SCADA Security, DNS Phishing
Avesta Hojjati, Computer Science Department
Advisor: Dr. Akbar Namin
Texas Tech University

What is SCADA?
• Supervisory Control And Data Acquisition, a type of Industrial Control System (ICS).
• Computer based
• Communication through IPv4 & IPv6
• Uses PLCs (Programmable Logic Controllers) as the main operator

Main Areas of Concern
• Security and authentication in the design, deployment and operation of existing SCADA networks
• The premise that SCADA systems are secure because they use specialized protocols and have proprietary interfaces
• The premise that SCADA networks are secure because they have been physically secured
• The premise that SCADA networks are secure because they are not exposed to the Internet

SCADA Vulnerabilities
• DoS (Denial of Service). Vulnerabilities found in FactoryTalk Services Platform and RSLinx Enterprise
November 2011: The cyber-security of the North American power grid is "in a state of near chaos," according to a report by a respected U.S. energy consultancy monitoring the industry's transition to wireless digital technologies.
• Critical Remote Code Execution (CRCE). Vulnerabilities found in Modbus Serial Driver, a product by Schneider Electric
September 2010: Iran admits that the Stuxnet worm had infected at least 30,000 computers in the country. The worm, which researchers have dubbed the most sophisticated malware ever, targets Windows PCs that manage large-scale SCADA systems at manufacturing and utility companies.
• Most SCADA protocols were never intended for use on publicly accessible networks, and in some cases, not even on IP networks.
MODBUS, a common SCADA protocol, was originally designed for use only within simple process control networks, to enable low-speed serial communications between clients and servers.

Point of Attack

CRCE Attack

CRCE Prevention

Securing SCADA Networks
• Patch host operating systems, applications and SCADA components
• Control application communications between SCADA networks and other networks
• Control application communications within SCADA networks
• Control what and who are allowed to interact with SCADA networks and systems
• Monitor all networks closely and react quickly to viruses and attacks

What is DNS?
• The DNS (Domain Name System) translates Internet domain and host names to IP addresses. DNS automatically converts the names we type in our Web browser address bar to the IP addresses of the Web servers hosting those sites. (wiki)

DNS Phishing (Fake HTTP request)
• Redirecting all incoming traffic to a fake server
Enables the attacker to launch additional attacks, or to collect traffic logs that contain sensitive information
• Capturing all in-bound email
Allows the attacker to send email on the victim's behalf, using the victim organization's domain and cashing in on its positive reputation

DNS Phishing (Fake HTTP request)
• Taking over the registration of a domain
Attackers take over the registration of a domain and change the authoritative DNS servers. This was the type of attack used by the Syrian Electronic Army: they gained access to the domain registration accounts operated by Melbourne IT and changed the authoritative DNS servers to ns1.syrianelectronicarmy.com and ns2.syrianarmyelectronicarmy.com.
• Cache poisoning
Attackers inject malicious DNS data into the recursive DNS servers operated by Internet Service Providers (ISPs).
The damage caused by this attack is localized to the specific users connecting to the compromised servers.

DNS Phishing scenario
• Demonstrating an attack using BackTrack
• Using the ARP spoofing technique (Address Resolution Protocol)

Avoidance
• Good security practices such as strong passwords, IP acceptable client lists (ACLs) and social engineering training will help guard against attack
• DNSSTOP (Domain Name Server STOP): a curses-based application that displays various tables of DNS statistics
• DSC (Domain Statistics Collector): DNS Statistics Collector is designed to collect and aggregate statistics from busy authoritative servers, such as those used by TLD (Top-Level Domain) and root server operators.
• Traffic Gist: a network traffic statistics collection tool. Gist can collect statistics about live traffic and do post-mortem packet capture analysis.

Limiting Recursion to Authorized Clients
For DNS servers that are deployed within an organization or Internet Service Provider, the resolver should be configured to perform recursive queries on behalf of authorized clients only. These requests typically should only come from clients within the organization's network address range. We highly recommend that all server administrators restrict recursion to only clients on the organization's network.

BIND9
In the global options, include the following [10]:

    acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
    options {
        allow-query { any; };
        allow-recursion { corpnets; };
    };

References
• http://www.fastandeasyhacking.com/ (Armitage)
• http://ettercap.github.io/ettercap/ (Ettercap)
• Siemens PLC Simulator (S7 Series)

Questions?
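As an added example for the "Securing SCADA Networks" items above (controlling what and who may interact with the control network), and not code from the original slides: a Modbus/TCP request parser with a per-host function-code allowlist, the kind of check a protocol-aware gateway or IDS applies because MODBUS itself carries no authentication. The POLICY hosts and the two frames are constructed for this example.

```python
import struct
from dataclasses import dataclass

# Function codes that change process state; everything else here is a read.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Assumed per-host policy (constructed for this example): which Modbus function
# codes each source address may send to PLCs on the control network.
POLICY = {
    "10.10.1.5": {1, 2, 3, 4},                 # HMI: read-only
    "10.10.1.9": {1, 2, 3, 4, 5, 6, 15, 16},   # engineering workstation
}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then the PDU (function code + data)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:       # MBAP length covers unit id + PDU
        raise ValueError(f"length field {length} != {len(frame) - 6}")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def check_request(src_ip: str, frame: bytes) -> str:
    """Return 'allow' or a 'deny: ...' reason for one request from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"deny: malformed ({exc})"
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return f"deny: {src_ip} is not authorized to speak Modbus"
    if req.function_code not in allowed:
        kind = "write" if req.function_code in WRITE_FUNCTIONS else "read"
        return f"deny: FC {req.function_code} ({kind}) not permitted for {src_ip}"
    return "allow"

# Constructed frames: Read Holding Registers (FC 3, 10 regs) and Write Single Coil (FC 5, ON).
READ_HR = bytes.fromhex("0001 0000 0006 01 03 0000 000A")
WRITE_COIL = bytes.fromhex("0002 0000 0006 01 05 0001 FF00")
```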
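To verify the BIND9 recursion setting above without loading the file into named, an added Python audit (not from the slides) that extracts allow-recursion from the options block, expands named ACLs and reports whether the resolver is open, restricted or left to BIND's default. The inputs are the slide's own restricted example and a constructed open-resolver variant.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed configs: the restricted example from the slide, and an open-resolver variant.
RESTRICTED_CONF = """
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options { allow-query { any; }; allow-recursion { corpnets; }; };
"""
OPEN_CONF = "options { allow-query { any; }; allow-recursion { any; }; };"

BUILTIN = {"localhost", "localnets"}   # BIND's built-in ACLs, not CIDR blocks

def parse_acls(conf):
    """Map each 'acl NAME { ... };' declaration to its list of entries."""
    acls = {}
    for name, body in re.findall(r"\bacl\s+(\S+)\s*\{([^}]*)\}", conf):
        acls[name] = [e.strip() for e in body.split(";") if e.strip()]
    return acls

def audit_recursion(conf):
    """Classify allow-recursion as 'open', 'restricted' or 'unspecified'.

    Returns (status, networks): the ip_network objects that may recurse."""
    opts = re.search(r"\boptions\s*\{((?:[^{}]|\{[^{}]*\})*)\}", conf)
    if not opts:
        return "unspecified", []
    body = opts.group(1)
    if re.search(r"(?<![-\w])recursion\s+no\s*;", body):
        return "restricted", []          # recursion disabled outright
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", body)
    if not m:
        return "unspecified", []         # left to BIND's compiled-in default
    acls = parse_acls(conf)
    nets = []
    for entry in (e.strip() for e in m.group(1).split(";") if e.strip()):
        for item in acls.get(entry, [entry]):   # expand one level of named ACLs
            if item == "any":
                return "open", []            # anyone on the Internet may recurse
            if item in BUILTIN or item.startswith("!"):
                continue
            nets.append(ip_network(item))
    return "restricted", nets

def client_may_recurse(conf, client_ip):
    """True/False for a given client, None when the config leaves it to defaults."""
    status, nets = audit_recursion(conf)
    if status == "unspecified":
        return None
    return status == "open" or any(ip_address(client_ip) in n for n in nets)
```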