PREEMPTIVE PREventivE Methodology and Tools to protect utilities

Transcription

1 PREEMPTIVE PREventivE Methodology and Tools to protect utilities With the financial support of FP7 Seventh Framework Programme Grant agreement no:

2 Preemptive goal The main goal of PREEMPTIVE is to provide an innovative solution for enhancing existing procedures and methods and conceiving tools to prevent against cyber-attacks, that target utility companies relying heavily on industrial networks and automated control systems. PREEMPTIVE addresses, in particular, the prevention of cyber-attacks against hardware and software systems such as DCS, SCADA, PLC, networked electronic sensing, and monitoring and diagnostic systems used by the utilities networks. Moreover, the research aims to implement detection tools based on a dual approach comprising low direct detection (e.g. network traffic and system calls) and process misbehavior detection (e.g. automatic industrial processes to control water distribution). The work is based mainly on utilities about electricity, water and gas. We plan to achieve this goal by proposing a combination of methodologies and detection tools

3 Preemptive outcomes The desired main outcomes of PREEMPTIVE are: Taxonomy report Classifying the utility networks taking into account type and communication technology, sensibility to Cyber threats - already available Modelling software Models and virtual environment for simulating and gathering data on cyber attacks - Already available Software detection (network, host and process based) and event correlation tools - Software Prevention and detection tools to improve security on SCADA utility networks - expected for february 2017 Cyber Defence Methodology Framework Guidelines Risk and Vunerability Assessment Methods Standard policies, procedures and guidelines to prevent cyber attacks - expected for September 2016

4 Preemptive outcome - Taxonomy GOAL The objective of Taxonomy is to gain a comprehensive understanding of the utility operational technology infrastructure that we want to protect. We define a taxonomy to structure the collected information in a consistent way across different utility sectors. We focus on three sectors: electricity, gas and water STRUCTURE The need for a consistent organization of information is derived by the observation that it is difficult for researchers working in the area of SCADA and critical infrastructure cyber- security to obtain information about the technology and systems they aim to protect. The main information gap is how the technology is used to control the physical processes. The taxonomy includes eleven domains in three distinct utility sectors indicated as critical infrastructure: 1. electricity (generation, transmission, distribution and distributed energy resources) 2. gas (production, storage, transmission and distribution) 3. water (drinking water treatment, waste water treatment and water distribution).

5 Preemptive outcome - Taxonomy UTILITIES TARGETED We organize the knowledge about the different types of utilities in order to provide a reference for assessing and studying their cyber-security properties. In particular, we want the taxonomy to capture the types and characteristics of industrial processes the different systems used to control such processes, the use cases implemented by the systems the devices and network communication protocols used by these systems. The taxonomy then describe the cyber-security-related properties of all these components in such a way that cyber- attack scenarios can be built for different types of utilities, and that different security solutions can be evaluated according to the applicability and coverage they offer with regards to the technology in use at different utilities.

6 Preemptive outcome Taxonomy RESULTS We notice that the same automation technology process is shared across sectors and domains, with the same devices and communication protocols employed in the domain-specific automation systems. With the exception of electrical domains and the cross-sector end-user metering domain, there is a tendency among vendors to create Distributed Control Systems that are generic enough to be deployed in many different domains. COMMON VULNERABILITIES The results of our analysis indicate that different domains share common vulnerabilities that could be exploited by attackers. Despite the heterogeneous nature of utility networks, there are common components and protocols across the different domains with similar vulnerabilities. These common vulnerabilities include:. Poor networking stack implementations make components vulnerable to denial of service and buffer overflow attacks Components exposing interfaces (with default or no credentials required) that allow reconfiguring or taking control of process automation functionalities. Protocols do not define authentication or message integrity features, allowing attackers with network access to manipulate process control information

7 Preemptive outcome Modelling Software GOAL We build the simulation tools in order to understand consequences of cyber-attack in different components and elements of the networks and to support the testing and validation of the detection tools to develop. Simulation tools represent a safe approach to test the effectiveness of detection tools that does not require actual deployment into the operational environment hence it reduces the associated costs as well as the risks of potential loss of service. Specifically, simulation tools can generate both normal operations and attack scenarios which allow us to achieve two main goals: produce synthetic datasets of typical behavior in different domains that can be used by detection tool to gain insight about typical processes and important variables Verify the effectiveness of the detection tools developed to detect attacks that attempt to disrupt Industrial Control Systems

8 Preemptive outcome Modelling Software Most of the existing simulation tools are specialized for a specific sector of a specific domain while, as goal of PREEMPTIVE, we want to be able to test and validate the tools developed by the project on data coming form the different domains, namely electricity, gas and water utilities. While numerous tools exists for the simulation of electrical power grid, the presence of simulation tools is more limited for the water and the gas domain. For water domain, EPANET, that models water piping systems, seems to be the most used toolkit for the analysis of water distribution systems. For the gas domain the tool GASMOD seems to be one of the few to offer hydraulic simulation software for gas pipeline

