Multistage Cyber-physical Attack and SCADA Intrusion Detection

Transcription

1 Multistage Cyber-physical Attack and SCADA Intrusion Detection Workshop on European Smart Grid Cybersecurity: Emerging Threats and Countermeasures Belfast, 26 th August, 2016 Kieran McLaughlin, BooJoong Kang, Ivor Bradley, Andrew Wright Centre for Secure Information Technologies

2 Outline Recent cyber-attacks & motivation IEC smart grid environment Multi-stage cyber-attack scenario Intrusion detection Lab demo

3 Recent Cyber-attacks Black Energy Malware discovered on internet-connected HMIs ( ) Targeting HMI products from three vendors: GE, Siemens, BroadWin Havex Remote Access Trojan (RAT) Targeting OPC communications (2014) Client/server technology widely used in process control systems Ref: Trend Micro

4 What is a RAT? A Remote Administrator/Access Tool/Trojan is malware that allows the master complete control of the infected machine RATs can have special features or plugins Well know are: PlugX know as Korplug or Gulpix or Thoper DarkComet PoisonIvy Gh0St Taidoor Xtreme RAT

5 Ukraine Electric Grid Attack The SCADA system was the target (2015) BlackEnergy appears to have been the dropper A final component made the cyber-physical effect Analysis from SANS ICS blog 5

6 Recent Cyber-attacks German steel plant (2014) Spear phishing s and social engineering techniques Login credentials obtained Access gained to the office... and then to the production systems Blast furnace could not shut down as normal Caused massive damage Attackers showed technical expertise

7 Take Away Message Cyber attack but... Physical impact

8 IEC PV Environment IEC server (PV inverter) IEC client (HMI) IEC Communications standard for substations. Enables integration of protection, control, measurement and monitoring functions 8

9 IEC Smart Grid Environment controller web server Internet Windows 7 Office PC Enterprise Linux machine E.g. historian IEC client SCADA PV inverter Physical electrical systems

10 IEC Smart Grid Environment controller web server Internet Phishing Looks genuine Simple - often successful Windows 7 Office PC Enterprise Linux machine E.g. historian IEC client SCADA PV inverter Physical electrical systems

11 IEC Smart Grid Environment controller web server Internet Infected PC contacts malicious server Malware payload downloads and installs SPARKS demo with DarkComet, PlugX Windows 7 Office PC Linux machine E.g. historian IEC client Enterprise SCADA PV inverter Physical electrical systems

12 IEC Smart Grid Environment controller web server Internet Attacker pwns a PC in the enterprise Windows 7 Office PC Enterprise Linux machine E.g. historian IEC client SCADA PV inverter Physical electrical systems

13 IEC Smart Grid Environment controller web server Internet Uses remote desktop functions of RAT (like Ukraine) In this case, the attacker finds a vulnerable web-based historian used by the operator Runs known exploit Windows 7 Office PC Linux machine E.g. historian IEC client Enterprise SCADA PV inverter Physical electrical systems

14 IEC Smart Grid Environment controller web server Internet From RAT controller, attacker is able to establish a connection from Windows machine to historian Windows 7 Office PC Linux machine E.g. historian IEC client Enterprise SCADA PV inverter Physical electrical systems

15 IEC Smart Grid Environment controller web server Internet From the RAT controller, the attacker instructs the Linux machine to download another attack payload Custom code that allows directed attack against IEC Windows 7 Office PC Linux machine E.g. historian IEC client Enterprise SCADA PV inverter Physical electrical systems

16 IEC Smart Grid Environment controller web server Internet The attacker now begins sniffing the IEC SCADA commands between the IEC client and the PV inverter Could carry out reconnaissance and learn about the system Windows 7 Office PC Linux machine E.g. historian IEC client Enterprise SCADA PV inverter Physical electrical systems

17 IEC Smart Grid Environment controller web server Internet Communication between IEC client and PV inverter intercepted and modified Windows 7 Office PC Enterprise Linux machine E.g. historian IEC client SCADA PV inverter Physical electrical systems

18 IEC Smart Grid Environment controller web server Internet Attack 1: Modify the max power limit of the PV inverter E.g. change 100% to 40% Windows 7 Office PC Enterprise Attack 2: Shut down the PV inverter Linux machine E.g. historian IEC client SCADA PV inverter Physical electrical systems

19 Multi-stage Cyber-attack Scenario More than one way to skin a RAT... Multiple options for each stage of a multi-stage attack Phishing & social engineering Install Remote Access Trojan (RAT) in office PC Network mapping & lateral movement Exploit vulnerability & pivot to SCADA Deploy SCADA attack payload Attack physical system functions Waterhole attacks Infected software Stolen/insecure username and password credentials Compromise from the internet Office PC Third party remote maintenance Engineer s laptop BYOD Well known tools like nmap Havex, Stuxnet sniffed traffic RAT can keylog credentials Vulnerable operating system Vulnerable services on SCADA server, data historian, etc. Vulnerable devices Variety of known and unknown vulnerabilities in SCADA devices and software CVEs e.g. GE, Siemens, BroadWin Inherently vulnerable SCADA protocols Devices vulnerable to freeze, shutdown, etc.

