Slide 1: ICS/SCADA Security
Analysis of a Beckhoff CX5020 PLC
Hans Hoefken
Slide 2: About
- Gregor Bonney: Master Student at Aachen University of Applied Sciences (FH Aachen)
- Hans Hoefken: Research Assistant at FH Aachen; Electrical Engineer; Ethical hacking, Pentesting
- Benedickt Paffen: Master Student at Aachen University of Applied Sciences (FH Aachen)
- Marko Schuba: Professor at FH Aachen; IT-Security, IT-Forensics
Slide 3: Agenda
- Introduction
- Structure of a SCADA System
- Beckhoff CX5020
- TwinCAT
- Automation Device Specification (ADS)
- Security Investigation
- Possible Attacks
- Advisory for Suppliers
Slide 4: Introduction
- globalization of business
- growing number of decentralized companies
- Industrial Control Systems (ICS) have to be network- and internet-enabled
- an essential part of ICS are SCADA systems (Supervisory Control and Data Acquisition)
- there are known attacks
- the number of attacks is growing
Slide 5: CIA vs. AIC
- IT Security prioritizes confidentiality, integrity, availability (CIA)
- SCADA prioritizes availability, integrity, confidentiality (AIC)
Slide 6: Design and Structure of a SCADA system
Layers, top to bottom:
- ERP: Enterprise Resource Planning
- MES: Manufacturing Execution System
- SCADA: Supervisory Control and Data Acquisition
- PLC/RTU: Programmable Logic Controller / Remote Terminal Unit
- Sensor/Actuator
Diagram flow labels: planning, retrieve data
Slide 7: Design and Structure of a SCADA system (diagram)
Slide 8: Security of SCADA devices
- not engineered with security in mind
- not engineered with remote connections in mind
- many are 15 years old and older
- new devices have built-in security, BUT…
- Beckhoff: 90% older systems in the field
Slide 9: CX5020 – Brief overview
- embedded PC
- Dual Core Atom processor
- 1 GB RAM
- flash card serving as persistent memory
Slide 10: Operating system
- customized Windows CE 6.0
- keyboard and mouse
- login password possible
Slide 11: TwinCAT Devices
- every device has a unique ADS-NetID
  - an extension of the IP address, e.g. 192.168.1.100.1.1
- for communication between devices a route needs to be established
- ADS packets are transported over TCP port 48898 and UDP port 48899

ADS-NetID           Transport-Address   Hostname
192.168.2.100.1.1   192.168.2.100       Device1
Slide 12: Automation Device Specification (ADS)
- proprietary protocol from Beckhoff
- used by TwinCAT (management system)
- optimized for throughput
- encapsulated in TCP/IP or serial connections
- no encryption
- authorization
Slide 13: System Control on CX5020
Important control software:
- CX Configuration Tool (FTP, VPN)
- Network and Dial-up Connection (IP)
- Password
Slide 14: Security Analysis Results
- nmap scan: 16 open ports
- well-known services
- unknown services: 48898 and 48899
- maintenance
- might be open in the firewall
Slide 15: Telnet
- enabled by default
- greeting phrase at the start of the connection: "Welcome to Windows CE 6.0 Telnet service on CX-ABCDEF"
  - CX-ABCDEF is the hostname of the device (MAC in ASCII)
- default username/password: webguest/1
- Windows CE 6.0 is a single-user system: all accounts get full administration privileges
- is able to create new accounts (CxAddUser)
Slide 16: Webserver
- index file: "Welcome to BECKHOFF CE device"
- supports virtual directories; exports different hard disk paths
- special URL for the administration interface: <ip>:5120/config
Slide 17: Webserver: Virtual Directory /remoteadmin
- Microsoft's Windows CE remote management tool
- not documented in Beckhoff's manual
- activated and not preconfigured: on first visit, set a password
- gives full control: network, time, file, and print server settings
Slide 18: CE Remote Display
- remote desktop service for Windows CE
- listens on TCP port 987
- connection requires a password
- connection setup is transmitted in plaintext
- attackable via ARP spoofing (man-in-the-middle)
- authenticated user has full control
Slide 19: SCADA Service: Automation Device Specification (ADS)
- proprietary protocol
- TwinCAT System Manager
  - controls PLCs
  - discovers PLCs
  - transmits programs to PLCs
Slide 20: Test Setup (diagram: EtherCAT, TCP/IP)
Slide 21: ADS Search for Devices (diagram)
Slide 22: Search Devices
- UDP broadcast
- can also be sent to a dedicated IP
- the ADS-NetID can be random
Slide 23: Response
- PLC answers with its own ADS NetID
Slide 24: Creation of an ADS route
- Source: WIN7VM-PC
- Destination: CX5020 PLC
- no encryption
- username/password in plaintext
- ADS packet header fields: ADS NetID, EWS hostname, Username, Password, EWS IP address
Slide 25: Login to CX5020
- if the password is wrong, a non-zero error code is returned (04 07)
- if the password is correct, a zero error code is returned (00 00)
- packets can easily be reverse engineered
- attackers can create their own ADS route
Slide 26: Complete Message Flow (diagram)
Slide 27: Possible Attacks
- use of the virtual directory /remoteadmin
  - after setting the initial password a new admin account is created
  - create a new VPN account
- no blocking after too many wrong passwords
  - brute force/dictionary attack (UDP port 48899)
  - PLC answers very fast; multiple connections in parallel possible
  - Python script achieved ~8000 pw/sec
  - password allows full PLC control on ports 987 & 48899
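The brute-force weakness described above (no lockout, roughly 8000 attempts per second, and distinct result codes 04 07 and 00 00 for a wrong and a correct password) is easy to spot on the defensive side once route-creation attempts are logged. The Python below is an added example, not code from the presentation or from Beckhoff. It assumes a constructed log format, one line per route-creation attempt with source IP, claimed ADS NetID, user and result code, as a hypothetical network sensor in front of UDP port 48899 might emit it (nothing on the slides says the CX5020 itself writes such a log). It flags sources whose failed attempts inside a sliding window reach a threshold, reports whether a success followed the burst, and applies one heuristic derived from slide 11: the first four octets of the claimed NetID should normally match the sender's own address.

```python
"""Flag ADS route-creation brute force (UDP 48899) from a constructed log.

Added example, not from the presentation or Beckhoff. Assumed log format, one
line per route-creation attempt, produced by a hypothetical network sensor:

  <ISO-8601 timestamp> route-add src=<ip> netid=<ads-netid> user=<name> result=<hex code>

The result codes are the two the slides report: 0407 = wrong password,
0000 = success.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADS_ERR_OK = "0000"            # zero error code: route created (slide 25)
ADS_ERR_BAD_PASSWORD = "0407"  # non-zero error code: wrong password (slide 25)


def parse_netid(netid):
    """Split an ADS NetID (six dotted octets) into (transport IP, suffix).

    Slide 11 shows the first four octets matching the transport address,
    e.g. 192.168.2.100.1.1 -> 192.168.2.100.
    """
    parts = netid.split(".")
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an ADS NetID: {netid!r}")
    return ".".join(parts[:4]), ".".join(parts[4:])


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, kind, *kv = line.split()
    rec = dict(item.split("=", 1) for item in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["kind"] = kind
    return rec


def summarize(lines, window=timedelta(seconds=1), threshold=20):
    """Return {src: findings} for sources whose failed route-creation
    attempts inside any sliding window reach the threshold."""
    events = defaultdict(list)  # src -> [(ts, ok, netid)]
    for line in lines:
        rec = parse_line(line)
        if rec["kind"] != "route-add":
            continue
        events[rec["src"]].append((rec["ts"], rec["result"] == ADS_ERR_OK, rec["netid"]))

    report = {}
    for src, evs in events.items():
        evs.sort()
        fails = [ts for ts, ok, _ in evs if not ok]
        # peak number of failures inside one window (two-pointer sweep)
        peak = start = 0
        for end, ts in enumerate(fails):
            while ts - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        # a success after a burst of failures is the sign of a cracked password
        seen_fail, cracked = 0, False
        for _, ok, _ in evs:
            if ok and seen_fail >= threshold:
                cracked = True
            seen_fail += not ok
        # heuristic: the claimed NetID should embed the sender's own IP (slide 11);
        # slide 22 notes that the NetID in a request can be random
        mismatch = any(parse_netid(n)[0] != src for _, _, n in evs)
        report[src] = {"peak_failures": peak, "success_after_burst": cracked,
                       "netid_mismatch": mismatch}
    return report


# --- constructed sample log (not captured from a real device) --------------
_BASE = datetime(2015, 3, 10, 10, 0, 0)


def _line(offset_ms, src, netid, user, result):
    ts = (_BASE + timedelta(milliseconds=offset_ms)).isoformat()
    return f"{ts} route-add src={src} netid={netid} user={user} result={result}"


SAMPLE_LOG = (
    # engineering workstation: one typo, then the correct password
    [_line(0, "192.168.2.10", "192.168.2.10.1.1", "Administrator", ADS_ERR_BAD_PASSWORD),
     _line(3000, "192.168.2.10", "192.168.2.10.1.1", "Administrator", ADS_ERR_OK)]
    # burst of 50 wrong passwords in half a second from another host, then a hit
    + [_line(5000 + 10 * i, "192.168.2.50", "1.2.3.4.1.1", "Administrator", ADS_ERR_BAD_PASSWORD)
       for i in range(50)]
    + [_line(5500, "192.168.2.50", "1.2.3.4.1.1", "Administrator", ADS_ERR_OK)]
)

if __name__ == "__main__":
    for src, findings in summarize(SAMPLE_LOG).items():
        print(src, findings)
```

With the sample log only 192.168.2.50 is reported: 50 failures inside one second, a success after the burst, and a claimed NetID that does not embed the sender address. The threshold of 20 failures per second is an arbitrary constant chosen for the example; the workstation's single typo stays well below it.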
Slide 28/29: Possible Attacks: Attack on VPN connection
- VPN connection to CX5020 with PPTP
- authentication with MS-CHAPv2
- MS-CHAPv2 is vulnerable
- steps of the attack:
  - MITM (with e.g. arpspoof)
  - sniff connection establishment
  - brute force crack (e.g. with asleap)
Slide 30: Attack on MS-CHAPv2 (diagram)
Slide 31: Possible attacks: USB Port
- WLAN adapter
- built-in driver support for WLAN adapters with the RT2501 chip
- adapter is connected automatically
- choose a WLAN
- preconfigured registry entries are not used
- after connection all PLC services are accessible
- bypasses infrastructure firewalls (direct connection)
Slide 32: Advisory for Suppliers
- disable the /remoteadmin virtual directory
- disable telnet by default
- limit the number of ADS packets per second
- deliver the device with strong passwords
- delete WLAN drivers (if not used)
- use an alternative VPN technology
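As an added example of two of these recommendations (limiting ADS packets per second, and blocking after too many wrong passwords, which slide 27 shows the CX5020 does not do), the Python below sketches a device-side guard for route-creation requests: a per-source token bucket throttles the rate, and a lockout counter stops a slow drip of guesses. This is not Beckhoff or TwinCAT code; the class name, the defaults (2 attempts/s sustained, burst of 5, lockout for 300 s after 10 failures), the `expected` password and the `now` timestamps passed in instead of a real clock are all assumptions made for the example.

```python
"""Rate-limit and lock out ADS route-creation attempts per source.

Added example, not Beckhoff or TwinCAT code. It sketches how a device-side
guard could implement two items from the advisory: limiting ADS packets per
second (token bucket) and blocking after too many wrong passwords (lockout).
Names, defaults and the time passed in as `now` are all hypothetical.
"""
import hmac
from dataclasses import dataclass


@dataclass
class _SourceState:
    tokens: float               # remaining bucket capacity for this source
    last_refill: float          # time of the last bucket refill
    failures: int = 0           # consecutive wrong passwords since last success
    locked_until: float = 0.0   # lockout expiry time, 0 = not locked


class RouteAuthGuard:
    def __init__(self, rate_per_sec=2.0, burst=5, max_failures=10, lockout_seconds=300.0):
        self.rate, self.burst = rate_per_sec, burst
        self.max_failures, self.lockout = max_failures, lockout_seconds
        self._state = {}

    def _get(self, src, now):
        """Fetch the source's state, refilling its bucket for the elapsed time."""
        st = self._state.get(src)
        if st is None:
            st = self._state[src] = _SourceState(tokens=float(self.burst), last_refill=now)
        else:
            st.tokens = min(self.burst, st.tokens + (now - st.last_refill) * self.rate)
            st.last_refill = now
        return st

    def check(self, src, now):
        """Return None if an attempt may be processed, else the refusal reason."""
        st = self._get(src, now)
        if now < st.locked_until:
            return "locked-out"
        if st.tokens < 1.0:
            return "rate-limited"
        st.tokens -= 1.0
        return None

    def record(self, src, ok, now):
        """Count the outcome; lock the source after max_failures wrong passwords."""
        st = self._get(src, now)
        if ok:
            st.failures = 0
            return
        st.failures += 1
        if st.failures >= self.max_failures:
            st.failures = 0
            st.locked_until = now + self.lockout


def handle_route_add(guard, src, password, now, expected="correct-horse"):
    """Process one route-creation request and return the outcome as a string.
    `expected` stands in for the device's configured password (constructed)."""
    refusal = guard.check(src, now)
    if refusal:
        return refusal
    ok = hmac.compare_digest(password.encode(), expected.encode())
    guard.record(src, ok, now)
    return "ok" if ok else "bad-password"


def simulate():
    """Fast burst, slow drip, then the legitimate user after the lockout expires."""
    guard = RouteAuthGuard()
    attacker = "10.0.0.99"
    # 100 guesses in 100 ms: only the burst allowance of 5 reaches the password check
    burst = [handle_route_add(guard, attacker, f"guess{i}", now=0.001 * i) for i in range(100)]
    # one guess per second: the bucket lets them through, the lockout stops them
    drip = [handle_route_add(guard, attacker, f"slow{i}", now=10.0 + i) for i in range(6)]
    # a correct login from the same address once the lockout has expired
    after = handle_route_add(guard, attacker, "correct-horse", now=400.0)
    return burst, drip, after


if __name__ == "__main__":
    burst, drip, after = simulate()
    print(burst[:6], drip, after)
```

In the simulation the fast burst gets five "bad-password" answers and then only "rate-limited" refusals, so a guessing script cannot reach the speeds slide 27 reports; the slow drip is admitted by the bucket but trips the lockout after the tenth consecutive failure. `hmac.compare_digest` is used for the password comparison so that the guard itself does not leak timing information; in a real device the check would of course be against a stored hash rather than a literal.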
Slide 33: Thank you!
Hans Hoefken
Aachen University of Applied Sciences, Germany
hoefken@fh-aachen.de