#CyberCamp18
Securing Machines: Detecting attacks in Industrial Environments
Mikel Iturbe Urretxa
Mondragon Unibertsitatea
iturbe.info
Contents
1. Whoami
2. Industrial Environments
3. Research in Attack Detection
4. How to train for research in this field
$ whoami
▪ Mikel Iturbe Urretxa
▪ Lecturer/Researcher at the Data Analysis and Cybersecurity research group at Mondragon Unibertsitatea > danz.eus
▪ Member of EuskalHack, the Basque information security association
$ whoami
▪ What I do
▪ PhD in Industrial Intrusion Detection.
• Best student work award at JNIC 2018
▪ Mainly industrial security R&D, including through contracts with industry:
• CounterCraft, MSIGrupo, OpenCloudFactory, Orona Group…
▪ Also some data analysis (also in industrial settings)
What I will talk about today:
“An overview of some industrial attack detection approaches, based on my personal experience from the field in recent years.”
Industrial Environments
Industrial?
CC-BY-SA 3.0 Kreuzschnabel, Schmimi1848, Wolkenkratzer, Brian Cantoni, Hermann Luyken, Beroesz
So, what’s in a name?
© 2016 Little Bobby All Rights Reserved
What does an industrial network look like?
CC-BY 2.0 Robert Kevin Moore @ Flickr
CC-BY-SA 4.0 hddgomez@Wikicommons
And, if things go wrong?
▪ Trans-Siberian pipeline explosion (1982)
▪ Source unconfirmed (myth?)
▪ Two main hypotheses:
• Operator mistake
• Malicious, leaked software caused the explosion
And, if things go wrong?
▪ Maroochy Water Breach (2000)
▪ 142 pumping stations
▪ Ex-employee attacks the system with stolen equipment
▪ ~800,000 litres of raw sewage spilled uncontrolled
And, if things go wrong?
▪ Stuxnet (2010)
▪ Designed to disrupt Iran’s nuclear program
▪ Exploited 4 zero-days
▪ Sabotaged uranium centrifuges by manipulating their rotation speed
• While the operators saw nothing wrong…
And, if things go wrong?
▪ German steel mill incident (2014)
▪ Not much is known (who, where…)
▪ Spear-phishing > IT network > OT network
▪ A blast furnace could not be shut down properly. “Massive” losses.
And, if things go wrong?
▪ December 2015 Ukrainian blackout
▪ ~230,000 people lost electricity for some hours
▪ 30 substations switched off
▪ Spear-phishing > IT network > OT network
So, how do we protect them?
Differences between ICS and IT

                        ICS                                      IT
Main objective          Control of physical equipment            Data processing and transfer
Failure severity        High                                     Low
Round-trip times        250 μs - 20 ms                           50 ms+
Determinism             High                                     Low
Data composition        Small packets of periodic and            Large, aperiodic packets
                        aperiodic traffic
Operating environments  Harsh, often hostile (EM noise, dust…)   Clean
System lifetime         Some tens of years                       Some years
Node complexity         Low                                      High
So, how do we protect them?
▪ There are many differences between IT and ICS
▪ We can't just install antivirus everywhere
▪ How can we monitor ICSs to detect attacks in them?
▪ Anomaly detection FTW!
Research in Attack Detection
Jurassic or BS times (before Stuxnet)
▪ ICS attack detection was a niche research field
▪ Most approaches were ports of their IT counterparts (e.g. signature-based IDSs)
▪ Good practices and standard equipment that exist today simply did not exist yet:
• Whitelisting, industrial firewalls, network segmentation
Jurassic or BS times (before Stuxnet)
▪ Zhu and Sastry published a review of the (then) current proposals on intrusion detection for SCADA
• Some terms start appearing, and how they can be useful for ICS-specific attack detection
• Model-based detection, specification-based detection

Zhu, Bonnie, and Shankar Sastry. "SCADA-specific intrusion detection/prevention systems: a survey and taxonomy." Proceedings of the 1st Workshop on Secure Control Systems (SCS). Vol. 11. 2010.
After Stuxnet
▪ Interest from the research community grows rapidly
▪ The publication rate goes up
▪ More workshops and conferences are created
▪ Two main approaches:
• Network-level detection and field-level detection
▪ And I started my PhD…
Detection at the network level
▪ Flow-level anomaly detection

Iturbe, Mikel, et al. "Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting." VISIGRAPP (2: IVAPP). 2016.
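Flow-level whitelisting in one runnable form, added here as an example and not taken from the deck or from the cited paper: industrial traffic is so periodic that the set of (source, destination, port, protocol) flows seen in a short attack-free window is a usable whitelist, and every flow outside it is an anomaly worth a look. The hosts, addresses, roles and log format below are constructed for the example; what the check adds over a bare set lookup is a reason that tells the analyst how far the new flow departs from the baseline (unknown device, known pair speaking a new service, or known devices that never talked before).

```python
from collections import OrderedDict

# Constructed baseline flow records, not a real capture: (src_ip, dst_ip, dst_port, proto).
# The hosts and their roles are assumptions made up for this example.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 502, "tcp"),  # HMI polling the PLC over Modbus/TCP
    ("10.0.1.11", "10.0.2.20", 102, "tcp"),  # engineering workstation, S7comm (ISO-TSAP)
    ("10.0.1.30", "10.0.2.20", 502, "tcp"),  # historian polling the same PLC
    ("10.0.1.10", "10.0.2.20", 502, "tcp"),  # repeats: ICS traffic is periodic, so a
    ("10.0.1.30", "10.0.2.20", 502, "tcp"),  # short clean window covers the usual flows
]

# Constructed monitoring window in a simple "timestamp src dst dport proto" format
# (an assumed export format, not any real tool's output).
MONITORED_LOG = """\
2018-10-03T10:00:01 10.0.1.10 10.0.2.20 502 tcp
2018-10-03T10:00:01 10.0.1.30 10.0.2.20 502 tcp
2018-10-03T10:00:02 10.0.1.11 10.0.2.20 102 tcp
2018-10-03T10:00:05 10.0.1.50 10.0.2.20 502 tcp
2018-10-03T10:00:06 10.0.1.50 10.0.2.20 502 tcp
2018-10-03T10:00:07 10.0.1.10 10.0.2.20 102 tcp
2018-10-03T10:00:09 10.0.1.30 10.0.1.11 445 tcp
"""


def parse_flows(log_text):
    """Turn the constructed log format into (src, dst, dport, proto) tuples."""
    flows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, proto = line.split()
        flows.append((src, dst, int(dport), proto.lower()))
    return flows


def learn_whitelist(flows):
    """Whitelist = the set of distinct flows seen in a window assumed attack-free."""
    return set(flows)


def check_flows(whitelist, flows):
    """Flag every flow absent from the whitelist, once per distinct flow, with a
    reason describing how far the traffic departs from the baseline."""
    known_hosts = {f[0] for f in whitelist} | {f[1] for f in whitelist}
    known_pairs = {(f[0], f[1]) for f in whitelist}
    alerts = OrderedDict()
    for flow in flows:
        if flow in whitelist:
            continue
        if flow in alerts:
            alerts[flow][1] += 1  # count repeats instead of alerting again
            continue
        src, dst, _dport, _proto = flow
        if src not in known_hosts or dst not in known_hosts:
            reason = "unknown host"  # a device never seen in the baseline window
        elif (src, dst) in known_pairs:
            reason = "new service between known hosts"  # e.g. the HMI suddenly speaking S7
        else:
            reason = "new communication pair"  # known devices that never talked before
        alerts[flow] = [reason, 1]
    return [(flow, reason, count) for flow, (reason, count) in alerts.items()]


if __name__ == "__main__":
    whitelist = learn_whitelist(BASELINE_FLOWS)
    for flow, reason, count in check_flows(whitelist, parse_flows(MONITORED_LOG)):
        print(f"ALERT {reason}: {flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]} ({count}x)")
```

The whitelist is only as good as the baseline: if the learning window already contained an attacker's flows they are whitelisted too, so the window should be reviewed (or taken from a commissioning phase) before the list is trusted, and any later change in the plant's communication matrix needs an explicit update rather than a silent relearn.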
More recently: detection at the field level
▪ Why field level?
▪ The data is already there!
▪ We want to know how the process is behaving, not (just) the network
▪ Most approaches are based on physical models
• There are some issues…
Field-level approaches
▪ Diagnosing attacks

Iturbe, Mikel, et al. "On the feasibility of distinguishing between process disturbances and intrusions in process control systems using multivariate statistical process control." 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W). IEEE, 2016.
Field-level approaches
▪ Detecting stealthy attacks with PASAD

Aoudi, Wissam, Mikel Iturbe, and Magnus Almgren. "Truth Will Out: Departure-Based Process-Level Detection of Stealthy Attacks on Control Systems." Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2018.
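What "stealthy" means at the process level, shown with an added example that is not from the deck and is not PASAD (PASAD's singular-spectrum model is not reproduced here; a two-sided CUSUM stands in as the simplest detector that accumulates departure over time). The setpoint, alarm band, deterministic noise function and drift rate are constructed assumptions. The attacker nudges a reported sensor value upward by a little more each sample while staying inside the operator's static alarm band, so a per-sample limit check never fires; the CUSUM sums the small persistent deviations and alarms while the drift is still a fraction of the band.

```python
import math

SETPOINT = 50.0      # assumed: level the controller is holding
STATIC_LIMIT = 1.0   # assumed: operator alarm when |reading - SETPOINT| > 1.0
K = 0.1              # CUSUM slack: per-sample deviations below this are ignored
H = 1.0              # CUSUM decision interval: alarm once the running sum exceeds it


def sensor_noise(t):
    """Deterministic, bounded stand-in for measurement noise (|noise| <= 0.15),
    used instead of random numbers so the run is reproducible."""
    return 0.1 * math.sin(1.7 * t) + 0.05 * math.cos(5.1 * t)


def readings(clean_steps=200, attack_steps=80, drift_per_step=0.01):
    """Clean period followed by a stealthy attack: the reported value is raised a
    little more each sample (0.8 at most), never leaving the static alarm band.
    Returns (t, reported_value, injected_drift) tuples."""
    out = []
    for t in range(clean_steps + attack_steps):
        drift = max(0, t - clean_steps + 1) * drift_per_step
        out.append((t, SETPOINT + sensor_noise(t) + drift, drift))
    return out


def static_alarm(samples):
    """Classic limit check: fires only when a single reading leaves the band."""
    for t, x, _ in samples:
        if abs(x - SETPOINT) > STATIC_LIMIT:
            return t
    return None


def cusum_alarm(samples, k=K, h=H):
    """Two-sided CUSUM: accumulate deviations from the setpoint beyond the slack k
    in each direction and alarm when either running sum exceeds h."""
    s_hi = s_lo = 0.0
    for t, x, _ in samples:
        dev = x - SETPOINT
        s_hi = max(0.0, s_hi + dev - k)
        s_lo = max(0.0, s_lo - dev - k)
        if s_hi > h or s_lo > h:
            return t
    return None


def run_detectors(clean_steps=200, attack_steps=80):
    samples = readings(clean_steps, attack_steps)
    t_cusum = cusum_alarm(samples)
    return {
        "attack_start": clean_steps,
        "static_alarm": static_alarm(samples),
        "cusum_alarm": t_cusum,
        "drift_at_alarm": samples[t_cusum][2] if t_cusum is not None else None,
    }


if __name__ == "__main__":
    result = run_detectors()
    print(f"attack starts at t={result['attack_start']}")
    print(f"static limit check alarms at: {result['static_alarm']}")
    print(f"CUSUM alarms at t={result['cusum_alarm']} with injected drift {result['drift_at_alarm']:.2f}")
```

The slack k and interval h trade detection delay against false alarms: with real noise the clean-period run length of the CUSUM must be checked on a long attack-free record before the thresholds are trusted, which is the same calibration problem every process-level detector, PASAD included, has to solve.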
Future trends
▪ ML-based solutions will gain prominence
▪ More approaches based on field readings
▪ Possible integration with network-level approaches
▪ Software Defined Networking will have a large impact on the field
So you wanna start doing research in ICS attack detection?
Training
▪ Books
Training
▪ GitHub
• https://github.com/hslatman/awesome-industrial-control-system-security
Training
▪ Virtuaplant
▪ https://github.com/jseidl/virtuaplant
Training
▪ Tennessee-Eastman process
• https://github.com/satejnik/DVCP-TE

Krotofil, Marina, and Jason Larsen. "Rocking the pocket book: Hacking chemical plants for competition and extortion." DEF CON 23 (2015).
Conclusions
▪ Securing ICS is strategic, but it has its own particularities
▪ ML/AI-based attack detection in ICS is a very active research field
▪ Learning ICS security takes time and a change of mentality, but it is definitely doable.
THANK YOU