{"id":9869,"date":"2013-03-15T12:18:32","date_gmt":"2013-03-15T11:18:32","guid":{"rendered":"https:\/\/www.corelan.be\/?p=9869"},"modified":"2013-03-15T12:18:32","modified_gmt":"2013-03-15T11:18:32","slug":"blackhateu2013-day2-whos-really-attacking-your-ics-devices","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2013\/03\/15\/blackhateu2013-day2-whos-really-attacking-your-ics-devices\/","title":{"rendered":"BlackHatEU2013 - Day2 - Who's really attacking your ICS devices ?"},"content":{"rendered":"

Kyle Wilhoit<\/a>, Threat researcher at Trend Micro, explains that he will provide an overview of ICS systems before looking at some interesting attacks at ICS systems.<\/p>\n

Concerns\/Overview of ICS Security and\u00a0Typical deployments<\/h3>\n

ICS devices are used in production of virtually anything. They are used in water\/gas\/energy\/automobile\/manufacturing, etc. \u00a0They are notoriously insecure in many ways. \u00a0Software is sometimes embedded, sometimes not. ICS devices are typically proprietary, specific to the vendor.<\/p>\n

A typical ICS deployment contains a supervisory network (SCADA network) and one or multiple control systems. \u00a0The supervisory network communicates with the control systems. \u00a0Traditional deployments usually don't contain any security layers.<\/p>\n

Overview of 2 SCADA protocols<\/h3>\n

DNP3 is a complex protocol, used to send and receive messages. \u00a0There is no authentication or encryption and have several published vulnerabilities.<\/p>\n

Modbus is the oldest ICS protocol, which mostly controls I\/O interfaces. No authentication or encryption, no broadcast suppression and has multiple vulnerabilities.<\/p>\n

Typically, priorities for ICS are productively, up-time and reliability of data. \u00a0IT is concerned about protecting the data, communications and limiting the number of interruptions.<\/p>\n

In 2012, 171 unique vulnerabilities affecting ICS products were reported, affecting 55 vendors. \u00a026% of these devices revolve around internet-facing devices.<\/p>\n

Scada on the internet<\/h3>\n

It has proven to be trivial to find ICS systems using Shodan. Example searches include \"VxWorks\" and \"Meter Information\". \u00a0Of course, this only gets you the systems that are internet facing, not just the ones that are vulnerable. \u00a0You can find other systems by querying paste bin, ERIPP and Twitter. \u00a0In short, there a multiple ways to find Scada systems exposed to the entire world.<\/p>\n

Story time<\/h3>\n

\"Small town in rural America, has a water pump controlling system, which is internet facing. \u00a0During Q3\/Q4 of 2012, it has been attacked multiple times.\" \u00a0 Kyle introduces the fact that he has set up an ICS honeypot in his basement that looks like a water pump controlling system to gather information about real attacks.<\/p>\n

His honeypot consists of 2 low interaction systems and one high-interaction system (using real devices), deployed on a Windows 2008 server and 2 Ubuntu servers. \u00a0It ran for 28 days in total. \u00a0On the internet facing UI, he included very clear messages that a system compromise might adversly affect water containment.<\/p>\n

The external IP of the honeypot exposes a \"Control System\", which uses a PLC in the back-end, simulating a water pump system. \u00a0The high-interaction honeypot consists of a couple of machines (combination of physical systems and Amazon EC2 instances), simulating a control system, a Nano-10 PLC, a Siemens Simatic S7-1200 system, and a separate workstation that contained \"salted\" docs. \u00a0He also used Honeywall and generated real DNP3 and Modbus traffic on the network.<\/p>\n

To make things look real, he registered a domain name that references the name of the city where he set up the honeypot, to make it look like this is the city water containment system.<\/p>\n

To make the system vulnerable, he used a set of vulnerabilities:<\/p>\n