Tuesday, September 15, 2015

SCADA/Control System Security

Control System Security Overview

Control systems monitor and control industrial infrastructure and facilities, including electric, water, and oil and gas pipelines, among others.  The type of system implemented depends on the needs of the facility: whether it requires continuous measurement or only simple notification.

Types of Control Systems

Distributed control systems are geographically local control systems used in power generation facilities, refineries and water treatment plants.  A DCS provides constant feedback on system status to engineers via analog input/output (I/O).  Engineers can then make adjustments as required.  For example, a DCS can be set up to issue an alarm when a subsystem reaches a predetermined temperature.
Programmable logic controllers are also geographically local control systems that, unlike DCSs, use discrete input, which in the simplest terms is on or off.  PLCs are used on assembly lines and in industrial facilities.  For example, a PLC may be used to alert an operator that assembly of a car component has completed.  Like DCSs, PLCs use high-speed communications.
Supervisory Control and Data Acquisition (SCADA) systems, unlike DCS and PLC controlled systems, are more widely distributed.  SCADA is essentially a system in which data is collected from a process in order to control it.  Utilizing Local Area Networks (LANs), SCADA installations can cover hundreds or thousands of miles.  They are used in water utilities, oil and gas pipelines and electric utilities, among others.  The components of a SCADA system are the SCADA control centers and the systems that they monitor.  Control centers constantly monitor the other systems or field sites, collecting data and keeping track of system status.  If an event occurs, the control center can trigger an alarm, alert an operator, or take whatever other action it is designed to take in response to the event.
Energy management systems are actually a type of SCADA system designed to monitor and control power systems.  They are generally connected to the SCADA LAN.

Brief History of Control Systems

Prior to the 1990s, control systems were largely isolated networks whose main ‘security’ concern was physical.  The systems were mostly closed-loop networks that relied upon system-to-system communication.  As the year 2000 approached, industry leaders realized they needed to prepare for potential year 2000 (Y2K) issues.  As these improvements were made, the industries also began to recognize the cost benefits of interconnecting systems and attaching them to networked computer systems.  Systems that had mainly been stand-alone were now being connected to corporate networks so that decision makers could get feedback in real or near-real time.  The approach did improve efficiency, but it also introduced vulnerabilities that did not previously exist.

Threats to Control Systems

Being in a more open environment has exposed control systems to the same vulnerabilities that Information Technology (IT) initially faced.  However, control systems usually run on much older technology that has not been ‘hardened’ over time as IT systems have.  This lack of maturity leaves them open to vulnerabilities that IT systems solved long ago.  Attempting to apply IT safeguards to control systems can have adverse effects.  For example, port scanning, commonly used to find open ports on a network, can freeze PLCs.  Additionally, there is a lack of knowledgeable personnel available to tackle the control system cyber security issue, and most of those who are available come from the IT world.

An attempt has been made at standardizing protection.  The North American Electric Reliability Council (NERC) created the Critical Infrastructure Protection standards to address the issue.  However, many aspects of the standard are too liberal, allowing individual organizations to decide what is critical and what is not.  This lack of rigorously applied standards puts at risk not only an organization's own systems, but any systems that interface with the components that organization has identified as non-critical.

Experimenting with Android Permissions


Last year, as part of the curriculum for my Masters in Information Assurance, I took a class in Mobile Security.  I tested the new Android Permission Structure.  The year prior, I wrote a paper on the inadequacy of the older Android Permission Structure and wanted to test the new operating system to determine if it would remedy the problems that the older version had.

SMS Fake Player

The SMS Fake Player was, allegedly, the first Trojan targeting Android devices, back in 2010, as reported by Kaspersky Lab.  The Trojan, passing itself off as a media player, sends Short Message Service (SMS) messages to premium numbers at a rate of $6 per message.  The Trojan has to be downloaded and installed in order to infect the Android device, thus it does NOT self-propagate.  The user is prompted to give the application the authority to send SMS messages:

This is the only message users received warning them of the potential danger.  Users have become complacent with regard to permissions at install time.
According to Felt, Chin, Hanna, Song and Wagner in an article titled “Android Permissions Demystified” in 2011 for the Association for Computing Machinery:
“Access to privacy- and security-relevant parts of Android‘s rich API is controlled by an install-time application permission system. Each application must declare upfront what permissions it requires, and the user is notified during installation about what permissions it will receive. If a user does not want to grant a permission to an application, he or she can cancel the installation process.”

Too Much Trust?

The same article stated:  “However, an install-time permission system is ineffective if developers routinely request more permissions than they require. Over privileged applications expose users to unnecessary permission warnings and increase the impact of a bug or vulnerability.”

Poor Documentation

Developers relied on Google's Android documentation which, the aforementioned article stated, had inadequate information regarding application permissions.  As a result, developers often request more permissions than their applications will actually use, just to make them work.  The authors also found 6 errors in the permissions documentation provided to developers.

Inadequate Protection of Permissions

An article in the April/May 2010 edition of IEEE Computer Magazine stated that Android provided inadequate protection of its application permissions under this model.  This was 5 months prior to the release of the Trojan.
Some of the application permissions that can be granted at install time:
SEND_SMS – Sending text messages
READ_INPUT_STATE – Read keystrokes
BRICK – Render phone unusable
The ACM article found that approximately one-third of the applications they studied on the Android Market were over privileged.

Ask Yourself

From a developer perspective:
If you have been working on a program and are facing a deadline and did not have adequate documentation, but knew that including a .dll or .jar would solve your problem, would you include it?
From a User perspective:
How many times have you simply clicked ‘Yes’ or ‘OK’ while installing software?
Should a user be expected to know what functionality an application requires in order to function properly? 

As a developer, you are taught to abstract the users, as much as possible, from the inner workings of your program. Is it fair to blame the user for not knowing those inner workings?

Enter the Jelly Bean

On June 27, 2012 Google introduced Jelly Bean to replace Honeycomb.  It introduced many security improvements, including addressing the SMS issue.
Google improved the permission model.  The issue that allowed the SMS Trojan to work has been mitigated with the addition of a warning message that appears when an application attempts to send a text to a number that is KNOWN to be a fee number.

My Experiment

I attempted to create a program that would show how differently the Honeycomb and Jelly Bean versions of Android handle premium rate SMS attempts.
The program performed the following:
Modified a program from a sample provided by “Beginning Android 4 Development”
Displays a gallery of thumbnail photos
When a thumbnail is clicked, the picture is enlarged AND a covert SMS message is sent.
Tools Used
Android emulator (Free)
Eclipse Integrated Development Environment (Free)

Premium Rate SMS Numbers

Android maintains an XML document holding known premium rate numbers.  Once I managed to find the file, I was able to use one of the numbers in it to test the premium SMS blocking system in Jelly Bean.

<shortcode country="us"
premium="20433|21(?:344|472)|22715|23(?:333|847)|24(?:15|28)0|25209|27(?:449|606|663)|28498|305(?:00|83)|32(?:340|941)|33(?:166|786|849)|34746|35(?:182|564)|37975|38(?:135|146|254)|41(?:366|463)|42335|43(?:355|500)|44(?:578|711|811)|45814|46(?:157|173|327)|46666|47553|48(?:221|277|669)|50(?:844|920)|51(?:062|368)|52944|54(?:723|892)|55928|56483|57370|59(?:182|187|252|342)|60339|61(?:266|982)|62478|64(?:219|898)|65(?:108|500)|69(?:208|388)|70877|71851|72(?:078|087|465)|73(?:288|588|882|909|997)|74(?:034|332|815)|76426|79213|81946|83177|84(?:103|685)|85797|86(?:234|236|666)|89616|90(?:715|842|938)|91(?:362|958)|94719|95297|96(?:040|666|835|969)|97(?:142|294|688)|99(?:689|796|807)" />

The Code…Seeking Permission

Using a simple modification to the ‘Image Switcher’ sample program from ‘Beginning Android 4 Development’, I added a request for SMS permissions.

The Code…Sending the Secret Message


I added a simple method that calls the sendTextMessage method.  When the item (thumbnail) is clicked, it displays the full picture; however, I added code that waits 5 seconds and then sends a covert message to another device.
Running the Code
To ensure that both implementations executed the same code, I added the covert message code to the app and installed it on both.  I opened one emulator running Jelly Bean and another running Honeycomb.
I started the application on both emulators and ran them:

Honey Comb Results

Clicking on the smaller thumbnail on the Honeycomb phone opens the larger picture and sends a message to the Jelly Bean phone.  However, no warning is generated about the message sent to the “Premium” number.

(Screenshot) 1-555-521-5554: the secretly sent message is delivered without warning the user.

Jelly Bean Results

While the message from the Jelly Bean phone to the Honeycomb phone is allowed, the message that would go to the “Premium” number is caught and a warning is presented to the user.

(Screenshot) Jelly Bean warns the user that the app is going to send a message to a fee based number and allows them to stop it.
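As an added example (not code from this post, and not Android's own implementation), the following Python script parses the <shortcode> element quoted in the Premium Rate SMS Numbers section and applies its premium pattern to outgoing destinations the way the Jelly Bean warning in the results above behaves: a destination that fully matches the premium alternation is flagged, while the emulator's ordinary long number (1-555-521-5554) passes. The wrapper root element, the anchoring of the pattern, and the rule that 1 to 5 digits count as a short code are assumptions made for this example; the real Android file carries more countries and attributes than the fragment shown in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed for this example: the <shortcode> element quoted in the post,
# wrapped in a root element so it parses as a complete XML document.
SHORT_CODES_XML = """<shortcodes>
<shortcode country="us"
 premium="20433|21(?:344|472)|22715|23(?:333|847)|24(?:15|28)0|25209|27(?:449|606|663)|28498|305(?:00|83)|32(?:340|941)|33(?:166|786|849)|34746|35(?:182|564)|37975|38(?:135|146|254)|41(?:366|463)|42335|43(?:355|500)|44(?:578|711|811)|45814|46(?:157|173|327)|46666|47553|48(?:221|277|669)|50(?:844|920)|51(?:062|368)|52944|54(?:723|892)|55928|56483|57370|59(?:182|187|252|342)|60339|61(?:266|982)|62478|64(?:219|898)|65(?:108|500)|69(?:208|388)|70877|71851|72(?:078|087|465)|73(?:288|588|882|909|997)|74(?:034|332|815)|76426|79213|81946|83177|84(?:103|685)|85797|86(?:234|236|666)|89616|90(?:715|842|938)|91(?:362|958)|94719|95297|96(?:040|666|835|969)|97(?:142|294|688)|99(?:689|796|807)" />
</shortcodes>
"""

# Assumption for this example: a destination of 1 to 5 digits is a short code.
SHORT_CODE_MAX_DIGITS = 5


def load_premium_patterns(xml_text):
    """Return {country: compiled regex} built from each <shortcode premium="..."> attribute."""
    root = ET.fromstring(xml_text)
    patterns = {}
    for node in root.iter("shortcode"):
        premium = node.get("premium")
        if premium:
            # Anchor the whole alternation so that "20433" matches but "204331" does not.
            patterns[node.get("country")] = re.compile(r"^(?:" + premium + r")$")
    return patterns


def classify_destination(number, country, patterns):
    """Classify an outgoing SMS destination as a premium-number warning would.

    Returns "premium" for a known premium short code of the given country,
    "standard" for an ordinary long number, and "unknown_short_code" for a
    short code that is not on the list. Only the "premium" case would produce
    the Jelly Bean warning; the other two are sent without any prompt.
    """
    digits = re.sub(r"[^0-9]", "", number)
    pattern = patterns.get(country)
    if pattern and pattern.match(digits):
        return "premium"
    if 1 <= len(digits) <= SHORT_CODE_MAX_DIGITS:
        return "unknown_short_code"
    return "standard"


def audit_outbox(destinations, country, patterns):
    """Label every destination in a constructed outbox, e.g. for reviewing an app's SMS log."""
    return [(dest, classify_destination(dest, country, patterns)) for dest in destinations]


if __name__ == "__main__":
    premium_patterns = load_premium_patterns(SHORT_CODES_XML)
    # Constructed sample outbox: the emulator number from the post plus two short codes.
    for dest, verdict in audit_outbox(["1-555-521-5554", "20433", "12345"], "us", premium_patterns):
        print(f"{dest:>15}  {verdict}")
```

The third sample destination makes the limit of the control visible: a short code that is not in the premium list is sent with no warning at all, which is why the post's warning only helps for numbers that are KNOWN to be fee numbers.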


Jon Oberheide (2011). “Dexcode Teardown of the Android SMS Trojan”. Jon.Oberheide.org. Retrieved from http://jon.oberheide.org/blog/2010/08/10/dexcode-teardown-of-the-android-sms-trojan/.
Bernadette Irinco (2010). “First Android Trojan in the Wild”. TrendMicro.com. Retrieved from http://blog.trendmicro.com/first-android-trojan-in-the-wild/.
Richard Adhikari (2011). “Rogue Android Devs Plant SMS-Crazy Trojan in App”. Linux Insider. Retrieved from http://www.linuxinsider.com/story/70598.html.
Denis Maslennikov (2011). “Android SMS Trojan Now Being Delivered via SEO Techniques”. Securelist. Retrieved from http://www.securelist.com/en/blog/2286/Android_SMS_Trojan_Now_Being_Delivered_via_SEO_Techniques.

Tuesday, September 8, 2015

General Overview of SCADA Systems

What is PLC and how is it used?

A Programmable Logic Controller (PLC) is a major component of industrial control systems (ICS).  PLCs are not geographically dispersed and use local area network (LAN) technology for communication.  They can be connected to input sources such as switches, sensors and relays.  Outputs are also connected to the PLC and, depending on how the logic in the central processing unit (CPU) is programmed, it will perform some action or provide some output based on the input provided.  PLCs are normally used in feedback control, or closed-loop, systems.  A feedback control system, as the name suggests, uses the difference between the desired input and the measured output, fed back as input to the controller, to determine the output.
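To make the closed-loop idea concrete, here is an added example (not from this post) of a feedback loop in Python: a proportional controller sees only the error between setpoint and measured temperature, drives a heater output between 0 and 1, and a discrete high-temperature alarm of the kind the DCS section describes fires when a configured limit is exceeded. The process model (ambient of 20 degrees, 5 degrees of heating per step at full output, 5% loss per step toward ambient) and the gain are constructed values chosen so the loop settles quickly; they do not describe any real plant.

```python
def clamp(value, low, high):
    """Limit value to the range [low, high]; here it bounds the heater output to 0..1."""
    return max(low, min(high, value))


def proportional_controller(setpoint, measurement, gain):
    """Return (output, error). The controller only ever sees the error, i.e. the feedback."""
    error = setpoint - measurement
    return clamp(gain * error, 0.0, 1.0), error


def heater_process(temperature, output, ambient=20.0, heating=5.0, loss=0.05):
    """Constructed first-order process: heat in proportional to output, loss toward ambient."""
    return temperature + heating * output - loss * (temperature - ambient)


def simulate_closed_loop(setpoint, alarm_limit, steps=30, gain=0.2, start=20.0):
    """Run the loop for a number of steps.

    Returns (history, alarms): history is the measured temperature after each
    step, alarms is the list of step indices at which the discrete high alarm
    was raised, the way a DCS raises an alarm when a predetermined temperature
    is reached.
    """
    temperature = start
    history = []
    alarms = []
    for step in range(steps):
        output, _error = proportional_controller(setpoint, temperature, gain)
        temperature = heater_process(temperature, output)
        history.append(temperature)
        if temperature > alarm_limit:
            alarms.append(step)
    return history, alarms


if __name__ == "__main__":
    history, alarms = simulate_closed_loop(setpoint=60.0, alarm_limit=57.0)
    for step, temp in enumerate(history):
        flag = " ALARM" if step in alarms else ""
        print(f"step {step:2d}: {temp:6.2f}{flag}")
```

With these constructed values the temperature climbs at full heater output, then settles just above 58 degrees rather than at the 60 degree setpoint: a proportional-only controller always leaves this steady-state offset, because a zero error would mean zero heater output, which the losses would not allow. That offset, and the fact that the alarm is a simple discrete comparison against the measurement, are what the paragraph above describes in words.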

Common Field Components

Component – Description
Data Historian – A server that usually houses a database allowing commands, configurations and feedback to be saved for later analysis.
Servo Drives – Servo motors convert control signals into the desired output.  There are two types of servo motors, Alternating Current (AC) and Direct Current (DC).  DC servo drives work specifically with servo motors to give commands to the motor and receive feedback from it.
Variable Frequency Drives and AC Drives – AC drives/Variable Frequency Drives (VFDs) work with non-servo AC motors.  They control the speed of the motor by varying the electricity sent to it.
Proximity Sensor – Sensors, such as the proximity sensor pictured above, produce a signal as a measure of a variable used for control.  In this example, it could be used to send a signal when someone or something is within a previously configured number of feet.
Photo-Eye Sensor – Detects the presence (or absence) or distance of an object.
Light Tower – A field element used to provide indicators of a process or machine state.
Human Machine Interface (HMI) – A terminal used to receive input from or send commands to the system.
These components are tied together by the fieldbus, a special type of LAN designed specifically for data acquisition and control of ICS components.  Imagine the PLC as part of a control loop using a fieldbus for communication between the PLC and the other components.  A proximity sensor is used to detect the presence of a person or thing.  When the sensor is tripped it sends a signal to a photo-eye to begin recording and to the light tower to activate.  An alert is likely sent to the HMI for human intervention (likely to view the video and determine whether the presence is friend or foe).  The event is then stored in the data historian.  An engineering workstation, usually manned by engineers and connected to the same LAN, is used to configure the PLC, for example to set the proximity limits.

How are PLC’s Used in ICS?

PLCs are part of both Distributed Control Systems and Supervisory Control and Data Acquisition systems.  In a DCS, PLCs are used as field control devices that are coupled with other components and connected to a LAN to provide data and feedback.  In SCADA, PLCs are used to communicate data to SCADA master stations.  Data reaches the PLCs through sensors.  In smaller implementations that require simple, discrete control, PLCs are the primary controllers.  Discrete control gives operators an indication when a process reaches a certain state, so you may see PLCs used as the primary controllers in operations such as alerting an operator to the completion of a component.

What is a DCS?

A Distributed Control System (DCS) is a local control system used for facilities in need of continuous monitoring or analog control.  Like the PLC, it uses LANs for communication.  It is usually comprised of a supervisory level and multiple substations.  The supervisory level oversees the substations through distributed controllers that communicate with it over the LAN.  Controllers are configured to communicate or provide feedback when certain measurements are reached.

Description of DCS Applications

Imagine a typical DCS with both supervisory and field controls.  You may have:
Machine controller – Consists of drives and motors that are synchronized electronically as opposed to mechanically.
Programmable Logic Controller – A control system with a programmable memory area that can store commands for the execution of functions given a certain input or range of inputs.
Single-loop controller – Uses components to handle simple operations.
Process controller – Using actuators and sensors, it processes sensor input and, based on its programming, determines outputs.

All of these components are connected to the supervisory level controller via a local area network (LAN), sometimes referred to as a local control network.  The single-loop controller has sensors and actuators connected directly to it and provides feedback to the supervisory controller, whereas the PLC and process controllers communicate with their components via a fieldbus (see above for a description) and the machine controller communicates via the LAN.

How is DCS used?

As mentioned previously, DCSs are used in facilities that need continuous or analog monitoring.  DCSs are designed so that they can be configured for multiple alerts and alarms and present them to multiple operators.  For that reason DCSs lend themselves well to industries such as chemical plants, nuclear power plants and power plant systems, among others.
In large scale plants, such as chemical plants, the DCS is crucial to the automation of the functional areas.  Chemical plant functional areas include manufacturing, transport, warehousing/storage and chemical end users.  The DCS is an integral part of the manufacturing process, constantly monitoring steam flow, temperatures, pressures and the composition of chemical components, to name a few.
In nuclear power plants the DCS provides real-time monitoring of equipment parameters and critical feedback, controls equipment according to configured parameters when limits are exceeded, and stores information on plant operations.

In the Energy sector, there are three segments: Electricity, Natural Gas and Petroleum. In the Electricity segment DCS monitors the flow of electricity through transmission and distribution lines.  In the Natural Gas segment DCS integrates gas flow and measurement data with other financial systems for billing and accounting functions.  In the Petroleum sector DCS monitors and transmits pipeline data.