250 likes | 374 Views
Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS) Tanya Roosta (Berkeley). Applying policy-based intrusion detection to scada networks. Outline. Overview of Supervisory Control and Data Acquisition (SCADA) systems Implementation and threats
E N D
Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS) Tanya Roosta (Berkeley) Applying policy-based intrusion detection to scada networks
Outline • Overview of Supervisory Control and Data Acquisition (SCADA) systems • Implementation and threats • Intrusion Detection System (IDS) for SCADA • Policy-based • Signature-based • Implementation • Mesh networking and routing protocols • IDS Structure • Testbed Scenario: Tennessee Eastman plant • Summary and future work
Outline • Overview of Supervisory Control and Data Acquisition (SCADA) systems • Implementation and threats • Intrusion Detection System (IDS) for SCADA • Policy-based • Signature-based • Implementation • Mesh networking and routing protocols • IDS Structure • Testbed Scenario: Tennessee Eastman plant • Summary and future work
Motivation: SCADA • Supervisory Control and Data Acquisition • A process control system • Four main components • Sensors • Actuators • Local control loops • Plant-wide control loops • Applications: • Power plants • Oil and gas pipelines • Nuclear • Manufacturing • Next-generation SCADA • Wireless networking protocols for sensors and actuators provide new challenges • Security • Power • Link-level reliability
State of Security • Prior to wireless networks • Serial links between sensors, actuators and local control loops • Wireless networks • Two methodologies • RTUs – Remote Terminal Units • Intelligent Device Nodes: Integrated control, sensors and actuation • 802.15.4 and similar • Low-power ad-hoc networks • By default, unsecured • Star configuration • Low-power direct-to-Access Point configuration • By default, unsecured
Plant Management and Operation • Local control loops report to SCADA master • May be located offsite • Implies TCP-based connectivity • Allows off-site management of a plant or series of plants • Generally secured by enterprise-level firewall
Security Risks • Transition from wired serial links to wireless • Early implementations used no encryption or security methods • Secondary modifications included a firewalled method • Primary risk is from firewall-based protection • Sensors/actuators not locally protected • If firewall is breached, or on-site access established, control loops are at risk
Outline • Overview of Supervisory Control and Data Acquisition (SCADA) systems • Implementation and threats • Intrusion Detection System (IDS) for SCADA • Policy-based • Signature-based • Implementation • Mesh networking and routing protocols • IDS Structure • Testbed Scenario: Tennessee Eastman plant • Summary and future work
Intrusion Detection • Identification of known attack patterns • Jamming • Denial of Service • Radio interference • Injection attacks • Packet replay • Route disruption • Re-routing of traffic to alternate destination • Affects mesh-routed networks • Packet alteration • Difficult to identify • Related work • T. Roosta, S. Shieh, S. Sastry, Taxonomy of Security Attacks in Sensor Networks, 1st International IEEE Conference on System Integration and Reliability Improvements, 2006 • A. Lauf, R. A. Peters, W. H. Robinson, Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks in Elsevier Journal for Ad-Hoc Networks, submitted for review
Intrusion Detection (cont’d) • Policy approach • Usage of pre-defined system-wide policies • Best for periodic systems • Optimized for deterministic data patterns • Attacks trip tolerance levels of monitored services • Hybrid approaches • Frequency detection • plus • Cross-correlation approaches
Proposed method • Usage of Policy-based IDS as proposed by T. Roosta[1] • Implementation of IDS in a JVM • Allows portability • Device cross-compatibility • Usage of the Tennessee Eastman plant model[2] • Simulated in MATLAB Simulink • Network simulation performed by TrueTime[3] • Direct Java interface between MATLAB and IDS • IDS to receive local UDP support [1] T. Roosta, An Intrusion Detection System for Wireless Process Control Systems [2] J. J. Downs, E. F. Vogel, A Plant-Wide Industrial Process Control Problem in Computers chem. Engng., Vol 17 No. 3 pp245-255 1993 [3] The TrueTime Project at Lund University, http://www.control.lth.se/truetime/
Proposed Method (cont’d) • Policy-based IDS runs on multiple nodes • Several copies distributed to select Intelligent Device Nodes (“Field” nodes) • Copy on local Access Points (“Master” nodes) • Policies monitor several factors • “Health” packets at 15-minute intervals • Average packet size • Routing stability
What is a policy? Why used? • Set of conditions and limits • Specifies normal operation • Ideal for periodic systems • Each policy covers a system aspect • Packet size • Radio power • Link stability • Policies provide specific capabilities • Determine if particular conditions met or exceeded • Can target an area more precisely than a general traffic-based IDS
Outline • Overview of Supervisory Control and Data Acquisition (SCADA) systems • Implementation and threats • Intrusion Detection System (IDS) for SCADA • Policy-based • Signature-based • Implementation • Mesh networking and routing protocols • IDS Structure • Testbed Scenario: Tennessee Eastman plant • Summary and future work
Routing • Assuming 802.15.4 ZigBee networking between nodes • AODV mesh routing protocol • Ad Hoc On-Demand Distance Vector Routing • Reduces need for constant radio power • Creates routes as needed
Application of IDS • Policy-based IDS added to several key nodes on the mesh-routed network • AP also runs instance of IDS • JVM allows device independence • Intelligent Device Nodes can run the same IDS code • Policies are dynamically allocated, revoked and updated
Attack methods • No data available on proprietary plant technologies – let alone attacks • Simulation of attacks to follow logical choices • Jamming of one node • Jamming of several nodes • Packet alteration/checksum failures • Temporal disruption • Routing/link/PHY failures • Testing will consist of Simulink trial runs together with varying IDS policies
IDS Structure • IDS is comprised of 4 core Java components • IDS engine/policy adherence verification • Policy management • Event management • System control • Policy management is dynamic • Instance runs on JVM, receives event data from embedded C-based monitoring applications
Outline • Overview of Supervisory Control and Data Acquisition (SCADA) systems • Implementation and threats • Intrusion Detection System (IDS) for SCADA • Policy-based • Signature-based • Implementation • Mesh networking and routing protocols • IDS Structure • Testbed Scenario: Tennessee Eastman plant • Summary and future work
Choosing a Plant Model • Tennessee Eastman plant model chosen as test system • Represents well-known chemical process control case • Uses “real-world” data in simulation • Provides MATLAB Simulink simulation • Can be adapted for a networked simulation • TrueTime used as network discrete event simulator • Integrates easily into existing Tennessee Eastman plant simulation • Multiple physical layer simulation methods • Can provide real-time data to IDS
Example: TN Eastman Plant • Sensor/actuator systems are grouped and discretized • Discrete components are matched to Intelligent Device Nodes with networking capabilities • Certain nodes are fitted with copies of the IDS • Monitors routing, received data, sent data, packet size, frequency, health, radio power, etc. • Access Point is also fitted with a copy of the IDS
AODV TrueTime implementation • Each node implements the TrueTime kernel • Capable of reading data inputs as well as routing • Sends data for consumption between nodes • Data sent to SCADA master
IDS localization Local Field IDS Sensor/actuator Intelligent Device Node (1 of 6)
IDS setup • Simulink sensor and actuator blocks discretized • Data routed via AODV network and TrueTime • IDS linked via MATLAB Java to selected nodes • IDS monitors events based on prescribed policies • In real-world scenario • Specialized monitor apps report to IDS via UDP • IDS runs on localized JVM Controller C Monitor C Monitor C Monitor C Monitor UDP Policies JVM IDS
Summary and Future Work • Development of Routing model in progress • IDS complete • IDS instance generation in progress • Attack synthesis in progress