Posted on 18-Mar-2020
Attacking IEC-60870-5-104 SCADA Systems
P. Radoglou-Grammatikis, P. Sarigiannidis*, I. Giannoulakis, E. Kafetzakis and E. Panaousis
University of Western Macedonia, Eight Bells Ltd, University of Surrey
The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
Introduction
• The heterogeneous nature of the Smart Grid (SG) creates severe security issues
• SCADA systems are the most vulnerable elements of the SG due to their insecure industrial communication protocols, such as Modbus, DNP3 and IEC-104
• The IEC 60870-5-104 (IEC-104) protocol is widely utilized in Europe and is characterized by severe security flaws
• Threat model for SCADA systems based on Coloured Petri Nets (CPN)
• Emulation and risk-level evaluation of four cyberattacks against IEC-104
• This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR)
Related Work
• Anomaly-based IDS for IEC-104, private dataset, ARP attacks, DoS attacks and Replay attacks, WEKA, many algorithms: Naïve Bayes, IBk, J48, Random Forest, OneR, RandomTree and DecisionTable (E. Hodo et al., "Anomaly detection for simulated IEC-60870-5-104 traffic")
• Signature and specification rules for IEC-104, Snort IDS, unauthorized read commands, unauthorized reset commands, unauthorized remote control, spontaneous packet storms, buffer overflows (Y. Yang et al., "Intrusion detection system for IEC 60870-5-104 based SCADA networks")
• Specification-based IDS for IEC-104, Finite State Machines (FSM), ITACA software, TPR = 100%, FPR = 0% (Y. Yang et al., "Stateful intrusion detection for IEC 60870-5-104 SCADA security")
• Machine learning based anomaly detection for Modbus, Lemay and Fernandez dataset, SVM, KNN, Random Forest, K-means (S. Anton et al., "Evaluation of machine learning-based anomaly detection algorithms on an industrial Modbus/TCP data set")
• Specification-based IDS for IEC 61850, GOOSE and SVM protocols, DoS attacks, Replay attacks, Wireshark, Nmap, Colasoft Packet Builder, FPR = 1.61 x 10^-4 (J. Hong et al., "Detection of cyber intrusions using network-based multicast messages for substation automation")
Smart Grid Overview
SCADA Systems
• Human Machine Interface (HMI): software package with graphics capabilities through which the system operator can monitor the processes of the SCADA system.
• Industrial Protocols: Modbus, Distributed Network Protocol (DNP3), IEC 61850 and IEC 60870-5 do not include authentication and authorization mechanisms. Therefore, they are vulnerable to various cyberattacks.
• Logic Controllers: Programmable Logic Controllers (PLC) and Remote Terminal Units (RTU) are mainly responsible for collecting data from the measuring instruments, detecting abnormal behaviours and activating or deactivating technical components.
• Master Terminal Unit (MTU): hardware device that presents all the data received from the logic controllers to the operator of the SCADA system.
IEC-104 Security
• IEC-104 runs over TCP/IP, which itself exhibits a number of security issues
• The application-layer data is transmitted without any encryption mechanism, which makes traffic analysis and MiTM attacks possible
• Many commands of the protocol, such as the reset command, interrogation commands and read commands, do not integrate authentication mechanisms, thereby enabling unauthorized access
• Based on these vulnerabilities, a cyber attacker is able to control PLCs and possibly the overall operation of an automation substation
• Although IEC 62351 provides solutions that enhance the security of IEC-104, the industrial nature of SCADA systems hinders their immediate upgrade
Coloured Petri Nets
• Place: an elliptical node which usually denotes a device or component sending data to another device (or component).
• Transition: a rectangular, intermediate node between the Connection of two Places, where a Connection is depicted by a directed arrow.
• Token: a black circle which denotes the type of information transmitted between two Places.
• Token Colour 1: a yellow triangle which denotes the power flows transmitted by the Power Supply to the other components of the PLC.
• Token Colour 2: a blue circle which denotes the data flows exchanged by the various components and systems.
• Token Colour 3: an orange square which denotes the command flows.
SCADA as CPN
Transition No | Flow Type | Source Place | Destination Place | Transition Description
1 | Power Supply Flow | Power Supply | Processor | The power supply component provides power to the processor
2 | Power Supply Flow | Power Supply | Input Modules | The power supply component provides power to the input modules
3 | Power Supply Flow | Power Supply | Output Modules | The power supply component provides power to the output modules
4 | Data Flow | Input Modules | Processor | The input modules transmit signal data to the processor
5 | Commands Flow | Processor | Output Modules | The processor handles the input signals provided by the input modules and transmits control commands to the output modules
6 | Data Flow | Processor | Memory | The processor stores some control data in the memory
7 | Data Flow | Processor | Communication Module | The processor passes the control data to the communication module
8 | Data Flow | Communication Module | MTU | The control data is sent to the MTU via the communication module
9 | Data Flow | MTU | Communication Module | The communication module receives control data from the MTU
10 | Commands Flow | MTU | Communication Module | The communication module receives control commands from the MTU
Threat Modelling
Type of Cyberattacks | Attacks on Power Supply Flows | Attacks on Control Data Flows | Attacks on Control Command Flows
Transitions | 1, 2, 3 | 4, 6, 7, 8, 9 | 5, 10
Physical Attacks | 1) Physical disruption or malicious modification of the connections 1, 2 and 3; 2) Physical destruction or malicious modification of the Power Supply, Processor, Input Modules and Output Modules | 1) Physical disruption or malicious modification of the connections 4, 6, 7, 8 and 9; 2) Physical destruction or malicious modification of the Processor, Input Modules, Output Modules, Memory, Communication Module and MTU; 3) Physical malicious programming of the Processor; 4) Physical violation of the MTU of the SCADA system | 1) Physical disruption or malicious modification of the connections 5 and 10; 2) Physical destruction or malicious modification of the Processor, Output Modules, Communication Module and MTU; 3) Physical malicious programming of the Processor; 4) Physical violation of the MTU of the SCADA system
Cyber Attacks | 1) Unauthorised access to Processor; 2) Unauthorised access to Input Modules; 3) Unauthorised access to Output Modules | 1) Unauthorised access to Input Modules; 2) Unauthorised access to Processor; 3) Unauthorised access to Output Modules; 4) MiTM attack between Input Modules and Processor; 5) MiTM attack between Output Modules and Processor; 6) DoS attacks; 7) MiTM attack between Communication Module and MTU; 8) Traffic Analysis attack | 1) Unauthorised access to Processor; 2) Unauthorised access to Output Modules; 3) MiTM attack between Communication Module and MTU; 4) DoS attacks; 5) Traffic Analysis attack
Testbed
• PLC (192.168.1.7): IEC TestServer emulates a PLC utilizing IEC-104
• MTU (192.168.1.7): QTester104 is an HMI for IEC-104
• Cyberattacker (192.168.1.9): Kali Linux is used to perform the four cyberattacks. We extend OpenMUC j60870 in order to perform unauthorized Read (C_RD_NA_1), Reset (C_RP_NA_1) and Counter Interrogation (C_CI_NA_1) commands
• AlienVault OSSIM (192.168.1.99): OSSIM is a SIEM tool which undertakes to protect the SCADA system via OSSEC and Suricata, which are a Host-based IDS and a Network-based IDS respectively
Cyberattacks
• Traffic Analysis & MiTM / IEC 60870-5-104 Isolation Attack: aims to monitor and isolate, or even drop, the IEC-104 packets exchanged between the PLC and the MTU. Ettercap was used.
• TCP SYN DoS Attack: DoS attack in which the cyberattacker continuously transmits SYN packets to the PLC without completing the corresponding handshake after the SYN+ACK answers. The hping tool was used.
• Unauthorized Access: the IP address of the cyberattacker was changed, so the attacker is not considered a member of the network. OpenMUC j60870 was used to transmit the unauthorised commands.
• IEC-104 Packet Flooding Attack: a kind of DoS which aims at flooding the MTU with specific IEC-104 command packets. To emulate this attack, the PLC transmits a single-point information message (M_SP_NA_1) to the MTU every second.
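As an added illustration (not code from the paper, the testbed or the SPEAR project), the following Python script parses IEC-104 I-format APDUs and applies the two network-side checks the Unauthorized Access and IEC-104 Packet Flooding attacks above call for: it flags the Counter Interrogation, Read and Reset commands (C_CI_NA_1, C_RD_NA_1, C_RP_NA_1) whenever they come from a host other than the MTU, and it counts M_SP_NA_1 messages per source per second. The authorized master address 192.168.1.7, the threshold of 5 messages per second and the sample frames are assumptions and constructed data, not values from the page.

```python
from collections import defaultdict

# IEC-104 type identifiers (standard values); 101/102/105 are the commands the slides name
M_SP_NA_1, C_CI_NA_1, C_RD_NA_1, C_RP_NA_1 = 1, 101, 102, 105
CONTROL_CMDS = {C_CI_NA_1, C_RD_NA_1, C_RP_NA_1}
AUTHORIZED_MASTERS = {"192.168.1.7"}  # assumption: only the MTU host may issue commands
FLOOD_THRESHOLD = 5                    # assumption: >5 M_SP_NA_1 ASDUs/second from one source

def parse_apdu(raw: bytes):
    """Return (type_id, cot, common_addr) for an I-format APDU, else None."""
    if len(raw) < 12 or raw[0] != 0x68 or raw[1] != len(raw) - 2:
        return None                    # bad start byte or wrong length field
    if raw[2] & 0x01:
        return None                    # S- or U-format control frame, carries no ASDU
    type_id, cot = raw[6], raw[8] & 0x3F           # VSQ sits at raw[7]; low 6 bits = cause
    return type_id, cot, raw[10] | (raw[11] << 8)  # common address, little-endian

def apdu(type_id, cot, ca, ioa=1):
    """Build a minimal I-format APDU with one information object (constructed data)."""
    asdu = bytes([type_id, 0x01, cot, 0x00, ca & 0xFF, ca >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, ioa >> 16, 0x00])
    ctrl = bytes(4)                    # send/receive sequence numbers 0; bit 0 clear = I-format
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu

def analyse(frames):
    """frames: iterable of (timestamp_s, src_ip, raw_apdu); returns a list of alerts."""
    alerts, sp_counts = [], defaultdict(int)
    for ts, src, raw in frames:
        parsed = parse_apdu(raw)
        if parsed is None:
            continue
        type_id, _cot, _ca = parsed
        # Unauthorized Access: a command ASDU from a host that is not the MTU
        if type_id in CONTROL_CMDS and src not in AUTHORIZED_MASTERS:
            alerts.append(("unauthorized_command", src, type_id))
        # IEC-104 Packet Flooding: too many M_SP_NA_1 ASDUs per second from one source
        if type_id == M_SP_NA_1:
            key = (src, int(ts))
            sp_counts[key] += 1
            if sp_counts[key] == FLOOD_THRESHOLD + 1:   # alert once per one-second window
                alerts.append(("iec104_flood", src, int(ts)))
    return alerts

# Constructed sample traffic: a legitimate read, a reset from a foreign host, then a burst
SAMPLE_FRAMES = (
    [(0.1, "192.168.1.7", apdu(C_RD_NA_1, 5, 1)), (0.2, "192.168.1.9", apdu(C_RP_NA_1, 6, 1))]
    + [(1.0 + i / 10, "192.168.1.7", apdu(M_SP_NA_1, 3, 1, ioa=i + 1)) for i in range(8)]
)
```

Running analyse(SAMPLE_FRAMES) yields one unauthorized_command alert for the reset from 192.168.1.9 and one iec104_flood alert for the burst; a real deployment would feed it frames reassembled from the TCP stream on port 2404.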
Risk Assessment
Risk = (Asset Value × Event Priority × Event Reliability) / 25
• Asset Value (ranging between 0-5) implies how significant an asset is. In our case, there are two assets:
1) MTU and 2) PLC whose value is equal to 5, since they are crucial for the normal operation of a SCADA
system.
• Event Priority (ranging between 0-5) is determined by the expected impact of this threat.
• Event Reliability (ranging between 0-10) is determined by the probability of the threat occurring.
• Impact and Threat Occurrence values from [1] were used to initialize Event Priority and Event Reliability.
These values were computed by using real-world data from the Common Weakness Enumeration (CWE)
category system.
[1] A. Fielder, E. Panaousis, P. Malacaria, C. Hankin, and F. Smeraldi, “Decision support approaches for
cyber security investment,” Decision Support Systems, vol. 86, pp. 13–23, 2016.
Risk Assessment
Threat | CWE Vulnerability | Threat Occurrence | Impact
DoS | Allocation of Resources Without Limits or Throttling (CWE-770) | 8.65 | 3.5
Traffic Analysis | Cleartext Transmission of Sensitive Information (CWE-319) | 7.834 | 2.5
MitM | Missing Encryption of Sensitive Data (CWE-311) | 6.793 | 3.5
Unauthorised Access | Improper Access Control (CWE-284) | 9.4 | 3.5
Goal: SPEAR intends to provide a set of secure, privacy-enabled and cyberattack-resilient tools, thus ensuring the normal operation of the SG as well as the integrity and the confidentiality of communications. https://www.spear2020.eu/
SPEAR Objectives
Obj 1: To define the SPEAR system architecture, the security components and the privacy frameworks for situational awareness provisioning in relation to cyber security threats
Obj 2: To build attack detection mechanisms and promote resilience operations in smart grids
Obj 3: To increase situational awareness in smart grid networks
Obj 4: To create and maintain an anonymous repository of smart grid incidents
Obj 5: To provide smart network forensics subject to data protection and privacy
Obj 6: To empower EU-wide consensus of cyber security in smart grid systems
Obj 7: To validate the SPEAR architecture capabilities in proof-of-concept Use Cases
Obj 8: To design an innovative business model and conduct a techno-economic analysis to strengthen the role of the European smart grid and cyber-security industry in the global market
Thank You! Questions?