PREEMPTIVE Preventive methodology and tools to protect utilities

Transcription

1 PREEMPTIVE Preventive methodology and tools to protect utilities Ignasi Cairó 15 October 2015 Brussels With the financial support of FP7 Seventh Framework Programme Grant agreement no:

2 Main goal The main goal of PREEMPTIVE is to provide an innovative solution for enhancing existing procedures and methods and conceiving tools to prevent against cyber attacks, that target utility companies relying heavily on industrial networks and automated control systems. PREEMPTIVE addresses, in particular, the prevention of cyber attacks against hardware and software systems such as DCS, SCADA, PLC, networked electronic sensing, and monitoring and diagnostic systems used by the utilities networks.

3 Innovative Breakthoughs The strong innovation proposed in PREEMPTIVE is to face the cyber attacks adopting a dual approach techniques that take into account industrial process behaviour (IPB) and communication & software related threats (CATh). (Industrial) process misbehaviours take place when an attacker gains user access rights and performs actions, which look legitimate, but which are intended to disrupt the industrial process. 1. To enhance existing methodological security and prevention frameworks with the aim of harmonizing Risk and Vulnerability Assessment methods, standard policies, procedures and applicable regulations or recommendations to prevent cyber attacks. The PREEMPTIVE methodology proposed will take into account the envisaged innovative technological solutions for preventing and for detecting zero day attacks. 2. To define guidelines for improving Critical Infrastructures (CIs) surveillance. 3. To design and develop prevention and detection tools complaint to the dual approach that takes into account both the industrial process misbehavior analysis (physic domain) and the communication and software anomalies (cyber domain): 4. Industrial process misbehavior detection. 5. Communication & software related threats prevention and detection. 3

4 Industrial networks (intrussion)

5 Electrical Power Gird Control center Model & Simulation Common in Electricity Water & Gas 5

6 Industrial networks vulnerabilities Industrial networks are subject to several types of vulnerabilities. The most common includes: Misconfiguration of software and devices Weak Passwords used Devices communications not encrypted/authenticated System not patched frequently 0- days vulnerabilities Subnetwork not properly isolated/segmented and monitored Commons Operating System used, inheriting their weaknesses Ad-hoc created malware We will use these vulnerabilities to simulate cyber attacks against an industrial network. 6

7 Tools/Techniques Kali Linux Performing penetration test Nmap Network scanning Large networks/single spots In this way we can discover: what hosts are active on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters / firewalls are in use. Other tools relating PLCs, detect MODBUS / TCP ports, etc.

8 Tools/Techniques Other tools that we can use to acquire information are Wireshark ( network sniffer) and Nessus / OpenVas (Vulnerability Scanner). All the information acquired will be used to attack the network with the following tools: Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible and allow to easily gain unauthorized access to a system remotely using brute force or dictionary attack. SQLmap is one of the most effective penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. Metasploit Framework is a powerful tool that helps to simplify the exploitation of a remote target machine. 8

9 Tools/Techniques 1. Simulate a man-in-the-middle attack where we can inject commands to an IED 2. Modify the values of certain values transmitted from/to an RTU to manipulate such values (the variables we should manipulate have to be derived from the process we are simulating) 3. Use a fuzzer to send malformed packet to fields device and see how they react (e.g. if they fail) 4. Use a malware that can be stored on an USB stick and it can infect a SCADA server to send strange commands to field device (e.g. opening a switch)

10 Attacks againts web servier

11 Attacks against internal database

12 Attacks against SCADA server

13 Attacks against PLC/IEDs

14 Attack simulations 14

15 Attacks Strategies Attacking the network from the outside using spear phishing / SQL-injection / brute force / other techniques to penetrate. Then we can use just a simple backdoor to maintain the access to the infected machines [@elisa]. Attacking the network from the inside infected usb-stick[@elisa] Attacking the network obtaining physical access to the RTU e.g. attack scenario (proposed by IREC) inside slide 6 15

16 Secondary Controller (AGC) SG Transformer Voltage inside operating limits PV Attacking the network obtaining physical access to the RTU CB Load WT Voltage inside operating limits 16 16

17 Attack at sec Frequency stabilizes to higher setpoint but inside the tripping limits of breakers System works insufficiently more energy lost balance is restored Frequency (Normal Case) Mech&El. Power, Torque (Normal Case) Turbine power Electrical power Mech&El. Power, Torque (Attack) Frequency (Attack) Frequency stabilizes to higher setpoint but inside the tripping limits of breakers

18 Programming attack Interfacing Simulation- Meas. IREC DSO Forecasts Gateway PC IREC DigSilent To LOG Raw data (*.txt) Bus (V, P, Q, f, Ph) Without DER 1month With DER 1 day 1 SM LOG parser + Modbus TCP/IP server Matlab 4 3 Modbus traffic Maliciuos attack EMS (SCADA) (with forecasts on txt) Injection Maliciuos attack Microgrid (data) concentrator 7 8 Local Controller IREC VITRO 6 5 XML traffic Injection Maliciuos attack IREC Modbus traffic IREC Metering IEDs 18

19 Detection methodologies 19

20 Anomaly detection The first step for the implementation of a anomaly detection system based on negative selection (an Artificial Immune System) is the characterization of the normality. Special common features of Critical Infrastructures (CI): Time series Periodicity (day, week, year pattern) Few consumption patterns Topology changes (discrete changes) Normality in this case is strongly dependent on WHO and WHEN cross checking subspaces (season, type of day) vertical, horizontal, similar comparison. Gathering if labeling is available (type and/or point of measurement) 20

21 Definition of normality In essence, normality is defined upon the concept of similarity Similarity is quantified through suitable metrics. Comparison is made among elements that have shown to be similar or should be similar: must be made in a subset. Different criteria to define subset allows to implement independent crossed detections: Instant snapshot of the whole (and/or subsetset) respect to similar instants Each detector, respect to itself in similar moments (for instance, daily pattern) Among similar detector (for instance, domestic consumption, industrial consumption). 21

22 Definition of normality Clustering ( similar measurement points ) 22

23 Applied examples IREC I: Electrical data ~20 min Time resolution: secondly 300 RTU s Simulated, one set with anomaly PCA No periodicity Continuity in reduced space V-detector train and test (Zhou Ji, Dipankar Dasgupta) t Horizontal (each point represents one instant) 23

24 NIDS A Network Intrusion Detection System (NIDS) identifies attacks by monitoring the traffic over a network /16 network sniffer /16 network sniffer / RTU PLC /16 WP7 General Meeting- Rome 16-Sep

25 Indicators of compromise (IoC) Some examples: Modbus provides (not commonly used) diagnostic functions that are able to reset a device registry IOC: monitor the presence of function code 08 to check for the presence of an attacker trying to change a device behavior Goose has sequential value for the field StNum IOC: monitor non-sequential value for StNum field that might indicate the presence of a spoofing attack DNP3 provides the DFC flag that, if set to 1, indicates a device is busy, hence the master will not communicate with it. IOC: monitor high frequency of DFC=1 which might indicate the presence of a DOS attack 25

26 Project outcome 26

27 PREEMPTIVE software prototype Detection and prediction tool based on a dual approach : low level direct detection and process misbehavior detection Correlation of events/alarm coming from network, host and process detection tool to detect and prevent cyber attacks Laboratory real/virtual environment based on electricity. Availabilty of real Scada data on operational plant Knowledge of operational process. 27

28 Thank You for Your attention! Ignasi Cairó Principal Investigator (IREC) With the financial support of FP7 Seventh Framework Programme Grant agreement no: