ICS/SCADA Security Analysis of a Beckhoff CX5020 PLC - PowerPoint Presentation

Uploaded On 2018-11-10

Presentation Transcript

Slide 1

ICS/SCADA Security
Analysis of a Beckhoff CX5020 PLC

Hans Hoefken

Slide 2

About

- Gregor Bonney: Master student at Aachen University of Applied Sciences (FH Aachen)
- Hans Hoefken: Research assistant at FH Aachen; electrical engineer, ethical hacking, pentesting
- Benedickt Paffen: Master student at Aachen University of Applied Sciences (FH Aachen)
- Marko Schuba: Professor at FH Aachen; IT security, IT forensics

Slide 3

Agenda

- Introduction
- Structure of a SCADA system
- Beckhoff CX5020
- TwinCAT
- Automation Device Specification (ADS)
- Security investigation
- Possible attacks
- Advisory for suppliers

Slide 4

Introduction

- Globalization of business
- Growing number of decentralized companies
- Industrial Control Systems (ICS) therefore have to be network- and internet-enabled
- SCADA (Supervisory Control and Data Acquisition) systems are an essential part of ICS
- There are known attacks, and their number is growing

Slide 5

CIA vs. AIC

- IT security: confidentiality, integrity, availability
- SCADA: availability, integrity, confidentiality (the priorities are reversed: a controller that stops responding is the worst case, so availability comes first)

Slide 6

Design and Structure of a SCADA system

Layers of the automation pyramid, top to bottom (planning flows downward, data is retrieved upward):

- ERP: Enterprise Resource Planning
- MES: Manufacturing Execution System
- SCADA: Supervisory Control and Data Acquisition
- PLC/RTU: Programmable Logic Controller / Remote Terminal Unit
- Sensor/Actuator

Slide 7

Design and Structure of a SCADA system (diagram only)

Slide 8

Security of SCADA devices

- Not engineered with security in mind
- Not engineered with remote connections in mind
- Many are 15 years old and older
- New devices have built-in security, BUT: according to Beckhoff, 90% of the systems in the field are older ones

Slide 9

CX5020 - Brief overview

- Embedded PC
- Dual-core Atom processor
- 1 GB RAM
- Flash card serving as persistent memory

Slide 10

Operating system

- Customized Windows CE 6.0
- Keyboard and mouse
- Login password possible

Slide 11

TwinCAT devices

- Every device has a unique ADS-NetID
  - an extension of an IP address with two more octets, e.g. 192.168.1.100.1.1
- For communication between devices a route needs to be established
- ADS packets are transported over TCP port 48898 and UDP port 48899

Example route entry:

ADS-NetID           Transport address   Hostname
192.168.2.100.1.1   192.168.2.100       Device1

Slide 12

Automation Device Specification

- Proprietary protocol from Beckhoff
- Used by TwinCAT (management system)
- Optimized for throughput
- Encapsulated in TCP/IP or serial connections
- No encryption or authorization

Slide 13

System control on the CX5020

Important control software:
- CX Configuration Tool (FTP, VPN)
- Network and Dial-up Connections (IP)
- Password

Slide 14

Security analysis: results

- nmap scan: 16 open ports
  - well-known services
  - unknown services
- Ports 48898 and 48899
  - used for maintenance
  - might be open in the firewall

Slide 15

Telnet

- Enabled by default
- Greeting phrase at the start of the connection: "Welcome to Windows CE 6.0 Telnet service on CX-ABCDEF"
  - CX-ABCDEF is the hostname of the device (derived from its MAC address, written as ASCII hex)
- Default username/password: webguest / 1
- Windows CE 6.0 is a single-user system: every account gets full administrative privileges
- The account is able to create new accounts (CxAddUser)

Slide 16

Webserver

- Index file: "Welcome to BECKHOFF CE device"
- Supports virtual directories that export different hard disk paths
- Special URL for the administration interface: <ip>:5120/config

Slide 17

Webserver: virtual directory /remoteadmin

- Microsoft's Windows CE remote management tool
- Not documented in Beckhoff's manual
- Activated but not preconfigured: whoever visits it first sets the password
- Gives full control: network, time, file and print server settings

Slide 18

CE Remote Display

- Remote desktop service for Windows CE
- Listens on TCP port 987
- Connection requires a password
- Connection setup is transmitted in plaintext
- Attackable via ARP spoofing (man-in-the-middle)
- An authenticated user has full control

Slide 19

SCADA service

Automation Device Specification (ADS)
- Proprietary protocol
- Used by the TwinCAT System Manager to
  - control PLCs
  - discover PLCs
  - transmit programs to PLCs

Slide 20

Test setup (diagram only): EtherCAT and TCP/IP segments

Slide 21

ADS search for devices

Slide 22

Search devices

- UDP broadcast
- Can also be sent to a dedicated IP
- The ADS-NetID in the request can be random

Slide 23

Response

- The PLC answers with its own ADS-NetID

Slide 24

Creation of an ADS route

- Source: WIN7VM-PC (engineering workstation, EWS)
- Destination: CX5020 PLC
- No encryption
- Username/password in plaintext

Fields of the route request (as seen in the capture):
- ADS packet header
- ADS NetID
- EWS hostname
- Username
- Password
- EWS IP address

Slide 25

Login to the CX5020

- If the password is wrong, a non-zero error code is returned (04 07)
- If the password is correct, a zero error code is returned (00 00)
- The packets can easily be reverse engineered
- Attackers can create their own ADS route
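The discovery request (slide 22), the add-route request with its clear-text fields (slide 24) and the status code in the reply (slide 25), worked as an added example. This is not the authors' script and not Beckhoff or TwinCAT code: the byte layout (magic 03 66 14 71, invoke id, command ids 1 and 6, AMS port 10000, and the tag-length-value tags for route name, NetID, username, password and host) is taken from the open-source pyads client and is an assumption to verify against your own capture. `build_add_route_reply` is a constructed PLC reply so the parser can be exercised offline; nothing here touches the network unless you uncomment the last lines.

```python
"""Beckhoff ADS/AMS UDP route management frames (port 48899).

Added example, not code from the slides.  Field layout is assumed from the
open-source pyads client; verify it against a capture before relying on it.
"""
import struct

ADS_UDP_PORT = 48899              # discovery and route management (slide 11)
ADS_TCP_PORT = 48898              # the ADS data protocol itself
AMS_MAGIC = b"\x03\x66\x14\x71"   # first four bytes of every management frame (assumed)
CMD_DISCOVER = 1                  # "search devices" (assumed)
CMD_ADD_ROUTE = 6                 # "add route" (assumed)
RESPONSE_FLAG = 0x80000000        # set in the command field of a reply (assumed)
SYSTEM_SERVICE_PORT = 10000       # AMS port of the TwinCAT system service

# Tag-length-value tags inside the frame (assumed, from pyads)
TAG_STATUS, TAG_PASSWORD, TAG_HOSTNAME = 0x01, 0x02, 0x05
TAG_NETID, TAG_ROUTENAME, TAG_USERNAME = 0x07, 0x0C, 0x0D

STATUS_OK = 0x0000
STATUS_WRONG_PASSWORD = 0x0704    # the slide's "04 07", read as little endian


def parse_netid(netid: str) -> bytes:
    """'192.168.2.100.1.1' -> six raw bytes (an IP address plus two octets)."""
    parts = [int(p) for p in netid.split(".")]
    if len(parts) != 6 or not all(0 <= p <= 255 for p in parts):
        raise ValueError(f"invalid ADS-NetID: {netid!r}")
    return bytes(parts)


def _tlv(tag: int, data: bytes) -> bytes:
    return struct.pack("<HH", tag, len(data)) + data


def _cstr(value: str) -> bytes:
    return value.encode("ascii") + b"\x00"   # NUL-terminated string


def _frame(invoke_id: int, command: int, netid: str, items) -> bytes:
    header = AMS_MAGIC + struct.pack("<II", invoke_id, command)
    header += parse_netid(netid) + struct.pack("<H", SYSTEM_SERVICE_PORT)
    return header + struct.pack("<I", len(items)) + b"".join(items)


def build_discover(sender_netid: str = "1.1.1.1.1.1", invoke_id: int = 1) -> bytes:
    """Discovery request: any sender NetID works, the PLC answers with its own."""
    return _frame(invoke_id, CMD_DISCOVER, sender_netid, [])


def build_add_route(ews_netid, ews_ip, route_name, username, password, invoke_id=2) -> bytes:
    """Ask the PLC to add a route back to the engineering workstation (EWS).
    Every field, the password included, travels in clear text."""
    items = [
        _tlv(TAG_ROUTENAME, _cstr(route_name)),     # EWS hostname
        _tlv(TAG_NETID, parse_netid(ews_netid)),    # NetID the PLC should route to
        _tlv(TAG_USERNAME, _cstr(username)),
        _tlv(TAG_PASSWORD, _cstr(password)),
        _tlv(TAG_HOSTNAME, _cstr(ews_ip)),          # EWS IP address
    ]
    return _frame(invoke_id, CMD_ADD_ROUTE, ews_netid, items)


def build_add_route_reply(plc_netid: str, status: int, invoke_id: int = 2) -> bytes:
    """Constructed PLC reply (only for exercising the parser offline)."""
    return _frame(invoke_id, CMD_ADD_ROUTE | RESPONSE_FLAG, plc_netid,
                  [_tlv(TAG_STATUS, struct.pack("<I", status))])


def parse_frame(data: bytes) -> dict:
    """Split a management frame into header fields and a {tag: value} map."""
    if len(data) < 24 or data[:4] != AMS_MAGIC:
        raise ValueError("not an AMS/ADS UDP management frame")
    invoke_id, command = struct.unpack_from("<II", data, 4)
    netid = ".".join(str(b) for b in data[12:18])
    port, count = struct.unpack_from("<HI", data, 18)
    items, pos = {}, 24
    for _ in range(count):
        tag, length = struct.unpack_from("<HH", data, pos)
        pos += 4
        items[tag] = data[pos:pos + length]
        pos += length
    return {"invoke_id": invoke_id, "command": command, "netid": netid,
            "port": port, "items": items}


def route_status(reply: bytes) -> int:
    """0 means the route was accepted; 0x0704 is the wrong-password code."""
    frame = parse_frame(reply)
    if frame["command"] != (CMD_ADD_ROUTE | RESPONSE_FLAG) or TAG_STATUS not in frame["items"]:
        raise ValueError("not an add-route reply")
    return struct.unpack("<I", frame["items"][TAG_STATUS])[0]


if __name__ == "__main__":
    req = build_add_route("192.168.2.50.1.1", "192.168.2.50", "WIN7VM-PC", "user", "secret")
    print("add-route request:", req.hex())
    for st in (STATUS_OK, STATUS_WRONG_PASSWORD):
        print("reply status:", hex(route_status(build_add_route_reply("192.168.2.100.1.1", st))))
    # Live use against a lab PLC would be:
    #   import socket; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    #   s.sendto(req, ("192.168.2.100", ADS_UDP_PORT)); reply, _ = s.recvfrom(1024)
```

Dumping `req.hex()` next to a Wireshark capture of the TwinCAT System Manager is the quickest way to confirm or correct the assumed layout; once the two match, `route_status` gives the same zero/non-zero distinction the slide describes, which is exactly the oracle a password-guessing script needs.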

Slide 26

Complete message flow (diagram only)

Slide 27

Possible attacks

Use of the virtual directory /remoteadmin:
- After setting the initial password, a new admin account is created
- Create a new VPN account

No blocking after too many wrong passwords:
- Brute-force/dictionary attack on the route password (UDP port 48899)
- The PLC answers very fast, and multiple connections in parallel are possible
- A Python script achieved ~8000 passwords/sec
- The password allows full PLC control on ports 987 and 48899

Slide 28 / 29

Possible attacks

Attack on the VPN connection:
- VPN connection to the CX5020 with PPTP
- Authentication with MS-CHAPv2
- MS-CHAPv2 is vulnerable: the challenge/response handshake leaks enough to attack the password hash offline
- Steps of the attack:
  1. Man-in-the-middle (e.g. with arpspoof)
  2. Sniff the connection establishment
  3. Brute-force crack the captured handshake (e.g. with asleap)

Slide 30

Attack on MS-CHAPv2 (diagram only)

Slide 31

Possible attacks

USB port:
- WLAN adapter: built-in driver support for WLAN adapters with the RT2501 chip
- The adapter is connected automatically; choose a WLAN
- Preconfigured registry entries are not used
- After connection, all PLC services are accessible
- Bypasses infrastructure firewalls (direct connection)

Slide 32

Advisory for suppliers

- Disable the /remoteadmin virtual directory
- Disable Telnet by default
- Limit the number of ADS packets per second
- Deliver the device with strong passwords
- Delete WLAN drivers (if not used)
- Use an alternative VPN technology
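What the ~8000 passwords/sec attack of slide 27 looks like on the wire, and what the advisory's "limit the number of ADS packets per second" means in code, as an added example that is not from the slides. The event stream is constructed here (timestamp, source IP, status code of the add-route reply on UDP 48899); in practice it would come from a capture or from the firewall in front of the PLC. The detector is a per-source sliding window over failed attempts, and the limiter is a per-source token bucket; both are this editor's illustration, not a Beckhoff feature.

```python
"""Detecting and throttling ADS route-password guessing.

Added example, not code from the slides.  Events are constructed, not captured.
"""
from collections import defaultdict, deque

STATUS_OK = 0x0000
STATUS_WRONG_PASSWORD = 0x0704    # the slide's "04 07" reply, little endian


def detect_route_bruteforce(events, window=1.0, max_failures=10):
    """Flag every source with more than `max_failures` failed add-route
    attempts inside any sliding window of `window` seconds.

    events: iterable of (ts_seconds, src_ip, status).  Returns
    {src_ip: {"first_alert": ts, "peak_per_window": n[, "success_after_alert": ts]}}.
    """
    recent = defaultdict(deque)       # src_ip -> timestamps of recent failures
    alerts = {}
    for ts, src, status in sorted(events):
        if status == STATUS_OK:
            if src in alerts:         # a flagged source guessed right: highest severity
                alerts[src]["success_after_alert"] = ts
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:     # drop failures that fell out of the window
            q.popleft()
        if len(q) > max_failures:
            a = alerts.setdefault(src, {"first_alert": ts, "peak_per_window": 0})
            a["peak_per_window"] = max(a["peak_per_window"], len(q))
    return alerts


class RouteRequestLimiter:
    """Per-source token bucket for add-route requests.

    At 5 requests/s a script that the PLC would otherwise answer 8000 times per
    second is slowed by a factor of 1600, which turns a minutes-long dictionary
    run into days without ever locking out a legitimate engineer.
    """

    def __init__(self, rate_per_second=5.0, burst=5):
        self.rate, self.burst = rate_per_second, burst
        self.state = {}               # src -> (tokens, last_ts)

    def allow(self, src, ts):
        tokens, last = self.state.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens >= 1.0:
            self.state[src] = (tokens - 1.0, ts)
            return True
        self.state[src] = (tokens, ts)
        return False


def constructed_events():
    """Constructed sample: one engineer mistypes twice, one attacker runs 8000/s."""
    events = [(0.5, "192.168.2.50", STATUS_WRONG_PASSWORD),
              (3.0, "192.168.2.50", STATUS_WRONG_PASSWORD),
              (5.2, "192.168.2.50", STATUS_OK)]
    t = 10.0
    for _ in range(16000):            # two seconds at 8000 attempts per second
        events.append((t, "192.168.2.77", STATUS_WRONG_PASSWORD))
        t += 1 / 8000
    events.append((t, "192.168.2.77", STATUS_OK))   # the dictionary hit
    return events


if __name__ == "__main__":
    for src, info in detect_route_bruteforce(constructed_events()).items():
        print(src, info)
    lim = RouteRequestLimiter()
    allowed = sum(lim.allow("192.168.2.77", 10.0 + i / 8000) for i in range(8000))
    print("requests let through in the first second:", allowed)
```

The `success_after_alert` field is the one to page on: a flood of 04 07 replies followed by a single 00 00 from the same source is the moment an attacker obtains a route and, with it, the full PLC control the slides describe.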

Slide 33

Thank you!

Hans Hoefken
Aachen University of Applied Sciences, Germany
hoefken@fh-aachen.de