilities. However, by understanding the control system devices in use, the attacker is able to look for existing well-known vulnerabilities, or acquire device-specific research through backchannels in order to determine vulnerabilities or backdoors. For example, in the case of Stuxnet, a hard-coded authentication process was used to gain access to the target Programmable Logic Controllers (PLCs). There has been much speculation about how a malware author might know this “insider information.” It could have been someone with insider knowledge, access to a production DCS, or—depending upon the sophistication of the attacker—this level of industrial-grade information could have been obtained via the deployment of APTs intent on discovering control system schematics, source code, and other information. Black market information sources might already possess the information from existing APTs.
Scanning Industrial Networks
As mentioned in the section “Scanning,” a network scan can identify hosts as well as the ports and services those hosts are using. In industrial networks, network scanning works in much the same way. The results of the scan can quickly identify SCADA and DCS communications, allowing the attacker to focus on these items. For example, a device found using port 502 is known to be using Modbus and is therefore very likely an HMI system or some supervisory workstation that is communicating with the HMI (see Table 6.1).
Table 6.1 SCADA and DCS Well-known Ports and Services

| Port | Service |
|---|---|
| 102 | ICCP |
| 502 | Modbus TCP |
| 530 | RPC |
| 593 | HTTP RPC |
| 2222 | Ethernet/IP |
| 4840 | OPC UA |
| 4843 | OPC UA over TLS/SSL |
| 19999 | DNP-Sec |
| 20000 | DNP3 |
| 34962–34964 | Profinet |
| 34980 | EtherCAT |
| 44818 | Ethernet/IP |
However, there is a caveat when scanning industrial networks: because many industrial network protocols are extremely sensitive to latency and/or latency variation (jitter), a “hard scan” could actually cause the industrial network to fail. The lesson here is that, if the intention is disruption of services, all it takes is a simple network scan to achieve that goal. It is easy enough to scan through a firewall, meaning that if real-time protocols are only protected by a firewall, they are highly prone to DOS attacks using very basic hacking techniques. If the goal of the attacker is more complex, network scans need to be performed more sensitively. This means using a “soft scan” rather than large sweeps—for example, inspecting router tables or even sniffing traffic passively (see the section “Determining Vulnerabilities”). Successful scan results can quickly map known SCADA and DCS systems by filtering on the ports and services listed in Table 6.1.
Caution: Table 6.1 is only a partial list of some of the more common industrial ports and services. Many industrial devices utilize proprietary or unregistered port numbers. Always consult asset documentation to determine if special ports are used, and for what service, so that a comprehensive list of SCADA and DCS ports can be built.
Once a target system is identified, scanning can continue—this time using the inherent functions of the industrial network protocols rather than commercial scanning tools. The following examples obtain device information from industrial networks:
• Sniffing Ethernet/IP traffic to obtain Critical Infrastructure Protection (CIP) device identifiers and attributes
• Sweeping DNP3 requests that solicit a response (e.g., REQUEST_LINK_STATUS) to discover DNP3 slave addresses
• Capture an EtherCAT frame or a SERCOS III Master Data Telegram to obtain all slave devices and time synchronization information
Each industrial protocol utilizes its own function codes, and some proprietary function codes may be used on specific devices (necessitating some reconnaissance). For example, on SERCOS (Serial Real-time Communications System) networks, all slave devices can be easily identified via a short packet capture, as all communications to all nodes are packaged into a common message. Obtaining a SERCOS Master Data Telegram may also allow an attacker to identify designated time slots for communications to a specific device, as well as what cycles are available for open TCP/IP use.
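A defender-side check for the DNP3 address sweep described above, added here as an example and not taken from the book: it parses the DNP3 data link header of captured frames (start bytes, length, control byte, destination and source addresses, CRC-16/DNP) and flags any source that asks many distinct destination addresses for link status within a short window. The capture is a constructed in-memory sample; the small frame-assembly helper exists only to build that sample, and no traffic is sent.

```python
"""Detect DNP3 REQUEST_LINK_STATUS sweeps in captured link-layer frames."""
from collections import defaultdict

START = b"\x05\x64"           # DNP3 data link start bytes
REQUEST_LINK_STATUS = 9       # primary-station function code (control bits 0-3)
PRM = 0x40                    # control byte bit 6: frame comes from the primary station


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0x3D65 (0xA6BC), init 0, output inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def parse_link_header(frame: bytes):
    """Return (function_code, is_primary, dest, src), or None if the 10-byte
    header block is absent, malformed, or fails its CRC."""
    if len(frame) < 10 or frame[:2] != START:
        return None
    header, crc = frame[:8], int.from_bytes(frame[8:10], "little")
    if dnp3_crc(header) != crc or header[2] < 5:   # length counts ctrl+dest+src(+data)
        return None
    ctrl = header[3]
    dest = int.from_bytes(header[4:6], "little")
    src = int.from_bytes(header[6:8], "little")
    return ctrl & 0x0F, bool(ctrl & PRM), dest, src


def find_link_status_sweeps(frames, window_s=10.0, min_targets=8):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns
    {src: set_of_destinations} for every source that sent REQUEST_LINK_STATUS
    to at least min_targets distinct destinations inside any window_s window."""
    seen = defaultdict(list)                      # src -> [(ts, dest)]
    for ts, frame in frames:
        parsed = parse_link_header(frame)
        if not parsed:
            continue
        fc, primary, dest, src = parsed
        if primary and fc == REQUEST_LINK_STATUS:
            seen[src].append((ts, dest))
    alerts = {}
    for src, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window_s}
            if len(targets) >= min_targets:
                alerts[src] = targets
                break
    return alerts


def build_link_header(ctrl: int, dest: int, src: int) -> bytes:
    """Assemble a header-only link frame; used solely to construct the sample below."""
    header = START + bytes([5, ctrl]) + dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    return header + dnp3_crc(header).to_bytes(2, "little")


# Constructed sample capture (not real traffic): master 1024 sends normal
# unconfirmed user data (ctrl 0xC4 = DIR|PRM|FC4) to outstation 1, while
# address 2000 asks twelve different addresses for link status
# (ctrl 0xC9 = DIR|PRM|FC9) within three seconds.
SAMPLE = [(0.0, build_link_header(0xC4, 1, 1024))]
SAMPLE += [(1.0 + 0.25 * i, build_link_header(0xC9, i, 2000)) for i in range(12)]

if __name__ == "__main__":
    for src, targets in find_link_status_sweeps(SAMPLE).items():
        print(f"link-status sweep from address {src}: {len(targets)} destinations")
```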
Again, Stuxnet has exemplified the disruptive potential of this type of scanning. Once Stuxnet establishes itself in the logic of a target PLC, it listens to Profibus communications using these same techniques in order to detect specific frequency settings of specific frequency controllers. Stuxnet then manipulates the PLC outputs in order to sabotage the process.
Note: Scanning an industrial network can effectively act as a DOS attack. Because many industrial protocols are real time, and the processes tightly synchronized, the introduction of additional packets into a real-time network can be disruptive. This means that an attacker who does not want to immediately disrupt an industrial network may scan quietly: performing low-and-slow scans, or using the “scan and spread” methodology of Stuxnet, where the malware crawls invasively but quietly through the network, examining its surroundings as it goes in order to find target systems, rather than performing fast and loud sweeps.
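The following added example (not code from the book) serves both the Table 6.1 port list with its Caution about proprietary ports, and the Note above on scanning as a DOS: it reads constructed one-line-per-flow log records, tags each destination with the SCADA/DCS service from Table 6.1 (or from a site-supplied asset-documentation table), and rates every source touching ICS ports as a “soft” or “hard” scanner from its peak probe rate. The flow-line format, the addresses and the port 5094 “Vendor X” entry are all constructed assumptions.

```python
"""Tag flow records with Table 6.1 services and rate sources as soft/hard scanners."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port table from Table 6.1 (port -> service). Extend via asset_ports for
# proprietary or unregistered ports documented by the asset vendor.
ICS_PORTS = {
    102: "ICCP", 502: "Modbus TCP", 530: "RPC", 593: "HTTP RPC",
    2222: "Ethernet/IP", 4840: "OPC UA", 4843: "OPC UA over TLS/SSL",
    19999: "DNP-Sec", 20000: "DNP3", 34962: "Profinet", 34963: "Profinet",
    34964: "Profinet", 34980: "EtherCAT", 44818: "Ethernet/IP",
}

FLOW_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


def parse_flow(line, asset_ports=None):
    """Parse one constructed flow line; 'service' comes from the site's asset
    documentation first, then Table 6.1, else None (not a known ICS port)."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    rec["service"] = (asset_ports or {}).get(rec["dport"]) or ICS_PORTS.get(rec["dport"])
    return rec


def ics_inventory(lines, asset_ports=None, exclude=()):
    """Destination host -> set of ICS services it was contacted on. Flow logs
    record attempts, not answers, so pass known scanner sources in `exclude`
    to keep their probes from polluting the inventory."""
    inv = defaultdict(set)
    for line in lines:
        rec = parse_flow(line, asset_ports)
        if rec and rec["service"] and rec["src"] not in exclude:
            inv[rec["dst"]].add(rec["service"])
    return dict(inv)


def classify_scanners(lines, asset_ports=None, window_s=10, hard_rate=2.0):
    """For each source touching two or more distinct ICS (dst, port) targets,
    report the target count and peak probes/second over any window_s window;
    a peak at or above hard_rate is 'hard' (likely to disturb latency-sensitive
    protocols), otherwise 'soft'. Single-peer traffic is normal polling."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_flow(line, asset_ports)
        if rec and rec["service"]:
            events[rec["src"]].append((rec["ts"], (rec["dst"], rec["dport"])))
    report = {}
    for src, evs in events.items():
        evs.sort()
        targets = {t for _, t in evs}
        if len(targets) < 2:
            continue
        peak = 0.0
        for i, (t0, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_s]
            peak = max(peak, len(in_win) / window_s)
        report[src] = {"targets": len(targets), "peak_rate": peak,
                       "kind": "hard" if peak >= hard_rate else "soft"}
    return report


def build_sample_lines():
    """Constructed flow log: an HMI polling one PLC, an engineering workstation
    touching three hosts over minutes, and a sweep of 40 hosts on two ports."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "{ts} src={src} dst={dst} proto=tcp dport={dport}"
    lines = [fmt.format(ts=(base + timedelta(seconds=s)).isoformat(),
                        src="10.1.1.5", dst="10.2.0.10", dport=502) for s in range(30)]
    lines += [fmt.format(ts=(base + timedelta(seconds=60 * k)).isoformat(),
                         src="10.1.1.20", dst=f"10.2.0.{10 + k}", dport=44818) for k in range(3)]
    lines += [fmt.format(ts=(base + timedelta(milliseconds=100 * k)).isoformat(),
                         src="10.1.9.99", dst=f"10.2.0.{1 + k % 40}",
                         dport=502 if k < 40 else 20000) for k in range(80)]
    return lines


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    scanners = classify_scanners(SAMPLE_LINES)
    hard = {s for s, r in scanners.items() if r["kind"] == "hard"}
    print(scanners)
    print(ics_inventory(SAMPLE_LINES, exclude=hard))
```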
Enumerating Industrial Networks
Because many industrial systems are Windows based, Windows user accounts can be enumerated in standard ways, and the results are fully applicable to industrial operations. This is especially true of OPC Classic systems that rely on Windows OLE and DCOM, where obtaining authentication to the host allows essentially full control over the OPC environment. However, despite the lack of authentication in the underlying network protocols, enumeration can extend to specific identities and roles within a control system. Useful authentication information might include the following:
• ICCP server credentials (the bilateral table)
• Master node addresses (for any Master/Slave industrial protocol)
• Historian database authentication
Accessing an HMI would allow direct control of that HMI’s managed processes, and/or theft of information about that process. Obtaining ICCP server credentials would allow an ICCP server to be spoofed, enabling an attacker to either steal or manipulate information being transmitted between control centers. If a Master node address is obtained, the attacker could spoof that Master node, obtaining control over a control loop without requiring access to the HMI (the attacker could inject function codes directly on the bus at this point).
In many cases, user roles and privileges are stored centrally, in an LDAP or an Active Directory server, providing attackers with a clear target for enumeration attempts. This is why it is important to functionally isolate both physical devices and logical services into established enclaves. This is also why NIST 800-82 (Guide to Industrial Control Systems [ICS] Security) recommends using a combination of account verification methods, including “something known (e.g., PIN number or password), something possessed (e.g., key, dongle, smart card), something you are such as a biological characteristic (e.g., fingerprint, retinal signature), a location (e.g., Global Positioning System [GPS] location access), the time when a request is made, or a combination of these attributes.” By abstracting authentication across multiple physical and digital attributes, enumeration becomes very difficult and can be effectively limited. That is, it may be possible to obtain a username or even a password, but full authentication remains elusive.
Disruption and Penetration of Industrial Networks
As mentioned in the section “Scanning Industrial Networks,” simply scanning an industrial network can be enough to disrupt it: many of the industrial protocols are sensitive enough that the introduction of a significant amount of unexpected traffic will result in protocol failure, and an effective DOS condition. This is a significant concern: it is possible to perform a network scan through a firewall, and even easier to packet-flood through an open port on a firewall. That is, by identifying what traffic is allowed through the firewall, the attacker can then use allowed traffic to scan through the firewall, using a soft scan for true reconnaissance or a hard scan for disruption of service. If the firewall is well configured, a scan may not be possible, but all firewalls will allow some traffic through. By spoofing legitimate communications, abnormal amounts of traffic can be injected into a control network, causing a DOS.
Tip: The more strictly defined a firewall’s rules are, the more difficult it will be to identify and spoof “allowed” traffic. When configuring a firewall, always begin with “deny all,” and then configure “allow” rules according to the following guidelines:
1. Only “allow” traffic that is absolutely necessary for the operation of the devices specific to the enclave that is being secured. If too many “allow” conditions are needed, consider breaking the enclave into additional functional groups.
2. Always explicitly define the source and destination IP address and port. That is, use “allow from [a specific IP address and port] to [a specific IP address and port]” rather than “allow all from [a specific IP address].”
3. Especially for critical control systems, supplement the firewall with an IDS/IPS, application monitor or similar device to detect hidden channels or exploits inside of allowed protocols. An IDS/IPS with rate-based anomaly detection, for example, could detect and prevent a potentially disruptive packet-flood condition.
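An added example (not from the book or any firewall product) that checks an enclave policy against guidelines 1 and 2 of the Tip above: rules are plain Python dicts evaluated in first-match order, the linter reports allow rules that leave source, destination or destination port as “any” and policies that lack a terminal deny-all, and a weak policy is shown beside its corrected form. The addresses and the allow-rule threshold are constructed assumptions; guideline 3 (IDS/IPS) is outside the scope of this check.

```python
"""Lint an enclave firewall policy for the deny-all / explicit-endpoint guidelines."""

ANY = "any"
FIELDS = ("proto", "src", "sport", "dst", "dport")


def evaluate(rules, pkt):
    """First-match evaluation. A policy without a final deny falls through to
    allow here, modelling the unsafe default the Tip says to avoid."""
    for rule in rules:
        if all(rule[k] == ANY or rule[k] == pkt[k] for k in FIELDS):
            return rule["action"]
    return "allow"


def lint(rules, max_allows=10):
    """Return a list of findings; an empty list means the policy passes.
    Source ports are left to site policy because clients use ephemeral ports,
    so only src, dst and dport are required to be explicit."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or last["action"] != "deny" or any(last[k] != ANY for k in FIELDS):
        findings.append("no terminal deny-all rule: unmatched traffic is allowed")
    allows = [r for r in rules if r["action"] == "allow"]
    for i, rule in enumerate(allows):
        for k in ("src", "dst", "dport"):
            if rule[k] == ANY:
                findings.append(f"allow rule {i}: {k} is 'any'; define it explicitly")
    if len(allows) > max_allows:
        findings.append(f"{len(allows)} allow rules: consider splitting the enclave")
    return findings


def rule(action, proto, src, sport, dst, dport):
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


# Weak policy (constructed): HMI may reach anything, and anyone may reach the
# PLC's Modbus port; there is no terminal deny.
WEAK_POLICY = [
    rule("allow", "tcp", "10.1.1.5", ANY, ANY, ANY),
    rule("allow", "tcp", ANY, ANY, "10.2.0.10", 502),
]

# Corrected policy: one explicit allow per required conversation, then deny all.
HARDENED_POLICY = [
    rule("allow", "tcp", "10.1.1.5", ANY, "10.2.0.10", 502),     # HMI -> PLC Modbus TCP
    rule("allow", "tcp", "10.1.1.5", ANY, "10.2.0.11", 44818),   # HMI -> drive Ethernet/IP
    rule("deny", ANY, ANY, ANY, ANY, ANY),
]

# Constructed packets: a legitimate HMI poll and a rogue host reaching for the PLC.
HMI_POLL = {"proto": "tcp", "src": "10.1.1.5", "sport": 40001, "dst": "10.2.0.10", "dport": 502}
ROGUE = {"proto": "tcp", "src": "10.1.9.99", "sport": 40002, "dst": "10.2.0.10", "dport": 502}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint(policy) or "OK",
              "rogue->PLC:", evaluate(policy, ROGUE), "HMI->PLC:", evaluate(policy, HMI_POLL))
```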
If the goal is not disruption but penetration (and possibly persistence), we can again look to Stuxnet as an example of the types of infiltration techniques that might be deployed. Stuxnet employs a variety of scanning and mutation mechanisms for industrial network penetration. By looking for specific conditions in the network environment before performing additional tasks, Stuxnet is able to distribute itself widely while maintaining a very focused target. Stuxnet reacts to its environment as follows:
• In the “enterprise phase” it looks for a target HMI before mutating to penetrate the HMI.
• In the “industrial phase” it infects the HMI, looks for target PLCs, and then again mutates, injecting malware into the PLC.
• In the “operational phase” it uses the PLC to look for certain IEDs operating with specific parameters before injecting commands to sabotage the process.
This simplified description of how Stuxnet operates highlights the following important considerations:
• The initial attack vectors leverage common enterprise hacking techniques.
• A compromised SCADA or DCS asset can be used to detect and penetrate additional industrial systems.
• Even “nonroutable” systems (such as a fieldbus consisting of PLCs and IEDs) are susceptible to infection, and can be used to penetrate even further into the industrial process.
Threat Agents
Industrial networks are different in many ways from enterprise networks, and as such they attract a different type of attacker. Who would want to deliberately breach an industrial network? An attack on an industrial network is not difficult, although it does require specialized knowledge, and therefore the attacker will require more resources. There is also no obvious benefit to attacking most industrial networks, as there might be with a financial services network or a retailer. The bad news is that there are attackers, and they fall into several distinct classes. The Government Accountability Office (GAO) has identified several classes of attackers, or “threat agents” in DHS parlance. They include the following:
• General hackers looking for individual prestige (referred to as “attackers” by the GAO, although the term “attacker” is used more generally in this book to refer to any threat)
• Botnet operators and spammers, identified as having the same skill sets as general hackers, but with the intent of further distributing spambots and other botnets
• Criminal groups looking to obtain money, either as ransom against the threat of a disruptive attack, or through direct monetary theft
• Insiders, including disgruntled employees, technology or business partners, or recently terminated employees or partners
• Phishers, treating industrial networks as another population of users susceptible to identity theft
• Spyware and malware authors
• Foreign intelligence services, as part of information gathering and espionage efforts
• Terrorists, seeking to destroy or disrupt critical infrastructures
• Industrial spies, who—much like foreign intelligence services—perform espionage, but for the purpose of acquiring intellectual property from competitive companies and/or nations
At first, the list of identified threat agents does not stand apart from what might be expected from an enterprise network attacker. However, the last three (foreign intelligence agencies, terrorists, and industrial spies) quickly put the risk of industrial network attack in perspective. Mapping the GAO’s classifications to the likelihood and sophistication of an attack (as depicted in Chapter 2, “About Industrial Networks,” Figure 2.2), we can now also see the consequences of such an attack, as illustrated in Figure 6.4.