Red vs Blue – lessons learnt from the Critical Infrastructure Security Showdown
Cyber-attacks against critical national infrastructure, including power and water, are a serious and growing concern, and the issue is not a recent one. As reported by the American Water Works Association (AWWA), in 2015 the U.S. Department of Homeland Security (DHS) responded to 25 cyber security incidents in the water sector, up from 14 incidents the previous year.
In 2016, a water utility under the pseudonym of the “Kemuri Water Co.” was hacked and the team of computer forensic experts from Verizon that subsequently investigated the incident concluded:
“…the threat actors modified application settings with little apparent knowledge of how the flow control system worked. In at least two instances, they managed to manipulate the system to alter the amount of chemicals that went into the water supply and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased. Fortunately, based on alert functionality, KWC was able to quickly identify and reverse the chemical and flow changes, largely minimising the impact on customers. No clear motive for the attack was found.”
In this instance, the water utility was able to spot the attack through alerting functions, but this raises the interesting question of how other CNI operators and OES can be sure that the specialist cyber security technologies they have invested in are able to stop, or at least detect, a well organised and potentially state-sponsored cyber-attack.
Time for a showdown
iTrust, an internationally renowned centre for research in cyber security, recently hosted the Third International Critical Infrastructure Security Showdown (CISS) 2019 to enable security researchers (Blue Teams) to test their defence mechanisms against white hat hackers (Red Teams).
iTrust, a collaboration between the Singapore University of Technology and Design (SUTD), the Ministry of Defence and the National Research Foundation is home to four testbeds – fully-functional, miniature versions of power generation, water treatment, water distribution systems, and the Internet of Things. Since researchers cannot test their ideas on actual critical infrastructure, this first-in-the-world testbed ecosystem affords them a realistic platform for applied research to be safely carried out. CISS allows security researchers to empirically test defence mechanisms developed in-house against skilled attackers. In addition, CISS allows researchers to be exposed to and discover new attack vectors to defend against; and strengthen existing defence mechanisms.
The Secure Water Treatment (SWaT) testbed consists of a modern six-stage process. The process begins by taking in raw water, adding necessary chemicals to it, filtering it via an Ultrafiltration (UF) system, de-chlorinating it using ultra-violet (UV) lamps, and then feeding it to a Reverse Osmosis (RO) system. A backwash process cleans the membranes in UF using the water produced by RO.
The cyber portion of SWaT consists of a layered communications network, Programmable Logic Controllers (PLCs), Human Machine Interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) workstation, and a Historian. Data from sensors is available to the SCADA workstation and is recorded at the Historian for subsequent analysis. The SWaT also included an array of monitoring sensors to ensure its safe operation.
The Red Team attackers’ goals were split between two areas. The first was to take control over a physical actuator or the process. In addition, attackers aimed to demonstrate control over sensor readings at different components: historian values, HMI/SCADA values, PLC values, remote I/O values.
Concurrently, Blue Team defenders endeavour to showcase their detection capabilities against cyber-attacks conducted by a skilled opponent in a real-world environment.
Ready for battle
Radiflow was one of the seven Blue Teams testing its defences against the Red Teams. The exercise started with a Learning Phase, during which Radiflow iSID self-learns the network, including topology, ports and connections, protocols and networked devices, and analyses each component to detect suspect activity. The aim is to construct a “clean” baseline network model, complete with tagging of critical assets in the network (Historian, HMI, PLCs, etc.) with their names for easy navigation and drill-down.
The Learning Phase at the SWaT exercise found no malicious activity; however, in production networks iSID typically will identify suspect activity or components, which require manual approval or remediation prior to their inclusion in the baseline model.
Following the Learning Phase, iSID was switched to “Detection Mode”. In this mode, iSID detects all “suspicious” traffic: addresses, links and assets that were not part of the baseline but might be part of the attacker’s lateral movement in the network. Unauthorized assets that were not part of the baseline were immediately flagged as potential attacker machines or scanners, which caused the iSID Network Visibility Engine to generate alerts.
Throughout the SWaT sessions, the first step the attackers took was scanning the network to find attack vectors into the OT network. Network scanning involves detecting all active hosts on a network and mapping them to their IP addresses. This is followed by port scanning of specific ports on a host and analysing the responses received, to learn about its running services and/or locate potential vulnerabilities. iSID detected all of these scans through its scanning engine and signature-based rules, successfully identifying ARP scans, UDP scans, TCP scans and ICMP scans.
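The two mechanisms described above, a baseline learned from clean traffic and then a detection mode that flags anything outside it, can be shown on flow records. The following is an added example and not Radiflow or iSID code; the flow records, IP addresses, port numbers and role labels (SCADA, HMI, PLC, Historian) are constructed assumptions, and the scan heuristics (many ports to one host, many hosts from one source) are deliberately simple thresholds rather than the product's signature rules.

```python
"""Learning-phase baseline and detection-phase alerting over flow records.

Added example, not Radiflow/iSID code. Flow records are constructed here as
(src, dst, proto, dport) tuples, the shape a NetFlow/IPFIX-style collector or a
passive sniffer would produce. Addresses, ports and hostnames are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp


# Constructed learning-phase traffic: SCADA station and HMI polling the PLCs,
# SCADA writing to the historian. Nothing else is present in a clean baseline.
LEARNING_FLOWS = [
    Flow("10.0.1.10", "10.0.1.21", "tcp", 44818),   # SCADA -> PLC1 (EtherNet/IP)
    Flow("10.0.1.10", "10.0.1.22", "tcp", 44818),   # SCADA -> PLC2
    Flow("10.0.1.10", "10.0.1.23", "tcp", 44818),   # SCADA -> PLC3
    Flow("10.0.1.10", "10.0.1.50", "tcp", 1433),    # SCADA -> Historian (SQL)
    Flow("10.0.1.11", "10.0.1.21", "tcp", 44818),   # HMI -> PLC1
]

# Constructed detection-phase traffic: the baseline flows continue, and a new
# host 10.0.1.99 ICMP-sweeps twelve addresses, then probes 21 TCP ports on PLC3.
DETECTION_FLOWS = (
    LEARNING_FLOWS
    + [Flow("10.0.1.99", f"10.0.1.{i}", "icmp", 0) for i in range(1, 13)]
    + [Flow("10.0.1.99", "10.0.1.23", "tcp", p) for p in range(20, 41)]
)


class Baseline:
    """Hosts and (src, dst, proto, dport) links observed during learning."""

    def __init__(self):
        self.hosts = set()
        self.links = set()

    def learn(self, flow):
        self.hosts.update((flow.src, flow.dst))
        self.links.add((flow.src, flow.dst, flow.proto, flow.dport))


def build_baseline(flows):
    baseline = Baseline()
    for flow in flows:
        baseline.learn(flow)
    return baseline


def detect(baseline, flows, scan_threshold=10):
    """Detection mode: alert on sources and links absent from the baseline,
    then apply two simple scan heuristics (many ports to one host, many hosts
    from one source). Returns a list of alert tuples, each reported once."""
    alerts = []
    seen_hosts, seen_links = set(), set()
    ports_per_pair = defaultdict(set)   # (src, dst, proto) -> distinct dports
    dsts_per_src = defaultdict(set)     # (src, proto) -> distinct destinations
    for f in flows:
        if f.src not in baseline.hosts and f.src not in seen_hosts:
            seen_hosts.add(f.src)
            alerts.append(("unknown-host", f.src))
        link = (f.src, f.dst, f.proto, f.dport)
        if link not in baseline.links and link not in seen_links:
            seen_links.add(link)
            alerts.append(("unknown-link",) + link)
        if f.proto != "icmp":
            ports_per_pair[(f.src, f.dst, f.proto)].add(f.dport)
        dsts_per_src[(f.src, f.proto)].add(f.dst)
    for (src, dst, proto), ports in ports_per_pair.items():
        if len(ports) >= scan_threshold:
            alerts.append((f"{proto}-port-scan", src, dst, len(ports)))
    for (src, proto), dsts in dsts_per_src.items():
        if len(dsts) >= scan_threshold:
            alerts.append((f"{proto}-host-sweep", src, len(dsts)))
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. {'unknown-host': 1, 'tcp-port-scan': 1, ...}."""
    return Counter(a[0] for a in alerts)


if __name__ == "__main__":
    base = build_baseline(LEARNING_FLOWS)
    for alert in detect(base, DETECTION_FLOWS):
        print(alert)
```

Run against the constructed detection traffic, the baseline check fires once for the new source host and once per never-seen link, while the threshold heuristics fire once for the ICMP sweep and once for the TCP port scan of PLC3; the same baseline produces no alerts when replayed over the learning traffic alone. In a production network the learning-phase output would first be reviewed and approved, as the article notes, because anything left in the baseline is silently treated as legitimate.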
ARP (Address Resolution Protocol) poisoning is a type of attack where a malicious actor sends falsified ARP messages over a LAN. This type of attack results in the linking of an attacker’s MAC address with the IP address of a legitimate computer/server on the network. Once the attacker’s MAC address is connected to an authentic IP address, the attacker can begin receiving any type of data that is intended for that IP address. Most of the Red Teams performed Man-in-the-middle (MITM) attacks and ARP Poisoning attacks in an attempt to take over their target in the OT network.
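Because ARP poisoning works by rebinding a legitimate IP address to the attacker's MAC, a passive monitor that remembers the learning-phase IP-to-MAC bindings can flag the conflict the moment a reply disagrees with them. The following is an added example and not Radiflow or iSID code; the ARP replies, addresses and MACs are constructed assumptions.

```python
"""Passive ARP monitor that flags IP-to-MAC conflicts typical of ARP poisoning.

Added example, not Radiflow/iSID code. The ARP replies below are constructed;
the addresses and MACs are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


class ArpMonitor:
    """Remember the first MAC seen for each IP (the learning-phase binding) and
    alert when a later reply claims the same IP with a different MAC."""

    def __init__(self):
        self.bindings = {}                     # ip -> mac learned first
        self.conflicts = defaultdict(set)      # claiming mac -> ips it tried to take over
        self.alerts = []

    def observe(self, reply):
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = reply.sender_mac
            return None
        if known == reply.sender_mac:
            return None
        self.conflicts[reply.sender_mac].add(reply.sender_ip)
        alert = ("arp-conflict", reply.sender_ip, known, reply.sender_mac)
        self.alerts.append(alert)
        return alert

    def mitm_suspects(self):
        """MACs that claimed two or more IPs already bound to other hosts: the
        pattern of a man-in-the-middle poisoning both ends of a conversation."""
        return {mac for mac, ips in self.conflicts.items() if len(ips) >= 2}


# Constructed capture: legitimate replies from the SCADA station and PLC1,
# then a third MAC claiming both of their addresses.
SAMPLE_REPLIES = [
    ArpReply("10.0.1.10", "00:1d:9c:00:00:10"),   # SCADA station
    ArpReply("10.0.1.21", "00:1d:9c:00:00:21"),   # PLC1
    ArpReply("10.0.1.10", "00:1d:9c:00:00:10"),   # repeat, consistent with baseline
    ArpReply("10.0.1.10", "de:ad:be:ef:00:99"),   # poisoned: SCADA IP, foreign MAC
    ArpReply("10.0.1.21", "de:ad:be:ef:00:99"),   # poisoned: PLC1 IP, same foreign MAC
]


def run_sample():
    mon = ArpMonitor()
    for reply in SAMPLE_REPLIES:
        mon.observe(reply)
    return mon


if __name__ == "__main__":
    mon = run_sample()
    for alert in mon.alerts:
        print(alert)
    print("MITM suspects:", mon.mitm_suspects())
```

The constructed capture yields two conflict alerts and one MAC flagged as claiming both ends of the SCADA-to-PLC conversation. A replaced network card or a gratuitous ARP after a legitimate address change produces the same conflict, which is why the baseline bindings need the manual approval step the article describes rather than blind trust in the first reply seen.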
Exploiting known IT vulnerabilities
Several Red Teams exploited known vulnerabilities in order to take over critical assets such as the SCADA station. After taking over the station, the attackers were able to send operational commands to the controllers, control the business process and change physical values.
One attack attempted to exploit the SMBv1 EternalBlue vulnerability in order to gain control over the SCADA station and the HMI. iSID detected this and other attacks with its signature-based cyber-attack engine. iSID also alerted on an attempt to execute code on the target using Metasploit.
Attacks using SCADA commands
Another attack vector was aimed at the controllers using SCADA commands. The main OT network protocol used at the SWaT was the Common Industrial Protocol (CIP), which, like other OT protocols, introduces a host of vulnerabilities. It is an open-specification, object-oriented protocol that can be readily exploited by a highly skilled attacker. At the SWaT, Red Team attackers adept with CIP sent CIP commands to the Rockwell ControlLogix controllers in an attempt to disrupt the physical process.
iSID’s DPI capabilities allowed the analysts in the Radiflow Blue Team to investigate each packet and monitor the SCADA operational commands performed on the controllers. iSID’s DPI engine decoded these messages and displayed the CIP service code and the CIP object. This allowed analysts to understand the operations taking place on the network and detect possible attacks. In several attacks, iSID detected “Create Object”, “Reset”, “Start” and “Upload” CIP commands sent to the controllers in order to disrupt their operation or change their logic. These commands can be tracked by defining rules in Policy Monitor.
During the attack sessions, in addition to remote access, the Red Teams were also granted physical access to the SWaT that challenged the Blue Team to discover attacks performed by an insider actor. The Insider attacker had good knowledge of the system, including administrator passwords and the ability to operate the HMI.
The insider also had physical access to the system, where control valves and the network topology could be manipulated, and had access to ICS-specific tools such as Studio 5000 (the engineering station). This is one of the most dangerous types of attack. In this case, iSID’s Online Traffic Graph, which monitors IT and OT traffic, showed significant changes in the traffic trend that could indicate a disruption, for example the shutdown of a controller.
Exploiting known SCADA vulnerabilities
Red Team participants have a deep understanding of PLCs, HMIs and SCADA workstations, and many attacks attempted to use exploitable vulnerabilities in Rockwell ControlLogix controllers. These can be exploited remotely to enable MITM attacks, DDoS attacks, improper input validation and information disclosure attacks, which could cause loss of availability as well as disruption of communications with other connected devices.
At the SWaT, this type of exploit took the form of a ControlLogix Ethernet module crash attack, which iSID’s cyber-attack engine alerted on. The attack exploited a known vulnerability (CVE-2012-6438) in the ControlLogix Ethernet module. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices. This attack was performed from the SWaT SCADA station against PLC P3 (UF stage).
Another example of a Red Team exploiting a known ControlLogix vulnerability was cross-site scripting (XSS, CVE-2009-0473) via its web interface. The Rockwell ControlLogix uses a web interface to display log files and status information. The web interface contains a cross-site scripting vulnerability that may allow an attacker to spoof data, redirect end users to other sites, or execute arbitrary HTML or script code in the user’s browser session. Again, iSID’s cyber-attack engine alerted on this attack attempt. iSID can also discover a PLC’s type, model and firmware version and match the relevant CVEs for them. Other attacks detected by iSID attempted to open unauthorized connections to internet IPs that might provide access to C2 servers or malicious IPs.
Participation at CISS has provided our researchers with a wealth of insight into how skilled adversaries attack critical infrastructure and an opportunity to showcase Radiflow’s detection capabilities facing different types of cyber-attacks in different network layers.
SWaT underscored that operators deploying iSID must allocate enough time and resources for baseline setup. This must include reviewing all suggested rules and enriching asset information, which can include integration with offline asset management tools such as AssetGuardian and, where possible, active scanning probes.
Stopping a skilled and dedicated attacker is more effective when operators combine HIDS, NIDS and physical anomaly detection. This should include having the NIDS monitor HIDS logs from OT devices. Threats can be detected more effectively when the NIDS is fed with alerts from physical anomaly detection tools such as SIGA.
Our Blue Team would like to recognise the expertise, skill and creativity of the Red Teams from ABZB LLC (USA), CTF.SG (Singapore), Politecnico di Milano (Italy), Nara Institute of Science and Technology (Japan), NATO CCDCOE (Estonia), NSHC (Singapore) and the researcher from iTrust.