
Post on 30-Jul-2020


© The SPARKS Consortium EU FP7 Programme Contract No. 608224

Multistage Cyber-physical Attack and SCADA Intrusion Detection

Workshop on European Smart Grid Cybersecurity: Emerging Threats and Countermeasures
Belfast, 26th August, 2016
Kieran McLaughlin, BooJoong Kang, Ivor Bradley, Andrew Wright
Centre for Secure Information Technologies (CSIT) @QUB


Outline

Recent cyber-attacks & motivation
IEC 61850 smart grid environment
Multi-stage cyber-attack scenario
Intrusion detection
Lab demo


Recent Cyber-attacks

– “Black Energy”
• Malware discovered on internet-connected HMIs (2011...2014)
• Targeting HMI products from three vendors: GE, Siemens, BroadWin

– “Havex” Remote Access Trojan (RAT)
• Targeting OPC communications (2014)
• Client/server technology widely used in process control systems

Ref: Trend Micro


What is a RAT?

A Remote Administrator/Access Tool/Trojan is malware that allows the master complete control of the infected machine

RATs can have special features or plugins. Well known are:

– PlugX, also known as Korplug, Gulpix or Thoper
– DarkComet
– PoisonIvy
– Gh0St
– Taidoor
– Xtreme RAT


Ukraine Electric Grid Attack

The SCADA system was the target (2015)

BlackEnergy appears to have been the “dropper”

A final component made the cyber-physical effect

Analysis from SANS ICS blog

Recent Cyber-attacks

– German steel plant (2014)
• ‘Spear phishing’ emails and social engineering techniques
• Login credentials obtained
• Access gained to the office network... and then to the production systems
• Blast furnace could not shut down as normal
• Caused “massive damage”

Attackers showed technical expertise


Take Away Message

Cyber attack but...

Physical impact


IEC 61850 PV Environment


IEC 61850 server (PV inverter)

IEC 61850 client (HMI)

IEC 61850 Communications standard for substations. Enables integration of protection, control, measurement and monitoring functions


IEC 61850 Smart Grid Environment

[Network diagram labels: Attacker’s controller, Attacker’s web server, Internet, SCADA network, Enterprise network, IEC 61850 client, PV inverter, Windows 7 Office PC, Linux machine (e.g. historian), Physical electrical systems]

IEC 61850 Smart Grid Environment

• Phishing email
• Looks genuine
• Simple - often successful

IEC 61850 Smart Grid Environment

• Infected PC contacts malicious server

• Malware payload downloads and installs

• SPARKS demo with DarkComet, PlugX

IEC 61850 Smart Grid Environment

• Attacker ‘pwns’ a PC in the enterprise network

IEC 61850 Smart Grid Environment

• Uses “remote desktop” functions of RAT (like Ukraine)

• In this case, the attacker finds a vulnerable web-based historian used by the operator

• Runs known exploit

IEC 61850 Smart Grid Environment

• From RAT controller, attacker is able to establish a connection from Windows machine to historian

IEC 61850 Smart Grid Environment

• From the RAT controller, the attacker instructs the Linux machine to download another attack payload

• Custom code that allows directed attack against IEC 61850

IEC 61850 Smart Grid Environment

• The attacker now begins sniffing the IEC 61850 SCADA commands between the IEC 61850 client and the PV inverter

• Could carry out reconnaissance and learn about the system

IEC 61850 Smart Grid Environment

• Communication between IEC 61850 client and PV inverter intercepted and modified

IEC 61850 Smart Grid Environment

Attack 1:
• Modify the max power limit of the PV inverter
• E.g. change 100% to 40%

Attack 2:
• Shut down the PV inverter


Multi-stage Cyber-attack Scenario

Phishing email & social engineering

Install Remote Access Trojan (RAT) in office PC

Network mapping & lateral movement

Exploit vulnerability & pivot to SCADA network

Deploy SCADA attack payload

Attack physical system functions

More than one way to skin a RAT...
– Multiple options for each stage of a multi-stage attack

• Waterhole attacks
• Infected software
• Stolen/insecure username and password credentials
• Compromise from the internet
• Office PC
• Third party remote maintenance
• Engineer’s laptop
• BYOD
• Well known tools like nmap
• Havex, Stuxnet sniffed traffic
• RAT can keylog credentials
• Vulnerable operating system
• Vulnerable services on SCADA server, data historian, etc.
• Vulnerable network devices
• Variety of known and unknown vulnerabilities in SCADA devices and software – CVEs
• e.g. GE, Siemens, BroadWin
• Inherently vulnerable SCADA protocols
• Devices vulnerable to freeze, shutdown, etc.


Observations (1/2)

BlackEnergy, Havex and steel mill attacks:
– Control systems are being specifically targeted
– Malware / intruders aim to identify specific control system communications and devices
– Attackers have technical knowledge of underlying control systems, physical systems & communications >> not ‘script kiddies’
– Trajectory is towards selective intrusions and tailored attacks

We need to:
– Better understand the physical consequences of cyber-attacks
– Develop and embed resilience measures to mitigate impact


Observations (2/2)

Prediction: 2010s the decade when open and standard –but obscure– SCADA protocols become known by attackers

Our work contributes to mitigating the impact of resultant attacks in the SCADA domain

[Timeline figure: A brief history of SCADA communication protocols*. 1970s: no standard protocols; 1980s: proprietary and industrial protocols; 1990s: open protocols; 2000s: promoting standard protocols. The trend runs from closed, centralised, without standards to open, distributed, standards based. 2010s..?]

* Modified from: Ten, Chee-Woo, et al. “Cybersecurity for electric power control and automation systems.” 2007 IEEE International Conference on Systems, Man and Cybernetics. IEEE, 2007.


Outline

Recent cyber-attacks & motivation
IEC 61850 smart grid environment
Multi-stage cyber-attack scenario
Intrusion detection
Lab demo


Objectives for SCADA IDS

Current approaches:
– Security generally lacks awareness of power systems properties
– SCADA protocols lack consideration for cyber security
– Lack of deep analysis at SCADA application layer
– NIST recommends further research on above

Our aims are therefore:
– Combine SCADA and power systems knowledge to effectively monitor application layer data
– SCADA protocol verification, stateful analysis, and functional whitelisting to support intrusion detection in IEC61850 use-case
– Collaborative approach towards supporting Resilient Control with SCADA IDS information

Multi-Attribute SCADA IDS Concept


Whitelist & Signature

Whitelist
– Alerts on any traffic not specified as allowed

Signature
– Detect known attacks
– Can comprise part of stateful analysis
• E.g. Complicated attacks with multiple packets

alert tcp any any -> 10.55.55.111 102 (msg:"Write Request with Low Active Power Limitation"; sid:10000007; pcre:"/\xa0.*\xa5.\xa0.*DRCC1\$SP\$MaxWLimPct\$setMag\$f .*\x08((\x41(\x20\x00\x00|([\x00-\x0f]|[\x10-\x1f])..)|\x40...)|([\x00-\x0f]|[\x10-\x1f]|[\x20-\x2f]|[\x30-\x3f])...)$/")

Example signature for PV inverter attack
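The signature above matches the raw bytes of the MMS write, which makes the 10% threshold hard to read and hard to change. As an added example (not the SPARKS project's code), the following Python does the same check by decoding the written value, and stacks a functional whitelist on top of it: only the IEC 61850 client may write this attribute, so a write arriving from the compromised historian host is flagged even when its value is benign. The inverter address, the attribute path and the sid come from the signature; the HMI address 10.55.55.10, the historian address 10.55.55.20 and the simplified packet layout are constructed for the example. The value is decoded as an MMS FloatingPoint (one exponent-width octet, 0x08 for single precision, followed by a big-endian IEEE 754 float), which is the layout the signature's `\x08` byte is anchoring on.

```python
import re
import struct

# Taken from the page's signature: the inverter's MMS endpoint and the IEC 61850
# attribute path of the max active power limit setpoint.
INVERTER = ("10.55.55.111", 102)
ATTRIBUTE_PATH = b"DRCC1$SP$MaxWLimPct$setMag$f"
SIGNATURE_SID = 10000007

# The signature's byte ranges cover IEEE 754 floats from 0.0 up to and including 10.0
# (0x41200000), so the decoded check uses the same bounds.
LIMIT_PCT = 10.0

# Functional whitelist (constructed for this example): hosts allowed to write the
# attribute. Only the IEC 61850 client (HMI) is a legitimate writer.
ALLOWED_WRITERS = {"10.55.55.10"}   # hypothetical HMI address


def build_write_payload(path: bytes, value: float) -> bytes:
    """Constructed stand-in for the bytes of an MMS Write request.

    Real MMS is ASN.1/BER; only what the check needs is modelled: a few leading
    tag/length octets, the attribute path, then the value as an MMS FloatingPoint
    (exponent-width octet 0x08 followed by the 4-byte big-endian IEEE 754 float).
    """
    return b"\xa0\x20\xa5\x1e\xa0\x1c" + path + b" " + b"\x08" + struct.pack(">f", value)


def extract_power_limit(payload: bytes):
    """Return the float written to MaxWLimPct, or None if this is not such a write."""
    idx = payload.find(ATTRIBUTE_PATH)
    if idx < 0:
        return None
    rest = payload[idx + len(ATTRIBUTE_PATH):]
    # First FloatingPoint after the path: exponent-width octet then four value octets.
    m = re.search(rb"\x08(.{4})", rest, re.DOTALL)
    if not m:
        return None
    return struct.unpack(">f", m.group(1))[0]


def inspect_write(src_ip: str, dst: tuple, payload: bytes) -> list:
    """Apply the functional whitelist and the threshold signature to one packet.

    Returns the list of alert messages; an empty list means the packet is benign.
    """
    alerts = []
    if dst != INVERTER:
        return alerts
    value = extract_power_limit(payload)
    if value is None:
        return alerts
    if src_ip not in ALLOWED_WRITERS:
        alerts.append(f"whitelist: write to MaxWLimPct from unexpected host {src_ip}")
    if 0.0 <= value <= LIMIT_PCT:
        alerts.append(f"sid:{SIGNATURE_SID} Write Request with Low Active Power Limitation ({value:g}%)")
    return alerts


if __name__ == "__main__":
    # Constructed traffic: a normal HMI write, the page's Attack 1 (100% -> 40%) sent
    # from the pivoted historian host, and a 5% write from the same host.
    HISTORIAN = "10.55.55.20"   # hypothetical address of the compromised Linux machine
    for src, val in [("10.55.55.10", 100.0), (HISTORIAN, 40.0), (HISTORIAN, 5.0)]:
        print(src, val, inspect_write(src, INVERTER, build_write_payload(ATTRIBUTE_PATH, val)))
```

Running the three constructed packets shows why the page layers detectors: the HMI's 100% write raises nothing, the 40% write of Attack 1 is above the signature's threshold and is caught only by the whitelist, and the 5% write trips both.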


‘Characterisation’ of Environment

Critical State Analysis
– System description and critical state representation
– State evolution monitor
– Critical state detection, e.g. $MaxWLimPct <10%

Example: turbine in a factory
– If the temperature is greater than 99 and the turbine rotates at less than 1000 rpm:

PLC[10.0.0.10:502].HR[1] < 1000, PLC[10.0.0.22:502].IR[1] > 99 → Alert : 4

Carcano, A. et al. (2011). A Multidimensional Critical State Analysis for Detecting Intrusions in SCADA Systems. IEEE Transactions on Industrial Informatics, 7(2), 179–186.
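To show how a state evolution monitor evaluates a multidimensional critical state, here is an added Python example (not code from the page, the SPARKS project or Carcano et al.). It keeps the latest value of every monitored register as a system image, evaluates each rule as a conjunction of per-register conditions after every observation, and reports a critical state once when the system enters it rather than on every packet while it persists. It encodes the turbine rule quoted above and the page's $MaxWLimPct < 10% condition; the reading sequence, the use of the attribute path as the inverter's register name and the alert level 3 for the inverter rule are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Condition:
    """One dimension of a critical state: a register on a device and a predicate on its value."""
    device: str                    # PLC address as written in the page's rule, e.g. "10.0.0.10:502"
    register: str                  # "HR[1]" holding register, "IR[1]" input register, or an MMS path
    test: Callable[[float], bool]


@dataclass(frozen=True)
class CriticalState:
    name: str
    alert_level: int
    conditions: Tuple[Condition, ...]


class StateMonitor:
    """State evolution monitor: keeps the latest observed value of every register and,
    after each observation, reports the critical states the system has just entered."""

    def __init__(self, rules: List[CriticalState]):
        self.rules = rules
        self.image: Dict[Tuple[str, str], float] = {}   # current system image
        self.active: Set[str] = set()                    # critical states currently holding

    def is_critical(self, rule: CriticalState) -> bool:
        for c in rule.conditions:
            value = self.image.get((c.device, c.register))
            if value is None or not c.test(value):      # unknown dimension: not critical yet
                return False
        return True

    def observe(self, device: str, register: str, value: float) -> List[Tuple[str, int]]:
        """Record one observed read/write value and return newly entered critical states."""
        self.image[(device, register)] = value
        now = {r.name for r in self.rules if self.is_critical(r)}
        entered = now - self.active
        self.active = now
        return [(r.name, r.alert_level) for r in self.rules if r.name in entered]


# The factory turbine rule quoted on the page: temperature > 99 and speed < 1000 rpm, alert 4.
TURBINE_RULE = CriticalState("turbine hot and slow", 4, (
    Condition("10.0.0.10:502", "HR[1]", lambda rpm: rpm < 1000),
    Condition("10.0.0.22:502", "IR[1]", lambda temp: temp > 99),
))

# The PV inverter critical state from the page ($MaxWLimPct < 10%); the device address is the
# one in the page's signature, the alert level 3 is an assumption made for this example.
PV_RULE = CriticalState("inverter power limit below 10%", 3, (
    Condition("10.55.55.111:102", "DRCC1$SP$MaxWLimPct$setMag$f", lambda pct: pct < 10.0),
))

# Constructed sequence of (device, register, value) readings, as an IDS might extract them
# from Modbus and MMS traffic; the turbine enters, leaves and re-enters its critical state.
OBSERVATIONS = [
    ("10.0.0.22:502", "IR[1]", 105.0),
    ("10.0.0.10:502", "HR[1]", 1500.0),
    ("10.0.0.10:502", "HR[1]", 800.0),     # both turbine conditions now hold -> alert 4
    ("10.0.0.22:502", "IR[1]", 110.0),     # still critical: not reported again
    ("10.55.55.111:102", "DRCC1$SP$MaxWLimPct$setMag$f", 40.0),
    ("10.55.55.111:102", "DRCC1$SP$MaxWLimPct$setMag$f", 5.0),   # inverter critical -> alert 3
    ("10.0.0.10:502", "HR[1]", 1200.0),    # turbine back to normal speed
    ("10.0.0.10:502", "HR[1]", 900.0),     # re-enters the critical state -> alert 4 again
]


def replay(observations) -> List[Tuple[str, str, float, str, int]]:
    """Run the monitor over a reading sequence; return (device, register, value, state, level) rows."""
    monitor = StateMonitor([TURBINE_RULE, PV_RULE])
    raised = []
    for device, register, value in observations:
        for name, level in monitor.observe(device, register, value):
            raised.append((device, register, value, name, level))
    return raised


if __name__ == "__main__":
    for row in replay(OBSERVATIONS):
        print(row)
```

Reporting only transitions keeps the alert volume proportional to events rather than to packet rate; if the operator also wants to know how long a critical state persisted, the monitor's `active` set is the place to timestamp entries and exits.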


‘Characterisation’ of Environment

Deep protocol analysis, MMS Request / Response: meta-data about network traffic and payload content

Stateful Analysis

Correlated Rules

[Figures: Stateful Analysis Process; Rule Match of Write-Request]

Unsupervised Learning Model

Yoo, H. et al. (2014). Novel Approach for Detecting Network Anomalies for Substation Automation based on IEC 61850. Multimedia Tools and Applications, 1–16.

Single MMS Packet


Multi-Attribute SCADA IDS


[Architecture figure: Multi-Attribute SCADA IDS. Inputs: Network Traffic, System Configurations, 3rd Party Signature DB, Protocol Standards, Normal Data, Attack Data. Generators: Whitelist Generation, Signature Generation, Stateful Rule Generation, Protocol Violation Rule Generation, Machine Learning. Outputs: Whitelist, Signatures, Violation & Stateful Rules, Models. Storage and visualisation: ELK (Elasticsearch, Logstash, Kibana)]

SPARKS ‘MMS Scanner’

MMS device detection
– Port scan (102)

Information gathering
– Send valid requests
• Domain name, attributes
– Attribute manipulation
• Known or random values

[Figure labels: Attacker, IEC 61850-8-1]

Therefore, to characterise normal network behaviour we must include all these SCADA-specific parameters

Lab Demo

Let’s ROCK