Attacking IEC-60870-5-104 SCADA Systems (slide deck transcript, posted Mar 18, 2020)
Page 1

P. Radoglou-Grammatikis, P. Sarigiannidis*, I. Giannoulakis, E. Kafetzakis and E. Panaousis

University of Western Macedonia, Eight Bells Ltd, University of Surrey

Attacking IEC-60870-5-104 SCADA Systems

The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things

Page 2

Introduction

• The heterogeneous nature of the Smart Grid (SG) creates severe security issues
• SCADA systems are the most vulnerable elements of the SG because of their insecure industrial communication protocols, such as Modbus, DNP3 and IEC-104
• The IEC 60870-5-104 (IEC-104) protocol is widely used in Europe and is characterised by severe security flaws
• Threat model for SCADA systems based on Coloured Petri Nets (CPN)
• Emulation of four cyberattacks against IEC-104 and evaluation of their risk level
• This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR)

Page 3

Related Work

E. Hodo et al., "Anomaly detection for simulated IEC-60870-5-104 traffic": anomaly-based IDS for IEC-104; private dataset; ARP attacks, DoS attacks and replay attacks; WEKA with many algorithms: Naïve Bayes, IBk, J48, Random Forest, OneR, RandomTree and DecisionTable

Y. Yang et al., "Intrusion detection system for IEC 60870-5-104 based SCADA networks": signature and specification rules for IEC-104; Snort IDS; unauthorized read commands, unauthorized reset commands, unauthorized remote control, spontaneous packet storms, buffer overflows

Page 4

Y. Yang et al., "Stateful intrusion detection for IEC 60870-5-104 SCADA security": specification-based IDS for IEC-104; Finite State Machines (FSM); ITACA software; TPR = 100%, FPR = 0%

S. Anton et al., "Evaluation of machine learning-based anomaly detection algorithms on an industrial Modbus/TCP data set": machine-learning-based anomaly detection for Modbus; Lemay and Fernandez dataset; SVM, KNN, Random Forest, K-means

J. Hong et al., "Detection of cyber intrusions using network-based multicast messages for substation automation": specification-based IDS for the IEC 61850 GOOSE and Sampled Values (SV/SMV) protocols; DoS attacks, replay attacks; Wireshark, Nmap, Colasoft Packet Builder; FPR = 1.61 × 10^-4

Page 5

Smart Grid Overview

Page 6

SCADA Systems

Human Machine Interface (HMI): software package with graphics capabilities through which the system operator can monitor the processes of the SCADA system.

Industrial Protocols: Modbus, Distributed Network Protocol (DNP3), IEC 61850 and IEC 60870-5 do not include authentication and authorization mechanisms. Therefore, they are vulnerable to various cyberattacks.

Logic Controllers: Programmable Logic Controllers (PLC) and Remote Terminal Units (RTU) are mainly responsible for collecting data from the measuring instruments, detecting abnormal behaviours and activating or deactivating technical components.

Master Terminal Unit (MTU): hardware device that presents all the data received from the logic controllers to the operator of the SCADA system.

Page 7

IEC-104 Security

• IEC-104 runs over TCP/IP, which itself exhibits a number of security issues
• Application-layer data is transmitted without any encryption mechanism, which makes traffic analysis and MiTM attacks possible
• Many commands of the protocol, such as the reset, interrogation and read commands, carry no authentication, which results in unauthorized access
• Based on these vulnerabilities, a cyber attacker is able to control PLCs and possibly the overall operation of an automation substation
• Although IEC 62351 provides solutions that enhance the security of IEC-104, the industrial nature of SCADA systems hinders their immediate upgrade

Page 8

Coloured Petri Nets

Place: an elliptical node which usually denotes a device or component sending data to another device (or component).

Transition: a rectangular, intermediate node between the Connection of two Places, where a Connection is depicted by a directed arrow.

Token: a black circle which denotes the type of information transmitted between two Places.

Token Colour 1: a yellow triangle which denotes the power flows transmitted by the Power Supply to the other components of the PLC.

Token Colour 2: a blue circle which implies the data flows exchanged by the various components and systems.

Token Colour 3: an orange square which denotes the command flows.

Page 9

SCADA as CPN

Page 10

SCADA as CPN

No. | Flow Type | Source Place | Destination Place | Transition Description
1 | Power Supply Flow | Power Supply | Processor | The power supply component provides power to the processor
2 | Power Supply Flow | Power Supply | Input Modules | The power supply component provides power to the input modules
3 | Power Supply Flow | Power Supply | Output Modules | The power supply component provides power to the output modules
4 | Data Flow | Input Modules | Processor | The input modules transmit signal data to the processor
5 | Commands Flow | Processor | Output Modules | The processor handles the input signals provided by the input modules and transmits control commands to the output modules
6 | Data Flow | Processor | Memory | The processor stores some control data in the memory
7 | Data Flow | Processor | Communication Module | The processor passes the control data to the communication module
8 | Data Flow | Communication Module | MTU | The control data is sent to the MTU via the communication module
9 | Data Flow | MTU | Communication Module | The communication module receives control data from the MTU
10 | Commands Flow | MTU | Communication Module | The communication module receives control commands from the MTU

Page 11

Threat Modelling

Attacks on Power Supply Flows (Transitions 1, 2, 3)
Physical attacks:
1) Physical disruption or malicious modification of connections 1, 2 and 3.
2) Physical destruction or malicious modification of the Power Supply, Processor, Input Modules and Output Modules.
Cyber attacks:
1) Unauthorised access to Processor
2) Unauthorised access to Input Modules
3) Unauthorised access to Output Modules

Attacks on Control Data Flows (Transitions 4, 6, 7, 8, 9)
Physical attacks:
1) Physical disruption or malicious modification of connections 4, 6, 7, 8 and 9.
2) Physical destruction or malicious modification of the Processor, Input Modules, Output Modules, Memory, Communication Module and MTU.
3) Physical malicious programming of the Processor
4) Physical violation of the MTU of the SCADA system
Cyber attacks:
1) Unauthorised access to Input Modules
2) Unauthorised access to Processor
3) Unauthorised access to Output Modules
4) MiTM attack between Input Modules and Processor
5) MiTM attack between Output Modules and Processor
6) DoS attacks
7) MiTM attack between Communication Module and MTU
8) Traffic Analysis Attack

Attacks on Control Command Flows (Transitions 5, 10)
Physical attacks:
1) Physical disruption or malicious modification of connections 5 and 10.
2) Physical destruction or malicious modification of the Processor, Output Modules, Communication Module and MTU.
3) Physical malicious programming of the Processor
4) Physical violation of the MTU of the SCADA system
Cyber attacks:
1) Unauthorised access to Processor
2) Unauthorised access to Output Modules
3) MiTM attack between Communication Module and MTU
4) DoS attacks
5) Traffic Analysis Attack

Page 12

Testbed

• PLC – 192.168.1.7: IEC TestServer emulates a PLC utilizing IEC-104
• MTU – 192.168.1.7: QTester104 is an HMI for IEC-104
• Cyberattacker – 192.168.1.9: Kali Linux is used to perform the four cyberattacks. We extended OpenMUC j60870 in order to send unauthorized Read (C_RD_NA_1), Reset (C_RP_NA_1) and Counter Interrogation (C_CI_NA_1) commands
• AlienVault OSSIM – 192.168.1.99: OSSIM is a SIEM tool which undertakes to protect the SCADA system via OSSEC and Suricata, which are a host-based IDS and a network-based IDS respectively.

Page 13

Cyberattacks

Traffic Analysis & MiTM / IEC 60870-5-104 Isolation Attack: aims to monitor and isolate, or even drop, the IEC-104 packets exchanged between the PLC and the MTU. Ettercap was used.

TCP SYN DoS Attack: DoS attack in which the cyberattacker continuously transmits SYN packets to the PLC without waiting for the corresponding answers (SYN+ACK). The hping tool was used.

Unauthorized Access: the IP address of the cyberattacker was changed, so that he/she is not considered a member of the network. OpenMUC j60870 was used to transmit the unauthorised commands.

IEC-104 Packet Flooding Attack: a kind of DoS which aims at flooding the MTU with specific IEC-104 packets. To emulate this attack, the PLC transmits the single-point information message (M_SP_NA_1) to the MTU every second.
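The unauthorized-command attack above, and the weaknesses listed on the IEC-104 Security slide, come down to the wire format: an APDU is a start octet 0x68, a length octet, a four-octet APCI and, for I-format frames, an ASDU whose type identifier, cause of transmission, common address and information object address are plain bytes with no authentication field anywhere. The following Python is an added example, not code from the paper, from OpenMUC j60870 or from the testbed. It encodes and decodes that layout for the type identifiers named on the slides, then applies a source-address whitelist to a constructed capture, which is one way a network IDS can flag a read, reset or counter-interrogation command arriving from a host that is not the known master. The PLC and attacker addresses follow the testbed slide; the MTU address (192.168.1.8), the sample capture and the whitelist approach are assumptions.

```python
"""IEC 60870-5-104 framing plus a source-address check for control commands (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

START = 0x68  # every APDU begins with this octet

# ASDU type identifiers named on the slides (IEC 60870-5-101/-104 values)
M_SP_NA_1 = 1    # single-point information, monitoring direction
C_IC_NA_1 = 100  # (general) interrogation command
C_CI_NA_1 = 101  # counter interrogation command
C_RD_NA_1 = 102  # read command
C_RP_NA_1 = 105  # reset process command
TYPE_NAMES = {M_SP_NA_1: "M_SP_NA_1", C_IC_NA_1: "C_IC_NA_1", C_CI_NA_1: "C_CI_NA_1",
              C_RD_NA_1: "C_RD_NA_1", C_RP_NA_1: "C_RP_NA_1"}
CONTROL_TYPES = frozenset({C_IC_NA_1, C_CI_NA_1, C_RD_NA_1, C_RP_NA_1})

COT_SPONTANEOUS, COT_REQUEST, COT_ACTIVATION = 3, 5, 6            # causes of transmission
STARTDT_ACT, STARTDT_CON, TESTFR_ACT, TESTFR_CON = 0x07, 0x0B, 0x43, 0x83  # U-frame functions


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int      # station (common) address, 2 octets in IEC-104
    ioa: int              # information object address, 3 octets in IEC-104
    element: bytes = b""  # qualifier/value octets; C_RD_NA_1 carries none


def build_asdu(a: Asdu) -> bytes:
    assert 0 <= a.ioa < 1 << 24
    vsq = 0x01  # SQ=0, one information object
    header = bytes([a.type_id, vsq, a.cot & 0x3F, 0])  # COT octet: T=0, PN=0; originator address 0
    return header + struct.pack("<H", a.common_addr) + a.ioa.to_bytes(3, "little") + a.element


def build_i_frame(asdu: bytes, send_seq: int, recv_seq: int) -> bytes:
    """I-format APCI: 15-bit N(S)/N(R) stored shifted left by one, little-endian; bit 0 of octet 1 is 0."""
    control = struct.pack("<HH", (send_seq << 1) & 0xFFFE, (recv_seq << 1) & 0xFFFE)
    length = len(control) + len(asdu)  # the length octet excludes the start and length octets
    assert length <= 253
    return bytes([START, length]) + control + asdu


def build_u_frame(function: int) -> bytes:
    """U-format APCI (STARTDT/STOPDT/TESTFR); no ASDU follows."""
    return bytes([START, 4, function, 0, 0, 0])


def parse_apdu(data: bytes) -> dict:
    if len(data) < 6 or data[0] != START or len(data) != data[1] + 2:
        raise ValueError("malformed IEC-104 APDU")
    c = data[2:6]
    fmt = "I" if c[0] & 0x01 == 0 else ("S" if c[0] & 0x03 == 0x01 else "U")
    out = {"format": fmt}
    if fmt == "U":
        out["function"] = c[0]
        return out
    out["recv_seq"] = struct.unpack("<H", c[2:4])[0] >> 1
    if fmt == "S":
        return out
    out["send_seq"] = struct.unpack("<H", c[0:2])[0] >> 1
    asdu = data[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU shorter than its fixed header plus one IOA")
    out.update(type_id=asdu[0], num_objects=asdu[1] & 0x7F, cot=asdu[2] & 0x3F,
               common_addr=struct.unpack("<H", asdu[4:6])[0],
               ioa=int.from_bytes(asdu[6:9], "little"), element=asdu[9:])
    return out


def flag_unauthorized(src_ip: str, data: bytes, allowed_masters: frozenset) -> Optional[str]:
    """Nothing in the frame authenticates the sender, so the only thing to key on is the source address."""
    p = parse_apdu(data)
    if p["format"] != "I" or p["type_id"] not in CONTROL_TYPES or src_ip in allowed_masters:
        return None
    return (f"{TYPE_NAMES[p['type_id']]} from {src_ip} to CA {p['common_addr']} "
            f"IOA {p['ioa']} is not from a known master")


def scan(packets: List[Tuple[str, bytes]], allowed_masters: frozenset) -> List[str]:
    findings = []
    for src, data in packets:
        finding = flag_unauthorized(src, data, allowed_masters)
        if finding:
            findings.append(finding)
    return findings


# Constructed capture (not real traffic): PLC and attacker addresses follow the testbed slide;
# the MTU address is an assumption because the slide lists the same address for PLC and MTU.
PLC, MTU, ATTACKER = "192.168.1.7", "192.168.1.8", "192.168.1.9"
SAMPLE_CAPTURE = [
    (MTU, build_u_frame(STARTDT_ACT)),                                                        # session start
    (MTU, build_i_frame(build_asdu(Asdu(C_IC_NA_1, COT_ACTIVATION, 1, 0, b"\x14")), 0, 0)),   # QOI=20, general interrogation
    (PLC, build_i_frame(build_asdu(Asdu(M_SP_NA_1, COT_SPONTANEOUS, 1, 100, b"\x01")), 0, 1)),  # SIQ, SPI=1
    (ATTACKER, build_i_frame(build_asdu(Asdu(C_RD_NA_1, COT_REQUEST, 1, 100)), 0, 0)),        # unauthorized read
    (ATTACKER, build_i_frame(build_asdu(Asdu(C_CI_NA_1, COT_ACTIVATION, 1, 0, b"\x05")), 1, 0)),  # QCC=5, general counter request
    (ATTACKER, build_i_frame(build_asdu(Asdu(C_RP_NA_1, COT_ACTIVATION, 1, 0, b"\x01")), 2, 0)),  # QRP=1, general reset
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CAPTURE, frozenset({MTU})):
        print(finding)
```

Run stand-alone, the script reports the three attacker frames and stays silent on the MTU's own interrogation and the PLC's spontaneous M_SP_NA_1. The check is deliberately only as strong as the address it keys on: the Unauthorized Access attack above changes the attacker's IP, so a whitelist catches a new address but not a spoofed or hijacked one, which is the gap IEC 62351 is meant to close.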

Page 14

Risk Assessment

Risk = (Asset Value × Event Priority × Event Reliability) / 25

This is the risk metric used by AlienVault OSSIM, the SIEM in the testbed; the division by 25 normalises the product to a 0-10 scale.

• Asset Value (ranging between 0 and 5) implies how significant an asset is. In our case there are two assets, 1) the MTU and 2) the PLC, whose value is equal to 5, since they are crucial for the normal operation of a SCADA system.
• Event Priority (ranging between 0 and 5) is determined by the expected impact of the threat.
• Event Reliability (ranging between 0 and 10) is determined by the probability of the threat occurring.
• The Impact and Threat Occurrence values from [1] were used to initialize Event Priority and Event Reliability. These values were computed using real-world data from the Common Weakness Enumeration (CWE) category system.

[1] A. Fielder, E. Panaousis, P. Malacaria, C. Hankin, and F. Smeraldi, "Decision support approaches for cyber security investment," Decision Support Systems, vol. 86, pp. 13–23, 2016.

Page 15

Risk Assessment

Threat | CWE Vulnerability | Threat Occurrence | Impact
DoS | Allocation of Resources Without Limits or Throttling (CWE-770) | 8.65 | 3.5
Traffic Analysis | Cleartext Transmission of Sensitive Information (CWE-319) | 7.834 | 2.5
MitM | Missing Encryption of Sensitive Data (CWE-311) | 6.793 | 3.5
Unauthorised Access | Improper Access Control (CWE-284) | 9.4 | 3.5

Risk = (Asset Value × Event Priority × Event Reliability) / 25

Page 16

Goal: SPEAR intends to provide a set of secure, privacy-enabled and cyberattack-resilient tools, thus ensuring the normal operation of the SG as well as the integrity and confidentiality of communications. https://www.spear2020.eu/

Page 17

SPEAR Objectives

Obj 1: To define the SPEAR system architecture, the security components and the privacy frameworks for situational awareness provisioning in relation to cyber security threats
Obj 2: To build attack detection mechanisms and promote resilience operations in smart grids
Obj 3: To increase situational awareness in smart grid networks
Obj 4: To create and maintain an anonymous repository of smart grid incidents
Obj 5: To provide smart network forensics subject to data protection and privacy
Obj 6: To empower EU-wide consensus on cyber security in smart grid systems
Obj 7: To validate the SPEAR architecture capabilities in proof-of-concept Use Cases
Obj 8: To design an innovative business model and conduct a techno-economic analysis to strengthen the role of the European smart grid and cyber-security industry in the global market.

Page 18

Thank You! Questions