Multistage Cyber-physical Attack and SCADA Intrusion Detection
Workshop on European Smart Grid Cybersecurity: Emerging Threats and Countermeasures, Belfast, 26th August 2016
Kieran McLaughlin, BooJoong Kang, Ivor Bradley, Andrew Wright
Centre for Secure Information Technologies (CSIT) @QUB
– German steel plant (2014)
  • ‘Spear phishing’ emails and social engineering techniques
  • Login credentials obtained
  • Access gained to the office network... and then to the production systems
  • Blast furnace could not shut down as normal
  • Caused “massive damage”
BlackEnergy, Havex and steel mill attacks:
– Control systems are being specifically targeted
– Malware / intruders aim to identify specific control system communications and devices
– Attackers have technical knowledge of underlying control systems, physical systems & communications >> not ‘script kiddies’
– Trajectory is towards selective intrusions and tailored attacks
We need to:
– Better understand the physical consequences of cyber-attacks
– Develop and embed resilience measures to mitigate impact
Prediction: 2010s the decade when open and standard –but obscure– SCADA protocols become known by attackers
Our work contributes to mitigating the impact of resultant attacks in the SCADA domain
[Figure: A brief history of SCADA communication protocols* (timeline, 1970s to 2000s): No standard protocols → Proprietary and industrial protocols → Open protocols → Promoting standard protocols. The trend runs from “closed, centralised, without standards” to “open, distributed, standards based”; 2010s..?]
* Modified from: Ten, Chee-Woo, et al. “Cybersecurity for electric power control and automation systems.” 2007 IEEE International Conference on Systems, Man and Cybernetics. IEEE, 2007.
Current approaches:
– Security generally lacks awareness of power systems properties
– SCADA protocols lack consideration for cyber security
– Lack of deep analysis at SCADA application layer
– NIST recommends further research on above
Our aims are therefore:
– Combine SCADA and power systems knowledge to effectively monitor application layer data
– SCADA protocol verification, stateful analysis, and functional whitelisting to support intrusion detection in IEC61850 use-case
– Collaborative approach towards supporting Resilient Control with
Whitelist
– Alerts on any traffic not specified as allowed
Signature
– Detect known attacks
– Can comprise part of stateful analysis
  • E.g. complicated attacks with multiple packets
alert tcp any any -> 10.55.55.111 102 (msg:"Write Request with Low Active Power Limitation"; sid:10000007; pcre:"/\xa0.*\xa5.\xa0.*DRCC1\$SP\$MaxWLimPct\$setMag\$f .*\x08((\x41(\x20\x00\x00|([\x00-\x0f]|[\x10-\x1f])..)|\x40...)|([\x00-\x0f]|[\x10-\x1f]|[\x20-\x2f]|[\x30-\x3f])...)$/")
Critical State Analysis
– System description and critical state representation
– State evolution monitor
– Critical state detection, e.g. $MaxWLimPct < 10%
Example: turbine in a factory
– If the temperature is greater than 99 and the turbine rotates at less than 1000 rpm:
  PLC[10.0.0.10:502].HR[1] < 1000, PLC[10.0.0.22:502].IR[1] > 99 → Alert : 4
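The turbine rule above, implemented as a small state evolution monitor: an added example written for this summary, not code from the presenters or from Carcano et al. The rule syntax and PLC addresses are taken from the slide; the register reads replayed in run_demo are constructed sample data.

```python
import operator
import re
from dataclasses import dataclass

# Term syntax used on the slide: PLC[<ip>:<port>].<HR|IR>[<index>] <op> <value>
TERM_RE = re.compile(r"PLC\[(?P<addr>[\d.]+:\d+)\]\.(?P<reg>HR|IR)\[(?P<idx>\d+)\]"
                     r"\s*(?P<op><=|>=|==|<|>)\s*(?P<val>-?\d+(?:\.\d+)?)")
OPS = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge, "==": operator.eq}
@dataclass
class CriticalState:
    alert: int
    terms: list  # (addr, reg, idx, op, threshold); all terms must hold at once
def parse_critical_state(rule: str, alert: int) -> CriticalState:
    """Parse a comma-separated conjunction of register conditions into a critical state."""
    terms = [(m["addr"], m["reg"], int(m["idx"]), m["op"], float(m["val"]))
             for m in TERM_RE.finditer(rule)]
    if not terms:
        raise ValueError(f"no register terms found in rule: {rule!r}")
    return CriticalState(alert, terms)

class StateMonitor:
    """State evolution monitor: remembers the last value of each PLC register."""
    def __init__(self, states):
        self.states = states
        self.registers = {}  # (addr, reg, idx) -> last observed value
    def observe(self, addr, reg, idx, value):
        """Apply one register read and return the alert ids of critical states now reached."""
        self.registers[(addr, reg, idx)] = value
        return [s.alert for s in self.states if self._is_critical(s)]
    def _is_critical(self, state):
        for addr, reg, idx, op, threshold in state.terms:
            current = self.registers.get((addr, reg, idx))
            # A register never observed cannot confirm a critical state
            if current is None or not OPS[op](current, threshold):
                return False
        return True
# The slide's turbine rule: slow rotor (HR[1] < 1000 rpm) while hot (IR[1] > 99)
TURBINE = parse_critical_state(
    "PLC[10.0.0.10:502].HR[1] < 1000, PLC[10.0.0.22:502].IR[1] > 99", alert=4)
def run_demo():
    monitor = StateMonitor([TURBINE])
    reads = [  # constructed sample: (addr, reg, idx, value)
        ("10.0.0.22:502", "IR", 1, 105),   # hot, but rotor speed not yet seen
        ("10.0.0.10:502", "HR", 1, 1500),  # hot and fast: not critical
        ("10.0.0.10:502", "HR", 1, 900),   # hot and slow: critical, alert 4
        ("10.0.0.22:502", "IR", 1, 80),    # cooled down: leaves the critical state
    ]
    return [monitor.observe(*read) for read in reads]
```

Each observe call returns the alerts active after that read, so the third read is the only step that raises alert 4; a register the monitor has never seen keeps the state from being declared critical rather than being treated as zero.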
References
Carcano, A. et al. (2011). A Multidimensional Critical State Analysis for Detecting Intrusions in SCADA Systems. IEEE Transactions on Industrial Informatics, 7(2), 179–186.
Yoo, H. et al. (2014). Novel Approach for Detecting Network Anomalies for Substation Automation based on IEC 61850. Multimedia Tools and Applications, 1–16.