man in the middle attacks on iec 60870 5 104
play

Man in the middle attacks on IEC 60870-5-104 Pete Maynard - PowerPoint PPT Presentation

Dec 12, 2023 •238 likes •584 views

Man in the middle attacks on IEC 60870-5-104 Pete Maynard @pgmaynard ORCID 0000-0002-6267-7530 Introduction Pete Maynard PhD Student CSIT Queen's University Belfast, UK Industrial Control System Security Partnership with

  1. Man in the middle attacks on IEC 60870-5-104 Pete Maynard @pgmaynard ORCID 0000-0002-6267-7530

  2. Introduction ● Pete Maynard ● PhD Student ● CSIT Queen's University Belfast, UK ● Industrial Control System Security ● Partnership with PRECYSE 2

  3. What I do ● Attacks on SCADA protocols – Replay, MITM, DoS ● Develop detection and prevention methods ● Anomaly detection via machine learning 3

  4. PRECYSE ● European FP7 Project ● Prevention, protection and REaction to CYber attackS to critical infrastructurEs ● LINZ STROM GmbH (Electrical Distribution Operator) 4

  5. Talk Overview ● What's SCADA Used for ● SCADA Threats ● Introduction IEC 104 ● Attacking IEC 104 5

  6. What's SCADA Used for? 6

  7. How is SCADA used [1] ● MODBUS, DNP3, IEC104, 61850, Profibus … 7 [1] S. Mohagheghi, J. Stoupis, and Z. Wang. Communication protocols and networks for power systems-current status and future trends. In Power Systems Conference and Exposition, 2009. PSCE ’09. IEEE/PES, pages 1–9, March 2009.

  8. What does it do? ● Telemetry control ● Change Settings ● Read/Write/Delete files and directories ● Update firmware 8

  9. SCADA Threats 9

  10. Attack Levels Level Example 1 Accident Misconfigured, Firmware Update 2 Novice Script kiddie, port scanning 3 Experienced Replay attack, basic knowledge 4 Advanced Stuxnet, ICS domain knowledge 10

  11. Threats ● Havex Malware ● OPC to scan for SCADA devices ● Reports back to command and control server ● Recently detected July 2014 – European ICS – Team Since 2011 ● State sponsored? 11

  12. Scanning for SCADA devices ● Readily available scanners – SCADA StrangeLove [1] ● Simple Python Script ● Return Device name, IP, software version 12 [1] https://github.com/atimorin/scada-tools

  13. SCADA Fuzzers ● Protocol Fuzzers ● Project Robus [1] – DNP3 – Identified many vulnerabilities ● Fuzzing can kill 13 [1] http://www.automatak.com/robus/

  14. Protocol Analysers 14

  15. Introduction IEC 104 15

  16. Introduction IEC 60870-5-104 ● International Electrotechnical Commission (IEC) ● IEC 60870 developed periodically between the years 1988 and 2000 ● 6 Main Parts and four companion sections ● Open Standard ● 60870-5-104 defines transmission over TCP/IP 16

  17. IEC 60870-5-104 Security Issues ● Ported from serial links to TCP/IP ● No authentication ● No encryption ● Uses IP address white-list – Defined on the slave ● TLS encryption recommended – In practice not implemented 17

  18. 104 Payload ASDU 18

  19. Attacking IEC 104 19

  20. Capturing Packets ● SPAN Port ● DNS Poisoning ● Content Addressable Memory (CAM) table overflow ● ARP Spoofing 20

  21. Replay Attack ● Novice level attack ● Capture and replay packets – Command, readings, alerts... ● Replayed packets dropped by kernel ● Tcpreplay alternatives to modify SEQ values 21

  22. Man In the Middle Attack ● Intercept communications between two or more devices ● Modify and inject packets ● Many tools available – ettercap – cain and abel – DSniff 22

  23. 104 MITM Lab Experiment ● Modify Cause of transmission (CoT) field ● Intercept and set an invalid CoT value ● Detection with SNORT 23

  24. Cause of Transmission CoT values can use the following number ranges: ● 1-13 and 20-41 – 14-19 and 42-43 are reserved for future use. – 24

  25. Before and After Capture Before 25 After

  26. SNORT Alert Rule alert tcp $104_CLIENT any -> $104_SERVER $104_PORTS (flow: established; content:"|68|"; offset:0; depth:1; pcre:"/[\S\s]{5}(\x2D|\x2E|\x2F|\x30|\x64|\x65)/iAR"; content:!"|06|"; offset: 8; depth: 1; msg:"17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field"; classtype:bad-unknown; sid:6666617; rev:1; priority:2;) Alert [**] [1:6666617:1] 17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field [**] [Classification: Potentially Bad Traffic] [Priority: 2] 09/09-14:06:10.462288 10.50.50.105:40734 -> 10.50.50.75:22 TCP TTL:64 TOS:0x0 ID:60033 IpLen:20 DgmLen:60 DF ******S* Seq: 0x9A0C38A1 Ack: 0x0 Win: 0x3908 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 1382076960 0 NOP WS: 7 26