9 Preemptive outcome Modelling-Software To allow the test of the detection tools on all the domains of interest we have built the following three different but complementary simulation environments: An electrical power network simulation environment, including models of distributed energy resources and smart grid control functions. This simulation environment allows to analyze the impact of attacks on the society and provides input data for anomaly detection algorithms developed process detection tool An electrical power network emulation environment that expands our potential to perform attacks in a closer-to-reality industrial environment that uses real Modbus/TCP communications. The traffic generated by this environment Is helpful to provide real data to network and host detection tool, dealing with network and software related threats detection A Matlab-based simulation environment that enables the simulation of any kind of utilities, e.g. water, gas and electricity, provided that a Matlab-Simulink block diagram is available. The virtual environments are composed of virtual images of basic components (work stations, servers, HMIs, SCADA/DCS servers and PLCs) that can be easily distributed to partners. We also provide realistic malware samples that attack Industrial Control networks from different entry points (both at system and process level). The environment constitute a useful toolkit for verify the effectiveness of the PREEMPTIVE tools against complex attack conditions and threats.

10 Preemptive outcome Modelling Software

11 Preemptive outcome - Software Detection Graphic Interface T6.3 Alarms from correlation (WEB -HTML 5) Critical alarms from tools VBrain BI (Historical Detection and Prediction) BI MODULE (WEKA) VBrain Server (Real Time Detection) RDBMS/SQL SERVER 7 TCP/UDP QUEUES WINDOWS SERVER T7.3 FTP CEF CEF CEF CE F LINUX SERVER VULNERBILITY ASSESMENT T4.4 LINUX SERVER NETWORK FLOW DETECTION T7.1 LINUX SERVER NETWORK PAYLOAD DETECTION T7.1 LINUX SERVER PROCESS DETECTION T6.1/6.2 ICS/SCADA network ICS/SCADA network HOST DETECTION T7.2 Integrity of personal storage devices IP/ IP/ IP/ Host based tool (HIDS) standard IT

12 Preemptive outcome - Software Detection The architecture is composed of: The ICS/SCADA network - the test bed of a simulated scenario (as that of the modelling software) or real scenarios located at IEC (electricity producer in Israel) premises The detection tools for network, host and process events detection are composed of: The host detection tools - 3 different agents collecting events from: Host-based standard devices (Workstation, Laptop) Host-based embedded devices (PLC, RTU) Integrity-based (USB pen) The network detection tool composed of: A Linux server for flow detection monitoring network anomalous behavior in the packets traffic A Linux server for payload detection analyzing packets content to check for anomalies A process detection tool on a Linux server to detect any anomalous condition in the operating state of a group of devices A vulnerability assessment tool on a Linux server which scans the network to detect the existing devices with main information (IP address, Operating System, version, open sockets ) The correlation engine to correlate events from all detection tool composed by: A real time detection tool which parses all events coming from the tools and stores them in a Data Base for later processing. The process also sends high severity events value to the graphical interface An historical detection and prediction tool to analyze all events and correlate them to identify APT and events which were not detected by the detection tool as possible attacks The graphic interface where alarm events from the correlation tool are displayed

13 Preemptive outcome Software detection - Correlation tool

14 Preemptive outcome Software Detection - Network Tool The two detection methods we propose belong to two distinct but complementary areas: Payload-based approaches rely on information extracted from the data contained in the payload of network packets to detect intrusions (e.g. malicious data injection) Flow-based approaches rely on aggregated network flow information (e.g. the number of messages exchanged between two hosts) to identify malicious activities The main results include: 1. A novel technology for payload-based IDS that from the payload of network packets detects anomalous behavior in ICS/SCADA network. The new technology creates probabilistic models for commands and device status sent over the network and identifies anomalies as deviations from such models. The payload-based IDS we propose has 2 main components: scan the network for the presence of indicators of compromise (defined by analyzing SCADA specific protocol vulnerabilities) learn and make a model of the normal behaviour for process variables describing commands (e.g. function codes) or device status (e.g. a circuit breaker is opened/closed) and detects deviations from such models as an anomaly. In this way we can detect attacks that e.g. use injection techniques to modify process variables in order to cause damages and disruption (e.g. changing the level setpoint of a tank to overflow it). 2. A novel method for flow-based IDS which leverages a two-layer detector combining signature-based and heuristic-based approaches for detecting advanced threats and zero-day attacks. Here, the deterministic layer embeds the knowledge of well-known attacks (e.g. syn-floood) into signatures, while the heuristic-layer learns communication patterns and uses such patterns to detect intrusions In particular, the heuristic layer focuses on learning communication patterns between Programmable Logic Controller (PLC) and Human Machine Interface (HMI).

