Industrial Cybersecurity
Efficiently secure critical infrastructure systems

Pascal Ackerman

BIRMINGHAM - MUMBAI

Industrial Cybersecurity

Copyright © 2017 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: October 2017
Production reference: 1161017

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78839-515-1

www.packtpub.com

Credits

Author: Pascal Ackerman
Reviewers: Richard Diver, Sanjeev Kumar Jaiswal
Commissioning Editor: Vijin Boricha
Acquisition Editor: Heramb Bhavsar
Content Development Editor: Sweeny Dias
Technical Editor: Vishal Kamal Mewada
Copy Editor: Stuti Srivastava
Project Coordinator: Virginia Dias
Proofreader: Safis Editing
Indexer: Rekha Nair
Graphics: Kirk D'Penha
Production Coordinator: Deepika Naik

About the Author

Pascal Ackerman is a seasoned industrial security professional with a degree in electrical engineering and over 15 years of experience in designing, troubleshooting, and securing large-scale industrial control systems and the various types of network technologies they utilize. After more than a decade of hands-on, in-the-field experience, he joined Rockwell Automation in 2015 and is currently employed as Senior Consultant of Industrial Cybersecurity with the Network and Security Services Group. He recently became a digital nomad and now travels the world with his family while fighting cyber adversaries.

In the first place, I would like to thank my wife, Melissa, for her moral support while writing this book and for enduring the many long nights of studying and experimenting with cybersecurity that went into chasing my dream. Next, I would like to acknowledge the Packt team of editors for all the hard work and dedication they put into this book. Special thanks go out to Sweeny Dias, who had the misfortune of trying to keep me on schedule as I attempted to balance my personal, professional, and book-writing lives. I would also like to acknowledge the fantastic team members I have encountered since taking on my role with Rockwell Automation. Finally, I would like to thank all the individuals I have crossed paths with and who have inspired me to pursue my passion for cybersecurity.

About the Reviewers

Richard Diver has over 20 years' experience in information technology across multiple sectors and geographies. He has worked for the largest companies, such as Microsoft, and also with smaller consultancies and businesses in the UK, Belgium, Australia, and the USA. With a deep technical background in Microsoft products and strong experience with strategy and architecture across industries, he is now focused on security to protect sensitive information, business-critical infrastructure, end-user mobility, and identity management. Richard lives near Chicago with his wife and three daughters, and is passionate about technology and bringing enthusiasm to every workplace.

Sanjeev Kumar Jaiswal is a computer science graduate with 8 years of industrial experience. He uses Perl, Python, and GNU/Linux for his day-to-day activities. He is currently working on projects involving penetration testing, source code review, security design, and implementations. He is mostly involved in web and cloud security projects. Sanjeev loves teaching engineering students and IT professionals. He has been teaching for the past 8 years in his leisure time. He is currently learning machine learning for cybersecurity and cryptography. In 2010, he founded Alien Coders, based on the learning-through-sharing principle for computer science students and IT professionals, which became a huge hit in India among engineering students. You can follow him on Facebook at aliencoders, on Twitter at @aliencoders, and on GitHub at aliencoders. He wrote Instant PageSpeed Optimization and co-authored Learning Django Web Development with Packt. He has reviewed more than seven books for Packt and looks forward to authoring or reviewing more, from Packt as well as others.

www.PacktPub.com

For support files and downloads related to your book, please visit www.PacktPub.com.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com, and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www.packtpub.com/mapt

Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.

Why subscribe?

- Fully searchable across every book published by Packt
- Copy and paste, print, and bookmark content
- On demand and accessible via a web browser

Customer Feedback

Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1788395158.

If you'd like to join our team of regular reviewers, you can email us at [email protected]. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!

Table of Contents

Preface 1

Chapter 1: Industrial Control Systems 6
    An overview of an Industrial control system 7
    The view function 9
    The monitor function 10
    The control function 11
    The Industrial control system architecture 12
    Programmable logic controllers 13
    Human Machine Interface 13
    Supervisory Control and Data Acquisition 14
    Distributed control system 14
    Safety instrumented system 15
    The Purdue model for Industrial control systems 16
    The enterprise zone 18
    Level 5 - Enterprise network 18
    Level 4 - Site business planning and logistics 19
    Industrial Demilitarized Zone 19
    The manufacturing zone 20
    Level 3 - Site operations 21
    Level 2 - Area supervisory control 21
    Level 1 - Basic control 21
    Level 0 - Process 22
    Industrial control system communication media and protocols 22
    Regular information technology network protocols 23
    Process automation protocols 24
    Industrial control system protocols 25
    Building automation protocols 26
    Automatic meter reading protocols 27
    Communication protocols in the enterprise zone 28
    Communication protocols in the Industrial zone 30
    Summary 31

Chapter 2: Insecure by Inheritance 32
    Industrial control system history 33
    Modbus and Modbus TCP/IP 35
    Breaking Modbus 41
    Using Python and Scapy to communicate over Modbus 51
    Replaying captured Modbus packets 62
    PROFINET 65
    PROFINET packet replay attacks 67
    S7 communication and the stop CPU vulnerability 70
    EtherNet/IP and the Common Industrial Protocol 76
    Shodan: The scariest search engine on the internet 79
    Common IT protocols found in the ICS 86
    HTTP 86
    File Transfer Protocol 87
    Telnet 89
    Address Resolution Protocol 89
    ICMP echo request 90
    Summary 92

Chapter 3: Anatomy of an ICS Attack Scenario 94
    Setting the stage 95
    The Slumbertown paper mill 96
    Trouble in paradise 98
    Building a virtual test network 99
    Clicking our heels 102
    What can the attacker do with their access? 113
    The cyber kill chain 143
    Phase two of the Slumbertown Mill ICS attack 145
    Other attack scenarios 149
    Summary 151

Chapter 4: Industrial Control System Risk Assessment 152
    Attacks, objectives, and consequences 152
    Risk assessments 153
    A risk assessment example 157
    Step 1 - Asset identification and system characterization 157
    Step 2 - Vulnerability identification and threat modeling 161
    Discovering vulnerabilities 162
    Threat modeling 174
    Step 3 - Risk calculation and mitigation 187
    Summary 188

Chapter 5: The Purdue Model and a Converged Plantwide Ethernet 189
    The Purdue Enterprise Reference Architecture 190
    The Converged Plantwide Enterprise 191