MiniCPS: A toolkit for security research on CPS Networks D ANIELE A - - PowerPoint PPT Presentation

minicps a toolkit for security research on cps networks
SMART_READER_LITE
LIVE PREVIEW

MiniCPS: A toolkit for security research on CPS Networks D ANIELE A - - PowerPoint PPT Presentation

Oct 30, 2022 656 likes •880 views

CPS-SPC 15 @ Denver CO MiniCPS: A toolkit for security research on CPS Networks D ANIELE A NTONIOLI (SUTD) N ILS O LE T IPPENHAUER (SUTD) October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 1 Hi! Personal: D

slide-1
SLIDE 1

CPS-SPC 15 @ Denver CO

MiniCPS: A toolkit for security research

  • n CPS Networks

DANIELE ANTONIOLI (SUTD) NILS OLE TIPPENHAUER (SUTD)

October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 1

slide-2
SLIDE 2

Hi!

  • Personal:

◮ DANIELE ANTONIOLI ◮ SUTD’s ISTD PhD (Prof N.O. TIPPENHAUER)

  • SCy-Phy group:

◮ Applied CPS security research October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 2

slide-3
SLIDE 3

Why MiniCPS: Cyber-Physical Systems

  • CPS are:

◮ Complex ◮ Critical ◮ Connected October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 3

slide-4
SLIDE 4

Why MiniCPS: Cyber-Physical Systems

  • CPS are:

◮ Complex ◮ Critical ◮ Connected

  • CPS information may be difficult to:

◮ Obtain ◮ Prove ◮ Share October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 3

slide-5
SLIDE 5

Why MiniCPS: Cyber-Physical Systems

  • CPS are:

◮ Complex ◮ Critical ◮ Connected

  • CPS information may be difficult to:

◮ Obtain ◮ Prove ◮ Share

  • CPS research requires different expertises:

◮ Electronics, Automation ◮ Networking, Computer Science ◮ Physics. . . October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 3

slide-6
SLIDE 6

Why MiniCPS: SWaT testbed

  • Pure Water: 5 US gallons/min, 6.0 − 7.0 pH, minimum

conductivity of 10 µS/cm3

  • Recovered Water: 70% processed water, 50% dirty recirculation

October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 4

slide-7
SLIDE 7

Why MiniCPS: SWaT network

L1 Network HMI Switch

HMI

SCADA Historian

Remote IO

PLC1a PLC1b

PLC PLC

L0 Network

Sensor

42.42

Sensors RIO Process 1

Remote IO PLC PLC

L0 Network RIO Process 2

Remote IO PLC PLC

L0 Network RIO Process n

...

Actuators

Sensor

42.42

Sensors Actuators

Sensor

42.42

Sensors Actuators

...

PLC2a PLC2b PLCna PLCnb

HMI
  • Wired and Wireless links.
  • Ethernet/IP

, Common Industrial Protocol.

October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 5

slide-8
SLIDE 8

MiniCPS: Vision

  • Research Environment:

◮ Reproducible ◮ Extensible ◮ Shareable October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 6

slide-9
SLIDE 9

MiniCPS: Vision

  • Research Environment:

◮ Reproducible ◮ Extensible ◮ Shareable

  • Targeted to Cyber-Physical Systems:

◮ Network communications ◮ Control logic ◮ Physical layer interaction October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 6

slide-10
SLIDE 10

MiniCPS: Vision

  • Research Environment:

◮ Reproducible ◮ Extensible ◮ Shareable

  • Targeted to Cyber-Physical Systems:

◮ Network communications ◮ Control logic ◮ Physical layer interaction

  • Don’t reinvent the wheels. . .

