
Industrial Control Device Detection Tools

Author: FunJoel, published in Anime, 2020-08-11

Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICSs) have controlled the regulation and management of Critical National Infrastructure environments for decades.

With the demand for remote facilities to be controlled and monitored, industries have continued to adopt Internet technology into their ICS and SCADA systems so that their enterprises can span international borders in order to meet the demands of modern living.

Although this is a necessity, it could prove to be potentially dangerous. The devices that make up ICS and SCADA systems have bespoke purposes and are often inherently vulnerable and difficult to merge with newer technologies.

The focus of this article is to explore, test, and critically analyse the use of network scanning tools against bespoke SCADA equipment in order to identify the issues with conducting asset discovery or service detection on SCADA systems with the same tools used on conventional IP networks.

I. Probing Industrial Control Devices

Reconnaissance, whether passive or active, lawful or malicious, remains one of the most important parts of any strategic cybersecurity operation [11]. Network scans help visualise the configuration of a communications infrastructure and help identify possible methods of entry or exploitation. Reconnaissance can be achieved through service detection and operating system fingerprinting, two key features of many network scanning tools [12]. Conducting reconnaissance within the cyber domain has become even more vital as the Critical National Infrastructure (CNI) of various countries is now governed and controlled using computer networks. These systems are responsible for the auditing and control of national grids, power stations, water treatment plants, and industrial production lines.

As the technology and communication networks that run these systems have become outdated and consequently less secure, the question must be asked: how volatile are these devices when subjected to network scans? Systems which have a direct impact on the wellbeing of human civilisation are falling victim to the same tools used to audit or attack corporate networks and Internet-based services. Unlike traditional networks which utilise TCP/IP technology, ICSs face numerous unique vulnerabilities due to the bespoke devices they use and the configuration of the services and functionality they provide [13]. IP-based networks can take advantage of Intrusion Detection Systems, firewalls, and antimalware tools to identify and prevent snooping or open-port attacks that target a node or network. The operating systems installed on SCADA/ICS devices such as Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) may not have this capability.

Furthermore, the ports which control the transfer of SCADA/ICS data run on insecure protocols [14], where even a single unexpected packet could cause a system overhaul and could stop the normal function of the equipment entirely. As these devices are the interface between networks and industrial assets such as pumps, turbines, and sensors, this could have significantly damaging consequences. The purpose of this study is to investigate the vulnerabilities which are created by the use of asset-detection tools on SCADA networks and whether they pose a significant threat to the integrity of these systems. Could the process of scanning a network for assets cause damage on a national scale? If so, what are the causes?

II. Network Scanning Methods

Network reconnaissance is an essential phase of any network audit or penetration-testing operation. Whether a passive scanning system or an active probing tool is used, service discovery and asset detection are vital for assessing the overall vulnerability of a corporate network or an industrial infrastructure [15].

Collating the information from all the papers, focussing on the descriptive breakdown of both passive and active scanning methods, and with reference to the tools and technologies used within SCADA environments, the following deductions can be made about the two methods of network scanning.

Passive Scanning

Passive scanning methods use the monitoring of network traffic to identify services, hosts, and clients. An observation point is set up on the network, requiring assistance from network administrators or network engineers to configure these systems for optimum results. As referenced in Xu et al. [17], passive scanners can be run continuously for long periods of time without disrupting regular network traffic or interacting with the devices themselves, as the input data for passive scanning tools is a direct feed of the network's traffic. This means that algorithms can be created in order to dissect each protocol, with the potential to extract important information and identifiers from each packet. An independent passive scanner designed by Gonzalez and Papa [18] demonstrates how a simple algorithm can be created to extract Modbus traffic from a network, gain information about master and slave devices, and monitor the status of Modbus transactions. Although the algorithms presented in that article demonstrate the versatility of passive scanners, the tools are still limited to analysing a single SCADA protocol. The validity of the algorithms could also be challenged, as this system was designed and implemented in 2007; there is a significant chance that changes have since been made to this particular protocol which make the extraction and parsing system redundant [19]. Through inspection of these papers it is evident that passive systems seem to satisfy one of the main criteria of this research: compliance with regular network traffic and the avoidance of interacting with the volatile field devices.
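As an added illustration of the passive approach described above (example code written for this page, not the scanner of Gonzalez and Papa or any code from the paper), the following Python dissector reads Modbus/TCP frames handed to it, infers masters and slaves from the direction of traffic, and matches responses to requests by transaction id. It never transmits; the IP addresses, ports and frames are constructed sample values.

```python
import struct
from collections import namedtuple

MODBUS_PORT = 502
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# function: code with the exception bit cleared; exception: code byte of an error reply, else None
ModbusFrame = namedtuple("ModbusFrame", "transaction_id unit_id function exception data")

def parse_modbus_tcp(payload):
    """Dissect one MBAP header plus PDU; raise ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # length counts unit id plus PDU
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc = payload[7]
    if fc & 0x80:                                  # exception reply: high bit set, one code byte
        if len(payload) < 9:
            raise ValueError("truncated exception response")
        return ModbusFrame(tid, unit, fc & 0x7F, payload[8], payload[9:])
    return ModbusFrame(tid, unit, fc, None, payload[8:])

class PassiveModbusInventory:
    def __init__(self):               # inventory built only from observed frames; never sends
        self.masters = set()          # client IPs that issue requests
        self.slaves = {}              # (server IP, unit id) -> set of function codes served
        self.pending = {}             # (master, slave, transaction id) -> unanswered request
        self.completed = []           # (master, slave, request, response)
        self.exceptions = []          # (master, slave, function, exception code)

    def observe(self, src, sport, dst, dport, payload):
        frame = parse_modbus_tcp(payload)
        if dport == MODBUS_PORT:      # master -> slave request
            self.masters.add(src)
            self.slaves.setdefault((dst, frame.unit_id), set()).add(frame.function)
            self.pending[(src, dst, frame.transaction_id)] = frame
        elif sport == MODBUS_PORT:    # slave -> master reply, matched on transaction id
            request = self.pending.pop((dst, src, frame.transaction_id), None)
            if request is None:
                return                # reply whose request was not observed: ignore
            self.completed.append((dst, src, request, frame))
            if frame.exception is not None:
                self.exceptions.append((dst, src, frame.function, frame.exception))

    def describe(self):               # one inventory line per (slave, unit id)
        return ["%s unit %d: %s" % (ip, unit, ", ".join(FUNCTION_NAMES.get(f, "FC %d" % f)
                for f in sorted(fcs))) for (ip, unit), fcs in sorted(self.slaves.items())]

# Constructed sample traffic (not a real capture): one master polling one PLC at unit id 1.
SAMPLE_FLOWS = [
    ("192.0.2.10", 40001, "192.0.2.20", 502, bytes.fromhex("000100000006010300000002")),  # read 2 holding regs
    ("192.0.2.20", 502, "192.0.2.10", 40001, bytes.fromhex("000100000007010304000A0014")),  # values 10 and 20
    ("192.0.2.10", 40001, "192.0.2.20", 502, bytes.fromhex("000200000006010600101234")),  # write register 0x10
    ("192.0.2.20", 502, "192.0.2.10", 40001, bytes.fromhex("000200000003018602")),  # exception 2: illegal address
    ("192.0.2.10", 40001, "192.0.2.20", 502, bytes.fromhex("000300000006010400000001")),  # request never answered
]

def build_inventory(flows=SAMPLE_FLOWS):
    inventory = PassiveModbusInventory()
    for flow in flows:
        inventory.observe(*flow)
    return inventory
```

Requests left in `pending` (here the third poll) are the kind of silent non-response a passive observer can surface without ever touching the PLC.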

Active Probing

The process of active probing has one significant difference from passive sniffing: live interaction with the devices. Bartlett et al. [13] define active probing as "attempting to contact each service at each host. Sending packets to each host and monitoring the response." This is then contradicted within Deraison and Gula [20], where it is stated that "any use of a network scanner to find hosts, services and vulnerabilities is an active assessment." When comparing the justification of active scanning from both papers, the comments provided within Deraison and Gula [20] seem biased and irrational on the basis that the organisation publishing this paper has a large investment in active scanning tools. However, both papers agree on a pitfall of active techniques: the method produces data only for the current state of the system. This information could become obsolete as time passes, or indeed when repeating the same scan at a later date.

In evaluating the information given in the previous sources, the process of passively scanning a network seems to be far more applicable to gaining information about devices on an ICS or SCADA network. As referenced in both Bartlett et al. [13] and Deraison and Gula [20], active methods require some form of interaction with the devices on the network, which could be one of the potential ramifications of using active tools against SCADA devices, as opposed to the passive methodologies discussed in Xu et al. [17], which run for a longer period at an "observation point" on the network, removing the need to send data to or receive data from any connected devices.

III. Existing Industrial Control Probing Tools

1. Nmap

Bartlett et al. [13] discuss the use of Nmap as an example of active network probing. The conditions under which Nmap is used are confined to a very limited set of network technologies. The main focus seems to be standard corporate networks with services such as HTTP, SSL, MySQL, and SMTP. The application of Nmap against these services demonstrates how active probing works in a TCP/IP environment; however, it fails to address how Nmap is used on more bespoke networks such as SCADA and ICS. Bodenheim [10] gives a more relevant example of Nmap being used on the networks of interest. This paper provides explanations behind specific Nmap commands and how each achieves the desired output. There is, however, no reference to Nmap being an active and intrusive scanning type; therefore no information is supplied about how this could impact the operation of a SCADA or ICS network. Jaronim [16] supports the information presented in Bartlett et al. [13], reinforcing the fact that Nmap is an active probing mechanism. Again it is evident that there is little understanding of how probes such as Nmap impact the ordinary functions of SCADA and ICS networks.

2. Nessus

Nessus is a tool developed by Tenable Network Security. Peterson [21] discusses how Nessus can be used to scan for vulnerabilities within a control system environment, with reference to "a vulnerability scan that takes down a key control system server or component." There is also reference to the damaging effect this could have. The general opinion is that SCADA systems should not be scanned. With this attitude presented at the beginning of the paper, Peterson goes on to explain how Nessus works and how it can be tailored to accommodate SCADA networks. The information that follows seems to disregard the damaging impact Nessus could have on an ICS/SCADA system by stating that, due to the number of plug-ins associated with the tool, some of the extended functionality may cause control systems to crash. This suggests that there is still a lack of understanding of why these crashes happen, as the remedies in this paper suggest trial and error with the Nessus tool until the cause is found. Jaronim [16] acknowledges the Nessus tool and again highlights its potential to cause significant disruption when used on SCADA networks. This paper still fails to specify why Nessus, or the wider range of active probing tools, causes this disruption. However, Jaronim brings attention to a report showing how active techniques can have damaging consequences. This report is one of the only research documents to directly relate the sensitivity of SCADA technology to a documented report of a damaging incident. Although the description of how scanning tools operate lacks sophistication, Jaronim is able to link the pitfalls of active scanning to real-world examples of SCADA disruption, an area which has been neglected in previous sources.

3. Passive Vulnerability Scanner (PVS)

Maintained by the same organisation responsible for Nessus, PVS is a passive accompaniment to the suite of network scanning tools provided by Tenable Network Security. Deraison and Gula [20] define a passive tool as a mechanism which "sniffs network traffic to deduce a list of active systems." What is interesting within this paper is that PVS and passive scanning as a whole are associated with the "sniffing of a network, as opposed to scanning." Both Xu et al. [17] and Gonzalez and Papa [18] fail to elaborate on this underlying detail. Contrary to initial expectations, Deraison and Gula [20] fail to discuss how PVS or any other passive system achieves its goals as an unobtrusive scanner. No breakdown of the technology is given and there is little evidence of PVS being used successfully on a range of networks. Seeing as this source is provided by Tenable, the validity of the claims in this paper could be considered biased, whereas Xu et al. [17], Gonzalez and Papa [18], and Myers et al. [22] clearly identify how passive technology works and give examples of live experiments. From the information provided within these sources, it seems that the use of passive network sniffers over a longer period of time is the most beneficial and nonintrusive way of performing reconnaissance on SCADA systems.

4. ZMap

With similar functionality to Nmap, ZMap is an open-source active network prober designed to perform Internet-scale scans. The probing of Large Area Networks (LANs) is achieved using TCP-SYN and ICMP echo scans. This is addressed in Durumeric, Wustrow, and Halderman [23]. Not only is the active technology behind ZMap discussed in detail, but each element of the ZMap functionality is dissected and explained at a substantial technical level, including its modular framework for dissecting different protocols. Amongst this information, reference is made to limitations of certain networks which may result in the tool not working correctly, particularly when the scan rate of the probing packets being sent is too high for the target infrastructure. Although an experiment was conducted to investigate whether there is a correlation between "scan rate" and "hit rate" when probing a network, the results are more concerned with the efficiency and success of the tool itself than with the potential damage it may cause to the target network. This is an issue when linking this research to ICS and SCADA systems, where the focus is on protecting the normal operation of the system rather than evaluating the success of the tool. No reference is made to the use of ZMap against SCADA or ICS systems. Li et al. [24] also make reference to ZMap and its ability to probe a multitude of different protocols through the use of plug-in modules. There is evidence to suggest that ZMap can be used to probe protocols such as DNP3, Modbus, and Siemens S7. Although this information shows that ZMap can be used on these networks, there is no evaluation of the success or the effects this tool has on the devices themselves. Unlike the paper by Durumeric et al. [23], there is no information present within this research which highlights potential performance issues that could be linked to the network type. Moreover, neither paper addresses the potential impact this tool could have on the physical devices being probed.

5. Shodan

Shodan is a service which acts as a search engine to identify and index Internet-facing devices. Shodan has become of significant interest as many ICS and SCADA systems are identifiable via this tool. Bodenheim [10] directly explores how the technology behind Shodan impacts the devices connected to an ICS. The level of detail supplied about how Shodan obtains its data is not as thorough as in the previous sources discussing the other scanning tools. However, the general premise of the paper is different, as it focuses on the possibly harmful nature of network scanning techniques from the start. As the potential harm that scanners could cause is only briefly discussed in previous sources, Bodenheim [10] addresses research hypotheses relevant to the negative impact of using Shodan against ICS and SCADA systems. Where this paper differs significantly in its research is the type of negative impact that occurs after a Shodan scan. Whereas the key focus of this research is to find out how the physical devices are affected, that source wishes to answer the question of whether an ICS or SCADA system becomes more vulnerable because of its presence in the Shodan database, which in turn may convince malicious minds or state programmes to attack these systems. The aim there is not to deduce the physical consequences for the field devices but rather to ask whether a Shodan scan encourages attacks. Jaronim's work [16] remains the only paper to directly acknowledge the potential physical damage that can be done by active scanners such as Shodan. That paper, however, lacks the hypotheses and experimentation with active tools which run throughout Bodenheim [10].

IV. References

Vulnerability Analysis of Network Scanning on SCADA Systems

Tags: SCADA, ICS, network, scanning, network