A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection. I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta. Joint Research Centre (JRC) The European Commission’s Research-Based Policy Support Organisation Insubria University.
Consequences of pervasive ICT in Critical Infrastructures
Today most critical infrastructures depend heavily on the underlying communication networks: Supervisory Control and Data Acquisition (SCADA) systems are connected through public networks.
→ New vulnerabilities, new attack scenarios, new risks.
An Example: The ModBUS frame
• ModBUS serial frame (RS232, RS422/485): 1 byte slave address + up to 253 bytes PDU + 2 bytes CRC = 256 bytes max ADU
• ModBUS TCP/IP frame: 7 byte MBAP header + up to 253 bytes PDU = 260 bytes max ADU
  MBAP header: Transaction Identifier, Protocol Identifier, Length, Unit Identifier
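The two framings on the slide, as an added example (not code from the JRC prototype): a serial (RTU) ADU is slave address + PDU + CRC-16 and a Modbus/TCP ADU is MBAP header + PDU, with the 256 and 260 byte limits enforced on both build and parse. The sample frame `01 03 00 00 00 01` (read one holding register at address 0 from unit 1) and its CRC are constructed here for the example.

```python
"""Modbus ADU framing as laid out on the slide: serial (RTU) = 1 byte slave
address + PDU (<= 253 bytes) + 2 byte CRC, max 256 bytes; Modbus/TCP = 7 byte
MBAP header + PDU, max 260 bytes. Added example, not the JRC code; the frames
below are constructed here (01 03 00 00 00 01 reads one holding register at
address 0 from unit 1)."""
import struct

MAX_PDU = 253
MBAP_LEN = 7
MAX_SERIAL_ADU = 1 + MAX_PDU + 2     # 256
MAX_TCP_ADU = MBAP_LEN + MAX_PDU     # 260

def crc16_modbus(data):
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_rtu_adu(unit, pdu):
    if not 0 < len(pdu) <= MAX_PDU:
        raise ValueError("PDU length out of range")
    body = bytes([unit]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))   # CRC goes low byte first on the wire

def parse_rtu_adu(adu):
    """Return (unit, pdu); reject short, oversized or corrupted frames."""
    if not 4 <= len(adu) <= MAX_SERIAL_ADU:
        raise ValueError("ADU length out of range")
    body, (crc,) = adu[:-2], struct.unpack("<H", adu[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    return body[0], body[1:]

def rtu_crc_ok(adu):
    try:
        parse_rtu_adu(adu)
        return True
    except ValueError:
        return False

def build_tcp_adu(tid, unit, pdu):
    if not 0 < len(pdu) <= MAX_PDU:
        raise ValueError("PDU length out of range")
    # MBAP: transaction id, protocol id (0 = Modbus), length = unit id + PDU bytes, unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_tcp_adu(adu):
    """Return (tid, unit, pdu); the MBAP length field must account for the whole frame."""
    if not MBAP_LEN + 1 <= len(adu) <= MAX_TCP_ADU:
        raise ValueError("ADU length out of range")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(adu) - 6:
        raise ValueError("MBAP length disagrees with frame size")
    return tid, unit, adu[MBAP_LEN:]

# Constructed sample: read holding registers (FC 3), start address 0, quantity 1
READ_HR_PDU = struct.pack(">BHH", 3, 0, 1)
```

Note what the CRC and the MBAP length field do and do not give you: both catch accidental corruption and framing errors, neither authenticates the sender, which is exactly the gap the following slides address.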
SCADA Protocols Vulnerabilities
Missing security properties: …authentication… …integrity… …freshness…
Resulting attacks:
• Unauthorized Command Execution
• Man-in-the-Middle
• Replay attacks
• Repudiation
Secure Modbus Prototype
• Time-stamp
• SHA2 digest (256 bit)
• RSA signature on the SHA2 digest
[Figure: the ModBUS TCP/IP frame is extended to TS | MBAP | Function | Data (the E-Modbus frame); the SHA2 digest of the E-Modbus frame, signed with the master's private key (PKm), is appended to give the S-Modbus packet.]
Considerations
• A secure protocol does not protect against the corruption of the traffic originator, i.e. the Master itself…
K-Survivable SCADA Architecture
• Attacks:
  • Unauthorized command execution
  • Replay attack
  • Master infection
  • Master and FU infection
• Solutions:
  • Signature
  • Secure ModBUS
  • Filtering Unit (FU)
  • Multiple FUs, on different architectures and OSes (Linux, Windows)
[Figure: message flow through the SCADA firewall. The master sends {TS|ModBUS}PKm; the Filtering Unit verifies it and forwards {{TS|ModBUS}PKm}PKf to the slave. Frames injected by the attacker, either unsigned ({TS|ModBUS}) or signed with keys other than the master's and the FU's, are rejected. Legend, in the slide's own notation: PKm = private key of the master, SKm = public key of the master, PKf = private key of the FU, SKf = public key of the FU, TS = time stamp, FU = Filtering Unit.]
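The Secure Modbus frame from the previous slides and the Filtering Unit countersignature from this one, as one added example (not the JRC prototype's code). The layout follows the slides: TS | MBAP | Function | Data, then the SHA-256 digest signed with the master's private key (the slides write PKm for the private and SKm for the public key); each FU verifies the master signature, checks freshness, refuses a replayed frame, and countersigns; the slave accepts only a valid master signature plus at least K valid FU countersignatures. The K-of-N acceptance rule, the freshness window and the seeded key generation are this example's assumptions, and the textbook RSA (no padding, 512-bit toy modulus) stands in for the prototype's real RSA only so the block runs stand-alone; it is not secure.

```python
"""Secure Modbus frame + filtering-unit countersignature (added example, not JRC code).
TS | MBAP | Function | Data | {SHA2 digest}PKm, then {body | master sig}PKf per FU;
the slave requires the master signature plus K FU countersignatures (K-of-N rule is
an assumption of this example). Textbook RSA from a seeded PRNG: toy only, never
use as-is; the prototype used real RSA."""
import hashlib
import random
import struct

_rng = random.Random(2010)            # seeded PRNG keeps the example reproducible: example-only
TS_LEN, MBAP_LEN, SIG_LEN = 8, 7, 64  # 64-byte signature = 512-bit toy modulus

def _probable_prime(n, rounds=16):
    """Miller-Rabin after trial division by small primes."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _probable_prime(cand):
            return cand

def keygen(bits=512):
    """Return ((d, n), (e, n)): private and public key (slide notation PK / SK)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                    # e is prime, so this is gcd(e, phi) == 1
            return (pow(e, -1, phi), p * q), (e, p * q)

def sign(priv, data):
    """RSA over the SHA-256 digest (textbook, no padding: toy only)."""
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n).to_bytes(SIG_LEN, "big")

def verify(pub, data, sig):
    e, n = pub
    return pow(int.from_bytes(sig, "big"), e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def master_frame(master_priv, tid, unit, pdu, now_ms):
    """TS | MBAP | Function | Data | {SHA2 digest}PKm."""
    body = struct.pack(">QHHHB", now_ms, tid, 0, len(pdu) + 1, unit) + pdu
    return body + sign(master_priv, body)

def split_frame(frame):
    """Return (body, master signature, [FU countersignatures]) using the MBAP length field."""
    body_len = TS_LEN + 6 + struct.unpack(">H", frame[TS_LEN + 4:TS_LEN + 6])[0]
    body, sigs = frame[:body_len], frame[body_len:]
    if len(sigs) < SIG_LEN or len(sigs) % SIG_LEN:
        raise ValueError("truncated signature block")
    sigs = [sigs[i:i + SIG_LEN] for i in range(0, len(sigs), SIG_LEN)]
    return body, sigs[0], sigs[1:]

def fresh(body, now_ms, window_ms=2000):
    """Time-stamp freshness; the 2 s window is an example parameter."""
    return abs(now_ms - struct.unpack(">Q", body[:TS_LEN])[0]) <= window_ms

class FilteringUnit:
    def __init__(self, priv, master_pub):
        self.priv, self.master_pub, self.seen = priv, master_pub, set()
    def countersign(self, frame, now_ms):
        """Verify master signature and freshness, refuse replays, return {{TS|ModBUS}PKm}PKf."""
        body, msig, _ = split_frame(frame)
        if not verify(self.master_pub, body, msig):
            raise ValueError("master signature invalid")
        if not fresh(body, now_ms):
            raise ValueError("stale time stamp")
        if msig in self.seen:
            raise ValueError("replayed frame")
        self.seen.add(msig)
        return sign(self.priv, body + msig)

def slave_accept(master_pub, fu_pubs, frame, k, now_ms):
    """Accept iff master signature and time stamp hold and >= k distinct FUs countersigned."""
    body, msig, fsigs = split_frame(frame)
    if not (verify(master_pub, body, msig) and fresh(body, now_ms)):
        return False
    return sum(any(verify(pub, body + msig, s) for s in fsigs) for pub in fu_pubs) >= k

def _raises(fn):
    try:
        fn()
        return False
    except ValueError:
        return True

def run_demo():
    """Constructed run: three diverse FUs, slave needs two, the third never answers."""
    m_priv, m_pub = keygen()
    keys = [keygen() for _ in range(3)]
    fus, fu_pubs = [FilteringUnit(priv, m_pub) for priv, _ in keys], [pub for _, pub in keys]
    now = 1_000_000
    pdu = struct.pack(">BHH", 5, 1, 0xFF00)            # write single coil 1 := ON (constructed)
    frame = master_frame(m_priv, 1, 1, pdu, now)
    sig0, sig1 = fus[0].countersign(frame, now), fus[1].countersign(frame, now)
    tampered = bytearray(frame)
    tampered[TS_LEN + MBAP_LEN + 2] ^= 0x01              # flip a bit of the coil address
    return {
        "two_of_three_accepted": slave_accept(m_pub, fu_pubs, frame + sig0 + sig1, 2, now),
        "one_fu_rejected": slave_accept(m_pub, fu_pubs, frame + sig0, 2, now),
        "tampered_rejected": slave_accept(m_pub, fu_pubs, bytes(tampered) + sig0 + sig1, 2, now),
        "replay_rejected_at_fu": _raises(lambda: fus[0].countersign(frame, now + 100)),
        "stale_rejected": slave_accept(m_pub, fu_pubs, frame + sig0 + sig1, 2, now + 10_000),
    }
```

The run shows what the signature layer buys and what it does not: forgery, tampering, replay and stale frames are dropped, and losing one of three FUs still lets the slave act, but a frame that is correctly signed by a compromised master passes every check here; that is the gap the state-based analysis on the following slides is meant to close.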
...Problem...
[Figure: three packets R1: PKT(###), R2: PKT(#@!), R3: PKT(^&%) carry the commands "Close V1" (PLC1), "Open V2" (PLC3) and "Close V3" (PLC2). Each packet passes the filtering cloud on its own; together they put the plant into a critical state: Alert!]
Locally licit commands put the system into a critical state.
…but…
[Figure: Industrial World vs ICT World. The ICT world relies on signature-based IDS, the industrial world on safety analysis; the two are kept apart.]
State Based Approach (1) • SCADA System Representation
State Based Approach (3)
• Critical State Representation
  IF ( PLC[ 10.0.0.1 ].HR[1] < 20 AND PLC[ 10.0.0.2 ].HR[2] > 70 ) THEN "The system is in a critical state"
  (HR[i] = holding register i of the PLC at the given IP address; the rule compares live register values against thresholds)
Loader: Critical State Rules Loader
• IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND
  ( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT
[Figure: the loader parses the rule into a tree: AND at the root; on the left an OR node over PLC[10.0.0.1].HR[1] > 70 and PLC[10.0.0.1].HR[2] < 20; on the right an OR node over PLC[10.0.0.2].CO[0] = 0 and NOT PLC[10.0.0.2].CO[1] = 1.]
SVI: Update System Manager
[Figure: the Virtual System, the image of the field devices' state kept by the update manager.]
SVI: Real System Synchronizer
[Figure: Virtual System before → query field devices → Virtual System after the system update; the synchronizer refreshes the image from the real devices.]
Analyzer: Critical State Analyzer
[Figure: the analyzer evaluates the loaded rules against the Virtual System, e.g. IF ( PLC[10.0.0.1].CO[1] == 1 ) THEN ALERT.]
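The loader, synchronizer and analyzer of the last three slides in one added example (not the JRC SVI code), using the rule syntax of the slides and replaying the earlier point that individually licit transactions can leave the plant in a critical state. The rule parser accepts `PLC[ip].HR[i]` / `CO[i]` references, comparisons, AND / OR / NOT and `IF ... THEN ALERT`; the Virtual System is refreshed from captured Modbus read transactions (FC 1 read coils, FC 3 read holding registers). The operator precedence (NOT above AND above OR), the Modbus decoding and the sample transactions are this example's assumptions.

```python
"""Critical-state rule loader, Virtual System synchronizer and analyzer (added
example in the style of the slides, not the JRC SVI code). Rule syntax is the
slides' own; assumed here: NOT binds tighter than AND, AND tighter than OR,
and the Virtual System is refreshed from captured Modbus reads (FC 1, FC 3)."""
import operator
import re
import struct
from collections import defaultdict

# Register reference first, so "PLC[...]" is never mistaken for a keyword.
TOKEN = re.compile(r"\s*(?:(?P<ref>PLC\[\s*([\d.]+)\s*\]\.(HR|CO)\[(\d+)\])|(?P<num>\d+)"
                   r"|(?P<op>==|>=|<=|[<>=])|(?P<kw>IF|THEN|ALERT|AND|OR|NOT)|(?P<par>[()]))")
OPS = {"=": operator.eq, "==": operator.eq, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}

def tokenize(text):
    text, pos, out = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {text[pos:pos + 12]!r}")
        pos = m.end()
        if m.group("ref"):
            out.append(("ref", (m.group(2), m.group(3), int(m.group(4)))))
        elif m.group("num"):
            out.append(("num", int(m.group("num"))))
        else:
            out.append((m.lastgroup, m.group(m.lastgroup)))
    return out

class Parser:
    """Recursive descent giving ("or"|"and", l, r), ("not", x) or ("cmp", ref, op, n)."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", None)
    def take(self, kind, value=None):
        tok = self.peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok[1]
    def rule(self):                                   # IF <expr> THEN ALERT
        self.take("kw", "IF"); expr = self.expr_or()
        self.take("kw", "THEN"); self.take("kw", "ALERT"); self.take("eof")
        return expr
    def expr_or(self):
        node = self.expr_and()
        while self.peek() == ("kw", "OR"):
            self.i += 1; node = ("or", node, self.expr_and())
        return node
    def expr_and(self):
        node = self.expr_not()
        while self.peek() == ("kw", "AND"):
            self.i += 1; node = ("and", node, self.expr_not())
        return node
    def expr_not(self):
        if self.peek() == ("kw", "NOT"):
            self.i += 1; return ("not", self.expr_not())
        if self.peek() == ("par", "("):
            self.i += 1; node = self.expr_or(); self.take("par", ")"); return node
        return ("cmp", self.take("ref"), self.take("op"), self.take("num"))

def load_rule(text):
    return Parser(tokenize(text)).rule()

class VirtualSystem:
    """Image of the field devices: state[ip]["HR"|"CO"][address] -> value."""
    def __init__(self):
        self.state = defaultdict(lambda: {"HR": {}, "CO": {}})
    def apply_read(self, ip, req_pdu, resp_pdu):
        """Update from one captured request/response pair (FC 1 coils, FC 3 holding registers)."""
        fc, start, count = struct.unpack(">BHH", req_pdu[:5])
        payload = resp_pdu[2:]
        if resp_pdu[0] != fc or resp_pdu[1] != len(payload):
            raise ValueError("response does not match request")
        if fc == 1:        # coils arrive bit-packed, lowest address in the least significant bit
            for i in range(count):
                self.state[ip]["CO"][start + i] = (payload[i // 8] >> (i % 8)) & 1
        elif fc == 3:      # holding registers arrive as big-endian 16-bit words
            for i, val in enumerate(struct.unpack(f">{count}H", payload)):
                self.state[ip]["HR"][start + i] = val
        else:
            raise ValueError(f"unsupported function code {fc}")
    def lookup(self, ref):
        ip, table, addr = ref
        return self.state[ip][table][addr]       # KeyError until that register is synchronized

def evaluate(node, vs):
    if node[0] == "cmp":
        return OPS[node[2]](vs.lookup(node[1]), node[3])
    if node[0] == "not":
        return not evaluate(node[1], vs)
    left, right = evaluate(node[1], vs), evaluate(node[2], vs)
    return (left and right) if node[0] == "and" else (left or right)

SLIDE_RULE = ("IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND "
              "( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT")

def run_demo():
    """Constructed transactions: each read is licit on its own, the combination is critical."""
    vs, rule = VirtualSystem(), load_rule(SLIDE_RULE)
    vs.apply_read("10.0.0.1", struct.pack(">BHH", 3, 0, 3), bytes([3, 6]) + struct.pack(">3H", 50, 80, 30))
    vs.apply_read("10.0.0.2", struct.pack(">BHH", 1, 0, 2), bytes([1, 1, 0b11]))   # CO[0]=1, CO[1]=1
    before = evaluate(rule, vs)                                                      # HR[1]>70, coils block
    vs.apply_read("10.0.0.2", struct.pack(">BHH", 1, 0, 2), bytes([1, 1, 0b10]))   # CO[0] now 0
    return before, evaluate(rule, vs)
```

Two practical points the block makes visible: a rule that references a register the synchronizer has not yet read cannot be evaluated (the lookup raises), so the analyzer must wait for a full synchronization before trusting a "no alert"; and because the state comes from observed traffic, a compromised master that writes a value without the filter ever seeing a read of it leaves the Virtual System stale, which is why the synchronizer also queries the devices directly.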
The Power system SCADA lab
Contains:
• Idrolab (+150 sensors/actuators)
• Control room
• 3 SCADA systems
Hardware and Software:
• 20 high performance servers
• 150 high end PCs and notebooks
• 10 layer 3, 24 port, gigabit switches
• 4 high performance wireless switches
• 1 Nokia-Checkpoint solid state firewall
• 4 full network racks
• 18 km of network cables
• 300 gigabit network cards
• A 100 KW cooling system
• A 100 KW UPS system
JRC SCADA LAB.
[Figure: PLC and RTU connected to the lab's actuators and sensors.]
Test: Packet Loss
• Master: sends 100,000 request packets of 260 bytes
• Slave: responds with 100,000 responses of 260 bytes
Test: Single Signature Rules Analyzer
• Master: sends 1000 requests
• Slave: responds with 1000 responses
• Filter: captures the messages and checks whether they are licit, according to a rules file containing n rules.
Test: Virtual System Update
• Master: sends 1000 requests with the command "Read n coils"
• Slave: responds with 1000 responses containing the n values.
• Filter: captures each request/response transaction and updates the n values in the Virtual System.
Test: Critical State Rules Analyzer (1)
• Master: sends 1000 generic requests
• Slave: responds with 1000 responses
• Filter: captures each request/response transaction, then checks whether the Virtual System is entering a critical state, according to a rules file containing a single rule with n conditions.
Test: Critical State Rules Analyzer (2)
• Master: sends 1000 generic requests
• Slave: responds with 1000 responses
• Filter: captures each request/response transaction, then checks whether the Virtual System is entering a critical state, according to a rules file containing n rules.
• Thousands of devices to monitor
• Hundreds of subsystems
• Geographically sparse systems
• System of systems
→ Impossible to analyze states on a single level
Future Works
• Abstract aggregation
• Critical state prediction
• Critical-state-prediction based firewalls
• Lightweight cryptographic mechanisms for SCADA protocols