Attacking IEC-60870-5-104 SCADA Systems (PowerPoint PPT Presentation)

SLIDE 1

Attacking IEC-60870-5-104 SCADA Systems

P. Radoglou-Grammatikis, P. Sarigiannidis*, I. Giannoulakis, E. Kafetzakis and E. Panaousis
University of Western Macedonia, Eight Bells Ltd, University of Surrey

The 1st IEEE Services Workshop On Cyber Security And Resilience In The Internet Of Things

SLIDE 2

Introduction

  • The heterogeneous nature of the SG creates severe security issues
  • SCADA systems are the most vulnerable elements of the SG due to their insecure industrial communication protocols like Modbus, DNP3, IEC-104, etc.
  • The IEC 60870-5-104 (IEC-104) protocol is utilized widely in Europe and is characterized by severe security flaws
  • Threat model for SCADA systems based on Coloured Petri Nets (CPN)
  • Emulating and evaluating the risk level of four cyberattacks against IEC-104
  • This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR)

SLIDE 3

Related Work

  • Anomaly-based IDS for IEC-104: private dataset, ARP attacks, DoS attacks and Replay attacks, WEKA, many algorithms: Naïve Bayes, IBk, J48, Random Forest, OneR, RandomTree and DecisionTable
    E. Hodo et al., "Anomaly detection for simulated IEC-60870-5-104 traffic"
  • Signature and specification rules for IEC-104: Snort IDS, unauthorized read commands, unauthorized reset commands, unauthorized remote control, spontaneous packet storms, buffer overflows
    Y. Yang et al., "Intrusion detection system for IEC 60870-5-104 based SCADA networks"

SLIDE 4

  • Specification-based IDS for IEC-104: Finite State Machines (FSM), ITACA software, TPR = 100%, FPR = 0%
    Y. Yang et al., "Stateful intrusion detection for IEC 60870-5-104 SCADA security"
  • Machine learning based anomaly detection for Modbus: Lemay and Fernandez dataset, SVM, KNN, Random Forest, K-means
    S. Anton et al., "Evaluation of machine learning-based anomaly detection algorithms on an industrial Modbus/TCP data set"
  • Specification-based IDS for IEC 61850: GOOSE and SVM protocols, DoS attacks, Replay attacks, Wireshark, Nmap, Colasoft Packet Builder, FPR = 1.61 × 10^-4
    J. Hong et al., "Detection of cyber intrusions using network-based multicast messages for substation automation"

SLIDE 5

Smart Grid Overview (figure)

SLIDE 6

SCADA Systems

Human Machine Interface (HMI): Software package with graphics capabilities through which the system operator can monitor the processes of the SCADA system.

Industrial Protocols: Modbus, Distributed Network Protocol (DNP3), IEC 61850 and IEC 60870-5 do not include authentication and authorization mechanisms. Therefore, they are vulnerable to various cyberattacks.

Logic Controllers: Programmable Logic Controllers (PLC) and Remote Terminal Units (RTU) are mainly responsible for collecting data from the measuring instruments, detecting abnormal behaviors and activating or deactivating technical components.

Master Terminal Unit (MTU): Hardware device that represents all the data received from the logic controllers to the operator of the SCADA system.

SLIDE 7

IEC-104 Security

  • IEC-104 is based on TCP/IP, which exhibits a number of security issues
  • The data at the application layer is transmitted without any encryption mechanism, thus making traffic analysis and MiTM attacks possible
  • Many commands of the protocol, such as the reset command, interrogation commands, read commands, etc., do not integrate authentication mechanisms, thereby resulting in unauthorized access
  • Based on these vulnerabilities, a cyber attacker possesses the ability to control PLCs and possibly the overall operation of an automation substation
  • Although IEC 62351 provides solutions that enhance the security of IEC-104, the industrial nature of SCADA systems hinders their immediate upgrade

SLIDE 8

Coloured Petri Nets

Place: An elliptical node which usually denotes a device or component sending data to another device (or component).

Transition: A rectangular and intermediate node between the Connection of two Places, where a Connection is depicted by a directed arrow.

Token: A black circle which denotes the type of information transmitted between two Places.

Token Colour 1: A yellow triangle which denotes the power flows transmitted by the Power Supply to the other components of the PLC.

Token Colour 2: A blue circle which implies the data flows exchanged by the various components and systems.

Token Colour 3: An orange square which denotes the command flows.

SLIDE 9

SCADA as CPN (figure)

SLIDE 10

SCADA as CPN

Transition No | Flow Type | Source Place | Destination Place | Transition Description
1 | Power Supply Flow | Power Supply | Processor | The power supply component provides power to the processor
2 | Power Supply Flow | Power Supply | Input Modules | The power supply component provides power to the input modules
3 | Power Supply Flow | Power Supply | Output Modules | The power supply component provides power to the output modules
4 | Data Flow | Input Modules | Processor | The input modules transmit signal data to the processor
5 | Commands Flow | Processor | Output Modules | The processor handles the input signals provided by the input modules and transmits control commands to the output modules
6 | Data Flow | Processor | Memory | The processor stores some control data in the memory
7 | Data Flow | Processor | Communication Module | The processor passes the control data to the communication module
8 | Data Flow | Communication Module | MTU | The control data is sent to the MTU via the communication module
9 | Data Flow | MTU | Communication Module | The communication module receives control data from the MTU
10 | Commands Flow | MTU | Communication Module | The communication module receives control commands from the MTU

SLIDE 11

Threat Modelling

Attacks on Power Supply Flows (Transitions 1, 2, 3)
  Physical Attacks:
    1) Physical disruption or malicious modification of the connections 1, 2 and 3.
    2) Physical destruction or malicious modification of the Power Supply, Processor, Input Modules and Output Modules.
  Cyber attacks:
    1) Unauthorised access to Processor
    2) Unauthorised access to Input Modules
    3) Unauthorised access to Output Modules

Attacks on Control Data Flows (Transitions 4, 6, 7, 8, 9)
  Physical Attacks:
    1) Physical disruption or malicious modification of the connections 4, 6, 7, 8 and 9.
    2) Physical destruction or malicious modification of the Processor, Input Modules, Output Modules, Memory, Communication Module and MTU.
    3) Physical malicious programming of the Processor
    4) Physical violation of the MTU of the SCADA system
  Cyber attacks:
    1) Unauthorised access to Input Modules
    2) Unauthorised access to Processor
    3) Unauthorised access to Output Modules
    4) MiTM attack between Input Modules and Processor
    5) MiTM attack between Output Modules and Processor
    6) DoS attacks
    7) MiTM attack between Communication Module and MTU
    8) Traffic Analysis Attack

Attacks on Control Command Flows (Transitions 5, 10)
  Physical Attacks:
    1) Physical disruption or malicious modification of the connections 5 and 10.
    2) Physical destruction or malicious modification of the Processor, Output Modules, Communication Module and MTU.
    3) Physical malicious programming of the Processor
    4) Physical violation of the MTU of the SCADA system
  Cyber attacks:
    1) Unauthorised access to Processor
    2) Unauthorised access to Output Modules
    3) MiTM attack between Communication Module and MTU
    4) DoS attacks
    5) Traffic Analysis Attack

SLIDE 12

Testbed

  • PLC – 192.168.1.7: IEC TestServer emulates a PLC utilizing IEC-104
  • MTU – 192.168.1.7: QTester104 is an HMI for IEC-104
  • Cyberattacker – 192.168.1.9: Kali Linux is used to perform the four cyberattacks. We expand OpenMUC j60870 in order to perform unauthorized Read (C_RD_NA_1), Reset (C_RP_NA_1) and Counter Interrogation (C_CI_NA_1) commands
  • AlienVault OSSIM – 192.168.1.99: OSSIM is a SIEM tool which undertakes to protect the SCADA system via OSSEC and Suricata, which are a Host-based IDS and a Network-based IDS respectively.

SLIDE 13

Cyberattacks

Traffic Analysis & MiTM IEC 60870-5-104 Isolation Attack: Aims to monitor and isolate, or even drop, IEC-104 packets between the PLC and the MTU. Ettercap was used.

TCP SYN DoS Attack: DoS attack where the cyberattacker continuously transmits several SYN packets to the PLC without responding to the corresponding answers (SYN+ACK). The hping tool was used.

Unauthorized Access: The IP of the cyberattacker was changed, hence he/she is not considered a member of the network. OpenMUC j60870 was used to transmit the unauthorised commands.

IEC-104 Packet Flooding Attack: A kind of DoS which aims at flooding the MTU with specific IEC-104 command packets. To emulate this attack, the PLC transmits the single point information command (M_SP_NA_1) to the MTU per second.
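The unauthorised-command and packet-flooding attacks above are what the network IDS in the testbed (Suricata under OSSIM) has to recognise on the wire. The following Python is an added example, not code from the paper, its testbed or OpenMUC j60870: it decodes the IEC-104 APCI and fixed ASDU header, then applies two detection rules, flagging C_RD_NA_1, C_RP_NA_1, C_CI_NA_1 (and C_IC_NA_1) commands from any host that is not an authorised master, and flagging a source whose M_SP_NA_1 rate exceeds a per-second threshold. The MTU and attacker addresses follow the testbed slide; the PLC address 192.168.1.10, the threshold of 50 frames per second and the small frame encoder used to construct the sample traffic are assumptions of this example.

```python
"""IEC 60870-5-104 header decoding plus two detection rules.
Added illustration, not code from the paper, its testbed or j60870."""
from collections import defaultdict, deque

# ASDU type identifiers (IEC 60870-5-101 / -104)
M_SP_NA_1 = 1      # single-point information (monitor direction)
C_IC_NA_1 = 100    # general interrogation command
C_CI_NA_1 = 101    # counter interrogation command
C_RD_NA_1 = 102    # read command
C_RP_NA_1 = 105    # reset process command
CONTROL_COMMANDS = {C_IC_NA_1, C_CI_NA_1, C_RD_NA_1, C_RP_NA_1}
TYPE_NAMES = {1: "M_SP_NA_1", 100: "C_IC_NA_1", 101: "C_CI_NA_1",
              102: "C_RD_NA_1", 105: "C_RP_NA_1"}


def build_i_frame(type_id, cot, common_address, ioa, element=b"", ssn=0, rsn=0):
    """Encode an I-format APDU carrying one information object. Used here only
    to construct sample traffic; send/receive sequence numbers are 15 bits each."""
    cf = bytes([(ssn << 1) & 0xFF, (ssn >> 7) & 0xFF,
                (rsn << 1) & 0xFF, (rsn >> 7) & 0xFF])
    asdu = bytes([type_id, 0x01, cot & 0x3F, 0x00,      # type, VSQ (1 object), COT, originator
                  common_address & 0xFF, (common_address >> 8) & 0xFF,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF]) + element
    return bytes([0x68, len(cf) + len(asdu)]) + cf + asdu


def parse_apdu(data):
    """Decode the APCI; for I-frames also the fixed ASDU header fields."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (start byte 0x68 missing)")
    if data[1] != len(data) - 2:
        raise ValueError("APCI length field does not match the payload")
    cf = data[2:6]
    if cf[0] & 0x01:                      # bit 0 set: S- or U-format, no ASDU follows
        if cf[0] & 0x03 == 0x01:
            return {"format": "S", "recv_seq": ((cf[3] << 8) | cf[2]) >> 1}
        return {"format": "U", "control": cf[0]}
    asdu = data[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU too short for type, VSQ, COT, CA and IOA")
    return {"format": "I",
            "send_seq": ((cf[1] << 8) | cf[0]) >> 1,
            "recv_seq": ((cf[3] << 8) | cf[2]) >> 1,
            "type_id": asdu[0],
            "num_objects": asdu[1] & 0x7F,
            "cot": asdu[2] & 0x3F,
            "common_address": asdu[4] | (asdu[5] << 8),
            "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)}


class Iec104Monitor:
    """Stateful checks over (timestamp, src_ip, dst_ip, apdu) observations."""

    def __init__(self, authorised_masters, flood_threshold=50, window_s=1.0):
        self.authorised_masters = set(authorised_masters)
        self.flood_threshold = flood_threshold   # assumed tuning value
        self.window_s = window_s
        self._spontaneous = defaultdict(deque)    # src_ip -> M_SP_NA_1 timestamps
        self._flooding = set()                    # sources already reported

    def observe(self, ts, src_ip, dst_ip, apdu):
        alerts = []
        frame = parse_apdu(apdu)
        if frame["format"] != "I":
            return alerts
        tid = frame["type_id"]
        # Rule 1: control commands are only expected from the authorised MTU
        if tid in CONTROL_COMMANDS and src_ip not in self.authorised_masters:
            alerts.append(("unauthorised_command", src_ip, TYPE_NAMES.get(tid, tid)))
        # Rule 2: sliding-window count of M_SP_NA_1 per source, one alert per burst
        if tid == M_SP_NA_1:
            window = self._spontaneous[src_ip]
            window.append(ts)
            while ts - window[0] > self.window_s:
                window.popleft()
            if len(window) > self.flood_threshold:
                if src_ip not in self._flooding:
                    self._flooding.add(src_ip)
                    alerts.append(("packet_flood", src_ip, len(window)))
            else:
                self._flooding.discard(src_ip)
        return alerts


def run_demo():
    """Replay constructed sample traffic. MTU and attacker addresses follow the
    testbed slide; the PLC address is a placeholder."""
    MTU, PLC, ATTACKER = "192.168.1.7", "192.168.1.10", "192.168.1.9"
    monitor = Iec104Monitor(authorised_masters={MTU})
    traffic = [(0.0, MTU, PLC, build_i_frame(C_RD_NA_1, 5, 1, 1001)),       # legitimate read, COT 5 = request
               (0.1, ATTACKER, PLC, build_i_frame(C_RD_NA_1, 5, 1, 1001)),
               (0.2, ATTACKER, PLC, build_i_frame(C_RP_NA_1, 6, 1, 0, b"\x01")),   # COT 6 = activation
               (0.3, ATTACKER, PLC, build_i_frame(C_CI_NA_1, 6, 1, 0, b"\x05"))]
    for i in range(60):   # 60 spontaneous (COT 3) single-point messages within one second
        traffic.append((1.0 + i / 100, PLC, MTU,
                        build_i_frame(M_SP_NA_1, 3, 1, 2001, b"\x01", ssn=i)))
    alerts = []
    for ts, src, dst, apdu in traffic:
        alerts.extend(monitor.observe(ts, src, dst, apdu))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run stand-alone, the demo reports three unauthorised commands from 192.168.1.9 and one flood alert for the PLC source once its M_SP_NA_1 count passes 50 within the one-second window. The allowlist rule is the cheap counterpart of the missing authentication on the slide: it does not make the protocol authenticated, but it turns "command from an unexpected host" into an event a SIEM such as OSSIM can correlate.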

SLIDE 14

Risk Assessment

Risk = (Asset Value × Event Priority × Event Reliability) / 25

  • Asset Value (ranging between 0-5) implies how significant an asset is. In our case, there are two assets: 1) MTU and 2) PLC, whose value is equal to 5, since they are crucial for the normal operation of a SCADA system.
  • Event Priority (ranging between 0-5) is determined by the expected impact of this threat.
  • Event Reliability (ranging between 0-10) is determined by the probability of the threat occurring.
  • Impact and Threat Occurrence values from [1] were used to initialize Event Priority and Event Reliability. These values were computed by using real-world data from the Common Weakness Enumeration (CWE) category system.

[1] A. Fielder, E. Panaousis, P. Malacaria, C. Hankin, and F. Smeraldi, “Decision support approaches for cyber security investment,” Decision Support Systems, vol. 86, pp. 13–23, 2016.

SLIDE 15

Risk Assessment

Threat | CWE Vulnerability | Threat Occurrence | Impact
DoS | Allocation of Resources Without Limits or Throttling (CWE-770) | 8.65 | 3.5
Traffic Analysis | Cleartext Transmission of Sensitive Information (CWE-319) | 7.834 | 2.5
MitM | Missing Encryption of Sensitive Data (CWE-311) | 6.793 | 3.5
Unauthorised Access | Improper Access Control (CWE-284) | 9.4 | 3.5

Risk = (Asset Value × Event Priority × Event Reliability) / 25
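To make the formula concrete, the following Python is an added example (not code from the paper or from OSSIM) that applies it to the four threats in the table above for the two assets valued at 5. It assumes, following the previous slide, that the Impact values initialise Event Priority and the Threat Occurrence values initialise Event Reliability directly, without further scaling; the range checks on the three factors and the ranking are additions of this example.

```python
"""Risk scoring with the (Asset Value x Event Priority x Event Reliability) / 25
formula from the slides, applied to the threat table. Added example."""

# Upper bounds of the three factors as given on the slide
ASSET_MAX, PRIORITY_MAX, RELIABILITY_MAX = 5, 5, 10


def risk(asset_value, event_priority, event_reliability):
    """Risk = (Asset Value x Event Priority x Event Reliability) / 25.
    The divisor scales the product so that the maximum 5 x 5 x 10 maps to 10."""
    for name, value, upper in (("asset_value", asset_value, ASSET_MAX),
                               ("event_priority", event_priority, PRIORITY_MAX),
                               ("event_reliability", event_reliability, RELIABILITY_MAX)):
        if not 0 <= value <= upper:
            raise ValueError(f"{name}={value} outside the range 0..{upper}")
    return asset_value * event_priority * event_reliability / 25


# Threat table from the slide: name -> (CWE, Threat Occurrence, Impact)
THREATS = {
    "DoS": ("CWE-770", 8.65, 3.5),
    "Traffic Analysis": ("CWE-319", 7.834, 2.5),
    "MitM": ("CWE-311", 6.793, 3.5),
    "Unauthorised Access": ("CWE-284", 9.4, 3.5),
}

# Both assets are valued at 5 on the slide
ASSETS = {"MTU": 5, "PLC": 5}


def assess(threats=THREATS, assets=ASSETS):
    """Assumption: Impact -> Event Priority and Threat Occurrence -> Event
    Reliability, used as-is. Returns (asset, threat, cwe, risk) rows, highest
    risk first, risk rounded to four decimals."""
    rows = []
    for asset, value in assets.items():
        for threat, (cwe, occurrence, impact) in threats.items():
            rows.append((asset, threat, cwe, round(risk(value, impact, occurrence), 4)))
    rows.sort(key=lambda row: row[3], reverse=True)
    return rows


def ranking(threats=THREATS, asset_value=5):
    """Threat names ordered by descending risk for a single asset value."""
    return sorted(threats,
                  key=lambda t: risk(asset_value, threats[t][2], threats[t][1]),
                  reverse=True)


if __name__ == "__main__":
    for asset, threat, cwe, value in assess():
        print(f"{asset:4} {threat:20} {cwe:8} risk = {value}")
```

With the slide's numbers the ranking is Unauthorised Access (6.58), DoS (6.055), MitM (4.7551) and Traffic Analysis (3.917) for either asset; because both assets carry the maximum value, the order is decided entirely by the CWE-derived Impact and Threat Occurrence figures.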

SLIDE 16

Goal: SPEAR intends to provide a set of tools that are secure, privacy-enabled and resilient to cyberattacks, thus ensuring the normal operation of the SG as well as the integrity and the confidentiality of communications. https://www.spear2020.eu/

SLIDE 17

SPEAR Objectives

  • Obj 1: To define the SPEAR system architecture, the security components and the privacy frameworks for situational awareness provisioning in relation to cyber security threats
  • Obj 2: To build attack detection mechanisms and promote resilience operations in smart grids
  • Obj 3: To increase situational awareness in smart grid networks
  • Obj 4: To create and maintain an anonymous repository of smart grid incidents
  • Obj 5: To provide smart network forensics subject to data protection and privacy
  • Obj 6: To empower EU-wide consensus of cyber security in smart grid systems
  • Obj 7: To validate the SPEAR architecture capabilities in proof-of-concept Use Cases
  • Obj 8: To design an innovative business model and conduct a techno-economic analysis to strengthen the role of the European smart grid and cyber-security industry in the global market.

SLIDE 18

Thank You! Questions?