  27. Earth Fault ● Real world situation where an earth fault in the physical electrical grid occurs 27

  28. Linz Test-bed 28

  29. Operator View 29

  30. 104 MIM TestBed Environment ● Intercept value, so operators unable to view fault ● 104's Information Objects, M_SP_TB_1 stores the 'ON/OFF' value ● First bit of the SIQ is the SPI field, storing the ON/OFF value. 30

  31. ON/OFF Value Modification Before After 31

  32. Conclusion ● Attackers with varying skill levels can compromise SCADA systems – Man-In-The-Middle attacks hiding an earth fault ● New implementations of ICS need to take precautions ● Monitor logs, network, everything ● Enable attack mitigations 32

  33. Future Work ● Identify features of the IEC104 protocol for anomaly detection ● Propose to develop an Anomaly Detection module for the IEC104 protocol – Detect similar network attacks ● Work on MITM attack for IEC 61850 33

  34. Questions 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on Third-Party Software Jeffrey Knockel, Jedidiah Crandall Computer Science Department University of New Mexico Recent News Iran: forged SSL

569 views • 27 slides
An Anomaly Detection Mechanism for IEC 60870-5-104 Panagioti s Sari gianni dis Uni versi

An Anomaly Detection Mechanism for IEC 60870-5-104 Panagioti s Sari gianni dis Uni versi

1 An Anomaly Detection Mechanism for IEC 60870-5-104 Panagioti s Sari gianni dis Uni versi ty o f Western Mac edoni a psari gianni di s@uowm.gr Auth thors 2 Under the H2020 SPEAR Project Antonios Sarigiannidis, Panagiotis Radoglou

254 views • 21 slides
Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects

Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects

Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects clients from compromised certificates Without revocation, these attacks would go undetected 2 Certificate Revocation Lists (CRLs) Lists of

544 views • 27 slides
Attacking IEC-60870-5-104 SCADA Systems P. Radoglou-Grammatikis, P. . Sari Sarigiannid idis*,

Attacking IEC-60870-5-104 SCADA Systems P. Radoglou-Grammatikis, P. . Sari Sarigiannid idis*,

Attacking IEC-60870-5-104 SCADA Systems P. Radoglou-Grammatikis, P. . Sari Sarigiannid idis*, I. Giannoulakis, E. Kafetzakis and E. Panaousis University of Western Macedonia, Eight Bells Ltd, University of Surrey The 1st IEEE Services Workshop

435 views • 18 slides
Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle

Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle

Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle attack Diffie-Hellman Alice Bob new na new nb g na g nb K = (g nb ) na K = (g na ) nb Man-in-the-middle attack Diffie-Hellman Alice Bob Alice

401 views • 25 slides
Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Introduction Demirci and Sel cuk Attack Differential Enumeration Technique Conclusion Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez 1 Pierre-Alain Fouque 1 , 2 Ecole Normale Sup

1.25k views • 60 slides
Certificate Measurements to Detect Man-in-the-Middle Attacks and Middleboxes Mark ONeill,

Certificate Measurements to Detect Man-in-the-Middle Attacks and Middleboxes Mark ONeill,

Certificate Measurements to Detect Man-in-the-Middle Attacks and Middleboxes Mark ONeill, Scott Ruoti, Kent Seamons, Daniel Zappala Internet Research Lab & Internet Security Research Lab Brigham Young University Certificate validation

484 views • 14 slides
Heart Attacks in Middle-aged Recreational Athletes Karl Cernovitch Alex C. Samak Jay Brophy

Heart Attacks in Middle-aged Recreational Athletes Karl Cernovitch Alex C. Samak Jay Brophy

Heart Attacks in Middle-aged Recreational Athletes Karl Cernovitch Alex C. Samak Jay Brophy MD,PhD Mark Goldberg PhD Royal Victoria Hospital Clinical Epidemiology Unit If it happened to a Pro, it could happen to you! Montreal

963 views • 21 slides
Man in the Middle Attacks Engineering Secure Software Last Revised: September 1, 2020 SWEN-331:

Man in the Middle Attacks Engineering Secure Software Last Revised: September 1, 2020 SWEN-331:

Man in the Middle Attacks Engineering Secure Software Last Revised: September 1, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 High Level View Allows the hacker to sit in between all communication between client and

398 views • 15 slides
in Middle Tennessee Prevent Asthma Attacks in Children Gwen Sunkel, Indiana University-Purdue

in Middle Tennessee Prevent Asthma Attacks in Children Gwen Sunkel, Indiana University-Purdue

Breathe Easy: Helping Parents in Middle Tennessee Prevent Asthma Attacks in Children Gwen Sunkel, Indiana University-Purdue University Indianapolis United Neighborhood Health Services Nashville, TN Introduction Gwen en Sun unkel, , RN

570 views • 15 slides
MitM attacks on HTTPS sessions Much of this material can also be seen in DEFCON 2009 presentation

