
Scada Malware, A Proof of Concept

A. Carcano, I. Nai Fovino, M. Masera, A. Trombetta
European Commission Joint Research Centre

Critis 2008, Rome, October 15, 2008
Outline

• Motivations
• Testing Environment
• Experimental Program
• Results
• Conclusion
CI Dependence on IT Systems

• Today most critical infrastructures depend heavily on the underlying communication networks.

[Figure: a SCADA architecture in which a Central Monitoring Unit reaches Remote Terminal Unit 1, Remote Terminal Unit 2, a Programmable Logic Controller and their Sensors over a Communications Network (Fiber, Radio, Modem, Microwave, Telephone, Wireless, Powerline Carrier). Benefits listed on one side: Remote Control, Remote maintenance, New features. Costs on the other: New Vulnerabilities, New Attack Scenarios, New Threats.]

Adapted from: Joint Program Office for Special Technology Countermeasures, Naval Surface Warfare Center, Dahlgren Division
Computer Attacks

• Most attacks are malware based (Virus, Worm, Trojan).
• Need for concrete studies on the effects of malware on Critical Infrastructures.

[Figure: the plant architecture used to frame the problem. Effects of malware on the office side (Intranet, Office network, Workstation, gateway, common services, routers, External Network behind firewalls, Data Network) are "Known Effects"; effects on the Process network, DMZ, data server, control data server, Turbo Gas control and Plant control (commands, alarms/blocks, supervision, monitoring, diagnostics, vibrations), Field control, field bus and actuators/transductors are "Unknown Effects". The physical process is a Turbogas unit: air and gas enter the Compressor, Combustion chamber and Turbine (G); fumes feed a Steam generator; steam drives a second Turbine (G); water returns to the steam generator.]
Problems

• How to simulate malware on Critical Infrastructures?
• How and where to study its effects?
Malware Simulation: MAlSim Toolkit

• MAlSim Toolkit simulates:
  - Various families of malware (worms, viruses, malicious mobile code etc.)
  - Various species of malware of the same family (e.g. macro viruses, metamorphic and polymorphic viruses etc.)
  - Well-known malware (e.g. Code Red, Nimda, SQL Slammer)
  - Non-existent configurations
Power Plant Simulator

[Figure: the testing environment. A Power Plant Source drives the simulated Field Network, Process Network, Data Network, DMZ Network and Intranet Network; System Measurements feed an Analysis Environment; Attack Systems are positioned both Inside and Outside the plant networks. Supporting components: Vulnerabilities Repository, Binaries Repository, InSAW, Experiments Archive.]
Ad-Hoc SCADA Malwares

Considerations about "SCADA" protocols (ModBUS, ProfiBUS, DNP3, ...others...): such protocols are normally used by some dedicated servers in order to send commands to the field devices.

ModBUS:
  - Application layer messaging protocol
  - Provides Client/Server communication service
  - TCP/IP Implementation
  - Widely Used

Lack of:
  - Integrity controls
  - Authentication Mechanisms
  - Non Repudiation Mechanisms
  - Anti-replay Mechanisms

It is possible to create a set of Malwares which take advantage of such basic vulnerabilities.
Attack Scenarios (1)

ModBUS Malware DOS
- Attack Scope
  - To desynchronize the communication between Master and Slave
  - To completely avoid the communication stream between Master and Slaves
- Code Implementation
  - A Packet builder, which forges in the proper manner ModBUS over TCP packets.
  - A Discovery engine, which explores the network in order to identify the IP addresses of the Modbus slaves.
  - A Packet deliverer, which sends in an optimized way the previously forged packets to the target slaves, in order to saturate the bandwidth as soon as possible.
Attack Scenarios (1)

[Figure: ModBus DOS Worm architecture. Infection Trigger: Slammer, Nimda, Poskiwing (6 october), ... Components built on the Malsim Framework: Slammer Infection Engine, Modbus Packet Generator, Discovery Engine. The target side shows the FW-VPN and the Master/Secondary.]
Test Results

1. Anti-viruses do not recognize the ad-hoc crafted malware
2. Firewalls do not stop the traffic generated by the malware since it has the shape of "legal ModBUS traffic"
Attack Scenarios (2)

ModBUS COM Worm
- Attack Scope
  - The scope of the COM Worm attack is to take control of the slaves of the process control architecture by taking advantage of the lack of authentication and integrity countermeasures of the ModBUS protocol.
- Code Implementation
  - A Packet builder
  - A Discovery engine
  - A Strategy & analysis module, which, on the basis of the information gathered by the discovery engine and some built-in heuristics, identifies the strategy to adopt in order to send packets which could cause damage to the system.
  - A Packet deliverer, which sends the forged packets to the target slaves
Experimental tests

• Worm prototypes:
- Step 1 Malware: it replicates the MODBUS function 15 (0x0F), used to force each coil in a sequence of coils to either be ON or OFF in a remote device (valve).
- Step 2 Malware: through function 16 it is able to write a block of contiguous Input registers (1 to 123) in a remote device.
- Step 3 Malware: by combining the two ModBUS functions (0x01) (read output values) and (0x0F) (force a sequence of coils), it completely reverts the configuration of the target system (e.g. if a valve is open it will be closed and vice versa).
Experimental Considerations

• Antiviruses do not identify the new worms
• The firewall completely ignores the attacks since the traffic appears completely legal
• In all cases the slaves execute all the worm commands, without identifying any anomaly.
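The two results above follow from the protocol properties listed under "Ad-Hoc SCADA Malwares": a frame that forces coils with function 0x0F or writes registers with function 0x10 is, byte for byte, legitimate Modbus/TCP, so a port-level firewall and the slave itself have nothing to object to. What a protocol-aware check on the process network can still do is shown by the following added example, which is not code from the paper or its authors. It decodes the MBAP header and the start/quantity fields of the request PDU, then applies three constructed rules to each request: any request from a host outside an assumed master allowlist, register write counts outside the 1..123 range the experiments cite, and the step-3 pattern of a coil read followed by a force of the same coil range. MASTERS, the sample frames, the 1..1968 coil limit and the rule thresholds are assumptions made for the demonstration.

```python
"""Protocol-aware inspection of Modbus/TCP requests (added example, not from the paper)."""
import struct
from dataclasses import dataclass

# Function codes named in the experiments
READ_COILS = 0x01
WRITE_MULTIPLE_COILS = 0x0F       # function 15: force a sequence of coils
WRITE_MULTIPLE_REGISTERS = 0x10   # function 16: write a block of registers
WRITE_FUNCS = {0x05, 0x06, WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}

# Assumption: the only host that may issue requests to the slaves
MASTERS = {"10.0.0.1"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start: int      # first coil/register address (0 when not applicable)
    quantity: int   # number of coils/registers (0 when not applicable)


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the start/quantity fields of the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    Raises ValueError on anything malformed so the caller can flag it.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    func = frame[7]
    start = quantity = 0
    if func in (READ_COILS, WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS):
        if len(frame) < 12:
            raise ValueError("PDU too short for start address and quantity")
        start, quantity = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(tid, uid, func, start, quantity)


def inspect(src_ip, frame, last_read):
    """Return the alerts raised by one request.

    last_read maps (src_ip, unit_id) -> (start, quantity) of that client's most
    recent READ_COILS, so a read followed by a write of the same coil range
    (the step-3 pattern in the experiments) can be correlated.
    """
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return [f"malformed frame from {src_ip}: {exc}"]
    alerts = []
    if src_ip not in MASTERS:
        kind = "write" if req.function in WRITE_FUNCS else "request"
        alerts.append(f"{kind} function 0x{req.function:02X} from non-master {src_ip}")
    if req.function == WRITE_MULTIPLE_REGISTERS and not 1 <= req.quantity <= 123:
        alerts.append(f"register write count {req.quantity} outside 1..123")
    if req.function == WRITE_MULTIPLE_COILS and not 1 <= req.quantity <= 1968:
        alerts.append(f"coil write count {req.quantity} outside 1..1968")
    key = (src_ip, req.unit_id)
    if req.function == READ_COILS:
        last_read[key] = (req.start, req.quantity)
    elif req.function == WRITE_MULTIPLE_COILS and last_read.get(key) == (req.start, req.quantity):
        alerts.append(f"read-then-write on coils {req.start}..{req.start + req.quantity - 1} from {src_ip}")
    return alerts


def mbap_frame(tid, uid, func, body):
    """Constructed sample traffic: wrap a request PDU in an MBAP header."""
    pdu = bytes([func]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed sample requests (source IP, raw frame)
SAMPLES = [
    # the legitimate master polls eight coils
    ("10.0.0.1", mbap_frame(1, 1, READ_COILS, struct.pack(">HH", 0, 8))),
    # an unknown host reads the same coils, then forces all of them off
    ("10.0.0.99", mbap_frame(2, 1, READ_COILS, struct.pack(">HH", 0, 8))),
    ("10.0.0.99", mbap_frame(3, 1, WRITE_MULTIPLE_COILS, struct.pack(">HHB", 0, 8, 1) + b"\x00")),
    # the unknown host writes 124 registers, one more than the protocol allows
    ("10.0.0.99", mbap_frame(4, 1, WRITE_MULTIPLE_REGISTERS,
                             struct.pack(">HHB", 0, 124, 248) + b"\x00" * 248)),
    # a frame whose protocol id field is 1 instead of 0
    ("10.0.0.1", b"\x00\x05\x00\x01\x00\x06\x01\x01\x00\x00\x00\x08"),
]


def run_samples():
    """Inspect every sample in order and return one alert list per sample."""
    last_read = {}
    return [inspect(ip, frame, last_read) for ip, frame in SAMPLES]


if __name__ == "__main__":
    for (ip, _), alerts in zip(SAMPLES, run_samples()):
        print(ip, alerts or ["ok"])
```

Running the script prints each sample with its alerts. The allowlist rule is the one that catches the prototypes described above without any signature, which is why it is cheap to deploy where a packet filter already sits; the read-then-write rule is a heuristic that a legitimate master polling coils before a command will also trip, so it is the kind of plant-specific tuning the Conclusion has in mind when it says anomaly detection is not easily deployed.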
Conclusion

• Industrial SCADA protocols are far from being considered secure
• In this paper we proved that the scenario in which a worm could take control of a portion of an industrial plant is nowadays a reality.
• Traditional Antiviruses and FW are inadequate for several reasons:
  - SCADA systems are very specialized systems, using dedicated protocols (sometimes proprietary).
  - Anomaly detection techniques cannot be easily deployed into industrial systems.
  - Patches could interfere with some particular ad-hoc software.
• Future works:
  - SCADA Intrusion Detection System
  - Secure SCADA protocols
…Considerations (1)

Considerations about Process Sub-Systems:
  - Low "ICT Security Perception"
  - Rare Patching Policies
  - Old Operating Systems:
    • Win NT 3.0 / 4.0
    • Win 2000
    • BSD
    • SCO

Process Sub-Systems are typically prone to traditional malwares.
Consequences of pervasive ICT

- Software Vulnerabilities
- Architectural Vulnerabilities
- ICT Security Policy Vulnerabilities

Consequences
- New Attack Scenarios
- New Risks
- Old Safety studies are no longer current

- Need for new Models
- Need for new Risk assessment methods
- Need for new experimental studies
Attack Scenarios (1)

[Figure: ModBus DOS Worm, extended version of the architecture diagram. Infection Triggers: E-mail (Social Engineering, E-Mail Forge, Malware Camouflage), Phishing (Fake Site Creation, DNS Poisoning), Operator PC Infection; known vectors listed: Slammer, Nimda, Poskiwing (6 october), ... Components built on the Malsim Framework: Slammer Infection Engine, Modbus Packet Generator, Discovery Engine. Target side: FW-VPN, Master/Secondary, DNS.]

								