Seeing is Believing: Live Demonstration of OT Cyber Attacks

Real-life live demonstrations of cyber-attacks scenarios are the best way to educate and create awareness of the potential risks and damages to ICS/SCADA systems, using various attack vectors.

Such a demonstration was held at the February 2018 CS4ICS IET convention in London, UK. The demonstration used actual SCADA devices from leading manufactures and off-the-shelf attack tools.

After each attack showcase, the detection and prevention methods were shown using Radiflow solutions.

The London convention brought together cyber-security and industrial automation operators from critical infrastructure operators and industrial facilities. During a two hours session held in front of over 100 participants, three use-cases were presented addressing the main operational scenarios.

USE-CASE #1: MALWARE ON TECHNICIAN LAPTOP
One of the major known ICS/SCADA vulnerabilities is access to sites by third-party contractors/employees, either remotely, or by plugging into an on-site switch. If the event the technician’s laptop is not well-protected the maintenance session could be used to modify the operation of PLCs and HMIs.

The demonstration presented remote access to a site and change of the PLC ladder logic using a hidden malware on the technician’s laptop that was running in the background while it was connected to the operational network.

[inject id=’code-47fd23f73a9caecab1e206306adae7f9′]

Mitigation:

1. Detection of download of new logic to the PLC using an Industrial IDS
2. Prevention using a task-based identity management-equipped firewall, deployed between the technician’s laptop and the critical operational network.

USE-CASE #2: OPERATIONAL TAMPERING USING AN SSH BRUTE FORCE ATTACK
In many cases, default, dictionary or common passwords are used for authentication of operators of SCADA servers, HMIs and PLCs. This can be used to gain access to those computers and tamper with the SCADA system.

In this case, SSH access to the SCADA server was achieved using a password brute force attack, based on password databases from GitHub, Certyfence or other sources. Once access is gained, the SCADA server is used to disrupt the operation of the industrial process.

Mitigation:

1. Detection of SSH brute-force attacks using an IDS with a signature database
2. Alert on outdated software versions and unhardened industrial protocols with known vulnerabilities, using an Industrial IDS.
3. Use of firewalls to enforce task-based identity management and stronger password policies.

USE-CASE #3: RAILWAY TRACK SWITCHING USING MitM (MAN IN THE MIDDLE)
In MitM attacks, the attacker secretly relays, and possibly alters, the communication between two parties who believe they are directly communicating with each other.

In this case, the attack took advantage of the vulnerabilities in the network and in the Modbus automation protocol used between the HMI and the PLC.

In this scenario, the malware causes the track switch to divert trains to a alternate rail while sending false data to the operator as if the train is still on the right track.

The attack took place in two stages:

1. The attacker machine used ARP Poising to trick both the PLC and the HMI to believe that they are communicating with one another, while actually both were communicating with the attacker.
2. The attacker then sent a Modbus write command to the PLC, changing the direction of the rail and at the same time, it messaged the HMI that the track switch is still in its original position.

The attack logic was implemented in a Raspberry Pi device simulating a possible malware in a peripheral device in the network, such as a physical security sensor or CCTV camera whose cyber security was inadequate.

Mitigation

1. Detection of ARP poisoning using an IDS installed on the network
2. Detection of new Modbus commands using DPI (Deep-Packet-Inspection) of an Industrial IDS.
3. Prevention using a DPI firewall in the communication path to the PLC.
4. Validation of the security mechanism of IoT devices connected to the SCADA network, and of the network switches.

CONCLUSION
The demonstration at CS4ICS IET 2018 clearly highlighted the realization that a one-size-fits-all approach to OT network security is not sufficient, as it is safe to assume that cyber-threats, risks and attacks will only diversify and intensify.

ICS/SCADA operators need to engage in the process of installing multi-layer security measures, with detection and protection capabilities for different types of attacks, as demonstrated. Such a process should begin with a comprehensive security assessment, to map out all network devices, ports and connections, and should eventually include protections for known threats, as well as mechanisms for adapting to new threats as they are discovered.