Post on 10-Mar-2019

Cyber Security Research on Industrial Control Systems

SM Yiu Department of Computer Science

The University of Hong Kong

Cyber-security for industry 4.0 conference 23 June, 2017

Will the following only be seen in movies?

Movies: Cyber Hacking (2015); Italian Job (2003)

IT IS REAL!

(Defcon Hacking conference 2014)

2016 (US): 295 reports of ICS attacks (20%)

- Mar: New York dam (control system accessed)
- April: German nuclear power plant (malware)
- Light-rail system, ...

The purpose of the talk is to raise the awareness of the community on the security issues of ICS.

Key components of an ICS (Guide to Industrial Control System (ICS) Security, NIST, 2015)

Numerous attack points

SCADA – a typical ICS (Guide to Industrial Control System (ICS) Security, NIST, 2015)

PLC (programmable logic controller)

- A small digital computer used for the automation of various electro-mechanical processes in industry.

- Specially designed to survive in harsh conditions

- Programs can be written on a computer and downloaded to the PLC via a communication link (e.g. cable).

- “Hard” real-time system: output is produced in response to input conditions within a limited time.

Are PLCs critical? In what systems are they used?

Yuen Long Sewage Treatment system

Ventilation Control and Monitoring System for Tunnel of subway/railway

(pictures from MTR report)

How easy is it to hack into a PLC?

- PLCs are NOT secure:
  - A PLC has no proper protection built in: no authentication and no encryption for the communication protocol.
  - A PLC can be discovered by packet sniffing.

Lift system testbed (diagram labels):

- Touch panel for floor selection: a touch panel to control the lift
- The PLC that controls the lift system
- Sensor to detect the current floor
- Switch that connects the PLC and touch panel

Attack on the Lift System

Hacker: connects to the PLC and controls the lift directly. NO authentication.

Q: Some engineers feel that it is not easy to connect to it because it is a “closed” system, do you agree?

Network capability

Five attacks (4 with demos)

1. DoS attack
   - 100 MB/s is already enough to prevent the PLC from receiving any valid commands.
   - No advanced hacking knowledge needed: packet generation programs are freely available on the Internet.

2. Command injection attack
   - We connect to the PLC directly and generate random commands to the PLC.
   - A little bit more knowledge needed: replay attack!

3. Control the lift
   - Having taken control of the PLC, the attacker can order the lift to whatever level.
   - Requires understanding the commands sent from the touch panel to the PLC.

4. Manipulate the sensor values
   - Actively modify the sensor values.
   - More knowledge needed about the sensor variables stored in the PLC.

5. Time bomb: hack the traffic lights
   - Build a time bomb that turns both the car and pedestrian lights green at the same time, once in a while.

Again, a real case in US (Dec 2015).

They examined the traffic light and performed forensic analysis on the PLC...

Surprisingly...

Event/log                             Date/time
Program last modified                 Dec 08 2015 3:05pm
Program last compiled                 Dec 08 2015 5:46pm
Program last uploaded (by engineer)   Dec 08 2015 5:46pm
Program last uploaded (by ????)       Dec 26 2015 4:18am
Accident                              Dec 26 2015 pm

What can we do? (Our research directions besides attacks)

- Build a protection layer
  * Difficulty: low processing power and limited memory/buffer of the PLC.

- Add in a forensic module
  * For detection and investigation.

Building a protection layer

(i) E.g. firewall

(ii) Light-weight detection module inside the PLC.

Remark: We also have some interesting methods for doing forensics (e.g. how to log events with limited buffers/power).
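As an added defensive illustration (not code from the talk or the HKU group), the Python below sketches the two ideas on this slide: a fixed-size event buffer for forensics on a memory-constrained PLC, and a lightweight check that flags a program upload from a host that is not on the engineering allow-list or that happens outside maintenance hours, run over constructed events modelled on the traffic-light timeline above. The host names, the 08:00-18:00 maintenance window and the event format are assumptions.

```python
from collections import deque
from datetime import datetime, time

# Constructed sample events, modelled on the forensic timeline in the talk
# (hypothetical host names; not data from the real case).
SAMPLE_EVENTS = [
    ("2015-12-08 15:05", "program_modified", "engineer_ws"),
    ("2015-12-08 17:46", "program_compiled", "engineer_ws"),
    ("2015-12-08 17:46", "program_upload", "engineer_ws"),
    ("2015-12-26 04:18", "program_upload", "unknown_host"),
]


class PlcEventMonitor:
    """Bounded event log plus a check on program uploads.
    The log is a ring buffer: when full, the oldest entry is dropped so the
    module stays within a fixed memory budget."""

    def __init__(self, capacity=64, trusted=("engineer_ws",),
                 window=(time(8, 0), time(18, 0))):
        self.log = deque(maxlen=capacity)
        self.trusted = set(trusted)        # hosts allowed to change the program
        self.window = window               # maintenance hours (local time)
        self.alerts = []

    def record(self, ts, kind, source):
        """Store one event; flag program uploads that look unauthorised."""
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        self.log.append((when, kind, source))
        if kind != "program_upload":
            return None
        reasons = []
        if source not in self.trusted:
            reasons.append("untrusted source")
        start, end = self.window
        if not start <= when.time() <= end:
            reasons.append("outside maintenance window")
        if reasons:
            self.alerts.append((ts, source, reasons))
        return reasons


def run(events=SAMPLE_EVENTS, capacity=64):
    """Feed the events through a monitor and return (alerts, entries kept)."""
    monitor = PlcEventMonitor(capacity=capacity)
    for event in events:
        monitor.record(*event)
    return monitor.alerts, len(monitor.log)
```

On the sample timeline only the 4:18am upload from the unlisted host is flagged, while the engineer's daytime upload passes; a smaller capacity shows the ring buffer keeping only the newest entries.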

Acknowledgements

Thank you

Dr. KP Chow, leader of our research group

Our talented research students/engineers:
- Raymond Chan *
- Chun Fai Chan, Ken Yau
- Han Yu, Bo Zhang, Yuan Zhang

Our partner: Cisco

** We are more than willing to collaborate with industry for related R&D problems **

Alex Choy, PolyU