Attacking IEC-60870-5-104 SCADA Systems P. Radoglou-Grammatikis, P. . Sari Sarigiannid idis*, I. Giannoulakis, E. Kafetzakis and E. Panaousis University of Western Macedonia, Eight Bells Ltd, University of Surrey The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
Introduction • The heterogeneous nature of SG creates severe security issues • SCADA systems are the most vulnerable elements of SG due to their insecure industrial communication protocols like Modbus, DNP3, IEC-104, etc. • IEC 60870-5-104 (IEC-104) protocol is utilized widely in Europe and characterized by severe security flaws • Threat model for SCADA systems based on Control Petri Net (CPN) • Emulating and evaluating the risk level four cyberattacks against IEC-104 • This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR) The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
Related Work Ano Anomaly-based IDS DS for or IEC-104 104, private dataset, ARP E. Hodo et al. attacks, DoS attacks and Replay attacks, WEKA, Many Anomaly detection for simulated algorithms: Naïve Bayes, Ibk, J48, Random Forest, OneR, iec-60870-5-104 traffic RandomTree and DecisionTable Sign Signature an and sp spec ecifi fication rul ules s for or IEC-104, Snort IDS, unauthorized read commands, unauthorized reset commands, Y. Yang et al. Intrusion detection system for iec unauthorized remote control, spontaneous packet storms, 60870-5-104 based scada buffer overflows networks The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
Sp Specif ific ication-based IDS DS for or IEC-104 104, Finite Y. Yang et al. State Machines (FSM), ITACA software, Stateful intrusion detection for iec 60870-5-104 scada security TPR=100%, FPR=0% Mac achin ine lear learning ba base sed an anomaly ly de detection for or S. Anton et al. Evaluation of machine learning-based Mod odbus, Lemay and Fernadez dataset, SVM, KNN, anomaly detection algorithms on an Random Forest, K-means industrial modbus/tcp data set Sp Specif ific ication-based IDS DS for or IEC 61 61850, GOOSE and J. Hong et al. SVM protocols, DoS Attacks, Replay attacks, Detection of cyber intrusions using network-based multicast messages for Wireshark, Nmap, Colasoft Packet Builder, FPR = substation automation 1.61 x 10^-4 The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
Smart Grid Overview The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
SCADA Systems Human Machine Interface (HMI) Logic Controllers Software package with graphics Programmable Logic Controller (PLC), capabilities through which the Remote Terminal Unit (RTU) are system operator can monitor the mainly responsible for collecting data processes of the SCADA system.. from the measuring instruments, detecting abnormal behaviors and activating or deactivating technical components. Industrial Protocols Modbus, Distributed Network Master Terminal Unit (MTU) Protocol (DNP3), IEC 61850, IEC hardware device that represents all 60870- 5 do not include the received data from the logic authentication and authorization controllers to the operator of the mechanisms. Therefore, they are SCADA system. vulnerable to various cyberattacks. The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
IEC-104 Security • IEC-104 is based on the TCP/IP which exhibits a number of security issues • The data at the application layer is transmitted without integrating encryption mechanisms, thus making it possible the execution of traffic analysis and MiTM attacks • Many commands of the protocol, such as reset command, interrogation commands, read commands, etc. do not integrate authentication mechanisms, thereby resulting in unauthorized access • Based on these vulnerabilities, a cyber attacker possesses the ability to control PLCs and possibly, the overall operation of an automation substation • Although the IEC 62351 provides solutions that enhance the security of IEC-104, the industrial nature of the SCADA systems hinders their immediate upgrade
Coloured Petri Nets Token Colour 1 Place A yellow triangle which denotes the An elliptical node which usually power flows transmitted by the Power denotes a device or component Supply to the other components of sending data to another device (or PLC. component). Transition Token Colour 2 A rectangular and intermediate node A blue circle which implies the data between the Connection of two flows exchanged by the various Places, where Connection is depicted components and systems. by a directed arrow. Token Token Colour 3 S black circle denotes the type of An orange square which denotes information transmitted between two the command flows. Places. The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
SCADA as CPN The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
SCADA as CPN Transition No Flow Type Source Place Destination Place Transition Description 1 Power Supply Flow Power Supply Processor The power supply component provides power to the processor 2 Power Supply Flow Power Supply Input Modules The power supply component provides power to the input modules 3 Power Supply Flow Power Supply Output Modules The power supply component provides power to the output modules 4 Data Flow Input Modules Processor The input modules transmit signals data to the processor 5 Commands Flow Processor Output Modules The processor handles the input signals provided by the input modules and transmits control commands to the output modules 6 Data Flow Processor Memory The processor stores some control data to the memory 7 Data Flow Processor Communication Module The processor passes the control data to the communication module 8 Data Flow Communication Module MTU The control data is sent to MTU via the communication module 9 Data Flow MTU Communication Module The communication module receives control data from the MTU 10 Commands Flow MTU Communication Module The receives control commands from the MTU The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
Threat Modelling Type of Attacks on Power Supply Flows Attacks on Control Data Flows Attacks on Control Command Flows Cyberattacks Transitions 1, 2, 3 4, 6, 7, 8, 9 5, 10 Physical Attacks 1) Physical disruption or malicious 1) Physical disruption or malicious modification of the 1) Physical disruption or malicious modification of the connections 1, 2 and 3. connections 4, 6, 7, 8 and 9. modification of the connections 5 and 10. 2) Physical destruction or malicious 2) Physical destruction or malicious modification of 2) Physical destruction or malicious modification of the Power Supply, Processor, the Processor, Input Modules Output Modules, modification of the Processor, Output Input Modules and Output Modules. Memory, Communication Module and MTU. modules, Communication Module and MTU. 3) Physical malicious programming of the Processor 3) Physical malicious programming of the 4) Physical violation of MTU of the SCADA system Processor 4) Physical violation of MTU of the SCADA system. Cyber attacks 1) Unauthorised access to Processor 1) Unauthorised access to Input Modules 1) Unauthorised access to Processor 2) Unauthorised access to Input Modules 2) Unauthorised access to Processor 2) Unauthorised access to Output Modules 3) Unauthorised access to Output Modules 3) Unauthorised access to Output Modules 3) MiTM attack between Communication 4) MiTM attack between Input Modules and Module and MTU Processor 4) DoS attacks 5) MiTM attack between Output Modules and 5. Traffic Analysis Attack Processor 6) DoS attacks 7) MiTM attack between Communication Module and MTU 8. Traffic Analysis Attack The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
Testbed • PLC – 192.168.1.7 : IEC TestServer emulates a PLC utilizing IEC-104 • MTU – 192.168.1.7 : QTester104 is an HMI for IEC- 104 • Cyberattacker – 192.168.1.9 : Kali Linux is used to perform the four cyberattacks. We expand OpenMUC j60870 in order to perform unauthorized Read (C_RD_NA_1), Reset (C_RP_NA_1) and Counter Interrogation (C_CI_NA_1) commands • AlienVault OSSIM – 192.168.1.99 : OSSIM is a SIEM tool which undertakes to protect the SCADA system via OSSEC and Suricata that are Host-based IDS and Network-based IDS respectively. The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things
Recommend
More recommend