15 Preemptive outcome Software Detection - Network tool Network-based monitoring and detection solutions that have the following advantages over host-based ones: Networks-based IDS (Intrusion Detection System) are typically passive and agent-less, i.e. no additional traffic is injected into the network and no agents need to be installed over the components. These characteristics make network-based IDS less-intrusive and easier to adopt than e.g. host-based IDS. Network-based IDS have a more global view of the status of the system since they monitor the communications between several (possibly all) the hosts in the network, while host-based solutions typically focus on detecting attacks that target a specific component (e.g. a server or a host). Network-based solutions are more versatile than host-based ones, since they are platform independent and they can be easily deployed no matters the variety of operative systems and components coming from different vendors that are present in an organization.

16 Preemptive outcome Software Detection - Host Tool We focus our research on three different but complementary areas: 1. malicious payload detection for embedded devices used in ICS environments 2. malware detection in standard IT components deployed in ICS environments 3. integrity of personal and company storage devices

17 Preemptive outcome Software Detection - Host While network-based approaches remain one of more accurate and less invasive approaches to detecting attacks against Industrial Control Systems (ICS), they also suffer from a number of limitations, which indicate that they should be complemented with host-based approaches. Reasons why it is important to examine host-based approaches include: The threats we are tackling in the context of PREEMPTIVE involve sophisticated attackers with internal knowledge about the ICS network and its components (the so-called Advanced Persistent Threats (APTs). In this scenario, an adversary may be able to gain direct access to its target without alerting network-based sensors. Generalizing, adopting only network monitoring approaches can potentially miss a number of attack vectors. In the cases in which an attacker manages to deliver a malicious payload without sending the exploit over the network (for instance by injecting it inside legitimate documents and project les) a network-based approach would not be able to report the intrusion. Network-based approaches are not aware of the internal operating system processes and of their mutual interactions. As a result, there is a significant loss of context information that could instead be used to improve the detection accuracy, particularly of process-based threats.

18 Preemptive outcome Software Detection - Process Tool This tool realizes the the detection of anomalies at industrial process level. For this purpose, the tool is first dedicated to the characterization of normal operation states in Critical Infrastructures (CI), and negative representation of data since the detection tool is based in Artificial Immune System (AIS). Among the different algorithms composing the so called AIS group, this report concentrates in Negative Selection Algorithm (NSA) which seems to be the most appropriate choice for dealing with the type of data coming from CI and the detection of anomalies that could come either from cyber-attacks or malfunctioning of any element or area of the industrial network under study. An important requirement in the implementation of such algorithm is the definition of the "Self" sample that denes the normal state of the system, which in this case corresponds to the normal operation state of the specific utility being monitored and any event laying outside the "Self" would be considered an anomaly. This definition of the "Self" is obtained trough the characterization of the Normal State Operation (NOS) applying different methods of data analysis,

19 Preemptive outcome - Cyber Defence Methodology Framework GOAL Final goal is the developing of the guidelines for improving Critical Infrastructures (CIs) surveillance with specialization for the utility networks that consist in a white paper for security managers describing how to improve the surveillance of CI using the lesson learned from the evaluation of the PREEMPTIVE methodology and innovative technologies STRUCTURE To our understanding a methodology framework should be comprised of catalogues of countermeasures, which may be organizational or technical. Organizational countermeasures are best practices related to the organization of work flows and the distribution of responsibilities Technical countermeasures are related to the deployment of devices and software components and their appropriate configuration and settings The aim is to analyse the forthcoming and existing standards, dealing with ICT security management, and to harmonize Risk and Vulnerability Assessment methods and standard practices to improve prevention detection procedures against cyber threats, introducing the capabilities to detect the zero day attacks and their signatures This approach aims to close the gap between a theoretical level and the practical utility networks world. Whereas these approaches are dedicated to the protection of general IT infrastructures, consideration of the particular requirements of utility networks supporting the operation of critical infrastructures is still immature.

20 Preemptive outcome - Cyber Defence Methodology Framework In order to reach this target, we evaluate the state of the art within this field. Based on that, we look for gaps that could be filled up with the new methodology. Therefore, we have reviewed security approaches ranging from the general IT, to Critical Infrastructures, and up to the Smart Grids and extracted countermeasures proposed to mitigate security breaches. Arranged in fine-grained groups, we have based on this collection of countermeasures a gap analysis which resulted in the description of seven weak points in the state of the art implementation. IT security standard: SANS Critical Security Controls Critical Infrastructure security standards: Guide to Industrial Control Systems Security from the NIST International Standard IEC \Industrial communication networks - Network and system security North American Electric Reliability Corporation Critical Infrastructure Protection standard (NERC CIP) Smart grid security standard: NISTIR 7628-Guidelines for Smart Grid Cyber Security ETSI TS ETSI TS We evaluated the state of the art of the above standard by analyzing and comparing security frameworks, standards and recommendations and identifying the existing gaps. We describe the developed methodology with special regard on how the PREEMPTIVE tools help to close those gaps.

21 Thank You for Your attention! Giorgio Sinibaldi Project Coordinator (Vitrociset) WEBSITE: With the financial support of FP7 Seventh Framework Programme Grant agreement no: