The S4 SCADA Security Conference

This year I was asked to come speak at S4, a conference hosted by Digital Bond every January for the past 14 years. I was scheduled to speak on the OTDay, a free day for conference attendees intended to:

"Like it or not, your critical infrastructure SCADA or DCS is running a mission critical IT network. It is time to learn how to apply the mission critical IT technology and practices to Operations Technology (OT)."

My talk, given once in the morning and once in the afternoon to a full room of folks, was titled "Tiptoe Through The Network: Practical Vulnerability Assessments in Control Systems Environments". It covered three primary areas:

  • Discovery - Finding the assets on your network can be tricky, especially if you are a large organization with 10,000 or more hosts. However, in a control systems environment different segments may have a very small amount of hosts and devices, which means a new host is not a frequently occurring activity. This means being able to passively monitor the network for new hosts is important. Of course when we think of control systems environments there are concerns with network disruption (exp. on the PLCs). I covered P0f, Bro IDS, Tenable's Passive Scanner for tools. For methods of host discovery I also mentioned the ability of Nessus to pull hosts from VMware APIs and logs using Tenable's LCE.
  • Vulnerability Management - Many have seen the slides on this one as part of the Vulnerabilities Exposed Webcast Series. I cover what you need to get a successful program started, including policies, procedures and scan schedules/strategies.
  • Passive Vulnerability Scanning - Very much of interest to the ICS crowd! I stepped outside the boundaries and used examples such as Tivo, Nest, Wifi Treadmills and Wifi Scales as examples of how PVS can detect vulnerabilities.

The ICS Village

I got to have some fun in the ICS Village, a network of control systems, firewalls and security appliances setup for attendees to scan and hack. I ran Nessus against the entire environment (with some help from fellow Tenable employees). We generated over a gigabit of traffic on the wireless network in just over an hour, and all of my scans completed without errors. It was really a testament to how a well-tuned Nessus scan can accurately and quickly enumerate vulnerabilities. Below are some examples from the scan data:

Nessus identified the default credentials hardcoded into the Modicon FTP server. This plugin was provided to Tenable Network Security in 2006 in collaboration with Digital Bond and reportedly can be used to upload new firmware to the device.

Modbus is a networking protocol commonly implemented by control systems for sending and receiving messages. It uses coils or registers which contain binary functions (e.g. turn something off or on). Nessus implemented Modbus support in late 2006 again in collaboration with Digital Bond.

Rugged made headlines in 2012 as containing a backdoor in the RuggedOS operating system. The password was in fact derived from the MAC address allowing attackers to authenticate to devices running this firmware. Nessus obtains the MAC address and calculates the password to the device as shown in the screenshot above.

The information in the "informational" severity rated plugins is useful for many activities, including identifying the targets. In this case there were several hosts running a vulnerable version of the Dropbear SSH server. When reviewing the Ethernet card manufacturer we noticed it came from Ubiquity networks, a manufacturer of wireless hardware. Turns out this gear was running the wireless network, the very same one that stayed running during our scanning.

Conclusion

S4 was a great conference and a good opportunity for people to learn about ICS security topics. The OTDay was followed by two days of in-depth technical content. If you are interested in how Tenable's products can detect SCADA related vulnerabilities, please refer to our SCADA solutions page.