MitM attacks on HTTPS sessions Much of this material can also be seen in DEFCON 2009 presentation

Software and Web Security 2 MitM attacks on HTTPS sessions Much of this material can also be seen in DEFCON 2009 presentation by Moxie Marlinspike; see URL on course page sws2 1 MitM (Man-in-the-Middle) attacks MitM attack: attacker

971 views • 38 slides
Match Box Meet-in-the-Middle Attack against KATAN Thomas Fuhr and Brice Minaud ANSSI, France

Match Box Meet-in-the-Middle Attack against KATAN Thomas Fuhr and Brice Minaud ANSSI, France

Match Box Meet-in-the-Middle Attack against KATAN Thomas Fuhr and Brice Minaud ANSSI, France FSE, March 3-5 2014 Plan 1 Match Box Meet-in-the-Middle Attacks Sieve-in-the-Middle Framework Match Box Cryptanalysis of KATAN 2 Description

1.61k views • 37 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
The middle program $ middle 3 3 5 middle: 3 $ middle 2 1 3 middle: 1 10 10 int main(int

The middle program $ middle 3 3 5 middle: 3 $ middle 2 1 3 middle: 1 10 10 int main(int

Detecting Anomalies Andreas Zeller 1 Tracing Infections For every infection, we must find the earlier infection that causes it. Which origin should we focus upon? 2 2 Tracing Infections 3 3 Focusing on Anomalies

522 views • 27 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Gelfand-Kirillov Dimension of Nonsymmetric Operads The 3rd Conference on Operad Theory and

Gelfand-Kirillov Dimension of Nonsymmetric Operads The 3rd Conference on Operad Theory and

Gelfand-Kirillov Dimension of Nonsymmetric Operads The 3rd Conference on Operad Theory and Related Topics Zihao Qi East China Normal University September 20, 2020 Joint work This talk is based on a joint work with Yongjun Xu, James J. Zhang

930 views • 39 slides
Lowest Cost Denominator Networking The Internet is for Everyone

Lowest Cost Denominator Networking The Internet is for Everyone

Lowest Cost Denominator Networking The Internet is for Everyone Arjuna Sathiaseelan www.cl.cam.ac.uk/~as2330/lcd July 12, 2013 Next Genera9on Networking

384 views • 24 slides
Whodunnit? Crime Drama as a Case for Natural Language Understanding Lea Frermann , Shay Cohen and

Whodunnit? Crime Drama as a Case for Natural Language Understanding Lea Frermann , Shay Cohen and

Whodunnit? Crime Drama as a Case for Natural Language Understanding Lea Frermann , Shay Cohen and Mirella Lapata lfrerman@amazon.com www.frermann.de ACL, July 18, 2018 1 / 18 Introduction Natural Language Understanding (NLU) uncover

909 views • 68 slides
Nonparametric and Simulation-Based Tests STAT 3202 @ OSU, Spring 2019 Dalpiaz 1 What is

Nonparametric and Simulation-Based Tests STAT 3202 @ OSU, Spring 2019 Dalpiaz 1 What is

Nonparametric and Simulation-Based Tests STAT 3202 @ OSU, Spring 2019 Dalpiaz 1 What is Parametric Testing? 2 Warmup #1, Two Sample Test for p 1 p 2 Ohio Issue 1 , the Drug and Criminal Justice Policies Initiative , is on the ballot in Ohio

530 views • 30 slides
Pose Estimation for Robotic Soccer Players in the Context of RoboCup Judith Hartfill University

Pose Estimation for Robotic Soccer Players in the Context of RoboCup Judith Hartfill University

MIN Faculty Department of Informatics Pose Estimation for Robotic Soccer Players in the Context of RoboCup Judith Hartfill University of Hamburg Faculty of Mathematics, Informatics and Natural Sciences Department of Informatics Technical

410 views • 21 slides
Computational Pragmatics Autumn 2015 Raquel Fernndez Institute for Logic, Language &

Computational Pragmatics Autumn 2015 Raquel Fernndez Institute for Logic, Language &

Computational Pragmatics Autumn 2015 Raquel Fernndez Institute for Logic, Language & Computation University of Amsterdam Where we are Today: Alignment and convergence of linguistic forms Homework #3 (available tomorrow)

491 views • 21 slides
"Never doubt that a small group of thoughtful, committed citizens can change the world;

"Never doubt that a small group of thoughtful, committed citizens can change the world;

"Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has." Margaret Mead Timing Note Approval of Tonight's Agenda President: If there is no objection, we

767 views • 37 slides
The sustainability of safety, security and privacy Ross Anderson Cambridge Darmstadt, September

The sustainability of safety, security and privacy Ross Anderson Cambridge Darmstadt, September

The sustainability of safety, security and privacy Ross Anderson Cambridge Darmstadt, September 2019 EU RAPEX A12/0157/19 Enoxs Safe-Kid One was recalled on Saturday 1 Feb Unencrypted communications with its backend

663 views • 32 slides

More recommend