20 Observations (1/2) BlackEnergy, Havex and steel mill attacks: Control systems are being specifically targeted Malware / intruders aim to identify specific control system communications and devices Attackers have technical knowledge of underlying control systems, physical systems & communications >> not script kiddies Trajectory is towards selective intrusions and tailored attacks We need to: Better understand the physical consequences of cyber-attacks Develop and embed resilience measures to mitigate impact

21 Observations (2/2) 1970s 1980s 1990s 2000s No Standard Protocols Proprietary and Industrial Protocols Open Protocols Promoting Standard Protocols 2010s..? Closed, centralised, without standards Open, distributed, standards based A brief history of SCADA communication protocols* Prediction: 2010s the decade when open and standard but obscure SCADA protocols become known by attackers Our work contributes to mitigating the impact of resultant attacks in the SCADA domain * Modified from: Ten, Chee-Woo, et al. Cybersecurity for electric power control and automation systems." 2007 IEEE International Conference on Systems, Man and Cybernetics. IEEE,

22 Outline Recent cyber-attacks & motivation IEC smart grid environment Multi-stage cyber-attack scenario Intrusion detection Lab demo

23 Objectives for SCADA IDS Current approaches: Security generally lacks awareness of power systems properties SCADA protocols lack consideration for cyber security Lack of deep analysis at SCADA application layer NIST recommends further research on above Our aims are therefore: Combine SCADA and power systems knowledge to effectively monitor application layer data SCADA protocol verification, stateful analysis, and functional whitelisting to support intrusion detection in IEC61850 use-case Collaborative approach towards supporting Resilient Control with SCADA IDS information 23

24 Multi-Attribute SCADA IDS Concept 24

25 Whitelist & Signature Whitelist Alerts on any traffic not specified as allowed Signature Detect known attacks Can comprise part of stateful analysis E.g. Complicated attacks with multiple packets Example signature for PV inverter attack alert tcp any any -> (msg:"write Request with Low Active Power Limitation"; sid: ; pcre:"/\xa0.*\xa5.\xa0.*drcc1\$sp\$maxwlimpct\$setmag\$f.*\x08((\x41(\x20\x00\x00 ([\x00-\x0f] [\x10-\x1f])..) \x40...) ([\x00-\x0f] [\x10-\x1f] [\x20-\x2f] [\x30-\x3f])...)$/") 25

26 Characterisation of Environment Critical State Analysis System description and critical state representation State evolution monitor Critical state detection, e.g. $MaxWLimPct <10% Example: turbine in a factory If the temperature is greater than 99 and the turbine rotates at less than 1000 rpm PLC[ :502].HR[1] < 1000, PLC[ :502].IR[1] > 99 Alert : 4 Carcano, A. et al. (2011). A Multidimensional Critical State Analysis for Detecting Intrusions in SCADA Systems. IEEE Transactions on Industrial Informatics, 7(2),

27 Characterisation of Environment Deep protocol analysis, MMS Request / Response Meta-data about traffic and payload content 27

28 Stateful Analysis Correlated Rules <Stateful Analysis Process> <Rule Match of Write-Request> 28

29 Unsupervised Learning Model Single MMS Packet Yoo, H. et al. (2014). Novel Approach for Detecting Network Anomalies for Substation Automation based on IEC Multimedia Tools and Applications,

30 Multi-Attribute SCADA IDS Network Traffic System Configurations Whitelist Generation Whitelist ELK (Elasticsearch, Logstash, Kibana) 3 rd Party Signature DB Signature Generation Signatures Protocol Standards Protocol Violation Rule Generation Violation & Stateful Rules Normal Data Stateful Rule Generation Attack Data Machine Learning Models 30

31 SPARKS MMS Scanner MMS device detection Port scan (102) Information gathering Send valid requests Domain name, attributes Attacker Attribute manipulation Known or random values Therefore, to characterise normal behaviour we must include all these SCADAspecific parameters IEC

32 Lab Demo Let s ROCK