Nilufer Tuptuk and Stephen Hailes, University College London (slide transcript)
Securing Industrial & Manufacturing Control
Systems
Nilufer Tuptuk and Stephen Hailes
University College London
Factory 2050
Computer-Integrated Manufacturing (CIM)

Level 5, Enterprise Level: WANs; Workstations
Level 4, Plant Management Level: LANs; Workstations, Servers
Level 3, Supervisory Level: Ethernet, TCP/IP, EtherNet/IP, ModBus/TCP; Workstations, PC
Level 2, Cell Control Level (Fieldbus): Profibus, WorldFip, LonWorks, ControlNet, BACnet, IECFieldbus; PLC, CNC, PC
Level 1, Sensor-Actuator Level (Fieldbus): CAN, DeviceNet, BitBus, ProfiBus DP, HART, P-Net, InterBus, Sercos III, Seriplex; Sensors, actuators
Enterprise IT Security vs ICS Security

Enterprise Security (Confidentiality, Integrity, Authentication)
• Years of experience
• Good understanding of threats
• Frequent patching
• Multiple credentials, 2-factor passwords, SSO

ICS Security (Confidentiality, Integrity, Availability)
• Run by plant engineers, not IT
• Lack of security knowledge
• Lack of communication
• Heavy vendor compliance, but reliance on COTS
• Legacy systems & devices
• Short default passwords
• Poor understanding of threats, and increasing networking
• Infrequent patching
Cyber-Physical Systems
Interdependence between different processes
Spanning different infrastructures
Large, smart, heterogeneous, complex, distributed control
Autonomous nodes
Real-time information propagation
Susceptible to cascading failures
Propagation of such failures
Impact on the overall systems and business
Security and Privacy
More vulnerabilities
More connections
• 736 million connected things will be in use in 2015, a 30% rise from 2014 (Gartner, Inc.). Top 3 sectors: manufacturing, utilities and transportation.
• By 2020 this number is expected to reach 1.7 billion. Top 3 sectors: utilities, manufacturing, and government.
• Germany: by 2020 more than 80% of German industry will have digitised its supply chain (the current rate is 20%).
Threats (2014)
Source: "Internet Security Threat Report," Symantec Corporation, 2014
Figures: attack statistics from hackmageddon.com
Estonia: Cyber Attack (2007)
Motivation: Disagreement with Russia on the movement of the Bronze Soldier of Tallinn
Attack: A series of attacks, mainly Distributed Denial of Service attacks
Consequences: Lasted 3 weeks. Government infrastructure, Internet service providers, banks, media and telecommunication companies were taken down.
Maroochy: Water Services Breach (2000)
Motivation: Revenge (insider: disgruntled ex-employee)
Attack: Attack on SCADA control systems
• Insecure radio communication between control centre and pumping stations
• No SCADA system security
• Using insecure radio communication & a stolen SCADA configuration program to impersonate a legitimate machine and reconfigure pumping stations
Consequences:
• "Marine life died, the creek water turned black and the stench was unbearable for residents" (Australian Environmental Protection Agency)
• 800,000 litres of raw sewage released into the environment
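The Maroochy breach worked because a pumping station would act on any radio frame that looked like it came from the control centre. The following is an added example (not from these slides or the Maroochy system) of the minimal check that defeats that: each command carries an HMAC under a per-station key and a monotonic sequence number, so a forged frame fails verification and a captured genuine frame cannot be replayed. The key, frame layout and pump identifiers are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Shared secret between control centre and one pumping station (constructed
# demo value; in practice provisioned per station, never a short default).
STATION_KEY = b"constructed-demo-key-for-pump-station-07"

BODY_FMT = ">IHH"          # seq (uint32) | pump_id (uint16) | setpoint (uint16)
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = hashlib.sha256().digest_size

def build_command(key, seq, pump_id, setpoint):
    """Frame a reconfiguration command as body || HMAC-SHA256(key, body).
    seq is a counter the sender increments per command, so a captured
    frame cannot simply be transmitted again later."""
    body = struct.pack(BODY_FMT, seq, pump_id, setpoint)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class StationReceiver:
    """Verifier at the pumping station: a frame is acted on only if its tag is
    valid under the shared key and its sequence number moves forward."""
    def __init__(self, key):
        self.key = key
        self.last_seq = 0

    def accept(self, frame):
        """Return (pump_id, setpoint) for a genuine, fresh frame, else None."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # forged or altered frame
            return None
        seq, pump_id, setpoint = struct.unpack(BODY_FMT, body)
        if seq <= self.last_seq:                     # replay of an old frame
            return None
        self.last_seq = seq
        return pump_id, setpoint

if __name__ == "__main__":
    rx = StationReceiver(STATION_KEY)
    genuine = build_command(STATION_KEY, 1, 7, 1200)
    print(rx.accept(genuine))                        # (7, 1200)
    print(rx.accept(genuine))                        # None: replayed
    forged = build_command(b"attacker-guess", 2, 7, 0)
    print(rx.accept(forged))                         # None: wrong key
```

The sequence counter must survive station reboots (stored in non-volatile memory), otherwise an old frame becomes valid again after a restart.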
Germany: Steel Plant (Dec 2014)
Motivation: Sabotage
Attack (details unknown):
• Spear-phishing techniques
• Zero-day vulnerabilities
• Escalated privileges (corporate network to production components)
Consequences:
• Brought the blast furnace under their control
• Massive damage
Stuxnet
Infection technique
• Including a PLC rootkit: hides the file copies made to drives, preventing the user from noticing the infection before sharing the drive
• Targeting SIEMENS SCADA: targets only SIEMENS SCADA, under Windows and running WinCC/Step-7 software
• Subverting SIMATIC WinCC: sends malicious SQL code to the WinCC database for execution; modifies views by adding code
Attack strategy
• Drive frequency changes (1410 Hz, 2 Hz, 1064 Hz): changing motor speed
• Monitoring Profibus: identify the targeted module; communication with motor drives
• "Man-in-the-Middle" attack: fake industrial process control sensor signals, avoiding shutdown due to abnormal behaviour
Based on source: Symantec Corporation, 2011
Lifecycle of the Stuxnet Attack
Pre-Entry
• Define objectives
• Acquire skills and tools
• Design & Implement
• Testing
Entry (Initial Infection)
• Insiders
• Social Engineering
• Drive-by-download
Propagation
• Internal Network Reconnaissance
• Escalate Privileges
Updates
• Peer to Peer Communication
• C&C Server
Operation
• Data Exfiltration
• Sabotage
Clean-Up
• Cover Tracks
• Remain Undetected
Attacks on Industrial Control Networks
• Target Selection
- Not Random
- Clear objectives (Network, Process, System, Data, People,
Environment)
• Motivation
- Exfiltration
- Sabotage
- Extortion (halt the system & ransom)?
• Organisation
- Different sets of skills, insiders, coordinated groups
- Government agencies
• Effort (Research and Preparation)
- System Infrastructure, people, behaviour, manuals, key
certificates
• Length of the attack
- Short-term to Long-term
Challenges
Trust/key establishment
Secure community management
Privacy
Policy specification (from formal languages to HCI aspects to management)
Power awareness
Integrity
Assurance of middleware/components
Secure control loops
Perimeter devices in an open environment
Secure routing
Secure handoff (at many levels – network + service)
Intrusion Detection – (who responds?, honeypots??)
(For sensor nets) Secure data aggregation
Monitoring of neighbouring devices
New worms/viruses/spam(?)
Feature interaction
Standardisation: interoperable solutions
Education
Economics
Opportunities
There are considerable benefits to be had from intelligence in embedded systems. But more embedded intelligence, more autonomy and more communication required to optimise some process =>
• more opportunities for compromise
• more difficulty in understanding whether a system is behaving 'as expected': can you guarantee system stability in the presence of attack?
It is vital that we address the security aspects of this, but it's hard enough to do security in more controlled environments.
Use 'intelligent' techniques to explore how to attack such systems:
• over time
• which nodes/comms to compromise to have greatest effect
and use this to co-evolve defence.
Conclusion
Security is a complex process, not an end product.
Need to be proactive:
• Threat identification: new technologies, new threats
• Looking for new attack vectors and new attacks
• Evidence-based security (not just for protection, for forensic analysis too)
• Get a handle on the costs
Collaboration between industry and researchers:
• Closing the gaps between control engineers & security engineers
• Not adding security as an afterthought (again)
• Sharing information about incidents
• Educating the next generation, adapting response
Covert Channels
• Modulating transmission power
  - Impacts the RSSI (Received Signal Strength Indicator) or LQI (Link Quality Indicator) signal at the receiver
• Modulating sensor data
  - In a way that can be seen in the encrypted form of that data
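The transmission-power channel above leaves a trace exactly where the slides say it does: in the per-packet RSSI or LQI seen by any neighbour. As an added example (not from the slides), the detector below implements the "monitoring of neighbouring devices" idea from the Challenges slide: it flags a neighbour whose link-quality readings step abruptly between levels far more often than radio noise on a static link would. The 4 dB step threshold, the 20% rate limit and the two RSSI series are constructed assumptions for the demo and would be tuned per deployment.

```python
def jump_rate(samples, jump_db):
    """Fraction of consecutive readings that differ by at least jump_db.
    On a healthy, static link RSSI drifts slowly, so this stays low; a
    transmitter toggling its power level produces frequent large steps."""
    if len(samples) < 2:
        return 0.0
    jumps = sum(1 for a, b in zip(samples, samples[1:]) if abs(b - a) >= jump_db)
    return jumps / (len(samples) - 1)

def flag_power_modulation(samples, jump_db=4, max_rate=0.2):
    """True if the per-packet link-quality series (RSSI or LQI) from one
    neighbour shows more abrupt level changes than noise alone explains.
    Thresholds are assumed demo values."""
    return jump_rate(samples, jump_db) > max_rate

# Constructed per-packet RSSI (dBm) series for two neighbouring nodes:
# node-A is a static link with +/-1 dB noise; node-B keeps stepping
# between two levels 6 dB apart.
NORMAL_NODE = [-61, -60, -61, -62, -60, -61, -61, -60, -62, -61,
               -60, -61, -61, -62, -61, -60, -61, -61, -60, -61]
SUSPECT_NODE = [-61, -55, -55, -61, -55, -61, -61, -55, -55, -61,
                -55, -61, -55, -55, -61, -61, -55, -61, -55, -61]

def audit(neighbours):
    """Map node name -> flag, as a neighbour-monitoring node would report."""
    return {name: flag_power_modulation(series)
            for name, series in neighbours.items()}

if __name__ == "__main__":
    print(audit({"node-A": NORMAL_NODE, "node-B": SUSPECT_NODE}))
```

Genuine mobility or a neighbour changing its power for legitimate link adaptation also raises the rate, so the flag is a prompt for investigation rather than proof of a channel.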