New York University Abu Dhabi Center for Cyber Security sites.nyuad.nyu.edu/ccs-ad/ Hardware-based solutions for critical infrastructure security Mihalis Maniatakos Assistant Professor, New York University Abu Dhabi Center for Cyber Security
NYU Abu Dhabi 2
Critical Infrastructure Sectors As defined by the US Department of Homeland Security Image Source: http://www.sandia.gov/nisac/overview/ NYU Abu Dhabi Center for Cyber Security
Cyberattacks are increasing 20% increase in cyber incidents in 2015 Image Source: ICS-CERT 2015 report https://www.wired.com/2016/03/inside-cunningunprecedented-hack-ukraines-power-grid/ NYU Abu Dhabi Center for Cyber Security
Published vulnerabilities ICS-CERT alert snapshot as of Sep 7th, 2017 NYU Abu Dhabi Center for Cyber Security
Critical Infrastructure Sectors As defined by the US Department of Homeland Security Image Source: http://www.sandia.gov/nisac/overview/ NYU Abu Dhabi Center for Cyber Security
Testbed Lab Setup: Real-time operation R R V R I Power connections to simulate the current inputs to the devices (fine-tuned) Data acquisition device connections to capture the controller output trip and close signals NYU Abu Dhabi Center for Cyber Security
Outline Case study: Attacking the Smart Grid Creating a testbed Generate attack vectors Develop security mechanisms for legacy systems NYU Abu Dhabi Center for Cyber Security
Attacking the Smart Grid Information needed to attack: 1. Power system topological and electrical characteristics 2. Control units models & operation 3. Access path to control equipment NYU Abu Dhabi Center for Cyber Security
Identifying vital points of the grid Contingency analysis Power system stability constraints should not be violated in case of contingency (N 1) Attacker s perspective: p failures Find those components p that will cause N p contingency collapse of the system NYU Abu Dhabi Center for Cyber Security
Identifying vital points of the grid Contingency analysis An adversary needs to know topological and electrical characteristics of the grid Publicly available NYU Abu Dhabi Center for Cyber Security
Attacking the Smart Grid Information needed to attack: 1. Power system topological and electrical characteristics 2. Control units models & operation 3. Access path to control equipment NYU Abu Dhabi Center for Cyber Security
Exploiting control units Find security weaknesses Obtaining firmware from device or web Reverse engineer firmware Extract default credentials, vulnerabilities NYU Abu Dhabi Center for Cyber Security
What about encrypted firmware? Option 1: PCB Reverse Engineering https://harryskon.com/2016/05/08/ive-been-watching-you-a-lalalalong-reverse-engineering-ip-cameras-part-1/ Option 2: Reconstruction through JTAG Option 3: Firmware cryptanalysis NYU Abu Dhabi Center for Cyber Security
Demonstrating an attack [1] 1. Topological and electrical characteristics PowerWorld Simulator Model 2. Control units models Retrieve firmware from vendor website 3. Access path to control equipment CVE-2017-7905 [2] Advisory: ICSA-17-117-01A [1] C. Konstantinou and M. Maniatakos. Impact of Firmware Modification Attacks on Power Systems Field Devices. In: IEEE International Conference on Smart NYU Grid Abu Communications. Dhabi Center 2015, for pp. Cyber 283-288Security [2] A. Keliris, C. Konstantinou, and M. Maniatakos. GE Multilin SR Protective Relays Passcode Vulnerability. In: BlackHat USA. 2017