◮ But: "Stand on the Shoulders of Giants" ◮ Eg: linux, python, mininet, git October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 6

slide-11
SLIDE 11

MiniCPS: Diagram

Physical Layer Simulation Physical Layer API Component Logic Component Logic Network

  • (C)yber → Network Emulator
  • (P)hysical → Process Simulation, State API
  • (S)ystem → Control Logic Simulation

October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 7

slide-12
SLIDE 12

MiniCPS: What is Mininet

Physical Layer Simulation Physical Layer API Component Logic Component Logic Network

  • Network-in-a-box emulator:

◮ Reproduce (complex) topologies ◮ Generating real packets using real protocols October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 8

slide-13
SLIDE 13

MiniCPS: What is Mininet

Physical Layer Simulation Physical Layer API Component Logic Component Logic Network

  • Network-in-a-box emulator:

◮ Reproduce (complex) topologies ◮ Generating real packets using real protocols

  • One Linux kernel, multiple devices:

◮ Lightweight virtualization ◮ Each device is a container October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 8

slide-14
SLIDE 14

MiniCPS: What is Mininet

Physical Layer Simulation Physical Layer API Component Logic Component Logic Network

  • Network-in-a-box emulator:

◮ Reproduce (complex) topologies ◮ Generating real packets using real protocols

  • One Linux kernel, multiple devices:

◮ Lightweight virtualization ◮ Each device is a container

  • SDN/OpenFlow development

October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 8

slide-15
SLIDE 15

MiniCPS: Physical Layer API

Physical Layer Simulation Physical Layer API Component Logic Component Logic Network

  • Database to represent the (physical) state:

◮ Abstract low-level details (SQL query) ◮ Use high level semantic functions: get, set October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 9

slide-16
SLIDE 16

MiniCPS: Physical Layer API

Physical Layer Simulation Physical Layer API Component Logic Component Logic Network

  • Database to represent the (physical) state:

◮ Abstract low-level details (SQL query) ◮ Use high level semantic functions: get, set

  • Compatibility layer:

◮ Programming Language agnostic ◮ Support different storage back-ends October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 9

slide-17
SLIDE 17

MiniCPS: SWaT example

MV101 FIT101

Sensor 42.42

Grid

Sensor 42.42

LIT101 P_101 FIT201

Sensor 42.42 Sensor 42.42

LIT301 plc1.py plc2.py plc3.py L1 network emulation

PLC PLC PLC

Physical process Simulation script

  • Control strategy:

◮ Sensors: level (LIT), flow (FIT) ◮ Actuators: motorized valve (MV) and pump (P) ◮ PLC1 takes decision with the aid of PLC2 and PLC3 ◮ Physical process simulation updates the state

  • Network:

◮ Realistic addresses (CIDR, MAC, ports) ◮ Replicate services: web-servers, ENIP client/server ◮ Optional Attacker and SDN Controller October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 10

slide-18
SLIDE 18

MiniCPS: SWaT example II

L1 Network HMI SCADA Historian

Remote IO

PLC1a PLC1b

PLC PLC

L0 Network

Sensor

42.42

Sensors RIO Process 1 Actuators

  • 1a. Write '0' to

PLC valve tag

  • 1b. Write '1' to

PLC valve tag

  • 2. Write '1' to

RIO valve tag

  • 3. High current analog signal

Attacker

HMI HMI
  • Passive and Active ARP poisoning MITM attacks
  • SDN Controller for ARP poisoning Detection and Mitigation

October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 11

slide-19
SLIDE 19

MiniCPS: Conclusions

  • MiniCPS is a CPS research platform:

◮ Reproducible ◮ Extensible ◮ Shareable

  • MiniCPS is used to investigate issues in real testbeds:

◮ MITM attacks (ettercap) ◮ Ethernet/IP reverse-engineering (scapy) ◮ SDN controllers development (pox) October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 12

slide-20
SLIDE 20

MiniCPS: Conclusions

  • MiniCPS is a CPS research platform:

◮ Reproducible ◮ Extensible ◮ Shareable

  • MiniCPS is used to investigate issues in real testbeds:

◮ MITM attacks (ettercap) ◮ Ethernet/IP reverse-engineering (scapy) ◮ SDN controllers development (pox)

  • Contribute:

◮ http://scy-phy.github.io/index.html ◮ https://github.com/scy-phy/minicps

  • Thank You!

Q & A

October 26, 2015 MiniCPS: A toolkit for security research on CPS Networks 12