A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection
I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta
Joint Research Centre (JRC)
The European Commission’s Research-Based Policy Support Organisation
Insubria University
Consequences of pervasive ICT in Critical Infrastructures
Today most critical infrastructures depend heavily on the underlying communication networks: Supervisory Control and Data Acquisition (SCADA) systems are interconnected over public networks.
New attack scenarios -> new vulnerabilities -> new risks
An Example: The ModBUS frame
ModBUS serial frame (RS232, RS422/485): 253 bytes (PDU) + 1 byte (slave ADDR) + 2 bytes (CRC) = 256 bytes max ADU
ModBUS TCP/IP frame: 253 bytes (PDU) + 7 bytes (MBAP) = 260 bytes max ADU
MBAP Header:
• Transaction Identifier
• Protocol Identifier
• Length
• Unit Identifier
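To make the frame layout concrete, the following is an added example (not code from the deck or from the JRC prototype) that builds and parses a Modbus/TCP ADU with Python's struct module: the 7-byte MBAP header, the 253-byte PDU limit and the 260-byte ADU limit above, plus the consistency check between the MBAP Length field and the bytes actually received, which a filter must perform before trusting any field. The sample frame (Write Single Coil, function 05) and the function names are constructed for the example.

```python
import struct

MBAP_LEN = 7                        # Transaction Id (2) + Protocol Id (2) + Length (2) + Unit Id (1)
MAX_PDU = 253                       # Modbus PDU limit
MAX_ADU_TCP = MAX_PDU + MBAP_LEN    # 260 bytes, as on the slide
MODBUS_PROTOCOL_ID = 0              # Protocol Identifier is always 0 for Modbus


class ModbusFrameError(ValueError):
    pass


def build_adu(transaction_id, unit_id, function_code, data):
    """Build a Modbus/TCP ADU: MBAP header followed by the PDU (function code + data)."""
    pdu = bytes([function_code]) + data
    if len(pdu) > MAX_PDU:
        raise ModbusFrameError("PDU exceeds 253 bytes")
    # The MBAP Length field counts the Unit Identifier plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(frame):
    """Parse and sanity-check a Modbus/TCP ADU; returns the MBAP fields and the PDU."""
    if len(frame) < MBAP_LEN + 1:
        raise ModbusFrameError("frame shorter than MBAP header + function code")
    if len(frame) > MAX_ADU_TCP:
        raise ModbusFrameError("frame exceeds the 260-byte Modbus/TCP ADU limit")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != MODBUS_PROTOCOL_ID:
        raise ModbusFrameError("protocol identifier must be 0 for Modbus")
    # The declared length must match what is on the wire (6 bytes precede the Unit Id).
    if length != len(frame) - 6:
        raise ModbusFrameError("MBAP length field does not match the frame size")
    pdu = frame[MBAP_LEN:]
    return {"transaction_id": tid, "protocol_id": pid, "length": length,
            "unit_id": uid, "function_code": pdu[0], "data": pdu[1:]}


def is_valid_adu(frame):
    """Convenience wrapper: True when parse_adu accepts the frame."""
    try:
        parse_adu(frame)
        return True
    except ModbusFrameError:
        return False


def decode_write_single_coil(data):
    """Function 05: output address (2 bytes) + value (0xFF00 = ON, 0x0000 = OFF)."""
    if len(data) != 4:
        raise ModbusFrameError("Write Single Coil needs exactly 4 data bytes")
    address, value = struct.unpack(">HH", data)
    if value not in (0xFF00, 0x0000):
        raise ModbusFrameError("illegal coil value")
    return address, value == 0xFF00


def example_frame():
    """Constructed request: set coil 1 of unit 1 ON (the deck's 'Write Coil (05), Address 1, Value 1')."""
    return build_adu(transaction_id=7, unit_id=1, function_code=0x05,
                     data=struct.pack(">HH", 1, 0xFF00))


def example():
    fields = parse_adu(example_frame())
    coil, on = decode_write_single_coil(fields["data"])
    return fields, coil, on


if __name__ == "__main__":
    print(example())
```

A truncated or over-long frame is rejected before any field is interpreted, which is the check a filtering unit in front of a PLC needs so that a malformed ADU cannot desynchronise its view of the stream.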
SCADA Protocols Vulnerabilities
• Unauthorized Command Execution
• Man-in-the-Middle
• Replay attacks
• Repudiation
The missing properties: …authentication… …integrity… …freshness…
Secure Modbus Prototype
• Time-stamp
• SHA2 digest (256 bit)
• RSA signature on the SHA2 digest
E-Modbus: the ModBUS TCP/IP frame extended with a time-stamp (MBAP | TS | Function | Data)
S-Modbus pkt: E-Modbus followed by the RSA signature, made with PKm (the Master private key), over SHA2(E-Modbus)
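The construction above is shown end to end in the following added example (not code from the deck or the prototype): the Modbus frame is prefixed with a time-stamp, SHA-256 is taken over the result and the digest is RSA-signed with the Master private key (PKm in the deck's notation); the receiver checks the signature with the Master public key, then the time-stamp for freshness, then a memory of accepted digests for replays. The RSA part is a toy textbook implementation written for this example (no padding, throwaway keys, Miller-Rabin primes), a stand-in for the library a real deployment would use; the 5-second freshness window, the 64-bit time-stamp encoding and the sample frame are assumptions.

```python
import hashlib
import random
import struct
import time


# ---- Toy textbook RSA (no padding; stand-in for a real RSA library, keys are throwaway) ----
def _is_probable_prime(n, rounds=20):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Returns ((d, n), (e, n)); n is above 2**256 so a SHA-256 digest fits as a bare integer."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (pow(e, -1, phi), p * q), (e, p * q)


# ---- S-Modbus: E-Modbus = TS | Modbus frame, then RSA_sign(SHA-256(E-Modbus)) appended ----
FRESHNESS_WINDOW_S = 5   # assumed acceptance window for the time-stamp (not given in the deck)


def build_s_modbus(modbus_frame, private_key, ts=None):
    d, n = private_key
    e_modbus = struct.pack(">Q", int(time.time()) if ts is None else ts) + modbus_frame
    digest = int.from_bytes(hashlib.sha256(e_modbus).digest(), "big")
    return e_modbus + pow(digest, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


class SModbusVerifier:
    def __init__(self, public_key, window=FRESHNESS_WINDOW_S):
        self.e, self.n = public_key
        self.window = window
        self.seen = set()   # digests already accepted: replay detection inside the window

    def verify(self, packet, now=None):
        """Returns (accepted, reason, modbus_frame): authenticity/integrity, then freshness, then replay."""
        now = int(time.time()) if now is None else now
        sig_len = (self.n.bit_length() + 7) // 8
        if len(packet) < 8 + 1 + sig_len:
            return False, "truncated", None
        e_modbus, sig = packet[:-sig_len], packet[-sig_len:]
        digest = int.from_bytes(hashlib.sha256(e_modbus).digest(), "big")
        if pow(int.from_bytes(sig, "big"), self.e, self.n) != digest:
            return False, "bad signature", None
        ts = struct.unpack(">Q", e_modbus[:8])[0]
        if abs(now - ts) > self.window:
            return False, "stale timestamp", None
        if digest in self.seen:
            return False, "replay", None
        self.seen.add(digest)
        return True, "ok", e_modbus[8:]


def demo(now=1_700_000_000):
    """Constructed Write Single Coil frame; returns the verifier's verdict for four deliveries."""
    priv, pub = generate_keypair()
    frame = bytes.fromhex("000700000006" "01" "05" "0001" "ff00")
    pkt = build_s_modbus(frame, priv, ts=now)
    verifier = SModbusVerifier(pub)
    first = verifier.verify(pkt, now=now)[1]            # genuine packet
    replay = verifier.verify(pkt, now=now + 1)[1]       # same packet again, still inside the window
    tampered = bytearray(pkt)
    tampered[8 + 11] ^= 0x01                            # flip a bit of the coil value inside E-Modbus
    forged = verifier.verify(bytes(tampered), now=now)[1]
    stale = SModbusVerifier(pub).verify(pkt, now=now + 60)[1]   # fresh verifier, old time-stamp
    return first, replay, forged, stale
```

The order of the checks matters: the signature is verified first so that an attacker cannot learn anything from the freshness or replay logic with an unsigned packet, and the replay memory only has to hold digests seen inside the freshness window, so a real verifier would prune it as the window moves.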
Considerations
• A secure protocol does not protect from the corruption of the traffic originator, i.e. the Master…
K-Survivable SCADA Architecture
Attacks:
• Unauthorized Command Execution
• Replay Attack
• Master infection
• Master-FU infection
Solutions:
• Signature
• Secure ModBUS
• Filtering Unit (FU)
• Multiple FU
Notation:
PKm = Private Key Master
SKm = Public key Master
TS = Time Stamp
FU = Filtering Unit
PKf = Private key FU
SKf = Public key FU
Message flow (from the diagram): the Master sends {TS|ModBUS}PKm, i.e. the time-stamped ModBUS frame signed with the Master private key (plain {data}PKm for legacy traffic); the Filtering Unit checks the signature with SKm, then adds its own signature and forwards {{TS|ModBUS}PKm}PKf; the Slave verifies both signatures (with SKf and SKm) before accepting {TS|ModBUS}. An attacker sitting between Master and FU, or between FU and Slave, cannot produce a packet that carries both valid signatures.
Filtering Units run on different architectures and operating systems (Linux, Windows), acting as a SCADA firewall, so that one infection vector does not take out every FU.
...Problem...
Locally licit commands put the system into a critical state.
Example from the diagram: the requests R1: PKT(###) "Open V2", R2: PKT(#@!) "Close V1" and R3: PKT(^&%) "Close V3", addressed to PLC1, PLC2 and PLC3, each pass the Filtering Cloud as a legitimate single packet, yet their combined effect on the plant should raise an Alert!
…but…
ICT World: ICT signature-based IDS
Industrial World: Safety Analysis
State Based Approach (1)
• SCADA System Representation
Each device is modelled as an object. PLC attributes (class diagram):
- address : string (10.0.0.1 / 10.0.0.2 / 10.0.0.3)
- port : int = 502
- id : byte (1 / 2 / 3)
- discrete inputs : bool[]
- coils : bool[]
- input registers : short[]
- holding registers : short[]
- exception status coils : bool[]
- diagnostic register : short
- counters : short[]
Master attributes: address : string = 10.0.0.254, port : int = 502
Example system: Master 10.0.0.254:502 connected to PLC 1 (10.0.0.1:502, ID 1), PLC 2 (10.0.0.2:502, ID 2) and PLC 3 (10.0.0.3:502, ID 3). The DI / CO / IR / HR tables hold 100 entries on PLC 1, 200 on PLC 2 and 300 on PLC 3; exception status coils [8] and counters [9] are the same size on every PLC.
State Based Approach (3)
• Critical State Representation
Same example system (Master 10.0.0.254, PLCs 1-3). The plant fragment in the diagram: a pump P1 with valves VIN and VOUT, with holding registers HR[1] = 100 and HR[2] = 500.
A critical state is written as a condition over the registers of several PLCs:
IF ( PLC[ 10.0.0.1 ].HR[1] < 20 AND PLC[ 10.0.0.2 ].HR[2] > 70 ) THEN "The system is in a critical state"
State Based Filter Architecture
Loader: Virtual System Loader (reads the Virtual System Descriptor File), Basic Rules File -> Single packet rules DB (SPDB), Critical State Rules File -> Critical State Rules DB (CSRDB); Database and DB Sender
SCADA Protocol Sensor (SPS): Network Capture Module, Protocol Discover, Protocol Builder
System Virtual Image (SVI): Virtual System, Update System Manager, Real System Synchronizer
Analyzer: Basic Analyzer (single packet rules), Critical State Analyzer (critical state rules)
Real System: PLC 1, PLC 2, ..., PLC n
Loader: Virtual System Loader
Real System: Master 10.0.0.254:502 and PLC 1 (10.0.0.1:502, ID 1), PLC 2 (10.0.0.2:502, ID 2), PLC 3 (10.0.0.3:502, ID 3) with DI / CO / IR / HR tables of 100, 200 and 300 entries.
Objects stored in the Filter memory: one object per device with the attributes of the SCADA System Representation (PLC 1: address 10.0.0.1, port 502, id 1, tables [100] [100] [100] [100], exception status coils [8], counters [9]; PLC 2: 10.0.0.2, id 2, tables of 200; PLC 3: 10.0.0.3, id 3, tables of 300; Master: 10.0.0.254, port 502).
The objects are built from the XML Virtual System Descriptor File:
<infrastructure>
  <master address="10.0.0.254" port="502" />
  <plc address="10.0.0.1" port="502" id="1" >
    <discrete_inputs numbers="100" />
    ...
    <holding_registers numbers="100" />
  </plc>
  <plc address="10.0.0.2" port="502" id="2" >
    <discrete_inputs numbers="200" />
    ...
    <holding_registers numbers="200" />
  </plc>
  <plc address="10.0.0.3" port="502" id="3" >
    <discrete_inputs numbers="300" />
    ...
    <holding_registers numbers="300" />
  </plc>
</infrastructure>
Loader: Critical State Rules Loader
• IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND ( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT
The rule is loaded into the CSRDB as an expression tree:
AND
  OR
    PLC[10.0.0.1].HR[1] > 70
    PLC[10.0.0.1].HR[2] < 20
  OR
    PLC[10.0.0.2].CO[0] = 0
    NOT
      PLC[10.0.0.2].CO[1] = 1
SVI: Update System Manager
Virtual System before the packet: PLC 10.0.0.1 (DI[0..99], CO, IR, HR all 0), PLC 10.0.0.2 (DI[0..199], CO, IR, HR all 0), PLC 10.0.0.3 (DI[0..299], CO, IR, HR all 0).
Captured packet: Source 10.0.0.254, Destination 10.0.0.1, Function Code Write Coil (05), Address 1, Value 1.
Effect on the Virtual System: PLC 10.0.0.1, CO[1] = 1.
SVI: Real System Synchronizer
The synchronizer queries the field devices and updates the System Virtual Image with the values actually read, so that the image does not drift from the plant.
Virtual System before: the DI / CO / IR / HR tables of PLC 10.0.0.1, 10.0.0.2 and 10.0.0.3 all at 0.
Virtual System after: PLC 10.0.0.1 DI = 0 1 .. 1; PLC 10.0.0.2 IR = 0 8 .. 0; PLC 10.0.0.3 CO = 0 0 .. 1 and HR = 0 7 .. 0; every other table unchanged.
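The three SVI steps on these slides (loading the virtual system from the XML descriptor, applying an observed Write Coil transaction, and synchronising with values polled from the devices) fit together in one added example, written for this page and not taken from the filter's code base. It parses the descriptor format shown on the Loader slide with the standard library; the element names for the coils and input-registers tables, which the slide elides with "...", and the dict layout of the decoded transactions are assumptions. Every write is bounds-checked against the sizes from the descriptor, so a transaction addressing a non-existent register cannot grow the image.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed descriptor in the slide's format; the two middle element names are assumed.
DESCRIPTOR_XML = """
<infrastructure>
  <master address="10.0.0.254" port="502" />
  <plc address="10.0.0.1" port="502" id="1">
    <discrete_inputs numbers="100" /> <coils numbers="100" />
    <input_registers numbers="100" /> <holding_registers numbers="100" />
  </plc>
  <plc address="10.0.0.2" port="502" id="2">
    <discrete_inputs numbers="200" /> <coils numbers="200" />
    <input_registers numbers="200" /> <holding_registers numbers="200" />
  </plc>
  <plc address="10.0.0.3" port="502" id="3">
    <discrete_inputs numbers="300" /> <coils numbers="300" />
    <input_registers numbers="300" /> <holding_registers numbers="300" />
  </plc>
</infrastructure>
"""

TABLES = {"discrete_inputs": "DI", "coils": "CO", "input_registers": "IR", "holding_registers": "HR"}


def load_virtual_system(xml_text):
    """Virtual System Loader: build the System Virtual Image (all tables zeroed) from the descriptor."""
    root = ET.fromstring(xml_text.strip())
    master = root.find("master")
    svi = {"master": (master.get("address"), int(master.get("port"))), "plcs": {}}
    for plc in root.findall("plc"):
        tables = {TABLES[c.tag]: [0] * int(c.get("numbers")) for c in plc if c.tag in TABLES}
        missing = set(TABLES.values()) - set(tables)
        if missing:
            raise ValueError("descriptor for %s lacks tables %s" % (plc.get("address"), sorted(missing)))
        svi["plcs"][plc.get("address")] = {"id": int(plc.get("id")), "port": int(plc.get("port")), **tables}
    return svi


def _check_range(table, start, count=1):
    if start < 0 or start + count > len(table):
        raise ValueError("address %d (+%d) outside a table of %d entries" % (start, count, len(table)))


def update_system_manager(svi, transaction):
    """Update System Manager: apply a decoded request/response transaction to the SVI."""
    plc = svi["plcs"][transaction["dst"]]
    fc = transaction["function_code"]
    if fc == 5:                                   # Write Single Coil: the request carries the new value
        _check_range(plc["CO"], transaction["address"])
        plc["CO"][transaction["address"]] = 1 if transaction["value"] else 0
    elif fc == 6:                                 # Write Single Register
        _check_range(plc["HR"], transaction["address"])
        plc["HR"][transaction["address"]] = transaction["value"]
    elif fc == 1:                                 # Read Coils: the response carries n coil values
        values, start = transaction["values"], transaction["address"]
        _check_range(plc["CO"], start, len(values))
        plc["CO"][start:start + len(values)] = values
    else:
        raise ValueError("unsupported function code %d" % fc)
    return svi


def real_system_synchronizer(svi, polled):
    """Real System Synchronizer: overwrite whole tables with values read from the field devices."""
    for addr, tables in polled.items():
        for table, values in tables.items():
            target = svi["plcs"][addr][table]
            if len(values) != len(target):
                raise ValueError("size mismatch for %s.%s" % (addr, table))
            target[:] = values
    return svi


def demo():
    """Slide 15 transaction followed by the slide 16 synchronisation; returns (before, after)."""
    svi = load_virtual_system(DESCRIPTOR_XML)
    before = copy.deepcopy(svi)
    update_system_manager(svi, {"src": "10.0.0.254", "dst": "10.0.0.1",
                                "function_code": 5, "address": 1, "value": 1})
    polled = {"10.0.0.1": {"DI": [0, 1] + [1] * 98},          # constructed to match the "after" picture
              "10.0.0.2": {"IR": [0, 8] + [0] * 198},
              "10.0.0.3": {"CO": [0] * 299 + [1], "HR": [0, 7] + [0] * 298}}
    real_system_synchronizer(svi, polled)
    return before, svi
```

The image is updated from traffic the sensor has already decoded, so the loader's table sizes are the only trusted bound; a Read Coils response that claims more coils than the descriptor allows is rejected rather than silently extending the image.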
Analyzer: Critical State Analyzer
Virtual System: PLC 10.0.0.1, 10.0.0.2 and 10.0.0.3 with all DI / CO / IR / HR tables at 0.
Captured packet: Source 10.0.0.254, Destination 10.0.0.1, Function Code Write Coil (05), Address 1, Value 1.
Check Rules DB (CSRDB): IF ( PLC[10.0.0.1].CO[1] == 1 ) THEN ALERT
The packet would set CO[1] = 1 and drive the Virtual System into the critical state described by the rule, so the filter blocks the packet.
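The rule language on the Critical State Representation, Critical State Rules Loader and Critical State Analyzer slides is small enough to implement in full, so the following added example (written for this page, not the filter's own code) parses the three rules from the deck into the same kind of expression tree the loader slide draws, and then does what the analyzer slide describes: it applies the captured packet to a copy of the virtual system and blocks the packet if any rule would fire on the projected state. The virtual system is a flat dict keyed by PLC address, the decoded packet dicts are constructed, and the grammar (OR below AND below NOT, with both = and == accepted) is an assumption that matches the deck's examples.

```python
import copy
import operator
import re

# Tokens of the rule language: PLC[<ip>].<table>[<index>] references, integers, comparison
# operators, the keywords IF/THEN/ALERT/AND/OR/NOT and parentheses.
TOKEN_RE = re.compile(r"""\s*(?:
      PLC\[\s*(?P<ip>[\d.]+)\s*\]\.(?P<table>DI|CO|IR|HR)\[(?P<idx>\d+)\]
    | (?P<num>\d+)
    | (?P<op><=|>=|==|!=|<|>|=)
    | (?P<kw>AND|OR|NOT|IF|THEN|ALERT)
    | (?P<paren>[()])
)""", re.X)
OPS = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge,
       "=": operator.eq, "==": operator.eq, "!=": operator.ne}


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError("unexpected input at %r" % text[pos:pos + 12])
        pos = m.end()
        if m.group("ip"):
            tokens.append(("ref", (m.group("ip"), m.group("table"), int(m.group("idx")))))
        elif m.group("num"):
            tokens.append(("num", int(m.group("num"))))
        elif m.group("op"):
            tokens.append(("op", m.group("op")))
        elif m.group("kw"):
            tokens.append(("kw", m.group("kw")))
        else:
            tokens.append(("paren", m.group("paren")))
    return tokens


class RuleParser:
    """Recursive descent: OR binds loosest, then AND, then NOT / parentheses / a comparison."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind, value=None):
        k, v = self.peek()
        if k != kind or (value is not None and v != value):
            raise SyntaxError("expected %s %r, got %s %r" % (kind, value, k, v))
        self.i += 1
        return v

    def parse_rule(self):                      # IF <expr> THEN ALERT
        self.take("kw", "IF")
        tree = self.parse_or()
        self.take("kw", "THEN"), self.take("kw", "ALERT")
        if self.peek()[0] is not None:
            raise SyntaxError("trailing tokens after ALERT")
        return tree

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("kw", "OR"):
            self.i += 1
            node = ("OR", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == ("kw", "AND"):
            self.i += 1
            node = ("AND", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == ("kw", "NOT"):
            self.i += 1
            return ("NOT", self.parse_not())
        if self.peek() == ("paren", "("):
            self.i += 1
            node = self.parse_or()
            self.take("paren", ")")
            return node
        return ("CMP", self.take("ref"), self.take("op"), self.take("num"))


def evaluate(node, svi):
    """Walk the tree against the virtual system: svi[ip][table][index] is the current value."""
    if node[0] == "OR":
        return evaluate(node[1], svi) or evaluate(node[2], svi)
    if node[0] == "AND":
        return evaluate(node[1], svi) and evaluate(node[2], svi)
    if node[0] == "NOT":
        return not evaluate(node[1], svi)
    (ip, table, idx), op, num = node[1], node[2], node[3]
    return OPS[op](svi[ip][table][idx], num)


def compile_rules(texts):
    return [(t, RuleParser(tokenize(t)).parse_rule()) for t in texts]


def apply_packet(svi, pkt):
    """Project the packet on a copy of the SVI (only Write Single Coil 05 / Register 06 here)."""
    projected = copy.deepcopy(svi)
    projected[pkt["dst"]][{5: "CO", 6: "HR"}[pkt["function_code"]]][pkt["address"]] = pkt["value"]
    return projected


def critical_state_analyzer(svi, pkt, rules):
    """Block the packet if any rule fires on the projected state; otherwise forward it."""
    fired = [text for text, tree in rules if evaluate(tree, apply_packet(svi, pkt))]
    return ("BLOCK", fired) if fired else ("FORWARD", [])


RULES_TEXT = [   # the three rules from the deck, verbatim
    "IF ( PLC[10.0.0.1].HR[1] < 20 AND PLC[10.0.0.2].HR[2] > 70 ) THEN ALERT",
    "IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND "
    "( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT",
    "IF ( PLC[10.0.0.1].CO[1] == 1 ) THEN ALERT",
]


def demo():
    """Constructed SVI in the deck's 100/200/300 layout; returns the verdict for three packets."""
    rules = compile_rules(RULES_TEXT)
    svi = {ip: {t: [0] * n for t in ("DI", "CO", "IR", "HR")}
           for ip, n in (("10.0.0.1", 100), ("10.0.0.2", 200), ("10.0.0.3", 300))}
    svi["10.0.0.1"]["HR"][1], svi["10.0.0.2"]["HR"][2] = 100, 500   # values from the slide-11 picture
    svi["10.0.0.2"]["CO"][0] = svi["10.0.0.2"]["CO"][1] = 1        # keeps the slide-14 rule quiet
    write_coil = {"dst": "10.0.0.1", "function_code": 5, "address": 1, "value": 1}   # slide 17
    write_reg = {"dst": "10.0.0.1", "function_code": 6, "address": 1, "value": 10}   # HR[1] below 20
    harmless = {"dst": "10.0.0.3", "function_code": 5, "address": 5, "value": 1}
    return [critical_state_analyzer(svi, p, rules) for p in (write_coil, write_reg, harmless)]
```

The second packet is the "locally licit command" case from the Problem slide: a single Write Register to PLC 1 is unremarkable on its own, and only the rule that also looks at PLC 2's register reveals that it would put the system into a critical state.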
The Power system SCADA lab
Contains:
- Idrolab (+150 sensors/actuators)
- Control room
- 3 SCADA systems
Hardware and Software:
- 20 High Performance Servers
- 150 High End PCs and notebooks
- 10 Layer 3, 24 ports, gigabit switches
- 4 High Performance wireless switches
- 1 Nokia-Checkpoint solid state Firewall
- 4 full network racks
- 18 km of network cables
- 300 gigabit network cards
- A 100 kW cooling system
- A 100 kW UPS system
JRC SCADA LAB.
Network diagram (labels recovered from the figure): Internet and Corporate Intranet; Plant Office Network (Office Net switch, workstations, Subnet B and Subnet C behind routers, RADIUS server, FW switch); DMZ (Server PI, DB PI, SME, GTDS, SCTG SCP Server, SCP Client, Gateway OPC-PI, DMZ switch); Process Network behind the Power Plant FW with a Scada Sub-Net and an ASC Sub-Net (ATTPIAWINIS, Tenore ASC, SMAVTG, ASC switches); Control Network with the Secondary Regulation Controller, Turbogas Controller, Steam Cycle Controller and an RTU (secondary regulation); Secondary Regulation Network; Data Network with routers and a DNS Parent Server; FW-VPN Master/Secondary; Field Network with PLC / RTU, Modbus, Profibus I/O, analog 4-20 mA transmitters, actuators and sensors.
Virtual PLC software stack (from the figure):
Level 0: Operating System, TCP socket (.NET C#), TCP Stream Builder
Level 1: ModBUS Stream Builder, ModBUS ADU Builder over TCP/IP
Level 2: Virtual PLC with PLC Logic, Registers and Coils
Test: Encryption Layer
Test: Packet Loss
Setup: Master <-> Switch <-> Filter <-> Slave (request / response)
• Master: sends 100,000 request packets of 260 bytes
• Slave: responds with 100,000 responses of 260 bytes
Requests Sent      100,000
Responses Sent     100,000
Size Request       315 bytes
Size Response      315 bytes
Request Rate       1 request sent each 1 ms
Rate               615.2 kbytes/s
Packet Loss        0
Test: Single Signature Rules Analyzer
Setup: Master <-> Switch <-> Filter <-> Slave (request / response)
• Master: sends 1000 requests
• Slave: responds with 1000 responses
• Filter: captures the messages and checks whether they are licit, according to a rules file which contains n rules.
Num Rules    Average Time (on 1000 pkts)
10           0.0412618 ms
50           0.1495607 ms
100          0.2486327 ms
500          1.1152725 ms
1000         2.1427072 ms
2000         4.1623632 ms
(Chart: Time in ms vs. Rules Number, 0 to 2500 rules on the x axis, 0 to 4.5 ms on the y axis)
Test: Virtual System Update
Setup: Master <-> Switch <-> Filter <-> Slave (request / response)
• Master: sends 1000 requests with the command "Read n coils"
• Slave: responds with 1000 responses which contain the n values
• Filter: captures the request/response transaction and updates the n values in the Virtual System
Num Coils    Average Time (on 1000 pkts)
1            0.0012168 ms
50           0.0030485 ms
100          0.0044824 ms
500          0.0173109 ms
1000         0.0334344 ms
2000         0.0624535 ms
(Chart: Time in ms vs. Coils Number, 0 to 2500 coils on the x axis, 0 to 0.07 ms on the y axis)
Test: Critical State Rules Analyzer (1)
Setup: Master <-> Switch <-> Filter <-> Slave (request / response)
• Master: sends 1000 generic requests
• Slave: responds with 1000 responses
• Filter: captures the request/response transaction, then checks whether the Virtual System is entering a Critical State, according to a rules file which contains only one rule with n conditions.
Num Conditions    Average Time (on 1000 pkts)
2                 0.0204746 ms
16                0.0301169 ms
64                0.0550301 ms
128               0.1206957 ms
256               0.2127598 ms
512               0.4226185 ms
1024              1.0706136 ms
(Chart: Time in ms vs. Conditions Number, 0 to 1200 conditions on the x axis, 0 to 1.2 ms on the y axis)
Test: Critical State Rules Analyzer (2)
Setup: Master <-> Switch <-> Filter <-> Slave (request / response)
• Master: sends 1000 generic requests
• Slave: responds with 1000 responses
• Filter: captures the request/response transaction, then checks whether the Virtual System is entering a Critical State, according to a rules file which contains n rules.
Num Rules    Average Time (on 1000 pkts)
10           0.1123061 ms
50           0.5153591 ms
100          1.0248889 ms
500          2.6010271 ms
1000         5.0175991 ms
2000         9.9285867 ms
(Chart: Time in ms vs. Rules Number, 0 to 2500 rules on the x axis, 0 to 12 ms on the y axis)
• Thousands of devices to monitor
• Hundreds of Subsystems
• Geographically sparse systems
• System of Systems
Impossible to analyze states on a single level
Hierarchical architecture (from the figure): the SCADA Master sends signed SCADA protocol packets through a Signature Layer; per subsystem (Subsystem 1, 2, 3) a CS (Critical State) based Filtering Unit behind a Gateway checks them and forwards double signed SCADA protocol packets to Packet Validators in front of the PLCs. A CS based IDS per subsystem raises Alerts to a CS Aggregator, which drives proactive mitigation. Together the units form a Filtering Mesh and a Critical State Monitor mesh over the SoS (System of Systems): System / Subsystem / Component, with their Stakeholders.
Future Works
– Abstract Aggregation
– Critical State Prediction
– Critical State Prediction based Firewalls
– Lightweight Cryptographic mechanisms for SCADA protocols