A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection

I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta

Joint Research Centre (JRC), The European Commission's Research-Based Policy Support Organisation
Insubria University

Transcript of the slide deck (27 pages)

Page 1: Title slide (title, authors and affiliations as above)

Page 2: Consequences of pervasive ICT in Critical Infrastructures

Figure: a Supervisory Control and Data Acquisition (SCADA) system connected to a public network.

Today most critical infrastructures depend heavily on the underlying communication networks.

New attack scenarios, new vulnerabilities, new risks.

Page 3: An Example: The ModBUS frame

ModBUS serial frame (RS232, RS422/485):
  253 bytes (PDU) + 1 byte (sl. ADDR) + 2 bytes (CRC) = 256 bytes max ADU

ModBUS TCP/IP frame:
  253 bytes (PDU) + 7 bytes (MBAP) = 260 bytes max ADU

MBAP Header:
• Transaction Identifier
• Protocol Identifier
• Length
• Unit Identifier
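The framing rules on this page are exactly what a filtering unit has to enforce before it can look at a function code. The following is an added example, not code from the slides or from the authors' prototype: it splits a Modbus TCP/IP ADU into its MBAP fields and PDU, checks the protocol identifier, checks that the MBAP Length field agrees with the bytes actually received, and rejects anything over the 260-byte maximum. The function names (parse_modbus_tcp, build_modbus_tcp, check) and the two sample frames are mine.

```python
# Added example (not from the slides): parse a Modbus TCP/IP ADU and enforce the
# limits stated on page 3: 7-byte MBAP header + PDU of at most 253 bytes = 260-byte
# maximum ADU. The sample frames below are constructed for this example.
import struct

MBAP_LEN = 7                  # Transaction Id (2) + Protocol Id (2) + Length (2) + Unit Id (1)
MAX_PDU = 253
MAX_ADU = MBAP_LEN + MAX_PDU  # 260 bytes, as on the slide


class FrameError(ValueError):
    """Raised when an ADU violates the Modbus TCP framing rules."""


def parse_modbus_tcp(adu: bytes) -> dict:
    """Split an ADU into MBAP fields and PDU, rejecting malformed frames.

    These are the checks a filter applies before reading the function code:
    header present, protocol id 0, Length field consistent with the bytes on
    the wire, and PDU within the 253-byte limit.
    """
    if len(adu) < MBAP_LEN + 1:            # header plus at least a function code
        raise FrameError("ADU shorter than MBAP header + function code")
    if len(adu) > MAX_ADU:
        raise FrameError(f"ADU of {len(adu)} bytes exceeds the {MAX_ADU}-byte maximum")

    tid, proto, length, unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if proto != 0:
        raise FrameError(f"protocol identifier {proto} is not Modbus (0)")
    # The MBAP Length field counts the unit identifier plus the PDU that follows it.
    if length != len(adu) - 6:
        raise FrameError(f"MBAP length {length} disagrees with {len(adu) - 6} bytes on the wire")

    pdu = adu[MBAP_LEN:]
    return {"transaction_id": tid, "protocol_id": proto, "length": length,
            "unit_id": unit, "function_code": pdu[0], "data": pdu[1:]}


def build_modbus_tcp(tid: int, unit: int, function_code: int, data: bytes) -> bytes:
    """Encode an ADU with a correct MBAP Length field (used to build the samples)."""
    pdu = bytes([function_code]) + data
    if len(pdu) > MAX_PDU:
        raise FrameError("PDU exceeds 253 bytes")
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample: Write Single Coil (FC 05), coil address 1, value ON (0xFF00).
SAMPLE_WRITE_COIL = build_modbus_tcp(tid=1, unit=1, function_code=0x05,
                                     data=struct.pack(">HH", 1, 0xFF00))
# Constructed sample: the same frame, but the Length field claims two extra bytes.
SAMPLE_BAD_LENGTH = SAMPLE_WRITE_COIL[:4] + struct.pack(">H", 8) + SAMPLE_WRITE_COIL[6:]


def check(adu: bytes) -> str:
    """Return 'ok ...' or 'reject: ...', the way a filter would log its verdict."""
    try:
        fields = parse_modbus_tcp(adu)
        return f"ok fc={fields['function_code']:#04x} unit={fields['unit_id']}"
    except FrameError as err:
        return f"reject: {err}"


if __name__ == "__main__":
    print(check(SAMPLE_WRITE_COIL))
    print(check(SAMPLE_BAD_LENGTH))
    print(check(build_modbus_tcp(2, 1, 0x10, b"\x00" * 252)))  # 253-byte PDU: allowed
    print(check(b"\x00" * 261))                                   # over 260 bytes: rejected
```

A frame whose Length field disagrees with the captured size is the kind of inconsistency a state-based filter must refuse before it updates its virtual image, otherwise the image drifts from the real devices.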

Page 4: SCADA Protocols Vulnerabilities

• Unauthorized Command Execution
• Man-in-the-Middle
• Replay-attacks
• Repudiation

What the protocols lack: …authentication… …integrity… …freshness…

Page 5: Secure Modbus Prototype

• Time-stamp
• SHA2 digest (256 bit)
• RSA signature on the SHA2 digest

Figure: the ModBUS TCP/IP frame (MBAP | Function | Data) is extended with a time-stamp (TS) to form the E-Modbus packet; SHA2(E-Modbus) is signed with the master key pKM, giving the S-Modbus packet.

Page 6: Considerations

• A secure protocol does not protect from the corruption of the traffic originator, i.e. the Master…

Page 7: K-Survivable SCADA Architecture

Attacks:
• Unauth. Com. Exec.
• Replay Attack
• Master infection
• Master-FU infection

Solutions:
• Signature
• Secure ModBUS
• Filtering Unit
• Multiple FU

Legend:
PKm = Private Key Master
SKm = Public key Master
TS  = Time Stamp
FU  = Filtering Unit
PKf = Private key FU
SKf = Public key FU

Figure: Master → Filtering Units (FU) → Slave, with the Attacker placed on each link and a SCADA FW in front of the slave. The Master sends {TS|ModBUS}PKm (the ModBUS TCP/IP frame MBAP | Function | Data with the TS, signed with PKm); each FU verifies it and countersigns, forwarding {{TS|ModBUS}PKm}PKf to the slave. The FUs are deliberately heterogeneous: different architectures, different operating systems (Linux, Windows).
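The Secure Modbus packet of page 5 and the K-of-N filtering units of this page fit together into one verification chain, shown here as an added example that is not the authors' prototype. The slides sign the SHA2 digest with RSA; since the Python standard library has no RSA, HMAC-SHA256 tags under per-party secret keys stand in for the master and FU signatures. The packet layout, the function names, the keys, the time-stamps, the FU local rule and the Write Coil ADU are all my constructions; K = 2 of N = 3 is an assumed parameter.

```python
# Added example, not the authors' prototype: the Secure Modbus packet of page 5
# (time-stamp + SHA-256 digest + signature) and the K-of-N filtering units of
# page 7, using only the Python standard library. The slides use RSA signatures;
# HMAC-SHA256 tags with per-party secret keys stand in for them here, since the
# standard library has no RSA. Keys, time-stamps and the ADU are constructed.
import hashlib
import hmac
import struct
from typing import Callable, Dict, Optional

FRESHNESS_WINDOW = 5.0   # seconds the TS may differ from the receiver's clock


def e_modbus(ts: float, adu: bytes) -> bytes:
    """E-Modbus: the Modbus TCP ADU extended with an 8-byte time-stamp (TS | ModBUS)."""
    return struct.pack(">d", ts) + adu


def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for 'RSA signature on the SHA2 digest': HMAC over the SHA-256 digest."""
    return hmac.new(key, hashlib.sha256(data).digest(), hashlib.sha256).digest()


def master_send(adu: bytes, ts: float, master_key: bytes) -> dict:
    """S-Modbus packet {TS|ModBUS}PKm: the E-Modbus body plus the master's signature."""
    return {"ts": ts, "adu": adu, "master_sig": sign(master_key, e_modbus(ts, adu)), "fu_sigs": {}}


def master_sig_valid(pkt: dict, master_key: bytes) -> bool:
    return hmac.compare_digest(pkt["master_sig"], sign(master_key, e_modbus(pkt["ts"], pkt["adu"])))


def fresh(pkt: dict, now: float) -> bool:
    """Freshness check: an old but correctly signed packet (replay) fails here."""
    return abs(now - pkt["ts"]) <= FRESHNESS_WINDOW


def filtering_unit(pkt: dict, fu_id: str, fu_key: bytes, master_key: bytes, now: float,
                   licit: Callable[[bytes], bool] = lambda adu: True) -> Optional[dict]:
    """One FU: verify origin and freshness, apply its local rule, then countersign.

    Countersigning the master's signature yields {{TS|ModBUS}PKm}PKf (page 7).
    A packet failing any check is dropped (None) rather than forwarded.
    """
    if not (master_sig_valid(pkt, master_key) and fresh(pkt, now) and licit(pkt["adu"])):
        return None
    out = dict(pkt, fu_sigs=dict(pkt["fu_sigs"]))
    out["fu_sigs"][fu_id] = sign(fu_key, pkt["master_sig"])
    return out


def slave_accept(pkt: dict, master_key: bytes, fu_keys: Dict[str, bytes], k: int, now: float) -> bool:
    """Accept only with a valid, fresh master signature and at least K valid FU
    countersignatures out of N: up to N-K compromised or silent FUs are tolerated."""
    if not (master_sig_valid(pkt, master_key) and fresh(pkt, now)):
        return False
    valid = sum(1 for fu_id, key in fu_keys.items()
                if fu_id in pkt["fu_sigs"]
                and hmac.compare_digest(pkt["fu_sigs"][fu_id], sign(key, pkt["master_sig"])))
    return valid >= k


# Constructed keys: N = 3 filtering units, K = 2 countersignatures required.
MASTER_KEY = b"demo-master-key"
FU_KEYS = {"fu1": b"demo-fu1-key", "fu2": b"demo-fu2-key", "fu3": b"demo-fu3-key"}
K = 2
# Constructed Modbus TCP ADU: Write Single Coil (FC 05) on coil 1, value ON.
ADU = bytes.fromhex("0001 0000 0006 01 05 0001 ff00")
# Constructed local rule for an FU: only read function codes (01-04) may reach this slave.
READ_ONLY = lambda adu: adu[7] in (0x01, 0x02, 0x03, 0x04)


def run_scenarios(now: float = 1_000.0) -> Dict[str, bool]:
    """The slave's verdicts for the attacks listed on page 7, on constructed traffic."""
    pkt = master_send(ADU, now, MASTER_KEY)

    # All three FUs honest: each verifies and countersigns in turn.
    p = pkt
    for fu_id, key in FU_KEYS.items():
        p = filtering_unit(p, fu_id, key, MASTER_KEY, now)
    all_honest = slave_accept(p, MASTER_KEY, FU_KEYS, K, now)

    # fu2 compromised: forwards the packet with a bogus countersignature; K = 2 still met.
    p = filtering_unit(pkt, "fu1", FU_KEYS["fu1"], MASTER_KEY, now)
    p["fu_sigs"]["fu2"] = b"\x00" * 32
    p = filtering_unit(p, "fu3", FU_KEYS["fu3"], MASTER_KEY, now)
    one_fu_compromised = slave_accept(p, MASTER_KEY, FU_KEYS, K, now)

    # Replay attack: the same fully countersigned packet presented 60 s later.
    replayed = slave_accept(p, MASTER_KEY, FU_KEYS, K, now + 60)

    # Unauthorized command execution: a sender without the master key signs a packet.
    forged = master_send(ADU, now, b"attacker-key")
    forged_dropped = filtering_unit(forged, "fu1", FU_KEYS["fu1"], MASTER_KEY, now) is None

    # Master infection: the write is correctly signed, but the FU's local rule
    # (read-only traffic to this slave) rejects it; the signature alone is not enough.
    infected_master_blocked = filtering_unit(pkt, "fu1", FU_KEYS["fu1"], MASTER_KEY, now,
                                             licit=READ_ONLY) is None

    # Fewer than K countersignatures: the slave refuses the packet.
    p = filtering_unit(pkt, "fu1", FU_KEYS["fu1"], MASTER_KEY, now)
    below_k = slave_accept(p, MASTER_KEY, FU_KEYS, K, now)

    return {"all_honest": all_honest, "one_fu_compromised": one_fu_compromised,
            "replayed": replayed, "forged_dropped": forged_dropped,
            "infected_master_blocked": infected_master_blocked, "below_k": below_k}
```

The "master infection" case is the point of page 6: signatures prove who sent a command, not that the command is safe, which is why the FU also applies rules and why the slave demands agreement from K independent FUs.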

Page 8: ...Problem...

Figure: the Master sends three requests, R1: PKT(###), R2: PKT(#@!) and R3: PKT(^&%), through the Filtering Cloud to PLC1, PLC2 and PLC3; the commands they carry are Close V1, Open V2 and Close V3. Each packet is licit when inspected on its own, yet the Filtering Cloud must raise "Alert !": locally licit commands put the system into a critical state.

Page 9: …but…

Figure: the ICT World and the Industrial World are treated separately: an ICT signature based IDS on one side, Safety Analysis on the other.

Page 10: State Based Approach (1)

• SCADA System Representation

Figure: the Master (10.0.0.254, port 502) and three PLCs, each modelled as an object:

  PLC 1:  address : string = 10.0.0.1,   port : int = 502,  id : byte = 1
  PLC 2:  address : string = 10.0.0.2,   port : int = 502,  id : byte = 2
  PLC 3:  address : string = 10.0.0.3,   port : int = 502,  id : byte = 3
  Master: address : string = 10.0.0.254, port : int = 502

  Attribute                 Type    Size (PLC 1 / PLC 2 / PLC 3)
  discrete inputs (DI)      bool    [100] / [200] / [300]
  coils (CO)                bool    [100] / [200] / [300]
  input registers (IR)      short   [100] / [200] / [300]
  holding registers (HR)    short   [100] / [200] / [300]
  exception status coils    bool    [8]
  diagnostic register       short
  counters                  short   [9]

Page 11: State Based Approach (3)

• Critical State Representation

Figure: the same Master and PLCs 1, 2, 3 controlling a process with valves VIN and VOUT and pump P1, whose state is read through the holding registers HR[1] and HR[2].

  IF ( PLC[ 10.0.0.1 ].HR[1] < 20 AND
       PLC[ 10.0.0.2 ].HR[2] > 70 ) THEN
     "The system is in a critical state"

Page 12: State Based Filter Architecture

Figure: block diagram of the filter, with these components:

Loader
  - Virtual System Loader (reads the Virtual System Descriptor File)
  - Basic Rules File → Single packet rules DB (SPDB)
  - Critical State Rules File → Critical State Rules DB (CSRDB)
SCADA Protocol Sensor (SPS)
  - Network Capture Module
  - Protocol Discover
  - Protocol Builder
System Virtual Image (SVI)
  - Virtual System
  - Update System Manager
  - Real System Synchronizer
Analyzer
  - Basic Analyzer
  - Critical State Analyzer
DB Sender → Database
Real System: PLC 1, PLC 2, … PLC n

Page 13: Loader: Virtual System Loader

Figure: from the XML Virtual System Descriptor File the loader builds the objects stored in the filter memory: the Master (10.0.0.254, port 502) and PLC 1, PLC 2, PLC 3 with the attributes listed on page 10 (DI/CO/IR/HR sized 100, 200 and 300 respectively, exception status coils [8], counters [9]). Together they form the Virtual System, the filter's image of the Real System.

XML Virtual System Descriptor File:

<infrastructure>
  <master address="10.0.0.254" port="502" />
  <plc address="10.0.0.1" port="502" id="1" >
    <discrete_inputs numbers="100" />
    ...
    <holding_registers numbers="100" />
  </plc>
  <plc address="10.0.0.2" port="502" id="2" >
    <discrete_inputs numbers="200" />
    ...
    <holding_registers numbers="200" />
  </plc>
  <plc address="10.0.0.3" port="502" id="3" >
    <discrete_inputs numbers="300" />
    ...
    <holding_registers numbers="300" />
  </plc>
</infrastructure>

Page 14: Loader: Critical State Rules Loader

• IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND
     ( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT

The loader turns the rule into an expression tree:

AND
  OR
    PLC[10.0.0.1].HR[1] > 70
    PLC[10.0.0.1].HR[2] < 20
  OR
    PLC[10.0.0.2].CO[0] = 0
    NOT
      PLC[10.0.0.2].CO[1] = 1
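How a rules loader gets from the IF ... THEN ALERT text of pages 11 and 14 to the tree drawn above is not spelled out on the slides, so here is an added example of one, not the authors' loader: a tokenizer and recursive-descent parser for that notation, producing an AND/OR/NOT tree that can be rendered as on page 14 and evaluated against a snapshot of the virtual system. The precedence (NOT above AND above OR), the token and node names, and the register values in make_state() are my assumptions; the rule text is the slide's. Both "=" (page 14) and "==" (page 17) are accepted as equality.

```python
# Added example, not the authors' loader: a parser for critical-state rules in the
# IF ... THEN ALERT notation of pages 11 and 14. It builds the AND/OR/NOT expression
# tree drawn on page 14 and evaluates it against a snapshot of the virtual system.
# The rule text is the slide's; the register values in make_state() are constructed.
import operator
import re
from typing import Any, Dict, List, Tuple

TOKEN_RE = re.compile(r"""
    (?P<ref>PLC\[\s*(?P<ip>[\d.]+)\s*\]\.(?P<reg>DI|CO|IR|HR)\[(?P<idx>\d+)\])
  | (?P<num>-?\d+)
  | (?P<op><=|>=|==|!=|<|>|=)
  | (?P<kw>IF|THEN|ALERT|AND|OR|NOT)\b
  | (?P<par>[()])
  | (?P<ws>\s+)
""", re.VERBOSE)
OPS = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge,
       "=": operator.eq, "==": operator.eq, "!=": operator.ne}
State = Dict[str, Dict[str, List[int]]]   # ip -> {"DI"|"CO"|"IR"|"HR": values}


def tokenize(text: str) -> List[Tuple[str, Any]]:
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected input at {text[pos:pos + 10]!r}")
        pos, kind = m.end(), m.lastgroup
        if kind == "ws":
            continue
        if kind == "ref":     # a register reference: (ip, table, index)
            tokens.append(("ref", (m.group("ip"), m.group("reg"), int(m.group("idx")))))
        elif kind == "num":
            tokens.append(("num", int(m.group("num"))))
        else:
            tokens.append((kind, m.group(kind)))
    return tokens


class Parser:
    """Recursive descent: rule := IF expr THEN ALERT; precedence NOT > AND > OR."""

    def __init__(self, text: str):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise SyntaxError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok

    def rule(self):
        self.take("kw", "IF")
        tree = self.expr()
        self.take("kw", "THEN")
        self.take("kw", "ALERT")
        return tree

    def expr(self):                       # OR: lowest precedence
        node = self.conj()
        while self.peek() == ("kw", "OR"):
            self.take()
            node = ("OR", node, self.conj())
        return node

    def conj(self):                       # AND binds tighter than OR
        node = self.unary()
        while self.peek() == ("kw", "AND"):
            self.take()
            node = ("AND", node, self.unary())
        return node

    def unary(self):                      # NOT, parentheses, or a comparison
        if self.peek() == ("kw", "NOT"):
            self.take()
            return ("NOT", self.unary())
        if self.peek() == ("par", "("):
            self.take()
            node = self.expr()
            self.take("par", ")")
            return node
        ref, op, num = self.take("ref")[1], self.take("op")[1], self.take("num")[1]
        return ("CMP", ref, op, num)


def evaluate(node, state: State) -> bool:
    if node[0] == "CMP":
        (ip, reg, idx), op, num = node[1:]
        return OPS[op](state[ip][reg][idx], num)
    if node[0] == "NOT":
        return not evaluate(node[1], state)
    left, right = evaluate(node[1], state), evaluate(node[2], state)
    return (left and right) if node[0] == "AND" else (left or right)


def render(node, depth: int = 0) -> str:
    """Print the tree as page 14 draws it: one operator or condition per line."""
    pad = "  " * depth
    if node[0] == "CMP":
        (ip, reg, idx), op, num = node[1:]
        return f"{pad}PLC[{ip}].{reg}[{idx}] {op} {num}"
    return "\n".join([pad + node[0]] + [render(c, depth + 1) for c in node[1:]])


RULE = ("IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND "
        "( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT")


def critical(rule_text: str, state: State) -> bool:
    return evaluate(Parser(rule_text).rule(), state)


def make_state(hr1: int, hr2: int, co0: int, co1: int) -> State:
    """Constructed snapshot: PLC 1 (100 of each table) and PLC 2 (200), all zero
    except the four registers the rule refers to."""
    plc1 = {t: [0] * 100 for t in ("DI", "CO", "IR", "HR")}
    plc2 = {t: [0] * 200 for t in ("DI", "CO", "IR", "HR")}
    plc1["HR"][1], plc1["HR"][2], plc2["CO"][0], plc2["CO"][1] = hr1, hr2, co0, co1
    return {"10.0.0.1": plc1, "10.0.0.2": plc2}
```

render(Parser(RULE).rule()) reproduces the eight-line tree on this page, and critical(RULE, make_state(80, 50, 0, 1)) is True while critical(RULE, make_state(50, 50, 0, 1)) is False: the loader parses once, and the analyzer then evaluates the tree against every new image, which is what the timings on pages 24 and 25 measure.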

Page 15: SVI: Update System Manager

Figure: Virtual System before the update, every table zero:

  PLC 10.0.0.1   DI[0..99]   0 0 .. 0   CO 0 0 .. 0   IR 0 0 .. 0   HR 0 0 .. 0
  PLC 10.0.0.2   DI[0..199]  0 0 .. 0   CO 0 0 .. 0   IR 0 0 .. 0   HR 0 0 .. 0
  PLC 10.0.0.3   DI[0..299]  0 0 .. 0   CO 0 0 .. 0   IR 0 0 .. 0   HR 0 0 .. 0

Captured packet:

  Source       Destination   Function Code     Address   Value
  10.0.0.254   10.0.0.1      Write Coil (05)   1         1

The Update System Manager applies the packet to the Virtual System: PLC 10.0.0.1, CO[1] = 1.

Page 16: SVI: Real System Synchronizer

Figure: the Synchronizer queries the field devices (Master 10.0.0.254 and PLCs 1, 2, 3) and updates the Virtual System with the values read back (Query Field Devices → System Update).

Virtual System Before (all tables zero):
  PLC 10.0.0.1   DI[0..99]   0 0 .. 0   CO 0 0 .. 0   IR 0 0 .. 0   HR 0 0 .. 0
  PLC 10.0.0.2   DI[0..199]  0 0 .. 0   CO 0 0 .. 0   IR 0 0 .. 0   HR 0 0 .. 0
  PLC 10.0.0.3   DI[0..299]  0 0 .. 0   CO 0 0 .. 0   IR 0 0 .. 0   HR 0 0 .. 0

Virtual System After:
  PLC 10.0.0.1   DI[0..99]   0 1 .. 1   CO 0 0 .. 0   IR 0 0 .. 0   HR 0 0 .. 0
  PLC 10.0.0.2   DI[0..199]  0 0 .. 0   CO 0 0 .. 0   IR 0 8 .. 0   HR 0 0 .. 0
  PLC 10.0.0.3   DI[0..299]  0 0 .. 0   CO 0 0 .. 1   IR 0 0 .. 0   HR 0 7 .. 0

Page 17: Analyzer: Critical State Analyzer

Figure: the Virtual System (all tables zero, as on page 15) and the captured packet:

  Source       Destination   Function Code     Address   Value
  10.0.0.254   10.0.0.1      Write Coil (05)   1         1

• The packet's effect is applied to the Virtual System: PLC 10.0.0.1, CO[1] = 1.
• Check Rules DB (CSRDB): IF ( PLC[10.0.0.1].CO[1] == 1 ) THEN ALERT
• The rule matches: Block the Packet.
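Pages 13, 15, 16 and 17 together describe one loop: load the image from the XML descriptor, keep it synchronised with the real devices, apply each captured request to it, and check the critical-state rules before letting the request through. The following is an added example of that loop in miniature, not the authors' filter. The XML is the page 13 descriptor; the slide elides the middle elements with "...", so the element name coils is my assumption (the page shows only discrete_inputs and holding_registers). Rules are plain Python predicates here, the packet is carried as the field table of page 17 rather than as raw bytes, and only Write Single Coil (05) is modelled. Function names and the second, benign packet are mine.

```python
# Added example, not the authors' filter: the System Virtual Image of pages 13, 15,
# 16 and 17 in miniature. A captured Write Single Coil request is applied to a copy
# of the image, the critical-state rule of page 17 is checked against the copy, and
# the filter forwards or blocks. The descriptor is page 13's; the element name
# "coils" is an assumption (the slide elides it with "..."). Packets are constructed.
import copy
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

DESCRIPTOR = """
<infrastructure>
  <master address="10.0.0.254" port="502" />
  <plc address="10.0.0.1" port="502" id="1">
    <discrete_inputs numbers="100" />
    <coils numbers="100" />
    <holding_registers numbers="100" />
  </plc>
  <plc address="10.0.0.2" port="502" id="2">
    <discrete_inputs numbers="200" />
    <coils numbers="200" />
    <holding_registers numbers="200" />
  </plc>
  <plc address="10.0.0.3" port="502" id="3">
    <discrete_inputs numbers="300" />
    <coils numbers="300" />
    <holding_registers numbers="300" />
  </plc>
</infrastructure>
"""
# Descriptor element -> register table short name used on the slides.
TABLES = {"discrete_inputs": "DI", "coils": "CO", "input_registers": "IR",
          "holding_registers": "HR"}
Image = Dict[str, Dict[str, List[int]]]      # ip -> {"DI"|"CO"|"IR"|"HR": values}
Rule = Callable[[Image], bool]


def load_virtual_system(xml_text: str) -> Image:
    """Virtual System Loader: one zeroed table per declared element, keyed by PLC address."""
    system: Image = {}
    for plc in ET.fromstring(xml_text).findall("plc"):
        system[plc.get("address")] = {TABLES[child.tag]: [0] * int(child.get("numbers"))
                                      for child in plc if child.tag in TABLES}
    return system


def sync_from_read(system: Image, ip: str, table: str, start: int, values: List[int]) -> None:
    """Real System Synchronizer (page 16): copy values read from a field device into the image."""
    system[ip][table][start:start + len(values)] = values


def apply_request(system: Image, pkt: dict) -> None:
    """Update System Manager (page 15): mirror a write request's effect on the image.

    Only Write Single Coil (FC 05) is modelled; 1 or 0xFF00 means ON. Other
    function codes leave the image unchanged in this miniature.
    """
    if pkt["fc"] == 5:
        system[pkt["dst"]]["CO"][pkt["address"]] = 1 if pkt["value"] in (1, 0xFF00) else 0


# Critical State Rules DB. Page 17: IF ( PLC[10.0.0.1].CO[1] == 1 ) THEN ALERT
CSRDB: List[Rule] = [lambda s: s["10.0.0.1"]["CO"][1] == 1]


def analyze(system: Image, pkt: dict, rules: List[Rule] = CSRDB) -> str:
    """Critical State Analyzer (page 17): would this packet drive the image into a
    critical state? The packet is applied to a copy, so the live image changes only
    when the packet is actually forwarded."""
    trial = copy.deepcopy(system)
    apply_request(trial, pkt)
    if any(rule(trial) for rule in rules):
        return "BLOCK"
    system.update(trial)       # committed: the image now reflects the forwarded packet
    return "FORWARD"


# Constructed packet matching page 17: master -> PLC 1, Write Coil (05), address 1, value 1.
WRITE_COIL_1 = {"src": "10.0.0.254", "dst": "10.0.0.1", "fc": 5, "address": 1, "value": 1}
# Constructed benign packet: the same command on coil 5, which no rule mentions.
WRITE_COIL_5 = {"src": "10.0.0.254", "dst": "10.0.0.1", "fc": 5, "address": 5, "value": 1}


def demo() -> Dict[str, object]:
    system = load_virtual_system(DESCRIPTOR)
    sync_from_read(system, "10.0.0.2", "HR", 1, [7])          # page 16 style refresh
    return {"coil1": analyze(system, WRITE_COIL_1),
            "coil5": analyze(system, WRITE_COIL_5),
            "co1_after": system["10.0.0.1"]["CO"][1],
            "co5_after": system["10.0.0.1"]["CO"][5],
            "plc2_hr1": system["10.0.0.2"]["HR"][1]}
```

demo() returns BLOCK for the page 17 packet and FORWARD for the coil 5 write, and the live image afterwards shows CO[1] still 0 and CO[5] set to 1. Evaluating on a copy is the detail that matters: a blocked packet never reaches the PLC, so its effect must not be recorded in the image either, or every later rule check would run against a state the plant is not actually in.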

Page 18: The Power system SCADA lab

Contains:

- Idrolab (+150 sensors/actuators)

- Control room

- 3 SCADA systems

Hardware and Software:

- 20 High Performance Servers

- 150 High End PCs and notebooks

- 10 Layer 3, 24 ports, gigabit switches

- 4 High Performance wireless switches

- 1 Nokia-checkpoint solid state Firewall

- 4 full network racks

- 18 km of network cables

- 300 gigabit network cards

- A 100 KW cooling system

- A 100 KW UPS system

Page 19: JRC SCADA LAB.

Figure: network topology of the lab, with these zones and nodes: Internet (reached through an FW-VPN); Corporate Intranet; Plant Office Network (Router Wind, Switch Office Net, WorkStations, Subnet B, Subnet C, Radius Server, FW Switch, Power Plant FW); DMZ (Switch DMZ, Server PI, DB PI, Gateway OPC-PI, SME); Process Network (Scada Sub-Net, ASC Sub-Net, Switch1, Switch2, SCTG SCP Server, SCP Client, GTDS, DB, Tenore ASC, SMAVTG, Switch ASC); Control Network and Secondary Regulation Network (Secondary Regulation Controller, Turbogas Controller, Steam Cycle Controller, RTU (secondary regulation)); Field Network (Modbus, Profibus, Analogic 4-20 mA, I/O Tras., Master/Secondary PLC - RTU, Actuators, Sensors); Data Network (Routers for Subnet B and Subnet C, DNS Parent Server).

Virtual PLC software stack:
  Level 0: Operative System, TCP socket .net C#, TCP Stream Builder
  Level 1: TCP/IP, ModBUS Stream Builder, ModBUS ADU Builder
  Level 2: Virtual PLC: PLC Logic, Registers, Coils

Page 20: Test: Encryption Layer

Page 21: Test: Packet Loss

Setup: Master - Switch - Filter - Slave; requests flow Master → Slave and responses Slave → Master, both through the Filter.

• Master: sends 100.000 request packets of 260 bytes
• Slave: responds with 100.000 responses of 260 bytes

  Requests Sent     100.000
  Responses Sent    100.000
  Size Request      315 bytes
  Size Response     315 bytes
  Request Rate      1 request sent each 1 ms
  Rate              615,2 kbytes/s
  Packet Loss       0

Page 22: Test: Single Signature Rules Analyzer

Setup: Master - Switch - Filter - Slave (requests and responses pass through the Filter).

• Master: sends 1000 requests
• Slave: responds with 1000 responses
• Filter: captures the messages and checks if they are licit, according to a rules file which contains n rules.

  Num Rules   Average Time (on 1000 pkts)
  10          0.0412618 ms
  50          0.1495607 ms
  100         0.2486327 ms
  500         1.1152725 ms
  1000        2.1427072 ms
  2000        4.1623632 ms

Plot: Time in ms (0 to 4.5) against Rules Number (0 to 2500).

Page 23: Test: Virtual System Update

Setup: Master - Switch - Filter - Slave (requests and responses pass through the Filter).

• Master: sends 1000 requests with the command "Read n-coils"
• Slave: responds with 1000 responses which contain the n values.
• Filter: captures the request/response transaction and updates the n values in the Virtual System.

  Num Coils   Average Time (on 1000 pkts)
  1           0,0012168 ms
  50          0,0030485 ms
  100         0,0044824 ms
  500         0,0173109 ms
  1000        0,0334344 ms
  2000        0,0624535 ms

Plot: Time in ms (0 to 0.07) against Coils Number (0 to 2500).

Page 24: Test: Critical State Rules Analyzer (1)

Setup: Master - Switch - Filter - Slave (requests and responses pass through the Filter).

• Master: sends 1000 generic requests
• Slave: responds with 1000 responses
• Filter: captures the req/res transaction, then checks if the Virtual System is entering a Critical State, according to a rules file which contains only one rule with n conditions.

  Num Conditions   Average Time (on 1000 pkts)
  2                0,0204746 ms
  16               0,0301169 ms
  64               0,0550301 ms
  128              0,1206957 ms
  256              0,2127598 ms
  512              0,4226185 ms
  1024             1,0706136 ms

Plot: Time in ms (0 to 1.2) against Conditions Number (0 to 1200).

Page 25: Test: Critical State Rules Analyzer (2)

Setup: Master - Switch - Filter - Slave (requests and responses pass through the Filter).

• Master: sends 1000 generic requests
• Slave: responds with 1000 responses
• Filter: captures the request/response transaction, then checks if the Virtual System is entering a Critical State, according to a rules file which contains n rules.

  Num Rules   Average Time (on 1000 pkts)
  10          0,1123061 ms
  50          0,5153591 ms
  100         1,0248889 ms
  500         2,6010271 ms
  1000        5,0175991 ms
  2000        9,9285867 ms

Plot: Time in ms (0 to 12) against Rules Number (0 to 2500).

Page 26:

• Thousands of devices to monitor
• Hundreds of Subsystems
• Geographically sparse systems
• System of Systems

Impossible to analyze states on a single level.

Figure: hierarchical deployment. The SCADA MASTER's Signature Layer emits signed SCADA protocol packets; a CS (Critical State) based Filtering Unit in front of each group of PLCs forwards them as double signed packets, which Packet Validators at the PLC Gateway check (the Filtering Mesh). A CS based IDS in each subsystem (Subsystem 1, 2, 3) raises Alerts to a CS Aggregator, which drives Proactive mitigation (the Critical State Monitor mesh). The hierarchy runs SoS → System → Subsystem → Component, with the Stakeholders at the top.

Page 27: Future Works

–Abstract Aggregation

–Critical State Prediction

–Critical State Prediction based Firewalls

–Lightweight Cryptographic mechanisms for SCADA protocols