Hardware-based solutions for critical infrastructure security

Hardware-based solutions for critical infrastructure security
Mihalis Maniatakos, Assistant Professor, New York University Abu Dhabi Center for Cyber Security
sites.nyuad.nyu.edu/ccs-ad/

Critical Infrastructure Sectors
As defined by the US Department of Homeland Security.
Image source: http://www.sandia.gov/nisac/overview/

Cyberattacks are increasing
20% increase in cyber incidents in 2015.
Image source: ICS-CERT 2015 report
https://www.wired.com/2016/03/inside-cunningunprecedented-hack-ukraines-power-grid/

Published vulnerabilities
ICS-CERT alert snapshot as of Sep 7th, 2017.

Testbed Lab Setup: Real-time operation
[Figure: lab wiring diagram; labels R, V, I]
- Power connections to simulate the current inputs to the devices (fine-tuned)
- Data acquisition device connections to capture the controller output trip and close signals

Outline
Case study: Attacking the Smart Grid
- Creating a testbed
- Generating attack vectors
- Developing security mechanisms for legacy systems

Attacking the Smart Grid
Information needed to attack:
1. Power system topological and electrical characteristics
2. Control unit models and operation
3. Access path to control equipment

Identifying vital points of the grid: Contingency analysis
Power system stability constraints should not be violated in case of a contingency (the N-1 criterion).
Attacker's perspective: p simultaneous failures. Find the p components whose loss produces an N-p contingency that collapses the system.

Identifying vital points of the grid: Contingency analysis
An adversary needs to know the topological and electrical characteristics of the grid. These are publicly available.
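
The attacker's search described on the two slides above, as an added example that is not part of the talk or the authors' tooling. The 6-bus network, its generator and load buses, and the line list are constructed for illustration. Connectivity (a load bus islanded from every generator) stands in for the stability constraints a real contingency analysis would check with a power flow; the enumeration of N-p line-outage sets is the same.

```python
import itertools
from collections import deque

# Constructed 6-bus test network (illustrative, not a real grid):
# generators at buses 1 and 2, load at buses 4, 5 and 6, seven lines.
LINES = [(1, 2), (1, 3), (2, 4), (3, 4), (3, 5), (4, 6), (5, 6)]
GENERATORS = {1, 2}
LOADS = {4, 5, 6}

def reachable(lines, start):
    """Buses connected to `start` over the lines still in service (BFS)."""
    adj = {}
    for a, b in lines:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, todo = {start}, deque([start])
    while todo:
        u = todo.popleft()
        for v in adj.get(u, ()):
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return seen

def system_collapses(lines, generators, loads):
    """Topological stand-in for the stability check: the system 'collapses' when
    some load bus is islanded from every generator. Real contingency analysis
    re-runs the power flow and tests voltage, thermal and stability limits instead."""
    served = set()
    for g in generators:
        served |= reachable(lines, g)
    return not loads <= served

def critical_sets(lines, generators, loads, p):
    """All sets of p lines whose simultaneous loss collapses the system (N-p)."""
    hits = []
    for outage in itertools.combinations(lines, p):
        remaining = [ln for ln in lines if ln not in outage]
        if system_collapses(remaining, generators, loads):
            hits.append(outage)
    return sorted(hits)

def smallest_attack(lines, generators, loads, max_p=3):
    """Attacker's view: the smallest p for which some N-p contingency collapses the
    system, and which line sets achieve it. Returns (p, sets) or (None, [])."""
    for p in range(1, max_p + 1):
        sets = critical_sets(lines, generators, loads, p)
        if sets:
            return p, sets
    return None, []

if __name__ == "__main__":
    p, sets = smallest_attack(LINES, GENERATORS, LOADS)
    print("N-1 secure:", critical_sets(LINES, GENERATORS, LOADS, 1) == [])
    print("smallest collapsing outage size:", p)
    for s in sets:
        print("  open lines", s)
```

On the constructed network no single line outage islands a load (N-1 secure), but four pairs of lines do, so the attacker only needs two simultaneously opened devices. The enumeration is combinatorial (C(N, p) cases), which is why real tools rank candidates by screening rather than exhaustive search on large grids.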

Exploiting control units
Find security weaknesses:
- Obtain the firmware from the device or from the web
- Reverse engineer the firmware
- Extract default credentials and vulnerabilities

What about encrypted firmware?
- Option 1: PCB reverse engineering (https://harryskon.com/2016/05/08/ive-been-watching-you-a-lalalalong-reverse-engineering-ip-cameras-part-1/)
- Option 2: Reconstruction through JTAG
- Option 3: Firmware cryptanalysis
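
A first-pass triage of a firmware image, as an added example (not code from the talk): decide whether the image is opaque before spending effort on reverse engineering, and if it is not, pull out credential-looking strings of the kind the previous slide mentions. The window size, entropy thresholds, regex and both sample images are constructed assumptions; the credentials in the sample image are made up and belong to no real product.

```python
import math
import random
import re
import struct

WINDOW = 1024  # bytes per entropy window (assumption; binwalk-style tools use similar sizes)

def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant run, approaching 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def entropy_profile(image, window=WINDOW):
    """Per-window entropy; plotting this is the usual first look at an unknown image."""
    return [shannon_entropy(image[i:i + window]) for i in range(0, len(image), window)]

def classify_image(image, high=7.5, fraction=0.9):
    """'opaque' when nearly every window sits near 8 bits/byte, 'plain' otherwise.
    Caveat: compressed data scores as high as ciphertext, so 'opaque' means
    'encrypted or compressed'; a recognisable container header (zlib, LZMA, ...)
    is what separates the two before reaching for PCB, JTAG or cryptanalysis."""
    prof = entropy_profile(image)
    opaque = sum(1 for e in prof if e >= high)
    return "opaque" if opaque >= fraction * len(prof) else "plain"

# key=value / key:value pairs with a credential-like key, printable ASCII value.
CRED_RE = re.compile(rb"(?i)\b(user(?:name)?|login|pass(?:word|code)?|pin)\s*[=:]\s*([\x21-\x7e]{1,32})")

def credential_strings(image):
    """(key, value) pairs that look like hard-coded or default credentials. These are
    leads to confirm against the device, not proof of a vulnerability by themselves."""
    return [(k.decode().lower(), v.decode()) for k, v in CRED_RE.findall(image)]

def build_plain_image():
    """Constructed plaintext image: a code-like region of big-endian 32-bit words,
    a config blob with made-up default credentials, then zero padding."""
    rng = random.Random(7)
    code = b"".join(struct.pack(">I", 0x38000000 | rng.randrange(1 << 16)) for _ in range(4096))
    config = (b"[service]\x00user=operator\x00passcode=1234\x00"
              b"telnet=enabled\x00login=maint\x00password=maint\x00")
    return code + config + b"\x00" * 8192

def build_opaque_image():
    """Constructed stand-in for an encrypted image: uniformly random bytes."""
    rng = random.Random(1)
    return bytes(rng.getrandbits(8) for _ in range(32 * WINDOW))

def triage(image):
    """What an analyst wants first: is it worth running strings and a disassembler at all?"""
    verdict = classify_image(image)
    creds = credential_strings(image) if verdict == "plain" else []
    return verdict, creds

if __name__ == "__main__":
    for name, img in (("plain", build_plain_image()), ("opaque", build_opaque_image())):
        print(name, triage(img))
```

The regex is deliberately loose; on a real image it produces false positives from help text and format strings, which is acceptable for a lead generator whose output is verified by hand.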

Demonstrating an attack [1]
1. Topological and electrical characteristics: PowerWorld Simulator model
2. Control unit models: retrieve firmware from the vendor website
3. Access path to control equipment: CVE-2017-7905 [2], advisory ICSA-17-117-01A
[1] C. Konstantinou and M. Maniatakos. Impact of Firmware Modification Attacks on Power Systems Field Devices. In: IEEE International Conference on Smart Grid Communications. 2015, pp. 283-288
[2] A. Keliris, C. Konstantinou, and M. Maniatakos. GE Multilin SR Protective Relays Passcode Vulnerability. In: BlackHat USA. 2017

Press coverage of the GE Multilin relay disclosure:
https://www.reuters.com/article/us-cyber-generalelectric-power-iduskbn17s23y
https://www.youtube.com/watch?v=a58dprdsllm
https://it.slashdot.org/story/17/04/26/1839218/ge-fixing-bug-in-software-after-warning-about-power-grid-hacks
https://www.usnews.com/news/technology/articles/2017-04-26/ge-fixes-bug-in-power-software-as-researchers-warn-o
https://www.theregister.co.uk/2017/04/27/ge_rushing_patches_to_grid_systems_ahead_of_black_hat_demonstration/
https://www.reddit.com/r/energy/comments/67qks9/ge_fixing_bug_in_software_after_warning_about/
https://uk.finance.yahoo.com/quote/ge?p=ge
http://www.bbc.com/news/technology-40766757
https://nakedsecurity.sophos.com/2017/05/02/ge-patches-flaws-allowing-attackers-to-disconnect-power-grid-at-will/
http://gulftoday.ae/portal/ae098790-8b50-43ef-a70b-b2c584954606.aspx
https://www.helpnetsecurity.com/2017/07/28/power-grid-cyberattacks/
https://www.eenews.net/energywire/2017/07/28/stories/1060058065
http://www.engerati.com/article/smart-grid-security-vulnerabilities-and-how-deal-them

Attack impact
Carefully picking reclosers to open [1]
[1] C. Konstantinou and M. Maniatakos. Impact of Firmware Modification Attacks on Power Systems Field Devices. In: IEEE International Conference on Smart Grid Communications. 2015, pp. 283-288

Reminder! Talk title: Hardware-based solutions for critical infrastructure security

Hardware is the root of trust
Re-use existing hardware structures for intrusion detection purposes; compatible with existing devices.
Two methodologies:
- Anomaly detection using hardware performance counters
- Anomaly detection using an external monitor (work in progress)

Hardware Performance Counters
A set of special-purpose registers that count low-level hardware events. Primarily targeting performance tuning. Included in some existing grid devices.
Example event set: MPU PowerQUICC II PRO, containing the e300c3 processor core

Name                                 Description
CPU_CLK                              Cycles
COMPLETED_INSNS                      Completed instructions (0, 1, or 2 per cycle)
INSTRUCTION_FETCHES                  Instruction fetches
PM_EVENT_TRANS                       0 to 1 transitions on the pm_event input
PM_EVENT_CYCLES                      Processor bus cycles
COMPLETED_BRANCHES                   Branch instructions completed
COMPLETED_LOAD_OPS                   Load micro-ops completed
COMPLETED_STORE_OPS                  Store micro-ops completed
BRANCHES_FINISHED                    Branches finished
TAKEN_BRANCHES_FINISHED              Taken branches finished
BRANCHES_MISPREDICTED                Branch instructions mispredicted due to direction, target, or IAB prediction
DECODE_STALLED                       Cycles the instruction buffer was not empty, but 0 instructions decoded
ISSUE_STALLED                        Cycles the issue buffer is not empty, but 0 instructions issued
CACHEINHIBITED_ACCESSES_TRANSLATED   Number of cache-inhibited accesses translated
FETCHES                              Number of fetches that write at least one instruction to the instruction buffer

Toy example: Blowfish cipher
Malicious actions will show up on a performance counter.
The valid execution flow runs 16 iterations. Modify cmpwi r29, 0x10 to cmpwi r29, 0x0A to run fewer iterations.
Profile of the valid path: # of instructions = 1143, # of branches = 82
Profile of the malicious path: # of instructions = 723, # of branches = 52
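
The detection logic that turns such profiles into an alarm, as an added example that is not the ConFirm code or any device's firmware. The two counts on the slide differ by 420 instructions and 30 branches across the six skipped rounds, i.e. about 70 instructions and 5 branches per Blowfish round, which is far outside any run-to-run noise. The readings below are constructed around those two numbers with a few counts of assumed jitter; on a real device they would be read from the COMPLETED_INSNS and COMPLETED_BRANCHES events listed in the table.

```python
import math
import random

COUNTERS = ("COMPLETED_INSNS", "COMPLETED_BRANCHES")  # two of the e300c3 events in the table

def collect_readings(insns, branches, runs, seed, jitter=3):
    """Constructed counter readings for one checkpointed code region: the nominal
    counts plus a few counts of noise standing in for interrupts and cache effects."""
    rng = random.Random(seed)
    return [{"COMPLETED_INSNS": insns + rng.randint(-jitter, jitter),
             "COMPLETED_BRANCHES": branches + rng.randint(-jitter, jitter)}
            for _ in range(runs)]

class HpcProfile:
    """Golden profile (per-counter mean and sigma) built from known-good runs."""

    def __init__(self, baseline, min_sigma=1.0):
        self.mean, self.sigma = {}, {}
        for name in COUNTERS:
            vals = [r[name] for r in baseline]
            m = sum(vals) / len(vals)
            var = sum((v - m) ** 2 for v in vals) / len(vals)
            self.mean[name] = m
            # Floor on sigma: a perfectly deterministic counter (sigma 0) would turn
            # any one-count difference into an infinite z-score.
            self.sigma[name] = max(math.sqrt(var), min_sigma)

    def zscores(self, reading):
        return {n: (reading[n] - self.mean[n]) / self.sigma[n] for n in COUNTERS}

    def is_anomalous(self, reading, threshold=4.0):
        """Alert when any counter lies more than `threshold` sigmas from the profile."""
        return any(abs(z) > threshold for z in self.zscores(reading).values())

VALID = (1143, 82)      # slide: 16 Blowfish rounds
MALICIOUS = (723, 52)   # slide: loop bound patched from 0x10 to 0x0A, 10 rounds

def run_detection(train_runs=50, test_runs=20):
    """Train on valid runs, then count alerts on fresh valid runs and on malicious runs.
    Returns (false_alarms, detections)."""
    profile = HpcProfile(collect_readings(*VALID, train_runs, seed=1))
    false_alarms = sum(profile.is_anomalous(r) for r in collect_readings(*VALID, test_runs, seed=2))
    detections = sum(profile.is_anomalous(r) for r in collect_readings(*MALICIOUS, test_runs, seed=3))
    return false_alarms, detections

if __name__ == "__main__":
    fa, det = run_detection()
    print("false alarms on valid runs:", fa, "/ 20")
    print("detections on malicious runs:", det, "/ 20")
```

The threshold and jitter are assumptions; the point a practitioner should take is the sigma floor and the use of more than one counter. An attacker who knows which counters are monitored can try to pad a modified path so that one counter matches; matching several independent events at once is considerably harder.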

ConFirm [3]: anomaly detection using HPCs
[3] X. Wang, C. Konstantinou, R. Karri, and M. Maniatakos. ConFirm: Detecting Firmware Modifications in Embedded Systems using Hardware Performance Counters. In: IEEE International Conference on Computer-Aided Design. 2015, pp. 544-551

Leverage Hardware (Defenses: JTAG)
Detect intrusions in already-installed real-time embedded devices via JTAG:
- External monitoring tool
- No code instrumentation
- Adapt and prioritize based on the real-time requirements of the critical infrastructure process and the computing capabilities of the embedded system
- Does not require any form of vendor collaboration

PHYLAX: Snapshot-based Profiling (Defenses: JTAG)
Prerequisites:
1. JTAG-enabled device (IEEE Std. 1149.1): boundary scan testing, storing firmware programming modules, debugging embedded systems
2. Specific debugging features: internal register access (invasive), memory access (non-invasive), placement of hardware breakpoints (non-invasive)
The selection of 1 and 2 makes PHYLAX applicable to as many embedded devices as possible.

PHYLAX Architecture (Defenses: JTAG)
[Figure: PHYLAX architecture diagram]

PHYLAX Architecture (Defenses: JTAG)
- Memory Scanner (MS): continuously extracts content from the device and inspects the run-time memory data
- Hardware Breakpoint Routine (HBR): triggered when the scanner identifies memory (e.g. stack) content that matches instructions
- Program Counter Checker (PCC): checks the execution area
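
The two checks above that need no vendor cooperation, as an added example (not the PHYLAX implementation): a Program Counter Checker that confirms the PC lies in the firmware's code region, and a Memory Scanner that looks for runs of words in the stack that decode as plausible PowerPC (e300-class) instructions, which is where the Hardware Breakpoint Routine would then plant a breakpoint. The memory map, stack base, the coarse instruction decoder and both stack snapshots are constructed assumptions.

```python
import struct

# Assumed memory map of the monitored device (illustrative addresses, not a real product).
TEXT = [(0x00001000, 0x00020000)]   # firmware code: the only region the PC may be in
STACK_BASE = 0x0040F000             # assumed address of the snapshotted stack page

def pc_check(pc, text=TEXT):
    """Program Counter Checker: True while the PC is inside a code region. A PC in
    the stack or heap means control flow has left the firmware, e.g. a return
    into code injected on the stack."""
    return any(lo <= pc < hi for lo, hi in text)

def looks_like_insn(word):
    """Coarse PowerPC decoder on one big-endian 32-bit word: primary opcode in the
    top 6 bits, XO field for the two extended-opcode families. Accepts the
    instructions injected code and prologues/epilogues are built from. A data
    word can collide with these encodings, so a single hit is not an alarm."""
    op = word >> 26
    xo = (word >> 1) & 0x3FF
    if op in (14, 16, 17, 18, 24, 32, 36, 37):  # addi, bc, sc, b, ori (nop), lwz, stw, stwu
        return True
    if op == 19 and xo in (16, 528):            # bclr (blr), bcctr
        return True
    if op == 31 and xo in (339, 467):           # mfspr (mflr), mtspr (mtlr)
        return True
    return False

def scan_memory(snapshot, base, min_run=3):
    """Memory Scanner: (address, run_length) for every run of at least min_run
    consecutive instruction-like words in a region that should hold data only.
    Each hit is where the Hardware Breakpoint Routine would set a breakpoint to
    confirm execution before raising the alert."""
    n = len(snapshot) // 4
    words = struct.unpack(">%dI" % n, snapshot[:4 * n])
    hits, start, run = [], 0, 0
    for i, w in enumerate(words):
        if looks_like_insn(w):
            if run == 0:
                start = i
            run += 1
        else:
            if run >= min_run:
                hits.append((base + 4 * start, run))
            run = 0
    if run >= min_run:
        hits.append((base + 4 * start, run))
    return hits

def pack_words(*ws):
    return b"".join(struct.pack(">I", w) for w in ws)

# Constructed benign frame: saved return addresses into TEXT, a loop counter, a frame pointer.
BENIGN_STACK = pack_words(0x00001A2C, 0x00000010, 0x0040F040, 0x0000000A, 0x00002B40, 0x00000000)
# Same frame carrying an injected sequence: mflr r0; stwu r1,-16(r1); stw r0,20(r1); sc; blr
INJECTED_STACK = pack_words(0x00001A2C, 0x7C0802A6, 0x9421FFF0, 0x90010014, 0x44000002, 0x4E800020, 0x0000000A)

def snapshot_check(pc, stack):
    """One PHYLAX-style snapshot verdict: PC inside code and no code-shaped runs in the stack."""
    return pc_check(pc) and not scan_memory(stack, STACK_BASE)

if __name__ == "__main__":
    print("benign:", snapshot_check(0x00002A3C, BENIGN_STACK))
    print("injected code in stack:", snapshot_check(0x00002A3C, INJECTED_STACK), scan_memory(INJECTED_STACK, STACK_BASE))
    print("PC in stack:", snapshot_check(0x0040F004, BENIGN_STACK))
```

Both checks are snapshot-based and therefore probabilistic: an injected payload that runs and returns between two JTAG reads is missed, which is why the real-time budget of the process decides how often the monitor may halt the core and how large a region it can read per snapshot.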

Case Study: Power Grid Monitor (Defenses: JTAG)
[Figure: power grid monitor case study]

Other projects at NYUAD

NYUAD Smart-city testbed
Connecting various smart processes: smart grid, chemical factory, intelligent transportation, smart house, smart building, desalination plant.
Come-and-hack environment.
http://sites.nyuad.nyu.edu/ccs-ad/smart-city-testbed/

Chemical sector: Hardware-In-The-Loop (HITL) testbed, Tennessee Eastman process
[Figure: HITL testbed]

Chemical sector: Hardware-In-The-Loop (HITL) testbed, Tennessee Eastman process
- Modeled a variety of attacks [4]: sensor, control, actuator
- Trained an SVM for detection
- HITL allows us to model disturbances
[4] A. Keliris, H. Salehghaffari, B. Cairl, P. Krishnamurthy, M. Maniatakos, and F. Khorrami. Machine Learning-based Defense Against Process-Aware Attacks on Industrial Control Systems. In: IEEE International Test Conference. 2016, pp. 12.2.1-12.2.10

False Data Injection: Supply Chain [5] (Attacks: Hardware/Firmware)
- Implementation of False Data Injection (FDI) attacks against State Estimation (SE)
- Deliver the FDI payload by infiltrating a secondary channel of the smart grid: the supply chain
- RTU firmware reverse engineering and modification
[5] C. Konstantinou and M. Maniatakos. A Case Study on Implementing False Data Injection Attacks Against Nonlinear State Estimation. In: Proceedings of the Second ACM Workshop on Cyber-Physical Systems Security and Privacy, CCS, Vienna, 2016.

Case Study: Acquisition and Analysis (Attacks: Hardware/Firmware)
Flash data acquisition and analysis: de-solder the flash memories from 3 commercial RTUs.

RTU   Model                Type   Size     Package
A     Spansion S29AL004D   NOR    4 Mbit   48-pin TSOP
A     AMD Am29F400B        NOR    4 Mbit   44-pin TSOP
A     Atmel AT29C040A      NOR    4 Mbit   32-pin TSOP
B     Atmel AT29C040A      NOR    4 Mbit   32-pin TSOP
C     Spansion S29AL008J   NOR    8 Mbit   48-pin TSOP

GPS Spoofing Effect: RTDS-based HITL [6] (Attacks: Network/Operation)
- End-to-end study of the effect of PMU-based GPS-spoofed measurements on power system applications
- Real attack model in an RTDS-based HITL testbed with commercial devices
[6] C. Konstantinou, et al. GPS Spoofing Effect on Phase Angle Monitoring and Control in an RTDS-based Hardware-In-The-Loop Environment. In: IET Cyber-Physical Systems: Theory & Applications, Special Issue on Cyber-Physical Systems in Smart Grids: Security and Operations, 2017.

Thank you! Questions?
More information: nyuad.nyu.edu/momalab