
A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection

A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection. I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta. Joint Research Centre (JRC) The European Commission’s Research-Based Policy Support Organisation Insubria University.





Presentation Transcript


  1. A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection. I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta. Joint Research Centre (JRC), The European Commission’s Research-Based Policy Support Organisation; Insubria University.

  2. Consequences of pervasive ICT in Critical Infrastructures
     Today most critical infrastructures depend heavily on the underlying communication networks.
     Diagram labels: Supervisory Control and Data Acquisition (SCADA), Public Network.
     • New Vulnerabilities
     • New Attack Scenarios
     • New Risks

  3. An Example: The ModBUS frame
     • ModBUS serial frame (RS232, RS422/485): 253 bytes (PDU) + 1 byte (sl. ADDR) + 2 bytes (CRC) = 256 bytes max ADU
     • ModBUS TCP/IP frame: 253 bytes (PDU) + 7 bytes (MBAP) = 260 bytes max ADU
     • MBAP Header: Transaction Identifier, Protocol Identifier, Length, Unit Identifier
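As an added illustration of the two frame layouts on this slide (not code from the presentation), the following Python builds and parses Modbus/TCP ADUs and Modbus serial (RTU) frames while enforcing the 253-byte PDU, 260-byte TCP ADU and 256-byte serial ADU limits; the CRC-16/MODBUS routine and the sample Read Holding Registers request are constructed here.

```python
import struct

MAX_PDU = 253                  # Modbus PDU limit from the slide
MAX_ADU_TCP = MAX_PDU + 7      # 7-byte MBAP header -> 260 bytes
MAX_ADU_SERIAL = MAX_PDU + 3   # 1-byte slave address + 2-byte CRC -> 256 bytes

def parse_mbap(adu):
    """Split a Modbus/TCP ADU into MBAP fields and PDU; reject frames that break the limits."""
    if not 8 <= len(adu) <= MAX_ADU_TCP:          # MBAP plus at least a function code
        raise ValueError(f"ADU length {len(adu)} outside 8..{MAX_ADU_TCP}")
    tid, pid, length, uid = struct.unpack(">HHHB", adu[:7])
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(adu) - 6:                    # length covers unit id + PDU
        raise ValueError("MBAP length field disagrees with the frame size")
    pdu = adu[7:]
    return {"transaction_id": tid, "protocol_id": pid, "length": length,
            "unit_id": uid, "function": pdu[0], "data": pdu[1:]}

def build_tcp(tid, uid, pdu):
    """Wrap a PDU in an MBAP header (protocol id 0, length = unit id byte + PDU)."""
    if len(pdu) > MAX_PDU:
        raise ValueError("PDU longer than 253 bytes")
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu

def crc16_modbus(data):
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def parse_serial(frame):
    """Split a Modbus serial (RTU) frame: address + PDU + little-endian CRC."""
    if not 4 <= len(frame) <= MAX_ADU_SERIAL:
        raise ValueError(f"frame length {len(frame)} outside 4..{MAX_ADU_SERIAL}")
    if struct.unpack("<H", frame[-2:])[0] != crc16_modbus(frame[:-2]):
        raise ValueError("CRC mismatch")
    return {"address": frame[0], "function": frame[1], "data": frame[2:-2]}

# Constructed sample: Read Holding Registers (function 0x03), start address 0, quantity 2
SAMPLE_PDU = bytes([0x03, 0x00, 0x00, 0x00, 0x02])
SAMPLE_TCP = build_tcp(0x0001, 0x11, SAMPLE_PDU)
SAMPLE_SERIAL = bytes([0x01]) + SAMPLE_PDU
SAMPLE_SERIAL += struct.pack("<H", crc16_modbus(SAMPLE_SERIAL))
```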

  4. SCADA Protocols Vulnerabilities
     Properties at stake: …authentication… …integrity… …freshness…
     • Unauthorized Command Execution
     • Man-in-the-Middle
     • Replay attacks
     • Repudiation

  5. Secure Modbus Prototype
     • Time-stamp
     • SHA2 digest (256 bit)
     • RSA signature on the SHA2 digest
     Figure: the ModBUS TCP/IP frame is extended to TS | MBAP | Function | Data | SHA2 (E-Modbus); the E-Modbus frame signed with pKM gives the S-Modbus packet.

  6. Considerations • A secure protocol does not protect from the corruption of the traffic originator, i.e. the Master…

  7. K-Survivable SCADA Architecture
     • Attacks: Unauth. Com. Exec.; Replay Attack; Master infection; Master-FU infection
     • Solutions: Signature; Secure ModBUS; Filtering Unit; Multiple FU (different architectures; OS: Linux, Windows)
     Figure labels: ModBUS TCP/IP frame (TS | MBAP | Function | Data), Scada FW, Master, FU, Slave, Attacker; messages {TS|ModBUS}PKm, {{TS|ModBUS}PKm}PKf, {data}PKm, {{{TS|ModBUS}PKm}PKt}SKt, {{{TS|ModBUS}PKm}SKm
     Legend: PKm = Private Key Master; SKm = Public key Master; TS = Time Stamp; FU = Filtering Unit; PKf = Private key FU; SKf = Public key FU

  8. ...Problem...
     Locally licit commands put the system into a critical state.
     Figure: commands Close V1 (PLC1, PKT(###)), Open V2 (PLC2), Close V3 (PLC3); rules R1: PKT(###), R2: PKT(#@!), R3: PKT(^&%); Filtering Cloud; Alert!

  9. …but…
     Figure: Industrial World (Safety Analysis) vs. ICT World (ICT Signature based IDS)

  10. State Based Approach (1) • SCADA System Representation

  11. State Based Approach (3)
      • Critical State Representation
        IF ( PLC[ 10.0.0.1 ].HR[1] < 20 AND PLC[ 10.0.0.2 ].HR[2] > 70 ) THEN “The system is in a critical state”

  12. State Based Filter Architecture

  13. Loader: Virtual System Loader

  14. Loader: Critical State Rules Loader
      • IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND ( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT
      Figure: the rule parsed into a tree whose leaf conditions PLC[10.0.0.1].HR[1] > 70, PLC[10.0.0.1].HR[2] < 20, PLC[10.0.0.2].CO[0] = 0 and PLC[10.0.0.2].CO[1] = 1 are joined by OR, AND, OR and NOT nodes.

  15. SVI: Update System Manager Virtual System 1

  16. SVI: Real System Synchronizer
      Figure: Virtual System (before) → Query Field Devices → System Update → Virtual System (after)

  17. Analyzer: Critical State Analyzer
      Virtual System 1
      IF ( PLC[10.0.0.1].CO[1] == 1 ) THEN ALERT
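The following Python is an added example, not the authors' filter code: it compiles critical-state rules written in the notation of slides 11, 14 and 17 into whitelisted Python expressions, mirrors read/write values into a virtual system as the SVI does, and reports which rules fire. The PLC addresses come from the slides; the register values and the helper names are constructed.

```python
import ast
import re

# The slides' rule language: PLC[<ip>].HR[<n>] / PLC[<ip>].CO[<n>] compared with a number
# via < > = ==, combined by AND / OR / NOT and parentheses, inside IF ( ... ) THEN <action>.
# A rule is rewritten into a Python boolean expression and checked against an AST whitelist
# before evaluation, so only register lookups and comparisons can ever run (Python >= 3.9).
REF = re.compile(r"PLC\[\s*([\d.]+)\s*\]\.(HR|CO)\[(\d+)\]")
WORDS = {"AND": "and", "OR": "or", "NOT": "not"}
ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.Compare,
           ast.Lt, ast.Gt, ast.Eq, ast.Subscript, ast.Name, ast.Load, ast.Constant)

def compile_rule(rule):
    """Turn one critical-state rule into a code object; reject anything outside the grammar."""
    body = re.sub(r"^\s*IF\b|\bTHEN\b.*$", "", rule, flags=re.S)      # keep the condition only
    body = REF.sub(lambda m: f'PLC["{m[1]}"]["{m[2]}"][{m[3]}]', body)
    body = re.sub(r"(?<![<>=!])=(?!=)", "==", body)                    # a lone '=' is equality
    body = re.sub(r"\b(AND|OR|NOT)\b", lambda m: WORDS[m[1]], body)
    tree = ast.parse(body.strip(), mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED) or (isinstance(node, ast.Name) and node.id != "PLC"):
            raise ValueError(f"disallowed construct in rule: {type(node).__name__}")
    return compile(tree, "<rule>", "eval")

def is_critical(code, vsys):
    """Analyzer step: evaluate one compiled rule against the virtual system."""
    return bool(eval(code, {"__builtins__": {}}, {"PLC": vsys}))

def sync_and_analyze(vsys, rules, ip, table, start, values):
    """SVI step: mirror the n values of a request/response pair, then report the rules that fire."""
    vsys[ip][table][start:start + len(values)] = values
    return [name for name, code in rules.items() if is_critical(code, vsys)]

# Constructed virtual-system snapshot: PLC addresses from the slides, register values invented.
VSYS = {"10.0.0.1": {"HR": [0, 80, 50], "CO": [0, 0]},
        "10.0.0.2": {"HR": [0, 0, 0], "CO": [1, 1]}}
RULE_11 = 'IF ( PLC[ 10.0.0.1 ].HR[1] < 20 AND PLC[ 10.0.0.2 ].HR[2] > 70 ) THEN "critical state"'
RULE_14 = ("IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND "
           "( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT")
RULES = {"slide11": compile_rule(RULE_11), "slide14": compile_rule(RULE_14)}

if __name__ == "__main__":
    print(sync_and_analyze(VSYS, RULES, "10.0.0.2", "CO", 1, [0]))    # a licit write flips CO[1]
```

The second call in the test below reproduces slide 8: a single licit coil write moves the virtual system into the slide-14 critical state and the analyzer raises the alert.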

  18. The Power system SCADA lab
      Contains:
      • Idrolab (+150 sensors/actuators)
      • Control room
      • 3 SCADA systems
      Hardware and Software:
      • 20 High Performance Servers
      • 150 High End PCs and notebooks
      • 10 Layer 3, 24 ports, gigabit switches
      • 4 High Performance wireless switches
      • 1 Nokia-checkpoint solid state Firewall
      • 4 full network racks
      • 18 km of network cables
      • 300 gigabit network cards
      • A 100 KW cooling system
      • A 100 KW UPS system

  19. JRC SCADA LAB. PLC - RTU Actuators Sensors

  20. Test: Encryption Layer

  21. Test: Packet Loss
      • Master: sends 100,000 request packets of 260 bytes
      • Slave: responds with 100,000 responses of 260 bytes

  22. Test: Single Signature Rules Analyzer
      • Master: sends 1000 requests
      • Slave: responds with 1000 responses
      • Filter: captures the messages and checks whether they are licit, according to a rules file that contains n rules.

  23. Test: Virtual System Update
      • Master: sends 1000 requests with the command “Read n-coils”
      • Slave: responds with 1000 responses containing the n values
      • Filter: captures each request/response transaction and updates the n values in the Virtual System.

  24. Test: Critical State Rules Analyzer (1)
      • Master: sends 1000 generic requests
      • Slave: responds with 1000 responses
      • Filter: captures each request/response transaction, then checks whether the Virtual System is entering a Critical State, according to a rules file that contains only one rule with n conditions.

  25. Test: Critical State Rules Analyzer (2)
      • Master: sends 1000 generic requests
      • Slave: responds with 1000 responses
      • Filter: captures each request/response transaction, then checks whether the Virtual System is entering a Critical State, according to a rules file that contains n rules.

  26. • Thousands of devices to monitor
      • Hundreds of Subsystems
      • Geographically dispersed systems
      • System of Systems
      Impossible to analyze states on a single level

  27. Future Works
      • Abstract Aggregation
      • Critical State Prediction
      • Critical State Prediction based Firewalls
      • Lightweight Cryptographic mechanisms for SCADA protocols
