© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
SCADA Intrusion Detection System
Kieran McLaughlin
BooJoong Kang
Centre for Secure Information Technologies (CSIT) – Queen’s University Belfast
SEGRID-SPARKS, Bilbao, 8th September 2015
Outline
Background & Motivation
IEC 61850 PV Environment
SPARKS Multistage Attack
SCADA IDS Functions
Conclusions
Recent Cyber-attacks
– "BlackEnergy"
  • Malware discovered on Internet-connected HMIs
  • Targets HMI products from three vendors: GE, Siemens, BroadWin
– "Havex" Remote Access Trojan (RAT)
  • Targets OPC communications
  • OPC is a client/server technology widely used in process control systems
Ref: Trend Micro
SCADA Vulnerabilities
Interconnected IT systems (e.g. the office network) can provide a 'beachhead' for attacks
Intruders able to pivot to the SCADA network can:
– Sniff, observe, learn, record, replay, tamper, launch man-in-the-middle attacks, exfiltrate data
Attacks on SCADA threaten:
– System availability
– Data and control integrity
Cyber attack leads to physical impact
Motivation
Current cyber security deployments:
– Generally lack awareness of power system properties
– Lack deep protocol analysis at the SCADA application layer
– NIST recommends further research on the above, as well as on whitelist enforcement
Our aims:
– SCADA protocol verification, stateful analysis, and functional whitelisting
– Combine SCADA and power systems knowledge for detection in application layer data (OSI L7)
– Interface to anomaly detection based on a system model (T4.3)
IEC 61850 PV Environment
AIT SmartEST Lab
– Test laboratory for grid-coupled distributed energy resources (DER) in SPARKS
– Specialises in inverter tests, system tests with multiple components, and environmental tests
– Laboratory capable of testing PV inverters up to the 800 kW class
PV inverter: converts the direct current (DC) output of a photovoltaic (PV) solar panel into utility-frequency alternating current (AC) that can be fed into the electrical grid
IEC 61850 PV Environment
Figure: testbed network. The Internet connects to the office network, which connects to the SCADA network; the SCADA network hosts the IEC 61850 client and the PV inverters, which drive the physical electrical systems. The IEC 61850 SCADA IDS is attached to a SPAN port on the SCADA network.
IEC 61850 PV Environment
Simple overview of attack scenario
Figure: IEC 61850 client (HMI) communicating with an IEC 61850 server (PV inverter)
IEC 61850: communications standard for substations. Enables integration of protection, control, measurement and monitoring functions
IEC 61850
Communication Services
– Testbed photovoltaic inverters use IEC 61850 with the Manufacturing Message Specification (MMS)
Figure: IEC 61850 communication stack, showing how each service class is mapped onto a lower-layer profile
– Core Abstract Communication Service Interface (ACSI) services → MMS protocol suite → TCP/IP T-Profile or ISO CO T-Profile → ISO/IEC 8802-2 LLC → ISO/IEC 8802-3 (the path used by the PV testbed)
– Generic Object Oriented Substation Event (GOOSE) and Sampled Values (SV, multicast) → ISO/IEC 8802-3 with a dedicated Ethertype
– Generic Substation Status Event (GSSE) → GSSE T-Profile → ISO/IEC 8802-2 LLC → ISO/IEC 8802-3
– TimeSync (SNTP) → UDP/IP → ISO/IEC 8802-3
IEC 61850 Smart Grid Environment
Figure: attack scenario on the testbed network. The attacker's controller and web server are on the Internet; the office network and SCADA network contain a Windows 7 office PC, a Linux machine (e.g. a historian), the IEC 61850 client and the PV inverter, which drives the physical electrical systems.
• Attacker is able to launch targeted attacks against the PV inverter, using a custom Ettercap plugin
• Communication between the IEC 61850 client and the PV inverter is intercepted and modified
IEC 61850 Smart Grid Environment
Figure: same testbed network and attacker position as on the previous slide
Attack 1:
• Modify the max power limit of the PV inverter
• E.g. change 100% to 40%
Attack 2:
• Shut down the PV inverter
Protocol Analysis of Environment
Communication between Inverter and HMI
– Requests/Responses
  • getVariableAccessAttributes
  • read & write
– Keep-alive packets if no message for 5 seconds
Figure: sequence diagram. The HMI (client) sends requests to the inverter (server), which returns responses; when no message has been sent for 5 seconds, keep-alive packets are exchanged.
Protocol Analysis of Environment: MMS Request / Response
SCADA IDS Functions
Fundamental “low-level” alerts directly linked to SCADA
– Increased visibility of attack steps being executed
– Detect SCADA-specific attacks that standard IT approaches cannot
Detect malformed or malicious packets
– Due to replay or protocol fuzzing
– Even if the attack is ineffective, something is wrong
– IT assets may already be compromised (e.g. by 0-day)
Combine with other anomaly detection to form wider view
– Provide enhanced “security sensor” data for event correlation
– Use for traceability, forensic analysis
SCADA IDS Software
(Left) Custom IDS rules developed for standard open source tools such as Snort
(Right) Custom SCADA IDS tool incorporating the custom Snort rules, plus stateful analysis which Snort cannot provide
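The protocol-analysis slide above describes the HMI/inverter session as request/response pairs plus a keep-alive after 5 seconds of silence, and this slide claims that the stateful part of the detection is what a signature tool such as Snort cannot do. The following is an added illustration, not code from the SPARKS IDS: a toy stateful tracker over a simplified, pre-decoded representation of MMS messages (no real MMS/ASN.1 parsing). It pairs responses to outstanding invokeIDs, checks keep-alive timing against the 5-second rule, and applies a functional whitelist to write requests so that both attacks from the scenario (max power limit dropped to 40%, a shutdown command) raise alerts. The IP addresses, variable names (`MaxPowerLimit`, `ShutdownCtl`), the 60 to 100% write policy, the timeouts and the sample traffic are constructed assumptions for the example.

```python
"""Stateful functional-whitelist checks over a simplified IEC 61850/MMS event stream."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical testbed policy: one HMI client talking to one inverter server.
HMI = "10.0.1.10"
INVERTER = "10.0.1.20"
ALLOWED_SERVICES = {"getVariableAccessAttributes", "read", "write"}
# Writable variable -> (min, max). Names and limits are assumptions, not IEC 61850 names.
WRITE_POLICY = {"MaxPowerLimit": (60.0, 100.0)}
KEEPALIVE_PERIOD = 5.0   # seconds of silence after which a keep-alive is expected
RESPONSE_TIMEOUT = 2.0   # seconds a request may stay unanswered


@dataclass
class Msg:
    t: float                       # capture timestamp in seconds
    src: str
    dst: str
    kind: str                      # "request", "response" or "keepalive"
    invoke_id: Optional[int] = None
    service: Optional[str] = None
    var: Optional[str] = None
    value: Optional[float] = None


class MmsStateTracker:
    """Tracks one client/server session and emits (time, reason) alerts."""

    def __init__(self):
        self.pending = {}          # invoke_id -> outstanding request
        self.last_t = None
        self.alerts = []

    def _alert(self, m, reason):
        self.alerts.append((m.t, reason))

    def feed(self, m: Msg):
        if self.last_t is not None:
            gap = m.t - self.last_t
            # A keep-alive while traffic is flowing, or silence longer than the
            # keep-alive period without one, both break the observed session pattern.
            if m.kind == "keepalive" and gap < KEEPALIVE_PERIOD:
                self._alert(m, "keep-alive while session active")
            elif m.kind != "keepalive" and gap > KEEPALIVE_PERIOD:
                self._alert(m, f"no keep-alive during {gap:.1f}s silence")
        for iid, req in list(self.pending.items()):   # expire unanswered requests
            if m.t - req.t > RESPONSE_TIMEOUT:
                self._alert(req, f"request invokeID {iid} unanswered")
                del self.pending[iid]
        if m.kind == "request":
            self._check_request(m)
        elif m.kind == "response":
            self._check_response(m)
        self.last_t = m.t
        return self.alerts

    def _check_request(self, m):
        if (m.src, m.dst) != (HMI, INVERTER):
            self._alert(m, f"request from non-whitelisted endpoint {m.src}")
        if m.service not in ALLOWED_SERVICES:
            self._alert(m, f"service {m.service} not whitelisted")
        if m.invoke_id in self.pending:
            self._alert(m, f"duplicate invokeID {m.invoke_id} (replay?)")
        if m.service == "write":
            rng = WRITE_POLICY.get(m.var)
            if rng is None:
                self._alert(m, f"write to non-writable variable {m.var}")
            elif not rng[0] <= m.value <= rng[1]:
                self._alert(m, f"write {m.var}={m.value} outside policy {rng}")
        self.pending[m.invoke_id] = m

    def _check_response(self, m):
        req = self.pending.pop(m.invoke_id, None)
        if req is None:
            self._alert(m, f"unsolicited response invokeID {m.invoke_id}")
        elif (m.src, m.dst) != (req.dst, req.src):
            self._alert(m, "response from unexpected endpoint")


# Constructed sample traffic (not a real capture): normal polling, then the two
# attacks as they would appear on the SPAN port, then replay and rogue-host noise.
SAMPLE = [
    Msg(0.0, HMI, INVERTER, "request", 1, "getVariableAccessAttributes", "MaxPowerLimit"),
    Msg(0.1, INVERTER, HMI, "response", 1),
    Msg(1.0, HMI, INVERTER, "request", 2, "read", "MaxPowerLimit"),
    Msg(1.1, INVERTER, HMI, "response", 2, value=100.0),
    Msg(6.5, HMI, INVERTER, "keepalive"),                                 # legitimate
    Msg(7.0, HMI, INVERTER, "request", 3, "write", "MaxPowerLimit", 40.0),  # attack 1
    Msg(7.1, INVERTER, HMI, "response", 3),
    Msg(8.0, HMI, INVERTER, "request", 4, "write", "ShutdownCtl", 1.0),    # attack 2
    Msg(8.1, INVERTER, HMI, "response", 4),
    Msg(8.5, INVERTER, HMI, "response", 9),                               # replayed
    Msg(8.7, "10.0.1.99", INVERTER, "request", 5, "read", "MaxPowerLimit"),  # rogue host
    Msg(9.0, HMI, INVERTER, "keepalive"),                                 # forged
]


def analyse(stream):
    tracker = MmsStateTracker()
    for m in stream:
        tracker.feed(m)
    return tracker.alerts


if __name__ == "__main__":
    for t, reason in analyse(SAMPLE):
        print(f"t={t:5.1f}s  ALERT  {reason}")
```

The first four messages produce no alerts, so the policy is silent on the legitimate polling loop; everything after the keep-alive triggers exactly one alert per attacker action. Note that a signature rule could match the 40% write value, but the unsolicited response, the forged keep-alive and the duplicate-invokeID replay are only detectable because the tracker remembers the session state between packets.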
Conclusions
Prediction: the 2010s are the decade when open and standard, but obscure, SCADA protocols become known to attackers
Our work contributes to mitigating the impact of the likely consequent attacks in the SCADA domain
Figure: a brief history of SCADA communication protocols
– 1970s: no standard protocols
– 1980s: proprietary and industrial protocols
– 1990s: open protocols
– 2000s: promoting standard protocols
– 2010s..?
The trend runs from closed, centralised systems without standards to open, distributed, standards-based systems