https://www.reuters.com/article/us-cyber-generalelectric-power-iduskbn17s23y https://www.youtube.com/watch?v=a58dprdsllm https://it.slashdot.org/story/17/04/26/1839218/ge-fixing-bug-in-software-after-warning-about-power-grid-hacks https://www.usnews.com/news/technology/articles/2017-04-26/ge-fixes-bug-in-power-software-as-researchers-warn-o https://www.theregister.co.uk/2017/04/27/ge_rushing_patches_to_grid_systems_ahead_of_black_hat_demonstration/ https://www.reddit.com/r/energy/comments/67qks9/ge_fixing_bug_in_software_after_warning_about/ https://uk.finance.yahoo.com/quote/ge?p=ge http://www.bbc.com/news/technology-40766757 https://nakedsecurity.sophos.com/2017/05/02/ge-patches-flaws-allowing-attackers-to-disconnect-power-grid-at-will/ http://gulftoday.ae/portal/ae098790-8b50-43ef-a70b-b2c584954606.aspx https://www.helpnetsecurity.com/2017/07/28/power-grid-cyberattacks/ https://www.eenews.net/energywire/2017/07/28/stories/1060058065 NYU Abu Dhabi Center for Cyber Security http://www.engerati.com/article/smart-grid-security-vulnerabilities-and-how-deal-them
Attack impact Carefully picking reclosers to open [1] [1] C. Konstantinou and M. Maniatakos. Impact of Firmware Modification Attacks on Power Systems Field Devices. In: IEEE International Conference on Smart NYU Grid Abu Communications. Dhabi Center 2015, for pp. Cyber 283-288Security
Reminder! Talk Title: Hardware-based solutions for critical infrastructure security NYU Abu Dhabi Center for Cyber Security
Hardware is the root of trust Re-use existing hardware structures for intrusion detection purposes Compatible with existing devices Two methodologies: Anomaly detection using hardware performance counters Anomaly detection using external monitor (work in progress) NYU Abu Dhabi Center for Cyber Security
Hardware Performance Counters A set of special-purpose registers that count lowlevel hardware events Primarily targeting performance tuning Included in some existing grid devices Name CPU_CLK COMPLETED_INSNS INSTRUCTION_FETCHES PM_EVENT_TRANS PM_EVENT_CYCLES COMPLETED_BRANCHES COMPLETED_LOAD_OPS COMPLETED_STORE_OPS BRANCHES_FINISHED TAKEN_BRANCHES_FINISHED Description Cycles Completed Instructions (0, 1, or 2 per cycle) Instruction fetches 0 to 1 translations on the pm_event input processor bus cycle Branch Instructions completed Load micro-ops completed Store micro-ops completed Branches finished Taken branches finished BRANCHES_MISPREDICTED Branch instructions mispredicted due to direction, target, or IAB prediction MPU POWERQUICC II PRO, containing the e300c3 processor core DECODE_STALLED ISSUE_STALLED CACHEINHIBITED_ACCESSES_TR ANSLATED Cycles the instruction buffer was not empty, but 0 instructions decoded Cycles the issue buffer is not empty but 0 instructions issued Number of cache inhibited accesses translated Counts the number of fetches that write at NYU Abu FETCHES Dhabi Center for Cyber Security least one instruction to the instruction buffer
Toy example: Blowfish Cipher Malicious actions will show up on a performance counter The valid execution flow runs 16 iterations Modify cmpwi r29, 0x10 to cmpwi r29, 0x0A to run less iterations Profile of the valid path: # of instructions = 1143 # of branches = 82 Profile of the malicious path: # of instructions = 723 # of branches = 52 NYU Abu Dhabi Center for Cyber Security
ConFirm [3] Anomaly detection using HPCs [3] X. Wang, C. Konstantinou, R. Karri, and M. Maniatakos. ConFirm: Detecting Firmware Modifications in Embedded Systems using Hardware Performance Counters. In: IEEE International Conference on Computer-Aided Design. 2015, pp. 544-551 NYU Abu Dhabi Center for Cyber Security
Leverage Hardware Defenses: JTAG Detect intrusions in already installed real-time embedded devices via JTAG External monitoring tool No code instrumentation Adapt and prioritize based on: Real-time requirements of the critical infrastructure process Computing capabilities of the embedded system Does not require any form of vendor collaboration NYU Abu Dhabi Center for Cyber Security
PHYLAX: Snapshot-based Profiling Defenses: JTAG Prerequisites: 1. JTAG-enabled device IEEE Std. 1149.1 Boundary scan testing Storing firmware programming modules Debugging embedded systems 2. Specific debugging features internal register access (invasive) memory access (non-invasive) placement of hardware breakpoints (non-invasive) Selection of 1 & 2 Make PHYLAX applicable to as many embedded devices as possible NYU Abu Dhabi Center for Cyber Security
