Irfan Ahmed Assistant Professor Department of Computer Science University of New Orleans

Transcription

1 Irfan Ahmed Assistant Professor Department of Computer Science University of New Orleans

2 Canizaro-Livingston Endowed Assistant Professor in Cybersecurity Faculty of Computer Science at the University of New Orleans (UNO) Director, Cyber-Physical Systems (CyPhy) Lab at UNO Associate Director, Greater New Orleans Center for Information Assurance (GNOCIA) designated as NSA National Center of Academic Excellence in Cyber Operation One of the nineteen universities/centers in the USA that has this designation Research interests include Industrial Control Systems (ICS) Digital Forensics Security via Virtualization Malware Detection and Analysis Cybersecurity Education 2

3 Control Center Corporate Network HMI Engineering Workstation Modem Corporate LAN SCADA System LAN PBX PBX Modem Wide Area Network Internet Historian Control Server (MTU) External Communication Infrastructure Modem PLC Modem PLC WAN Card PLC Field Sites 3

4 4

5 What components were affected in an ICS environment? How was the attack executed? Who was the perpetrator and what was his location? Was he either an internal or an external actor, and what was his motivation? Is the attack still active, and can it be repeated? 5

6 HMI SCADA System LAN Historian Control Center Engineering Workstation Control Server (MTU) Modem PBX Modem PLC PBX Modem Modem Corporate Network Wide Area Network PLC Corporate LAN External Communication Infrastructure Field Sites WAN Card Internet PLC Little or no understanding of digital artifacts Limited ICS forensics tools Local Access to a PLC Resource-constrained PLC Insufficient Logging Disruption on the availability Remote Data Acquisition Closed-source Software such as Firmware 6

7 Control logic the code runs in a PLC defines how a PLC controls a physical process. Stuxnet modifies control logic monitors the frequency of variable frequency drives only launches an attack if the frequency is within a certain normal range, 807 Hz ~ 1,210 Hz attack involves changing the motor speed periodically from 1,410 Hz to 2 Hz to 1,064 Hz and then over again Ladder Logic Code Snippet 7

8 Control Center Corporate Network HMI Engineering Workstation SCADA System LAN Control Logic PBX PBX Modem Corporate LAN Modem Wide Area Network Internet Historian Control Server (MTU) External Communication Infrastructure Modem PLC Modem PLC WAN Card PLC Field Sites 8

9 Forensic investigators cannot use the engineering software as a reliable forensic data acquisition tool DEO 1: Hiding infected control logic from the engineering software DEOs 2 & 3 : Jeopardize the engineering software s capability to acquire control logic from a PLC remotely 9

10 Attack Scenario 1 Engineering Software Original Program Original Program MITM Attacker Program Attacker Program PLC 10

11 Attack Scenario II Engineering Software Attacker Program MITM Original Program PLC Crash 11

12 Attack Scenario III Engineering Software Attacker Program PLC Attacker Program Attacker Error 12

13 RSLogix Forensic Analysis of the Network Traffic AB Micrologix 13

14 a) Ladder-logic source code snippet of a traffic-light program 14

15 a) Ladder-logic source code snippet of a traffic-light program b) Binary ladder-logic snippet of a traffic-light program 15

16 LADDIS Rung-0: (XIC/[I1:0/0]) AND (XIO/[T4:2/DN]) --> (TON/[T4:0/1.0/3/0]) Rung-1: (XIC/[T4:0/TT]) --> (OTE/[B3:0/3]) Rung-2: (XIC/[T4:0/DN]) --> (TON/[T4:1/1.0/5/0]) Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1]) Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0]) Rung-5: (XIC/[T4:2/TT]) --> (OTE/[B3:0/2]) Rung-6: (XIO/[I1:0/0]) AND (XIO/[T4:3/DN]) --> (TON/[T4:3/1.0/1/0]) Rung-7: ( (XIC/[O0:0/0] AND XIO/[T4:3/DN]) OR (XIC/[T4:3/DN] AND XIO/[O0:0/0]) ) --> (OTE/[B3:0/0]) Rung-8: ( ( XIC/[B3:0/0]) OR ( XIC/[B8:0/0]) ) --> (OTE/[O0:0/0]) Rung-9: ( ( XIC/[B3:0/1]) OR ( XIC/[B8:0/1]) ) --> (OTE/[O0:0/1]) Rung-10: ( ( XIC/[B3:0/2]) OR ( XIC/[B8:0/2]) ) --> (OTE/[O0:0/2]) Rung-11: ( ( XIC/[B3:0/3]) OR ( XIC/[B8:0/3]) ) --> (OTE/[O0:0/3]) Rung-12: END Disassembled to 16

17 LADDIS Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1]) Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0]) c) Laddis ASCII output of decompiling the binary ladder-logic snippet d) Laddis graphical output of decompiling the binary ladder-logic snippet 17

