ICS Security 101 by Sandeep Singh

Agenda
• What is ICS?
• IT vs ICS
• ICS Components
• ICS Protocols
• PLCs
• Common issues with ICS Security
• Pentesting ICS (approach and methodology)
• Securing ICS
• So you want to learn ICS Security?

What is industrial control system

Where do we
see ICS in use?
• Food manufacturing plants
• Power plants
• Building automation systems (AC/HVAC)
• Water treatment
• Chemical plants
• Oil & Gas
• Telcos
• Weapons Control System
• Dams, etc.

The confusion
IoT
Critical
Infrastructure
Industrial
Control
Systems

IT vs ICS
Confidentiality
Integrity
Availibility
Availability
Integrity
Confidentiality
ICS
IT

IT vs ICS
IT ICS
Security
patches
Applied regularly on standard systems
Only recently provided by vendors. Applied
once a year tops
Antivirus
Deployed on all Windows machines,
centrally managed
Sowly starting to show up. Some vendors used to / stil
forbid AV usage (lack of support if AV is installed)
Not managed
System
Administration
Centralized, dedicated teams, standard
operations and procedures
Lack of local skills, heterogeneous environments, lots of
different tools to use, vendor support is mandatory
IAM Nominative accounts Generic, shared accounts, no password policy
Availibility
Service interruptions are ok, especially
outside business hours
Real-time operations, downtime is unacceptable or very
costly
Protocols
Standard, TCP/IP protocols that include
authentication and encryption
Lot of vendor-specific protocol, no security built in to the
protocols
Impact No people endangered Possible impact of people, envrionment, industrial gear

A look into the
past
 1969: First PLCs
 1973: Modbus protocol invented
 1986: PLCs controlled by PCs
 1992: TCP/IP for PLCs
 2003: Web servers for PLCs
 2017: AD is coming!

ICS
Components
• Sensors and Actuators: allow interaction with
the physical world (pressure sensor, valves,
motors, …)
• Local HMI: Human-Machine Interface, permits
the supervision and control of a subprocess
• PLC: Programmable logic controller: manages
the sensor and actuators
• Supervisor screen: remote supervision of the
industrial process
• Data Historian: Records all data from the
production and Scada networks
• RTU: Remote Terminal Unit (standalone PLC)
• IED: Intelligent Electronic Device (smart sensor)

Industrial protocols
 At the beginning, specific protocols on specific physical layer (RS232, RS285, 4-20 current loop)
 Some protocols were adapted to TCP/IP, like Modbus, and other were developed to allow
interoperability.
Currently, the most used seem to be :
 HART / Wireless HART
 Profibus
 Modbus
 Profinet / S7
 DNP3
 OPC

Modbus protocol
 Serial communication protocol invented in 1979 by Schneider Electric
 Developed for industrial application
 Royalty-free
 Now one of the standards for industrial applications
Security?
 Clear-text
 No authentication
How it works:
 Master/Slave protocol
 Master must regularly poll the slaves to get
information
 Modbus addresses are 8 bits long
 There is no object description: a request returns
a value, without any context or unit.

Modbus protocol
 Modbus was originally made for serial communications
 It is now often used over TCP
MODBUS/TCP FRAME FORMAT

Modbus protocol
 The most common Modbus functions allow to read and write data from/to a PLC
 Other functions, such as file read and diagnostics functions also exist
 Undocumented Modbus function codes can also be used to perform specific actions
Commonly used MODBUS function codes
Function name
Function
code
Read coils 1
Write single coils 5
Read holding registers 3
Write single register 6
Write multiple registers 16
Read/Write multiple registers 23
All documented MODBUS function codes: https://en.wikipedia.org/wiki/Modbus

S7 protocol
 Proprietary protocol by Siemens
 TCP port 102
 Based on COTP (Connection-Oriented Transport Protocol, RFC905)
 No security
 New version of the protocol available starting with version 4 and up of the PLC firmware :
provides mutual authentication and communication Encryption
 Security features analyzed by Quarkslab, see the talk from SSTIC
https://www.sstic.org/2015/presentation/analyse_de_scurite_de_technologies_propritai
res_scada/

DNP3 protocol
 Standard protocol, developed by GE in the 90’s
 Slave/Slave : Information can be share at the initiative of any device
 Layer 2 protocol (just top of physical layer), ported to TCP/IP
 Integrity is verified using CRC
 Data reporting communication : only send the data that has changed (simplified), or at
the initiative of the PLC/RTU
 Used for smartgrids in the US
 Secure DNP3 introduced in 2007
- Works on serial and TCP versions
- Challenge/response to exchange a session key (using PSK)
- Can be done at startup, every XX minutes, or only for sensitive actions (write requests for example)
- Possible to use secure DNP3 over TLS

PLC
 Real-time digital computer used for automation
 Replaces electrical relays
 Lots of analogue or digital inputs & outputs
 Rugged devices (immune to vibration, electrical noise, temperature, dust, …)

PLC Programming
 “Ladder Logic” was the first programming language for PLC.

Other languages..
 SoMachine is the software provided by Schneider Electric to program
the entry level PLCs.
 PLCs used in big plants are usually programmed using Unity Pro.
 Unity Pro has no free/demo version

PLC programming
 Create a project
 Define the hardware setup
 Create variables
 Define the program
 Test
 Debug
 Push to PLC
 START

Common
issues with ICS
security
 Organization & awareness
 Network segmentation
 Vulnerability management
 Security in protocols
 Third Party management
 Security monitoring & detection

ICS security assessments
 Types of Security assessments
- Security Posture Audits (interview and artifact reviews)
- Physical Security Assessments (policy and walkthroughs)
- Network Capture Assessments (passive network)
- Vulnerability Scanning (actve network)
- Penetration Testing (active network and hands-on)
 Each assessment type fills looks at the system from different perspectives
and angles
 Most common time to do penetration tests on control systems are during
equipment acquisitions

What to pentest?
 All connectivity from corporate networks to control networks
 All remote access connectivity into the control network
 Any link carrying control traffic across public or semi-public links
 Any new system before it is implemented
 Any system changes or updates that are being tested in test or staging
environments
 Web applications running on top of devices such as RTUs, PLC, HMIs
 Fuzzing ICS protocol implementations

Port scanning on ICS networks is dangerous
 Nmap is the de-facto tool for port scanning but can be really
dangerous on ICS
 Two stories from NIST SP800-82
 A ping sweep broke for over $50,000 in product at a semi-conductor factory
 The blocking of gas distribution for several hours after a pentester went
slightly off-perimeter during an assessment for a gas company
 Nmap useful setup for scanning
 Reduce scanning speed! Use « --scan-delay=1 » to scan one port at a time
 Perform a TCP scan instead of a SYN scan / do not perform UDP scan
 Do not use fingerprinting functions, and manually select scripts (do not use “–
sC”)

PLCSCAN
 https://code.google.com/archive/p/plcscan/
by SCADAStrangeLove (http://scadastrangelove.org/)
 Scans for ports 102 (Siemens) and 502 (Modbus) and tries to pull
information about the PLC (modules, firmware version,…)
 Not exhaustive since not all PLCs use Modbus or are Siemens

Attacking standard services
 Most PLCs have standard interfaces, such as HTTP and FTP
 Lets’ say security was not the first thing in mind when introducing
these features …
 On Schneider M340
 FTP credentials are hardcoded (sysdiag /factorycast@schneider)
 Allows you to retrieve the password file for the web UI

Metasploit for everything
 /auxiliary/scanner/scada/modbusclient (can perform read/write
operations on coils and registers)
 Unauthenticated actions on PLC
 /auxiliary/scanner/scada/modicon_command (STOP/RUN)
 /auxiliary/scanner/scada/modicon_stux_transfer (Logic download/upload)

Securing ICS
 ICS security standards
 ANSSI
 ISA99
 NIST SP800-82 Revision 2
 ENISA Guidelines
 NERC CIP
 System Hardening
 Network Segmentation
 Corporate network to ICS network pivoting is a problem
 Segregate while allowing some communications
 Two network cards
 Security monitoring

So you want to learn ICS
Security? – ICS Security
Resources

Connect!
• SCADAsec email list at Infracritical
 ICS Security Conferences
 DigitalBond’s S4
 SANS ICS Summit
 4SICS
 EnergySec
 Oil and Gas Security Summit

Information Sharing
 National Council of ISACs
 Downstream Natural Gas (www.dngisac.com)
 Electricity (www.esisac.com)
 Oil & Natural Gas (www.ongisac.com)
 Water (www.waterisac.com)

Books
 Robust Control System Networks, Ralph Langner
 Industrial Network Security, 2nd Edition, Knapp & Langill
 Cybersecurity for Industrial Control Systems, Macaulay & Singer
 Countdown to Zero Day, Kim Zetter
 Handbook of SCADA/Control Systems, 2nd Ed., Radvanovsky &
Brodsky
 Hacking Exposed Industrial Control Systems, Bodungen, et al

Training
ICS-CERT
 Free online training and resources
 Free 5-day Red vs Blue ICS exercise
ICS Vendor Training
SANS ICS410 and ICS515
Red Tiger Security, Lofty Perch, SCADAhacker

Intelligence Sources
ICS-CERT portal
ISAC Portals
FBI Infragaurd
Twitter #ICS #SCADA
Google
Shodan.io

This slide deck is generously borrowed from the following
talks:
Pentesting ICS 101 - https://www.defcon.org/html/defcon-
24/dc-24-workshops.html#Soullie
How to get into ICS security – RSA Conference 2016
What the hell is ICS security – Bsides Tampa 2016

Thank you
Sandeep Singh
@sandy1sm
Email: sandeep.singh@owasp.org
san@null.co.in
Thank you 

ICS Security 101 by Sandeep Singh

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to ICS Security 101 by Sandeep Singh (20)

More from OWASP Delhi (20)

Recently uploaded (20)

ICS Security 101 by Sandeep Singh

Editor's Notes