C. Paulino, SCADA Security - Florida Gulf Coast University
Contents
1. [Screenshot residue] Fig. 26: Log into Metasploit. The rest of this page is Internet Explorer and Metasploit Community overview chrome: 0 hosts discovered, 0 sessions opened, 0 services detected, 0 passwords cracked, 0 SMB hashes stolen, 0 SSH keys stolen; recent events: Nov 16, user login successful, remote login from 127.0.0.1.
2. [Screenshot residue] Fig. 18: Start Wireshark packet capturing. Legible capture detail in that figure: Frame 1, 60 bytes on wire (480 bits), Ethernet II from Pfu_cc:ae:40 (00:80:17:cc:ae:40) to broadcast (ff:ff:ff:ff:ff:ff), IPv4 69.88.163.30 to 255.255.255.255, UDP src port dcutility (1044), dst port d2000kernel (3119), 9 bytes of data. Fig. 19: Open SCADA FrontEnd. Fig. 20: Log into SCADA FrontEnd. Fig. 21: Select view tab in SCADA FrontEnd (HyperTAC II status page, LOCAL; menu bar: VIEW, REPORTS, TOOLS, CONFIG, BUILD, PORTAL, HELP).
3. [Screenshot residue] Metasploit Community, project FGCU SCADA, account zalewski, Task 2 (Bruteforce), started 2012-11-16 09:40:18 -0500: "Bruteforcing: Complete, 0 sessions opened", duration less than a minute. The task log is a series of SNMP login attempts against 69.88.163.30:161, counting from 992/1000 to 1000/1000, each line "Trying <community string>" drawn from Metasploit's built-in wordlist.
4. MA, 2011.
   [5] PA Consulting Group and CPNI, Good Practice Guide: Process Control and SCADA Security, PA Consulting Group and CPNI, London.
   [6] P. Aubin, SCADA Communications Security: Authentication, Encryption, Integration, www.controlmicrosystems.com.
   [7] G. A. Cagalaban, Y. So, S. Kim, SCADA Network Insecurity: Securing Critical Infrastructures through SCADA Security Exploitation, Journal of Security Engineering.
   [8] D. Kilman, J. Stamp, Framework for SCADA Security Policy, Sandia National Laboratories, Albuquerque, NM.
   [9] C. Neuman, Understanding Trust and Security in SCADA Systems, Information Sciences Institute, University of Southern California.
   [10] H. Ko, Application of Asymmetric-key Encryption Method for Internet-based SCADA Security, Journal of Security Engineering.
   [11] J. Caswell, Survey of Industrial Control Systems Security, www.cse.wustl.edu/~jain/cse571-11/ftp/ics/index.html.
   [12] S. Panguluri, W. R. Phillips Jr., R. M. Clark, Cyber Threats and IT/SCADA System Vulnerability, www.digitalengineeringlibrary.com.
   [13] A. Saxena, O. Pal, Z. Saquib, D. Patel, Customized PKI for SCADA System, Int. J. of Advanced Networking and Applications, Vol. 01, Issue 05, pp. 282-289, 2010.
   [14] T. Kim, Securing Communication of SCADA Components in Smart Grid Environment, International Journal of Systems Applications, Engineering & Development, Issue 2, Vol. 5, 2011.
   [15] R.
5. The second step was to perform an exploit test. An exploit test involves trying to take advantage of a bug, glitch, vulnerability, etc. in order to gain access to a system. The exploit test ended after three minutes with the attack being unsuccessful. Wireshark: Wireshark testing was the last part of the analysis done. It was used to analyze packets being sent to and from the SCADA server. After starting a packet capturing session, the workstation was used to log on to the SCADA server. After viewing the current summary of the SCADA system, the packet capturing session was terminated. The packets were filtered down to just the ones related to the SCADA system. These packets were analyzed to show how strong the system's login security was. The security proved to be strong, and thus ended the analysis. 3. Definition of the Problem. A specific SCADA system may have critical importance to the system's infrastructure, which makes security extremely important. Because SCADA systems work on a network, they are vulnerable to attack. Important information may be stolen, an operator may be locked out at a critical time, and the control may be disrupted. Many SCADA system operations are delicate; if one is interrupted, it may result in large amounts of damaged equipment, injury to humans, or even death [3]. For this project the focus is on network intrusions through viruses, worms and other types of malicious code. A key element for any network to protect a
6. Launch Bruteforce button at the bottom (Figure 30). Last, go back to Overview and run an exploit test by clicking the Exploit button under the Penetration section. Make sure the only IP address in the target addresses box is the SCADA server address. Start the test by clicking the Exploit button (Figure 31). Refer to the Implementation section for the experimentation results. Figures for Metasploit user manual: [Screenshot residue] Internet Explorer opening the Metasploit Web UI at https://localhost:3790 and showing its certificate warning: "There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website."
7. [Screenshot residue, end of Fig. 14] Social Engineering: 0 campaigns created. Recent events: Nov 16 09:41:06, zalewski, module complete, auxiliary/pro/bruteforce; Nov 16 09:41:06, zalewski, module complete, auxiliary/scanner/snmp/snmp_login; 11/16/2012. Fig. 14: Metasploit results overview. Appendix A: User Manual. Wireshark:
   1. Turn on the SCADA workstation and log in under the username Zaleski with the password ikselaz.
   2. Start Wireshark from the Windows start menu (Figure 15).
   3. Once inside Wireshark, from the Capture dropdown menu choose the Interface option. This brings up the window with Ethernet card information, in which the MAC card has to be selected (Figure 16 and Figure 17).
   4. Start the packet capturing process by going to the Capture dropdown menu and clicking Start (Figure 18). This results in a packet capturing screen (Figure 18A).
   5. Open SCADA FrontEnd from the desktop icon (Figure 19).
   6. Log in under the username mgr. The password is htiimgr (Figure 20).
   7. Open up the customized view for the SCADA server. First click the View button and then click the Custom button (Figure 21, Figure 22 and Figure 23).
   8. Stop the packet capturing process (Figure 24).
   9. The results can now be viewed. The Implementation section shows the experimentation results from the packets captured.
   Figures for Wireshark user manual: Fig. 15: Opening Wireshark.
8. [Screenshot residue, end of Fig. 27] Recent event: Nov 18 09:25:44, user logout. Fig. 28: FGCU SCADA project page in Metasploit. Next screenshot (the scan Target Settings page, Figure 29 in the user manual): target addresses 10.100.33.1-254 and 69.88.163.30, Show Advanced Options; Metasploit Community 4.4.0 Update 1, 2010-2012 Rapid7 Inc., Boston, MA. Next screenshot (start of Fig. 30, bruteforce Target Addresses box, Depth: normal, Toggle All Services; columns Service, Description, Lockout Risk): Postgres, PostgreSQL database, low; MySQL, MySQL database, medium; MSSQL, Microsoft SQL Server database, medium; Oracle, Oracle RDBMS server, low; HTTP, HTTP server basic authentication, low; HTTPS, HTTPS server basic authentication, low; SSH, Secure Shell server, medium; SSH public key, Secure Shell server public key authentication, low; Telnet, Telnet server, low; FTP, File Transfer Protocol, low; POP3, Post Office Protocol
9. [Screenshot residue, Fig. 7] Frame of 608 bytes on wire (4864 bits), 608 bytes captured on interface 0; Ethernet II from HewlettP_25:e0:0d (08:2e:5f:25:e0:0d) to Pfu_cc:ae:40 (00:80:17:cc:ae:40); TCP src port 50354, dst port http (80), Seq 1, Ack 1, Len 554; hex dump; status bar: File C:\Users\ZALEWS~1\AppData\Local\T..., Packets 534, Displayed 534, Marked 0, Dropped 0, Profile Default. Fig. 7: Wireshark, all packets. The Wireshark results were filtered to include only packets sent from the workstation to the SCADA server, as shown in Figure 8. The filtering is done by entering an expression into the filter text box. The filter text box is highlighted green in Figure 8. To filter by IP address, both the source and destination addresses are required. The display filter used to keep only traffic from the workstation to the SCADA server is:

   ip.src == 69.88.163.28 and ip.dst == 69.88.163.30

   [Screenshot residue, start of Fig. 8] Capturing on Intel(R) 82579LM Gigabit Network Connection (Device\NPF_{47A9AF1B-9E17-4670-9E55-49FD9BE08A98}), Wireshark 1.8.3 (SVN Rev 45256 from /trunk-1.8); menu: File, Edit, View, Go, Capture, Analyze, Statistics, Telephony, Tools, Internals, Help.
10. [Screenshot residue, end of Fig. 12] SNMP login attempts 995/1000 to 1000/1000 against 69.88.163.30:161 (trying beckham, simone, nursing, iloveyou, eugene, torres); 09:41:06 Attributing credential sources; Rapid7 Support Center. Fig. 12: Metasploit bruteforce test results. The last test is an exploit test. An exploit test checks for any faults in the SCADA server and attempts to use them to get into the server. The exploit tests against the SCADA server failed, which means there weren't any faults detected by Metasploit that could be abused. The results of this test are shown in Figure 13. The overall results page of all the tests is displayed in Figure 14. [Screenshot residue, start of Fig. 13] https://localhost:3790/workspaces/2/tasks/3 (certificate error), Metasploit Task 3, project FGCU SCADA, account zalewski, Administration, Community, Help.
11. D. Dillinger, M. A. Rumsey, Communication Vulnerabilities and Mitigations in Wind Power SCADA Systems, Sandia National Laboratories, MS 0708, Albuquerque, New Mexico, 2003.
   [25] J. Mamos, SCADA Information Security Management Guide.
   [26] E. Udassin, Control System Attack Vectors and Examples: Field Site and Corporate Network, www.c4-security.com, 2008.
   [27] R. K. Fink, D. F. Spencer, R. A. Wells, Lessons Learned from Cyber Security Assessment of SCADA and Energy Management Systems, U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability, 2006.
   [28] A. McIntyre, B. Becker, R. Halbgewachs, Security Metrics for Process Control Systems, Sandia National Laboratories, Albuquerque, New Mexico, 2007.
   [29] R. E. Johnson, Survey of SCADA Security Challenges and Potential Attack Vectors, International Conference for Internet Technology and Secured Transactions (ICITST), 8-11 Nov. 2010.
   [30] Riverbed Technology, Wireshark, www.wireshark.com.
   [31] Rapid7, Metasploit, www.metasploit.com.
12. [Screenshot residue, Fig. 8] Filter: ip.src == 69.88.163.28 and ip.dst == 69.88.163.30 (Clear, Apply, Save). Packet list columns: No., Time, Source, Destination, Protocol, Length, Info; packet 63: 69.88.163.28 to 69.88.163.30, TCP, 66 bytes, 50354 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1. Frame 6: 66 bytes on wire (528 bits), 66 bytes captured on interface 0; Ethernet II from HewlettP_25:e0:0d (08:2e:5f:25:e0:0d) to Pfu_cc:ae:40 (00:80:17:cc:ae:40); hex dump; status bar: Packets 534, Displayed 151, Marked 0, Dropped 0, Profile Default. Fig. 8: Wireshark, workstation to SCADA server packets. Next, Wireshark was filtered even further to highlight the login packet. This is shown in Figure 9. It was found by using the Ctrl+F (Find Packet) function. After pressing Ctrl+F, "String" needs to be selected, and then any string that resides in the list of packets can be found. In this case the search string was mgr, which is the username. The username was searched for until the packet that displayed both the username and the key was reached. That packet is the one that was used to log in. [Screenshot residue, start of Fig. 9] Intel(R) 82579LM Gigabit Network Connection (Device\NPF_{47A9AF1B-9E17-4670-9E55-48FD9BE08A98}), Wireshark 1.8.3.
13. J. Robles, M. Choi, E. Cho, S. Kim, G. Park, S. Yeo, Vulnerabilities in SCADA and Critical Infrastructure Systems, International Journal of Future Generation Communication and Networking.
   [16] J. St. Sauver, SCADA Security, NLANR/Internet2 Joint Techs Meeting, Columbus, OH, July 21, 2004.
   [17] A. N. Mahmood, C. Leckie, J. Hu, Z. Tari, M. Atiquzzaman, Network Traffic Analysis and SCADA Security.
   [18] The President's Critical Infrastructure Protection Board, 21 Steps to Improve Cyber Security of SCADA Networks, The President's Critical Infrastructure Protection Board.
   [19] Riptech Inc., Understanding SCADA System Security Vulnerabilities, Riptech Inc., 2001.
   [20] Intelligent Systems Research Laboratory, Technical Report TR-ISRL-04-01, Security Considerations in SCADA Communication Protocols, Dept. of Computer Engineering and Computer Science, University of Louisville, Louisville, KY, 2004.
   [21] PA Consulting Group and NISCC, Good Practice Guide: Process Control and SCADA Security, PA Consulting Group, London.
   [22] Office of the Manager, National Communications System, Supervisory Control and Data Acquisition (SCADA) Systems, Office of the Manager, National Communications System, Arlington, VA, 2004.
   [23] R. K. Fink, D. F. Spencer, R. A. Wells, Lessons Learned from Cyber Security Assessments of SCADA and Energy Management Systems, National SCADA Test Bed, 2006.
   [24] W. F. Young, J. E. Stamp, and J.
14. [Screenshot residue] End of Fig. 21: SCADA FrontEnd banner, DFS Data Flow Systems, HELP. Fig. 22: Select custom view tab in SCADA FrontEnd. HyperTAC II status page (LOCAL; VIEW, REPORTS, TOOLS, CONFIG, BUILD, PORTAL, HELP): Links, HSU Status RUNNING, Server Date, Server Time, Map Screen, District Screen, Local Area Screen; ISU DC Power NORMAL, ISU AC Power NORMAL. Fig. 23: SCADA server statistics. Start of Fig. 24: Wireshark 1.8.3 (SVN Rev 45256 from /trunk-1.8) capturing from Intel(R) 82579LM Gigabit Network Connection; Frame 1, 60 bytes on wire (480 bits), 60 bytes captured on interface 0; Ethernet II from Pfu_cc:ae:40 (00:80:17:cc:ae:40) to broadcast (ff:ff:ff:ff:ff:ff); IPv4 69.88.163.30 to 255.255.255.255; UDP src port dcutility (1044), dst port d2000kernel (3119); 9 bytes of data; hex dump begins 0000 ff ff ff ff ff
15. Packet filtering process. Source: http://fengnet.com/book/Building Secure Servers with Linux/bssrvrlnx-CHP-2-SECT-5.html. 5. Implementation. The first step is to see what connections are running on the SCADA server. The tests were conducted via PuTTY on the workstation through an SSH connection. The command netstat -at was entered, and all active TCP connections going through the network device were displayed. The results are shown in Figure 4. Fig. 4: Active TCP Internet Connections. Next, the command netstat -l was entered to display the active connections on UDP network communication. The results are shown in Figure 5. [Screenshot residue, Fig. 5] [mgr@HyperTACII mgr]$ netstat -l; Active Internet connections (only servers); columns Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State; the legible tcp entries in LISTEN state include sunrpc, printer, ftp, time, telnet, login, finger and port 1104; the legible udp entries include ports 1044, 1043, 1042, 1041, 1040 and 1035 (the rest of the listing is unreadable OCR). Fig. 5: Active Network UDP Connections. The last netstat command that was run was netstat -x. Thi
16. RTU [3]. This is illustrated in Figure 1. [Figure residue: SCADA Architecture, DAS] Fig. 1: Typical SCADA system setup. Source: http://isc.sans.edu/diary.html?storyid=13927. For this project there is one RTU, one controller and a workstation connected to the controller. The operator uses a web-based human machine interface (HMI) to control and monitor the system. The RTU and supervisory station are shown in Figure 2. This project focuses on the security aspect of a SCADA system. There are many issues in security when it comes to a SCADA system. Some examples are: Encryption and Authentication; Network Traffic Analysis; Common Security Vulnerabilities. Fig. 2: SCADA system RTU in the Florida Gulf Coast University CS lab. 1.1 Encryption and Authentication. Encryption hides the data, and authentication forces the sender of data to prove their identity. SCADA communication security standards are set in place to protect the system from spoofing, encryption attacks, signature attacks, protocol attacks, replay of messages, data tampering and eavesdropping [6]. Spoofing is when a third party pretends to be one of the communication devices. An encryption attack is an attempt at cracking the encrypted code that protects the data. A signature attack attempts to crack the secret code that proves data hasn't been changed. A protocol attack is an injection of unintended messages, such as misleading data or unintended controls. Replaying messages is when a
17. SCADA Security. Christian Paulino. Instructor: Janusz Zalewski. CEN 4935 Software Project in Computer Networks, Florida Gulf Coast University, 10501 FGCU Blvd. S., Fort Myers, FL 33965-6565. Fall 2012, Draft 9, Submission Date: December 8, 2012. Introduction. SCADA stands for Supervisory Control and Data Acquisition. SCADA systems are an important part of most nations' infrastructures. They control a wide variety of operations such as pipelines, chemical plants, power plants, water management systems, etc. Because a SCADA system provides remote monitoring and control, it is perfect for industrial operations that could be hazardous to an operator. SCADA has come a long way since it was developed in 1960. Low-cost microcomputers made computer control of process and manufacturing operations feasible. Programmable logic controllers, also known as PLCs, introduced relay ladder logic to control industrial processes. They allowed engineers to program in relay logic instead of using programming languages and operating systems. Initially, control systems were only accessed locally. With the evolution of microcomputers, PLCs, standard computers, operating systems and networks, SCADA has expanded into distributed systems. SCADA now allows real-time remote monitoring and control of distant operations. The typical SCADA system is networked with a master terminal unit (MTU), one or more controllers for communication, and one or more remote terminal units
18. [Screenshot residue, Fig. 9] Wireshark 1.8.3 (SVN Rev 45256 from /trunk-1.8); Filter: ip.src == 69.88.163.28 and ip.dst == 69.88.163.30. Frame 214: 608 bytes on wire (4864 bits), 608 bytes captured on interface 0; Ethernet II from HewlettP_25:e0:0d (08:2e:5f:25:e0:0d) to Pfu_cc:ae:40 (00:80:17:cc:ae:40); Internet Protocol Version 4, Src 69.88.163.28, Dst 69.88.163.30; Transmission Control Protocol, Src Port 50354, Dst Port http (80), Seq 1, Ack 1, Len 554; Hypertext Transfer Protocol; hex dump; status bar: Packets 534, Displayed 151, Marked 0, Dropped 0, Profile Default. Fig. 9: Wireshark login packet. The last step is to see how the SCADA server fares against attacks. This is done with a penetration testing tool called Metasploit. Metasploit is software that has various penetration tests built into it [31]. Before running any tests, th
19. [Screenshot residue, Fig. 11] Metasploit Analysis > Hosts (columns: IP Address, Hostname, Operating System, VM, Purpose, Svcs, Vlns, Act, Notes, Updated), showing 1 to 6 of 6 entries: two iOS devices and an unknown device on 10.100.33.x, a Microsoft Windows 7 Starter 7601 Service Pack 1 PC at 10.100.33.10, and 69.88.163.30 identified as a Red Hat server; all scanned 2-3 minutes ago; Metasploit Community 4.4.0 Update 1, 2010-2012 Rapid7 Inc., Boston, MA; 11/16/2012. Fig. 11: Metasploit detected IP addresses. After the SCADA server is detected, the penetration tests can start. The first test is the bruteforce test. A brute force test checks how secure the SCADA server's keys are: Metasploit generates a large number of different keys and attempts to enter the SCADA server with each one. In this experiment the test failed. That means that the SCADA server is secure against a brute force attack. Figure 12 shows the results of the test. [Screenshot residue, start of Fig. 12] https://localhost:3790/workspaces/2/tasks/2 (certificate error), Metasploit.
20. ate partners may not be protected by a firewall. Dial-up modem access is unnecessarily granted, and dial access policies are often forgone. Firewalls are not implemented internally, leaving little to no separation between network segments [19]. The lack of real-time monitoring creates a big security risk. If there is a large amount of data coming in from network security devices, it may be overwhelming and cause the attempt at monitoring to fail. Even if an intrusion detection system has been implemented, the network security staff can only recognize individual attacks. This stops organized attack patterns from being recognized. These common vulnerabilities within a SCADA system should be recognized and addressed from the beginning. It is important within a SCADA system to go over every detail of risk and implement measures to prevent potential security breaches [19]. 2. Previous Work. This project is a continuation of previous ones by T. Bennet [1] and M. Humphries [2]. The following section briefly outlines what was previously accomplished. 2.1 Hardware. The SCADA system for this project has already been set up. The RTU, control unit and workstation are all able to connect to each other over a network. When switches are flipped on the RTU, the workstation is able to display the status. Besides setting up the SCADA system, some analysis has been done. Florida Gulf Coast University's SCADA system is set up using Red Hat and Apac
21. e SCADA server needs to be detected. This is done by running a scan with Metasploit looking for the SCADA server's IP address, which is 69.88.163.30. The results of the scan are shown in Figure 10 and the detected IP addresses are shown in Figure 11. [Screenshot residue, Fig. 10] Metasploit Task 1 (Discover), project FGCU SCADA, account zalewski: "Discovering: Sweep of 10.100.33.1, 69.88.163.30 complete (6 new hosts, 343 new services)", Complete, Duration 2 minutes, Replay; Rapid7. Fig. 10: Metasploit scan results. [Screenshot residue, start of Fig. 11] Metasploit Hosts page, project FGCU SCADA, account zalewski.
22. [Screenshot residue, end of Fig. 24] hex dump of the captured broadcast frame; status bar: Intel(R) 82579LM Gigabit Network Connection, Packets 513, Displayed 513, Marked 0, Profile Default. Fig. 24: Stop Wireshark packet capturing. Metasploit:
   1. Open Metasploit from the Windows start menu. Navigate to the Metasploit folder and then click Access Metasploit Web UI (Figure 25).
   2. Log into the Metasploit Web UI under the username zalewski. The password is ikswelazl (Figure 26).
   3. Under the Projects tab, go to the project FGCU SCADA, click on it and scroll down. If the project has not been created yet, follow these steps: go to the Projects tab and click on Create New Project in the dropdown menu (Figure 27 and Figure 28).
   4. First scan for IP addresses. Click on the Scan button under the Discovery section. Enter the IP address of the SCADA server and then click the Launch Scan button. The SCADA server IP address is 69.88.163.30 (Figure 29).
   5. Next, go back to Overview and run a bruteforce test by clicking the Bruteforce button under the Penetration section. Make sure the only IP address in the target addresses box is the SCADA server address. Click Toggle All Services to select all options and then click the
23. gainst these kinds of risks is the firewall. The firewall needs to be configured appropriately based on the needs of the system. 4. Prospective Solution. Before the security of a system can be enhanced, information on the current level of security must be gathered and analyzed. Following the documentation of the previous project, this project will reproduce the experiment results [2]. These results are the data on the security of FGCU's SCADA system. This data needs to be analyzed to determine the possible security risks in the system. After the security risks are determined, this project will implement a way to possibly improve the security. The firewall on the SCADA server will be used to do packet filtering. Packet filtering examines the packets that are sent to the network. It checks the source IP address, the destination IP address and the internet protocols carried by the packet [3]. This process is shown in Figure 3. The Windows firewall can be configured to either permit or deny incoming packets. Rules will be created that allow only the connections necessary for operation of the project's SCADA system to enter. This will help ensure that connections with malicious intent cannot connect to the system. [Figure residue, Fig. 3] Client, Firewall (packet filter), Server: the packet is sent; the packet is examined (IP header: source and destination IP addresses; other header info ignored); the packet is passed if allowed and dropped if denied. Fig. 3:
24. he for the web server. The computers are on a Computer Science-specific network that is controlled by Extreme Networks. The Extreme Networks firewall was determined to provide industrial-strength protection against outside attacks. More analysis was done on the connection between the SCADA server and the workstation. There was a physical-layer risk only: a hacker would have to plug into the Netgear network switch that connects the workstation with the SCADA server. This was the hardware analysis of the previous project. 2.2 Software. The software analysis that was done involved using Netstat, Metasploit and Wireshark. The Netstat tests were done using an SSH connection with PuTTY on the workstation. 2.2.1 Netstat. The first step of the test displayed all active network connections running through the primary network device. The second step displayed all active connections on the UDP network communication. The third step was to display all the active UNIX domain sockets. 2.2.2 Metasploit. Metasploit was used to perform a penetration test. A penetration test is a test that simulates an attack from an outside malicious source. The first step was to do a brute force attack. What the brute force did was select all known running processes and try to crack their passwords. The processes selected were MySQL, HTTP, HTTPS, SSH, Telnet, FTP, LOGIN, SHELL and SNMP. After 7 minutes the brute force failed and showed that an attack of that level would not work.
25. [Screenshot residue, end of Fig. 30] remaining services in the bruteforce list (Service, Description, Lockout Risk): Remote Execution server, low; LOGIN, Remote Login server, low; SHELL, BSD Remote Shell server, low; VMware Authentication Daemon, high; VNC server, low; SNMP, Simple Network Management Protocol, low; AFP, Apple Filing Protocol, low; pcAnywhere Remote Control, high. Fig. 30: Target address box and services for bruteforce test. [Screenshot residue, Fig. 31] Metasploit 4.4.0 Update 1, Automated Exploit Settings: Target Addresses 69.88.163.30, Minimum Reliability: Great; Rapid7 Support Center. Fig. 31: Target address box for exploit test. References:
   [1] T. Bennet, Security in SCADA Applications, Florida Gulf Coast University, Fort Myers, FL, 2010.
   [2] M. Humphries, Remote Control and Reporting using SCADA, Florida Gulf Coast University, Fort Myers, 2011.
   [3] R. L. Krutz, Securing SCADA Systems, Wiley Publishing Inc., Indianapolis, IN, 2006.
   [4] E. D. Knapp, Industrial Network Security, Elsevier Inc., Waltham
[Fig 13 Metasploit exploit test results: the task log reports the exploit run complete with 0 sessions opened, 1 host targeted, 0 hosts skipped, duration 7 minutes. The log entries show bind handlers started against 69.88.163.30 on port 443 (with closed ports 9090, 9084 and 9099 chosen due to firewall rules), PHP code loaded and a PHP payload sent, and a module attempting to disclose the path of the Tiki Wiki on the filesystem; none of these produced a session.]

[Screenshot, Metasploit project overview for FGCU SCADA (caption not on this page): Discovery 6 hosts discovered, 14 services detected, 0 vulnerabilities identified; Web Apps 2 web sites identified, 0 web pages crawled, 0 web forms found, 0 web vulnerabilities found; sessions opened, passwords cracked and SMB hashes stolen counters, 0 SSH keys stolen; Social Engineering 0 social…]
…n of a challenged message only goes through if the message passes the challenge. The Master or RTU are able to issue a challenge. Challenges and responses use session keys. These two standards help protect the communications of a SCADA server using encryption and authentication [6].

1.2 Network Traffic Analysis

It is important to analyze patterns of user activity within the network a SCADA system is on. This is done with network traffic traces. Network traffic analysis can be split into four main categories: traffic matrix, traffic volume, traffic dynamics and traffic mixture measurement [17].

Traffic matrix measurement is done to estimate the volume of traffic between origin and destination within a network. There are two general approaches to traffic matrix measurement: network tomography and direct measurement. Network tomography indirectly infers end-to-end traffic demands from traffic measurements within the network. Direct measurement records where traffic flows at each point in the network; the points are merged into a central point to find the end point of each flow [17].

Traffic volume measurement aims to show the total traffic sent or received on a network. This is done by aggregating the total byte or packet count for each source IP address. It can be used to identify heavy users and find possible causes of congestion on the network. This information can be used to determine the source of a
possible security risk to a SCADA system [17]. Traffic dynamics measurement measures the temporal variation in Internet traffic. This is used to test the stability of a network; the tests check for packet delay and packet loss and detect possible bottlenecks. Traffic mixture measurement involves aggregating traffic data over a long period of time. These data are used to detect anomalies, analyze performance and do security management. The data gathered from network traffic analysis can be of vital importance to the security of a SCADA system [17].

1.3 Common Security Vulnerabilities

Often, information about a company network is easily obtainable through routine public queries. This public information can be used by attackers to focus their attacks against the network. A website often has data that network intruders will find very useful, for example employee names, e-mail addresses, network system names and the company's structure. The domain name service (DNS) can provide IP addresses and server information [19].

A SCADA system may have a weak network architecture. The weakness of the architecture increases the risk that an internet-based compromise could also compromise the SCADA system. Four common architectural weaknesses include the following:

• The configuration of file transfer protocol (FTP), web and e-mail servers sometimes unnecessarily provides internal corporate network access.
• Network connections with corpor
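The four measurement categories of section 1.2 (traffic matrix, volume, dynamics and mixture) can all be computed from the same set of flow records. The following is an added example, not code from the FGCU report: it works on constructed flow records (the two 69.88.163.x addresses are the workstation and SCADA server from the report's figures, 10.0.0.77 is an invented host), and the heavy-talker share and burst factor are assumed thresholds, not values from the report.

```python
"""Traffic matrix, volume, dynamics and mixture measurement over flow records.

Added example; not code from the FGCU report. Flow records are constructed
for illustration and the thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, str, int]  # (time_s, src, dst, proto, bytes)

# Constructed sample flows (not captured data).
FLOWS: List[Flow] = [
    (0.0, "69.88.163.28", "69.88.163.30", "tcp", 608),    # HTTP request to the front end
    (0.1, "69.88.163.30", "69.88.163.28", "tcp", 66),     # TCP handshake reply
    (0.5, "69.88.163.30", "69.88.163.28", "tcp", 1500),   # page data
    (1.2, "69.88.163.28", "69.88.163.30", "tcp", 400),
    (2.0, "69.88.163.28", "255.255.255.255", "udp", 60),  # a broadcast datagram
    (2.3, "10.0.0.77", "69.88.163.30", "tcp", 20000),     # invented host pushing data
    (2.4, "10.0.0.77", "69.88.163.30", "tcp", 20000),
    (2.6, "10.0.0.77", "69.88.163.30", "tcp", 20000),
    (3.1, "69.88.163.30", "69.88.163.28", "tcp", 900),
]


def traffic_matrix(flows: List[Flow]) -> Dict[Tuple[str, str], int]:
    """Direct measurement: bytes per (origin, destination) pair."""
    m: Dict[Tuple[str, str], int] = defaultdict(int)
    for _, src, dst, _, size in flows:
        m[(src, dst)] += size
    return dict(m)


def per_source_volume(flows: List[Flow]) -> Dict[str, int]:
    """Traffic volume: total bytes sent, aggregated per source IP address."""
    v: Dict[str, int] = defaultdict(int)
    for _, src, _, _, size in flows:
        v[src] += size
    return dict(v)


def heavy_talkers(flows: List[Flow], share: float = 0.5) -> List[str]:
    """Sources sending more than `share` of all bytes (assumed threshold)."""
    vol = per_source_volume(flows)
    total = sum(vol.values())
    return sorted(src for src, b in vol.items() if b > share * total)


def volume_series(flows: List[Flow], bucket_s: float = 1.0) -> List[int]:
    """Traffic dynamics: bytes per time bucket, in time order."""
    last = int(max(t for t, *_ in flows) // bucket_s)
    series = [0] * (last + 1)
    for t, _, _, _, size in flows:
        series[int(t // bucket_s)] += size
    return series


def burst_buckets(series: List[int], factor: float = 3.0) -> List[int]:
    """Indexes of buckets whose volume exceeds `factor` times the median bucket."""
    base = median(series)
    return [i for i, b in enumerate(series) if b > factor * base]


def protocol_mix(flows: List[Flow]) -> Dict[str, int]:
    """Traffic mixture: bytes per transport protocol."""
    mix: Dict[str, int] = defaultdict(int)
    for _, _, _, proto, size in flows:
        mix[proto] += size
    return dict(mix)


if __name__ == "__main__":
    print("matrix:", traffic_matrix(FLOWS))
    print("heavy talkers:", heavy_talkers(FLOWS))
    series = volume_series(FLOWS)
    print("per-second bytes:", series, "bursts at:", burst_buckets(series))
    print("protocol mix:", protocol_mix(FLOWS))
```

On the constructed flows the invented 10.0.0.77 host accounts for most of the bytes, so it is reported as a heavy talker and the second one-second bucket is flagged as a burst; a real deployment would replace the inline records with flows exported from a capture on the workstation/SCADA server segment.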
…s displayed the active UNIX domain sockets. The results are shown in Figure 6.

[Fig 6 Active UNIX Domain Socket: netstat output on HyperTACII listing only server UNIX domain sockets, two STREAM sockets in LISTENING state, a font-server socket under /tmp/.font-unix and /var/lib/mysql/mysql.sock.]

The next step is to see how the workstation and the SCADA server interact. A software package called Wireshark was used for this purpose. Wireshark is a packet-capturing program that can be used to analyze packets sent over a network [30]. Figure 7 shows how Wireshark was used to capture the packets in the CS lab where the workstation and SCADA server are located.

[Fig 7 Wireshark capture on the Intel 82579LM Gigabit Network Connection: the packet list shows frame 214 (608 bytes) from 69.88.163.28 to 69.88.163.30, an HTTP GET /skins/index.php3?login=MGR&key=…&hashcode=… HTTP/1.1 to the SCADA front end, and frame 221 (66 bytes) from 69.88.163.30 to 69.88.163.28, a TCP http > 50360 [SYN, ACK] Seq=0 Ack=1 Win=30660 Len=0 MSS=1460 SACK_PERM=1 WS=1.]
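The three Netstat steps in section 2.2.1 and the socket listing in Figure 6 establish what the SCADA server exposes; the defensive follow-up is to compare that listing against the services the server is supposed to offer. The following is an added example, not code from the FGCU report: it parses the text format that Linux `netstat -tuln` prints (the sample output is constructed, not captured from the report's server) and flags listeners that are absent from an assumed allow-list or bound more widely than expected. The allow-list ports are assumptions for the example.

```python
"""Baseline check of listening sockets parsed from netstat output.

Added example, not from the FGCU report. The sample output and the
allow-list are constructed for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -tuln` output (not captured from the report's server).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Assumed allow-list: (proto, port) -> acceptable bind addresses; "*" means any.
ALLOWED: Dict[Tuple[str, int], Set[str]] = {
    ("tcp", 22): {"*"},            # SSH, used for the Netstat tests
    ("tcp", 80): {"*"},            # SCADA FrontEnd web server
    ("tcp", 3306): {"127.0.0.1"},  # MySQL must stay bound to localhost
}

# proto, recv-q, send-q, local addr:port, foreign addr, optional state
LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$"
)


def parse_listeners(text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind_address, port) for every listening socket.

    TCP lines must be in state LISTEN; UDP lines carry no state column, so
    every UDP line printed by `netstat -l` is treated as a listener.
    """
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything not a socket row
        proto, addr, port, state = m.group(1).rstrip("6"), m.group(2), int(m.group(3)), m.group(4)
        if proto == "tcp" and state != "LISTEN":
            continue
        found.append((proto, addr, port))
    return found


def audit_listeners(text: str, allowed: Dict[Tuple[str, int], Set[str]] = ALLOWED) -> List[str]:
    """Compare the listeners against the allow-list and describe every deviation."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        ok_addrs = allowed.get((proto, port))
        if ok_addrs is None:
            findings.append(f"unexpected {proto}/{port} listening on {addr}")
        elif "*" not in ok_addrs and addr not in ok_addrs:
            findings.append(f"{proto}/{port} bound to {addr}, expected one of {sorted(ok_addrs)}")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT):
        print(finding)
```

On the constructed sample the check reports the Telnet, SNMP and DHCP-client listeners as unexpected, which are exactly the kind of services the report's brute-force run targeted; re-running the audit after each configuration change keeps the server's exposed surface matched to the allow-list.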
…third party captures old data and sends it again. This vulnerability is especially dangerous for controls. Data tampering is when a third party modifies the contents of a message. Eavesdropping is when a third party attempts to obtain some of the data and use it to their advantage [6]. The way most of these communication vulnerabilities are prevented is by dynamically changing the keys used for signatures and encryption; this practice is called key rotation.

There are currently two standards for SCADA communication: the AGA12 IEEE 1711 standard and the DNP3 secure authentication standard. AGA12 has a philosophy based on encryption. This philosophy incorporates confidentiality, key technology, cryptographic standards and validation. AGA12 protects messages by authenticating the partner device and randomizing the transactions between them, which means that it signs and encrypts all messages [6].

DNP3 secure authentication has a philosophy based on authentication and challenge. This philosophy includes proving identity using challenges and uses key technology. DNP3 protects all actions that are considered critical to the SCADA system. It uses a challenge at the protocol application layer. Controls and configurations change periodically. A signature is used to prevent tampering. The way the authentication challenge works is relatively straightforward: non-critical messages operate normally, critical messages are challenged, and the operatio
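The challenge mechanism just described (non-critical messages pass, critical ones are challenged, responses depend on a session key and a fresh challenge) is easier to reason about in code. The following is an added example, not code from the FGCU report and not an implementation of DNP3 Secure Authentication or AGA12: it models that behaviour with a generic HMAC-SHA256 construction and then shows why a replayed response, a tampered message and a responder without the session key are all rejected. The session key, the message format and the set of "critical" function names are assumptions for the example.

```python
"""Challenge-response protection for critical SCADA messages.

Added example; not code from the FGCU report and not the DNP3 or AGA12
wire format. Key, message format and critical-function set are assumed.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not a real key
CRITICAL = {b"OPERATE", b"DIRECT_OPERATE", b"WRITE_CONFIG"}      # assumed critical functions


def response_for(key: bytes, challenge: bytes, message: bytes) -> bytes:
    """Keyed response that binds the fresh challenge to the exact message."""
    return hmac.new(key, challenge + b"|" + message, hashlib.sha256).digest()


class Verifier:
    """The side issuing challenges (the report notes either Master or RTU may)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.outstanding: Optional[Tuple[bytes, bytes]] = None  # (challenge, message)
        self.accepted: List[bytes] = []

    def receive(self, message: bytes) -> Tuple[str, Optional[bytes]]:
        """Non-critical messages pass; critical ones get a single-use challenge."""
        function = message.split(b" ", 1)[0]
        if function not in CRITICAL:
            self.accepted.append(message)
            return ("accepted", None)
        challenge = secrets.token_bytes(16)
        self.outstanding = (challenge, message)
        return ("challenge", challenge)

    def receive_response(self, message: bytes, response: bytes) -> str:
        """Accept the held critical message only if the response is valid."""
        if self.outstanding is None:
            return "rejected: no challenge outstanding"   # replayed or stale response
        challenge, held = self.outstanding
        self.outstanding = None                           # each challenge is used once
        if message != held:
            return "rejected: message differs from the challenged one"  # tampering
        expected = response_for(self.key, challenge, message)
        if not hmac.compare_digest(expected, response):
            return "rejected: bad response"               # wrong key or forged response
        self.accepted.append(message)
        return "accepted"


class Responder:
    """The side that must answer challenges with the shared session key."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def answer(self, challenge: bytes, message: bytes) -> bytes:
        return response_for(self.key, challenge, message)


def send(verifier: Verifier, responder: Responder, message: bytes) -> str:
    """Drive one message through the exchange and return the verdict."""
    status, challenge = verifier.receive(message)
    if status == "accepted":
        return status
    return verifier.receive_response(message, responder.answer(challenge, message))


def demo() -> List[str]:
    """Legitimate traffic, then a replay, a tampered message and a wrong key."""
    v, r = Verifier(SESSION_KEY), Responder(SESSION_KEY)
    out = [send(v, r, b"READ analog_inputs"), send(v, r, b"OPERATE pump1 on")]
    # Replay: a captured response is useless once its challenge has been consumed.
    _, ch = v.receive(b"OPERATE pump1 on")
    resp = r.answer(ch, b"OPERATE pump1 on")
    out.append(v.receive_response(b"OPERATE pump1 on", resp))
    out.append(v.receive_response(b"OPERATE pump1 on", resp))
    # Tampering: changing the message after the challenge breaks the binding.
    _, ch = v.receive(b"OPERATE pump1 on")
    out.append(v.receive_response(b"OPERATE pump1 off", r.answer(ch, b"OPERATE pump1 on")))
    # Wrong key: a responder without the session key cannot answer.
    _, ch = v.receive(b"OPERATE pump1 on")
    forged = Responder(b"\x00" * 16).answer(ch, b"OPERATE pump1 on")
    out.append(v.receive_response(b"OPERATE pump1 on", forged))
    return out


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Because the challenge is random and consumed on first use, the same captured response can never satisfy a second challenge, which is the property that defeats the replay attack described above; key rotation, also mentioned above, limits how long a stolen session key remains useful but is not modelled here.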
[Fig 16 Select Interfaces Wireshark: the Wireshark start page with the Interface List (Intel 82579LM Gigabit Network Connection), Open, Open Recent, Sample Captures and Capture Options panels.]

[Second Wireshark start-page screenshot showing the same interface selection; its caption is not on this page.]