Published by De Gruyter, May 14, 2019

Automated security testing for web applications on industrial automation and control systems

Automatisiertes Security-Testing für Webanwendungen auf industriellen Automatisierungs- und Steuerungssystemen
Authors: Steffen Pfrang, Anne Borcherding, David Meier and Jürgen Beyerer

Abstract

Industrial automation and control systems (IACS) play a key role in modern production facilities. On the one hand, they provide real-time functionality to the connected field devices. On the other hand, they are increasingly connected to local networks and the internet in order to facilitate the use cases promoted by “Industrie 4.0”. Many IACS are equipped with web servers that provide web applications for configuration and management purposes. If an attacker gains access to such a web application operated on an IACS, he can exploit vulnerabilities and possibly interrupt the critical automation process. Cyber security research for web applications is well established in office IT: there are many best practices and tools for testing web applications for different kinds of vulnerabilities. Security testing aims at discovering those vulnerabilities before they can be exploited. In order to enable IACS manufacturers and integrators to perform security tests for their devices, ISuTest was developed, a modular security testing framework for IACS.

This paper provides a classification of known types of web application vulnerabilities. The classification is based on the worst direct impact of a vulnerability. Based on this analysis, a subset of open-source vulnerability scanners able to detect such vulnerabilities is selected and integrated into ISuTest. Subsequently, the integration is evaluated. This evaluation is twofold: first, deliberately vulnerable web applications are used. In a second step, seven real IACS, such as a programmable logic controller, industrial switches and cloud gateways, are used. Both evaluation steps start with a manual examination of the web applications for vulnerabilities. They conclude with an automated test of the web applications using the vulnerability scanners automated by ISuTest.

The results show that the vulnerability scanners detected 53 % of the existing vulnerabilities. In a former study using commercial vulnerability scanners, 54 % of the security flaws could be found. While performing the analysis, 45 new vulnerabilities were detected. Some of them not only broke the web server but crashed the whole IACS, stopping the critical automation process. This shows that security testing is crucial in the industrial domain and needs to cover all services provided by the devices.
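The final finding above, that some scans crashed the whole IACS rather than only its web server, is exactly the outcome a scan harness must record on its own, because a scanner reports findings about HTTP responses and says nothing about the control process. The following is an added example, not ISuTest code and not from the authors, of an availability monitor that probes the device's management web port and a control-protocol port while a scanner runs and classifies the outcome; the fake device, the dummy scan and all port numbers are constructed stand-ins.

```python
import socket
import threading
import time


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect to host:port succeeds (the service is still up)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def monitor_scan(host, web_port, ctrl_port, run_scan, interval=0.05):
    """Run run_scan() while probing the web port and the control-protocol port.
    Returns 'available', 'web_server_crash' or 'device_crash'."""
    samples, stop = [], threading.Event()

    def probe_loop():
        while not stop.is_set():
            samples.append((port_open(host, web_port), port_open(host, ctrl_port)))
            time.sleep(interval)

    worker = threading.Thread(target=probe_loop, daemon=True)
    worker.start()
    try:
        run_scan()
    finally:
        stop.set()
        worker.join()
    samples.append((port_open(host, web_port), port_open(host, ctrl_port)))  # final probe
    if any(not ctrl for _, ctrl in samples):
        return "device_crash"       # control port gone: the whole IACS went down
    if any(not web for web, _ in samples):
        return "web_server_crash"   # only the management web application died
    return "available"


def dummy_scan(duration: float = 0.4) -> None:
    """Constructed stand-in for the scanner subprocess (it just takes time)."""
    time.sleep(duration)


def fake_device(crash_after=None) -> int:
    """Constructed stand-in for one device port: a localhost TCP listener that
    stops serving after crash_after accepted connections (None = never crashes).
    Returns the bound port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        accepted = 0
        while crash_after is None or accepted < crash_after:
            conn, _ = srv.accept()
            conn.close()
            accepted += 1
        srv.close()  # simulated crash: further connects are refused

    threading.Thread(target=serve, daemon=True).start()
    return port
```

In a real run, `run_scan` would launch the scanner against the device, and a `device_crash` result should be filed as a denial-of-service finding regardless of what the scanner itself reports.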


About the authors

Steffen Pfrang

Steffen Pfrang received his diploma degree in computer science from the Karlsruhe Institute of Technology in 2012. Since 2014, his work has focused on cybersecurity for industrial automation networks within the Fraunhofer IOSB IT Security Laboratory for Industrial Production. His research interests include applied security for industrial automation networks and critical infrastructures, security testing for industrial automation and control systems as well as intrusion detection.

Anne Borcherding

Anne Borcherding (M.Sc.) graduated from the Karlsruhe Institute of Technology in 2018 with a Master’s degree in Computer Science. During her studies she focused on IT security and cryptography. Following her studies, she now works as a researcher at Fraunhofer IOSB in the group “Secure Networked Systems”. Her focus includes security testing and web server security.

David Meier

David Meier, M.Sc., received his master’s degree in Information System Technology from the Technische Universität Darmstadt in 2013. Since 2014, he has been part of the research group on Secure Networked Systems at Fraunhofer IOSB. His research interests include network security, wireless networks and security for industrial systems.

Jürgen Beyerer

Jürgen Beyerer has been full professor of informatics at the Institute for Anthropomatics and Robotics at the Karlsruhe Institute of Technology (KIT) since March 2004 and is director of the Fraunhofer Institute of Optronics, System Technologies and Image Exploitation (IOSB) in Ettlingen, Karlsruhe, Ilmenau and Lemgo. His research interests include automated visual inspection, signal and image processing, pattern recognition, metrology, information theory, machine learning, system theory, security, autonomous systems and automation.


Received: 2019-02-11
Accepted: 2019-03-25
Published Online: 2019-05-14
Published in Print: 2019-05-27

© 2019 Walter de Gruyter GmbH, Berlin/Boston

Downloaded on 28.4.2024 from https://www.degruyter.com/document/doi/10.1515/auto-2019-0021/html