
© The SPARKS Consortium

EU FP7 Programme Contract No. 608224

SCADA Intrusion Detection System

Kieran McLaughlin

BooJoong Kang

Centre for Secure Information Technologies (CSIT) – Queen’s University Belfast

[email protected]

SEGRID-SPARKS, Bilbao, 8th September 2015


Outline

Background & Motivation

IEC 61850 PV Environment

SPARKS Multistage Attack

SCADA IDS Functions

Conclusions


Recent Cyber-attacks

– “Black Energy”

• Malware discovered on internet-connected HMIs

• Targets HMI products from three vendors: GE, Siemens, BroadWin

– “Havex” Remote Access Trojan (RAT)

• Targets OPC communications

• Client/server technology widely used in process control systems

Ref: Trend Micro


SCADA Vulnerabilities

Interconnected IT systems (e.g. office network) can provide a ‘beachhead’ for attacks

Intruders able to pivot to the SCADA network can:

– Sniff, observe, learn, record, replay, tamper, launch man-in-the-middle attacks, exfiltrate data

Attacks on SCADA threaten:

– System availability

– Data and control integrity

Cyber attack >> Physical impact


Motivation

Current cyber security deployments:

– Generally lack awareness of power systems properties

– Lack deep protocol analysis at SCADA application layer

– NIST recommends further research on the above, as well as whitelist enforcement

Our aims:

– SCADA protocol verification, stateful analysis, and functional whitelisting

– Combine SCADA and power systems knowledge for detection in application layer data / OSI L7

– Interface to anomaly detection based on system model (T4.3)


IEC 61850 PV Environment

AIT SmartEST Lab

– Test laboratory for grid-coupled distributed energy resources (DER) in SPARKS

– Specialises in inverter tests, system tests with multiple components and environmental tests

– Laboratory capable of testing PV inverters up to 800 kW class

PV inverter: Converts the direct current (DC) output of a photovoltaic (PV) solar panel into a utility-frequency alternating current (AC) that can be fed into the electrical grid


IEC 61850 PV Environment

[Network diagram: Internet, office network and SCADA network; IEC 61850 client, PV inverters and physical electrical systems on the SCADA side; the IEC 61850 SCADA IDS monitors the SCADA network via a SPAN port]


IEC 61850 PV Environment

Simple overview of attack scenario

[Diagram: IEC 61850 server (PV inverter) communicating with IEC 61850 client (HMI)]

IEC 61850: Communications standard for substations. Enables integration of protection, control, measurement and monitoring functions


IEC 61850

Communication Services

– Testbed photovoltaic inverters use IEC 61850 with manufacturing message specification (MMS)

[Protocol stack diagram: Core Abstract Communication Service Interface (ACSI) Services mapped onto the MMS Protocol Suite over the TCP/IP T-Profile and ISO CO T-Profile; Sampled Values (SV, multicast), Generic Object Oriented Substation Event (GOOSE) and Generic Substation Status Event (GSSE, via the GSSE T-Profile) mapped directly onto ISO/IEC 8802-2 LLC / ISO/IEC 8802-3 Ethertype; TimeSync (SNTP) over UDP/IP; the PV Testbed label marks the MMS path used by the testbed inverters]


IEC 61850 Smart Grid Environment

[Network diagram: attacker’s controller and attacker’s web server on the Internet; office network with a Windows 7 office PC; SCADA network with IEC 61850 client, PV inverter and a Linux machine (e.g. historian), connected to the physical electrical systems]

• Attacker is able to launch targeted attacks against the PV inverter, using a custom Ettercap plugin

• Communication between IEC 61850 client and PV inverter intercepted and modified


IEC 61850 Smart Grid Environment

[Same network diagram as on the previous slide]

Attack 1:

• Modify the max power limit of the PV inverter

• E.g. change 100% to 40%

Attack 2:

• Shut down the PV inverter


SCADA IDS Functions


Protocol Analysis of Environment

Communication between Inverter and HMI

– Requests/Responses

• getVariableAccessAttributes

• read & write

– Keep-alive packets if no message for 5 seconds

[Sequence diagram: HMI (client) sends requests to the inverter (server), which returns responses; keep-alive exchanged after 5 sec. of silence]


Protocol Analysis of Environment: MMS Request / Response


SCADA IDS Functions

Fundamental “low-level” alerts directly linked to SCADA

– Increased visibility of attack steps being executed

– Detect SCADA-specific attacks that standard IT approaches cannot

Detect malformed or malicious packets

– Due to replay or protocol fuzzing

– Even if the attack is ineffective, something is wrong

– IT assets may already be compromised (e.g. by 0-day)

Combine with other anomaly detection to form wider view

– Provide enhanced “security sensor” data for event correlation

– Use for traceability, forensic analysis
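The request/response and keep-alive profile from the Protocol Analysis slides, together with the functional whitelisting and stateful analysis called for in the Motivation and SCADA IDS Functions slides, as an added Python illustration (not the SPARKS IDS code); the variable names, the 80-100% write band and the 1 s keep-alive slack are assumptions, and the trace is constructed:

```python
from dataclasses import dataclass
KEEPALIVE_SEC = 5.0   # idle interval after which, per the slides, a keep-alive is sent
# Functional whitelist (assumed policy, not the testbed's real configuration): allowed services and writable variables with value bands
ALLOWED_SERVICES = {"getVariableAccessAttributes", "read", "write"}
WRITE_POLICY = {"MaxPowerLimitPct": (80.0, 100.0)}   # hypothetical variable name

@dataclass
class Event:
    t: float            # seconds since capture start
    src: str            # "hmi" or "inverter"
    kind: str           # "request", "response" or "keepalive"
    service: str = ""
    invoke_id: int = -1
    var: str = ""
    value: float = 0.0

def analyse(events):
    """Return (time, alert) tuples for a chronologically ordered trace."""
    alerts, pending, last_t = [], {}, None
    for e in events:
        if last_t is not None and e.t - last_t > KEEPALIVE_SEC + 1.0:   # assumed 1 s slack
            alerts.append((e.t, f"silence of {e.t - last_t:.1f}s exceeds keep-alive interval"))
        last_t = e.t
        if e.kind == "keepalive":
            continue
        if e.kind == "request":
            if e.src != "hmi" or e.service not in ALLOWED_SERVICES:
                alerts.append((e.t, f"non-whitelisted request {e.service} from {e.src}"))
            if e.service == "write":
                band = WRITE_POLICY.get(e.var)
                if band is None:
                    alerts.append((e.t, f"write to non-whitelisted variable {e.var}"))
                elif not band[0] <= e.value <= band[1]:
                    alerts.append((e.t, f"write {e.var}={e.value} outside band {band}"))
            pending[e.invoke_id] = e              # await the matching response
        elif e.kind == "response" and pending.pop(e.invoke_id, None) is None:
            alerts.append((e.t, f"response invoke_id={e.invoke_id} without matching request"))
    alerts += [(last_t, f"request invoke_id={i} never answered") for i in pending]
    return alerts

# Constructed trace: normal read, Attack 1 (limit 100% -> 40%), Attack 2 (shutdown via a non-whitelisted control variable), keep-alive, silent gap, unanswered read
TRACE = [
    Event(0.0, "hmi", "request", "read", 1, "MaxPowerLimitPct"),
    Event(0.1, "inverter", "response", "read", 1, "MaxPowerLimitPct", 100.0),
    Event(1.0, "hmi", "request", "write", 2, "MaxPowerLimitPct", 40.0),
    Event(1.1, "inverter", "response", "write", 2),
    Event(2.0, "hmi", "request", "write", 3, "OperationState", 0.0),
    Event(2.1, "inverter", "response", "write", 3),
    Event(7.1, "inverter", "keepalive"),
    Event(14.0, "hmi", "request", "read", 4, "MaxPowerLimitPct"),
]
```

Running `analyse(TRACE)` yields four alerts: the out-of-band limit write, the write to the non-whitelisted variable, the silent gap after the keep-alive, and the read that never received a response.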


SCADA IDS Software

(Left) Custom IDS rules developed for standard open source tools such as Snort

(Right) Custom SCADA IDS tool incorporates custom Snort rules, plus stateful analysis which Snort cannot provide


Conclusions

Prediction: 2010s the decade when open and standard –but obscure– SCADA protocols become known by attackers

Our work contributes to mitigating the impact of likely consequent attacks in the SCADA domain

A brief history of SCADA communication protocols (timeline figure):

1970s: No standard protocols

1980s: Proprietary and industrial protocols

1990s: Open protocols

2000s: Promoting standard protocols

2010s..?

Trend from left to right: closed, centralised, without standards, towards open, distributed, standards based
