A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection

Date post: 24-Feb-2016
Description: A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection. I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta. Joint Research Centre (JRC), The European Commission's Research-Based Policy Support Organisation; Insubria University. PowerPoint presentation, 27 slides.
Transcript
Page 1: A K/N Attack-Resilient ICT Shield  for SCADA Systems, with State Based Attack Detection

A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection

I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta

Joint Research Centre (JRC)

The European Commission’s Research-Based Policy Support Organisation

Insubria University

Page 2

Consequences of pervasive ICT in Critical Infrastructures

Today most critical infrastructures depend heavily on the underlying communication networks.

[Diagram: Public Network connected to the Supervisory Control and Data Acquisition (SCADA) system; labels: New Attack Scenarios, New Vulnerabilities, New Risks]

Page 3

An Example: The ModBUS frame

ModBUS serial frame (RS232, RS422/485):
  253 bytes (PDU) + 1 byte (slave ADDR) + 2 bytes (CRC) = 256 bytes Max ADU

ModBUS TCP/IP frame:
  253 bytes (PDU) + 7 bytes (MBAP) = 260 bytes Max ADU

MBAP Header:
• Transaction Identifier
• Protocol Identifier
• Length
• Unit Identifier
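The frame limits on this slide as an added, runnable illustration (the code is the editor's, not the presentation's or the JRC prototype's): a builder and a defensive parser for the Modbus/TCP ADU that enforces the 7-byte MBAP header, the 253-byte PDU and the 260-byte ADU maximum, plus the Write Single Coil (05) request encoding that the later slides use. Function names are assumptions; the field layout and the 0xFF00/0x0000 coil values follow the standard Modbus encoding.

```python
"""Build and validate Modbus/TCP ADUs: 7-byte MBAP header + PDU of at most 253 bytes (260-byte ADU)."""
import struct
from dataclasses import dataclass

MBAP_LEN = 7                       # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253
MAX_TCP_ADU = MBAP_LEN + MAX_PDU   # 260 bytes, as on the slide
MAX_SERIAL_ADU = 1 + MAX_PDU + 2   # 256 bytes: slave address + PDU + CRC
MODBUS_PROTOCOL_ID = 0             # the only protocol identifier defined for Modbus/TCP
FC_WRITE_SINGLE_COIL = 5


@dataclass
class MbapHeader:
    transaction_id: int
    protocol_id: int
    length: int      # number of bytes that follow the Length field: unit id + PDU
    unit_id: int


def build_adu(transaction_id, unit_id, pdu):
    """Wrap a PDU in an MBAP header; refuses PDUs that would exceed the 260-byte ADU."""
    if len(pdu) > MAX_PDU:
        raise ValueError(f"PDU is {len(pdu)} bytes, max {MAX_PDU}")
    return struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


def parse_adu(frame):
    """Split a captured ADU into (MbapHeader, pdu), rejecting what a filter should not trust:
    truncated or oversized frames, a foreign protocol id, or a Length field that disagrees with the size."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    if len(frame) > MAX_TCP_ADU:
        raise ValueError(f"ADU is {len(frame)} bytes, max {MAX_TCP_ADU}")
    header = MbapHeader(*struct.unpack(">HHHB", frame[:MBAP_LEN]))
    if header.protocol_id != MODBUS_PROTOCOL_ID:
        raise ValueError(f"protocol id {header.protocol_id} is not Modbus")
    if header.length != len(frame) - 6:
        raise ValueError(f"Length field says {header.length}, frame carries {len(frame) - 6}")
    return header, frame[MBAP_LEN:]


def is_valid_adu(frame):
    """Accept/reject helper for a packet filter: True only if parse_adu accepts the frame."""
    try:
        parse_adu(frame)
        return True
    except ValueError:
        return False


def write_coil_pdu(address, on):
    """Write Single Coil (05): function code, 2-byte coil address, 0xFF00 (ON) or 0x0000 (OFF)."""
    return struct.pack(">BHH", FC_WRITE_SINGLE_COIL, address, 0xFF00 if on else 0x0000)


def decode_write_coil(pdu):
    """Inverse of write_coil_pdu; returns (address, on) and rejects malformed coil values."""
    if len(pdu) != 5 or pdu[0] != FC_WRITE_SINGLE_COIL:
        raise ValueError("not a Write Single Coil request")
    address, value = struct.unpack(">HH", pdu[1:])
    if value not in (0xFF00, 0x0000):
        raise ValueError(f"illegal coil value 0x{value:04X}")
    return address, value == 0xFF00


if __name__ == "__main__":
    # constructed sample: the master writes coil 1 of unit 1 to ON (the packet shown on slide 15)
    frame = build_adu(7, 1, write_coil_pdu(1, True))
    header, pdu = parse_adu(frame)
    print(frame.hex(), header, decode_write_coil(pdu))
```

The Length check matters for a filter that sits in front of the PLCs: a frame whose MBAP Length disagrees with the bytes actually carried is either corrupted or crafted, and `parse_adu` refuses it rather than trusting either count.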

Page 4

SCADA Protocols Vulnerabilities

• Unauthorized Command Execution
• Man-in-the-Middle
• Replay-attacks
• Repudiation

Properties the protocol lacks: …authentication… …integrity… …freshness…

Page 5

Secure Modbus Prototype

• Time-stamp
• SHA2 digest (256 bit)
• RSA signature on the SHA2 digest

[Diagram: ModBUS TCP/IP frame (MBAP, Function, Data, TS) → E-Modbus → SHA2 (E-Modbus) → pKM → S-Modbus pkt]
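An added example (the editor's code, not the authors' prototype) of the S-Modbus layout sketched on this slide: the Modbus/TCP frame is extended with a timestamp (E-Modbus), a SHA-256 digest is taken over the extended frame, and the digest is signed. To stay on the Python standard library it substitutes an HMAC-SHA256 tag under a shared secret for the prototype's RSA signature; the 64-bit millisecond timestamp, the 2-second freshness window and the set of seen digests are assumptions the slide does not specify. The verifier reports which property a rejected packet fails: authentication/integrity, freshness, or replay.

```python
"""S-Modbus sketch: frame || timestamp, SHA-256 digest, signature; verification checks all three properties."""
import hashlib
import hmac
import struct

TS_LEN = 8                   # assumed: 64-bit big-endian timestamp in milliseconds
SIG_LEN = 32                 # HMAC-SHA256 tag; stands in for the prototype's RSA signature
FRESHNESS_WINDOW_MS = 2000   # assumed tolerance; the slide gives no value


def sign_digest(key, digest):
    """Stand-in for 'RSA signature on the SHA2 digest': HMAC-SHA256 keyed with a shared secret."""
    return hmac.new(key, digest, hashlib.sha256).digest()


def build_s_modbus(modbus_frame, key, now_s):
    """E-Modbus = ModBUS TCP/IP frame || TS;  S-Modbus = E-Modbus || Sign(SHA2(E-Modbus))."""
    e_modbus = modbus_frame + struct.pack(">Q", int(now_s * 1000))
    return e_modbus + sign_digest(key, hashlib.sha256(e_modbus).digest())


def verify_s_modbus(packet, key, now_s, seen_digests):
    """Returns (accepted, reason, modbus_frame). Rejections name the property that failed:
    'bad signature' (authentication/integrity), 'stale' or 'replay' (freshness)."""
    if len(packet) < TS_LEN + SIG_LEN + 1:
        return False, "too short", None
    e_modbus, sig = packet[:-SIG_LEN], packet[-SIG_LEN:]
    digest = hashlib.sha256(e_modbus).digest()
    if not hmac.compare_digest(sig, sign_digest(key, digest)):   # constant-time comparison
        return False, "bad signature", None
    modbus_frame, ts_ms = e_modbus[:-TS_LEN], struct.unpack(">Q", e_modbus[-TS_LEN:])[0]
    if abs(int(now_s * 1000) - ts_ms) > FRESHNESS_WINDOW_MS:
        return False, "stale", None
    if digest in seen_digests:   # same frame with the same timestamp already accepted inside the window
        return False, "replay", None
    seen_digests.add(digest)
    return True, "ok", modbus_frame


if __name__ == "__main__":
    KEY = b"constructed-demo-key"
    # constructed Modbus/TCP frame: MBAP (transaction 7, unit 1) + Write Single Coil, coil 1, ON
    FRAME = bytes.fromhex("00070000000601050001ff00")
    pkt = build_s_modbus(FRAME, KEY, 1000.0)
    seen = set()
    print(verify_s_modbus(pkt, KEY, 1000.5, seen))   # accepted
    print(verify_s_modbus(pkt, KEY, 1000.6, seen))   # rejected as a replay
```

The signature is checked before the timestamp so that an unauthenticated timestamp never influences the decision; the set of seen digests only needs to retain entries younger than the freshness window, so a deployment would prune it rather than let it grow.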

Page 6

Considerations

• A secure protocol does not protect from the corruption of the traffic originator, i.e. the Master…

Page 7

K-Survivable SCADA Architecture

Attacks:
• Unauth. Com. Exec.
• Replay Attack
• Master infection
• Master-FU infection

Solutions:
• Signature
• Secure ModBUS
• Filtering Unit
• Multiple FU

Legend:
PKm = Private Key Master
SKm = Public key Master
TS = Time Stamp
FU = Filtering Unit
PKf = Private key FU
SKf = Public key FU

[Diagram: Master → FU, FU, FU → Slave, with an Attacker drawn at three points of the path; the ModBUS TCP/IP frame is shown as MBAP, Function, Data, TS]

Message notation on the diagram:
{TS|ModBUS}
{TS|ModBUS}PKm
{data}PKm
{{TS|ModBUS}PKm}PKf
{{{TS|ModBUS}PKm}PKt}SKt
{{{TS|ModBUS}PKm}SKm

Notes: Different Architecture; OS: Linux, Windows; Scada FW

Page 8

…Problem…

Locally licit commands put the system into a critical state

[Diagram: a Filtering Cloud in front of PLC1, PLC2, PLC3; requests R1: PKT(###), R2: PKT(#@!), R3: PKT(^&%); commands Open V2, Close V1 (Cl. V1), Close V3; outcome "Alert !"]

Page 9

…but…

[Diagram: ICT World: ICT Signature-based IDS; Industrial World: Safety Analysis]

Page 10

State Based Approach (1)

• SCADA System Representation

PLC object (class diagram, one instance per PLC):
- address : string
- port : int
- id : byte
- discrete inputs : bool
- coils : bool
- input registers : short
- holding registers : short
- exception status coils : bool
- diagnostic register : short
- counters : short

Instances:
PLC 1: address = 10.0.0.1, port = 502, id = 1; array sizes [100] [100] [100] [100] [8] [9]
PLC 2: address = 10.0.0.2, port = 502, id = 2; array sizes [200] [200] [200] [200] [8] [9]
PLC 3: address = 10.0.0.3, port = 502, id = 3; array sizes [300] [300] [300] [300] [8] [9]
Master: address = 10.0.0.254, port = 502

[Diagram: Master (10.0.0.254:502) connected to PLC 1, PLC 2, PLC 3]

Register tables per PLC:
PLC   DI    CO    IR    HR
1     100   100   100   100
2     200   200   200   200
3     300   300   300   300

Page 11

State Based Approach (3)

• Critical State Representation

[Diagram: Master (10.0.0.254:502) and PLC 1, 2, 3 (10.0.0.1/2/3:502, ID 1/2/3); process sketch with VIN, VOUT, P1; labels HR[1] 100, HR[2] 500, 100]

IF ( PLC[ 10.0.0.1 ].HR[1] < 20 AND PLC[ 10.0.0.2 ].HR[2] > 70 ) THEN "The system is in a critical state"

Page 12

State Based Filter Architecture

[Architecture diagram; components as labelled]
- Network Capture Module
- SCADA Protocol Sensor (SPS)
- Loader: Virtual System Loader
- Files: Basic Rules File; Critical State Rules File; Virtual System Descriptor File
- Database: Single packet rules DB (SPDB); Critical State Rules DB (CSRDB); DB Sender
- Analyzer: Basic Analyzer; Critical State Analyzer
- System Virtual Image (SVI): Virtual System; Real System Synchronizer; Update System Manager
- Protocol Builder; Protocol Discover
- Real System: PLC 1, PLC 2, … PLC n

Page 13

Loader: Virtual System Loader

Real System:
[Diagram: Master 10.0.0.254:502 and PLC 1 (10.0.0.1:502, ID 1), PLC 2 (10.0.0.2:502, ID 2), PLC 3 (10.0.0.3:502, ID 3)]
PLC   DI    CO    IR    HR
1     100   100   100   100
2     200   200   200   200
3     300   300   300   300

Objects Stored in the Filter memory:
PLC 1: address : string = 10.0.0.1, port : int = 502, id : byte = 1; discrete inputs : bool, coils : bool, input registers : short, holding registers : short, exception status coils : bool, diagnostic register : short, counters : short; array sizes [100] [100] [100] [100] [8] [9]
PLC 2: address : string = 10.0.0.2, port : int = 502, id : byte = 2; same attributes; array sizes [200] [200] [200] [200] [8] [9]
PLC 3: address : string = 10.0.0.3, port : int = 502, id : byte = 3; same attributes; array sizes [300] [300] [300] [300] [8] [9]
Master: address : string = 10.0.0.254, port : int = 502

XML Virtual System Descriptor File:

<infrastructure>
  <master address="10.0.0.254" port="502" />
  <plc address="10.0.0.1" port="502" id="1" >
    <discrete_inputs numbers="100" />
    ...
    <holding_registers numbers="100" />
  </plc>
  <plc address="10.0.0.2" port="502" id="2" >
    <discrete_inputs numbers="200" />
    ...
    <holding_registers numbers="200" />
  </plc>
  <plc address="10.0.0.3" port="502" id="3" >
    <discrete_inputs numbers="300" />
    ...
    <holding_registers numbers="300" />
  </plc>
</infrastructure>

Page 14

Loader: Critical State Rules Loader

• IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND
  ( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT

Rule tree built by the loader:
AND
├─ OR
│  ├─ PLC[10.0.0.1].HR[1] > 70
│  └─ PLC[10.0.0.1].HR[2] < 20
└─ OR
   ├─ PLC[10.0.0.2].CO[0] = 0
   └─ NOT
      └─ PLC[10.0.0.2].CO[1] = 1

Page 15

SVI: Update System Manager

Virtual System before the packet: every table of every PLC holds 0
PLC 10.0.0.1  DI (0 .. 99): 0 0 .. 0   CO: 0 0 .. 0   IR: 0 0 .. 0   HR: 0 0 .. 0
PLC 10.0.0.2  DI (0 .. 199): 0 0 .. 0  CO: 0 0 .. 0   IR: 0 0 .. 0   HR: 0 0 .. 0
PLC 10.0.0.3  DI (0 .. 299): 0 0 .. 0  CO: 0 0 .. 0   IR: 0 0 .. 0   HR: 0 0 .. 0

Captured packet:
Source          10.0.0.254
Destination     10.0.0.1
Function Code   Write Coil (05)
Address         1
Value           1

Result in the Virtual System: PLC 10.0.0.1, CO[1] = 1

Page 16

SVI: Real System Synchronizer

[Diagram: the synchronizer queries the field devices (Master 10.0.0.254:502; PLC 1, 2, 3 at 10.0.0.1/2/3:502, ID 1/2/3) and updates the Virtual System]

Virtual System Before:
PLC 10.0.0.1  DI (0 .. 99): 0 0 .. 0   CO: 0 0 .. 0   IR: 0 0 .. 0   HR: 0 0 .. 0
PLC 10.0.0.2  DI (0 .. 199): 0 0 .. 0  CO: 0 0 .. 0   IR: 0 0 .. 0   HR: 0 0 .. 0
PLC 10.0.0.3  DI (0 .. 299): 0 0 .. 0  CO: 0 0 .. 0   IR: 0 0 .. 0   HR: 0 0 .. 0

Virtual System After:
PLC 10.0.0.1  DI (0 .. 99): 0 1 .. 1   CO: 0 0 .. 0   IR: 0 0 .. 0   HR: 0 0 .. 0
PLC 10.0.0.2  DI (0 .. 199): 0 0 .. 0  CO: 0 0 .. 0   IR: 0 8 .. 0   HR: 0 0 .. 0
PLC 10.0.0.3  DI (0 .. 299): 0 0 .. 0  CO: 0 0 .. 1   IR: 0 0 .. 0   HR: 0 7 .. 0

Steps: Query Field Devices → System Update

Page 17

Analyzer: Critical State Analyzer

Virtual System (as loaded, every table holds 0):
PLC 10.0.0.1  DI (0 .. 99): 0 0 .. 0   CO: 0 0 .. 0   IR: 0 0 .. 0   HR: 0 0 .. 0
PLC 10.0.0.2  DI (0 .. 199): 0 0 .. 0  CO: 0 0 .. 0   IR: 0 0 .. 0   HR: 0 0 .. 0
PLC 10.0.0.3  DI (0 .. 299): 0 0 .. 0  CO: 0 0 .. 0   IR: 0 0 .. 0   HR: 0 0 .. 0

Captured packet:
Source          10.0.0.254
Destination     10.0.0.1
Function Code   Write Coil (05)
Address         1
Value           1

Check Rules DB (CSRDB) against the Virtual System with the packet applied (PLC 10.0.0.1, CO[1] = 1):

IF ( PLC[10.0.0.1].CO[1] == 1 ) THEN ALERT

→ Block the Packet
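An added example (the editor's code, not the filter's own) that ties slides 10 to 17 together: it loads the three-PLC virtual system of the descriptor file, compiles critical-state rules written in the slides' notation (IF … THEN ALERT with AND, OR, NOT, parentheses and PLC[ip].TABLE[index] comparisons; the quoted-message form of slide 11 is not accepted), mirrors a captured write into a copy of the image, and blocks the packet if any rule fires. The function names, the closure-based rule tree and the "apply to a copy, commit only if licit" policy are assumptions; the slides show the outcome but not the mechanism.

```python
"""State-based filter: a virtual image of the PLCs plus critical-state rules in the slides' notation."""
import copy
import operator
import re

TABLES = ("DI", "CO", "IR", "HR")   # discrete inputs, coils, input registers, holding registers


def load_virtual_system():
    """Virtual System Loader: the three PLCs of the slides' descriptor file (100/200/300 entries per table)."""
    return {address: {table: [0] * size for table in TABLES}
            for address, size in (("10.0.0.1", 100), ("10.0.0.2", 200), ("10.0.0.3", 300))}


def apply_transaction(system, dst, function_code, address, value):
    """Update System Manager: mirror Write Single Coil (05) or Write Single Register (06) into the image."""
    if function_code == 5:
        system[dst]["CO"][address] = 1 if value else 0
    elif function_code == 6:
        system[dst]["HR"][address] = value
    else:
        raise ValueError(f"function code {function_code} is not mirrored by this example")


# Critical State Rules Loader. A rule such as
#   IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND ( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT
# is compiled into a tree of closures (OR binds loosest, then AND, then NOT), the tree drawn on slide 14.
TOKEN_RE = re.compile(r"\(|\)|\b(?:IF|THEN|ALERT|AND|OR|NOT)\b|PLC\[[^\]]+\]\.(?:DI|CO|IR|HR)\[\d+\]|<=|>=|==|=|<|>|-?\d+")
REF_RE = re.compile(r"PLC\[\s*([\d.]+)\s*\]\.(DI|CO|IR|HR)\[(\d+)\]")
OPS = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge, "=": operator.eq, "==": operator.eq}


class RuleParser:
    def __init__(self, text):
        self.tokens, self.pos = TOKEN_RE.findall(text), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def rule(self):  # rule := IF expr THEN ALERT
        self.take("IF")
        cond = self.expr()
        self.take("THEN")
        self.take("ALERT")
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return cond

    def expr(self):  # expr := term (OR term)*
        left = self.term()
        while self.peek() == "OR":
            self.take()
            left = (lambda a, b: lambda s: a(s) or b(s))(left, self.term())
        return left

    def term(self):  # term := factor (AND factor)*
        left = self.factor()
        while self.peek() == "AND":
            self.take()
            left = (lambda a, b: lambda s: a(s) and b(s))(left, self.factor())
        return left

    def factor(self):  # factor := NOT factor | '(' expr ')' | PLC[ip].TABLE[index] op number
        if self.peek() == "NOT":
            self.take()
            inner = self.factor()
            return lambda s: not inner(s)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            self.take(")")
            return inner
        ref = REF_RE.fullmatch(self.take())
        if ref is None:
            raise ValueError("expected PLC[ip].TABLE[index]")
        op, number = OPS[self.take()], int(self.take())
        ip, table, index = ref.group(1), ref.group(2), int(ref.group(3))
        return lambda s: op(s[ip][table][index], number)


def load_rules(lines):
    """Returns (rule text, compiled condition) pairs; blank lines are skipped."""
    return [(line.strip(), RuleParser(line).rule()) for line in lines if line.strip()]


def critical_state_analyzer(system, rules, packet):
    """Apply the packet to a copy of the image; block it if any rule fires, otherwise commit the copy.
    packet is a dict with dst, function_code, address and value (the fields shown on slides 15 and 17)."""
    candidate = copy.deepcopy(system)
    apply_transaction(candidate, packet["dst"], packet["function_code"], packet["address"], packet["value"])
    fired = [text for text, cond in rules if cond(candidate)]
    if fired:
        return "BLOCK", fired
    system[packet["dst"]] = candidate[packet["dst"]]
    return "ALLOW", []
```

With the rule of this slide loaded, the Write Coil (05) packet for coil 1 of 10.0.0.1 returns `("BLOCK", [rule text])` and leaves the image unchanged, while a write that fires no rule returns `("ALLOW", [])` and is mirrored into the image; a packet is evaluated against the state it would produce, not the state before it, which is what lets the filter stop a locally licit command from driving the system into a critical state.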

Page 18

The Power system SCADA lab

Contains:
- Idrolab (+150 sensors/actuators)
- Control room
- 3 SCADA systems

Hardware and Software:
- 20 High Performance Servers
- 150 High End PCs and notebooks
- 10 Layer 3, 24 ports, gigabit switches
- 4 High Performance wireless switches
- 1 Nokia-Checkpoint solid state Firewall
- 4 full network racks
- 18 km of network cables
- 300 gigabit network cards
- A 100 kW cooling system
- A 100 kW UPS system

Page 19

JRC SCADA LAB.

[Network diagram; labels as shown]
Networks: Corporate Intranet; Plant Office Network (Switch Office Net, four WorkStations); Subnet B; Subnet C; Process Network; Scada Sub-Net; ASC Sub-Net; Control Network; Secondary Regulation Network; DMZ; Internet; Field Network; Data Network
Devices: Router Wind (four); Radius Server; FW Switch; Power Plant FW; Switch1; Switch2; Secondary Regulation Controller; Turbogas Controller; Steam Cycle Controller; RTU (secondary regulation); SCTG SCP Server; SCP Client; ATTPIAWINIS; Switch ASC (two); Tenore ASC; Gateway OPC-PI SMAVTG; GTDS; DB; Server PI; DB PI; Switch DMZ; SME; DNS Parent Server; Routers; FW-VPN Master/Secondary; PLC - RTU; Actuators, Sensors
Field links: Modbus; Analogic 4-20 mA; Profibus I/O; Tras.

[Diagram: Virtual PLC software stack; labels as shown: Operating System, TCP socket .net C#, TCP Stream Builder, Level 0, ModBUS ADU Builder, ModBUS Stream Builder, Registers, Level 1, TCP/IP, Virtual PLC, Level 2, PLC Logic, Coils]

Page 20

Test: Encryption Layer

Page 21

Test: Packet Loss

[Setup: Master ↔ Switch ↔ Filter ↔ Slave; Request / Response]

• Master: sends 100.000 request packets of 260 bytes
• Slave: responds with 100.000 responses of 260 bytes

Requests Sent     100.000
Responses Sent    100.000
Size Request      315 bytes
Size Response     315 bytes
Request Rate      1 request sent each 1 ms
Rate              615,2 kbytes/s
Packet Loss       0

Page 22

Test: Single Signature Rules Analyzer

[Setup: Master ↔ Switch ↔ Filter ↔ Slave; Request / Response]

• Master: sends 1000 requests
• Slave: responds with 1000 responses
• Filter: captures the messages and checks whether they are licit, according to a rules file which contains n rules.

Num Rules   Average Time (on 1000 pkts)
10          0.0412618 ms
50          0.1495607 ms
100         0.2486327 ms
500         1.1152725 ms
1000        2.1427072 ms
2000        4.1623632 ms

[Plot: Time in ms (0 to 4.5) versus Rules Number (0 to 2500)]

Page 23

Test: Virtual System Update

[Setup: Master ↔ Switch ↔ Filter ↔ Slave; Request / Response]

• Master: sends 1000 requests with the command "Read n-coils"
• Slave: responds with 1000 responses which contain the n values
• Filter: captures the request/response transaction and updates the n values in the Virtual System

Num Coils   Average Time (on 1000 pkts)
1           0,0012168 ms
50          0,0030485 ms
100         0,0044824 ms
500         0,0173109 ms
1000        0,0334344 ms
2000        0,0624535 ms

[Plot: Time in ms (0 to 0.07) versus Coils Number (0 to 2500)]

Page 24

Test: Critical State Rules Analyzer (1)

[Setup: Master ↔ Switch ↔ Filter ↔ Slave; Request / Response]

• Master: sends 1000 generic requests
• Slave: responds with 1000 responses
• Filter: captures the req/res transaction, then checks whether the Virtual System is entering a Critical State, according to a rules file which contains only one rule with n conditions

Num Conditions   Average Time (on 1000 pkts)
2                0,0204746 ms
16               0,0301169 ms
64               0,0550301 ms
128              0,1206957 ms
256              0,2127598 ms
512              0,4226185 ms
1024             1,0706136 ms

[Plot: Time in ms (0 to 1.2) versus Conditions Number (0 to 1200)]

Page 25

Test: Critical State Rules Analyzer (2)

[Setup: Master ↔ Switch ↔ Filter ↔ Slave; Request / Response]

• Master: sends 1000 generic requests
• Slave: responds with 1000 responses
• Filter: captures the request/response transaction, then checks whether the Virtual System is entering a Critical State, according to a rules file which contains n rules

Num Rules   Average Time (on 1000 pkts)
10          0,1123061 ms
50          0,5153591 ms
100         1,0248889 ms
500         2,6010271 ms
1000        5,0175991 ms
2000        9,9285867 ms

[Plot: Time in ms (0 to 12) versus Rules Number (0 to 2500)]

Page 26

• Thousands of devices to monitor
• Hundreds of Subsystems
• Geographically sparse systems
• System of Systems

Impossible to analyze states on a single level

[Diagram: SCADA MASTER → Signature Layer → SCADA protocol, signed packets → CS based Filtering Unit (one per subsystem) → SCADA protocol, double signed packets → Packet Validators / PLCs; Gateway; Subsystem 1, 2, 3, each with a CS based IDS raising an Alert to the CS Aggregator; Proactive mitigation; Critical State Monitor mesh; Filtering Mesh; SoS hierarchy: System, Subsystem, Component; Stakeholders]

Page 27

Future Works

– Abstract Aggregation
– Critical State Prediction
– Critical State Prediction based Firewalls
– Lightweight Cryptographic mechanisms for SCADA protocols