Securing Industrial & Manufacturing Control Systems Nilufer Tuptuk and Stephen Hailes University College London

Transcript of Nilufer Tuptuk and Stephen Hailes University College London...Targeting SIEMENS SCADA • Targeting...

Page 1: Nilufer Tuptuk and Stephen Hailes University College London...Targeting SIEMENS SCADA • Targeting only SIEMENS SCADA • Under Windows & running WinCC/Step-7 software Subverting

Securing Industrial & Manufacturing Control Systems

Nilufer Tuptuk and Stephen Hailes

University College London

Page 2:

Factory 2050

Computer-Integrated Manufacturing (CIM)

Level 5 (Enterprise Level): workstations; WANs
Level 4 (Plant Management Level): workstations, servers; LANs
Level 3 (Supervisory Level): workstations, PC; Ethernet, TCP/IP, EtherNet/IP, ModBus/TCP
Level 2 (Cell Control Level): PLC, CNC, PC; Profibus, WorldFip, LonWorks, ControlNet, BACnet, IEC Fieldbus
Level 1 (Sensor-Actuator Level): sensors, actuators; Fieldbus: CAN, DeviceNet, BitBus, ProfiBus DP, HART, P-Net, InterBus, Sercos III, Seriplex

Page 3:

Enterprise IT Security vs ICS Security

Enterprise Security: Confidentiality, Integrity, Authentication
• Years of experience
• Good understanding of threats
• Frequent patching
• Multiple credentials, 2-factor passwords, SSO

ICS Security: Confidentiality, Integrity, Availability
• Run by plant engineers, not IT
• Lack of security knowledge
• Lack of communication
• Heavy vendor compliance, but reliance on COTS
• Legacy systems & devices
• Short default passwords
• Poor understanding of threats, and increasing networking
• Infrequent patching

Page 4:

Cyber-Physical Systems

• Interdependence between different processes
• Spanning different infrastructures
• Large, smart, heterogeneous, complex, distributed control
• Autonomous nodes
• Real-time information propagation
• Susceptible to cascading failures
• Propagation of such failures
• Impact on the overall systems and business
• Security and privacy: more vulnerabilities

Page 5:

More connections

• 736 million connected things will be in use in 2015, a 30% rise from 2014 (Gartner, Inc.). Top 3 sectors: manufacturing, utilities and transportation.
• By 2020 this number is expected to reach 1.7 billion. Top 3 sectors: utilities, manufacturing, and government.
• Germany: by 2020 more than 80% of German industry will digitise their supply chain (the current rate is 20%).

Page 6:

Threats (2014)

Source: “Internet Security Threat Report,” Symantec Corporation, 2014

Page 7:

Chart: hackmageddon.com

Page 8:

Chart: hackmageddon.com

Page 9:

Estonia: Cyber Attack (2007)

Motivation: Disagreement with Russia on the movement of the Bronze Soldier of Tallinn

Attack: A series of attacks, mainly Distributed Denial of Service attacks

Consequences: Lasted 3 weeks; government infrastructure, Internet service providers, banks, media and telecommunication companies were taken down

Page 10:

Maroochy: Water Services Breach (2000)

Motivation: Revenge (insider: disgruntled ex-employee)

Attack: Attack on SCADA control systems
• Insecure radio communication between control centre and pumping stations
• No SCADA system security
• Using insecure radio communication & a stolen SCADA configuration program to impersonate a legitimate machine and reconfigure pumping stations

Consequences: “Marine life died, the creek water turned black and the stench was unbearable for residents” (Australian Environmental Protection Agency)
• 800,000 litres of raw sewage released into the environment

Page 11:

Germany: Steel Plant (Dec 2014)

Motivation: Sabotage

Attack (details unknown):
• Spear-phishing techniques
• Zero-day vulnerabilities
• Escalated privileges (corporate network to production components)

Consequences:
• Brought the blast furnace under their control
• Massive damage

Page 12:

Stuxnet

Infection technique
• Including PLC rootkit
• Hides file copies to drives
• Prevents the user noticing the infection before sharing the drive

Targeting SIEMENS SCADA
• Targets only SIEMENS SCADA
• Under Windows & running WinCC/Step-7 software

Subverting SIMATIC WinCC
• Sends malicious SQL code to the WinCC database for execution
• Modifies views by adding code

Attack strategy
• Drive frequency changes: 1410 Hz, 2 Hz, 1064 Hz (changing motor speed)
• Monitoring Profibus: identify the targeted module (communication with motor drives)
• “Man-in-the-Middle” attack: fake industrial process control sensor signals (avoiding shutdown due to abnormal behaviour)

Based on source: Symantec Corporation, 2011
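As an added defender-side illustration (not code from the slides or from Symantec), the Python check below models the cross-checks that would expose the attack strategy above: drive setpoints outside the plant's normal band, operator-facing feedback that stays frozen while the bus-level command moves, and a mismatch between the two. The record layout, the assumed normal band and the sample trace are constructed.

```python
# Added example (not from the slides): offline cross-checks that would expose a
# Stuxnet-style drive manipulation hidden behind replayed sensor feedback.
# Record layout, normal band and sample trace are constructed assumptions.
from dataclasses import dataclass

NORMAL_BAND_HZ = (807.0, 1210.0)  # assumed plant-specific safe band for the drives
FROZEN_CYCLES = 5                 # identical feedback for this many cycles = frozen

@dataclass(frozen=True)
class DriveRecord:
    t: int              # PLC scan cycle
    setpoint_hz: float  # frequency command as seen on a Profibus tap
    feedback: tuple     # (speed_hz, vibration) as displayed to the operator

def out_of_band(records):
    """Cycles where the commanded frequency leaves the normal operating band."""
    lo, hi = NORMAL_BAND_HZ
    return [r.t for r in records if not lo <= r.setpoint_hz <= hi]

def frozen_feedback(records, n=FROZEN_CYCLES):
    """Start cycles of windows whose displayed feedback is identical for n cycles.
    Real sensors carry noise, so a perfectly repeating feed suggests a replay."""
    return [records[i].t for i in range(len(records) - n + 1)
            if len({r.feedback for r in records[i:i + n]}) == 1]

def setpoint_feedback_mismatch(records, tol_hz=25.0):
    """Cycles where the displayed speed disagrees with the command on the bus."""
    return [r.t for r in records if abs(r.feedback[0] - r.setpoint_hz) > tol_hz]

def sample_trace():
    """Constructed trace: 8 normal cycles at 1064 Hz with noisy feedback, then the
    setpoint is pushed to 1410 Hz and later 2 Hz while the operator view keeps
    showing one recorded normal reading (the man-in-the-middle replay)."""
    normal = [DriveRecord(t, 1064.0, (1064.0 + (t % 3) * 0.5, 0.11 + (t % 2) * 0.01))
              for t in range(8)]
    attack = [DriveRecord(8 + k, 1410.0 if k < 4 else 2.0, (1064.5, 0.11))
              for k in range(8)]
    return normal + attack

def analyse(records):
    """Run all three checks; any non-empty list deserves operator attention."""
    return {"out_of_band": out_of_band(records),
            "frozen_feedback": frozen_feedback(records),
            "mismatch": setpoint_feedback_mismatch(records)}

if __name__ == "__main__":
    for name, cycles in analyse(sample_trace()).items():
        print(f"{name}: cycles {cycles}")
```

The point of the third check is that the command is read from an independent tap on the bus rather than from the HMI, so a compromised WinCC/Step-7 host cannot forge both sides of the comparison.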

Page 13:

Lifecycle of the Stuxnet Attack

Pre-Entry
• Define objectives
• Acquire skills and tools
• Design & implement
• Testing

Entry (Initial Infection)
• Insiders
• Social engineering
• Drive-by download

Propagation
• Internal network reconnaissance
• Escalate privileges

Updates
• Peer-to-peer communication
• C&C server

Operation
• Data exfiltration
• Sabotage

Clean-Up
• Cover tracks
• Remain undetected

Page 14:

Shodan

Page 15:

Attacks on Industrial Control Networks

• Target selection
- Not random
- Clear objectives (network, process, system, data, people, environment)
• Motivation
- Exfiltration
- Sabotage
- Extortion (halt the system & ransom)?
• Organisation
- Different sets of skills, insiders, coordinated groups
- Government agencies
• Effort (research and preparation)
- System infrastructure, people, behaviour, manuals, key certificates
• Length of the attack
- Short-term to long-term

Page 16:

Challenges

• Trust/key establishment
• Secure community management
• Privacy
• Policy specification (from formal languages to HCI aspects to management)
• Power awareness
• Integrity
• Assurance of middleware/components
• Secure control loops
• Perimeter devices in an open environment
• Secure routing
• Secure handoff (at many levels – network + service)
• Intrusion detection (who responds? honeypots?)
• (For sensor nets) Secure data aggregation
• Monitoring of neighbouring devices
• New worms/viruses/spam(?)
• Feature interaction
• Standardisation: interoperable solutions
• Education
• Economics

Page 17:

Opportunities

There are considerable benefits to be had from intelligence in embedded systems. But more embedded intelligence, more autonomy, and more communication required to optimise some process =>
• more opportunities for compromise
• more difficulty in understanding whether a system is behaving ‘as expected’ – can you guarantee system stability in the presence of attack?

It is vital that we address the security aspects of this. But it’s hard enough to do security in more controlled environments.

Use ‘intelligent’ techniques to explore how to attack such systems:
• Over time
• Which nodes/comms to compromise to have greatest effect
• And use this to co-evolve defence

Page 18:

Conclusion

Security is a complex process, not an end product.

Need to be proactive:
• Threat identification – new technologies, new threats
• Looking for new attack vectors and new attacks
• Evidence-based security (not just for protection, for forensic analysis too)
• Get a handle on the costs

Collaboration between industry and researchers:
• Closing the gaps between control engineers & security engineers
• Not adding security as an afterthought (again)
• Sharing information about incidents
• Educating the next generation, adapting response

Page 19:

Covert Channels

• Modulating transmission power
- Impacts the RSSI (Received Signal Strength Indicator) or LQI (Link Quality Indicator) signal at the receiver
• Modulating sensor data
- In a way that can be seen in the encrypted form of that data