Multistage Cyber-physical Attack and SCADA Intrusion Detection

Page 1

© The SPARKS Consortium EU FP7 Programme Contract No. 608224

Multistage Cyber-physical Attack and SCADA Intrusion Detection

Workshop on European Smart Grid Cybersecurity: Emerging Threats and Countermeasures
Belfast, 26th August, 2016
Kieran McLaughlin, BooJoong Kang, Ivor Bradley, Andrew Wright
Centre for Secure Information Technologies (CSIT) @QUB

Page 2

Outline

– Recent cyber-attacks & motivation
– IEC 61850 smart grid environment
– Multi-stage cyber-attack scenario
– Intrusion detection
– Lab demo

Page 3

Recent Cyber-attacks

– “Black Energy”
  • Malware discovered on internet-connected HMIs (2011...2014)
  • Targeting HMI products from three vendors: GE, Siemens, BroadWin

– “Havex” Remote Access Trojan (RAT)
  • Targeting OPC communications (2014)
  • Client/server technology widely used in process control systems

Ref: Trend Micro

Page 4

What is a RAT?

A Remote Administrator/Access Tool/Trojan is malware that allows the master complete control of the infected machine

RATs can have special features or plugins. Well known are:

– PlugX, known as Korplug, Gulpix or Thoper
– DarkComet
– PoisonIvy
– Gh0St
– Taidoor
– Xtreme RAT

Page 5

Ukraine Electric Grid Attack

The SCADA system was the target (2015)

BlackEnergy appears to have been the “dropper”

A final component made the cyber-physical effect

Analysis from SANS ICS blog

Page 6

Recent Cyber-attacks

– German steel plant (2014)
  • ‘Spear phishing’ emails and social engineering techniques
  • Login credentials obtained
  • Access gained to the office network... and then to the production systems
  • Blast furnace could not shut down as normal
  • Caused “massive damage”

Attackers showed technical expertise

Page 7

Take Away Message

Cyber attack but...

Physical impact

Page 8

IEC 61850 PV Environment


Diagram: IEC 61850 client (HMI) communicating with IEC 61850 server (PV inverter)

IEC 61850: communications standard for substations. Enables integration of protection, control, measurement and monitoring functions.

Page 9

IEC 61850 Smart Grid Environment

Diagram: attacker’s controller and attacker’s web server on the Internet; enterprise network with a Windows 7 office PC; SCADA network with the IEC 61850 client, a Linux machine (e.g. historian) and the PV inverter; physical electrical systems behind the inverter.

Page 10

IEC 61850 Smart Grid Environment


• Phishing email
• Looks genuine
• Simple - often successful

Page 11

IEC 61850 Smart Grid Environment


• Infected PC contacts malicious server

• Malware payload downloads and installs

• SPARKS demo with DarkComet, PlugX

Page 12

IEC 61850 Smart Grid Environment


• Attacker ‘pwns’ a PC in the enterprise network

Page 13

IEC 61850 Smart Grid Environment


• Uses “remote desktop” functions of RAT (like Ukraine)

• In this case, the attacker finds a vulnerable web-based historian used by the operator

• Runs known exploit

Page 14

IEC 61850 Smart Grid Environment


• From RAT controller, attacker is able to establish a connection from Windows machine to historian

Page 15

IEC 61850 Smart Grid Environment


• From the RAT controller, the attacker instructs the Linux machine to download another attack payload

• Custom code that allows directed attack against IEC 61850

Page 16

IEC 61850 Smart Grid Environment


• The attacker now begins sniffing the IEC 61850 SCADA commands between the IEC 61850 client and the PV inverter

• Could carry out reconnaissance and learn about the system

Page 17

IEC 61850 Smart Grid Environment


• Communication between IEC 61850 client and PV inverter intercepted and modified

Page 18

IEC 61850 Smart Grid Environment


Attack 1:
• Modify the max power limit of the PV inverter
• E.g. change 100% to 40%

Attack 2:
• Shut down the PV inverter

Page 19

Multi-stage Cyber-attack Scenario

Phishing email & social engineering

Install Remote Access Trojan (RAT) in office PC

Network mapping & lateral movement

Exploit vulnerability & pivot to SCADA network

Deploy SCADA attack payload

Attack physical system functions

More than one way to skin a RAT...
– Multiple options for each stage of a multi-stage attack
  • Waterhole attacks
  • Infected software
  • Stolen/insecure username and password credentials
  • Compromise from the internet
  • Office PC
  • Third party remote maintenance
  • Engineer’s laptop
  • BYOD
  • Well known tools like nmap
  • Havex, Stuxnet sniffed traffic
  • RAT can keylog credentials
  • Vulnerable operating system
  • Vulnerable services on SCADA server, data historian, etc.
  • Vulnerable network devices
  • Variety of known and unknown vulnerabilities in SCADA devices and software – CVEs
  • e.g. GE, Siemens, BroadWin
  • Inherently vulnerable SCADA protocols
  • Devices vulnerable to freeze, shutdown, etc.

Page 20

Observations (1/2)

BlackEnergy, Havex and steel mill attacks:
– Control systems are being specifically targeted
– Malware / intruders aim to identify specific control system communications and devices
– Attackers have technical knowledge of underlying control systems, physical systems & communications >> not ‘script kiddies’
– Trajectory is towards selective intrusions and tailored attacks

We need to:
– Better understand the physical consequences of cyber-attacks
– Develop and embed resilience measures to mitigate impact

Page 21

Observations (2/2)

Prediction: the 2010s are the decade when open and standard (but obscure) SCADA protocols become known to attackers

Our work contributes to mitigating the impact of resultant attacks in the SCADA domain

A brief history of SCADA communication protocols* (timeline figure): 1970s, no standard protocols; 1980s, proprietary and industrial protocols; 1990s, open protocols; 2000s, promoting standard protocols; 2010s..? The trend runs from closed, centralised, without standards to open, distributed, standards based.

* Modified from: Ten, Chee-Woo, et al. “Cybersecurity for electric power control and automation systems.” 2007 IEEE International Conference on Systems, Man and Cybernetics. IEEE, 2007.

Page 22

Outline

– Recent cyber-attacks & motivation
– IEC 61850 smart grid environment
– Multi-stage cyber-attack scenario
– Intrusion detection
– Lab demo

Page 23

Objectives for SCADA IDS

Current approaches:
– Security generally lacks awareness of power systems properties
– SCADA protocols lack consideration for cyber security
– Lack of deep analysis at SCADA application layer
– NIST recommends further research on above

Our aims are therefore:
– Combine SCADA and power systems knowledge to effectively monitor application layer data
– SCADA protocol verification, stateful analysis, and functional whitelisting to support intrusion detection in the IEC 61850 use-case
– Collaborative approach towards supporting Resilient Control with SCADA IDS information

Page 24

Multi-Attribute SCADA IDS Concept


Page 25

Whitelist & Signature

Whitelist
– Alerts on any traffic not specified as allowed

Signature
– Detect known attacks
– Can comprise part of stateful analysis
  • E.g. complicated attacks with multiple packets

alert tcp any any -> 10.55.55.111 102 (msg:"Write Request with Low Active Power Limitation"; sid:10000007; pcre:"/\xa0.*\xa5.\xa0.*DRCC1\$SP\$MaxWLimPct\$setMag\$f .*\x08((\x41(\x20\x00\x00|([\x00-\x0f]|[\x10-\x1f])..)|\x40...)|([\x00-\x0f]|[\x10-\x1f]|[\x20-\x2f]|[\x30-\x3f])...)$/")

Example signature for PV inverter attack


Page 26

‘Characterisation’ of Environment

Critical State Analysis
– System description and critical state representation
– State evolution monitor
– Critical state detection, e.g. $MaxWLimPct <10%

Example: turbine in a factory
– If the temperature is greater than 99 and the turbine rotates at less than 1000 rpm:

PLC[10.0.0.10:502].HR[1] < 1000, PLC[10.0.0.22:502].IR[1] > 99 → Alert : 4

Carcano, A. et al. (2011). A Multidimensional Critical State Analysis for Detecting Intrusions in SCADA Systems. IEEE Transactions on Industrial Informatics, 7(2), 179–186.
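As an added example (not SPARKS code, not from the paper cited above), the following Python shows how the two detection ideas on pages 25 and 26 fit together: it decodes the MMS Write-Request pattern the page-25 signature looks for, instead of encoding the threshold as byte ranges in a PCRE, and feeds the decoded set-point into a critical-state evaluator that also carries the turbine rule. The packet bytes, their length octets and the write sequence are constructed; the MMS FloatingPoint layout (context tag 0x87, length 5, exponent-width octet 0x08, then IEEE 754 single bytes) is an assumption consistent with the \x08 marker in the signature.

```python
import re
import struct

# IEC 61850 object reference written by the attack on the deck's PV inverter.
VAR = "DRCC1$SP$MaxWLimPct$setMag$f"

# Constructed MMS Write-Request fragment (not a real capture; length octets are
# placeholders): confirmed-request tag 0xa0, write tag 0xa5, the object
# reference, then an MMS FloatingPoint (assumed layout: context tag 0x87,
# length 5, exponent-width octet 0x08, followed by the IEEE 754 single bytes).
def build_write_request(value: float) -> bytes:
    return (b"\xa0\x00\xa5\x00" + VAR.encode()
            + b"\x87\x05\x08" + struct.pack(">f", value))

# Same shape as the page-25 signature: confirmed request, write, the object
# reference, then the four float bytes after the 0x08 marker. The signature
# expresses "< 10" as byte ranges; here we decode the value and compare.
WRITE_RE = re.compile(
    rb"\xa0.*\xa5.*(DRCC1\$SP\$MaxWLimPct\$setMag\$f).*\x87\x05\x08(.{4})",
    re.DOTALL)

def decode_write_request(pkt: bytes):
    """Return (object_reference, float_value) for a matching write, else None."""
    m = WRITE_RE.search(pkt)
    if m is None:
        return None
    return m.group(1).decode(), struct.unpack(">f", m.group(2))[0]

# Critical states: (description, predicate over the system state, alert id).
# Unknown registers default to a non-critical value so a partial state never
# fires an alert on its own.
CRITICAL_STATES = [
    ("PV inverter active power limit below 10%",
     lambda s: s.get(VAR, 100.0) < 10.0, 1),
    ("Turbine hotter than 99 and slower than 1000 rpm",
     lambda s: s.get("PLC[10.0.0.22:502].IR[1]", 0) > 99
     and s.get("PLC[10.0.0.10:502].HR[1]", 10**9) < 1000, 4),
]

def evaluate(state: dict) -> list:
    """Alert ids for every critical state the current system state satisfies."""
    return [alert for _desc, pred, alert in CRITICAL_STATES if pred(state)]

def monitor(packets, state: dict) -> list:
    """State evolution monitor: apply each decoded write to the system state
    and collect the alerts raised at the point the system becomes critical."""
    alerts = []
    for pkt in packets:
        decoded = decode_write_request(pkt)
        if decoded is None:
            continue
        state[decoded[0]] = decoded[1]
        alerts.extend(evaluate(state))
    return alerts

if __name__ == "__main__":
    # Constructed sequence: operator sets 100%, attacker writes 40%, then 5%.
    stream = [build_write_request(v) for v in (100.0, 40.0, 5.0)]
    print(monitor(stream, {}))  # [1]
```

Only the 5% write crosses the $MaxWLimPct <10% threshold, so alert 1 fires once; the 40% write from the page-18 scenario stays above the threshold and would need a whitelist or stateful rule rather than this critical-state check.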


Page 27

‘Characterisation’ of Environment

Deep protocol analysis, MMS Request / Response: meta-data about network traffic and payload content

Page 28

Stateful Analysis

Correlated Rules


<Stateful Analysis Process>

<Rule Match of Write-Request>

Page 29

Unsupervised Learning Model

Yoo, H. et al. (2014). Novel Approach for Detecting Network Anomalies for Substation Automation based on IEC 61850. Multimedia Tools and Applications, 1–16.

Single MMS Packet


Page 30

Multi-Attribute SCADA IDS

Figure: Multi-Attribute SCADA IDS architecture. Inputs: Network Traffic, System Configurations, 3rd Party Signature DB, Protocol Standards, Normal Data, Attack Data. Generators: Whitelist Generation, Signature Generation, Stateful Rule Generation, Protocol Violation Rule Generation, Machine Learning. Outputs: Whitelist, Signatures, Violation & Stateful Rules, Models. Also shown: ELK (Elasticsearch, Logstash, Kibana).

Page 31

SPARKS ‘MMS Scanner’

MMS device detection
– Port scan (102)

Information gathering
– Send valid requests
  • Domain name, attributes
– Attribute manipulation
  • Known or random values

Figure labels: Attacker; IEC 61850-8-1

Therefore, to characterise normal network behaviour we must include all these SCADA-specific parameters.

Page 32

Lab Demo

Let’s ROCK

