
Dissertation (Phase II)

Dissertation (Phase II). Dissertation (Phase – 2) Presentation On : Detecting Network Attack Vectors On SCADA Specific Network Operating On Modbus TCP/IP Protocol. PREPARED BY: Neel H. Pathak GTU ITSNS [121060751003]. GUIDED BY: Prof. H. B. Patel Asst. Professor at LCIT, BHANDU.


Presentation Transcript


  1. Dissertation (Phase II) Dissertation (Phase – 2) Presentation On: Detecting Network Attack Vectors On SCADA Specific Network Operating On Modbus TCP/IP Protocol PREPARED BY: Neel H. Pathak GTU ITSNS [121060751003] GUIDED BY: Prof. H. B. Patel Asst. Professor at LCIT, BHANDU

  2. Outline • Introduction • What, How, Why and Where of SCADA Systems? • Problem Description • Background and Reason to choose such Topic (Motivation) • Objectives and Scope of Work • Literature Survey • Issues • Modbus Protocol • Modbus Protocol Structure • Vulnerability in Modbus TCP/IP • C-I-A and Related Study • Proposed Solution • Proposed Solution Flow Diagram • Functional Description • How my proposed solution is different from others? • Implementation Details • Designing of Network • Network Diagram(Internal & External) • Comparison, Analysis and Testing Results • Comparison with popular NIDS • Conclusion and References

  3. Introduction: WHAT are SCADA systems? • Supervisory Control and Data Acquisition (SCADA) systems are used for automation purposes in chemical plants, oil and gas plants, power stations, water distribution etc. • A part of ICS (Industrial Control Systems) and different from DCS (Distributed Control Systems) • Combination of telemetry and data acquisition [1] • Often a misunderstood term

  4. HOW does a SCADA system communicate? • Third generation SCADA systems consist of the following components [1]: • Field instrumentation (sensors and actuators) • Remote stations (RTUs or PLCs) • Communications network (Ethernet, radio or leased line) • Central monitoring station (HMI/MMI) Figure adopted from SCADA Primer [1]

  5. Typical SCADA system. Figure adopted from SCADA Primer [1]

  6. Current SCADA systems. Figure adopted from “Defcon 2011” [7]

  7. WHERE SCADA Systems are used?

  8. SCADA System categories • SCADA systems can be broadly classified into three categories/generations [6]: • 1. Monolithic: independent stand-alone systems. This is what EC engineers refer to. • 2. Distributed: connected in a LAN for real-time information sharing. • 3. Networked: connected with other networks and the Internet. This is what we refer to.

  9. Problem Description • SCADA systems were not designed with security in mind. Analogy: the security, functionality and ease-of-use triangle. • Bears more importance than other information systems. • Legacy protocols like Modbus are now wrapped with TCP/IP functionality. Modern SCADA systems are connected to the network of networks, i.e. the INTERNET. • Little tampering with such systems can even cause LOSS OF LIFE and other casualties. • Do you remember the Al-Qaeda attack? And the recent STUXNET worm?

  10. Problem Description • Much research has been carried out to detect network attacks from external networks, but what about the network attacks which take place within the secured periphery of such systems? • Such attacks (called "insider attacks") are also of paramount importance and must be considered.

  11. Problem Description Survey conducted by SANS Institute in Feb. 2013

  12. Background And Motivation • BACKGROUND • SCADA systems, being Critical Infrastructure Systems, are prime targets. • Cyber terrorists, hackers and state-sponsored attacks by professionals. • Al-Qaeda attack [2], Siberian pipeline explosion [3], Iran's nuclear plant (STUXNET) worm [3], Commonwealth Games (CWG) [4] and many such attacks. • Motivation • Designed to be fail-safe systems [5], with no security in mind at that time. • In critical infrastructure systems, if network attacks can be detected, casualties can to a large extent be prevented, which is better for society as a whole.

  13. Aim, Objectives and Scope of work • AIM ?? • OBJECTIVES ?? • SCOPE OF WORK ??

  14. Literature Survey: HOW are SCADA systems different? Table adopted from [10]

  15. Literature Survey: Issues to consider in SCADA systems [11] • How to audit and what to audit? • Patching SCADA systems is not so easy. • Knowledge gap between SCADA personnel and IT engineers.

  16. Modbus TCP/IP Protocol and its Structure [9] • Modbus Suite • Developed in 1979 by Modicon. • Free and open source and widely used. • The Modbus protocol suite is popularly used in the oil and gas [8] sectors. The suite is further broken into two main versions: • Modbus Serial • Modbus TCP • Each protocol provides unicast and multicast functionality.

  17. Modbus Protocol • Fn Code: 1–127; Data: sub-function codes and instructions for registers to read/write; Error Check: uses CRC. Figure adopted from "Defcon" 2011

  18. Modbus TCP Protocol Modbus TCP frame structure (figure from [9])

  19. Function And Sub-Function Codes Figure adopted from modbus.org [Dt. 29/11/2013]

  20. Modbus TCP Protocol Comm. Stack Figure of Modbus TCP/IP Communication Stack (from [9])

  21. Modbus TCP/IP Packet Figure of Simple Modbus TCP/IP Packet Captured From Wireshark

  22. Modbus TCP/IP Protocol Vulnerabilities • Lack of authentication, so there is no way to find out who sent a Modbus packet. • No way to verify the integrity of a Modbus TCP/IP message. • Unencrypted communication. • Moreover, the payload content is visible within the protocol as plain hex.

  23. CIA Triad: Confidentiality has less impact • Confidentiality • Integrity • Availability Typical business systems deal with the C-I-A triad, but SCADA systems prioritise the I-A-C triad [11].

  24. Typical attack scenario Figure adopted from IEEE Conference, Mumbai 19th OCT. 2013 [13]

  25. HOW can the security posture of a SCADA network be improved? • Improvement in the protocol • Follow defense in depth for securing the SCADA network • Stable standards • An intrusion detection system which detects network attacks efficiently.

  26. Accurate Modeling of Modbus TCP/IP for Intrusion Detection in SCADA Systems (Jan. 2013), Tel Aviv University [Paper 1] • Functional Description: • Based on the fact that Modbus traffic to and from HMI-PLC is highly periodic. • The authors model each HMI-PLC channel by its unique characteristics. The NIDS is based on an anomaly-based detection method. • Sensitive in nature. • Towards Periodicity Based Anomaly Detection in SCADA Networks [24] (IEEE, 2012) [Paper 2] • Functional Description: • Intrusion detection is based on the fact that the traffic between HMI and PLC is highly periodic due to the polling mechanism. • Proposes an approach that exploits traffic periodicity to detect anomalies, which represent potential intrusion attempts.

  27. HMI-PLC1 Network Traffic Graph (Packets Vs Time) HMI-PLC2 Network Traffic Graph (Packets Vs Time)

  28. Cons: PAPER 1 and PAPER 2 • Both papers are based only on the polled communication mechanism of HMI-PLC SCADA systems. What if an interrupt-based SCADA system is used? • Paper 1 models every HMI-PLC channel's traffic and proposes an anomaly-based NIDS. But we know that an anomaly-based NIDS has a high possibility of FALSE POSITIVES. • As the anomaly behaviour is based solely on traffic periodicity, any attacker who follows the traffic periodicity may inject malicious Modbus packets undetected.

  29. On SCADA Control System Command and Response Injection and Intrusion Detection [22] (IEEE, 2012) [PAPER 3] • Functional Description: • A set of command injection, data injection and denial-of-service attacks is used as features of attack traffic to train an intrusion detection system forming a neural network. • Normal traffic is collected to establish a baseline and detect anomalies. • CONS: • Only a few types of attacks are used to check its effectiveness. • Modbus/DNP3 State-Based Filtering System [21] (IEEE, 2010) [PAPER 4] • Functional Description: • The system aims to detect attacks composed of a set of "SCADA" commands. • The proposed IDS can detect complex attacks based on the "to be" state of the system. • Example of a critical state: PLC1.C23 = 0 and PLC2.C17 -> ALERT

  30. Proposed Solution • Here, we propose an efficient solution to detect network attacks both within the internal periphery and from the external network, which makes use of a Sequencing and Directional Analysis (SADA) module and a Deep Packet Analysis and White Listing Module (DPAWM). • It is divided into five phases: • Capture raw network traffic. • Filter SCADA-specific traffic. • SCADA protocol analyzer. • Analysis of captured traffic (three modules: SADA, DPAWM and CSDM). • Notification generation and alerting.

  31. How is my proposed solution different? • My proposed solution has a layered approach to detect network attacks/intrusions in a SCADA network. WHY??? • The proposed solution makes use of a WHITELIST-signature-BASED NIDS. WHY??? • Identified more than 20 (22 to be precise) whitelist signatures for attack detection. • Deep packet analysis is done (thanks to SCAPY), so it prevents the TCP VETO attack. • Based on my research, the proposed NIDS may also be used for commercial purposes.

  32. Experiments: • REPLAY ATTACK • Primary application: Modbus Poll Master from http://www.modbustools.com • Works on the Modbus TCP/IP protocol. • Freeware application used to understand the working of the Modbus TCP/IP protocol. • Built to the Modbus TCP/IP specification. • Utilities used to perform the experiment: Modbus Poll Master, Modbus Slave, Wireshark, VMware Workstation, Colasoft Packet Builder, Playcap and packit. • DENIAL-OF-SERVICE ATTACK • The experiment was done to check a denial-of-service attack using the tool modscan, available at https://code.google.com/p/modscan

  33. Implementation Details: Implementation Environment:

  34. Network Design (External and Internal)

  35. Static Interfaces for Gateway Firewall External Internal

  36. ARP-Static binding to prevent MITM Static ARP Binding at Gateway Firewall

  37. SCADA Internal Network Scenario

  38. Modbus Poll (HMI-PLC1 and HMI-PLC2)

  39. Web-based One Click Gateway Firewall

  40. SCADA Protocol Analyzer (PSEUDO CODE)
      Result = 0                          [result flag, checked at the end]
      pkts = sniff(count=500)             [sniff 500 real-time packets in PROMISCUOUS mode]
      protocol_analyser(pkts):            [protocol analyzer module]
          for each packet in pkts (in real time):
              proto_legitimate = 0        [flag for a legitimately formed protocol packet]
              compare the packet with the predefined conditions
              if any condition fails: proto_legitimate = 1
              if proto_legitimate == 1:   [the protocol frame is not crafted properly]
                  LOG that packet to the Blacklisting Signature Database
                  Result = Result + 1
                  raise an ALERT

  41. if Result > 0:
          do not process further modules
          exit
      else:
          process further modules
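The frame structure of slide 18 and the analyzer loop of slides 40-41, carried out in working Python as an added example (this is not the dissertation's SCAPY-based code). The "predefined conditions" are assumed to be the MBAP header checks: protocol identifier 0, length field consistent with the bytes present, and function code in the 1-127 range from slide 17. The sample ADUs are constructed byte strings, not captures from the testbed.

```python
import struct

# Constructed Modbus/TCP ADUs (MBAP header + PDU), labelled by what they test.
SAMPLES = {
    "read_coils_ok":    bytes.fromhex("0001 0000 0006 01 01 0000 000a"),
    "bad_protocol_id":  bytes.fromhex("0002 0001 0006 01 03 0000 0002"),
    "length_mismatch":  bytes.fromhex("0003 0000 0020 01 03 0000 0002"),
    "reserved_fn_code": bytes.fromhex("0004 0000 0006 01 80 0000 0002"),
    "truncated_header": bytes.fromhex("0005 0000"),
}

def parse_mbap(adu: bytes) -> dict:
    """Split an ADU into MBAP fields (tid, pid, length, unit id) and the PDU."""
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", adu[:7])
    return {"tid": tid, "pid": pid, "length": length, "uid": uid,
            "fn": adu[7], "data": adu[8:]}

def check_packet(adu: bytes) -> list:
    """Return the conditions this packet violates; an empty list means legitimate."""
    try:
        f = parse_mbap(adu)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if f["pid"] != 0:
        problems.append(f"protocol id {f['pid']} != 0")
    # The MBAP length field counts unit id + function code + data bytes.
    if f["length"] != len(adu) - 6:
        problems.append(f"length field {f['length']} != {len(adu) - 6} bytes present")
    if not 1 <= f["fn"] <= 127:
        problems.append(f"function code {f['fn']} outside 1-127")
    return problems

def protocol_analyser(pkts: dict) -> tuple:
    """Slide 40 loop: count malformed packets (Result) and log them for alerting."""
    result, blacklist = 0, []
    for name, adu in pkts.items():
        problems = check_packet(adu)
        if problems:                         # proto_legitimate == 1
            result += 1
            blacklist.append((name, problems))  # LOG to blacklist signature DB
    return result, blacklist

if __name__ == "__main__":
    result, alerts = protocol_analyser(SAMPLES)
    for name, why in alerts:
        print(f"ALERT {name}: {'; '.join(why)}")
    # Slide 41: further modules run only when Result == 0.
    print("further modules:", "skipped" if result > 0 else "processed")
```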

  42. SCADA Protocol Analyzer Snapshot of Anomalies Found for Malicious Modbus Packet
