Nuove tecnologie per la sicurezza dei sistemi SCADA il progetto H2020 ATENA

Transcription

1 Nuove tecnologie per la sicurezza dei sistemi SCADA il progetto H2020 ATENA Prof. Stefano Panzieri Dipartimento di Ingegneria Modeling for Critical Infrastructures Protection Laboratory 1

2 A proactive system to avoid unsecured environment due to misconfiguration or to a lack of basic security measures in measurable way vs. desired levels of security Advanced algorithms/tools to minimize frequency and impact of adverse events detection of occurring events risk analysis and evaluation decision support for supervised reaction A platform designed to continuously suggest actions on OT and ICT networks, able to execute actions under the operators supervision 2

3 Industria 4.0 e la Control Room di domani La maggior parte dei dispositivi, sensori attuatori, protocolli di comunicazione installati finora è stata progettata prima dell era dell IP & Internet Numerosi costi durante tutto il ciclo di vita: disegno, installazione, manutenzione, espansione e sostituzione/obsolescenza Si prevede che nel 2020 i dispositivi connessi saranno miliardi Tutto il misurabile sarà in rete Disponibilità sempre e ovunque di conoscenze operative Contesto Ruolo Localizzazione Notifiche intelligenti Mobilità 3

4 Segmentazione secondo ISA s99 Zone&Conduit (IEC 62443, NIST SP800-82)

5 ATENA Architecture MODELS MANAGEMENT OF VULNERABILITIES RISK EVALUATION & MITIGATION ASSET MANAGEMENT INTRUSION DETECTION INTERFACES LOCAL AWARENESS & MITIGATION 5

6 Perché tanta modellistica? Analisi del comportamento Fault/attack detection Conseguenze a Cascata Risk Analysis Contromisure Mitigation 6

7 7

8 CISIApro Modelling for Risk Analysis Electrical Distribution and SCADA Networks Services Electrical Distribution Network SCADA Network 8

9 Attacks Modeling Port State S tage 1: Hosts and services Port State Switch Stage 2: Modbus Devices Enumeration FIN FIN 2 2 Modbus (Error) Reply If UnitID is correct HMI1 Modbus (Malformed) Switch 1 Request 1 UnitID=[1-247] Do slowly Attacker And for all the network S tage 1: AR P poisoning Attacker 1 Disclaimer: You may not even need nothing of this but it can be useful to understand the device you are talking to Attacker Attacker PLC ARP Spoofed Reply Control Loop System until Network get positive replies Stage 2: TCP Hijacking PLC Or continuosly because of potential 2 2 gateways Switch R/W Coils Request Control System Network 2 ARP Spoofed Reply R/W Coils Reply PLC HMI1 (spoofed) ARP Cache Table: ip_plc è mac_atacker 1 Attacker Attacker 8 2 Switch (spoofed) ARP Cache Table: 6 ip_hmi è mac_atacker Control System Network PLC HMI1 (spoofed) ARP Cache Table: ip_plc è mac_atacker Attacker Attacker (spoofed) ARP Cache Table: ip_hmi è mac_atacker Control System Network 9

10 HIDS Host Based Intrusion Detection System 10

11 Network Intrusion Detection System 11

12 Leveraging SDN and NFV for probe deployment ICS Domain Detection Layer Domain Scada Server Switch Traffic Redirection Probe... PLC 1 PLC 2 PLC 3 PLC N ICS Detection Layer Domain Scada Server SDN Switch SDN Rule Info. Traffic Redirection SDN Controller Probe... Probe Probe... PLC 1 PLC 2 PLC 3 PLC N NFV Infrastructure

13 Specialized Security Probes Field Network Firewall Event Correlator Security Mgmt. Platform ICS Security Management Platform Modbus API Event Tx. Security Events Captured Control Flow Interactions Security Events Port Scan FTPD Event Assembly Redutor Watchdog Message Checker Replicated Control Flow Interactions Intercepted Communications Flow Shadow Security Unit SSU Analog Front-end ADC I/O Channel Operational Information SNMPD Honeypot Frontend Interface Filter Event Monitor Master Station TAP Comunications flow PLC Physical I/O Channels Process Sensors/Actuators Modbus Honeypot SCADA Honeypot Shadow Security Unit

14 Smart Behavioural filter / Smart Extension

15 IACS-oriented security components for rule-based filtering

16 Smart device for mitigation strategy Based on the previous requirements, itrust consulting has developed POC of encryption pair systems (SLCM) able to be installed as plug-and-play devices. Test and demonstration platform of SLCM 16

17 DECISION SUPPORT SYSTEMS CRITERIA 1) Active healthy switches; 2) Active healthy generators; 3) Number of active generators; 4) Healthy changing switches; 5) Hops number; 6) Active switches Strategic Value; 7) Black-out dimension; 8) Population involved Results using a Multi-Objective Optimization Algorithm

18 Software Defined Security Objective: Prompt reaction to new network attacks with dynamic security reconfiguration Use the outputs of Detection and Risk Predictor + orchestrator

19 La Cyber-Security è un fattore di sviluppo, un asset critico per fare bene business, un servizio fondamentale per chi vuole investire in Italia. prof. Stefano Panzieri LA CYBERSECURITY PER LA PROTEZIONE DEI SISTEMI INTEGRATI ICT E SCADA: ASPETTI TECNICI E NORMATIVI NELLA TRASFORMAZIONE DIGITALE Grazie per l attenzione The research leading to these results has received funding from the European Union s Horizon 2020 Research and Innovation Programme, under Grant Agreement no This document is the property of the ATENA consortium and shall not be distributed or reproduced without the formal approval of the ATENA governing bodies.