Live ICS Attack Demonstration Cyber-intrusion Auto-response and Policy Management System (CAPMS) David Lawrence, Duke Energy Steve Lusk, ViaSat Tim Collins, ViaSat Nick Saunders, ViaSat
Page 1: Live ICS Attack Demonstration Cyber-intrusion Auto-response and ...

Live ICS Attack Demonstration

Cyber-intrusion Auto-response and

Policy Management System (CAPMS)

David Lawrence, Duke Energy; Steve Lusk, ViaSat; Tim Collins, ViaSat

Nick Saunders, ViaSat

Page 2

Today’s Live Demo/Presentation

• Cyber-intrusion Auto-response and Policy Management System (CAPMS) Overview

– Why do we need a system that detects and responds to Cyber Attacks?

• Duke Energy – CAPMS Utility Partner

– Overview of Duke Energy’s Grid Of Things and the Open Field Message Bus

• CAPMS Demonstration

– Nick and Tim will demonstrate how an intruder could attack a typical utility network using DNP3 and how the network might respond

• Q&A

Page 3

VIASAT PROPRIETARY

Page 4

2.7 million people impacted

2011 Southwest blackout

• One Arizona utility worker triggered a chain of events which led to the outage

• A series of about 20 events occurred within 11 minutes of the Arizona transmission line failure

• According to SDG&E they learned of these outages about 30 seconds before they occurred but could not respond in time

• Several other outages occurred – one of which at the San Onofre Nuclear Generation Station, which was taken offline as a safety measure

Page 5

2003 Northeast blackout

55 million people Impacted

An Alarm System bug at a Control Room in Ohio prevented an alert from being displayed

Page 6

CAPMS Overview Cyber-intrusion Auto-response and Policy Management System

• Although not Cyber Attacks, these large-scale outages demonstrate the vulnerability of the grid

• A strategic Cyber Attack has the potential to cause major outages in multiple locations

• CAPMS is a DOE Grant to research methods of detecting/ reporting Cyber Attacks and to demonstrate possible responses

• Goal is to define a Policy based system that provides operators with more tools to defend, detect, and respond to Cyber Attacks

• Based on ViaSat’s Trusted Network Platform (TNP) architecture, CAPMS provides additional features to detect/respond to more complex attacks

• Algorithms, Policies and Policy engines will be used to help detect and isolate active attacks

• Depending upon the attack and based on Policy, responses may be automated, semi-automated, or manual

• DOE demonstration is planned for Sept 2015 … today’s demonstration is a preliminary look of the work thus far

Page 7

Duke Energy Emerging Technology Office

Why we need CAPMS? Autonomous Distributed Functionality with the Open Field Message Bus (OpenFMB)

David Lawrence, Duke Energy; Dwayne Bradley, Duke Energy

2/23/2015 page 7

Page 8

Grid is Transforming to a Hybrid, Central and Decentralized Control and Generation Model

Currently, large central power plants supply their immediate surroundings. In the future, more small, decentralized wind and solar generators will take up greater load, and distributed autonomous control functions will be prevalent.

Source: Science Technology Daily


Page 9

Duke’s Electric Grid – Grid of Things (GoT)

Figure (three tiers of Duke’s GoT deployment, labels as recoverable from the slide):

• Substation (Sherrill’s Ford, Rankin, McAlpine Substations) – Solar PV • Energy Storage • Dist. Mgmt System • PMU (6) • Weather stations (7)

• Customer Premise (~60 homes served by McAlpine circuits) – Solar PV • Home Energy Manager • PEV • Charging Stations • Smart Appliances • Demand Response • In-home load monitoring

• Distribution Circuit (6 McAlpine circuits) – Line Sensors (200+) • Solar PV • CES, HES Energy Storage • Comm. Nodes (3,000) • Intelligent Switches • DERMS/DMS • AMI metering (14,000)

What’s missing? Field device interoperability, autonomous distributed functionality, edge analytics, and distributed security.

Page 10

Open Field Message Bus: The Grid of Things Enabler

Figure: today, field devices cannot communicate with each other outside of vendor systems (separate MDM, DMS and OMS silos); with the Open Field Message Bus (CIM, DDS) the field devices are connected to one another. Death to Siloes!

Page 11

Distributed Architecture: Telecom Networking Vision – Multi-Tier Communications Architecture Can Retrofit to Existing Systems and Enables Distributed Apps

Figure (multi-tier network diagram; only the slide’s labels are recoverable):

• Higher Tier Central Office (Utility Datacenter)

• Middle Tier Nodes (e.g. substation) – Legacy Gateway, OFMB + DApps + TNP/CAPMS

• Lower Tier Nodes (e.g. grid) – Legacy Gateway, OFMB + DApps + TNP/CAPMS

• End Point Devices – Smart Meter, Capacitor Bank, Line Sensor, Intelligent Switch, Street Light, Customer Premise, Distributed Energy Resources, Transformer, Electric Vehicle

• Back-office labels – Corporate Private Network, DMS, Head End, SCADA, MDM, TNP/CAPMS

• Networks and security elements – Wide Area Network (WAN), Field Area Network (FAN), Local Area Network (LAN), Firewall, Virtual Firewall

• Legend – Application Processor, Core Processor, Physical Transport, Virtual Telemetry, Highest DIP Node

Page 12


Trusted Network Platform / Cyber-intrusion Auto-response and Policy Management System (over the Open Field Message Bus)

• Trusted Platforms

– Devices are authenticated before joining the secure fabric

– Maintains trust level throughout the life-time of the device

• Quality of Trust (QoT)

– Quantifies trustworthiness of devices

– Distributed (P2P) assessment

– Reputation-based decisions

– Enables automated responses

• Cyber Sensors (Data Capture and Analysis, Physical Security, Network Anomaly Detection)

– Provides additional information for real-time health and monitoring of the Utility network

• Central Security GUI (CSG) – Trusted Monitoring Security Operations Center (SOC)

– Real-time cyber-security monitoring

– Security management and control

• Detection!

– Sensors detect unauthorized access and unusual activity

– Sensors trigger system alerts

• Response!

– Every Platform in the Trusted Network responds to the Security Event based on Policy

• Prevention!

– Systems interacting with the compromised devices are protected

– Contains the attack

• Reporting!

– Operator is informed of suspicious behaviour and the CAPMS response

– Protected operating mode maintains availability, minimizing service disruption

Page 13

CAPMS

Demonstration

Nick Saunders – CAPMS SW Lead (Operator)

Tim Collins – CAPMS SW Architect (Intruder)

Page 14

Substation (photo with physical-intrusion callouts: Cut lock here; Climb Pole; Insert key)

Page 15

CAPMS Demonstration Network

Figure (network diagram; labels as recoverable from the slide):

• Substation network 192.168.2.x/24 – relays: Siemens 7SJ85, SEL 351S, ABB REF615, Schneider MiCOM P642 (addresses 192.168.2.9, 192.168.2.10, 192.168.2.11, 192.168.2.12); ViaSat TNP; Intruder

• The “Node” (192.168.2.8) – SEL 3354 Gateway, Suricata DPI, CAPMS Policyd; MicroSCADA control

• Operations – DELL PowerEdge 1950 / ABB MicroSCADA, CAPMS (10.10.1.2, 10.10.1.3/4/5, 10.10.1.6, 10.10.10.1); CAPMS for displaying CSG on big screens

• Wide-area link – Verizon, Palo Alto PA firewall (1.1.1.2, 1.1.1.3)

• Legend – SCADA (DNP3); TNP Control & Status

Page 16

DNP3 Threat Attack Demonstration

• Staged DNP3 on a simulated Utility Substation

– Intruder cuts lock, enters substation

– Attaches an attack computer (Raspberry Pi)

– Monitors DNP3 traffic to determine attack targets

– Attempts to send trip/close relay messages

• Demonstrates

– How Deep Packet Inspection can detect DNP3 attacks

– Detection mechanisms must use deep knowledge of protocol

– Layered security is needed with operational control

– Distributed Policy based system provides options for Network Utility Operators … policies can be changed/modified to adapt to changes in the network

Page 17

What might an attack look like?

• Intruders in the Control House run the intruder “light show”:

1. Experiment with just one relay

2. Start working all the relays at once

3. Try and coordinate all tripped, all closed

• What the Operator Sees:

– Stale comms in MicroSCADA

– Power goes out

• Potential Risks

– No concern for personnel working on live wires

Page 18

How Is It Done?

• Intruder computer (Raspberry Pi) on outstation network

– Installs a hub?

– Network tap?

– Reconfigures the switch?

– Attaches a “DO NOT TOUCH” sign on it.

– Steals copper to conceal true motive

• “tshark” is a command-line version of Wireshark

• "arpspoof" for IP hijack

• "senddnp3" sends properly formed DNP3 “control relay operating block” messages

Page 19

tshark

• Command-line version of Wireshark; the capture identifies the DNP3 endpoints:

Master: xx.xx.xx.108, DNP3 master ID 1

Outstation: xx.xx.xx.112, DNP3 outstation ID 10

Can also get:

dnp3.al.index (control point/index)

dnp3.al.fun (function code)

Page 20

arpspoof

• ARP poison attack:

The TCP/IP session from master to outstation is broken

• Intruder can assume master IP and connect to outstation

arpspoof -t <master IP> <intruder IP>

arpspoof -t <outstation IP> <intruder IP>

ifconfig eth0:0 192.168.2.8

Page 21

senddnp3

• Based on OpenDNP3 “masterdemo” sample program

• Can send any individual DNP3 CROB

– Source IP, master DNP3 address ID,

– Destination IP, outstation DNP3 address ID

– Direct or select-operate mode

– Commands: latch_on, latch_off, pulse, pulse_trip, pulse_close

• Scan mode (pseudo-code):

    for mode in { direct-operate, select-then-operate }:

        for control code in { ControlCode::LATCH_OFF, ControlCode::LATCH_ON, ControlCode::PULSE, ControlCode::PULSE_CLOSE, ControlCode::PULSE_TRIP }:

            send the command

Page 22

Defense Solution

Suricata (for sensor events)

– Open source intrusion detection system (IDS)

– Added DNP3 inspection

– Sends JSON-formatted "out of band" messages

CAPMS Policy Service

– Built on ViaSat’s Trusted Network Platform

– Runs in substations and in operations

– Monitors DNP3, syslog, DDS, other protocols…

– Tracks both errors and out of profile events

– Behavioral model of a cyber attack

Actions

– Security management console

– Integration with ABB MicroSCADA display

– Future work: automated responses

Page 23

Demo: Reconnaissance

• Demonstrate how intruder uses reconnaissance

– Send bad index. Send bad Control code.

• What can’t be detected?

– Source or destination IP (outside of DNP3)

– Bad master/outstation IDs (device terminates connection)

– Relay commands if none are actually sent

• Response!

– Warning on MicroSCADA

– Alerts in TNP/CAPMS

Fields of the probed CROB message (as labelled on the slide): Src IP; Dst IP; Port 20000; Master 100; Outstation 1,2,3,4; Index; Control code: pulse/trip; Pulse values: count, on, off

Page 24

Policy Validation

• Lots of control/status messages are possible

• Not all messages are normal

• Security policy can be customized to validate “normal” behavior

• Uses:

– Detect reconnaissance

– Protocol fuzzing

– Automated reactions to problematic conditions

Page 25

Demo: Valid Commands

• Intruder gets the control points and command codes

– Tricks operator into sending CROB commands?

– Has hands-on access to devices?

– Ex-employee knows the standard defaults?

• Demonstrate how intruder attacks network

– Trip all the breakers

• Monitoring shows no out-of-profile commands!

• CAPMS adds

– “State model” of what is an OK state

– Correlates seemingly unrelated events

– Can track recon that might take place over months

• Operations view:

– MicroSCADA alarm

– CAPMS/TNP alert

Page 26

Structured Defense Logic

• Based on NESCOR Attack Trees

• The stages of potential attacks are modeled using digital logic gates

• Remedial actions can be bound to stages of an attack

• In this simple attack tree, the actions bound to the stages issue alerts and activate the MicroSCADA alarm LED

Page 27

Demo Summary

• Probing of substation with nonsense DNP3 commands

• Catching legal but out of profile commands

• Interpreting an attack in stages:

– A few bad commands

– PLUS legal but out of the ordinary commands means

– ESCALATE from warning to serious

• Example of how a distributed intelligent node fits into the larger network
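The policy validation, state model and staged escalation of slides 23 to 27, as an added Python example that is not part of the original slides or the CAPMS software: it classifies constructed CROB events as nonsense probes (unknown index or control code) or legal commands, tracks breaker state so that a run of individually legal trips that leaves every breaker open is flagged out of profile, and feeds both findings into AND/OR attack-tree gates that escalate from warning to serious. The point numbers, control-code names, the "all breakers open" rule and the bound action names are assumptions for the demo, not CAPMS policy.

```python
from collections import Counter

# Constructed demo profile (assumption): outstation 10 exposes breaker points 1-4.
KNOWN_POINTS = {10: {1, 2, 3, 4}}
VALID_CODES = {"LATCH_ON", "LATCH_OFF", "PULSE", "PULSE_TRIP", "PULSE_CLOSE"}
TRIP_CODES = {"PULSE_TRIP", "LATCH_OFF"}
CLOSE_CODES = {"PULSE_CLOSE", "LATCH_ON"}

def check_message(ev):
    """Per-message policy check: an unknown index or control code is a 'bad' (nonsense) probe."""
    points = KNOWN_POINTS.get(ev["outstation"], set())
    if ev["index"] not in points or ev["code"] not in VALID_CODES:
        return "bad"
    return "legal"

def state_is_ok(breakers):
    """State model (assumed rule): never every breaker open at once, even via legal commands."""
    return not all(state == "open" for state in breakers.values())

def assess(events, bad_threshold=2):
    """Run events through the policy checks and attack-tree gates; return (severity, actions)."""
    breakers = {i: "closed" for i in KNOWN_POINTS[10]}   # demo tracks outstation 10 only
    findings = Counter()
    for ev in events:
        verdict = check_message(ev)
        findings[verdict] += 1
        if verdict == "legal":                            # apply the command to the state model
            if ev["code"] in TRIP_CODES:
                breakers[ev["index"]] = "open"
            elif ev["code"] in CLOSE_CODES:
                breakers[ev["index"]] = "closed"
            if not state_is_ok(breakers):                 # legal message, unacceptable state
                findings["out_of_profile"] += 1
    stage_recon = findings["bad"] >= bad_threshold        # "a few bad commands"
    stage_state = findings["out_of_profile"] >= 1         # "legal but out of the ordinary"
    if stage_recon and stage_state:       # AND gate: ESCALATE from warning to serious
        return "serious", ["issue_alert", "microscada_alarm_led"]
    if stage_recon or stage_state:        # OR gate: either stage alone is a warning
        return "warning", ["issue_alert"]
    return "normal", []

# Constructed sample stream: two nonsense probes, then a legal trip of every breaker.
SAMPLE_EVENTS = [
    {"outstation": 10, "index": 99, "code": "PULSE_TRIP"},
    {"outstation": 10, "index": 1, "code": "BOGUS"},
] + [{"outstation": 10, "index": i, "code": "PULSE_TRIP"} for i in (1, 2, 3, 4)]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

Per-message validation alone would pass the four trip commands as legal; only the state model plus the correlation gate turns them into the "serious" verdict.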

Page 28

CAPMS Summary

• More complex attacks require more complex responses

• Coordinated efforts are needed to monitor and respond to attacks

• Policy Management and Event correlation add breadth and depth to detecting/responding to attacks

• Large distributed networks are vulnerable to both Cyber and Physical attacks

• Interoperability is a must

– Standards will facilitate open dialog between vendors and provide better responses to potential Cyber Attacks

• Strong Security is key

– Robust Security that supports normal operation is required

– Defense-in-Depth

Page 29

Q&A

Page 30

OpenFMB Standardization and Test Beds

• Standards Development Efforts

– Smart Grid Interoperability Panel (SGIP)

– North America Energy Standards Board (NAESB)

• Community Portal & Repository

– Published Duke Energy Reference Architecture Spec

– Transfer Opengridstandards.org to a non-profit

– Utility Communications Architecture Int’l Users Group (UCAIug)

• Utility Partnerships/Research Alliances

– National Renewable Energy Lab (NREL) DOE INTEGRATE project

– Electric Power Research Institute (EPRI) Integrated Grid program

– CPS Energy: “Grid-of-the-Future” Deployment in San Antonio

• Duke Energy Coalition of the Willing (COW) Phase II Demo

– Islandable Microgrid with PVs & Battery Storage

– CIM, DDS, MQTT, & others

– DistribuTECH 2016 in Orlando, FL

– 25 Vendor partners

