P. Radoglou-Grammatikis, P. Sarigiannidis*, I. Giannoulakis, E. Kafetzakis and E. Panaousis
University of Western Macedonia, Eight Bells Ltd, University of Surrey
Attacking IEC-60870-5-104 SCADA Systems
The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
Introduction
• The heterogeneous nature of the Smart Grid (SG) creates severe security issues
• SCADA systems are the most vulnerable elements of the SG due to their insecure industrial communication protocols, such as Modbus, DNP3 and IEC-104
• The IEC 60870-5-104 (IEC-104) protocol is widely used in Europe and is characterized by severe security flaws
• Threat model for SCADA systems based on Coloured Petri Nets (CPN)
• Emulation and evaluation of the risk level of four cyberattacks against IEC-104
• This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR)
Related Work
• E. Hodo et al., "Anomaly detection for simulated IEC-60870-5-104 traffic": anomaly-based IDS for IEC-104, private dataset, ARP attacks, DoS attacks and replay attacks, WEKA, many algorithms: Naïve Bayes, IBk, J48, Random Forest, OneR, RandomTree and DecisionTable
• Y. Yang et al., "Intrusion detection system for IEC 60870-5-104 based SCADA networks": signature and specification rules for IEC-104, Snort IDS
• Y. Yang et al., "Stateful intrusion detection for IEC 60870-5-104 SCADA security": specification-based IDS for IEC-104, Finite State Machines (FSM), ITACA software, TPR = 100%, FPR = 0%
• S. Anton et al., "Evaluation of machine learning-based anomaly detection algorithms on an industrial Modbus/TCP data set": machine-learning-based anomaly detection for Modbus, Lemay and Fernandez dataset, SVM, KNN, Random Forest, K-means
• J. Hong et al., "Detection of cyber intrusions using network-based multicast messages for substation automation": specification-based IDS for IEC 61850, GOOSE and SMV protocols, DoS attacks, replay attacks, Wireshark, Nmap, Colasoft Packet Builder, FPR = 1.61 x 10^-4
Smart Grid Overview
SCADA Systems
Human Machine Interface (HMI): A software package with graphics capabilities through which the system operator can monitor the processes of the SCADA system.
Industrial Protocols: Modbus, Distributed Network Protocol (DNP3), IEC 61850 and IEC 60870-5 do not include authentication and authorization mechanisms. Therefore, they are vulnerable to various cyberattacks.
Logic Controllers: Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) are mainly responsible for collecting data from the measuring instruments, detecting abnormal behaviours and activating or deactivating technical components.
Master Terminal Unit (MTU): A hardware device that presents all the data received from the logic controllers to the operator of the SCADA system.
IEC-104 Security
• IEC-104 is based on TCP/IP, which exhibits a number of security issues
• The data at the application layer is transmitted without encryption, which makes traffic analysis and MiTM attacks possible
• Many commands of the protocol, such as the reset command, interrogation commands and read commands, do not integrate authentication mechanisms, which results in unauthorized access
• Based on these vulnerabilities, a cyberattacker is able to control PLCs and possibly the overall operation of an automation substation
• Although IEC 62351 provides solutions that enhance the security of IEC-104, the industrial nature of SCADA systems hinders their immediate upgrade
Coloured Petri Nets
Place: An elliptical node which usually denotes a device or component sending data to another device (or component).
Transition: A rectangular, intermediate node between the Connection of two Places, where a Connection is depicted by a directed arrow.
Token: A black circle which denotes the type of information transmitted between two Places.
Token Colour 1: A yellow triangle which denotes the power flows transmitted by the Power Supply to the other components of the PLC.
Token Colour 2: A blue circle which denotes the data flows exchanged by the various components and systems.
Token Colour 3: An orange square which denotes the command flows.
SCADA as CPN
Transition 1, Power Supply Flow, Power Supply -> Processor: the power supply component provides power to the processor.
Transition 2, Power Supply Flow, Power Supply -> Input Modules: the power supply component provides power to the input modules.
Transition 3, Power Supply Flow, Power Supply -> Output Modules: the power supply component provides power to the output modules.
Transition 4, Data Flow, Input Modules -> Processor: the input modules transmit signal data to the processor.
Transition 5, Commands Flow, Processor -> Output Modules: the processor handles the input signals provided by the input modules and transmits control commands to the output modules.
Transition 6, Data Flow, Processor -> Memory: the processor stores some control data in the memory.
Transition 7, Data Flow, Processor -> Communication Module: the processor passes the control data to the communication module.
Transition 8, Data Flow, Communication Module -> MTU: the control data is sent to the MTU via the communication module.
Transition 9, Data Flow, MTU -> Communication Module: the communication module receives control data from the MTU.
Transition 10, Commands Flow, MTU -> Communication Module: the communication module receives control commands from the MTU.
Threat Modelling
Attacks on Power Supply Flows (Transitions 1, 2, 3)
Physical attacks: 1) Physical disruption or malicious modification of the connections 1, 2 and 3. 2) Physical destruction or malicious modification of the Power Supply, Processor, Input Modules and Output Modules.
Cyber attacks: 1) Unauthorised access to Processor. 2) Unauthorised access to Input Modules. 3) Unauthorised access to Output Modules.
Attacks on Control Data Flows (Transitions 4, 6, 7, 8, 9)
Physical attacks: 1) Physical disruption or malicious modification of the connections 4, 6, 7, 8 and 9. 2) Physical destruction or malicious modification of the Processor, Input Modules, Output Modules, Memory, Communication Module and MTU. 3) Physical malicious programming of the Processor. 4) Physical violation of the MTU of the SCADA system.
Cyber attacks: 1) Unauthorised access to Input Modules. 2) Unauthorised access to Processor. 3) Unauthorised access to Output Modules. 4) MiTM attack between Input Modules and Processor. 5) MiTM attack between Output Modules and Processor. 6) DoS attacks. 7) MiTM attack between Communication Module and MTU. 8) Traffic analysis attack.
Attacks on Control Command Flows (Transitions 5, 10)
Physical attacks: 1) Physical disruption or malicious modification of the connections 5 and 10. 2) Physical destruction or malicious modification of the Processor, Output Modules, Communication Module and MTU. 3) Physical malicious programming of the Processor. 4) Physical violation of the MTU of the SCADA system.
Cyber attacks: 1) Unauthorised access to Processor. 2) Unauthorised access to Output Modules. 3) MiTM attack between Communication Module and MTU. 4) DoS attacks. 5) Traffic analysis attack.
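The CPN model and the threat-modelling table above can be worked through in code. The block below is an added example, not code from the paper: it encodes the ten transitions and three token colours from the "SCADA as CPN" table, treats an attack on a flow class as disabling every transition of that class (the transition sets are the ones listed in the threat-modelling table), and computes which places a token of each colour can still reach. The firing rule (a token in the source place is propagated to the destination place) and the origin places chosen for each colour are this example's assumptions.

```python
"""Coloured-Petri-net view of the PLC/MTU model (added example, not the paper's code)."""
from collections import deque

# (transition number, token colour, source place, destination place), from the "SCADA as CPN" table.
TRANSITIONS = [
    (1, "power", "Power Supply", "Processor"),
    (2, "power", "Power Supply", "Input Modules"),
    (3, "power", "Power Supply", "Output Modules"),
    (4, "data", "Input Modules", "Processor"),
    (5, "command", "Processor", "Output Modules"),
    (6, "data", "Processor", "Memory"),
    (7, "data", "Processor", "Communication Module"),
    (8, "data", "Communication Module", "MTU"),
    (9, "data", "MTU", "Communication Module"),
    (10, "command", "MTU", "Communication Module"),
]

# Attack classes from the threat-modelling table, each given by the transitions it hits.
ATTACK_CLASSES = {
    "power supply flows": {1, 2, 3},
    "control data flows": {4, 6, 7, 8, 9},
    "control command flows": {5, 10},
}

# Assumed origin of each token colour: where power, measurements and commands enter the net.
ORIGINS = {"power": "Power Supply", "data": "Input Modules", "command": "Processor"}


def transitions_of_colour(colour):
    """Transition numbers that move a token of the given colour."""
    return {t for t, c, _, _ in TRANSITIONS if c == colour}


def reachable(start_place, colour, disabled=frozenset()):
    """Places a token of `colour` starting at `start_place` can reach when the
    transitions in `disabled` cannot fire (breadth-first over enabled transitions)."""
    seen, queue = {start_place}, deque([start_place])
    while queue:
        place = queue.popleft()
        for t, c, src, dst in TRANSITIONS:
            if c == colour and src == place and t not in disabled and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start_place)
    return seen


def attack_impact(attack_class):
    """For one attack class, list the places each colour of flow no longer reaches."""
    disabled = ATTACK_CLASSES[attack_class]
    impact = {}
    for colour, origin in ORIGINS.items():
        lost = reachable(origin, colour) - reachable(origin, colour, disabled)
        impact[colour] = sorted(lost)
    return impact


def check_threat_model():
    """Confirm that the three threat-model rows partition the transitions by token colour."""
    expected = {"power supply flows": "power", "control data flows": "data",
                "control command flows": "command"}
    return all(ATTACK_CLASSES[row] == transitions_of_colour(colour)
               for row, colour in expected.items())


if __name__ == "__main__":
    print("threat model consistent with CPN:", check_threat_model())
    for attack in ATTACK_CLASSES:
        print(attack, "->", attack_impact(attack))
```

Running the block shows, for instance, that an attack on the control data flows cuts the measurement path from the Input Modules to the MTU entirely, while a single disabled transition (such as 7, Processor -> Communication Module) still lets data reach the Memory but not the MTU; this is the kind of per-transition impact the table summarises by flow class.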
Testbed
• PLC – 192.168.1.7: IEC TestServer emulates a PLC utilizing IEC-104
• MTU – 192.168.1.7: QTester104 is an HMI for IEC-104
• Cyberattacker – 192.168.1.9: Kali Linux is used to perform the four cyberattacks. We extend OpenMUC j60870 in order to perform unauthorized Read (C_RD_NA_1), Reset (C_RP_NA_1) and Counter Interrogation (C_CI_NA_1) commands
• AlienVault OSSIM – 192.168.1.99: OSSIM is a SIEM tool which protects the SCADA system via OSSEC and Suricata, which are a host-based IDS and a network-based IDS respectively.
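The "IEC-104 Security" slide notes that commands such as read, reset and interrogation carry no authentication, and the testbed relies on Suricata to catch their unauthorized use. The block below is an added example, not code from the paper or from the OpenMUC j60870, QTester104 or IEC TestServer projects: it decodes the APCI and ASDU header of IEC-104 frames (start byte, length, four control octets, type identifier, variable structure qualifier, cause of transmission, common address) and raises an alert when a control-direction command ASDU comes from a host that is not the allowed master. The host addresses follow the testbed description; the sample frames are constructed here with a small encoder so that the expected values are exact.

```python
"""IEC 60870-5-104 APDU decoder with a command-source rule (added example)."""
import struct

# Type identifiers from IEC 60870-5-101/104.
TYPE_NAMES = {
    1: "M_SP_NA_1",     # single-point information, monitoring direction
    45: "C_SC_NA_1",    # single command
    100: "C_IC_NA_1",   # station interrogation
    101: "C_CI_NA_1",   # counter interrogation
    102: "C_RD_NA_1",   # read command
    105: "C_RP_NA_1",   # reset process command
}
# Control direction: process commands use type IDs 45-69, system commands 100-107.
COMMAND_TYPES = set(range(45, 70)) | set(range(100, 108))
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def parse_asdu(asdu):
    """Decode the ASDU header; IEC-104 uses a 2-byte COT and a 2-byte common address."""
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot, originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    return {
        "type_id": type_id,
        "type_name": TYPE_NAMES.get(type_id, "unknown"),
        "num_objects": vsq & 0x7F,      # bit 7 of the VSQ is the SQ flag
        "cot": cot & 0x3F,              # low 6 bits: cause of transmission
        "negative": bool(cot & 0x40),   # P/N bit
        "test": bool(cot & 0x80),       # T bit
        "originator": originator,
        "common_addr": common_addr,
        "is_command": type_id in COMMAND_TYPES,
    }


def parse_apdu(raw):
    """Decode one APDU: start byte 0x68, length, four control octets, optional ASDU."""
    if len(raw) < 6 or raw[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    if raw[1] != len(raw) - 2:
        raise ValueError("APDU length field does not match frame size")
    c1, c2, c3, c4 = raw[2:6]
    if c1 & 0x01 == 0:                  # I-format: numbered information transfer
        frame = {"format": "I",
                 "send_seq": (c1 >> 1) | (c2 << 7),
                 "recv_seq": (c3 >> 1) | (c4 << 7)}
        frame.update(parse_asdu(raw[6:]))
        return frame
    if c1 & 0x03 == 0x01:               # S-format: supervisory acknowledgement
        return {"format": "S", "recv_seq": (c3 >> 1) | (c4 << 7)}
    return {"format": "U", "function": U_FUNCTIONS.get(c1, "unknown")}


def build_i_frame(type_id, cot, common_addr, ioa, payload=b"", send_seq=0, recv_seq=0):
    """Encode a one-object I-frame; used here only to construct the sample traffic."""
    asdu = struct.pack("<BBBBH", type_id, 1, cot, 0, common_addr)
    asdu += struct.pack("<I", ioa)[:3] + payload    # IEC-104 information object addresses are 3 bytes
    ctrl = struct.pack("<HH", send_seq << 1, recv_seq << 1)
    return bytes([0x68, 4 + len(asdu)]) + ctrl + asdu


def check_command_source(src_ip, raw, allowed_masters):
    """Return an alert for a command ASDU sent by a host that is not an allowed master, else None."""
    frame = parse_apdu(raw)
    if frame["format"] != "I" or not frame["is_command"] or src_ip in allowed_masters:
        return None
    return "ALERT: %s sent %s (type %d, COT %d) to common address %d" % (
        src_ip, frame["type_name"], frame["type_id"], frame["cot"], frame["common_addr"])


def run_detection(traffic, allowed_masters):
    """Apply the rule to (src_ip, apdu) pairs and collect the alerts."""
    alerts = [check_command_source(src, raw, allowed_masters) for src, raw in traffic]
    return [a for a in alerts if a]


# Constructed sample traffic using the testbed addresses: the MTU (192.168.1.7)
# and the attacker host (192.168.1.9) both send control-direction commands.
MTU, ATTACKER = "192.168.1.7", "192.168.1.9"
SAMPLE_TRAFFIC = [
    (MTU, bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),   # U-frame STARTDT act
    (MTU, build_i_frame(100, 6, 1, 0, b"\x14")),          # C_IC_NA_1, COT activation, QOI 20
    (ATTACKER, build_i_frame(102, 5, 1, 100)),            # C_RD_NA_1 read of IOA 100
    (ATTACKER, build_i_frame(105, 6, 1, 0, b"\x01")),     # C_RP_NA_1 reset process, QRP 1
    (ATTACKER, build_i_frame(101, 6, 1, 0, b"\x05")),     # C_CI_NA_1 counter interrogation
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_TRAFFIC, {MTU}):
        print(alert)
```

The rule is deliberately a source allowlist rather than a signature for a particular command: because IEC-104 itself has no authentication, the network position of the sender is the only attribute an IDS can check, and the same check applies to every control-direction type identifier, not only the three commands used in the testbed. Sequence-number tracking (the send and receive counters the decoder exposes) is what a stateful IDS such as the one by Yang et al. builds on top of this.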