In 2010, the Stuxnet virus incident in Iran came to light, lifting the veil of “mystery” from industrial control systems and opening the prelude to attacks on them. In the following ten years, many security incidents involving industrial control systems broke out: targeted attacks (APT, advanced persistent threat) against infrastructure such as electricity, water conservancy, energy, and transportation, which had a great impact on social order; targeted attacks on manufacturing and other enterprises to steal business secrets and disrupt normal production; and net-casting attacks, especially the WannaCry ransomware that swept the world in 2017, which turned industrial control systems into an “epidemic” area as well, with an aftermath that has continued over the past two years.
In addition, world-renowned hacker conferences such as BlackHat and DefCon have added industrial control security to their topics; in January 2020, the world-class hacking competition Pwn2Own included industrial control in the competition for the first time. The field of industrial control seems to be becoming a blue ocean for both the “underworld” and the “white way”, and with the development of the Industrial Internet, the vulnerabilities and attack surfaces of industrial control systems are becoming more exposed to attackers.
This article analyzes attack methods and paths from the hacker's perspective and identifies the vulnerabilities and weaknesses that are easily exploited in the industrial control environment.
Industrial control system application field
01 The overall approach to attacking industrial control systems
Strongly targeted attacks usually aim to damage industrial control equipment, causing factory shutdowns, abnormal processes, increased defect rates, and even serious consequences such as fire and explosion. In modern factories, most on-site production equipment is operated by control systems (such as PLCs (programmable logic controllers), CNC lathes, and DCS (distributed control systems)). The attacker therefore achieves the goal by directly or indirectly attacking or influencing the control system. The following takes a factory PLC as an example to illustrate how hackers attack an industrial control system.
Examples of hacking targets
Targeted direct attack
Directly attacking the PLC means exploiting vulnerabilities in the PLC, or bypassing security authentication by means such as password cracking, to take control of the PLC and modify its instructions. At present, many PLCs sit on the intranet and cannot be reached directly from the Internet. In this scenario, direct attacks are generally carried out through physical access to the PLC, or by connecting to the PLC through the internal office network. As factories become more intelligent and equipment is interconnected, a large number of PLC systems are being connected to the Internet, which will make it easier for hackers to launch direct attacks on PLCs.
Targeted indirect attack
Indirectly attacking the PLC means gaining control of the monitoring system above the PLC (such as HMI, IPC, or SCADA) and either sending malicious commands to the PLC through it or interfering with the normal communication between the monitoring system and the PLC. In indirect attack scenarios, the attackers usually have no direct access to the control system or have limited understanding of the factory’s internal PLC system, so they turn to the process and monitoring layer systems, which contain a large number of IT components familiar to them. For example, the attacker first gains control of the IPC (industrial computer), analyzes the transmission mode between the IPC and the PLC, constructs malicious instructions, and transmits them to the PLC through the IPC, which indirectly affects the normal operation of the PLC or blocks the monitoring and early warning of the production status.
Non-targeted attacks, also known as net-casting attacks, are those in which malicious programs exploit common vulnerabilities in systems or networks to infect systems indiscriminately and spread on the intranet, disrupting normal production. Although such attacks are not aimed at industrial control systems, the relatively weak security measures in current industrial control environments mean that net-casting attacks often succeed all over the world. They are usually dominated by viruses or malicious programs. For example, attackers take advantage of employees’ weak security awareness to send phishing emails and infect recipients’ computers, then exploit weaknesses in the network environment to spread rapidly on the office network and on to the production network, infecting systems with common vulnerabilities, such as IPCs, and affecting production or causing damage.
Attacks on industrial control systems are generally launched in one of two ways: internally or externally. Internally launched attacks can be divided into infiltrating from the office network to the factory network and attacking on the workshop site; externally launched attacks include targeted attacks (such as APT) and net-casting attacks.
Industrial control environment attack path
Office network as the starting point
In the office network environment, use tools such as nmap to scan for network segment and asset information, especially the common ports of industrial control systems and IT systems, such as Siemens (102), Modbus (502), EtherNet/IP (44818), 445, and 3389;
Use vulnerabilities to attack the identified systems, including sniffing, privilege bypass or escalation, replay attacks, password guessing, instruction injection, EternalBlue exploits, etc.;
After successfully obtaining system control, try to use the host as a springboard, use Pass the Hash and other methods to infiltrate other systems, and find industrial control-related systems such as PLC, IPC, and SCADA to achieve the purpose of the attack;
If this is unsuccessful, turn to social engineering and other methods to obtain further relevant information (such as high-privilege accounts);
At the same time, consider trying to enter the factory floor and switching to on-site attack methods;
The central control platforms of some integrated control systems, the web applications of some SCADA-like configuration and control systems on the intranet, or DLL and DAT files are easily hijacked, leading to privilege escalation on the engineering station.
Workshop site as the starting point
Attacking the industrial control system in the workshop is the most direct method, and the methods and options are also diverse:
After entering the workshop, carefully observe the situation in the workshop, find the location of the IPC or control system, and prepare for subsequent attack attempts.
Attack Attempt One:
The preferred target is the control system (such as a PLC): look for devices that are unlocked or have an exposed network cable interface;
Try to learn basic information about the control system, such as the brand and version in use;
Attempt to connect a computer to the control system on-site, exploit vulnerabilities such as weak passwords, and attempt malicious instruction injection, permission bypass, and replay attacks.
Attack Attempt Two:
Attempt to attack the IPC or HMI running on site, such as inserting a malicious USB drive into the running IPC and implanting malicious programs;
Operate directly on IPCs or HMIs that have no permissions set, for example by maliciously modifying the instructions of the control system.
An APT attack is a typical externally launched targeted attack. The attack process includes:
Collect information on the target enterprise to gain a preliminary understanding of its basic situation;
Use search engines such as Google and Baidu to find domain names or servers exposed on the Internet;
Use crawler technology to obtain as many of the website's links, subdomains, C segments, etc. as possible;
Attempt to exploit high-risk vulnerabilities in website applications, such as malicious file upload, command execution, SQL injection, cross-site scripting, account authorization flaws, etc.;
Try to obtain a webshell on the website, and then escalate to server privileges;
Use this server as a springboard to enter the intranet environment, turning it into an internal attack;
Search the Internet for the user names of external mailboxes, send phishing emails to these users tailored to the characteristics of the enterprise, and use the compromised computer as a springboard to break into the internal environment, turning it into an internal attack;
Use forged access control cards, pose as a visitor or interviewee, or follow internal employees to physically enter the enterprise, turning it into an internal attack.
Net-casting attack
Use search engines such as Google and Baidu to find the domain names of companies exposed on the Internet, and turn to targeted attacks if exploitable vulnerabilities are found;
Use social engineering to collect as many employee email addresses as possible and send phishing emails in large batches;
Use the Shodan search engine to launch attacks on industrial control systems exposed on the Internet, turning it into an internal attack after success.
Cyber Kill Chain
Generally speaking, attackers start with low-cost, net-casting attack methods, such as phishing emails and other social engineering. When the victim clicks on the malicious link or opens the malicious program attached to the phishing email, the “Pandora’s Box” is opened: the attacker will try to compromise the victim’s device and use it as a springboard into the corporate intranet. If the industrial control network is not effectively isolated from the office network, the attacker can scan and analyze industrial control assets after entering the office network. At present, many factory industrial control environments are weak against network attacks. Most have high-risk vulnerabilities such as weak passwords, improper permission settings, shared accounts and passwords, a lack of patch and vulnerability management, and insufficient network isolation and protection. By exploiting them, attackers can carry out large-scale, unobstructed, cross-domain attacks on industrial control assets within the enterprise industrial control network, eventually leading to serious consequences such as industrial data leakage, equipment damage, process abnormalities, increased defect rates, fires and explosions, and even threats to employee safety.
02 Can industrial control systems effectively resist attacks?
Whether an industrial control system can effectively withstand hacker attacks depends on the preparations and measures of both attackers and defenders. At present, attackers are actively researching industrial control system vulnerabilities and attack methods, while enterprises are more focused on efficient production and digital transformation, and their attention to and investment in industrial control security lag behind. Coupled with outdated and non-standard industrial control systems, this exposes more vulnerabilities to attackers, such as the following:
Organization and personnel
Not fulfilling safety responsibilities
The management pays insufficient attention, the security responsibilities between departments are not clear, and there is no clear security department or position.
Weak security awareness
Employees, especially production or front-line employees, have relatively weak security awareness of industrial control systems. The “security by obscurity” mindset of traditional enterprises holds that strict physical security and access management are enough to ensure security, and that the absence of security incidents means the system is secure. This often leads enterprises to neglect building up network security and to fail to remediate hidden dangers in time.
Management and Supervision
The lack of safety design and consideration of the industrial control system itself is a common phenomenon in many enterprises, which can be effectively compensated by implementing appropriate security measures. However, many enterprises have not established effective security policies and measures, and only rely on personal experience and historical experience for management.
Lack of emergency response mechanism
Without an emergency response mechanism, an enterprise cannot quickly organize manpower and deploy countermeasures in an emergency to contain the further spread of the incident, solve the problem, and resume production in the shortest possible time.
Lack of proper password policy
Failure to set appropriate password policies and management, such as weak passwords, shared passwords, multiple hosts or devices sharing a password, and password sharing with third-party providers, increases the risk of password leakage.
Lack of security audit logs
Without security audit logs, the source and cause of a security incident in the system cannot be traced and analyzed afterwards to prevent similar situations from recurring.
Network and Architecture
“Gentleman-proof” network isolation
The internal office network and factory network lack effective isolation, and security domains are not divided for protection. As a result, attacks on the office network or viruses spread to the factory network, affecting production.
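A check for this isolation gap, as an added example that is not part of the original article: it reads firewall flow records and flags office-to-plant connections on the ports listed under "Office network as the starting point" (102, 502, 44818, 445, 3389). The zone address ranges, the allowlisted jump host, the log format and the sample lines are all constructed assumptions.

```python
import ipaddress

# Assumed zone addressing (hypothetical, not from the article).
OFFICE_NET = ipaddress.ip_network("10.10.0.0/16")
PLANT_NET = ipaddress.ip_network("10.20.0.0/16")
# Ports the article lists as scan targets from the office network.
WATCHED_PORTS = {102: "Siemens", 502: "Modbus", 44818: "EtherNet/IP", 445: "SMB", 3389: "RDP"}
# Approved conduit (hypothetical): one jump host may RDP to one engineering station.
ALLOWED = {("10.10.5.20", "10.20.1.10", 3389)}

# Constructed sample flow log, format assumed: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2024-01-08T09:00:01 10.10.3.44 10.20.1.50 502 ALLOW
2024-01-08T09:00:02 10.10.3.44 10.20.1.51 102 ALLOW
2024-01-08T09:00:03 10.10.3.44 10.20.1.52 44818 DENY
2024-01-08T09:05:10 10.10.5.20 10.20.1.10 3389 ALLOW
2024-01-08T09:06:00 10.10.7.9 10.10.8.1 445 ALLOW
2024-01-08T09:06:30 10.10.7.9 10.20.1.10 443 ALLOW
2024-01-08T09:07:00 10.10.7.9 10.20.1.10 445 ALLOW
"""

def find_violations(log_text):
    """Return office-to-plant flows on watched ports that are not allowlisted."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, dst, dport, action = line.split()
        dport = int(dport)
        crosses = (ipaddress.ip_address(src) in OFFICE_NET
                   and ipaddress.ip_address(dst) in PLANT_NET)
        if not crosses or dport not in WATCHED_PORTS or (src, dst, dport) in ALLOWED:
            continue
        findings.append({
            "ts": ts, "src": src, "dst": dst, "dport": dport,
            "service": WATCHED_PORTS[dport],
            # ALLOW means the firewall passed it: an isolation gap, not only a probe.
            "severity": "high" if action == "ALLOW" else "info",
        })
    return findings

def scanning_sources(findings, min_targets=3):
    """Office hosts that touched several distinct plant host/port pairs (sweep pattern)."""
    targets = {}
    for f in findings:
        targets.setdefault(f["src"], set()).add((f["dst"], f["dport"]))
    return sorted(src for src, seen in targets.items() if len(seen) >= min_targets)

if __name__ == "__main__":
    print(*find_violations(SAMPLE_FLOWS), sep="\n")
```

Every "high" finding is a flow the boundary firewall let through and therefore a rule to tighten; "info" findings show blocked attempts that still deserve a look at the source host.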
Insecure communication protocol
Industrial control protocols are not standardized, and most of them have security risks, such as CAN, DNP3.0, Modbus, and IEC 60870-5-101.
Insecure remote access
To facilitate remote debugging by service engineers and suppliers, remote access is provided without security measures or monitoring, which may be one of the vulnerabilities most exploited by attackers.
Compared with the IT environment, the structure of an industrial control system is more complex and has more attack surfaces. A typical industrial control environment generally has the following components: controllers (PLC, CNC lathe, DCS), SCADA systems, industrial computers, industrial software, HMIs, networks, switches, routers, industrial databases, etc. A problem in any of these links or components may lead to an attack on the entire industrial control system.
Host and device
Authentication and Authorization
For the convenience of daily use, important control systems have no passwords or use weak or shared passwords, and the passwords are pasted on the on-site machines. These “conveniences” often make it much easier for attackers to break in.
Virus protection software is not installed, the virus database is not updated in time, non-genuine software is used, etc.
More and more computer systems are used in the current factory environment. However, because industrial control systems are updated and replaced over much longer cycles than IT systems, they contain a large number of outdated computer systems; operating systems such as Windows XP and Windows 2003 have a large number of high-risk vulnerabilities that attackers can exploit.
Many factories install devices with default passwords, default paths, and default configurations such as opening unnecessary and insecure ports and services.
Offline device management
Offline devices are often considered safe, and network security protections for them are neglected. But as businesses digitize, or when such devices are connected to the network for business needs, they can become a weak point and a gap in the security system.
Hardware debug interface
The frame of the critical control system is not locked, or the exposed debug interface is not effectively protected.
If general-purpose external interfaces on IPCs and similar hosts, such as USB and PS/2, are not effectively managed or disabled, there is a risk of unauthorized access to the device, resulting in virus infection or illegal program modification.
The control of personnel entering and leaving the workshop is not strict, especially external personnel such as suppliers.
Some of the vulnerabilities that attackers can exploit are summarized above. Enterprises can prioritize them based on their own business characteristics and consider compensating measures for high-risk vulnerabilities in the short term. The industrial control safety management and control system with the simultaneous development of production.