18 Identify Instruction Anatomy Opcodes for instructions Instruction format Low-level representation does not have variable names/tags and comments Ladder logic file is not sufficient for disassembly A typical PE/ELF executable file is self contained for disassembly Ladder logic disassembly requires multiple files Ladder logic file Main Configuration file Timer File Counter File etc. 18

19 Rung starts with 0x00 0x00 Rung Signature Rung Size File No. Word offset Bit address XIO File No. [00E4] name = Examine_if_closed inscode = XIC instype = bit size = 8 Word offset Bit address TON XIC File No. Timer Addressing First Rung [00E8] name = Examine_if_Open instype = bit inscode = XIO size = 8 [0158] name = Timer_on_delay instype = timer inscode = TON size = 10 Signature (first two enclosed bytes) and Size (next two enclosed bytes) of Rungs END

20 MAIN CONFIG Start of 10-byte tuples; Each representing a data file 10-bytes of first tuple Processor Name Data file information Starts with offset 0x86 Instruction addressing operand Zero Padding File Size INPUT File Type TIMER Zero Padding File Type File Size Starting Offset for Addressing Starting Offset for Addressing 20

21 TIMER CE 4F (CONFIG) - CE 4F (LADDER) = 0x00 T4 à 4 is the sequence number of the timer data tuple in the main config file 21

22 Rung-0: (XIC/[I1:0/0]) AND (XIO/[T4:2/DN]) --> (TON/[T4:0/1.0/3/0]) Rung-1: (XIC/[T4:0/TT]) --> (OTE/[B3:0/3]) Rung-2: (XIC/[T4:0/DN]) --> (TON/[T4:1/1.0/5/0]) Rung-3: (XIC/[T4:1/TT]) --> (OTE/[B3:0/1]) Rung-4: (XIC/[T4:1/DN]) --> (TON/[T4:2/1.0/2/0]) Rung-5: (XIC/[T4:2/TT]) --> (OTE/[B3:0/2]) Rung-6: (XIO/[I1:0/0]) AND (XIO/[T4:3/DN]) --> (TON/[T4:3/1.0/1/0]) Rung-7: ( (XIC/[O0:0/0] AND XIO/[T4:3/DN]) OR (XIC/[T4:3/DN] AND XIO/[O0:0/0]) ) --> (OTE/[B3:0/0]) Rung-8: ( ( XIC/[B3:0/0]) OR ( XIC/[B8:0/0]) ) --> (OTE/[O0:0/0]) Rung-9: ( ( XIC/[B3:0/1]) OR ( XIC/[B8:0/1]) ) --> (OTE/[O0:0/1]) Rung-10: ( ( XIC/[B3:0/2]) OR ( XIC/[B8:0/2]) ) --> (OTE/[O0:0/2]) Rung-11: ( ( XIC/[B3:0/3]) OR ( XIC/[B8:0/3]) ) --> (OTE/[O0:0/3]) Rung-12: END 22

23 23

24 INSTRUCTION LEVEL 24

25 LOGIC LEVEL 25

26 Compatibility With Older Versions 26

27 Attack Scenario 1 Timer : 5 secs Timer : 100 secs Engineering Software Original Program Original Program Timer : 5 secs MITM Attacker Program Attacker Program Timer : 100 secs PLC 27

28 Evaluation of Laddis on Attack Scenario I C2: Attacker changed the preset of second timer (T4:1) data from 5 sec to 100 (0x64) sec Preset Accum EN DN TT [Time base] 00: 0.01 sec / 01: sec / 10: 1 sec T4:2 T4:3 T4:0 T4:1 MAC address of attacker system (00:0c:29:c6:f5:36) < (00:1d:9c:a5:bc:3f) Rung-0: XIC/[I1:0/0] AND XIO/[T4:2/DN] --> TON/[T4:0/1.0/3/3] Rung-1: XIC/[T4:0/TT] --> OTE/[B3:0/3] Rung-2: XIC/[T4:0/DN] --> TON/[T4:1/1.0/100/22] Preset of T4:1 is 100 sec Rung-3: XIC/[T4:1/TT] --> OTE/[B3:0/1] MAC address of RSLogix system MAC address of PLC a) Decompiled ladder logic program (PLC Attacker) MAC address of attacker system (00:0c:29:9f:ad:bb) < (00:0c:29:c6:f5:36) Rung-0: XIC/[I1:0/0] AND XIO/[T4:2/DN] --> TON/[T4:0/1.0/3/3] Rung-1: XIC/[T4:0/TT] --> OTE/[B3:0/3] Rung-2: XIC/[T4:0/DN] --> TON/[T4:1/1.0/5/0] Preset of T4:1 is 5 sec Rung-3: XIC/[T4:1/TT] --> OTE/[B3:0/1] a) Decompiled ladder logic program (Attacker RSLogix) 28