PHYLAX Architecture Defenses: JTAG NYU Abu Dhabi Center for Cyber Security
PHYLAX Architecture Defenses: JTAG Memory Scanner (MS) Continuously extracts content from the device and inspects the run-time memory data Hardware Breakpoint Routine (HBR) Triggered when the scanner identifies memory (e.g. stack) content that matches instructions Program Counter Checker (PCC) Check execution area NYU Abu Dhabi Center for Cyber Security
Case Study: Power Grid Monitor Defenses: JTAG NYU Abu Dhabi Center for Cyber Security
Other projects at NYUAD NYU Abu Dhabi Center for Cyber Security
NYUAD Smart-city testbed Connecting various smartprocesses Smart-grid Chemical factory Intelligent transportation Smart house Smart building Desalination plant Come-and-hack environment http://sites.nyuad.nyu.edu/c cs-ad/smart-city-testbed/ NYU Abu Dhabi Center for Cyber Security
Chemical sector Hardware-In-The-Loop (HITL) testbed: Tennessee Eastman process NYU Abu Dhabi Center for Cyber Security
Chemical sector Hardware-In-The-Loop (HITL) testbed: Tennessee Eastman process Modeled a variety of attacks [4] Sensor: Control: Actuator: Trained an SVM for detection HITL allows us to model disturbances [4] A. Keliris, H. Salehghaffari, B. Cairl, P. Krishnamurthy, M. Maniatakos, and F. Khorrami. Machine Learning-based Defense NYU Against Abu Dhabi Process-Aware Center Attacks for Cyber on Industrial Security Control Systems. In: IEEE International Test Conference. 2016, pp. 12.2.1-12.2.10
False Data Injection: Supply Chain [5] Attacks: Hardware/Firmware Implementation of False Data Injection (FDI) attacks against State Estimation (SE) Deliver the FDI payload via infiltrating secondary channels of the smart grid: supply chain RTU firmware reverse engineering & modification [5] C. Konstantinou and M. Maniatakos, A Case Study on Implementing False Data Injection Attacks Against Nonlinear State Estimation, In: Proceedings of the Second ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy, CCS/ACM, Vienna, 2016. NYU Abu Dhabi Center for Cyber Security
Case Study: Acquisition and Analysis Attacks: Hardware/Firmware Flash Data Acquisition and Analysis De-solder flash memories from 3 commercial RTUs RTU Model Type Size Package Spansion S29AL004D NOR 4 Mbit 48-pin TSOP A AMD Am29F400B NOR 4 Mbit 44-pin TSOP Atmel AT29C040A NOR 4 Mbit 32-pin TSOP B Atmel AT29C040A NOR 4 Mbit 32-pin TSOP C Spansion S29AL008J NOR 8 Mbit 48-pin TSOP NYU Abu Dhabi Center for Cyber Security
GPS Spoofing Effect: RTDS-based HITL [6] Attacks: Network/Operation End-to-end study on the effect of PMU-based GPS spoofed measurements on power system applications Real attack model in an RTDS-based HITL testbed with commercial devices [6] C. Konstantinou, et al., GPS Spoofing Effect on Phase Angle Monitoring and Control in an RTDS-based Hardware-In-The-Loop Environment, In: IET Cyber-Physical Systems: Theory & Applications, Special Issue on Cyber-Physical Systems in Smart Grids: Security and Operations, 2017. NYU Abu Dhabi Center for Cyber Security
GPS Spoofing Effect: RTDS-based HITL Attacks: Network/Operation [6] C. Konstantinou, et al., GPS Spoofing Effect on Phase Angle Monitoring and Control in an RTDS-based Hardware-In-The-Loop Environment, In: IET Cyber-Physical Systems: Theory & Applications, Special Issue on Cyber-Physical Systems in Smart Grids: Security and Operations, 2017. NYU Abu Dhabi Center for Cyber Security
GPS Spoofing Effect: RTDS-based HITL Attacks: Network/Operation [6] C. Konstantinou, et al., GPS Spoofing Effect on Phase Angle Monitoring and Control in an RTDS-based Hardware-In-The-Loop Environment, In: IET Cyber-Physical Systems: Theory & Applications, Special Issue on Cyber-Physical Systems in Smart Grids: Security and Operations, 2017. NYU Abu Dhabi Center for Cyber Security
Thank you! More information: nyuad.nyu.edu/momalab Questions? NYU Abu Dhabi Center for Cyber Security