protect a system from cyber attacks?
System Technical Note
Design your architecture
Disclaimer
This document is not comprehensive for any systems using the given architecture
and does not absolve users of their duty to uphold the safety requirements for the
equipment used in their systems or compliance with both national or international
safety laws and regulations.
Readers are considered to already know how to use the products described in
this System Technical Note (STN).
This STN does not replace any specific product documentation.
Development Environment
PlantStruxure, the Process Automation System from Schneider Electric, is a
collaborative system that allows industrial and infrastructure companies to meet
their automation needs while also addressing growing energy management
requirements. Within a single environment, measured energy and process data
can be analyzed to yield a holistically optimized plant.
Table of Contents
1. Security Overview .......................................... 7
1.1. Purpose .................................................. 7
1.2. Introduction ............................................. 7
3.6. Monitoring .............................................. 65
4.1. IP Spoofing ............................................. 67
5. References ................................................ 77
1-Security Overview
1. Security Overview
1.1. Purpose
The intent of this System Technical Note (STN) is to describe the capabilities of
the different Schneider Electric solutions that address the most critical application
requirements and consequently increase the security of an Ethernet-based
system. It provides a common, readily understandable reference point for end
users, system integrators, OEMs, sales people, business support and other parties.
1.2. Introduction
PlantStruxure's openness and transparency provide seamless communication
from the enterprise system or the internet to the control network. With this
transparency come security vulnerabilities that can be exploited to negatively
impact production, equipment, personnel safety, or the environment. Security
practices should be deployed to prevent these unwanted incidents from disrupting
operations.
Security is no longer a secondary requirement but should be considered
mandatory and be viewed as being as important as safety or high availability. To meet the
security challenges, Schneider Electric recommends a defense-in-depth
approach. Defense-in-depth is a concept that assumes there is no single
approach that provides all security needs. Rather, defense-in-depth layers the
network with security features, appliances, and processes to ensure that
disruption threats are minimized. Schneider's defense-in-depth approach
includes:
RTUs that offer secure links via VPN and strong authentication technology.
The intent of this document is to explain what constitutes cyber security in the
industrial market, why cyber security has become such a hot topic, the risks caused
by system vulnerabilities, methods of network penetration, and Schneider
Electric's recommendations to mitigate those risks. Remember, there is no
single product that can defend the network; rather, a defense-in-depth approach
ensures the best coverage for a secured, highly available operation.
1.3.
This technical evolution has exposed control systems to vulnerabilities that previously
affected only office and business computers. Although the malware found in the
world has been used to target home, office, or business computers, industrial
computers employing the same technology have become exposed through lax
internal security practices, external contractors with access to systems, and
inadvertently publicly accessible networked interfaces. Ethernet and
TCP/IP have provided many new and attractive capabilities:
Wireless connectivity
Distributed control
With the use of standard technologies such as Ethernet, control systems are now
vulnerable to cyber attacks from both inside and outside of the industrial control
system network.
The security challenges for the controls environment are:
Systems can span over large geographical regions with multiple sites.
With the heightened threats caused by political terrorism, cyber attacks, and
internal security threats, companies must be more diligent than ever about how
their systems are protected. Motivations can be hard to understand, but the
implications can be devastating: lost production, a damaged company image,
environmental disaster, or loss of life. Companies need to be more conscious of
security than ever before. No longer will barbed wire and security guards
satisfactorily protect industrial assets. Lessons learned from the IT world must be
employed to protect industrial facilities and infrastructure from disruptions,
damage, or worse.
2.1.
Accidental events
Disgruntled employees/contractor
Script kiddies
Recreational hackers
Virus writers
Criminal groups
Activists
Terrorists
Most cyber attacks that penetrate the control network system originate from the
enterprise system followed by the internet and trusted third parties.
2.2.
2.2.1.
Corporate VPN
Database links
Peer utilities
2.2.2. Supplier Access
In order to minimize downtime and reduce costs, suppliers are often given VPN
access for remote diagnostics or maintenance. Suppliers frequently leave
ports open on the equipment to simplify their tasks, giving an attacker access to
the equipment and links into the control system network.
2.2.3.
2.2.4. Corporate VPNs
Engineers working in corporate offices will often use a VPN from the
company broadband connection to gain access to the control network. The attacker waits for
the legitimate user to VPN into the control system network and piggybacks on the
connection.
2.2.5. Database Links
Most control systems use real-time databases, configuration databases, and
multiple historian databases. If the firewall or the security on the database is not
configured properly, a skilled attacker can gain access to the database from the
business LAN and generate SQL commands to take control of the database
server on the control system network.
2.2.6.
2.3.
Database names differ between suppliers, but most use a common naming
convention with a unique number (e.g. Pump1, Pump2, Breaker1, Breaker2). At
the communications protocol level, the devices are simply referred to by number
(memory location or register address). For a precise attack, the attacker needs to
translate the numbers into meaningful information.
Gaining access to the HMI screens is the easiest method for understanding the
process and the interaction between the operator and the equipment. The
information on the screen allows the attacker to translate the reference numbers
into something meaningful.
2.3.2.
2.3.4. Man-in-the-Middle Attacks
Man-in-the-middle is a type of attack where the attacker intercepts messages from
one computer (Host A), manipulates the data prior to forwarding to the intended
computer (Host B) and vice versa. Both computers appear to be talking to each
other and are unaware of an intruder in the middle.
In order for the attacker to be successful in manipulating the packets, the protocol
must be known. The man-in-the-middle attack allows the attacker to spoof the
operator HMI screens and take full control of the control system.
2.4. Accidental Events
While many threats exist from disgruntled employees, hackers, terrorists, or
activists, the majority of system outages related to networks are caused by
accidental events. In this case, we are referring to personnel not following proper
procedures, accidentally connecting network cables in wrong ports, poor network
design, programming errors, or badly behaving network devices. Experts
attribute >75% of network-related system outages to accidental events. Many of
the security features and processes discussed in this document can also prevent
these types of accidental events.
In many cases, contractors are necessary contributors to system design,
commissioning, or maintenance. Proper procedures should be defined to
ensure that contractors don't bring malware, viruses, or other problems into the
control network. Another example of proper procedures concerns how USB keys,
a convenient method of transferring files, can be safely employed in the control
network environment. USB keys are a common source of malware and viruses
and must be carefully screened before their use is permitted.
Network architectures are designed and configured at design time to comply with
robust behaviors, including segmenting, filtering, and topological rules.
Individuals who inadvertently connect a network cable into the wrong port on a
multi-port switch might create outages or broadcast storms that bring a network to
its knees. Many of the broadcast storm protections discussed in this document
apply to these accidental events as well as to Denial of Service attacks.
In general, the cause might be accidental, but the features, practices, and
procedures used to protect from cyber attack work equally well to prevent
accidental system outages. In this case, disaster recovery methods should be
2.5.
2. Inadequately designed control system networks that lack sufficient defense-in-depth mechanisms:
File Sharing
Instant Messaging
Laptops.
USB memory.
1. Security Plan
Creating the security plan is the first step in securing the control system network.
Policies and procedures must be defined, implemented and, most importantly,
updated and maintained. The planning process involves performing a vulnerability
assessment, mitigating the risks, and creating a plan to reduce or avoid those risks.
2. Network Separation
Physically separating the control system network from other networks, including
the enterprise, by creating demilitarized zones (DMZs).
3. Perimeter Protection
Preventing unauthorized access to the control system through the use of firewalls,
authentication and authorization, VPN (IPsec) and anti-virus software. This
includes remote access.
3.1. Security Plan
The first step towards a secure network is to create a security plan with
procedures and policies. A cross-functional team consisting of management, IT
staff, control engineer, operator and a security expert should participate in the
creation of a comprehensive security plan.
The security plan should clearly define:
Actions, activities and processes that are allowed and not allowed.
Consequences of non-compliance.
For existing networks, a full assessment is needed prior to creating the plan:
Prioritized by threat
Mitigating possible attacks: the more secure the network becomes, the
greater the impact on latency. In order for the process to run correctly, a level
of vulnerability may have to be accepted.
3.2. Network Separation
One of the critical elements of designing a control system network is the physical
separation between the control network and external communication networks.
Data access between the internet, enterprise system and the control network
should take place on servers located in a demilitarized zone (DMZ). A DMZ
provides a safe and secure means of sharing data between zones. The DMZ
should contain:
Data servers such as Citect Historian that share and collect data from the
control system and enterprise system.
Patch management
Antivirus server
Remote access
All communication links should end in the DMZ. There should be no direct
communication path into the industrial control network.
DMZ Guidelines
All outbound traffic from the control network to the corporate network
should be source and destination-restricted by service and port.
The servers in the DMZ zone must be hardened. Security patches and
anti-virus software must be continuously updated.
Packet filtering: a low-cost, basic type of firewall with minimal impact on
network performance. Basic information in each packet, such as the IP addresses,
is validated before forwarding. This type alone is not recommended because it provides no
authentication and does not conceal the protected network's architecture.
3.3.1. Firewall Guidelines
The National Institute of Standards and Technology (NIST) has provided the
following guidelines:
Ports and services between the control system network environment and the
corporate network should be enabled and permissions granted on a specific
case-by-case basis. There should be a documented business justification with
risk analysis and a responsible person for each permitted incoming or
outgoing data flow.
All permit rules should be both IP address and TCP/UDP port specific.
Traffic should be prevented from transiting directly from the control network to
the corporate network. All traffic should terminate in a DMZ.
Any protocol allowed between the control network and the DMZ should
explicitly NOT be allowed between the DMZ and corporate networks (and
vice-versa).
All outbound traffic from the control network to the corporate network should
be source and destination-restricted by service and port.
Outbound packets from the control network or DMZ should be allowed only if
those packets have a correct source IP address that is assigned to the control
network or DMZ devices.
Firewall Vulnerabilities
Denial of Service is one of the most common vulnerabilities of the outer perimeter.
Other common vulnerabilities:
Spoofing
Viruses
Hijacking
False identity
Data/Network Sabotage
3.3.3.
Damage to equipment
Environmental damage
Product contamination
IP protocol
Source IP address
Source port
Destination IP address
Destination port
With packet filtering, access to a device can be restricted to only allow specific
protocols (ports). In the drawing below, the PC can communicate with the PLC
via port 80, but port 69 messages are blocked by the firewall.
Ports that need extra protection due to low or no built-in security are:
Non-secure Protocols
IP          Protocol      Port #
TCP         Telnet        23
TCP/UDP     HTTP          80
TCP/UDP     SNMP v1&v2    161
TCP         FTP           20 (data), 21 (command)
UDP         TFTP          69
TCP/UDP     DNS           53
TCP         POP3          110
TCP/UDP     SMTP          25
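The NIST guidelines and the packet-filtering fields above can be expressed as a small allow-list evaluator. The following is an added example written for this note, not Schneider Electric firewall code: the zone addresses, rule owners, justifications and sample packets are all constructed, and the Rule/Packet model is an assumption standing in for a real firewall's rule table. It enforces default deny, IP- and port-specific permits, termination of control/corporate traffic in the DMZ, source-address checking on outbound packets, and the guideline that no service may be allowed on both the control-to-DMZ and DMZ-to-corporate legs.

```python
"""Allow-list packet filter following the NIST firewall guidelines quoted above.

Added example, not Schneider Electric product code. Rules are IP- and
TCP/UDP-port-specific, the default action is deny, control<->corporate traffic
must terminate in the DMZ, and an outbound packet is dropped unless its source
address is assigned to the zone it left (anti-spoofing). All zones, hosts,
owners and packets are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the three zones.
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("172.16.0.0/12"),
}


@dataclass(frozen=True)
class Rule:
    src: str            # host address or CIDR block
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    owner: str          # responsible person, as the guideline requires
    justification: str  # documented business justification


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr):
    """Name of the zone an address belongs to, or None if it is unassigned."""
    ip = ipaddress.ip_address(str(addr))
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def _endpoints(rule):
    """Zones at the two ends of a rule (the first address of each block decides)."""
    return {zone_of(ipaddress.ip_network(rule.src)[0]),
            zone_of(ipaddress.ip_network(rule.dst)[0])}


def protocol_conflicts(rules):
    """Services allowed control<->DMZ that are also allowed DMZ<->corporate.

    The guideline requires these sets to be disjoint; a non-empty result means
    one protocol can bridge both legs through the DMZ."""
    control_dmz, dmz_corp = set(), set()
    for r in rules:
        ends = _endpoints(r)
        if ends == {"control", "dmz"}:
            control_dmz.add((r.proto, r.dport))
        elif ends == {"dmz", "corporate"}:
            dmz_corp.add((r.proto, r.dport))
    return sorted(control_dmz & dmz_corp)


def evaluate(pkt, ingress_zone, rules):
    """Return ("permit"|"deny", reason) for a packet entering from ingress_zone."""
    # Anti-spoofing: the source must be an address assigned to the zone it left.
    if zone_of(pkt.src) != ingress_zone:
        return "deny", "source %s is not assigned to the %s zone" % (pkt.src, ingress_zone)
    # No direct transit between control and corporate; everything terminates in the DMZ.
    if {zone_of(pkt.src), zone_of(pkt.dst)} == {"control", "corporate"}:
        return "deny", "direct control<->corporate path; traffic must terminate in the DMZ"
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and r.proto == pkt.proto and r.dport == pkt.dport):
            return "permit", "rule owned by %s: %s" % (r.owner, r.justification)
    return "deny", "no matching permit rule (default deny)"


# Constructed rule set: one documented flow per permitted service.
RULES = [
    Rule("10.10.5.7", "10.20.0.10", "tcp", 1433, "control engineer (constructed)",
         "control historian replicates to the DMZ mirror"),
    Rule("172.16.0.0/12", "10.20.0.10", "tcp", 443, "IT manager (constructed)",
         "corporate users read the DMZ historian over HTTPS"),
    Rule("10.20.0.20", "10.10.0.0/16", "tcp", 8530, "IT manager (constructed)",
         "patch management server in the DMZ serves control-network hosts"),
]

if __name__ == "__main__":
    for pkt, zone in [(Packet("10.10.5.7", "10.20.0.10", "tcp", 1433), "control"),
                      (Packet("10.10.5.7", "10.20.0.10", "tcp", 23), "control"),
                      (Packet("172.16.1.5", "10.10.5.7", "tcp", 443), "corporate"),
                      (Packet("10.20.0.10", "10.10.5.7", "tcp", 1433), "control")]:
        print(pkt, "->", evaluate(pkt, zone, RULES))
    print("conflicting services:", protocol_conflicts(RULES))
```

Run it and the Telnet packet, the direct corporate-to-control packet and the packet carrying a DMZ source address out of the control zone are all denied, each with the guideline that caused it; protocol_conflicts is the check to run whenever the rule table changes.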
Some firewalls are even capable of looking within the protocol to make intelligent
decisions about allowing/restricting specific messages. These highly evolved
firewalls are capable of looking into a protocol like Modbus TCP (port 502) and
allowing certain function codes to pass while blocking others. An example of this
type of firewall is the Eagle Tofino from Hirschmann Electronics.
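An added illustration of the function-code inspection just described, not code from the Tofino product or from Schneider Electric: a minimal Modbus/TCP parser that validates the MBAP header and passes a client request only when its function code is on a read-only allow list. The sample frames are constructed, and the allow list is an assumption (reads only; any write or diagnostic code is dropped).

```python
"""Modbus/TCP function-code filter of the kind described above.

Added example, not the Tofino product or any Schneider code. It parses the
MBAP header, rejects malformed frames, and passes a client request only if
its function code is on a read-only allow list. Sample frames are constructed.
"""
import struct

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
READ_ONLY = {1, 2, 3, 4}   # assumed policy: reads pass, everything else is dropped


def parse_modbus_tcp(frame):
    """Split a Modbus/TCP request into MBAP fields and PDU; raise on bad framing."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = MBAP.unpack(frame[:MBAP.size])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # The length field counts every byte after itself: unit id plus the PDU.
    if length != len(frame) - 6:
        raise ValueError("length field %d disagrees with frame size %d" % (length, len(frame) - 6))
    return {"transaction": tid, "unit": uid,
            "function": frame[MBAP.size], "data": frame[MBAP.size + 1:]}


def filter_request(frame, allowed=READ_ONLY):
    """Return ("pass"|"drop", reason) for a client-to-server Modbus/TCP frame."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "drop", "malformed: %s" % exc
    fc = msg["function"]
    name = FUNCTION_NAMES.get(fc, "function %d" % fc)
    if fc in allowed:
        return "pass", "%s to unit %d permitted" % (name, msg["unit"])
    return "drop", "%s to unit %d is not on the allow list" % (name, msg["unit"])


# Constructed frames: read 10 holding registers from address 0 on unit 1,
# write the value 42 to register 1 on unit 1, and a truncated copy of the read.
READ_HOLDING = bytes.fromhex("00010000000601030000000a")
WRITE_SINGLE = bytes.fromhex("00020000000601060001002a")
TRUNCATED = READ_HOLDING[:9]

if __name__ == "__main__":
    for frame in (READ_HOLDING, WRITE_SINGLE, TRUNCATED):
        print(frame.hex(), "->", filter_request(frame))
```

A real inline filter would also track direction (responses carry the same function code back, so the allow list applies to client requests only) and would need the unit id and register ranges per rule; the frame parsing is the part that carries over unchanged.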
Anti-virus Software
Always implement anti-virus scanning and keep anti-virus software and definition
files up-to-date. This applies to the SCADA system and all PCs used to monitor or
maintain the control system.
Flood Protection
The firewall is an important player in preventing unwanted traffic such as DoS
attacks onto the control network. DoS attacks are the most common form of flood
attacks. If a DoS attacker is successful in penetrating the control network, the
impact can be minimized using flood protection provided in the firewall.
3.3.4.
HTTP Vulnerabilities
HTTP has little inherent security and can be used as a transport mechanism for
attacks and worms. Common attacks are man-in-the-middle and eavesdropping.
DHCP
Dynamic Host Configuration Protocol (DHCP) is a network application protocol
based on BootP. It is used by devices (DHCP clients) to obtain configuration
information for operation in an Internet Protocol network. DHCP is an
unauthenticated protocol. The DHCP service works through the DORA (Discover,
Offer, Request and Acknowledgment) exchange.
The DHCP service uses port 67/UDP on the DHCP server and 68/UDP on the DHCP
clients.
Schneider Electric uses DHCP for Faulty Device Replacement (FDR).
DHCP Vulnerabilities
There are two common types of DHCP attacks:
DHCP starvation attack: the DHCP server is inundated with countless requests
from different MAC addresses. The DHCP server eventually runs out of IP
addresses, blocking legitimate users from obtaining or renewing an IP address.
Telnet
The telnet protocol provides an interactive, text-based communications session
between a client and a host. Telnet provides access to a command-line interface,
typically via port 23. It is mainly used for remote login and simple control services
to systems with limited resources or to systems with limited needs for security.
Due to security risks, Schneider has limited the use of Telnet in its products.
Telnet Vulnerabilities
Use of Telnet is a severe security risk because all telnet traffic, including
passwords, is unencrypted. It can allow a remote individual considerable control
over a device.
Telnet Risk Mitigation
Inbound telnet sessions from the corporate to the control network should be
prohibited unless secured with authentication and an encrypted tunnel.
Outbound telnet sessions should be allowed only over encrypted tunnels (e.g.,
VPN) to specific devices (Covered in the Remote Access section).
Simple Mail Transfer Protocol (SMTP) & Post Office Protocol (POP3)
Email notification in the automation industry is becoming more prevalent as plants
downsize and rely on remote experts to troubleshoot and fix detected problems.
PlantStruxure devices only send email. However, there is potential for non-Schneider
Electric devices residing on the network to receive email. Therefore,
it is highly recommended that firewalls be configured to scan email for viruses.
The Simple Mail Transfer Protocol (SMTP) is an internet standard used by e-mail
clients or mail transfer agents (MTAs) to send e-mail. An SMTP server performs
two functions:
Message integrity
Authentication
Encryption
SNMP Vulnerabilities
SNMP is generally weak in security. Versions 1 and 2 of SNMP use unencrypted
passwords (the read and write strings) both to read and to configure devices, and
these passwords sometimes cannot be changed. Version 3 is considerably more
secure but is still limited in use.
Often SNMP is installed by default with "public" as the read string and "private"
as the write string. Such an installation gives an attacker the means to
perform reconnaissance on a system in preparation for a denial of service.
SNMP also provides information about the system that may allow the attacker to
piece together the network layout and its interconnections.
NAT Vulnerabilities
None known
NAT Configuration Recommendation
Use NAT whenever possible. Note that NAT does not support producer-consumer
protocols such as EtherNet/IP or Foundation Fieldbus.
3.3.5. External Authentication
Authentication is the process of determining a person's true identity. There are
several methods of external authentication. Remote Authentication Dial-In User
Service (RADIUS) is the most popular network protocol used in the control system
network.
Transactions between the client and the RADIUS server are authenticated
through the use of a shared secret. A shared secret is encrypted using the MD5
hashing algorithm. Originally, RADIUS was developed for dial-up remote access.
Today, RADIUS is supported by VPN servers, wireless access points,
authenticating Ethernet switches, Digital Subscriber Line (DSL) access, and other
network access types.
Authentication Guidelines
Use a different shared secret for each RADIUS server-RADIUS client pair.
If possible, configure shared secrets with a minimum length of 16 characters
consisting of a random sequence of upper and lower case letters, numbers, and
punctuation.
Authentication Vulnerabilities
The RADIUS shared secret does not have sufficient randomness to withstand an
offline dictionary attack. This vulnerability is addressed using IPsec in
the Remote Access section.
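As an added example (not Schneider code and not a RADIUS server implementation), the following shows the RFC 2865 Response Authenticator that a RADIUS client computes to check a server's reply, together with a check and a generator for shared secrets meeting the guideline above (16 or more characters mixing upper and lower case letters, digits and punctuation). The authenticator is an MD5 over fields that are visible on the wire plus the shared secret, which is why a short or guessable secret is what exposes it to the offline dictionary attack just mentioned. The secret, identifier, request authenticator and attribute bytes used here are constructed.

```python
"""RADIUS response authentication and shared-secret policy, as an added example.

Not Schneider code and not a RADIUS implementation. It shows the RFC 2865
Response Authenticator (MD5 over Code, Identifier, Length, Request
Authenticator, Attributes and the shared secret), and enforces the
16-character mixed-class guideline. Packet values and secrets are constructed.
"""
import hashlib
import hmac
import secrets
import string
import struct

ACCESS_ACCEPT = 2
HEADER = struct.Struct(">BBH")   # code, identifier, length
AUTH_LEN = 16                    # authenticator field length


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + AUTH_LEN + len(attributes)
    return hashlib.md5(HEADER.pack(code, identifier, length)
                       + request_auth + attributes + secret).digest()


def build_response(code, identifier, attributes, request_auth, secret):
    """Server side: header, authenticator, then attributes."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    length = HEADER.size + AUTH_LEN + len(attributes)
    return HEADER.pack(code, identifier, length) + auth + attributes


def verify_response(packet, request_auth, secret):
    """Client side: accept a reply only if a holder of the same secret produced it."""
    if len(packet) < HEADER.size + AUTH_LEN:
        return False
    code, identifier, length = HEADER.unpack(packet[:HEADER.size])
    if length != len(packet):
        return False
    attributes = packet[HEADER.size + AUTH_LEN:]
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    # Constant-time comparison so a wrong authenticator is not distinguishable by timing.
    return hmac.compare_digest(expected, packet[HEADER.size:HEADER.size + AUTH_LEN])


def meets_guideline(secret):
    """At least 16 characters with upper, lower, digit and punctuation all present."""
    classes = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return len(secret) >= 16 and all(any(f(c) for c in secret) for f in classes)


def generate_secret(length=24):
    """Random secret from the printable set; resample until it meets the guideline."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_guideline(candidate):
            return candidate


if __name__ == "__main__":
    shared = b"constructed-Secret#42!"        # constructed shared secret
    req_auth = bytes(range(AUTH_LEN))         # constructed Request Authenticator
    reply = build_response(ACCESS_ACCEPT, 7, b"\x12\x07hello", req_auth, shared)
    print("genuine reply verifies:", verify_response(reply, req_auth, shared))
    print("reply checked with 'public':", verify_response(reply, req_auth, b"public"))
    print("'public' meets guideline:", meets_guideline("public"))
    print("generated:", generate_secret())
```

Use one generated secret per RADIUS server/client pair, as the guideline says; reusing a secret means one captured exchange can be used against every pair that shares it.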
3.3.6. Remote Access
There is a growing demand to establish connection to the control system that
enables engineers and support personnel to monitor and control the system from
remote locations. Remote access can be costly and susceptible to cyber attacks if
not configured correctly. Many companies are migrating from telephone modems
to a virtual private network (VPN) to reduce this risk. A VPN provides the highest
possible level of security, through encryption and authentication, preventing
viewing of the data over the public internet.
data confidentiality
replay protection
Secure Socket Layer (SSL): SSL is a common protocol built into most web
browsers. SSL is easier to configure and does not require special client software.
However, SSL only works for web-based (TCP) applications and only supports
Digital Signature.
A VPN tunnel uses algorithms to encrypt and decrypt user information. The three
common encryption protocols are:
Verify that the VPN devices do not have a negative impact on the control
system network.
3.3.7.
The wireless access points and data servers for wireless worker devices
should be located on an isolated network with documented and minimal
(single if possible) connections to the ICS network.
Wireless device communications should be encrypted and integrity-protected.
The encryption must not degrade the operational performance
of the end device. Encryption at OSI Layer 2 should be considered, rather
than at Layer 3, to reduce encryption latency. The use of hardware
accelerators to perform cryptographic functions should also be considered.
For mesh networks, consider the use of broadcast key versus public key
management implemented at OSI Layer 2 to maximize performance.
Asymmetric cryptography should be used to perform administrative
functions, and symmetric encryption should be used to secure each data
stream as well as network control traffic. An adaptive routing protocol
should be considered if the devices are to be used for wireless mobility.
The convergence time of the network should be as fast as possible,
supporting rapid network recovery in the event of a detected failure or
power loss. The use of a mesh network may provide fault tolerance through
alternate route selection and pre-emptive fail-over of the network.
Security settings are either not configured or configured for poor security.
Easy to eavesdrop.
After selecting VPN mode on both ETGs, configure the GPRS DNS name and set the
mode to tunnel.
Below is a fully configured system providing VPN access across the
public internet while ensuring secured communications.
3.4.
3.4.1. Virtual LANs
Virtual LANs (VLANs) are commonly used to segment networks. VLANs divide
physical networks into smaller logical networks to increase performance, improve
manageability, simplify network design and provide another layer of security.
Segmentation can be accomplished using devices such as firewalls, routers and
Ethernet switches with access control lists.
Network segmentation advantages:
Most of an intruder's scans are dropped by the network before they ever
hit a potential target system.
The first level involves the use of Ethernet switches to prevent unwanted
traffic from going to all devices, potentially allowing an attacker to view the
data.
The second level involves the use of switches with VLAN functionality to
further restrict traffic. At this point, the concept of a communications or
security zone is introduced. The control network is broken into separate
zones based on physical proximity or purpose. Use of Access Control
Lists further enhances the level of security of the zones.
The third level involves the use of high performance industrial firewalls or
routers to limit access to a communications zone and to monitor traffic
inside the zone.
As firewalls and routers are added to the system, the user must be cognizant of
potential reduced network performance.
Functionality or Cell Area: only relevant traffic for a particular cell area
necessary for operation.
Use one VLAN per ring topology for all manufacturing traffic per cell/area
zone.
Packets entering the DMZ from the Internet are assigned a restricted VLAN
ID that allows access only to devices on the DMZ.
Apply QoS ACLs to rate limit the maximum amount of ping traffic allowed.
VLAN Vulnerabilities
VLAN hopping is a method of attacking networked resources on a VLAN. In the
VLAN hopping attack, the attacker uses switch spoofing or double-encapsulated
frames on an unauthorized port to gain access to another VLAN.
Common types of attacks carried out once the intruder has gained access to the
desired VLAN:
ARP Attacks
Spanning-Tree Attack
Device Hardening
Device hardening is a process that reconfigures a device's default settings to
strengthen security.
Device hardening applies to routers, firewalls, switches and other devices on the
network such as SCADA systems and PACs. Examples of device hardening:
Access Control
Strong authentication
3.5.1. Passwords
Password management is one of the fundamental means of device hardening. It
can be implemented easily and quickly, but it is often neglected in the control system
network, and policies and procedures are often lacking or missing entirely. Caution
Numbers
There needs to be a secured master list of all passwords in the plant at all times,
one that can be accessed quickly in the event of an emergency.
Password Vulnerabilities
Default passwords are not changed and default settings can be easily
found in manuals.
3.5.2.
3.5.3.
SNMP
Telnet/Web access
SNMP
A network management station communicates with the device via the Simple
Network Management Protocol (SNMP). An SNMP packet contains the IP address of the
sending computer along with the device's password needed for access.
The device receives the SNMP packet and compares the IP address of the
sending computer and the password with the entries in the device MIB. If the
password has the appropriate access rights, and if the IP address of the sending
computer has been entered, then the device allows access.
SNMP Vulnerabilities
Ethernet switches are susceptible to MAC spoofing, table overflows, and attacks
against the spanning tree protocols, depending on the device and its
configuration.
Password protect.
Limit the access rights of the known passwords or delete their entries.
Telnet/Web access
The device's Telnet server allows you to configure the device using the
Command Line Interface (in-band).
The ConneXium switch can be configured using the web server. On delivery, the
server is activated.
Telnet/Web Access Vulnerabilities
Same vulnerabilities as described in the firewall section.
Telnet/Web access Configuration Recommendation
Deactivate Telnet and web servers if not used.
Ethernet Switch Configurator Software Protection
The Ethernet Switch Configurator Software protocol allows you to assign the
device an IP address based on its MAC address.
Ethernet Switch Configurator Software Vulnerability
Unauthorized access
Ethernet Switch Configurator Software Risk Mitigation
It is recommended that the Ethernet Switch Configurator Software function for the
device be disabled after you have assigned the IP parameters to the device.
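The SNMP, Telnet/web and Ethernet Switch Configurator recommendations above, together with the default-password point from the Passwords section, can be turned into an audit of a device's configuration. This is an added example, not ConneXium or Schneider code: the DeviceConfig model, the default-password list and the two sample configurations are constructed stand-ins for a real device's settings, and the severity levels are an assumption.

```python
"""Device-hardening audit for a switch or PAC configuration, as an added example.

Not Schneider or ConneXium code; the configuration model is constructed. It
checks the items this section raises: SNMP v1/v2 with default "public"/"private"
strings, Telnet and web servers left active, the MAC-based IP-assignment
protocol left enabled after commissioning, and default or short passwords.
"""
from dataclasses import dataclass

DEFAULT_COMMUNITIES = {"public", "private"}
# Constructed stand-ins for the factory defaults printed in manuals.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}
MIN_PASSWORD_LEN = 8


@dataclass
class DeviceConfig:
    name: str
    snmp_version: str          # "v1", "v2c" or "v3"
    snmp_read: str             # read community (v1/v2c); "" if none
    snmp_write: str            # write community (v1/v2c); "" if disabled
    telnet_enabled: bool
    web_server_enabled: bool
    discovery_enabled: bool    # MAC-based IP assignment protocol
    admin_password: str


def audit(cfg):
    """Return a list of (severity, finding) tuples; an empty list means nothing found."""
    findings = []
    if cfg.snmp_version in ("v1", "v2c"):
        findings.append(("medium", "SNMP %s sends community strings in clear text; prefer v3"
                         % cfg.snmp_version))
    if cfg.snmp_read in DEFAULT_COMMUNITIES:
        findings.append(("high", "default SNMP read community %r" % cfg.snmp_read))
    if cfg.snmp_write in DEFAULT_COMMUNITIES:
        findings.append(("critical", "default SNMP write community %r allows reconfiguration"
                         % cfg.snmp_write))
    elif cfg.snmp_write and cfg.snmp_write == cfg.snmp_read:
        findings.append(("high", "read and write communities are identical"))
    if cfg.telnet_enabled:
        findings.append(("high", "Telnet server active: credentials cross the network unencrypted"))
    if cfg.web_server_enabled:
        findings.append(("medium", "web server active: deactivate it if not used"))
    if cfg.discovery_enabled:
        findings.append(("medium", "IP-assignment discovery protocol still enabled after commissioning"))
    if cfg.admin_password in DEFAULT_PASSWORDS:
        findings.append(("critical", "admin password is a factory default"))
    elif len(cfg.admin_password) < MIN_PASSWORD_LEN:
        findings.append(("high", "admin password shorter than %d characters" % MIN_PASSWORD_LEN))
    return findings


def worst_severity(findings):
    """Highest severity present, or "none"."""
    present = {sev for sev, _ in findings}
    for level in ("critical", "high", "medium"):
        if level in present:
            return level
    return "none"


# Constructed configurations: the device as delivered, and after hardening.
AS_DELIVERED = DeviceConfig("cell-switch-1", "v2c", "public", "private", True, True, True, "admin")
HARDENED = DeviceConfig("cell-switch-1", "v3", "", "", False, False, False, "Fj7!qp2Lm#9vR")

if __name__ == "__main__":
    for cfg in (AS_DELIVERED, HARDENED):
        results = audit(cfg)
        print("%s: %s" % (cfg.name, worst_severity(results)))
        for sev, msg in results:
            print("  [%s] %s" % (sev, msg))
```

The check for identical read and write strings is there because a device whose write community equals the read community gives anyone who can read it the ability to reconfigure it, which is the same exposure as the factory defaults.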
3.5.4. SCADA System
SCADA, or Supervisory Control and Data Acquisition, systems are heavily used in
industrial control for data collection, human interface, and data analysis.
Schneider's Vijeo Citect is an example of this functionality. SCADA systems, due
to their typical PC-based architecture, simple access to process control functions
and criticality to the process, are among the most vulnerable devices on the
control system network. The steps required to harden the SCADA system are:
Routinely track and monitor audit trails especially in the critical areas to
identify suspicious activity and remedy the activity immediately.
Configure mirrored servers such as the historian in the DMZ for external
access. Do not allow direct access on the control system network.
Keep the anti-virus software current. This can often conflict with
production and may require a risk assessment.
Maintain Passwords.
SCADA Vulnerabilities
SQL injection is a code injection technique that targets the database layer of an
application. The attacker executes unauthorized SQL commands by taking
advantage of poorly secured code on a system connected to the Internet. Most of
the security issues centre on the login and URL strings.
SQL injection attacks are used to steal information from a database and/or to gain
access to an organization's host computers through the computer that hosts
the database.
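An added example, not Vijeo Citect or any Schneider code, of the login-string flaw described above beside its parameterized fix. A small in-memory sqlite3 table stands in for the SCADA user store; the account name, its password and the salt are constructed. The vulnerable function pastes the login string into the SQL text, so a username ending in a quote and a comment marker closes the string and discards the password check; the hardened function binds both values as parameters, so the same input is just a username that does not exist.

```python
"""SQL injection in a login query, beside its parameterized fix, as an added example.

Not Vijeo Citect or any Schneider code. A small sqlite3 table of operators
stands in for the SCADA user store; the vulnerable function builds the SQL text
from the login string, the hardened one binds parameters. Credentials and the
salt are constructed.
"""
import hashlib
import sqlite3

SALT = b"constructed-deployment-salt"


def pw_hash(password):
    """Salted PBKDF2 so the table never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000).hex()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO operators VALUES (?, ?)",
                 ("operator1", pw_hash("Plant-2011!")))   # constructed account
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login string pasted into the SQL text: the flaw the section describes."""
    query = ("SELECT username FROM operators WHERE username = '%s' AND pw_hash = '%s'"
             % (username, pw_hash(password)))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL."""
    query = "SELECT username FROM operators WHERE username = ? AND pw_hash = ?"
    return conn.execute(query, (username, pw_hash(password))).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in (("operator1", "Plant-2011!"), ("operator1'--", "anything")):
        print("%-14r vulnerable: %-5s safe: %s"
              % (user, login_vulnerable(db, user, pw), login_safe(db, user, pw)))
```

The same pair of functions is the regression test to keep in the build: the injected username must log in through the vulnerable version and fail through the safe one, or the fix has regressed.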
Web Servers
Internet Display Clients (IDCs) are configured using FTP. As stated before, FTP is
an untrusted protocol and should be avoided. It is highly recommended that the
CitectSCADA web client be used instead of IDCs.
3.5.5.
3.6. Monitoring
Security monitoring on the control system network is critical. No system is fully
protected due to the continuous evolution of new cyber attacks. By monitoring the
system, immediate action can be taken to block intrusion attempts before damage
is done.
3.6.1.
3.6.2. Monitoring Recommendations
SNMP Authentication Traps
Enable SNMP Authentication traps to monitor for unauthorized login attempts.
4 Appendix
4.1. IP Spoofing
IP spoofing is a method used to disguise the identity of the attacker in order
to perform various malicious attacks such as denial of service and man-in-the-middle. IP spoofing is accomplished by manipulating the IP address.
The Internet Protocol (IP) is the main protocol used to communicate data across
the Internet. The IP header of the data contains the information necessary to
transport data from the source to the destination. The header contains information
about the type of IP datagram, how long the datagram remains active on the
network, special flags indicating any special purpose the datagram is supposed to
serve such as whether or not the data can be fragmented, the destination and
source addresses, and several other fields.
The receiver of the packet identifies the sender by the source IP address, but
IP does not validate the source IP address. In IP spoofing, the attacker
manipulates the datagram; the most common manipulation is creating a false
source IP address to hide identity.
The primary motives of the attack are:
To gather information about open ports, operating systems, or applications on the
host from the replies. For example: a port 80 response may indicate that the host
is running a web server. Using telnet, the attacker may be able to see the banner
and determine the Web server version and type. Now the attacker can try to
exploit any vulnerability associated with that Web server.
To uncover the sequence number. TCP requires a sequence number for
every byte transferred and requires an acknowledgement from the recipient. An
attacker sends several packets to the victim in the hope of determining the
sequence-number algorithm. Once the algorithm is determined, the attacker tricks the target into
believing its legitimacy and begins to launch various attacks.
Hijacking an authorized session by monitoring a session between two
communicating hosts and then injecting traffic that appears to be coming from one
of them. By doing so the hijacker steals the session from one host and terminates its
session, then continues the same session, with the same access
privileges, to the other legitimate host.
4.2.
Description
4.3.
Description
There is a limit to available resources. Once the limit has been reached, all other
requests are dropped. Older operating systems are more vulnerable than newer
operating systems. Newer operating systems manage resources better making it
more difficult to overflow tables, but still are vulnerable.
4.4. Land Attack
In a land attack a spoofed TCP SYN packet is sent in which the source IP
address and source port number are identical to the target IP address and
port number. The target machine replies to itself in an endless loop until the idle
timeout value is reached.
4.5. ARP Spoofing
Address Resolution Protocol (ARP) is a Layer 2 protocol that maps an IP address
to a MAC address stored in a table (ARP cache) residing in memory.
ARP flood spoofing, also known as ARP poisoning or ARP routing, sends fake
ARP messages on the network. The intent is to associate the attacker's MAC
address with the IP address of another node (e.g. the gateway) by poisoning the ARP
caches of the systems, so as to intercept traffic.
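As an added example (not a Schneider product feature), the following is a small ARP-cache monitor that detects the rebinding an ARP poisoning attack produces: it compares each ARP reply against the first binding learned for that address, or against a statically configured binding for critical hosts such as the gateway, and reports any MAC that answers for several addresses. The log records are constructed in a made-up "timestamp reply ip is-at mac" format, not the output of a real tool, and the addresses are constructed.

```python
"""ARP-cache monitor that spots the MAC rebinding caused by ARP poisoning.

Added example, not Schneider code. It reads constructed ARP reply records
(timestamp, IP, MAC), keeps the first binding seen for each address plus any
static bindings supplied for critical hosts, and reports when an address is
later claimed by a different MAC or when one MAC answers for several addresses.
The record format is constructed, not a real tool's output.
"""


class ArpWatch:
    def __init__(self, static=None):
        # Trusted bindings (e.g. the gateway) are configured, not learned.
        self.trusted = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.learned = {}      # ip -> first MAC seen answering for it
        self.seen = {}         # mac -> set of IPs it has ever answered for
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return True if it agrees with the known binding."""
        mac = mac.lower()
        self.seen.setdefault(mac, set()).add(ip)
        known = self.trusted.get(ip) or self.learned.get(ip)
        if known is None:
            self.learned[ip] = mac
            return True
        if known != mac:
            kind = "static" if ip in self.trusted else "learned"
            self.alerts.append("%s: %s moved from %s to %s (%s binding)"
                               % (ts, ip, known, mac, kind))
            return False
        return True

    def macs_with_many_ips(self, limit=1):
        """MACs that answered for more than `limit` addresses: a poisoning symptom."""
        return sorted(mac for mac, ips in self.seen.items() if len(ips) > limit)


def parse_record(line):
    """Constructed record format: '<timestamp> reply <ip> is-at <mac>'."""
    ts, kind, ip, _, mac = line.split()
    if kind != "reply":
        raise ValueError("only ARP replies are recorded: %r" % line)
    return ts, ip, mac


def run(lines, static=None):
    watch = ArpWatch(static)
    for line in lines:
        watch.observe(*parse_record(line))
    return watch


# Constructed records: gateway, HMI, an unknown station, then the unknown
# station's MAC answering for the gateway's and the HMI's addresses.
SAMPLE = [
    "10:00:01 reply 10.10.1.1 is-at 00:80:f4:01:01:01",
    "10:00:02 reply 10.10.1.20 is-at 00:80:f4:02:02:02",
    "10:00:03 reply 10.10.1.30 is-at 00:80:F4:0A:0A:0A",
    "10:00:09 reply 10.10.1.1 is-at 00:80:f4:0a:0a:0a",
    "10:00:10 reply 10.10.1.20 is-at 00:80:f4:0a:0a:0a",
]
GATEWAY = {"10.10.1.1": "00:80:f4:01:01:01"}   # constructed static binding

if __name__ == "__main__":
    watch = run(SAMPLE, GATEWAY)
    for alert in watch.alerts:
        print(alert)
    print("answering for several addresses:", watch.macs_with_many_ips())
```

The static table is the important part for a control network: the gateway, historian and PAC addresses change rarely, so pinning them means the first alert fires on the first poisoned reply rather than after a learned baseline has itself been poisoned.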
4.6. ICMP Smurf
In a Smurf attack the attacker spoofs the target IP address, sending an ICMP
Echo Request (ping) to the broadcast address on an intermediary network. As a
result, the target host is flooded with replies and its resources become exhausted, so
legitimate users cannot access the server. The ICMP Smurf attack is the same as
an ICMP flood attack except that Smurf attacks use other networks to multiply the
number of requests.
4.7.
The Ping of Death attack sends an ICMP Echo Request (ping) as multiple
fragmented packets that together exceed the maximum IP packet size (65,535
bytes). Since the reassembled ICMP echo request is larger than the allowed IP
packet size, the remote system crashes while attempting to reassemble the
packet.
4.8.
The primary motivation of the UDP flood attack is not to break into a system but to
make the target system deny service to legitimate users.
4.9. Teardrop Attack
Teardrop attack is the most popular fragment attack method. It involves inserting
false offset information into fragmented packets. As a result, during reassembly,
there are empty or overlapping fragments that can cause the system to crash.
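The land (4.4), Smurf (4.6), Ping of Death (4.7) and teardrop (4.9) descriptions share one theme, malformed or self-referential IP datagrams, so a single added example covers all four. It is not Schneider code and not a product feature: it parses the fixed IPv4 header with struct and flags each signature the appendix describes, keeping a per-datagram fragment map so that overlapping offsets are caught. The build_ipv4 helper only fabricates test datagrams (header checksum left at zero), and every address and packet is constructed; the local network used for the broadcast check is an assumption.

```python
"""IPv4 datagram checks for the land, Smurf, Ping of Death and teardrop
patterns described in the appendix, as an added example (not Schneider code,
not a product feature). It parses the fixed IPv4 header and applies the
signature each section describes; build_ipv4 only fabricates test input
(header checksum left zero). Addresses and packets are constructed.
"""
import ipaddress
import struct

IP_HDR = struct.Struct(">BBHHHBBH4s4s")   # fixed 20-byte IPv4 header
MAX_DATAGRAM = 65535                      # largest reassembled datagram, header included
PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_ECHO_REQUEST = 8


def build_ipv4(src, dst, proto, payload, ident=1, more_frags=False, frag_offset=0):
    """Minimal IPv4 datagram for test input; frag_offset is in bytes (multiple of 8)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset // 8)
    header = IP_HDR.pack(0x45, 0, IP_HDR.size + len(payload), ident, flags_frag, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def parse_ipv4(pkt):
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = IP_HDR.unpack(pkt[:IP_HDR.size])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "id": ident, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


class DatagramInspector:
    """Per-packet signature checks plus a fragment map for overlap detection."""

    def __init__(self, local_net):
        self.net = ipaddress.ip_network(local_net)
        self.fragments = {}   # (src, dst, id, proto) -> [(start, end), ...]

    def inspect(self, pkt):
        d = parse_ipv4(pkt)
        findings = []
        # Land: source and destination identical (with equal ports on a TCP SYN).
        if d["src"] == d["dst"]:
            note = ""
            if d["proto"] == PROTO_TCP and d["offset"] == 0 and len(d["payload"]) >= 14:
                sport, dport = struct.unpack(">HH", d["payload"][:4])
                if sport == dport and d["payload"][13] & 0x02:
                    note = " with SYN and equal ports %d" % sport
            findings.append("land: source equals destination%s" % note)
        # Smurf: echo request aimed at the local or limited broadcast address.
        dst = ipaddress.ip_address(d["dst"])
        if (d["proto"] == PROTO_ICMP and d["offset"] == 0
                and d["payload"][:1] == bytes([ICMP_ECHO_REQUEST])
                and dst in (self.net.broadcast_address, ipaddress.ip_address("255.255.255.255"))):
            findings.append("smurf: ICMP echo request addressed to broadcast %s" % dst)
        # Ping of Death: this fragment would reassemble past the datagram size limit.
        end = d["offset"] + len(d["payload"])
        if end + IP_HDR.size > MAX_DATAGRAM:
            findings.append("ping of death: fragment reassembles to %d bytes, beyond %d"
                            % (end + IP_HDR.size, MAX_DATAGRAM))
        # Teardrop: fragment overlaps one already seen for the same datagram.
        if d["mf"] or d["offset"]:
            key = (d["src"], d["dst"], d["id"], d["proto"])
            for start, stop in self.fragments.get(key, []):
                if d["offset"] < stop and end > start:
                    findings.append("teardrop: fragment %d-%d overlaps %d-%d"
                                    % (d["offset"], end, start, stop))
                    break
            self.fragments.setdefault(key, []).append((d["offset"], end))
        return findings


# Constructed payloads: a TCP SYN with both ports 502, and an ICMP echo request.
TCP_SYN_502 = struct.pack(">HHIIBBHHH", 502, 502, 0, 0, 0x50, 0x02, 8192, 0, 0)
ECHO_REQUEST = bytes([ICMP_ECHO_REQUEST, 0, 0, 0, 0, 1, 0, 1])

if __name__ == "__main__":
    insp = DatagramInspector("10.10.0.0/16")
    for label, pkt in [
        ("normal", build_ipv4("10.10.5.7", "10.10.5.8", PROTO_TCP, TCP_SYN_502)),
        ("land", build_ipv4("10.10.5.7", "10.10.5.7", PROTO_TCP, TCP_SYN_502)),
        ("smurf", build_ipv4("10.10.5.7", "10.10.255.255", PROTO_ICMP, ECHO_REQUEST)),
        ("pod", build_ipv4("10.10.5.7", "10.10.5.8", PROTO_ICMP, b"\x00" * 100, ident=9, frag_offset=65528)),
        ("frag1", build_ipv4("10.10.5.7", "10.10.5.8", PROTO_ICMP, b"\x00" * 24, ident=10, more_frags=True)),
        ("frag2", build_ipv4("10.10.5.7", "10.10.5.8", PROTO_ICMP, b"\x00" * 24, ident=10, frag_offset=8)),
    ]:
        print(label, "->", insp.inspect(pkt))
```

The fragment map is keyed by source, destination, identification and protocol, which is how a host groups fragments for reassembly, so an overlap is only reported within one datagram; a production monitor would also expire entries, which this example leaves out.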
5-References
5. References
US Department of Homeland Security:
http://www.us-cert.gov/control_systems/
Catalog of Control Systems Security: Recommendations for Standards
Developers - 2008
Guide to Industrial Control Systems (ICS) Security - National Institute of
Standards and Technology (NIST), Keith Stouffer, Joe Falco, Karen Scarfone
2008
Common Cyber Security Vulnerabilities Observed in Control System
Assessments by the INL NSTB Program - U.S. Department of Energy Office
of Electricity Delivery and Energy Reliability, National SCADA Test Bed
(NSTB) - 2008
Control Systems Cyber Security: Defense in Depth Strategies - Idaho
National Laboratory, May 2006
The Instrumentation, Systems and Automation Society (ISA):
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS
Networks - 2004
Mitigations for Security Vulnerabilities Found in Control System Networks 2006
2008 CSI Computer Crime & Security Survey - Robert Richardson, CSI
Director
Design Secure Network Segmentation Approach - SANS Institute InfoSec
Reading Room 2005
VLAN Best Practices White paper FLUKE networks -2004
OPC Security Whitepaper #3 Hardening Guidelines for OPC Hosts - Digital
Bond,
British Columbia Institute of Technology, Byres Research 2007
http://www.vicomsoft.com/knowledge/reference/firewalls1.html
Due to evolution of standards and equipment, characteristics indicated in texts and images
in this document are binding only after confirmation by our departments.