29 Attack Scenario II 0xFF 0XFF 0XFF replace XIC instruction Engineering Software Attacker Program MITM Original Program PLC Crash 29

30 Evaluation of Laddis on Attack Scenario II MAC address of attacker system MAC address of PLC Start of Rung #0 Original instruction :XIC a) Original binary ladder logic Attacker replace the original instruction (XIC) with a malformed instruction b) Malformed binary ladder logic Reply (00:0c:29:c6:f5:36) < (00:1d:9c:a5:bc:3f) Rung-0: XIC/[I1:0/0] AND XIO/[T4:2/DN] --> TON/[T4:0/1.0/3/3] Rung-1: XIC/[T4:0/TT] --> OTE/[B3:0/3] a) Decompiled ladder logic program (PLC Attacker) MAC address of RSLogix system (00:0c:29:9f:ad:bb) < (00:0c:29:c6:f5:36) Detect unknown instruction code 'ffff' at file offset '0x6' Detect unknown instruction code 'ffff' at file offset '0x8' Detect unknown instruction code 'ffff' at file offset '0xa' Detect unknown instruction code 'ffff' at file offset '0xc' Rung-0: XIO/[T4:2/DN] --> TON/[T4:0/1.0/3/3] Rung-1: XIC/[T4:0/TT] --> OTE/[B3:0/3] MAC address of attacker system Malformed rung b) Decompiled ladder logic program (Attacker RSLogix) Original rung 30

31 Attack Scenario III Engineering Software Attacker Program PLC Attacker Program Attacker Error 31

32 Evaluation of Laddis on Attack Scenario III Insert a new rung into a binary ladder logic MAC address of RSLogix system MAC address of PLC (00:0c:29:9f:ad:bb) < (00:1d:9c:a5:bc:3f) Rung-0: XIC/[I1:0/0] AND XIO/[T4:2/DN] --> TON/[T4:0/1.0/3/3] Rung-1: XIC/[T4:0/TT] --> OTE/[B3:0/3] Rung-2: XIC/[T4:0/DN] --> TON/[T4:1/1.0/5/0] Rung-3: XIC/[T4:1/TT] --> OTE/[B3:0/1] Rung-4: XIC/[T4:1/DN] --> TON/[T4:2/1.0/2/0] Rung-5: XIC/[T4:2/TT] --> OTE/[B3:0/2] Rung-6: XIO/[I1:0/0] AND XIO/[T4:3/DN] --> TON/[T4:3/1.0/1/0] Rung-7: ( ( XIC/[O0:0/0] AND XIO/[T4:3/DN] ) OR ( XIC/[T4:3/DN] AND XIO/[O0:0/0] ) ) --> OTE/[B3:0/0] Rung-8: ( ( XIC/[B3:0/0] ) OR ( XIC/[B8:0/0] ) ) --> OTE/[O0:0/0] Rung-9: ( ( XIC/[B3:0/1] ) OR ( XIC/[B8:0/1] ) ) --> OTE/[O0:0/1] Rung-10: ( ( XIC/[B3:0/2] ) OR ( XIC/[B8:0/2] ) ) --> OTE/[O0:0/2] Rung-11: ( ( XIC/[B3:0/3] ) OR ( XIC/[B8:0/3] ) ) --> OTE/[O0:0/3] Rung-12: XIC/[I1:0/0] --> OTE/[O0:0/3] Inserted rung by attacker Rung-13: END 32

33 Evaluation of Laddis on Attack Scenario III 10-byte tuples representing data files Related to integrity of ladder logic file Related to size of ladder logic file File type: ladder logic File size a) Configuration file (type: 0x03) Base Address Related to size of ladder logic file b) Unknown file (type: 0x24) 33

34 Introduced a new class of attacks on industrial control systems denial of engineering operations developed Laddis a ladder logic decompiler that can correctly reconstruct the source of the original code from a network trace Generally, ICS forensics is an underrepresented area and needs more attention from cybersecurity researchers Funding should be directed for the research on this topic Solutions should cover a wide variety of vendors and protocols 34

35 Irfan Ahmed, Sebastian Obermeier, Sneha Sudhakaran, Vassil Roussev, Programmable Logic Controller Forensics, IEEE Security & Privacy, Vol. 15, No. 6, November 2017 Saranyan Senthivel, Shrey Dhungana, Hyunguk Yoo, Irfan Ahmed, Vassil Roussev, Denial of Engineering Operations Attacks in Industrial Control Systems, In 8th ACM Conference on Data and Application Security and Privacy (CODASPY 18), March 2018, Tempe, AZ, USA. Saranyan Senthivel, Irfan Ahmed, Vassil Roussev, "SCADA Network Forensics of the PCCC Protocol", In the 17th Annual Digital Forensics Research Conference (DFRWS'17), August 2017, Austin, USA. 35