
Attacking IEC-60870-5-104 SCADA Systems

The rapid evolution of the Information and Communications Technology (ICT) services transforms the conventional electrical grid into a new paradigm called Smart Grid (SG). Even though SG brings significant improvements, such as increased reliability and better energy management, it also introduces multiple security challenges. One of the main reasons for this is that SG combines a wide range of heterogeneous technologies, including Internet of Things (IoT) devices as well as Supervisory Control and Data Acquisition (SCADA) systems. The latter are responsible for monitoring and controlling the automatic procedures of energy transmission and distribution. Nevertheless, the presence of these systems introduces multiple vulnerabilities because their protocols do not implement essential security mechanisms such as authentication and access control. In this paper, we focus our attention on the security issues of the IEC 60870-5-104 (IEC-104) protocol, which is widely utilized in the European energy sector. In particular, we provide a SCADA threat model based on a Coloured Petri Net (CPN) and emulate four different types of cyber attacks against IEC-104. Last, we used AlienVault’s risk assessment model to evaluate the risk level that each of these cyber attacks introduces to our system to confirm our intuition about their severity.

Transcript

  1. P. Radoglou-Grammatikis, P. Sarigiannidis*, I. Giannoulakis, E. Kafetzakis and E. Panaousis (University of Western Macedonia, Eight Bells Ltd, University of Surrey). Attacking IEC-60870-5-104 SCADA Systems. The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things.
  2. Introduction
     • The heterogeneous nature of SG creates severe security issues
     • SCADA systems are the most vulnerable elements of SG due to their insecure industrial communication protocols, such as Modbus, DNP3, IEC-104, etc.
     • The IEC 60870-5-104 (IEC-104) protocol is widely used in Europe and is characterised by severe security flaws
     • Threat model for SCADA systems based on a Coloured Petri Net (CPN)
     • Emulation of four cyberattacks against IEC-104 and evaluation of their risk level
     • This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR)
  3. Related Work
     • E. Hodo et al., "Anomaly detection for simulated IEC-60870-5-104 traffic": anomaly-based IDS for IEC-104, private dataset, ARP attacks, DoS attacks and replay attacks, WEKA, many algorithms (Naïve Bayes, IBk, J48, Random Forest, OneR, RandomTree and DecisionTable)
     • Y. Yang et al., "Intrusion detection system for IEC 60870-5-104 based SCADA networks": signature and specification rules for IEC-104, Snort IDS, unauthorized read commands, unauthorized reset commands, unauthorized remote control, spontaneous packet storms, buffer overflows
  4. Related Work (continued)
     • Y. Yang et al., "Stateful intrusion detection for IEC 60870-5-104 SCADA security": specification-based IDS for IEC-104, Finite State Machines (FSM), ITACA software, TPR = 100%, FPR = 0%
     • S. Anton et al., "Evaluation of machine learning-based anomaly detection algorithms on an industrial Modbus/TCP data set": machine-learning-based anomaly detection for Modbus, Lemay and Fernandez dataset, SVM, KNN, Random Forest, K-means
     • J. Hong et al., "Detection of cyber intrusions using network-based multicast messages for substation automation": specification-based IDS for IEC 61850, GOOSE and SVM protocols, DoS attacks, replay attacks, Wireshark, Nmap, Colasoft Packet Builder, FPR = 1.61 × 10^-4
  5. Smart Grid Overview
  6. SCADA Systems
     • Human Machine Interface (HMI): software package with graphics capabilities through which the system operator can monitor the processes of the SCADA system.
     • Industrial Protocols: Modbus, Distributed Network Protocol (DNP3), IEC 61850 and IEC 60870-5 do not include authentication and authorization mechanisms. Therefore, they are vulnerable to various cyberattacks.
     • Logic Controllers: Programmable Logic Controllers (PLC) and Remote Terminal Units (RTU) are mainly responsible for collecting data from the measuring instruments, detecting abnormal behaviours and activating or deactivating technical components.
     • Master Terminal Unit (MTU): hardware device that presents all the data received from the logic controllers to the operator of the SCADA system.
  7. IEC-104 Security
     • IEC-104 is based on TCP/IP, which exhibits a number of security issues
     • The data at the application layer is transmitted without encryption, thus making traffic analysis and MiTM attacks possible
     • Many commands of the protocol, such as the reset command, interrogation commands and read commands, do not integrate authentication mechanisms, thereby resulting in unauthorized access
     • Based on these vulnerabilities, a cyber attacker possesses the ability to control PLCs and possibly the overall operation of an automation substation
     • Although IEC 62351 provides solutions that enhance the security of IEC-104, the industrial nature of SCADA systems hinders their immediate upgrade
  8. Coloured Petri Nets
     • Place: an elliptical node which usually denotes a device or component sending data to another device (or component).
     • Token: a black circle which denotes the type of information transmitted between two Places.
     • Transition: a rectangular intermediate node on the Connection between two Places, where a Connection is depicted by a directed arrow.
     • Token Colour 1: a yellow triangle which denotes the power flows transmitted by the Power Supply to the other components of the PLC.
     • Token Colour 2: a blue circle which denotes the data flows exchanged by the various components and systems.
     • Token Colour 3: an orange square which denotes the command flows.
  9. SCADA as CPN
     No. | Flow type | Source Place → Destination Place | Transition description
     1 | Power supply flow | Power Supply → Processor | The power supply component provides power to the processor
     2 | Power supply flow | Power Supply → Input Modules | The power supply component provides power to the input modules
     3 | Power supply flow | Power Supply → Output Modules | The power supply component provides power to the output modules
     4 | Data flow | Input Modules → Processor | The input modules transmit signal data to the processor
     5 | Commands flow | Processor → Output Modules | The processor handles the input signals provided by the input modules and transmits control commands to the output modules
     6 | Data flow | Processor → Memory | The processor stores some control data in the memory
     7 | Data flow | Processor → Communication Module | The processor passes the control data to the communication module
     8 | Data flow | Communication Module → MTU | The control data is sent to the MTU via the communication module
     9 | Data flow | MTU → Communication Module | The communication module receives control data from the MTU
     10 | Commands flow | MTU → Communication Module | The communication module receives control commands from the MTU
  10. Threat Modelling
     Attacks on Power Supply Flows (transitions 1, 2, 3)
       Physical attacks: 1) Physical disruption or malicious modification of connections 1, 2 and 3. 2) Physical destruction or malicious modification of the Power Supply, Processor, Input Modules and Output Modules.
       Cyber attacks: 1) Unauthorised access to the Processor 2) Unauthorised access to the Input Modules 3) Unauthorised access to the Output Modules
     Attacks on Control Data Flows (transitions 4, 6, 7, 8, 9)
       Physical attacks: 1) Physical disruption or malicious modification of connections 4, 6, 7, 8 and 9. 2) Physical destruction or malicious modification of the Processor, Input Modules, Output Modules, Memory, Communication Module and MTU. 3) Physical malicious programming of the Processor. 4) Physical violation of the MTU of the SCADA system.
       Cyber attacks: 1) Unauthorised access to the Input Modules 2) Unauthorised access to the Processor 3) Unauthorised access to the Output Modules 4) MiTM attack between Input Modules and Processor 5) MiTM attack between Output Modules and Processor 6) DoS attacks 7) MiTM attack between Communication Module and MTU 8) Traffic analysis attack
     Attacks on Control Command Flows (transitions 5, 10)
       Physical attacks: 1) Physical disruption or malicious modification of connections 5 and 10. 2) Physical destruction or malicious modification of the Processor, Output Modules, Communication Module and MTU. 3) Physical malicious programming of the Processor. 4) Physical violation of the MTU of the SCADA system.
       Cyber attacks: 1) Unauthorised access to the Processor 2) Unauthorised access to the Output Modules 3) MiTM attack between Communication Module and MTU 4) DoS attacks 5) Traffic analysis attack
  11. Testbed
     • PLC – 192.168.1.7: IEC TestServer emulates a PLC utilizing IEC-104
     • MTU – 192.168.1.7: QTester104 is an HMI for IEC-104
     • Cyberattacker – 192.168.1.9: Kali Linux is used to perform the four cyberattacks. We extend OpenMUC j60870 in order to perform unauthorized Read (C_RD_NA_1), Reset (C_RP_NA_1) and Counter Interrogation (C_CI_NA_1) commands
     • AlienVault OSSIM – 192.168.1.99: OSSIM is a SIEM tool which protects the SCADA system via OSSEC and Suricata, a host-based IDS and a network-based IDS respectively.
  12. Cyberattacks
     01 Traffic Analysis & MiTM (IEC 60870-5-104 Isolation Attack): aims to monitor and isolate or even drop IEC-104 packets between PLC and MTU. Ettercap was used.
     02 TCP SYN DoS Attack: DoS attack where the cyberattacker continuously transmits SYN packets to the PLC without ever completing the handshake after the corresponding answers (SYN+ACK). The hping tool was used.
     03 Unauthorized Access: the IP of the cyberattacker was changed, hence he/she is not considered a member of the network. OpenMUC j60870 was used to transmit the unauthorised commands.
     04 IEC-104 Packet Flooding Attack: a kind of DoS which aims at flooding the MTU with specific IEC-104 command packets. To emulate this attack, the PLC transmits the single point information command (M_SP_NA_1) to the MTU per second.
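As an added defensive example (not code from the paper, from OpenMUC j60870 or from the IDS tools named in the testbed), the following Python sketch parses IEC-104 I-format APDUs and applies two detection rules that match the attacks on this slide: read, reset and counter-interrogation commands (C_RD_NA_1, C_RP_NA_1, C_CI_NA_1) arriving from a host that is not an allowed MTU, and a burst of spontaneous M_SP_NA_1 ASDUs from a single host. The sample traffic is constructed; the MTU and attacker addresses follow the testbed slide, while the PLC address 192.168.1.8, the allowlist and the burst threshold are assumptions.

```python
import struct
from collections import defaultdict

# IEC 60870-5-104 ASDU type identifiers named on the slides
M_SP_NA_1, C_CI_NA_1, C_RD_NA_1, C_RP_NA_1 = 1, 101, 102, 105
CONTROL_TYPES = {C_CI_NA_1: "counter interrogation", C_RD_NA_1: "read", C_RP_NA_1: "reset"}

def parse_apdu(data):
    """Return (type_id, cause_of_transmission, common_address) for an I-format APDU.
    Returns None for S/U-format frames (they carry no ASDU) and for malformed input."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        return None
    if data[2] & 0x01 or len(data) < 12:   # control octet 1, bit 0 set => S or U frame
        return None
    type_id, _vsq, cot, ca = struct.unpack_from("<BBHH", data, 6)
    return type_id, cot & 0x3F, ca           # COT is the low 6 bits of the first COT octet

def build_i_apdu(type_id, cot, ca=1, ioa=0, payload=b""):
    """Build a constructed I-format APDU (sequence numbers 0) with one information object."""
    asdu = struct.pack("<BBHH", type_id, 1, cot, ca) + ioa.to_bytes(3, "little") + payload
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu

def detect(packets, allowed_masters, storm_threshold=5):
    """packets: iterable of (timestamp_s, src_ip, apdu_bytes). Returns a list of alerts.
    Rule 1: read / reset / counter-interrogation commands must come from an allowed MTU.
    Rule 2: storm_threshold spontaneous M_SP_NA_1 ASDUs from one host within 1 s."""
    alerts, seen = [], defaultdict(list)
    for ts, src, apdu in packets:
        parsed = parse_apdu(apdu)
        if parsed is None:
            continue
        type_id, cot, _ca = parsed
        if type_id in CONTROL_TYPES and src not in allowed_masters:
            alerts.append(f"unauthorized {CONTROL_TYPES[type_id]} command from {src} (type {type_id})")
        if type_id == M_SP_NA_1 and cot == 3:                          # COT 3 = spontaneous
            seen[src] = [t for t in seen[src] if ts - t < 1.0] + [ts]  # sliding 1 s window
            if len(seen[src]) == storm_threshold:                      # alert once, when the window first fills
                alerts.append(f"{storm_threshold} spontaneous M_SP_NA_1 ASDUs from {src} within 1 s")
    return alerts

# Constructed sample traffic; MTU and attacker addresses follow the testbed slide, the PLC address is assumed
MTU, PLC, ATTACKER = "192.168.1.7", "192.168.1.8", "192.168.1.9"
SAMPLE = [
    (0.0, MTU, build_i_apdu(C_RD_NA_1, 5, ioa=100)),               # legitimate read (COT 5 = request)
    (0.1, ATTACKER, build_i_apdu(C_RD_NA_1, 5, ioa=100)),          # same read from the attacker host
    (0.2, ATTACKER, build_i_apdu(C_RP_NA_1, 6, payload=b"\x01")),  # reset process (COT 6 = activation)
    (0.3, ATTACKER, build_i_apdu(C_CI_NA_1, 6, payload=b"\x05")),  # counter interrogation
] + [(1.0 + i / 10, PLC, build_i_apdu(M_SP_NA_1, 3, ioa=1, payload=b"\x01")) for i in range(6)]

def run_sample():
    return detect(SAMPLE, allowed_masters={MTU})
```

On the constructed sample, run_sample() yields three unauthorized-command alerts for 192.168.1.9 followed by one burst alert for the PLC address; a rate rule like the second one needs a threshold tuned to the real spontaneous update rate of the plant, or it will fire on legitimate event bursts.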
  13. Risk Assessment
     Risk = (Asset Value × Event Priority × Event Reliability) / 25
     • Asset Value (ranging between 0 and 5) indicates how significant an asset is. In our case there are two assets, 1) the MTU and 2) the PLC, whose value is equal to 5, since they are crucial for the normal operation of a SCADA system.
     • Event Priority (ranging between 0 and 5) is determined by the expected impact of the threat.
     • Event Reliability (ranging between 0 and 10) is determined by the probability of the threat occurring.
     • The Impact and Threat Occurrence values from [1] were used to initialise Event Priority and Event Reliability. These values were computed using real-world data from the Common Weakness Enumeration (CWE) category system.
     [1] A. Fielder, E. Panaousis, P. Malacaria, C. Hankin, and F. Smeraldi, "Decision support approaches for cyber security investment," Decision Support Systems, vol. 86, pp. 13–23, 2016.
  14. Risk Assessment (continued)
     Threat | CWE vulnerability | Threat Occurrence | Impact
     DoS | Allocation of Resources Without Limits or Throttling (CWE-770) | 8.65 | 3.5
     Traffic Analysis | Cleartext Transmission of Sensitive Information (CWE-319) | 7.834 | 2.5
     MitM | Missing Encryption of Sensitive Data (CWE-311) | 6.793 | 3.5
     Unauthorised Access | Improper Access Control (CWE-284) | 9.4 | 3.5
     Risk = (Asset Value × Event Priority × Event Reliability) / 25
  15. Goal: SPEAR intends to provide a set of secure, privacy-enabled and cyberattack-resilient tools, thus ensuring the normal operation of SG as well as the integrity and confidentiality of communications. https://www.spear2020.eu/
  16. SPEAR Objectives
     Obj 1: To define the SPEAR system architecture, the security components and the privacy frameworks for situational awareness provisioning in relation to cyber security threats
     Obj 2: To build attack detection mechanisms and promote resilience operations in smart grids
     Obj 3: To increase situational awareness in smart grid networks
     Obj 4: To create and maintain an anonymous repository of smart grid incidents
     Obj 5: To provide smart network forensics subject to data protection and privacy
     Obj 6: To empower EU-wide consensus of cyber security in smart grid systems
     Obj 7: To validate the SPEAR architecture capabilities in proof-of-concept Use Cases
     Obj 8: To design an innovative business model and conduct a techno-economic analysis to strengthen the role of the European smart grid and cyber-security industry in the global market.